+## October 2022

+### New articles

+- [Edit Azure Active Directory B2C Identity Experience Framework (IEF) XML with Grit Visual IEF Editor](partner-grit-editor.md)

+- [Register apps in Azure Active Directory B2C](register-apps.md)

+### Updated articles

+- [Set up sign-in for a specific Azure Active Directory organization in Azure Active Directory B2C](identity-provider-azure-ad-single-tenant.md)

+- [Set up a password reset flow in Azure Active Directory B2C](add-password-reset-policy.md)

+- [Azure Active Directory B2C documentation landing page](index.yml)

+- [Publish your Azure Active Directory B2C app to the Azure Active Directory app gallery](publish-app-to-azure-ad-app-gallery.md)

+- [JSON claims transformations](json-transformations.md)

+ | Default lifetime | 1 hour | 10 ΓÇô 43,200 Minutes (30 days) | Default values can be overridden by the individual passes, within the minimum and maximum lifetime configured by the policy. |

+### Add a federated credential

+Federated identity credentials are a type of credential that allows workloads, such as GitHub Actions, workloads running on Kubernetes, or workloads running in compute platforms outside of Azure access Azure AD protected resources without needing to manage secrets using [workload identity federation](workload-identity-federation.md).

+To add a federated credential, follow these steps:

+1. In the Azure portal, in **App registrations**, select your application.

+1. Select **Certificates & secrets** > **Federated credentials** > **Add a credential**.

+1. In the **Federated credential scenario** drop-down box, select one of the supported scenarios, and follow the corresponding guidance to complete the configuration.

+ - **Customer managed keys** for encrypt data in your tenant using Azure Key Vault in another tenant.

+ - **GitHub actions deploying Azure resources** to [configure a GitHub workflow](workload-identity-federation-create-trust.md#github-actions) to get tokens for your application and deploy assets to Azure.

+ - **Kubernetes accessing Azure resources** to configure a [Kubernetes service account](workload-identity-federation-create-trust.md#kubernetes) to get tokens for your application and access Azure resources.

+ - **Other issuer** to configure an identity managed by an external [OpenID Connect provider](workload-identity-federation-create-trust.md#other-identity-providers) to get tokens for your application and access Azure resources.

+

+For more information, how to get an access token with a federated credential, check out the [Microsoft identity platform and the OAuth 2.0 client credentials flow](v2-oauth2-client-creds-grant-flow.md#third-case-access-token-request-with-a-federated-credential) article.

+This article describes how to manage a federated identity credential on a user-assigned managed identity in Azure Active Directory (Azure AD). The federated identity credential creates a trust relationship between a user-assigned managed identity and an external identity provider (IdP). Configuring a federated identity credential on a system-assigned managed identity isn't supported.

+To add a federated identity for GitHub actions, follow these steps:

+1. For **Entity type**, select **Environment**, **Branch**, **Pull request**, or **Tag** and specify the value. The values must exactly match the configuration in the [GitHub workflow](https://docs.github.com/actions/using-workflows/workflow-syntax-for-github-actions#on). For more info, read the [examples](#entity-type-examples).

+1. Add a **Name** for the federated credential.

+1. The **Issuer**, **Audiences**, and **Subject identifier** fields autopopulate based on the values you entered.

+1. Select **Add** to configure the federated credential.

+Use the following values from your Azure AD Managed Identity for your GitHub workflow:

+- `AZURE_CLIENT_ID` the managed identity **Client ID**

+- `AZURE_SUBSCRIPTION_ID` the **Subscription ID**.

+ The following screenshot demonstrates how to copy the managed identity ID and subscription ID.

+ [](./media/workload-identity-federation-create-trust-user-assigned-managed-identity/copy-managed-identity-id.png#lightbox)

+- `AZURE_TENANT_ID` the **Directory (tenant) ID**. Learn [how to find your Azure Active Directory tenant ID](../fundamentals/active-directory-how-to-find-tenant.md).

+Select **Add** to configure the federated credential.

+Select **Add** to configure the federated credential.

+There's a limit of 3-120 characters for a federated identity credential name length. It must be alphanumeric, dash, underscore. First symbol is alphanumeric only.

+You must add exactly one audience to a federated identity credential. The audience is verified during token exchange. Use ΓÇ£api://AzureADTokenExchangeΓÇ¥ as the default value.

+List, Get, and Delete operations aren't available with template. Refer to Azure CLI for these operations. By default, all child federated identity credentials are created in parallel, which triggers concurrency detection logic and causes the deployment to fail with a 409-conflict HTTP status code. To create them sequentially, specify a chain of dependencies using the *dependsOn* property.

+To add a federated identity for GitHub actions, follow these steps:

+1. Find your app registration in the [App Registrations](https://aka.ms/appregistrations) experience of the Azure portal. Select **Certificates & secrets** in the left nav pane, select the **Federated credentials** tab, and select **Add credential**.

+1. In the **Federated credential scenario** drop-down box, select **GitHub actions deploying Azure resources**.

+1. Specify the **Organization** and **Repository** for your GitHub Actions workflow.

+1. For **Entity type**, select **Environment**, **Branch**, **Pull request**, or **Tag** and specify the value. The values must exactly match the configuration in the [GitHub workflow](https://docs.github.com/actions/using-workflows/workflow-syntax-for-github-actions#on). Pattern matching isn't supported for branches and tags. Specify an environment if your on-push workflow runs against many branches or tags. For more info, read the [examples](#entity-type-examples).

+1. Add a **Name** for the federated credential.

+1. The **Issuer**, **Audiences**, and **Subject identifier** fields autopopulate based on the values you entered.

+1. Select **Add** to configure the federated credential.

+ :::image type="content" source="media/workload-identity-federation-create-trust/add-credential.png" alt-text="Screenshot of the Add a credential window, showing sample values." :::

+Use the following values from your Azure AD application registration for your GitHub workflow:

+- `AZURE_CLIENT_ID` the **Application (client) ID**

+- `AZURE_TENANT_ID` the **Directory (tenant) ID**

+

+ The following screenshot demonstrates how to copy the application ID and tenant ID.

+ 

+- `AZURE_SUBSCRIPTION_ID` your subscription ID. To get the subscription ID, open **Subscriptions** in Azure portal and find your subscription. Then, copy the **Subscription ID**.

+The `id` parameter specifies the identifier URI, application ID, or object ID of the application. The `parameters` parameter specifies the parameters, in JSON format, for creating the federated identity credential.

+Typically, a software workload (such as an application, service, script, or container-based application) needs an identity in order to authenticate and access resources or communicate with other services. When these workloads run on Azure, you can use [managed identities](../managed-identities-azure-resources/overview.md) and the Azure platform manages the credentials for you. For a software workload running outside of Azure, you need to use application credentials (a secret or certificate) to access Azure AD protected resources (such as Azure, Microsoft Graph, Microsoft 365, or third-party resources). These credentials pose a security risk and have to be stored securely and rotated regularly. You also run the risk of service downtime if the credentials expire.

+You use workload identity federation to configure an Azure AD app registration or [user-assigned managed identity](../managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) to trust tokens from an external identity provider (IdP), such as GitHub. Once that trust relationship is created, your software workload can exchange trusted tokens from the external IdP for access tokens from Microsoft identity platform. Your software workload then uses that access token to access the Azure AD protected resources to which the workload has been granted access. This eliminates the maintenance burden of manually managing credentials and eliminates the risk of leaking secrets or having certificates expire.

+Create a trust relationship between the external IdP and an app registration or user-assigned managed identity in Azure AD. The federated identity credential is used to indicate which token from the external IdP should be trusted by your application or managed identity. You configure a federated identity either:

+- On an Azure AD [App registration](/azure/active-directory/develop/quickstart-register-app) in the Azure portal or through Microsoft Graph. This configuration allows you to get an access token for your application without needing to manage secrets outside Azure. For more information, learn how to [configure an app to trust an external identity provider](workload-identity-federation-create-trust.md).

+- On a user-assigned managed identity through the Azure portal, Azure CLI, Azure PowerShell, Azure SDK, and Azure Resource Manager (ARM) templates. The external workload uses the access token to access Azure AD protected resources without needing to manage secrets (in supported scenarios). The [steps for configuring the trust relationship](workload-identity-federation-create-trust-user-assigned-managed-identity.md) will differ, depending on the scenario and external IdP.

+- For information about the required format of JWTs created by external identity providers, read about the [assertion format](active-directory-certificate-credentials.md#assertion-format).

+* **User lifecycle management**: The process of provisioning, managing, and deprovisioning user access to resources.

+## April 2022

+### General Availability - Entitlement management separation of duties checks for incompatible access packages

+**Type:** Changed feature

+**Service category:** Other

+**Product capability:** Identity Governance

+In Azure AD entitlement management, an administrator can now configure the incompatible access packages and groups of an access package in the Azure portal. This prevents a user who already has one of those incompatible access rights from being able to request further access. For more information, see: [Configure separation of duties checks for an access package in Azure AD entitlement management](../governance/entitlement-management-access-package-incompatible.md).

+### General Availability - Microsoft Defender for Endpoint Signal in Identity Protection

+**Type:** New feature

+**Service category:** Identity Protection

+**Product capability:** Identity Security & Protection

+

+Identity Protection now integrates a signal from Microsoft Defender for Endpoint (MDE) that will protect against PRT theft detection. To learn more, see: [What is risk? Azure AD Identity Protection | Microsoft Docs](../identity-protection/concept-identity-protection-risks.md).

+

+### General Availability - Entitlement management 3 stages of approval

+**Type:** Changed feature

+**Service category:** Other

+**Product capability:** Entitlement Management

+

+This update extends the Azure AD entitlement management access package policy to allow a third approval stage. This will be able to be configured via the Azure portal or Microsoft Graph. For more information, see: [Change approval and requestor information settings for an access package in Azure AD entitlement management](../governance/entitlement-management-access-package-approval-policy.md).

+

+### General Availability - Improvements to Azure AD Smart Lockout

+**Type:** Changed feature

+**Service category:** Identity Protection

+**Product capability:** User Management

+

+With a recent improvement, Smart Lockout now synchronizes the lockout state across Azure AD data centers, so the total number of failed sign-in attempts allowed before an account is locked out will match the configured lockout threshold. For more information, see: [Protect user accounts from attacks with Azure Active Directory smart lockout](../authentication/howto-password-smart-lockout.md).

+

+### Public Preview - Integration of Microsoft 365 App Certification details into Azure Active Directory UX and Consent Experiences

+**Type:** New feature

+**Service category:** User Access Management

+**Product capability:** AuthZ/Access Delegation

+Microsoft 365 Certification status for an app is now available in Azure AD consent UX, and custom app consent policies. The status will later be displayed in several other Identity-owned interfaces such as enterprise apps. For more information, see: [Understanding Azure AD application consent experiences](../develop/application-consent-experience.md).

+### Public preview - Use Azure AD access reviews to review access of B2B direct connect users in Teams shared channels

+**Type:** New feature

+**Service category:** Access Reviews

+**Product capability:** Identity Governance

+Use Azure AD access reviews to review access of B2B direct connect users in Teams shared channels. For more information, see: [Include B2B direct connect users and teams accessing Teams Shared Channels in access reviews (preview)](../governance/create-access-review.md#include-b2b-direct-connect-users-and-teams-accessing-teams-shared-channels-in-access-reviews).

+### Public Preview - New MS Graph APIs to configure federated settings when federated with Azure AD

+**Type:** New feature

+**Service category:** MS Graph

+**Product capability:** Identity Security & Protection

+We're announcing the public preview of following MS Graph APIs and PowerShell cmdlets for configuring federated settings when federated with Azure AD:

+|Action |MS Graph API |PowerShell cmdlet |

+||||

+|Get federation settings for a federated domain | [Get internalDomainFederation](/graph/api/internaldomainfederation-get?view=graph-rest-beta&preserve-view=true) | [Get-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdomainfederationconfiguration?view=graph-powershell-beta&preserve-view=true) |

+|Create federation settings for a federated domain | [Create internalDomainFederation](/graph/api/domain-post-federationconfiguration?view=graph-rest-beta&preserve-view=true) | [New-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/new-mgdomainfederationconfiguration?view=graph-powershell-beta&preserve-view=true) |

+|Remove federation settings for a federated domain | [Delete internalDomainFederation](/graph/api/internaldomainfederation-delete?view=graph-rest-beta&preserve-view=true) | [Remove-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/remove-mgdomainfederationconfiguration?view=graph-powershell-beta&preserve-view=true) |

+|Update federation settings for a federated domain | [Update internalDomainFederation](/graph/api/internaldomainfederation-update?view=graph-rest-beta&preserve-view=true) | [Update-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/update-mgdomainfederationconfiguration?view=graph-powershell-beta&preserve-view=true) |

+If using older MSOnline cmdlets ([Get-MsolDomainFederationSettings](/powershell/module/msonline/get-msoldomainfederationsettings?view=azureadps-1.0&preserve-view=true) and [Set-MsolDomainFederationSettings](/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0&preserve-view=true)), we highly recommend transitioning to the latest MS Graph APIs and PowerShell cmdlets.

+For more information, see [internalDomainFederation resource type - Microsoft Graph beta | Microsoft Docs](/graph/api/resources/internaldomainfederation?view=graph-rest-beta&preserve-view=true).

+### Public Preview ΓÇô Ability to force reauthentication on Intune enrollment, risky sign-ins, and risky users

+**Type:** New feature

+**Service category:** RBAC role

+**Product capability:** AuthZ/Access Delegation

+Added functionality to session controls allowing admins to reauthenticate a user on every sign-in if a user or particular sign-in event is deemed risky, or when enrolling a device in Intune. For more information, see [Configure authentication session management with conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md).

+### Public Preview ΓÇô Protect against by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD

+**Type:** New feature

+**Service category:** MS Graph

+**Product capability:** Identity Security & Protection

+We're delighted to announce a new security protection that prevents bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for a federated domain in your Azure AD tenant, it ensures that a compromised federated account can't bypass Azure AD Multi-Factor Authentication by imitating that a multi factor authentication has already been performed by the identity provider. The protection can be enabled via new security setting, [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-beta#federatedidpmfabehavior-values&preserve-view=true).

+We highly recommend enabling this new protection when using Azure AD Multi-Factor Authentication as your multi factor authentication for your federated users. To learn more about the protection and how to enable it, visit [Enable protection to prevent by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#enable-protection-to-prevent-by-passing-of-cloud-azure-ad-multi-factor-authentication-when-federated-with-azure-ad).

+### New Federated Apps available in Azure AD Application gallery - April 2022

+**Type:** New feature

+**Service category:** Enterprise Apps

+**Product capability:** Third Party Integration

+In April 2022 we added the following 24 new applications in our App gallery with Federation support:

+[X-1FBO](https://www.x1fbo.com/), [select Armor](https://app.clickarmor.c)

+You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.

+For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest

+### General Availability - Customer data storage for Japan customers in Japanese data centers

+**Type:** New feature

+**Service category:** App Provisioning

+**Product capability:** GoLocal

+From April 15, 2022, Microsoft began storing Azure ADΓÇÖs Customer Data for new tenants with a Japan billing address within the Japanese data centers. For more information, see: [Customer data storage for Japan customers in Azure Active Directory](active-directory-data-storage-japan.md).

+### Public Preview - New provisioning connectors in the Azure AD Application Gallery - April 2022

+**Type:** New feature

+**Service category:** App Provisioning

+**Product capability:** Third Party Integration

+You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

+- [Adobe Identity Management (OIDC)](../saas-apps/adobe-identity-management-provisioning-oidc-tutorial.md)

+- [embed signage](../saas-apps/embed-signage-provisioning-tutorial.md)

+- [KnowBe4 Security Awareness Training](../saas-apps/knowbe4-security-awareness-training-provisioning-tutorial.md)

+- [NordPass](../saas-apps/nordpass-provisioning-tutorial.md)

+For more information about how to better secure your organization by using automated user account provisioning, see: [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md)

+## October 2022

+### General Availability - Upgrade Azure AD Provisioning agent to the latest version (version number: 1.1.977.0)

+**Type:** Plan for change

+**Service category:** Provisioning

+**Product capability:** AAD Connect Cloud Sync

+Microsoft will stop support for Azure AD provisioning agent with versions 1.1.818.0 and below starting Feb 1,2023. If you are using Azure AD cloud sync, please make sure you have the latest version of the agent. You can info about the agent release history [here](../app-provisioning/provisioning-agent-release-version-history.md). You can download the latest version [here](https://download.msappproxy.net/Subscription/d3c8b69d-6bf7-42be-a529-3fe9c2e70c90/Connector/provisioningAgentInstaller)

+You can find out which version of the agent you are using as follows:

+1. Going to the domain server which you have the agent installed

+1. Right-click on the Microsoft Azure AD Connect Provisioning Agent app

+1. Click on ΓÇ£DetailsΓÇ¥ tab and you can find the version number there

+> [!NOTE]

+> Azure Active Directory (AD) Connect follows the [Modern Lifecycle Policy](/lifecycle/policies/modern). Changes for products and services under the Modern Lifecycle Policy may be more frequent and require customers to be alert for forthcoming modifications to their product or service.

+Product governed by the Modern Policy follow a [continuous support and servicing model](/lifecycle/overview/product-end-of-support-overview). Customers must take the latest update to remain supported. For products and services governed by the Modern Lifecycle Policy, Microsoft's policy is to provide a minimum 30 days' notification when customers are required to take action in order to avoid significant degradation to the normal use of the product or service.

+### General Availability - Add multiple domains to the same SAML/Ws-Fed based identity provider configuration for your external users

+**Type:** New feature

+**Service category:** B2B

+**Product capability:** B2B/B2C

+An IT admin can now add multiple domains to a single SAML/WS-Fed identity provider configuration to invite users from multiple domains to authenticate from the same identity provider endpoint. For more information, see: [Federation with SAML/WS-Fed identity providers for guest users](../external-identities/direct-federation.md).

+### General Availability - Limits on the number of configured API permissions for an application registration will be enforced starting in October 2022

+**Type:** Plan for change

+**Service category:** Other

+**Product capability:** Developer Experience

+In the end of October, the total number of required permissions for any single application registration must not exceed 400 permissions across all APIs. Applications exceeding the limit won't be able to increase the number of permissions they're configured for. The existing limit on the number of distinct APIs for which permissions are required remains unchanged and may not exceed 50 APIs.

+In the Azure portal, the required permissions are listed under API Permissions within specific applications in the application registration menu. When using Microsoft Graph or Microsoft Graph PowerShell, the required permissions are listed in the requiredResourceAccess property of an [application](/graph/api/resources/application) entity. For more information, see: [Validation differences by supported account types (signInAudience)](../develop/supported-accounts-validation.md).

+### Public Preview - Conditional access Authentication strengths

+**Type:** New feature

+**Service category:** Conditional Access

+**Product capability:** User Authentication

+Announcing Public preview of Authentication strength, a Conditional Access control that allows administrators to specify which authentication methods can be used to access a resource. For more information, see: [Conditional Access authentication strength (preview)](../authentication/concept-authentication-strengths.md). You can use custom authentication strengths to restrict access by requiring specific FIDO2 keys using the Authenticator Attestation GUIDs (AAGUIDs), and apply this through conditional access policies. For more information, see: [FIDO2 security key advanced options](../authentication/concept-authentication-strengths.md#fido2-security-key-advanced-options).

+### Public Preview - Conditional access authentication strengths for external identities

+**Type:** New feature

+**Service category:** B2B

+**Product capability:** B2B/B2C

+You can now require your business partner (B2B) guests across all Microsoft clouds to use specific authentication methods to access your resources with **Conditional Access Authentication Strength policies**. For more information, see: [Conditional Access: Require an authentication strength for external users](../conditional-access/howto-conditional-access-policy-authentication-strength-external.md).

+### Generally Availability - Windows Hello for Business, Cloud Kerberos Trust deployment

+**Type:** New feature

+**Service category:** Authentications (Logins)

+**Product capability:** User Authentication

+We're excited to announce the general availability of hybrid cloud Kerberos trust, a new Windows Hello for Business deployment model to enable a password-less sign-in experience. With this new model, weΓÇÖve made Windows Hello for Business much easier to deploy than the existing key trust and certificate trust deployment models by removing the need for maintaining complicated public key infrastructure (PKI), and Azure Active Directory (AD) Connect synchronization wait times. For more information, see: [Hybrid Cloud Kerberos Trust Deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).

+### General Availability - Device-based conditional access on Linux Desktops

+**Type:** New feature

+**Service category:** Conditional Access

+**Product capability:** SSO

+This feature empowers users on Linux clients to register their devices with Azure AD, enroll into Intune management, and satisfy device-based Conditional Access policies when accessing their corporate resources.

+- Users can register their Linux devices with Azure AD

+- Users can enroll in Mobile Device Management (Intune), which can be used to provide compliance decisions based upon policy definitions to allow device based conditional access on Linux Desktops

+- If compliant, users can use Edge Browser to enable Single-Sign on to M365/Azure resources and satisfy device-based Conditional Access policies.

+For more information, see:

+[Azure AD registered devices](../devices/concept-azure-ad-register.md).

+[Plan your Azure Active Directory device deployment](../devices/plan-device-deployment.md)

+### General Availability - Deprecation of Azure Multi-Factor Authentication Server

+**Type:** Deprecated

+**Service category:** MFA

+**Product capability:** Identity Security & Protection

+Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multi-factor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services, and to remain in a supported state, organizations should migrate their usersΓÇÖ authentication data to the cloud-based Azure AD Multi-Factor Authentication service using the latest Migration Utility included in the most recent Azure AD Multi-Factor Authentication Server update. For more information, see: [Migrate from MFA Server to Azure AD Multi-Factor Authentication](../authentication/how-to-migrate-mfa-server-to-azure-mfa.md).

+### General Availability - Change of Default User Consent Settings

+**Type:** New feature

+**Service category:** Enterprise Apps

+**Product capability:** Developer Experience

+Starting Sept 30th, 2022, Microsoft will require all new tenants to follow a new user consent configuration. While this won't impact any existing tenants that were created before September 30, 2022, all new tenants created after September 30, 2022, will have the default setting of ΓÇ£Enable automatic updates (Recommendation)ΓÇ¥ under User consent settings. This change reduces the risk of malicious applications attempting to trick users into granting them access to your organization's data. For more information, see: [Configure how users consent to applications](../manage-apps/configure-user-consent.md).

+### Public Preview - Lifecycle Workflows is now available

+**Type:** New feature

+**Service category:** Lifecycle Workflows

+**Product capability:** Identity Governance

+We're excited to announce the public preview of Lifecycle Workflows, a new Identity Governance capability that allows customers to extend the user provisioning process, and adds enterprise grade user lifecycle management capabilities, in Azure AD to modernize your identity lifecycle management process. With Lifecycle Workflows, you can:

+- Confidently configure and deploy custom workflows to onboard and offboard cloud employees at scale replacing your manual processes.

+- Automate out-of-the-box actions critical to required Joiner and Leaver scenarios and get rich reporting insights.

+- Extend workflows via Logic Apps integrations with custom tasks extensions for more complex scenarios.

+For more information, see: [What are Lifecycle Workflows? (Public Preview)](../governance/what-are-lifecycle-workflows.md).

+### Public Preview - User-to-Group Affiliation recommendation for group Access Reviews

+**Type:** New feature

+**Service category:** Access Reviews

+**Product capability:** Identity Governance

+This feature provides Machine Learning based recommendations to the reviewers of Azure AD Access Reviews to make the review experience easier and more accurate. The recommendation detects user affiliation with other users within the group, and leverages the scoring mechanism we built by computing the userΓÇÖs average distance with other users in the group. For more information, see: [Review recommendations for Access reviews](../governance/review-recommendations-access-reviews.md).

+### General Availability - Group assignment for SuccessFactors Writeback application

+**Type:** New feature

+**Service category:** Provisioning

+**Product capability:** Outbound to SaaS Applications

+When configuring writeback of attributes from Azure AD to SAP SuccessFactors Employee Central, you can now specify the scope of users using Azure AD group assignment. For more information, see: [Tutorial: Configure attribute write-back from Azure AD to SAP SuccessFactors](../saas-apps/sap-successfactors-writeback-tutorial.md).

+### General Availability - Number Matching for Microsoft Authenticator notifications

+**Type:** New feature

+**Service category:** Microsoft Authenticator App

+**Product capability:** User Authentication

+To prevent accidental notification approvals, admins can now require users to enter the number displayed on the sign-in screen when approving an MFA notification in the Microsoft Authenticator app. We've also refreshed the Azure portal admin UX and Microsoft Graph APIs to make it easier for customers to manage Authenticator app feature roll-outs. As part of this update we have also added the highly requested ability for admins to exclude user groups from each feature.

+The number matching feature greatly up-levels the security posture of the Microsoft Authenticator app and protects organizations from MFA fatigue attacks. We highly encourage our customers to adopt this feature leveraging the rollout controls we have built. Number Matching will begin to be enabled for all users of the Microsoft Authenticator app starting 27th of February 2023.

+For more information, see: [How to use number matching in multifactor authentication (MFA) notifications - Authentication methods policy](../authentication/how-to-mfa-number-match.md).

+### General Availability - Additional context in Microsoft Authenticator notifications

+**Type:** New feature

+**Service category:** Microsoft Authenticator App

+**Product capability:** User Authentication

+Reduce accidental approvals by showing users additional context in Microsoft Authenticator app notifications. Customers can enhance notifications with the following:

+- Application Context: This feature will show users which application they're signing into.

+- Geographic Location Context: This feature will show users their sign-in location based on the IP address of the device they're signing into.

+The feature is available for both MFA and Password-less Phone Sign-in notifications and greatly increases the security posture of the Microsoft Authenticator app. We've also refreshed the Azure portal Admin UX and Microsoft Graph APIs to make it easier for customers to manage Authenticator app feature roll-outs. As part of this update, we've also added the highly requested ability for admins to exclude user groups from certain features.

+We highly encourage our customers to adopt these critical security features to reduce accidental approvals of Authenticator notifications by end users.

+For more information, see: [How to use additional context in Microsoft Authenticator notifications - Authentication methods policy](../authentication/how-to-mfa-additional-context.md).

+### New Federated Apps available in Azure AD Application gallery - October 2022

+**Type:** New feature

+**Service category:** Enterprise Apps

+**Product capability:** 3rd Party Integration

+In October 2022 we've added the following 15 new applications in our App gallery with Federation support:

+[Unifii](https://www.unifii.com.au/), [WaitWell Staff App](https://waitwell.c)

+You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial,

+For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest

+### Public preview - New provisioning connectors in the Azure AD Application Gallery - October 2022

+**Type:** New feature

+**Service category:** App Provisioning

+**Product capability:** 3rd Party Integration

+You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

+- [LawVu](../saas-apps/lawvu-provisioning-tutorial.md)

+For more information about how to better secure your organization by using automated user account provisioning, see: [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

+ 1. Optionally you can choose to exclude users or groups from the policy.

+| Azure SQL | [Managed identities in Azure AD for Azure SQL](/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity) |

+| Azure SQL Managed Instance | [Managed identities in Azure AD for Azure SQL](/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity) |

+# Azure AD recommendation: Integrate third party apps

+[Azure Active Directory (Azure AD) recommendations](overview-recommendations.md) is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices.

+This article covers the recommendation to integrate your third party apps with Azure AD.

+As an Azure AD admin responsible for managing applications, you want to use the Azure AD security features with your third party apps. Integrating these apps into Azure AD enables you to use one unified method to manage access to your third party apps. Your users also benefit from using single sign-on to access all your apps with a single password.

+If Azure AD determines that none of your users are using Azure AD to authenticate to your third party apps, this recommendation shows up.

+Integrating third party apps with Azure AD allows you to utilize the core identity and access features provided by Azure AD. Manage access, single sign-on, and other properties. Add an extra security layer by using [Conditional Access](../conditional-access/overview.md) to control how your users can access your apps.

+Integrating third party apps with Azure AD:

+2. For each app that isn't integrated into Azure AD, verify whether an integration is possible.

+- [Explore tutorials for integrating SaaS applications with Azure AD](../saas-apps/tutorial-list.md)

+As an admin, you want to maintain security for your companyΓÇÖs resources, but you also want your employees to easily access resources as needed.

+This article covers the recommendation to migrate apps from ADFS to Azure Active Directory (Azure AD).

+# Azure AD recommendation: Convert per-user MFA to Conditional Access MFA

+This article covers the recommendation to convert per-user Multi-factor authentication (MFA) accounts to Conditional Access (CA) MFA accounts.

+As an admin, you want to maintain security for your companyΓÇÖs resources, but you also want your employees to easily access resources as needed. MFA enables you to enhance the security posture of your tenant.

+In your tenant, you can enable MFA on a per-user basis. In this scenario, your users perform MFA each time they sign in, with some exceptions, such as when they sign in from trusted IP addresses or when the remember MFA on trusted devices feature is turned on. While enabling MFA is a good practice, converting per-user MFA to MFA based on [Conditional Access](../conditional-access/overview.md) can reduce the number of times your users are prompted for MFA.

+This recommendation shows up if:

+- You have per-user MFA configured for at least 5% of your users.

+- Conditional Access policies are active for more than 1% of your users (indicating familiarity with CA policies).

+This recommendation improves your user's productivity and minimizes the sign-in time with fewer MFA prompts. CA and MFA used together help ensure that your most sensitive resources can have the tightest controls, while your least sensitive resources can be more freely accessible.

+1. Confirm that there's an existing CA policy with an MFA requirement. Ensure that you're covering all resources and users you would like to secure with MFA.

+ - Review your [Conditional Access policies](https://portal.azure.com/?Microsoft_AAD_IAM_enableAadvisorFeaturePreview=true&amp%3BMicrosoft_AAD_IAM_enableAadvisorFeature=true#blade/Microsoft_AAD_IAM/PoliciesTemplateBlade).

+2. Require MFA using a Conditional Access policy.

+ - [Secure user sign-in events with Azure AD Multi-Factor Authentication](../authentication/tutorial-enable-azure-mfa.md).

+After all users have been migrated to CA MFA accounts, the recommendation status automatically updates the next time the service runs. Continue to review your CA policies to improve the overall health of your tenant.

+- [Learn about requiring MFA for all users using Conditional Access](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)

+- [View the MFA CA policy tutorial](../authentication/tutorial-enable-azure-mfa.md)

+| September | 99.999% | 99.998% |

+# Customer intent: As a developer, I want to learn how to access the Azure AD reporting API using certificates so that I can create an application that does not require user intervention to access reports.

+The [Azure Active Directory (Azure AD) reporting APIs](concept-reporting-api.md) provide you with programmatic access to the data through a set of REST-based APIs. You can call these APIs from various programming languages and tools. If you want to access the Azure AD Reporting API without user intervention, you must configure your access to use certificates.

+1. To access sign-in data, make sure you have an Azure AD tenant with a premium (P1/P2) license. See [Getting started with Azure Active Directory Premium](../fundamentals/active-directory-get-started-premium.md) to upgrade your Azure AD edition. If you didn't have any activities data prior to the upgrade, it will take a couple of days for the data to show up in the reports after you upgrade to a premium license.

+2. Create or switch to a user account in the **Global Administrator**, **Security Administrator**, **Security Reader** or **Report Reader** role for the tenant.

+ - The Microsoft Authentication Library libraries needed for authentication

+ - Access tokens from user, application keys, and certificates using Microsoft Authentication Library

+1. Go to the [Azure portal](https://portal.azure.com) > **Azure Active Directory** > **App registrations** and choose your application from the list.

+2. From the Application registration area, select **Certificates & secrets** under the **Manage** section, and then select **Upload Certificate**.

+4. Note the Application ID, and the thumbprint of the certificate you registered with your application. To find the thumbprint, from your application page in the portal, go to **Certificates & secrets** under **Manage** section. The thumbprint will be under the **Certificates** list.

+7. Use the access token in your PowerShell script to query the Graph API. Use the **Invoke-MSCloudIdMSGraphQuery** cmdlet from the MSCloudIDUtils to enumerate the `signins` and `directoryAudits` endpoint. This cmdlet handles multi-paged results, and sends those results to the PowerShell pipeline.

+8. Query the `directoryAudits` endpoint to retrieve the audit logs.

+9. Query the `signins` endpoint to retrieve the sign-in logs.

+* A user who's a *Global Administrator* or *Security Administrator* for the Azure AD tenant.

+- An Azure Active Directory (Azure AD) tenant.

+- A user who's a Global Administrator or Security Administrator for the Azure AD tenant.

+ Title: Optimize Azure workloads by using Advisor score

+description: Use Azure Advisor score to get the most out of Azure.

+# Optimize Azure workloads by using Advisor score

+## Introduction to Advisor score

+As a core feature of Advisor, Advisor score can help you achieve these goals effectively and efficiently.

+It's also important to track and report the progress you're making in this optimization journey. With Advisor score, you can easily do all these things with the new gamification experience.

+

+* **Advisor score** helps you baseline how your workload or subscriptions are doing based on an Advisor score. You can also see the historical trends to understand what your trend is.

+The contribution of each recommendation to your category score is shown clearly on the **Advisor score** page in the Azure portal. You can increase each category score by the percentage point listed in the **Potential score increase** column. This value reflects both the weight of the recommendation within the category and the predicted ease of implementation to address the potentially easiest tasks. Focusing on the recommendations with the greatest score impact will help you make the most progress with time.

+

+In the left pane, under the **Advisor** section, see **Advisor score**.

+

+* Follow recommendations from [Microsoft Defender for Cloud](/security/benchmark/azure/security-control-vulnerability-management) and run automated vulnerability scanning tools such as [Defender for Containers](/azure/defender-for-cloud/defender-for-containers-vulnerability-assessment-azure) to avoid unnecessary resource usage by identifying vulnerabilities in your images and minimizing the window of opportunity for attackers.

+Learn more about utilizing the Standard Load Balancer for inbound traffic at the [AKS Standard Load Balancer documentation](load-balancer-standard.md).

+1. Navigate to the repository's settings, and select **Security > Secrets and variables > Actions**.

+1. For each secret, click **New Repository Secret** and enter the name and value of the secret.

+[!Important]

+The feature described in this document, pod security policy (preview), will begin deprecation with Kubernetes version 1.21, with its removal in version 1.25. AKS will mark Pod Security Policy as "Deprecated" in the AKS API on 04-01-2023. You can now Migrate Pod Security Policy to Pod Security Admission Controller ahead of the deprecation.

+After pod security policy (preview) is deprecated, you must have already migrated to Pod Security Admission controller or disabled the feature on any existing clusters using the deprecated feature to perform future cluster upgrades and stay within Azure support.

+**Video:** Check out [Azure Analysis Services Overview](https://www.youtube.com/watch?v=m1jnG1zIvTo&t=31s) to learn how Azure Analysis Services fits in with Microsoft's overall BI capabilities.

+In [GitHub](https://github.com/), browse your repository. Select **Settings > Security > Secrets and variables > Actions > New repository secret**.

+In [GitHub](https://github.com/), browse your repository. Select **Settings > Security > Secrets and variables > Actions > New repository secret**.

+1. Open your GitHub repository and go to **Settings > Security > Secrets and variables > Actions > New repository secret**.

+In [GitHub](https://github.com/), browse your repository. Select **Settings > Security > Secrets and variables > Actions > New repository secret**.

+In [GitHub](https://github.com/), browse your repository. Select **Settings > Security > Secrets and variables > Actions > New repository secret**.

+1. Open your GitHub repository and go to **Settings > Security > Secrets and variables > Actions > New repository secret**.

+1. Create the web app with the [`az webapp create`](/cli/azure/webapp#az-webapp-create) command:

+1. Deploy the Azure Resource Manager template using the Azure CLI. The deployment might take up to 5 minutes.

+## OCR in Form Recognizer - Read model

+## OCR supported document types

+Form Recognizer v3.0 version supports several languages for the read OCR model. *See* our [Language Support](language-support.md) for a complete list of supported handwritten and printed languages.

+ Title: Form Recognizer overview

+description: Machine-learning based OCR and intelligent document processing understanding service to automate extraction of text, table and structure, and key-value pairs from your forms and documents.

+# What is Azure Form Recognizer?

+ import requests

+ quit()

+ quit()

+* Learn more about the [layout model](concept-layout.md)

+> Executing child scripts using `.\child-runbook.ps1` is not supported in PowerShell 7.1 and PowerShell 7.2 (preview).

+> This article is applicable for PowerShell 5.1; PowerShell 7.1 (preview) and PowerShell 7.2 (preview) does not support workflows. A PowerShell Workflow script is very similar to a Windows PowerShell script but has some significant differences that can be confusing to a new user. Therefore, we recommend that you write your runbooks using PowerShell Workflow only if you need to use [checkpoints](#use-checkpoints-in-a-workflow).

+| [PowerShell](#powershell-runbooks) |Textual runbook based on Windows PowerShell scripting. The currently supported versions are: PowerShell 5.1 (GA), PowerShell 7.1 (preview), and PowerShell 7.2 (preview).|

+| [PowerShell Workflow](#powershell-workflow-runbooks)|Textual runbook based on Windows PowerShell Workflow scripting. |

+| [Python](#python-runbooks) |Textual runbook based on Python scripting. The currently supported versions are: Python 2.7 (GA), Python 3.8 (preview), and Python 3.10 (preview). |

+The PowerShell version is determined by the **Runtime version** specified (that is version 7.2 (preview), 7.1 (preview) or 5.1). The Azure Automation service supports the latest PowerShell runtime.

+The same Azure sandbox and Hybrid Runbook Worker can execute **PowerShell 5.1** and **PowerShell 7.1 (preview)** runbooks side by side.

+> - Currently, PowerShell 7.2 (preview) runtime version is supported in five regions for Cloud jobs only: West Central US, East US, South Africa North, North Europe, Australia Southeast

+> - At the time of runbook execution, if you select **Runtime Version** as **7.1 (preview)**, PowerShell modules targeting 7.1 (preview) runtime version are used and if you select **Runtime Version** as **5.1**, PowerShell modules targeting 5.1 runtime version are used. This applies for PowerShell 7.2 (preview) modules and runbooks.

+> [!NOTE]

+> Currently, PowerShell 5.1, PowerShell 7.1 (preview) and PowerShell 7.2 (preview) are supported.

+### Advantages

+- Implement all complex logic with PowerShell code without the other complexities of PowerShell Workflow.

+- Start faster than PowerShell Workflow runbooks, since they don't need to be compiled before running.

+- Run in Azure and on Hybrid Runbook Workers for both Windows and Linux.

+### Limitations and Known issues

+The following are the current limitations and known issues with PowerShell runbooks:

+# [PowerShell 5.1](#tab/lps51)

+**Limitations**

+- You must be familiar with PowerShell scripting.

+- Runbooks can't use [parallel processing](automation-powershell-workflow.md#use-parallel-processing) to execute multiple actions in parallel.

+- Runbooks can't use [checkpoints](automation-powershell-workflow.md#use-checkpoints-in-a-workflow) to resume runbook if there's an error.

+- You can include only PowerShell, PowerShell Workflow runbooks, and graphical runbooks as child runbooks by using the [Start-AzAutomationRunbook](/powershell/module/az.automation/start-azautomationrunbook) cmdlet, which creates a new job.

+- Runbooks can't use the PowerShell [#Requires](/powershell/module/microsoft.powershell.core/about/about_requires) statement, it is not supported in Azure sandbox or on Hybrid Runbook Workers and might cause the job to fail.

+**Known issues**

+# [PowerShell 7.1 (preview)](#tab/lps71)

+**Limitations**

+- You must be familiar with PowerShell scripting.

+- The Azure Automation internal PowerShell cmdlets are not supported on a Linux Hybrid Runbook Worker. You must import the `automationassets` module at the beginning of your Python runbook to access the Automation account shared resources (assets) functions.

+- For the PowerShell 7 runtime version, the module activities are not extracted for the imported modules.

+- *PSCredential* runbook parameter type is not supported in PowerShell 7 runtime version.

+- PowerShell 7.x does not support workflows. See [this](/powershell/scripting/whats-new/differences-from-windows-powershell?view=powershell-7.1#powershell-workflow&preserve-view=true) for more details.

+- PowerShell 7.x currently does not support signed runbooks.

+- Source control integration doesn't support PowerShell 7.1 (preview) Also, PowerShell 7.1 (preview) runbooks in source control gets created in Automation account as Runtime 5.1.

+**Known issues**

+# [PowerShell 7.2 (preview)](#tab/lps72)

+**Limitations**

+> [!NOTE]

+> Currently, PowerShell 7.2 (preview) runtime version is supported in five regions for Cloud jobs only: West Central US, East US, South Africa North, North Europe, and Australia Southeast.

+- You must be familiar with PowerShell scripting.

+- For the PowerShell 7 runtime version, the module activities are not extracted for the imported modules.

+- *PSCredential* runbook parameter type is not supported in PowerShell 7 runtime version.

+- PowerShell 7.x does not support workflows. See [this](/powershell/scripting/whats-new/differences-from-windows-powershell?view=powershell-7.1#powershell-workflow&preserve-view=true) for more details.

+- PowerShell 7.x currently does not support signed runbooks.

+- Source control integration doesn't support PowerShell 7.2 (preview). Also, PowerShell 7.2 (preview) runbooks in source control gets created in Automation account as Runtime 5.1.

+- Currently, only cloud jobs are supported for PowerShell 7.2 (preview) runtime versions.

+- Logging job operations to the Log Analytics workspace through linked workspace or diagnostics settings are not supported.

+- Currently, PowerShell 7.2 (preview) runbooks are only supported from Azure portal. Rest API and PowerShell is not supported.

+- Az module 8.3.0 is installed by default and cannot be managed at the automation account level. Use custom modules to override the Az module to the desired version.

+- The imported PowerShell 7.2 (preview) module would be validated during job execution. Ensure that all dependencies for the selected module are also imported for successful job execution.

+**Known issues**

+- Executing child scripts using `.\child-runbook.ps1` is not supported in this preview.

+ **Workaround**: Use `Start-AutomationRunbook` (internal cmdlet) or `Start-AzAutomationRunbook` (from *Az.Automation* module) to start another runbook from parent runbook.

+- Runbook properties defining logging preference is not supported in PowerShell 7 runtime.

+ **Workaround**: Explicitly set the preference at the start of the runbook as below -

+ ```

+ $VerbosePreference = "Continue"

+ $ProgressPreference = "Continue"

+ ```

+> [!NOTE]

+> PowerShell 7.1 (preview) and PowerShell 7.2 (preview) do not support Workflow runbooks.

+Python runbooks compile under Python 2, Python 3.8 (preview) and Python 3.10 (preview). You can directly edit the code of the runbook using the text editor in the Azure portal. You can also use an offline text editor and [import the runbook](manage-runbooks.md) into Azure Automation.

+* Python 3.10 (preview) runbooks are currently supported in five regions for cloud jobs only:

+ - West Central US

+ - East US

+ - South Africa North

+ - North Europe

+ - Australia Southeast

+> [!NOTE]

+> Importing a Python package may take several minutes.

+

+- Uses the robust Python libraries.

+- Can run in Azure or on Hybrid Runbook Workers.

+- For Python 2, Windows Hybrid Runbook Workers are supported with [python 2.7](https://www.python.org/downloads/release/latest/python2) installed.

+- For Python 3.8 (preview) Cloud Jobs, Python 3.8 (preview) version is supported. Scripts and packages from any 3.x version might work if the code is compatible across different versions.

+- For Python 3.8 (preview) Hybrid jobs on Windows machines, you can choose to install any 3.x version you may want to use.

+- For Python 3.8 (preview) Hybrid jobs on Linux machines, we depend on the Python 3 version installed on the machine to run DSC OMSConfig and the Linux Hybrid Worker. Different versions should work if there are no breaking changes in method signatures or contracts between versions of Python 3.

+Following are the limitations of Python runbooks

+# [Python 2.7](#tab/py27)

+- You must be familiar with Python scripting.

+- For Python 2.7.12 modules use wheel files cp27-amd6.

+- To use third-party libraries, you must [import the packages](python-packages.md) into the Automation account.

+- Azure Automation doesn't supportΓÇ»**sys.stderr**.

+- The Python **automationassets** package is not available on pypi.org, so it's not available for import onto a Windows machine.

+# [Python 3.8 (preview)](#tab/py38)

+- You must be familiar with Python scripting.

+- For Python 3.8 (preview) modules, use wheel files targeting cp38-amd64.

+- To use third-party libraries, you must [import the packages](python-packages.md) into the Automation account.

+- Using **Start-AutomationRunbook** cmdlet in PowerShell/PowerShell Workflow to start a Python 3.8 (preview) runbook (preview) doesn't work. You can use **Start-AzAutomationRunbook** cmdlet from Az.Automation module or **Start-AzureRmAutomationRunbook** cmdlet from AzureRm.Automation module to work around this limitation. 

+- Azure Automation doesn't supportΓÇ»**sys.stderr**.

+- The Python **automationassets** package is not available on pypi.org, so it's not available for import onto a Windows machine.

+# [Python 3.10 (preview)](#tab/py10)

+**Limitations**

+- For Python 3.10 (preview) modules, currently, only the wheel files targeting cp310 Linux OS are supported. [Learn more](./python-3-packages.md)

+- Currently, only cloud jobs are supported for Python 3.10 (preview) runtime versions.

+- Custom packages for Python 3.10 (preview) are only validated during job runtime. Job is expected to fail if the package is not compatible in the runtime or if required dependencies of packages are not imported into automation account.

+- Currently, Python 3.10 (preview) runbooks are only supported from Azure portal. Rest API and PowerShell is not supported.

+It is applicable for Windows Hybrid workers. For a Windows Runbook Worker, when running a Python 2 runbook it looks for the environment variable `PYTHON_2_PATH` first and validates whether it points to a valid executable file. For example, if the installation folder is `C:\Python2`, it would check if `C:\Python2\python.exe` is a valid path. If not found, then it looks for the `PATH` environment variable to do a similar check.

+For cloud jobs, Python 3.8 jobs sometimes fail with an exception message `invalid interpreter executable path`. You might see this exception if the job is delayed, starting more than 10 minutes, or using **Start-AutomationRunbook** to start Python 3.8 runbooks. If the job is delayed, restarting the runbook should be sufficient. Hybrid jobs should work without any issue if using the following steps:

+## Graphical runbooks

+You can create and edit graphical and graphical PowerShell Workflow runbooks using the graphical editor in the Azure portal. However, you can't create or edit this type of runbook with another tool. Main features of graphical runbooks:

+* Exported to files in your Automation account and then imported into another Automation account.

+* Generate PowerShell code.

+* Converted to or from graphical PowerShell Workflow runbooks during import.

+### Advantages

+* Use visual insert-link-configure authoring model.

+* Focus on how data flows through the process.

+* Visually represent management processes.

+* Include other runbooks as child runbooks to create high-level workflows.

+* Encourage modular programming.

+### Limitations

+* Can't create or edit outside the Azure portal.

+* Might require a code activity containing PowerShell code to execute complex logic.

+* Can't convert to one of the [text formats](automation-runbook-types.md), nor can you convert a text runbook to graphical format.

+* Can't view or directly edit PowerShell code that the graphical workflow creates. You can view the code you create in any code activities.

+* Can't run runbooks on a Linux Hybrid Runbook Worker. See [Automate resources in your datacenter or cloud by using Hybrid Runbook Worker](automation-hybrid-runbook-worker.md).

+* Graphical runbooks can't be digitally signed.

+> When you use the webhook with PowerShell 7 runbook, it auto-converts the webhook input parameter to an invalid JSON. For more information, see [Known issues - PowerShell 7.1 (preview)](./automation-runbook-types.md#limitations-and-known-issues). We recommend that you use the webhook with PowerShell 5 runbook.

+> This article is applicable for PowerShell 5.1; PowerShell 7.1 (preview) and PowerShell 7.2 (preview) don't support workflows.

+This article describes how to import, manage, and use Python 3 (preview) packages in Azure Automation running on the Azure sandbox environment and Hybrid Runbook Workers. Python packages should be downloaded on Hybrid Runbook workers for successful job execution. To help simplify runbooks, you can use Python packages to import the modules you need.

+## Default Python packages

+To support Python 3.8 (preview) runbooks in the Automation service, Azure package 4.0.0 is installed by default in the Automation account. The default version can be overridden by importing Python packages into your Automation account.

+Preference is given to the imported version in your Automation account. To import a single package, see [Import a package](#import-a-package). To import a package with multiple packages, see [Import a package with dependencies](#import-a-package-with-dependencies).

+There are no default packages installed for Python 3.10 (preview).

+Azure Automation supports only a Python package that only contains Python code and doesn't include other language extensions or code in other languages. However, the Azure Sandbox environment might not have the required compilers for C/C++ binaries, so it's recommended to use [wheel files](https://pythonwheels.com/) instead.

+> [!NOTE]

+> Currently, Python 3.10 (preview) only supports wheel files.

+The [Python Package Index](https://pypi.org/) (PyPI) is a repository of software for the Python programming language. When selecting a Python 3 package to import into your Automation account from PyPI, note the following filename parts:

+Select a Python version:

+#### [Python 3.8 (preview)](#tab/py3)

+|cp38|Automation supports **Python 3.8 (preview)** for Cloud jobs.|

+For example:

+- To import pandas - select a wheel file with a name similar as `pandas-1.2.3-cp38-win_amd64.whl`.

+Some Python packages available on PyPI don't provide a wheel file. In this case, download the source (.zip or .tar.gz file) and generate the wheel file using `pip`.

+Perform the following steps using a 64-bit Windows machine with Python 3.8.x and wheel package installed:

+1. Run pip to get the wheel file with the following command: `pip wheel --no-deps pandas-1.2.4.tar.gz`

+#### [Python 3.10 (preview)](#tab/py10)

+| Filename part | Description |

+|||

+|cp310|Automation supports **Python 3.10 (preview)** for Cloud jobs.|

+|manylinux_x86_64|Azure sandbox processes are Linux based 64-bit architecture for Python 3.10 (preview) runbooks.

+For example:

+- To import pandas - select a wheel file with a name similar as `pandas-1.5.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl`

+Some Python packages available on PyPI don't provide a wheel file. In this case, download the source (.zip or .tar.gz file) and generate the wheel file using pip.

+Perform the following steps using a 64-bit Linux machine with Python 3.10.x and wheel package installed:

+1. Download the source file `pandas-1.2.4.tar.gz.`

+1. Run pip to get the wheel file with the following command: `pip wheel --no-deps pandas-1.2.4.tar.gz`

+1. On the **Add Python Package** page, select a local package to upload. The package can be a **.whl** or **.tar.gz** file for Python 3.8 (preview) and **.whl** file for Python 3.10 (preview).

+1. Enter a name and select the **Runtime Version** as Python 3.8 (preview) or Python 3.10 (preview).

+ > [!NOTE]

+ > Python 3.10 (preview) runtime version is currently supported in five regions for Cloud jobs only: West Central US, East US, South Africa North, North Europe, Australia Southeast.

+ :::image type="content" source="media/python-3-packages/upload-package.png" alt-text="Screenshot shows the Add Python 3.8 (preview) Package page with an uploaded tar.gz file selected.":::

+You can import a Python 3.8 (preview) package and its dependencies by importing the following Python script into a Python 3 runbook, and then running it.

+> [!NOTE]

+> Currently, importing a runbook from Azure Portal isn't supported for Python 3.10 (preview).

+#!/usr/bin/env python3

+import os

+import requests

+# printing environment variables

+endPoint = os.getenv('IDENTITY_ENDPOINT')+"?resource=https://management.azure.com/"

+identityHeader = os.getenv('IDENTITY_HEADER')

+payload={}

+headers = {

+ 'X-IDENTITY-HEADER': identityHeader,

+ 'Metadata': 'True'

+}

+response = requests.request("GET", endPoint, headers=headers, data=payload)

+print(response.text)

+> The Python `automationassets` package is not available on pypi.org, so it's not available for import on to a Windows hybrid runbook worker.

+### Python 3.8 (preview) PowerShell cmdlets

+#### Add new Python 3.8 (preview) package

+```python

+New-AzAutomationPython3Package -AutomationAccountName tarademo -ResourceGroupName mahja -Name requires.io -ContentLinkUri https://files.pythonhosted.org/packages/7f/e2/85dfb9f7364cbd7a9213caea0e91fc948da3c912a2b222a3e43bc9cc6432/requires.io-0.2.6-py2.py3-none-any.whl

+Response

+ResourceGroupName : mahja

+AutomationAccountName : tarademo

+Name : requires.io

+IsGlobal : False

+Version :

+SizeInBytes : 0

+ActivityCount : 0

+CreationTime : 9/26/2022 1:37:13 PM +05:30

+LastModifiedTime : 9/26/2022 1:37:13 PM +05:30

+ProvisioningState : Creating

+```

+#### List all Python 3.8 (preview) packages

+```python

+Get-AzAutomationPython3Package -AutomationAccountName tarademo -ResourceGroupName mahja

+Response :

+ResourceGroupName : mahja

+AutomationAccountName : tarademo

+Name : cryptography

+IsGlobal : False

+Version :

+SizeInBytes : 0

+ActivityCount : 0

+CreationTime : 9/26/2022 11:52:28 AM +05:30

+LastModifiedTime : 9/26/2022 12:11:00 PM +05:30

+ProvisioningState : Failed

+ResourceGroupName : mahja

+AutomationAccountName : tarademo

+Name : requires.io

+IsGlobal : False

+Version :

+SizeInBytes : 0

+ActivityCount : 0

+CreationTime : 9/26/2022 1:37:13 PM +05:30

+LastModifiedTime : 9/26/2022 1:39:04 PM +05:30

+ProvisioningState : ContentValidated

+ResourceGroupName : mahja

+AutomationAccountName : tarademo

+Name : sockets

+IsGlobal : False

+Version : 1.0.0

+SizeInBytes : 4495

+ActivityCount : 0

+CreationTime : 9/20/2022 12:46:28 PM +05:30

+LastModifiedTime : 9/22/2022 5:03:42 PM +05:30

+ProvisioningState : Succeeded

+```

+#### Obtain details about specific package

+```python

+Get-AzAutomationPython3Package -AutomationAccountName tarademo -ResourceGroupName mahja -Name sockets

+Response

+ResourceGroupName : mahja

+AutomationAccountName : tarademo

+Name : sockets

+IsGlobal : False

+Version : 1.0.0

+SizeInBytes : 4495

+ActivityCount : 0

+CreationTime : 9/20/2022 12:46:28 PM +05:30

+LastModifiedTime : 9/22/2022 5:03:42 PM +05:30

+ProvisioningState : Succeeded

+```

+#### Remove Python 3.8 (preview) package

+```python

+Remove-AzAutomationPython3Package -AutomationAccountName tarademo -ResourceGroupName mahja -Name sockets

+```

+#### Update Python 3.8 (preview) package

+```python

+Set-AzAutomationPython3Package -AutomationAccountName tarademo -ResourceGroupName mahja -Name requires.io -ContentLinkUri https://files.pythonhosted.org/packages/7f/e2/85dfb9f7364cbd7a9213caea0e91fc948da3c912a2b222a3e43bc9cc6432/requires.io-0.2.6-py2.py3-none-any.whl

+ResourceGroupName : mahja

+AutomationAccountName : tarademo

+Name : requires.io

+IsGlobal : False

+Version : 0.2.6

+SizeInBytes : 10109

+ActivityCount : 0

+CreationTime : 9/26/2022 1:37:13 PM +05:30

+LastModifiedTime : 9/26/2022 1:43:12 PM +05:30

+ProvisioningState : Creating

+```

+ Title: Quickstart for using Azure App Configuration with Python apps using the Python provider | Microsoft Docs

+description: In this quickstart, create a Python app with the Azure App Configuration Python provider to centralize storage and management of application settings separate from your code.

+ms.devlang: python

+#Customer intent: As a Python developer, I want to manage all my app settings in one place.

+# Quickstart: Create a Python app with the Azure App Configuration Python provider

+In this quickstart, you will use the Python provider for Azure App Configuration to centralize storage and management of application settings using the [Azure App Configuration Python provider client library](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/appconfiguration/azure-appconfiguration-provider).

+The Python App Configuration provider is a library running on top of the Azure SDK for Python, helping Python developers easily consume the App Configuration service. It enables configuration settings to be used like a dictionary.

+## Prerequisites

+- Azure subscription - [create one for free](https://azure.microsoft.com/free/)

+- Python 3.6 or later - for information on setting up Python on Windows, see the [Python on Windows documentation](/windows/python/)

+## Create an App Configuration store

+9. Select **Configuration Explorer** > **Create** > **Key-value** to add the following key-value pairs:

+ | Key | Value | Label | Content type |

+ |-|-|-|--|

+ | *message* | *Hello* | Leave empty | Leave empty |

+ | *test.message* | *Hello test* | Leave empty | Leave empty |

+ | *my_json* | *{"key":"value"}* | Leave empty | *application/json* |

+10. Select **Apply**.

+## Set up the Python app

+1. Create a new directory for the project named *app-configuration-quickstart*.

+ ```console

+ mkdir app-configuration-quickstart

+ ```

+1. Switch to the newly created *app-configuration-quickstart* directory.

+ ```console

+ cd app-configuration-quickstart

+ ```

+1. Install the Azure App Configuration provider by using the `pip install` command.

+ ```console

+ pip install azure-appconfiguration-provider

+ ```

+1. Create a new file called *app-configuration-quickstart.py* in the *app-configuration-quickstart* directory and add the following code:

+ ```python

+ from azure.appconfiguration.provider import (

+ AzureAppConfigurationProvider,

+ SettingSelector

+ )

+ import os

+ connection_string = os.environ.get("AZURE_APPCONFIG_CONNECTION_STRING")

+ # Connect to Azure App Configuration using a connection string.

+ config = AzureAppConfigurationProvider.load(

+ connection_string=connection_string)

+ # Find the key "message" and print its value.

+ print(config["message"])

+ # Find the key "my_json" and print the value for "key" from the dictionary.

+ print(config["my_json"]["key"])

+ # Connect to Azure App Configuration using a connection string and trimmed key prefixes.

+ trimmed = {"test."}

+ config = AzureAppConfigurationProvider.load(

+ connection_string=connection_string, trimmed_key_prefixes=trimmed)

+ # From the keys with trimmed prefixes, find a key with "message" and print its value.

+ print(config["message"])

+ # Connect to Azure App Configuration using SettingSelector.

+ selects = {SettingSelector("message*", "\0")}

+ config = AzureAppConfigurationProvider.load(

+ connection_string=connection_string, selects=selects)

+ # Print True or False to indicate if "message" is found in Azure App Configuration.

+ print("message found: " + str("message" in config))

+ print("test.message found: " + str("test.message" in config))

+ ```

+## Configure your App Configuration connection string

+1. Set an environment variable named **AZURE_APPCONFIG_CONNECTION_STRING**, and set it to the connection string of your App Configuration store. At the command line, run the following command:

+ ### [Windows command prompt](#tab/windowscommandprompt)

+ To build and run the app locally using the Windows command prompt, run the following command and replace `<app-configuration-store-connection-string>` with the connection string of your app configuration store:

+ ```cmd

+ setx AZURE_APPCONFIG_CONNECTION_STRING "connection-string-of-your-app-configuration-store"

+ ```

+ ### [PowerShell](#tab/powershell)

+ If you use Windows PowerShell, run the following command and replace `<app-configuration-store-connection-string>` with the connection string of your app configuration store:

+ ```azurepowershell

+ $Env:AZURE_APPCONFIG_CONNECTION_STRING = "<app-configuration-store-connection-string>"

+ ```

+ ### [macOS](#tab/unix)

+ If you use macOS, run the following command and replace `<app-configuration-store-connection-string>` with the connection string of your app configuration store:

+ ```console

+ export AZURE_APPCONFIG_CONNECTION_STRING='<app-configuration-store-connection-string>'

+ ```

+ ### [Linux](#tab/linux)

+ If you use Linux, run the following command and replace `<app-configuration-store-connection-string>` with the connection string of your app configuration store:

+ ```console

+ export AZURE_APPCONFIG_CONNECTION_STRING='<app-configuration-store-connection-string>'

+ ```

+1. Restart the command prompt to allow the change to take effect. Print out the value of the environment variable to validate that it is set properly with the command below.

+ ### [Windows command prompt](#tab/windowscommandprompt)

+ Using the Windows command prompt, run the following command:

+ ```cmd

+ printenv AZURE_APPCONFIG_CONNECTION_STRING

+ ```

+ ### [PowerShell](#tab/powershell)

+ If you use Windows PowerShell, run the following command:

+ ```azurepowershell

+ $Env:AZURE_APPCONFIG_CONNECTION_STRING

+ ```

+ ### [macOS](#tab/unix)

+ If you use macOS, run the following command:

+ ```console

+ echo "$AZURE_APPCONFIG_CONNECTION_STRING"

+ ```

+ ### [Linux](#tab/linux)

+ If you use Linux, run the following command:

+ ```console

+ echo "$AZURE_APPCONFIG_CONNECTION_STRING"

+1. After the build successfully completes, run the following command to run the app locally:

+ ```python

+ python app-configuration-quickstart.py

+ ```

+ You should see the following output:

+ ```Output

+ Hello

+ value

+ Hello test

+ message found: True

+ test.message found: False

+ ```

+## Clean up resources

+## Next steps

+In this quickstart, you created a new App Configuration store and learned how to access key-values from a Python app.

+For additional code samples, visit:

+> [!div class="nextstepaction"]

+> [Azure App Configuration Python provider](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/appconfiguration/azure-appconfiguration-provider)

+

+ Title: Quickstart for using Azure App Configuration with Python apps using the Azure SDK for Python | Microsoft Docs

+description: In this quickstart, create a Python app with the Azure SDK for Python to centralize storage and management of application settings separate from your code.

+# Quickstart: Create a Python app with the Azure SDK for Python

+In this quickstart, you will use the Azure SDK for Python to centralize storage and management of application settings using the [Azure App Configuration client library for Python](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/appconfiguration/azure-appconfiguration).

+To use Azure App Configuration with the Python provider instead of the SDK, go to [Python provider](./quickstart-python-provider.md). The Python provider enables loading configuration settings from an Azure App Configuration store in a managed way.

+- Python 3.6 or later - for information on setting up Python on Windows, see the [Python on Windows documentation](/windows/python/)

+9. Select **Configuration Explorer** > **Create** > **Key-value** to add the following key-value pairs:

+ | Key | Value |

+ |-|-|

+ | *TestApp:Settings:Message* | *Data from Azure App Configuration* |

+10. Select **Apply**.

+> The code snippets in this quickstart will help you get started with the App Configuration client library for Python. For your application, you should also consider handling exceptions according to your needs. To learn more about exception handling, please refer to our [Python SDK documentation](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/appconfiguration/azure-appconfiguration).

+1. Set an environment variable named **AZURE_APPCONFIG_CONNECTION_STRING**, and set it to the connection string of your App Configuration store. At the command line, run the following command:

+ ### [Windows command prompt](#tab/windowscommandprompt)

+ To build and run the app locally using the Windows command prompt, run the following command and replace `<app-configuration-store-connection-string>` with the connection string of your app configuration store:

+ setx AZURE_APPCONFIG_CONNECTION_STRING "connection-string-of-your-app-configuration-store"

+ ```

+ ### [PowerShell](#tab/powershell)

+ If you use Windows PowerShell, run the following command and replace `<app-configuration-store-connection-string>` with the connection string of your app configuration store:

+ ```azurepowershell

+ $Env:AZURE_APPCONFIG_CONNECTION_STRING = "<app-configuration-store-connection-string>"

+ ### [macOS](#tab/unix)

+ If you use macOS, run the following command and replace `<app-configuration-store-connection-string>` with the connection string of your app configuration store:

+ ```console

+ export AZURE_APPCONFIG_CONNECTION_STRING='<app-configuration-store-connection-string>'

+ ```

+ ### [Linux](#tab/linux)

+ If you use Linux, run the following command and replace `<app-configuration-store-connection-string>` with the connection string of your app configuration store:

+ ```console

+ export AZURE_APPCONFIG_CONNECTION_STRING='<app-configuration-store-connection-string>'

+ ```

+1. Restart the command prompt to allow the change to take effect. Print out the value of the environment variable to validate that it is set properly with the command below.

+ ### [Windows command prompt](#tab/windowscommandprompt)

+ Using the Windows command prompt, run the following command:

+ ```cmd

+ printenv AZURE_APPCONFIG_CONNECTION_STRING

+ ```

+ ### [PowerShell](#tab/powershell)

+ $Env:AZURE_APPCONFIG_CONNECTION_STRING

+ ### [macOS](#tab/unix)

+ If you use macOS, run the following command:

+ echo "$AZURE_APPCONFIG_CONNECTION_STRING"

+ ### [Linux](#tab/linux)

+ If you use Linux, run the following command:

+ ```console

+ echo "$AZURE_APPCONFIG_CONNECTION_STRING"

+ ```

+1. Restart the command prompt to allow the change to take effect. Print out the value of the environment variable to validate that it is set properly.

+Learn below how to:

+- [Connect to an App Configuration store](#connect-to-an-app-configuration-store)

+- [Get a configuration setting](#get-a-configuration-setting)

+- [Add a configuration setting](#add-a-configuration-setting)

+- [Get a list of configuration settings](#get-a-list-of-configuration-settings)

+- [Lock a configuration setting](#lock-a-configuration-setting)

+- [Unlock a configuration setting](#unlock-a-configuration-setting)

+- [Update a configuration setting](#update-a-configuration-setting)

+- [Delete a configuration setting](#delete-a-configuration-setting)

+ connection_string = os.getenv('AZURE_APPCONFIG_CONNECTION_STRING')

+The following code snippet creates a `ConfigurationSetting` object with `key` and `value` fields and invokes the `add_configuration_setting` method.

+ connection_string = os.getenv('AZURE_APPCONFIG_CONNECTION_STRING')

+> [Azure App Configuration client library samples](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/appconfiguration/azure-appconfiguration/samples)

+To help troubleshoot issues with `sourceControlConfigurations` resource (Flux v1), run these Azure CLI commands with `--debug` parameter specified:

+To help troubleshoot issues with `fluxConfigurations` resource (Flux v2), run these Azure CLI commands with the `--debug` parameter specified:

+1. In [GitHub](https://github.com/), go to your repository.

+1. Select **Security > Secrets and variables > Actions**.

+1. Select **New repository secret**.

+1. Add a new secret with the name `AZURE_FUNCTIONAPP_PUBLISH_PROFILE` and the value set to the contents of the publishing profile file.

+1. Select **Add secret**.

+| Getting started | Concepts| Samples |

+| <ul><li>[Python function using Visual Studio Code](./create-first-function-vs-code-python.md?pivots=python-mode-decorators)</li><li>[Python function with terminal/command prompt](./create-first-function-cli-python.md?pivots=python-mode-decorators)</li></ul> | <ul><li>[Developer guide](functions-reference.md)</li><li>[Hosting options](functions-scale.md)</li><li>[Performance&nbsp;considerations](functions-best-practices.md)</li></ul> | <li>[Code Examples](functions-bindings-triggers-python.md)</li> |

+At this time, only specific triggers and bindings are supported by the v2 programming model. For more information, see [Triggers and inputs](#triggers-and-inputs).

+As an example, the following code demonstrates how to define a Blob storage input binding:

+ "AzureWebJobsStorage": "<azure-storage-connection-string>",

+ "AzureWebJobsFeatureFlags": "EnableWorkerIndexing"

+| [HTTP](functions-bindings-triggers-python.md#http-trigger) | x | | |

+| [Timer](functions-bindings-triggers-python.md#timer-trigger) | x | | |

+| [Azure Queue Storage](functions-bindings-triggers-python.md#azure-queue-storage-trigger) | x | | x |

+| [Azure Service Bus topic](functions-bindings-triggers-python.md#azure-service-bus-topic-trigger) | x | | x |

+| [Azure Service Bus queue](functions-bindings-triggers-python.md#azure-service-bus-queue-trigger) | x | | x |

+| [Azure Cosmos DB](functions-bindings-triggers-python.md#azure-eventhub-trigger) | x | x | x |

+| [Azure Blob Storage](functions-bindings-triggers-python.md#blob-trigger) | x | x | x |

+| [Azure Hub](functions-bindings-triggers-python.md#azure-eventhub-trigger) | x | | x |

+For more examples, see [Python V2 model Azure Functions triggers and bindings (preview)](functions-bindings-triggers-python.md).

+ "version": "[3.*, 4.0.0)"

+You can use ASGI and WSGI-compatible frameworks such as Flask and FastAPI with your HTTP-triggered Python functions. You must first update the host.json file to include an HTTP `routePrefix`, as shown in the following example:

+```json

+{

+ "version": "2.0",

+ "logging":

+ {

+ "applicationInsights":

+ {

+ "samplingSettings":

+ {

+ "isEnabled": true,

+ "excludedTypes": "Request"

+ }

+ }

+ },

+ "extensionBundle":

+ {

+ "id": "Microsoft.Azure.Functions.ExtensionBundle",

+ "version": "[2.*, 3.0.0)"

+ },

+ "extensions":

+ {

+ "http":

+ {

+ "routePrefix": ""

+ }

+ }

+}

+```

+The framework code looks like the following example:

+| Version 3.x | Buster | [Python 3.7](https://github.com/Azure/azure-functions-docker/blob/master/host/3.0/buster/amd64/python/python37/python37.Dockerfile)<br />[Python 3.8](https://github.com/Azure/azure-functions-docker/blob/master/host/3.0/buster/amd64/python/python38/python38.Dockerfile)<br/> [Python 3.9](https://github.com/Azure/azure-functions-docker/blob/master/host/3.0/buster/amd64/python/python39/python39.Dockerfile)|

+[HttpResponse]: /python/api/azure-functions/azure.functions.httpresponse

+Specifically with the v2 model, here are some known issues and their workarounds:

+* [Multiple Python workers not supported](#multiple-python-workers-not-supported)

+* [Could not load file or assembly](#troubleshoot-could-not-load-file-or-assembly)

+* [Unable to resolve the Azure Storage connection named Storage](#troubleshoot-unable-to-resolve-the-azure-storage-connection)

+* [Issues with deployment](#issue-with-deployment)

+General troubleshooting guides for Python Functions include:

+#### Disk encryption for virtual machines

+You can encrypt the storage that supports these virtual machines in one of two ways to support necessary encryption standards.

+- Use Azure Disk Encryption to encrypt the drives by using dm-crypt (Linux) or BitLocker (Windows):

+ - [Enable Azure Disk Encryption for Linux](../virtual-machines/linux/disk-encryption-overview.md)

+ - [Enable Azure Disk Encryption for Windows](../virtual-machines/windows/disk-encryption-overview.md)

+- Use Azure Storage service encryption for storage accounts with your own key to encrypt the storage account that holds the disks:

+ - [Storage service encryption with customer-managed keys](../storage/common/customer-managed-keys-configure-key-vault.md)

+#### Disk encryption for virtual machine scale sets

+You can encrypt disks that support virtual machine scale sets by using Azure Disk Encryption:

+- [Encrypt disks in virtual machine scale sets](../virtual-machine-scale-sets/disk-encryption-key-vault.md)

+When you use a secure webhook action, you must use Azure AD to secure the connection between your action group and your protected web API, which is your webhook endpoint. For an overview of Azure AD applications and service principals, see [Microsoft identity platform (v2.0) overview](../../active-directory/develop/v2-overview.md). Follow these steps to take advantage of the secure webhook functionality.

+> [!NOTE]

+>

+> Basic authentication is not supported for SecureWebhok. To use basic authentication you must use Webhook.

+> [!NOTE]

+>

+> Using "All" as a dimension value is equivalent to selecting "\*" (all current and future values).

+### Why am I missing telemetry data?

+Both [TelemetryChannels](telemetry-channels.md#what-are-telemetry-channels) will lose buffered telemetry if it isn't flushed before an application shuts down.

+To avoid data loss, flush the TelemetryClient when an application is shutting down.

+For more information, see [Flushing data](#flushing-data).

+TelemetryConfiguration.Active.ConnectionString = "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://xxxx.applicationinsights.azure.com/";

+TelemetryConfiguration.Active.SetAzureTokenCredential(credential);

+> **Java** based applications running on Azure VMs and VMSS are monitored with the **[Application Insights Java 3.0 agent](./java-in-process-agent.md)**, which is generally available.

+### [.NET Framework](#tab/net)

+The Application Insights Agent auto-collects the same dependency signals out-of-the-box as the SDK. See [Dependency auto-collection](./auto-collect-dependencies.md#net) to learn more.

+### [.NET Core / .NET](#tab/core)

+The Application Insights Agent auto-collects the same dependency signals out-of-the-box as the SDK. See [Dependency auto-collection](./auto-collect-dependencies.md#net) to learn more.

+> The steps below do not apply to Node.js and Python applications, which require SDK instrumentation.

+1. The top row on this chart represents the entry point. It's the incoming request to the first component called in this transaction. The duration is the total time taken for the transaction to complete.

+1. Any calls to external dependencies are simple noncollapsible rows, with icons that represent the dependency type.

+1. Calls to other components are collapsible rows. Each row corresponds to a specific operation invoked at the component.

+1. By default, the request, dependency, or exception that you selected appears on the right side. Select any row to see its [details](#details-of-the-selected-telemetry).

+This error indicates that the browser was unable to call into a required API or the API returned a failure response. To troubleshoot the behavior, open a browser [InPrivate window](https://support.microsoft.com/microsoft-edge/browse-inprivate-in-microsoft-edge-cd2c9a48-0bc4-b98e-5e46-ac40c84e27e2) and [disable any browser extensions](https://support.microsoft.com/microsoft-edge/add-turn-off-or-remove-extensions-in-microsoft-edge-9c0ec68c-2fbc-2f2c-9ff0-bdc76f46b026) that are running, then identify if you can still reproduce the portal behavior. If the portal error still occurs, try testing with other browsers, or other machines, investigate DNS or other network related issues from the client machine where the API calls are failing. If the portal error persists and requires further investigations, then [collect a browser network trace](../../azure-portal/capture-browser-trace.md#capture-a-browser-trace-for-troubleshooting) while you reproduce the unexpected portal behavior and open a support case from the Azure portal.

+- The template needs to be deployed in the Azure Managed Grafana workspaces resource group.

+The system assigned identity for the Azure Managed Grafana resource is also required. To get to it, open the **Overview** page for the Azure Managed Grafana instance and select the JSON view. Copy the value of the `principalId` field for the `SystemAssigned` identity.

+Please assign the `Monitoring Data Reader` on the Azure Monitor Workspace for the Grafana System Identity i.e. take the principal ID that you got from the Azure Managed Grafana Resource, open the Access Control Blade for the Azure Monitor Workspace and assign the `Monitoring Data Reader` Built-In role to the principal ID (System Assigned MSI for the Azure Managed Grafana resource). This will let the Azure Managed Grafana resource read data from the Azure Monitor Workspace and is a requirement for viewing the metrics.

+ },

+ "azureMonitorWorkspaceResourceId": "[parameters('azureMonitorWorkspaceResourceId')]"

+ For e.g. In the above code snippet `full_resource_id_1` and `full_resource_id_2` were already present on the Azure Managed Grafana resource and we're manually adding them to the ARM template. The final `azureMonitorWorkspaceResourceId` already exists in the template and is being used to link to the Azure Monitor Workspace resource ID provided in the parameters file. Please note, You do not have to replace `full_resource_id_1` and `full_resource_id_2` and any other resource id's if no integrations are found in the retrieval step.

+Currently, Azure CLI is the only option to remove the metrics addon and stop sending Prometheus metrics to Azure Monitor managed service for Prometheus.

+The aks-preview extension needs to be installed using the command `az extension add --name aks-preview`. For more information on how to install a CLI extension, see [Use and manage extensions with the Azure CLI](/azure/azure-cli-extensions-overview). The following command removes the agent from the cluster nodes and deletes the recording rules created for the data being collected from the cluster, it doesn't remove the DCE, DCR, or the data already collected and stored in your Azure Monitor workspace.

+> If you need to delete a resource, you should first delete its diagnostic settings. Otherwise, if you recreate this resource, the diagnostic settings for the deleted resource could be included with the new resource, depending on the resource configuration for each resource. If the diagnostics settings are included with the new resource, this resumes the collection of resource logs as defined in the diagnostic setting and sends the applicable metric and log data to the previously configured destination.

+>

+>Also, itΓÇÖs a good practice to delete the diagnostic settings for a resource you're going to delete and don't plan on using again to keep your environment clean.

+### DNS requirements

+# Use availability zones for high availability in Azure NetApp Files (preview)

+>[!IMPORTANT]

+>Availability zone volume placement in Azure NetApp Files is currently in preview. Refer to [Manage availability zone volume placement](manage-availability-zone-volume-placement.md#register-the-feature) for details on registering the feature.

+1. Select **Security > Secrets and variables > Actions > New repository secret**.

+> [!IMPORTANT]

+>Changing the Azure NetApp Files volumes tier after creating the datastore will result in unexpected behavior in portal and API due to metadata mismatch. Set your performance tier of the Azure NetApp Files volume when creating the datastore. If you need to change tier during run time, detach the datastore, change the performance tier of the volume and attach the datastore. We are working on improvements to make this seamless.

+ | **Netmask** | Netmask of the MSA to be deployed, for example, **255.255.255.0**. |

+- **Azure Arc** extends Azure management to any infrastructure, including Azure VMware Solution, on-premises, or other cloud platforms. [Azure Arc-enabled servers](../azure-arc/servers/overview.md) lets you manage your Windows and Linux physical servers and virtual machines hosted *outside* of Azure, on your corporate network, or another cloud provider. You can attach a Kubernetes cluster hosted in your Azure VMware Solution environment using [Azure Arc enabled Kubernetes](../azure-arc/kubernetes/overview.md).

+- **Azure Monitor** collects, analyzes, and acts on data from your cloud and on-premises environments. It requires no deployment. You can monitor guest operating system performance to discover and map application dependencies for Azure VMware Solution or on-premises VMs. Your Log Analytics workspace in Azure Monitor enables log collection and performance counter collection using the Log Analytics agent or extensions.

+If you're new to Azure or unfamiliar with any of the services previously mentioned, review the following articles:

+1. Once you've enabled Update Management, you can [deploy updates on VMs and review the results](../automation/update-management/deploy-updates.md).

+Monitor guest operating system performance to discover and map application dependencies for Azure VMware Solution or on-premises VMs. Your Log Analytics workspace in Azure Monitor enables log collection and performance counter collection using the Log Analytics agent or extensions.

+Azure VMware Solution doesn't allow you to manage your private cloud with your on-premises vCenter Server. Instead, you'll need to connect to the Azure VMware Solution vCenter Server instance through a jump box.

+In this tutorial, you'll create a jump box in the resource group you created in the [previous tutorial](tutorial-configure-networking.md) and sign into the Azure VMware Solution vCenter Server. This jump box is a Windows virtual machine (VM) on the same virtual network you created. It provides access to both vCenter Server and the NSX Manager.

+ :::image type="content" source="media/tutorial-access-private-cloud/ss8-azure-w10vm-create.png" alt-text="Screenshot of how to add a new Windows 10 VM for a jump box."lightbox="media/tutorial-access-private-cloud/ss8-azure-w10vm-create.png":::

+1. Enter the required information in the fields, and then select **Review + create**.

+1. In the Azure portal, select your private cloud, and then **Manage** > **Identity**.

+ :::image type="content" source="media/tutorial-access-private-cloud/ss4-display-identity.png" alt-text="Screenshot showing the private cloud vCenter Server and NSX Manager URLs and credentials."lightbox="media/tutorial-access-private-cloud/ss4-display-identity.png":::

+1. Navigate to the VM you created in the preceding step and connect to the virtual machine.

+1. In the Windows VM, open a browser and navigate to the vCenter Server and NSX-T Manager URLs in two tabs.

+ :::image type="content" source="media/tutorial-access-private-cloud/ss5-vcenter-login.png" alt-text="Screenshot showing the VMware vSphere sign in page."lightbox="media/tutorial-access-private-cloud/ss5-vcenter-login.png" border="true":::

+ :::image type="content" source="media/tutorial-access-private-cloud/ss6-vsphere-client-home.png" alt-text="Screenshot showing a summary of Cluster-1 in the vSphere Client."lightbox="media/tutorial-access-private-cloud/ss6-vsphere-client-home.png" border="true":::

+ :::image type="content" source="media/tutorial-access-private-cloud/ss10-nsx-manager-home.png" alt-text="Screenshot of the NSX-T Manager Overview."lightbox="media/tutorial-access-private-cloud/ss10-nsx-manager-home.png" border="true":::

+Because Azure VMware Solution doesn't allow you to manage your private cloud with your cloud vCenter Server at launch, you'll need to do more steps for the configuration. This tutorial covers these steps and related prerequisites.

+When you delete a private cloud, all VMs, their data, clusters, and network address space provisioned get deleted. The dedicated Azure VMware Solution hosts are securely wiped and returned to the free pool.

+3. Enter the name of the private cloud and select **Yes**.

+# Tutorial: Peer on-premises environments to Azure VMware Solution

+After you deploy your Azure VMware Solution private cloud, you'll connect it to your on-premises environment. ExpressRoute Global Reach connects your on-premises environment to your Azure VMware Solution private cloud. The ExpressRoute Global Reach connection is established between the private cloud ExpressRoute circuit and an existing ExpressRoute connection to your on-premises environments.

+1. From **ExpressRoute circuits** in the left navigation, under Settings, select **Authorizations**.

+ :::image type="content" source="media/expressroute-global-reach/start-request-auth-key-on-premises-expressroute.png" alt-text="Select Authorizations and enter the name for the authorization key."lightbox="media/expressroute-global-reach/start-request-auth-key-on-premises-expressroute.png":::

+## Peer private cloud to on-premises

+ :::image type="content" source="./media/expressroute-global-reach/expressroute-global-reach-tab.png" alt-text="Screenshot showing the ExpressRoute Global Reach tab in the Azure VMware Solution private cloud." lightbox="./media/expressroute-global-reach/expressroute-global-reach-tab.png":::

+ :::image type="content" source="./media/expressroute-global-reach/on-premises-cloud-connections.png" alt-text="Screenshot showing the dialog for entering the connection information." lightbox="./media/expressroute-global-reach/on-premises-cloud-connections.png":::

+>:::image type="content" source="./media/expressroute-global-reach/on-premises-connection-disconnect.png" alt-text="Screenshot showing how to disconnect or delete an on-premises connection in Azure VMware Solution." lightbox="./media/expressroute-global-reach/on-premises-connection-disconnect.png":::

+To get the most out of your Azure VMware Solution private cloud experience, scale the clusters and hosts to reflect what you need for planned workloads. You can scale the clusters and hosts in a private cloud as required for your application workload. You should address performance and availability limitations for specific services on a case-by-case basis.

+You'll need an existing private cloud to complete this tutorial. If you haven't created a private cloud, follow the [create a private cloud tutorial](tutorial-create-private-cloud.md) to create one.

+ :::image type="content" source="media/tutorial-scale-private-cloud/ss2-select-add-cluster.png" alt-text="Screenshot showing how to add a cluster to an Azure VMware Solution private cloud." lightbox="media/tutorial-scale-private-cloud/ss2-select-add-cluster.png" border="true":::

+ :::image type="content" source="media/tutorial-scale-private-cloud/ss3-configure-new-cluster.png" alt-text="Screenshot showing how to configure a new cluster." lightbox="media/tutorial-scale-private-cloud/ss3-configure-new-cluster.png" border="true":::

+## Scale a cluster

+1. Select the cluster you want to scale, select **More** (...), then select **Edit**.

+ :::image type="content" source="media/tutorial-scale-private-cloud/ss4-select-scale-private-cloud-2.png" alt-text="Screenshot showing where to edit an existing cluster." lightbox="media/tutorial-scale-private-cloud/ss4-select-scale-private-cloud-2.png" border="true":::

+If you require another Azure VMware Solution private cloud, [create another private cloud](tutorial-create-private-cloud.md) following the same networking prerequisites, cluster, and host limits.

+Azure Backup enables you to easily configure operational backup for protecting block blobs in your storage accounts.

+This article describes how to configure backups for blobs in a storage account via REST API. Backup of blobs is configured at the storage account level. So, all blobs in the storage account are protected with operational backup.

+In this article, you'll learn about:

+> [!div class="checklist"]

+> - Prerequisites

+> - Configure backup

+Once you create the vault and policy, you need to consider two critical points to protect all Azure Blobs within a storage account.

+### Key entities

+#### Storage account that contains the blobs for protection

+Fetch the Azure Resource Manager ID of the storage account which contains the blobs to be protected. This serves as the identifier of the storage account.

+For example, we'll use a storage account named *msblobbackup*, under the resource group *RG-BlobBackup*, in a different subscription and in *west US*.

+The Backup vault requires permissions on the storage account to enable backups on blobs present within the storage account. The system-assigned managed identity of the vault is used for assigning the permissions.

+For example, we'll use a backup vault called *testBkpVault* in *West US* region under *TestBkpVaultRG* resource group.

+You need to assign a few permissions via Azure role-based access control (Azure RBAC) to vault (represented by vault Managed Service Identity) and the relevant storage account. You can do these via Azure portal, PowerShell, or REST API. Learn more about all [related permissions](blob-backup-configure-manage.md#grant-permissions-to-the-backup-vault-on-storage-accounts).

+Once you set the relevant permissions to the vault and storage account, and configure the vault and policy, prepare the request to configure backup.

+The following is the request body to configure backup for all blobs within a storage account. The Azure Resource Manager ID (ARM ID) of the storage account and its details are mentioned in the *datasourceinfo* section and the policy information is present in the *policyinfo* section.

+To validate if the request to configure backup will be successful, use [the validate for backup API](/rest/api/dataprotection/backup-instances/validate-for-backup). You can use the response to perform all required prerequisites and then submit the configuration for backup request.

+*Validate for backup request* is a *POST operation and the URI has `{subscriptionId}`, `{vaultName}`, `{vaultresourceGroupName}` parameters.

+For example, this translates to:

+The [request body](#prepare-the-request-to-configure-backup) that you prepared earlier is used to give the details of the storage account to be protected.

+If the given storage account is already protected, the response is HTTP 400 (Bad request) and clearly states that the given storage account is protected to a backup vault along with details.

+###### Track response

+If the data source is unprotected, then the API proceeds for further validations and creates a tracking operation.

+Track the resulting operation using the *Azure-AsyncOperation* header with a simple *GET* command.

+It returns 200 (OK) once the validation completes and the response body lists further requirements to be fulfilled, such as permissions.

+If all the permissions are granted, then resubmit the validate request and track the resulting operation. It returns 200 (OK) as succeeded, if all the conditions are met.

+Once the request validation is complete, you can submit the same to the [create backup instance API](/rest/api/dataprotection/backup-instances/create-or-update). A Backup instance represents an item protected with data protection service of Azure Backup within the backup vault. In this case, the storage account is the backup instance and you can use the same request body, which was validated above, with minor additions.

+Use a unique name for the backup instance. So, we recommend you use a combination of the resource name and a unique identifier. In this example, use *msblobbackup-f2df34eb-5628-4570-87b2-0331d797c67d* here and mark it as the backup instance name.

+To create or update the backup instance, use the following *PUT* operation.

+Use the same request body that you used to validate the backup request with a unique name as we mentioned [above](#configure-backup).

+Once you submit the *PUT* request to create a backup instance, the initial response is 201 (Created) with an Azure-asyncOperation header.

+>[Note]

+>The request body contains all the backup instance properties.

+Then track the resulting operation using the *Azure-AsyncOperation* header with a simple *GET* command.

+To remove the protection on a storage account and delete the backup data as well, follow [the delete operation process](/rest/api/dataprotection/backup-instances/delete).

+Encrypted disks | Supported.<br/><br/> Azure VMs enabled with Azure Disk Encryption can be backed up (with or without the Azure AD app).<br/><br/> Encrypted VMs can't be recovered at the file/folder level. You must recover the entire VM.<br/><br/> You can enable encryption on VMs that are already protected by Azure Backup. <br><br> You can back up and restore disks encrypted using platform-managed keys (PMKs) or customer-managed keys (CMKs). You can also assign a disk-encryption set while restoring in the same region (that is providing disk-encryption set while performing cross-region restore is currently not supported, however, you can assign the DES to the restored disk after the restore is complete).

+- If you've deleted a container during the retention period, that container won't be restored with the point-in-time restore operation. If you attempt to restore a range of blobs that includes blobs in a deleted container, the point-in-time restore operation will fail. For more information about protecting containers from deletion, see [Soft delete for containers](../storage/blobs/soft-delete-container-overview.md).

+[Overview of operational backup for Azure Blobs](blob-backup-overview.md)

+ > If **target-resource-group** isn't provided, then the managed disks will be restored as unmanaged disks to the given storage account. This will have significant consequences to the restore time since the time taken to restore the disks entirely depends on the given storage account. You'll get the benefit of instant restore only when the target-resource-group parameter is given. If the intention is to restore managed disks as unmanaged then don't provide the **target-resource-group** parameter and instead provide the **restore-as-unmanaged-disk** parameter as shown below. This parameter is available from Azure CLI 3.4.0 onwards.

+A [service tags](../virtual-network/service-tags-overview.md) is a group of IP address prefixes that can be assigned to in-bound and out-bound NSG rules. It automatically handles updates to the group of IP address prefixes without any intervention. This benefits you because you can use service tags to explicitly allow in-bound traffic from Chaos Studio without needing to know the IP addresses of the platform. Currently service tags can be enabled via PowerShell and support will soon be added to the Chaos Studio user interface.

+* Limitation of service tags is that they can only be used with applications that have a public IP address. If a resource only has a private IP address, then service tags will not be able to allow traffic to route to it.

+ Title: Trigger batch inference with trained model

+description: Trigger batch inference with trained model

+# Trigger batch inference with trained model

+You could choose the batch inference API, or the streaming inference API for detection.

+| Batch inference API | Streaming inference API |

+| - | - |

+| More suitable for batch use cases when customers donΓÇÖt need to get inference results immediately and want to detect anomalies and get results over a longer time period.| When customers want to get inference immediately and want to detect multivariate anomalies in real-time, this API is recommended. Also suitable for customers having difficulties conducting the previous compressing and uploading process for inference. |

+|API Name| Method | Path | Description |

+| | - | -- | |

+|**Batch Inference**| POST | `{endpoint}`/anomalydetector/v1.1/multivariate/models/`{modelId}`: detect-batch | Trigger an asynchronous inference with `modelId`, which works in a batch scenario |

+|**Get Batch Inference Results**| GET | `{endpoint}`/anomalydetector/v1.1/multivariate/detect-batch/`{resultId}` | Get batch inference results with `resultId` |

+|**Streaming Inference**| POST | `{endpoint}`/anomalydetector/v1.1/multivariate/models/`{modelId}`: detect-last | Trigger a synchronous inference with `modelId`, which works in a streaming scenario |

+## Trigger a batch inference

+To perform batch inference, provide the blob URL containing the inference data, the start time, and end time. For inference data volume, at least `1 sliding window` length and at most **20000** timestamps.

+This inference is asynchronous, so the results aren't returned immediately. Notice that you need to save in a variable the link of the results in the **response header** which contains the `resultId`, so that you may know where to get the results afterwards.

+Failures are usually caused by model issues or data issues. You can't perform inference if the model isn't ready or the data link is invalid. Make sure that the training data and inference data are consistent, meaning they should be **exactly** the same variables but with different timestamps. More variables, fewer variables, or inference with a different set of variables won't pass the data verification phase and errors will occur. Data verification is deferred so that you'll get error messages only when you query the results.

+### Request

+A sample request:

+```json

+{

+ "dataSource": "{{dataSource}}",

+ "topContributorCount": 3,

+ "startTime": "2021-01-02T12:00:00Z",

+ "endTime": "2021-01-03T00:00:00Z"

+}

+```

+#### Required parameters

+* **dataSource**: This is the Blob URL that linked to your folder or CSV file located in Azure Blob Storage. The schema should be the same as your training data, either OneTable or MultiTable, and the variable number and name should be exactly the same as well.

+* **startTime**: The start time of data used for inference. If it's earlier than the actual earliest timestamp in the data, the actual earliest timestamp will be used as the starting point.

+* **endTime**: The end time of data used for inference, which must be later than or equal to `startTime`. If `endTime` is later than the actual latest timestamp in the data, the actual latest timestamp will be used as the ending point.

+#### Optional parameters

+* **topContributorCount**: This is a number that you could specify N from **1 to 30**, which will give you the details of top N contributed variables in the anomaly results. For example, if you have 100 variables in the model, but you only care the top five contributed variables in detection results, then you should fill this field with 5. The default number is **10**.

+### Response

+A sample response:

+```json

+{

+ "resultId": "aaaaaaaa-5555-1111-85bb-36f8cdfb3365",

+ "summary": {

+ "status": "CREATED",

+ "errors": [],

+ "variableStates": [],

+ "setupInfo": {

+ "dataSource": "https://mvaddataset.blob.core.windows.net/sample-onetable/sample_data_5_3000.csv",

+ "topContributorCount": 3,

+ "startTime": "2021-01-02T12:00:00Z",

+ "endTime": "2021-01-03T00:00:00Z"

+ }

+ },

+ "results": []

+}

+```

+* **resultId**: This is the information that you'll need to trigger **Get Batch Inference Results API**.

+* **status**: This indicates whether you trigger a batch inference task successfully. If you see **CREATED**, then you don't need to trigger this API again, you should use the **Get Batch Inference Results API** to get the detection status and anomaly results.

+## Get batch detection results

+There's no content in the request body, what's required only is to put the resultId in the API path, which will be in a format of:

+**{{endpoint}}anomalydetector/v1.1/multivariate/detect-batch/{{resultId}}**

+### Response

+A sample response:

+```json

+{

+ "resultId": "aaaaaaaa-5555-1111-85bb-36f8cdfb3365",

+ "summary": {

+ "status": "READY",

+ "errors": [],

+ "variableStates": [

+ {

+ "variable": "series_0",

+ "filledNARatio": 0.0,

+ "effectiveCount": 721,

+ "firstTimestamp": "2021-01-02T12:00:00Z",

+ "lastTimestamp": "2021-01-03T00:00:00Z"

+ },

+ {

+ "variable": "series_1",

+ "filledNARatio": 0.0,

+ "effectiveCount": 721,

+ "firstTimestamp": "2021-01-02T12:00:00Z",

+ "lastTimestamp": "2021-01-03T00:00:00Z"

+ },

+ {

+ "variable": "series_2",

+ "filledNARatio": 0.0,

+ "effectiveCount": 721,

+ "firstTimestamp": "2021-01-02T12:00:00Z",

+ "lastTimestamp": "2021-01-03T00:00:00Z"

+ },

+ {

+ "variable": "series_3",

+ "filledNARatio": 0.0,

+ "effectiveCount": 721,

+ "firstTimestamp": "2021-01-02T12:00:00Z",

+ "lastTimestamp": "2021-01-03T00:00:00Z"

+ },

+ {

+ "variable": "series_4",

+ "filledNARatio": 0.0,

+ "effectiveCount": 721,

+ "firstTimestamp": "2021-01-02T12:00:00Z",

+ "lastTimestamp": "2021-01-03T00:00:00Z"

+ }

+ ],

+ "setupInfo": {

+ "dataSource": "https://mvaddataset.blob.core.windows.net/sample-onetable/sample_data_5_3000.csv",

+ "topContributorCount": 3,

+ "startTime": "2021-01-02T12:00:00Z",

+ "endTime": "2021-01-03T00:00:00Z"

+ }

+ },

+ "results": [

+ {

+ "timestamp": "2021-01-02T12:00:00Z",

+ "value": {

+ "isAnomaly": false,

+ "severity": 0.0,

+ "score": 0.3377174139022827,

+ "interpretation": []

+ },

+ "errors": []

+ },

+ {

+ "timestamp": "2021-01-02T12:01:00Z",

+ "value": {

+ "isAnomaly": false,

+ "severity": 0.0,

+ "score": 0.24631972312927247,

+ "interpretation": []

+ },

+ "errors": []

+ },

+ {

+ "timestamp": "2021-01-02T12:02:00Z",

+ "value": {

+ "isAnomaly": false,

+ "severity": 0.0,

+ "score": 0.16678125858306886,

+ "interpretation": []

+ },

+ "errors": []

+ },

+ {

+ "timestamp": "2021-01-02T12:03:00Z",

+ "value": {

+ "isAnomaly": false,

+ "severity": 0.0,

+ "score": 0.23783254623413086,

+ "interpretation": []

+ },

+ "errors": []

+ },

+ {

+ "timestamp": "2021-01-02T12:04:00Z",

+ "value": {

+ "isAnomaly": false,

+ "severity": 0.0,

+ "score": 0.24804904460906982,

+ "interpretation": []

+ },

+ "errors": []

+ },

+ {

+ "timestamp": "2021-01-02T12:05:00Z",

+ "value": {

+ "isAnomaly": false,

+ "severity": 0.0,

+ "score": 0.11487171649932862,

+ "interpretation": []

+ },

+ "errors": []

+ },

+ {

+ "timestamp": "2021-01-02T12:06:00Z",

+ "value": {

+ "isAnomaly": true,

+ "severity": 0.32980116622958083,

+ "score": 0.5666913509368896,

+ "interpretation": [

+ {

+ "variable": "series_2",

+ "contributionScore": 0.4130149677604554,

+ "correlationChanges": {

+ "changedVariables": [

+ "series_0",

+ "series_4",

+ "series_3"

+ ]

+ }

+ },

+ {

+ "variable": "series_3",

+ "contributionScore": 0.2993065960239115,

+ "correlationChanges": {

+ "changedVariables": [

+ "series_0",

+ "series_4",

+ "series_3"

+ ]

+ }

+ },

+ {

+ "variable": "series_1",

+ "contributionScore": 0.287678436215633,

+ "correlationChanges": {

+ "changedVariables": [

+ "series_0",

+ "series_4",

+ "series_3"

+ ]

+ }

+ }

+ ]

+ },

+ "errors": []

+ }

+ ]

+}

+```

+The response contains the result status, variable information, inference parameters, and inference results.

+* **variableStates**: This lists the information of each variable in the inference request.

+* **setupInfo**: This is the request body submitted for this inference.

+* **results**: This contains the detection results. There are three typical types of detection results.

+* Error code `InsufficientHistoricalData`. This usually happens only with the first few timestamps because the model inferences data in a window-based manner and it needs historical data to make a decision. For the first few timestamps, there's insufficient historical data, so inference can't be performed on them. In this case, the error message can be ignored.

+* **isAnomaly**: `false` indicates the current timestamp isn't an anomaly.`true` indicates an anomaly at the current timestamp.

+ * `severity` indicates the relative severity of the anomaly and for abnormal data it's always greater than 0.

+ * `score` is the raw output of the model on which the model makes a decision. `severity` is a derived value from `score`. Every data point has a `score`.

+* **interpretation**: This field only appears when a timestamp is detected as anomalous, which contains `variables`, `contributionScore`, `correlationChanges`.

+* **contributors**: This is a list containing the contribution score of each variable. Higher contribution scores indicate higher possibility of the root cause. This list is often used for interpreting anomalies and diagnosing the root causes.

+* **correlationChanges**: This field only appears when a timestamp is detected as anomalous, which included in interpretation. It contains `changedVariables` and `changedValues` that interpret which correlations between variables changed.

+* **changedVariables**: This field will show which variables that have significant change in correlation with `variable`. The variables in this list are ranked by the extent of correlation changes.

+> [!NOTE]

+> A common pitfall is taking all data points with `isAnomaly`=`true` as anomalies. That may end up with too many false positives.

+> You should use both `isAnomaly` and `severity` (or `score`) to sift out anomalies that are not severe and (optionally) use grouping to check the duration of the anomalies to suppress random noise.

+> Please refer to the [FAQ](../concepts/best-practices-multivariate.md#faq) in the best practices document for the difference between `severity` and `score`.

+## Next steps

+* [Best practices of multivariate anomaly detection](../concepts/best-practices-multivariate.md)

+ Title: Streaming inference with trained model

+description: Streaming inference with trained model

+# Streaming inference with trained model

+You could choose the batch inference API, or the streaming inference API for detection.

+| Batch inference API | Streaming inference API |

+| - | - |

+| More suitable for batch use cases when customers donΓÇÖt need to get inference results immediately and want to detect anomalies and get results over a longer time period.| When customers want to get inference immediately and want to detect multivariate anomalies in real-time, this API is recommended. Also suitable for customers having difficulties conducting the previous compressing and uploading process for inference. |

+|API Name| Method | Path | Description |

+| | - | -- | |

+|**Batch Inference**| POST | `{endpoint}`/anomalydetector/v1.1/multivariate/models/`{modelId}`: detect-batch | Trigger an asynchronous inference with `modelId` which works in a batch scenario |

+|**Get Batch Inference Results**| GET | `{endpoint}`/anomalydetector/v1.1/multivariate/detect-batch/`{resultId}` | Get batch inference results with `resultId` |

+|**Streaming Inference**| POST | `{endpoint}`/anomalydetector/v1.1/multivariate/models/`{modelId}`: detect-last | Trigger a synchronous inference with `modelId`, which works in a streaming scenario |

+## Trigger a streaming inference API

+### Request

+With the synchronous API, you can get inference results point by point in real time, and no need for compressing and uploading task like for training and asynchronous inference. Here are some requirements for the synchronous API:

+* You need to put data in **JSON format** into the API request body.

+* Due to payload limitation, the size of inference data in the request body is limited, which support at most `2880` timestamps * `300` variables, and at least `1 sliding window length`.

+You can submit a bunch of timestamps of multiple variables in JSON format in the request body, with an API call like this:

+**{{endpoint}}/anomalydetector/v1.1/multivariate/models/{modelId}:detect-last**

+A sample request:

+```json

+{

+ "variables": [

+ {

+ "variableName": "Variable_1",

+ "timestamps": [

+ "2021-01-01T00:00:00Z",

+ "2021-01-01T00:01:00Z",

+ "2021-01-01T00:02:00Z"

+ //more timestamps

+ ],

+ "values": [

+ 0.4551378545933972,

+ 0.7388603950488748,

+ 0.201088255984052

+ //more values

+ ]

+ },

+ {

+ "variableName": "Variable_2",

+ "timestamps": [

+ "2021-01-01T00:00:00Z",

+ "2021-01-01T00:01:00Z",

+ "2021-01-01T00:02:00Z"

+ //more timestamps

+ ],

+ "values": [

+ 0.9617871613964145,

+ 0.24903311574778408,

+ 0.4920561254118613

+ //more values

+ ]

+ },

+ {

+ "variableName": "Variable_3",

+ "timestamps": [

+ "2021-01-01T00:00:00Z",

+ "2021-01-01T00:01:00Z",

+ "2021-01-01T00:02:00Z"

+ //more timestamps

+ ],

+ "values": [

+ 0.4030756879437628,

+ 0.15526889968448554,

+ 0.36352226408981103

+ //more values

+ ]

+ }

+ ],

+ "topContributorCount": 2

+}

+```

+#### Required parameters

+* **variableName**: This name should be exactly the same as in your training data.

+* **timestamps**: The length of the timestamps should be equal to **1 sliding window**, since every streaming inference call will use 1 sliding window to detect the last point in the sliding window.

+* **values**: The values of each variable in every timestamp that was inputted above.

+#### Optional parameters

+* **topContributorCount**: This is a number that you could specify N from **1 to 30**, which will give you the details of top N contributed variables in the anomaly results. For example, if you have 100 variables in the model, but you only care the top five contributed variables in detection results, then you should fill this field with 5. The default number is **10**.

+### Response

+A sample response:

+```json

+{

+ "variableStates": [

+ {

+ "variable": "series_0",

+ "filledNARatio": 0.0,

+ "effectiveCount": 1,

+ "firstTimestamp": "2021-01-03T01:59:00Z",

+ "lastTimestamp": "2021-01-03T01:59:00Z"

+ },

+ {

+ "variable": "series_1",

+ "filledNARatio": 0.0,

+ "effectiveCount": 1,

+ "firstTimestamp": "2021-01-03T01:59:00Z",

+ "lastTimestamp": "2021-01-03T01:59:00Z"

+ },

+ {

+ "variable": "series_2",

+ "filledNARatio": 0.0,

+ "effectiveCount": 1,

+ "firstTimestamp": "2021-01-03T01:59:00Z",

+ "lastTimestamp": "2021-01-03T01:59:00Z"

+ },

+ {

+ "variable": "series_3",

+ "filledNARatio": 0.0,

+ "effectiveCount": 1,

+ "firstTimestamp": "2021-01-03T01:59:00Z",

+ "lastTimestamp": "2021-01-03T01:59:00Z"

+ },

+ {

+ "variable": "series_4",

+ "filledNARatio": 0.0,

+ "effectiveCount": 1,

+ "firstTimestamp": "2021-01-03T01:59:00Z",

+ "lastTimestamp": "2021-01-03T01:59:00Z"

+ }

+ ],

+ "results": [

+ {

+ "timestamp": "2021-01-03T01:59:00Z",

+ "value": {

+ "isAnomaly": false,

+ "severity": 0.0,

+ "score": 0.2675322890281677,

+ "interpretation": []

+ },

+ "errors": []

+ }

+ ]

+}

+```

+The response contains the result status, variable information, inference parameters, and inference results.

+* **variableStates**: This lists the information of each variable in the inference request.

+* **setupInfo**: This is the request body submitted for this inference.

+* **results**: This contains the detection results. There are three typical types of detection results.

+* **isAnomaly**: `false` indicates the current timestamp isn't an anomaly.`true` indicates an anomaly at the current timestamp.

+ * `severity` indicates the relative severity of the anomaly and for abnormal data it's always greater than 0.

+ * `score` is the raw output of the model on which the model makes a decision. `severity` is a derived value from `score`. Every data point has a `score`.

+* **interpretation**: This field only appears when a timestamp is detected as anomalous, which contains `variables`, `contributionScore`, `correlationChanges`.

+* **contributors**: This is a list containing the contribution score of each variable. Higher contribution scores indicate higher possibility of the root cause. This list is often used for interpreting anomalies and diagnosing the root causes.

+* **correlationChanges**: This field only appears when a timestamp is detected as anomalous, which is included in interpretation. It contains `changedVariables` and `changedValues` that interpret which correlations between variables changed.

+* **changedVariables**: This field will show which variables that have significant change in correlation with `variable`. The variables in this list are ranked by the extent of correlation changes.

+> [!NOTE]

+> A common pitfall is taking all data points with `isAnomaly`=`true` as anomalies. That may end up with too many false positives.

+> You should use both `isAnomaly` and `severity` (or `score`) to sift out anomalies that are not severe and (optionally) use grouping to check the duration of the anomalies to suppress random noise.

+> Please refer to the [FAQ](../concepts/best-practices-multivariate.md#faq) in the best practices document for the difference between `severity` and `score`.

+## Next steps

+* [Multivariate Anomaly Detection reference architecture](../concepts/multivariate-architecture.md)

+* [Best practices of multivariate anomaly detection](../concepts/best-practices-multivariate.md)

+ Title: Train a Multivariate Anomaly Detection model

+description: Train a Multivariate Anomaly Detection model

+# Train a Multivariate Anomaly Detection model

+To test out Multivariate Anomaly Detection quickly, try the [Code Sample](https://github.com/Azure-Samples/AnomalyDetector)! For more instructions on how to run a jupyter notebook, please refer to [Install and Run a Jupyter Notebook](https://jupyter-notebook-beginner-guide.readthedocs.io/en/latest/install.html#).

+## API Overview

+There are 7 APIs provided in Multivariate Anomaly Detection:

+* **Training**: Use `Train Model API` to create and train a model, then use `Get Model Status API` to get the status and model metadata.

+* **Inference**:

+ * Use `Async Inference API` to trigger an asynchronous inference process and use `Get Inference results API` to get detection results on a batch of data.

+ * You could also use `Sync Inference API` to trigger a detection on one timestamp every time.

+* **Other operations**: `List Model API` and `Delete Model API` are supported in Multivariate Anomaly Detection model for model management.

+

+|API Name| Method | Path | Description |

+| | - | -- | |

+|**Train Model**| POST | `{endpoint}`/anomalydetector/v1.1/multivariate/models | Create and train a model |

+|**Get Model Status**| GET | `{endpoint}`anomalydetector/v1.1/multivariate/models/`{modelId}` | Get model status and model metadata with `modelId` |

+|**Batch Inference**| POST | `{endpoint}`/anomalydetector/v1.1/multivariate/models/`{modelId}`: detect-batch | Trigger an asynchronous inference with `modelId` which works in a batch scenario |

+|**Get Batch Inference Results**| GET | `{endpoint}`/anomalydetector/v1.1/multivariate/detect-batch/`{resultId}` | Get batch inference results with `resultId` |

+|**Streaming Inference**| POST | `{endpoint}`/anomalydetector/v1.1/multivariate/models/`{modelId}`: detect-last | Trigger a synchronous inference with `modelId` which works in a streaming scenario |

+|**List Model**| GET | `{endpoint}`/anomalydetector/v1.1/multivariate/models | List all models |

+|**Delete Model**| DELET | `{endpoint}`/anomalydetector/v1.1/multivariate/models/`{modelId}` | Delete model with `modelId` |

+## Train a model

+In this process, you'll use the following information that you created previously:

+* **Key** of Anomaly Detector resource

+* **Endpoint** of Anomaly Detector resource

+* **Blob URL** of your data in Storage Account

+For training data size, the maximum number of timestamps is **1000000**, and a recommended minimum number is **5000** timestamps.

+### Request

+Here's a sample request body to train a Multivariate Anomaly Detection model.

+```json

+{

+ "slidingWindow": 200,

+ "alignPolicy": {

+ "alignMode": "Outer",

+ "fillNAMethod": "Linear",

+ "paddingValue": 0

+ },

+ "dataSource": "{{dataSource}}", //Example: https://mvaddataset.blob.core.windows.net/sample-onetable/sample_data_5_3000.csv

+ "dataSchema": "OneTable",

+ "startTime": "2021-01-01T00:00:00Z",

+ "endTime": "2021-01-02T09:19:00Z",

+ "displayName": "SampleRequest"

+}

+```

+#### Required parameters

+These three parameters are required in training and inference API requests:

+* **dataSource**: This is the Blob URL that linked to your folder or CSV file located in the Azure Blob Storage.

+* **dataSchema**: This indicates the schema that you're using: `OneTable` or `MultiTable`.

+* **startTime**: The start time of data used for training or inference. If it's earlier than the actual earliest timestamp in the data, the actual earliest timestamp will be used as the starting point.

+* **endTime**: The end time of data used for training or inference, which must be later than or equal to `startTime`. If `endTime` is later than the actual latest timestamp in the data, the actual latest timestamp will be used as the ending point. If `endTime` equals to `startTime`, it means inference of one single data point, which is often used in streaming scenarios.

+#### Optional parameters

+Other parameters for training API are optional:

+* **slidingWindow**: How many data points are used to determine anomalies. An integer between 28 and 2,880. The default value is 300. If `slidingWindow` is `k` for model training, then at least `k` points should be accessible from the source file during inference to get valid results.

+ Multivariate Anomaly Detection takes a segment of data points to decide if the next data point is an anomaly. The length of the segment is the `slidingWindow`.

+ Please keep two things in mind when choosing a `slidingWindow` value:

+ 1. The properties of your data: whether it's periodic and the sampling rate. When your data is periodic, you could set the length of 1 - 3 cycles as the `slidingWindow`. When your data is at a high frequency (small granularity) like minute-level or second-level, you could set a relatively higher value of `slidingWindow`.

+ 1. The trade-off between training/inference time and potential performance impact. A larger `slidingWindow` may cause longer training/inference time. There's **no guarantee** that larger `slidingWindow`s will lead to accuracy gains. A small `slidingWindow` may make it difficult for the model to converge on an optimal solution. For example, it's hard to detect anomalies when `slidingWindow` has only two points.

+* **alignMode**: How to align multiple variables (time series) on timestamps. There are two options for this parameter, `Inner` and `Outer`, and the default value is `Outer`.

+ This parameter is critical when there's misalignment between timestamp sequences of the variables. The model needs to align the variables onto the same timestamp sequence before further processing.

+ `Inner` means the model will report detection results only on timestamps on which **every variable** has a value, that is, the intersection of all variables. `Outer` means the model will report detection results on timestamps on which **any variable** has a value, that is, the union of all variables.

+ Here's an example to explain different `alignModel` values.

+ *Variable-1*

+ |timestamp | value|

+ -| --|

+ |2020-11-01| 1

+ |2020-11-02| 2

+ |2020-11-04| 4

+ |2020-11-05| 5

+ *Variable-2*

+ timestamp | value

+ | -

+ 2020-11-01| 1

+ 2020-11-02| 2

+ 2020-11-03| 3

+ 2020-11-04| 4

+ *`Inner` join two variables*

+ timestamp | Variable-1 | Variable-2

+ -| - | -

+ 2020-11-01| 1 | 1

+ 2020-11-02| 2 | 2

+ 2020-11-04| 4 | 4

+ *`Outer` join two variables*

+ timestamp | Variable-1 | Variable-2

+ | - | -

+ 2020-11-01| 1 | 1

+ 2020-11-02| 2 | 2

+ 2020-11-03| `nan` | 3

+ 2020-11-04| 4 | 4

+ 2020-11-05| 5 | `nan`

+* **fillNAMethod**: How to fill `nan` in the merged table. There might be missing values in the merged table and they should be properly handled. We provide several methods to fill them up. The options are `Linear`, `Previous`, `Subsequent`, `Zero`, and `Fixed` and the default value is `Linear`.

+ | Option | Method |

+ | - | -|

+ | `Linear` | Fill `nan` values by linear interpolation |

+ | `Previous` | Propagate last valid value to fill gaps. Example: `[1, 2, nan, 3, nan, 4]` -> `[1, 2, 2, 3, 3, 4]` |

+ | `Subsequent` | Use next valid value to fill gaps. Example: `[1, 2, nan, 3, nan, 4]` -> `[1, 2, 3, 3, 4, 4]` |

+ | `Zero` | Fill `nan` values with 0. |

+ | `Fixed` | Fill `nan` values with a specified valid value that should be provided in `paddingValue`. |

+* **paddingValue**: Padding value is used to fill `nan` when `fillNAMethod` is `Fixed` and must be provided in that case. In other cases it's optional.

+* **displayName**: This is an optional parameter, which is used to identify models. For example, you can use it to mark parameters, data sources, and any other metadata about the model and its input data. The default value is an empty string.

+### Response

+Within the response, the most important thing is the `modelId`, which you'll use to trigger the Get Model Status API.

+A response sample:

+```json

+{

+ "modelId": "09c01f3e-5558-11ed-bd35-36f8cdfb3365",

+ "createdTime": "2022-11-01T00:00:00Z",

+ "lastUpdatedTime": "2022-11-01T00:00:00Z",

+ "modelInfo": {

+ "dataSource": "https://mvaddataset.blob.core.windows.net/sample-onetable/sample_data_5_3000.csv",

+ "dataSchema": "OneTable",

+ "startTime": "2021-01-01T00:00:00Z",

+ "endTime": "2021-01-02T09:19:00Z",

+ "displayName": "SampleRequest",

+ "slidingWindow": 200,

+ "alignPolicy": {

+ "alignMode": "Outer",

+ "fillNAMethod": "Linear",

+ "paddingValue": 0.0

+ },

+ "status": "CREATED",

+ "errors": [],

+ "diagnosticsInfo": {

+ "modelState": {

+ "epochIds": [],

+ "trainLosses": [],

+ "validationLosses": [],

+ "latenciesInSeconds": []

+ },

+ "variableStates": []

+ }

+ }

+}

+```

+## Get model status

+You could use the above API to trigger a training and use **Get model status API** to know whether the model is trained successfully or not.

+### Request

+There's no content in the request body, what's required only is to put the modelId in the API path, which will be in a format of:

+**{{endpoint}}anomalydetector/v1.1/multivariate/models/{{modelId}}**

+### Response

+* **status**: The `status` in the response body indicates the model status with this category: *CREATED, RUNNING, READY, FAILED.*

+* **trainLosses & validationLosses**: These are two machine learning concepts indicating the model performance. If the numbers are decreasing and finally to a relatively small number like 0.2, 0.3, then it means the model performance is good to some extent. However, the model performance still needs to be validated through inference and the comparison with labels if any.

+* **epochIds**: indicates how many epochs the model has been trained out of a total of 100 epochs. For example, if the model is still in training status, `epochId` might be `[10, 20, 30, 40, 50]` , which means that it has completed its 50th training epoch, and therefore is halfway complete.

+* **latenciesInSeconds**: contains the time cost for each epoch and is recorded every 10 epochs. In this example, the 10th epoch takes approximately 0.34 second. This would be helpful to estimate the completion time of training.

+* **variableStates**: summarizes information about each variable. It's a list ranked by `filledNARatio` in descending order. It tells how many data points are used for each variable and `filledNARatio` tells how many points are missing. Usually we need to reduce `filledNARatio` as much as possible.

+Too many missing data points will deteriorate model accuracy.

+* **errors**: Errors during data processing will be included in the `errors` field.

+A response sample:

+```json

+{

+ "modelId": "09c01f3e-5558-11ed-bd35-36f8cdfb3365",

+ "createdTime": "2022-11-01T00:00:12Z",

+ "lastUpdatedTime": "2022-11-01T00:00:12Z",

+ "modelInfo": {

+ "dataSource": "https://mvaddataset.blob.core.windows.net/sample-onetable/sample_data_5_3000.csv",

+ "dataSchema": "OneTable",

+ "startTime": "2021-01-01T00:00:00Z",

+ "endTime": "2021-01-02T09:19:00Z",

+ "displayName": "SampleRequest",

+ "slidingWindow": 200,

+ "alignPolicy": {

+ "alignMode": "Outer",

+ "fillNAMethod": "Linear",

+ "paddingValue": 0.0

+ },

+ "status": "READY",

+ "errors": [],

+ "diagnosticsInfo": {

+ "modelState": {

+ "epochIds": [

+ 10,

+ 20,

+ 30,

+ 40,

+ 50,

+ 60,

+ 70,

+ 80,

+ 90,

+ 100

+ ],

+ "trainLosses": [

+ 0.30325182933699,

+ 0.24335388161919333,

+ 0.22876543213020673,

+ 0.2439815090461211,

+ 0.22489577260884372,

+ 0.22305156764659015,

+ 0.22466289590705524,

+ 0.22133831883018668,

+ 0.2214335961775346,

+ 0.22268397090109912

+ ],

+ "validationLosses": [

+ 0.29047123109451445,

+ 0.263965221366497,

+ 0.2510373182971068,

+ 0.27116744686858824,

+ 0.2518718700216274,

+ 0.24802495975687047,

+ 0.24790137705176768,

+ 0.24640804830223623,

+ 0.2463938973166726,

+ 0.24831805566344597

+ ],

+ "latenciesInSeconds": [

+ 2.1662967205047607,

+ 2.0658926963806152,

+ 2.112030029296875,

+ 2.130472183227539,

+ 2.183091640472412,

+ 2.1442034244537354,

+ 2.117824077606201,

+ 2.1345198154449463,

+ 2.0993552207946777,

+ 2.1198465824127197

+ ]

+ },

+ "variableStates": [

+ {

+ "variable": "series_0",

+ "filledNARatio": 0.0004999999999999449,

+ "effectiveCount": 1999,

+ "firstTimestamp": "2021-01-01T00:01:00Z",

+ "lastTimestamp": "2021-01-02T09:19:00Z"

+ },

+ {

+ "variable": "series_1",

+ "filledNARatio": 0.0004999999999999449,

+ "effectiveCount": 1999,

+ "firstTimestamp": "2021-01-01T00:01:00Z",

+ "lastTimestamp": "2021-01-02T09:19:00Z"

+ },

+ {

+ "variable": "series_2",

+ "filledNARatio": 0.0004999999999999449,

+ "effectiveCount": 1999,

+ "firstTimestamp": "2021-01-01T00:01:00Z",

+ "lastTimestamp": "2021-01-02T09:19:00Z"

+ },

+ {

+ "variable": "series_3",

+ "filledNARatio": 0.0004999999999999449,

+ "effectiveCount": 1999,

+ "firstTimestamp": "2021-01-01T00:01:00Z",

+ "lastTimestamp": "2021-01-02T09:19:00Z"

+ },

+ {

+ "variable": "series_4",

+ "filledNARatio": 0.0004999999999999449,

+ "effectiveCount": 1999,

+ "firstTimestamp": "2021-01-01T00:01:00Z",

+ "lastTimestamp": "2021-01-02T09:19:00Z"

+ }

+ ]

+ }

+ }

+}

+```

+## List models

+You may refer to [this page](https://westus2.dev.cognitive.microsoft.com/docs/services/AnomalyDetector-v1-1/operations/ListMultivariateModel) for information about the request URL and request headers. Notice that we only return 10 models ordered by update time, but you can visit other models by setting the `$skip` and the `$top` parameters in the request URL. For example, if your request URL is `https://{endpoint}/anomalydetector/v1.1/multivariate/models?$skip=10&$top=20`, then we'll skip the latest 10 models and return the next 20 models.

+A sample response is

+```json

+{

+ "models": [

+ {

+ "modelId": "09c01f3e-5558-11ed-bd35-36f8cdfb3365",

+ "createdTime": "2022-10-26T18:00:12Z",

+ "lastUpdatedTime": "2022-10-26T18:03:53Z",

+ "modelInfo": {

+ "dataSource": "https://mvaddataset.blob.core.windows.net/sample-onetable/sample_data_5_3000.csv",

+ "dataSchema": "OneTable",

+ "startTime": "2021-01-01T00:00:00Z",

+ "endTime": "2021-01-02T09:19:00Z",

+ "displayName": "SampleRequest",

+ "slidingWindow": 200,

+ "alignPolicy": {

+ "alignMode": "Outer",

+ "fillNAMethod": "Linear",

+ "paddingValue": 0.0

+ },

+ "status": "READY",

+ "errors": [],

+ "diagnosticsInfo": {

+ "modelState": {

+ "epochIds": [

+ 10,

+ 20,

+ 30,

+ 40,

+ 50,

+ 60,

+ 70,

+ 80,

+ 90,

+ 100

+ ],

+ "trainLosses": [

+ 0.30325182933699,

+ 0.24335388161919333,

+ 0.22876543213020673,

+ 0.2439815090461211,

+ 0.22489577260884372,

+ 0.22305156764659015,

+ 0.22466289590705524,

+ 0.22133831883018668,

+ 0.2214335961775346,

+ 0.22268397090109912

+ ],

+ "validationLosses": [

+ 0.29047123109451445,

+ 0.263965221366497,

+ 0.2510373182971068,

+ 0.27116744686858824,

+ 0.2518718700216274,

+ 0.24802495975687047,

+ 0.24790137705176768,

+ 0.24640804830223623,

+ 0.2463938973166726,

+ 0.24831805566344597

+ ],

+ "latenciesInSeconds": [

+ 2.1662967205047607,

+ 2.0658926963806152,

+ 2.112030029296875,

+ 2.130472183227539,

+ 2.183091640472412,

+ 2.1442034244537354,

+ 2.117824077606201,

+ 2.1345198154449463,

+ 2.0993552207946777,

+ 2.1198465824127197

+ ]

+ },

+ "variableStates": [

+ {

+ "variable": "series_0",

+ "filledNARatio": 0.0004999999999999449,

+ "effectiveCount": 1999,

+ "firstTimestamp": "2021-01-01T00:01:00Z",

+ "lastTimestamp": "2021-01-02T09:19:00Z"

+ },

+ {

+ "variable": "series_1",

+ "filledNARatio": 0.0004999999999999449,

+ "effectiveCount": 1999,

+ "firstTimestamp": "2021-01-01T00:01:00Z",

+ "lastTimestamp": "2021-01-02T09:19:00Z"

+ },

+ {

+ "variable": "series_2",

+ "filledNARatio": 0.0004999999999999449,

+ "effectiveCount": 1999,

+ "firstTimestamp": "2021-01-01T00:01:00Z",

+ "lastTimestamp": "2021-01-02T09:19:00Z"

+ },

+ {

+ "variable": "series_3",

+ "filledNARatio": 0.0004999999999999449,

+ "effectiveCount": 1999,

+ "firstTimestamp": "2021-01-01T00:01:00Z",

+ "lastTimestamp": "2021-01-02T09:19:00Z"

+ },

+ {

+ "variable": "series_4",

+ "filledNARatio": 0.0004999999999999449,

+ "effectiveCount": 1999,

+ "firstTimestamp": "2021-01-01T00:01:00Z",

+ "lastTimestamp": "2021-01-02T09:19:00Z"

+ }

+ ]

+ }

+ }

+ }

+ ],

+ "currentCount": 42,

+ "maxCount": 1000,

+ "nextLink": ""

+}

+```

+The response contains four fields, `models`, `currentCount`, `maxCount`, and `nextLink`.

+* **models**: This contains the created time, last updated time, model ID, display name, variable counts, and the status of each model.

+* **currentCount**: This contains the number of trained multivariate models in your Anomaly Detector resource.

+* **maxCount**: The maximum number of models supported by your Anomaly Detector resource, which will be differentiated by the pricing tier that you choose.

+* **nextLink**: This could be used to fetch more models since maximum models that will be listed in this API response is **10**.

+## Next steps

+* [Best practices of multivariate anomaly detection](../concepts/best-practices-multivariate.md)

+### Nov 2022

+* Multivariate Anomaly Detection is now a generally available feature in Anomaly Detector service, with a better user experience and better model performance. Learn more about [how to use latest Multivariate Anomaly Detection](quickstarts/client-libraries-multivariate.md).

+### June 2022

+* New blog released: [4 sets of best practices to use Multivariate Anomaly Detector when monitoring your equipment](https://techcommunity.microsoft.com/t5/ai-cognitive-services-blog/4-sets-of-best-practices-to-use-multivariate-anomaly-detector/ba-p/3490848#footerContent).

+ Title: OCR - Optical Character Recognition

+description: Learn how the optical character recognition (OCR) services extract print and handwritten text from images and documents in global languages.

+# OCR - Optical Character Recognition

+## OCR engine

+> [!WARNING]

+> The Computer Vision legacy [ocr](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/56f91f2e778daf14a499f20d) and [RecognizeText](https://westus.dev.cognitive.microsoft.com/docs/services/5cd27ec07268f6c679a3e641/operations/587f2c6a1540550560080311) operations are no longer supported and should not be used.

+## OCR supported languages

+## OCR common features

+## Use the OCR cloud APIs or deploy on-premises

+## OCR data privacy and security

+- OCR for general (non-document) images - try the [Computer Vision 4.0 preview Image Analysis REST API quickstart](./concept-ocr.md).

+- OCR for PDF, Office and HTML documents and document images, start with [Form Recognizer Read](../../applied-ai-services/form-recognizer/concept-read.md).

+As you use this API in your application, see the [reference documentation](/rest/api/language/2022-05-01/conversational-analysis-authoring) for additional information.

+As you use this API in your application, see the [reference documentation](/rest/api/language/2022-05-01/conversation-analysis-runtime) for additional information.

+As you use this API in your application, see the [reference documentation](/rest/api/language/2022-05-01/text-analysis-authoring) for additional information.

+As you use this API in your application, see the [reference documentation](/rest/api/language/2022-05-01/text-analysis-runtime/analyze-text) for additional information.

+ * [Language authoring conversational language understanding APIs](/rest/api/language/2022-05-01/conversational-analysis-authoring)

+ * [Language authoring text analysis APIs](/rest/api/language/2022-05-01/text-analysis-authoring)

+ * [Language authoring conversational language understanding export API](/rest/api/language/2022-05-01/text-analysis-authoring/export)

+ * [Language authoring text analysis export API](/rest/api/language/2022-05-01/text-analysis-authoring/export)

+ *[Language Runtime CLU APIs](/rest/api/language/2022-05-01/conversation-analysis-runtime)

+ *[Language Runtime Text Analysis APIs](/rest/api/language/2022-05-01/text-analysis-runtime/analyze-text)

+ * [Language conversational language understanding APIs](/rest/api/language/2022-05-01/conversational-analysis-authoring)

+ * [Language text analysis APIs](/rest/api/language/2022-05-01/text-analysis-authoring)

+ * [Language authoring conversational language understanding APIs](/rest/api/language/2022-05-01/conversational-analysis-authoring)

+ * [Language authoring text analysis APIs](/rest/api/language/2022-05-01/text-analysis-authoring)

+To submit an asynchronous job, review the [reference documentation](/rest/api/language/2022-05-01/text-analysis-runtime/submit-job) for the JSON body you'll send in your request.

+ 1. Include additional Language service features in the `tasks` object, to be performed on your data at the same time.

+To [get the status and retrieve the results](/rest/api/language/2022-05-01/text-analysis-runtime/job-status) of the request, send a GET request to the URL you received in the `operation-location` header from the previous API response. Remember to include your key in the `Ocp-Apim-Subscription-Key`. The response will include the results of your API call.

+|LUIS authoring APIs and SDK support in .NET, Python, Java, and Node.js |[CLU Authoring REST APIs](/rest/api/language/2022-05-01/conversational-analysis-authoring). | For more information, see the [quickstart article](../quickstart.md?pivots=rest-api) for information on the CLU authoring APIs. [Refactoring](#do-i-have-to-refactor-my-code-if-i-migrate-my-applications-from-luis-to-clu) will be necessary to use the CLU authoring APIs. |

+|LUIS Runtime APIs and SDK support in .NET, Python, Java, and Node.js |[CLU Runtime APIs](/rest/api/language/2022-05-01/conversation-analysis-runtime). CLU Runtime SDK support for [.NET](/dotnet/api/overview/azure/ai.language.conversations-readme) and [Python](/python/api/overview/azure/ai-language-conversations-readme?view=azure-python-preview&preserve-view=true). | See [how to call the API](../how-to/call-api.md#use-the-client-libraries-azure-sdk) for more information. [Refactoring](#do-i-have-to-refactor-my-code-if-i-migrate-my-applications-from-luis-to-clu) will be necessary to use the CLU runtime API response. |

+[CLU authoring APIs](/rest/api/language/2022-05-01/conversational-analysis-authoring): Instead of LUIS's specific CRUD APIs for individual actions such as _add utterance_, _delete entity_, and _rename intent_, CLU offers an [import API](/rest/api/language/2022-05-01/conversational-analysis-authoring/import) that replaces the full content of a project using the same name. If your service used LUIS programmatic APIs to provide a platform for other customers, you must consider this new design paradigm. All other APIs such as: _listing projects_, _training_, _deploying_, and _deleting_ are available. APIs for actions such as _importing_ and _deploying_ are asynchronous operations instead of synchronous as they were in LUIS.

+[CLU runtime APIs](/rest/api/language/2022-05-01/conversation-analysis-runtime): The new API request and response includes many of the same parameters such as: _query_, _prediction_, _top intent_, _intents_, _entities_, and their values. The CLU response object offers a more straightforward approach. Entity predictions are provided as they are within the utterance text, and any additional information such as resolution or list keys are provided in extra parameters called `extraInformation` and `resolution`. See the [reference documentation](/rest/api/language/2022-05-01/conversation-analysis-runtime) for more information on the API response structure.

+## As a developer, I want to access my SQL database from my logic app workflow.

+| **Consumption** | Multi-tenant Azure Logic Apps | Managed connector, which appears in the designer under the **Standard** label. For more information, review the following documentation: <br><br>- [SQL Server managed connector reference](/connectors/sql) <br>- [Managed connectors in Azure Logic Apps](managed.md) |

+| **Consumption** | Integration service environment (ISE) | Managed connector, which appears in the designer under the **Standard** label, and the ISE version, which has different message limits than the Standard class. For more information, review the following documentation: <br><br>- [SQL Server managed connector reference](/connectors/sql) <br>- [ISE message limits](../logic-apps/logic-apps-limits-and-config.md#message-size-limits) <br>- [Managed connectors in Azure Logic Apps](managed.md) |

+| **Standard** | Single-tenant Azure Logic Apps and App Service Environment v3 (Windows plans only) | Managed connector, which appears in the designer under the **Azure** label, and built-in connector, which appears in the designer under the **Built-in** label and is [service provider based](../logic-apps/custom-connector-overview.md#service-provider-interface-implementation). The built-in version differs in the following ways: <br><br>- The built-in version doesn't have triggers. You can use the SQL managed connector trigger or a different trigger. <br><br>- The built-in version can connect directly to an SQL database and access Azure virtual networks. You don't need an on-premises data gateway. <br><br>For more information, review the following documentation: <br><br>- [SQL Server managed connector reference](/connectors/sql/) <br>- [SQL Server built-in connector reference](/azure/logic-apps/connectors/built-in/reference/sql/) <br>- [Built-in connectors in Azure Logic Apps](built-in.md) |

+### Limitations

+For more information, review the [SQL Server managed connector reference](/connectors/sql/) or the [SQL Server built-in connector reference](/azure/logic-apps/connectors/built-in/reference/sql/).

+ * To use Azure Active Directory authentication or managed identity authentication with your logic app, you have to set up your SQL Server to work with these authentication types. For more information, see [Authentication - SQL Server managed connector reference](/connectors/sql/#authentication).

+ * To use the built-in connector, you can authenticate your connection with either a managed identity, Azure Active Directory, or a connection string. You can adjust connection pooling by specifying parameters in the connection string. For more information, review [Connection Pooling](/dotnet/framework/data/adonet/connection-pooling).

+ * **Built-in** when you want to use SQL Server [built-in actions](/azure/logic-apps/connectors/built-in/reference/sql/) such as **Execute query**

+ * [Built-in actions](/azure/logic-apps/connectors/built-in/reference/sql/)

+* [Built-in connectors for Azure Logic Apps](built-in.md)

+1. In the GitHub UI, navigate to your forked repository and select **Security > Secrets and variables > Actions**.

+az acr manifest list-metadata --name <repositoryName> --registry <acrName> \

+## Prerequisites

+* The user will require following permissions (at registry level) to create/delete replications:

+ | Permission | Description |

+ |||

+ | Microsoft.ContainerRegistry/registries/write | Create a replication |

+ | Microsoft.ContainerRegistry/registries/replications/write | Delete a replication |

+ USER_NAME="helmtoken"

+ --source aci-helloworld:latest \

+* **Problems accessing Key Vault**<a name="problems-accessing-key-vault"></a>

+ * If your pipelineRun deployment fails with a `403 Forbidden` error when accessing Azure Key Vault, verify that your pipeline managed identity has adequate permissions.

+ * A pipelineRun uses the exportPipeline or importPipeline managed identity to fetch the SAS token secret from your Key Vault. ExportPipelines and importPipelines are provisioned with either a system-assigned or user-assigned managed identity. This managed identity is required to have `secret get` permissions on the Key Vault in order to read the SAS token secret. Ensure that an access policy for the managed identity was added to the Key Vault. For more information, reference [Give the ExportPipeline identity keyvault policy access](./container-registry-transfer-cli.md#give-the-exportpipeline-identity-keyvault-policy-access) and [Give the ImportPipeline identity keyvault policy access](./container-registry-transfer-cli.md#give-the-importpipeline-identity-keyvault-policy-access).

+[az-resource-delete]: /cli/azure/resource#az_resource_delete

+1. Select **Security > Secrets and variables > Actions**.

+1. Select **New repository secret**.

+* Learn more about [Microsoft Defender for container registries](https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-va-acr)

+* Learn more about [container security in Microsoft Defender for Cloud](https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction)

+Microsoft Defender for Cloud scans images that are pushed to a registry, imported into a registry, or any images pulled within the last 30 days. If vulnerabilities are detected, [recommended remediations](https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-va-acr#view-and-remediate-findings) appear in Microsoft Defender for Cloud.

+For details, see [Use Microsoft Defender for container registries](https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-va-acr).

+> - [.NET](https://www.nuget.org/packages/Azure.ResourceManager.CosmosDB/)

+When removing indexes and immediately running queries that have filters on the dropped indexes, results might be inconsistent and incomplete until the index transformation finishes. If you remove indexes, the query engine does not provide consistent or complete results when queries filter on these newly removed indexes. Most developers do not drop indexes and then immediately try to query them so, in practice, this situation is unlikely.

+ Title: Quickstart - Azure Cosmos DB for MongoDB for .NET with MongoDB driver

+- Azure Container Registry images - [Use Microsoft Defender for container registries to scan your images for vulnerabilities](defender-for-containers-vulnerability-assessment-azure.md)

+- Amazon AWS Elastic Container Registry images - [Use Microsoft Defender for container registries to scan your images for vulnerabilities](defender-for-containers-vulnerability-assessment-elastic.md)

+- [Scan your ACR images for vulnerabilities](defender-for-containers-vulnerability-assessment-azure.md)

+- [Scan your ECR images for vulnerabilities](defender-for-containers-vulnerability-assessment-elastic.md)

+ Title: Defender for Cloud glossary for device builder

+description: The glossary provides a brief description of important Defender for Cloud platform terms and concepts.

+# Defender for Cloud glossary for device builder

+This glossary provides a brief description of important terms and concepts for the Microsoft Defender for Cloud platform. Select the **Learn more** links to go to related terms in the glossary. This will help you to learn and use the product tools quickly and effectively.

+<a name="glossary-a"></a>

+## A

+| Term | Description | Learn more |

+|--|--|--|

+|**AAC**|Adaptive application controls are an intelligent and automated solution for defining allowlists of known-safe applications for your machines. |[Adaptive Application Controls](adaptive-application-controls.md)

+| **ACR Tasks** | A suite of features within Azure container registry | [Frequently asked questions - Azure Container Registry](../container-registry/container-registry-faq.yml) |

+|**ADO**|Azure DevOps provides developer services for allowing teams to plan work, collaborate on code development, and build and deploy applications.|[What is Azure DevOps?](/azure/devops/user-guide/what-is-azure-devops) |

+|**AKS**| Azure Kubernetes Service, Microsoft's managed service for developing, deploying, and managing containerized applications.| [Kubernetes Concepts](/azure-stack/aks-hci/kubernetes-concepts)|

+|**Alerts**| Alerts defend your workloads in real-time so you can react immediately and prevent security events from developing.|[Security alerts and incidents](alerts-overview.md)|

+|**ANH** | Adaptive network hardening| [Improve your network security posture with adaptive network hardening](adaptive-network-hardening.md)

+|**APT** | Advanced Persistent Threats | [Video: Understanding APTs](/events/teched-2012/sia303)|

+| **Arc-enabled Kubernetes**| Azure Arc-enabled Kubernetes allows you to attach and configure Kubernetes clusters running anywhere. You can connect your clusters running on other public cloud providers or clusters running on your on-premises data center.|[What is Azure Arc-enabled Logic Apps? (Preview)](../logic-apps/azure-arc-enabled-logic-apps-overview.md)

+|**ARM**| Azure Resource Manager-the deployment and management service for Azure.| [Azure Resource Manager Overview](/azure/azure-resource-manager/management/overview)|

+|**ASB**| Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure.| [Azure Security Benchmark](/azure/baselines/security-center-security-baseline) |

+|**Auto-provisioning**| To make sure that your server resources are secure, Microsoft Defender for Cloud uses agents installed on your servers to send information about your servers to Microsoft Defender for Cloud for analysis. You can use auto provisioning to quietly deploy the Azure Monitor Agent on your servers.| [Configure auto provision](../iot-dps/quick-setup-auto-provision.md)|

+## B

+| Term | Description | Learn more |

+|--|--|--|

+|**Blob storage**| Azure Blob Storage is the high scale object storage service for Azure and a key building block for data storage in Azure.| [what is Azure blob storage?](/azure/storage/blobs/storage-blobs-introduction)|

+## C

+| Term | Description | Learn more |

+|--|--|--|

+|**Cacls** | Change access control list, Microsoft Windows native command-line utility often used for modifying the security permission on folders and files.| [access-control-lists](/windows/win32/secauthz/access-control-lists) |

+|**CIS Benchmark** | (Kubernetes) Center for Internet Security benchmark| [CIS](/azure/aks/cis-kubernetes)|

+|**CORS**| Cross origin resource sharing, an HTTP feature that enables a web application running under one domain to access resources in another domain.| [CORS](/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services)|

+|**CNCF**|Cloud Native Computing Foundation|[Build CNCF projects by using Azure Kubernetes service](/azure/architecture/example-scenario/apps/build-cncf-incubated-graduated-projects-aks)|

+|**CSPM**|Cloud Security Posture Management| [Cloud Security Posture Management (CSPM)](concept-cloud-security-posture-management.md)|

+|**CWPP** | Cloud Workload Protection Platform | [CWPP](/azure/defender-for-cloud/overview-page)|

+## D

+| Term | Description | Learn more |

+|--|--|--|

+| **DDOS Attack** | Distributed denial-of-service, a type of attack where an attacker sends more requests to an application than the application is capable of handling.| [DDOS FAQs](/azure/ddos-protection/ddos-faq)|

+## E

+| Term | Description | Learn more |

+|--|--|--|

+|**EDR**| Endpoint Detection and Response|[Microsoft Defender for Endpoint]([Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint](integration-defender-for-endpoint.md)|

+|**EKS**| Amazon Elastic Kubernetes Service, Amazon's managed service for running Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.|[EKS](https://aws.amazon.com/eks/)|

+|**eBPF**|Extended Berkley Packet Filter |[What is eBPF?](https://ebpf.io/)|

+## F

+| Term | Description | Learn more |

+|--|--|--|

+|**FIM**| File Integrity Monitoring | ([File Integrity Monitoring in Microsoft Defender for Cloud](file-integrity-monitoring-overview.md)|

+**FTP** | File Transfer Protocol | [Deploy content using FTP](/azure/app-service/deploy-ftp?tabs=portal)|

+## G

+| Term | Description | Learn more |

+|--|--|--|

+|**GCP**| Google Cloud Platform | [Onboard a GPC Project](/azure/active-directory/cloud-infrastructure-entitlement-management/onboard-gcp)|

+|**GKE**| Google Kubernetes Engine, GoogleΓÇÖs managed environment for deploying, managing, and scaling applications using GCP infrastructure.|[Deploy a Kubernetes workload using GPU sharing on your Azure Stack Edge Pro](../databox-online/azure-stack-edge-gpu-deploy-kubernetes-gpu-sharing.md)|

+## J

+| Term | Description | Learn more |

+|--|--|--|

+| **JIT** | Just-in-Time VM access |[Understanding just-in-time (JIT) VM access](just-in-time-access-overview.md)|

+## K

+| Term | Description | Learn more |

+|--|--|--|

+|**KQL**|Kusto Query Language-a tool to explore your data and discover patterns, identify anomalies and outliers, create statistical modeling, and more.| [KQL Overview](/azure/data-explorer/kusto/query/)|

+## L

+| Term | Description | Learn more |

+|--|--|--|

+|**LSA**| Local Security Authority| [Secure and use policies on virtual machines in Azure](../virtual-machines/security-policy.md)|

+## M

+| Term | Description | Learn more |

+|--|--|--|

+|**MDC**| Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) for all of your Azure, on-premises, and multicloud (Amazon AWS and Google GCP) resources. | [What is Microsoft Defender for Cloud?](defender-for-cloud-introduction.md)|

+|**MDE**| Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.|[Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint](integration-defender-for-endpoint.md)|

+|**MFA**|multi factor authentication, a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan.|[How it works: Azure Multi Factor Authentication](/azure/active-directory/authentication/concept-mfa-howitworks)|

+|**MITRE ATT&CK**| a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.|[MITRE ATT&CK](https://attack.mitre.org/)|

+|**MMA**| Microsoft Monitoring Agent, also known as Log Analytics Agent|[Log Analytics Agent Overview](/azure/azure-monitor/agents/log-analytics-agent)|

+## N

+| Term | Description | Learn more |

+|--|--|--|

+|**NGAV**| Next Generation Anti-Virus |

+**NIST** | National Institute of Standards and Technology|[National Institute of Standards and Technology](https://www.nist.gov/)

+## R

+| Term | Description | Learn more |

+|--|--|--|

+|**RaMP**| Rapid Modernization Plan, guidance based on initiatives, giving you a set of deployment paths to more quickly implement key layers of protection.|[Zero Trust Rapid Modernization Plan](../security/fundamentals/zero-trust.md)|

+|**RBAC**| Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. | [RBAC Overview](/azure/role-based-access-control/overview)|

+|**RDP** | Remote Desktop Protocol (RDP) is a sophisticated technology that uses various techniques to perfect the server's remote graphics' delivery to the client device.| [RDP Bandwidth Requirements](/azure/virtual-desktop/rdp-bandwidth)|

+|**Recommendations**|Recommendations secure your workloads with step-by-step actions that protect your workloads from known security risks.| [What are security policies, initiatives, and recommendations?](security-policy-concept.md)|

+**Regulatory Compliance** | Regulatory compliance refers to the discipline and process of ensuring that a company follows the laws enforced by governing bodies in their geography or rules required | [Regulatory Compliance Overview](/azure/cloud-adoption-framework/govern/policy-compliance/regulatory-compliance) |

+## S

+| Term | Description | Learn more |

+|--|--|--|

+|**Secure Score**|Defender for Cloud continually assesses your cross-cloud resources for security issues. It then aggregates all the findings into a single score that represents your current security situation: the higher the score, the lower the identified risk level.|[Security posture for Microsoft Defender for Cloud](secure-score-security-controls.md)|

+|**Security Initiative** | A collection of Azure Policy Definitions, or rules, that are grouped together towards a specific goal or purpose. | [What are security policies, initiatives, and recommendations?](security-policy-concept.md)

+|**Security Policy**| An Azure rule about specific security conditions that you want controlled.|[Understanding Security Policies](security-policy-concept.md)|

+|**SOAR**| Security Orchestration Automated Response, a collection of software tools designed to collect data about security threats from multiple sources and respond to low-level security events without human assistance.| [SOAR](/azure/sentinel/automation)|

+## T

+| Term | Description | Learn more |

+|--|--|--|

+|**TVM**|Threat and Vulnerability Management, a built-in module in Microsoft Defender for Endpoint that can discover vulnerabilities and misconfigurations in near real time and prioritize vulnerabilities based on the threat landscape and detections in your organization.|[Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management](deploy-vulnerability-assessment-tvm.md)

+## Z

+| Term | Description | Learn more |

+|--|--|--|

+|**Zero-Trust**|A new security model that assumes breach and verifies each request as though it originated from an uncontrolled network.|[Zero-Trust Security](/azure/security/fundamentals/zero-trust)|

+ ## Next Steps

+[Microsoft Defender for Cloud-overview](overview-page.md)

+- [Identify vulnerabilities in images in Azure container registries](defender-for-containers-vulnerability-assessment-azure.md)

+- [Identify vulnerabilities in images in AWS Elastic Container Registry](defender-for-containers-vulnerability-assessment-elastic.md)

+[Learn about creating rules to disable findings from the integrated vulnerability assessment tool](defender-for-containers-vulnerability-assessment-azure.md#disable-specific-findings).

+> [Scan your images for vulnerabilities](defender-for-containers-vulnerability-assessment-azure.md)

+- [Microsoft Defender for Containers in a multicloud environment](episode-nine.md)

+- [Scan your ACR images for vulnerabilities](defender-for-containers-vulnerability-assessment-azure.md)

+- [Scan your Amazon AWS ECR images for vulnerabilities](defender-for-containers-vulnerability-assessment-elastic.md)

+- [Vulnerability assessment for Azure Container Registry (ACR)](defender-for-containers-vulnerability-assessment-azure.md)

+- [Vulnerability assessment for Amazon AWS Elastic Container Registry (ECR)](defender-for-containers-vulnerability-assessment-elastic.md)

+Learn more about [viewing vulnerabilities for running images in (ACR)](defender-for-containers-vulnerability-assessment-azure.md).

+No. Only Azure Kubernetes Service (AKS) clusters that use Virtual Machine Scale Sets for the nodes is supported.

+ Title: Identify vulnerabilities in Azure Container Registry with Microsoft Defender for Cloud

+description: Learn how to use Defender for Containers to scan images in your Azure Container Registry to find vulnerabilities.

+# Use Defender for Containers to scan your Azure Container Registry images for vulnerabilities

+This article explains how to use Defender for Containers to scan the container images stored in your Azure Resource Manager-based Azure Container Registry, as part of the protections provided within Microsoft Defender for Cloud.

+To enable scanning of vulnerabilities in containers, you have to [enable Defender for Containers](defender-for-containers-enable.md). When the scanner, powered by Qualys, reports vulnerabilities, Defender for Cloud presents the findings and related information as recommendations. In addition, the findings include related information such as remediation steps, relevant CVEs, CVSS scores, and more. You can view the identified vulnerabilities for one or more subscriptions, or for a specific registry.

+Defender for Cloud filters and classifies findings from the scanner. Images without vulnerabilities are marked as healthy and Defender for Cloud doesn't send notifications about healthy images to keep you from getting unwanted informational alerts.

+The triggers for an image scan are:

+- **On push** - Whenever an image is pushed to your registry, Defender for Containers automatically scans that image. To trigger the scan of an image, push it to your repository.

+- **Recently pulled** - Since new vulnerabilities are discovered every day, **Microsoft Defender for Containers** also scans, on a weekly basis, any image that has been pulled within the last 30 days. There's no extra charge for these rescans; as mentioned above, you're billed once per image.

+- **On import** - Azure Container Registry has import tools to bring images to your registry from Docker Hub, Microsoft Container Registry, or another Azure container registry. **Microsoft Defender for Containers** scans any supported images you import. Learn more in [Import container images to a container registry](../container-registry/container-registry-import-images.md).

+- **Continuous scan**- This trigger has two modes:

+ - A continuous scan based on an image pull. This scan is performed every seven days after an image was pulled, and only for 30 days after the image was pulled. This mode doesn't require the security profile, or extension.

+ - (Preview) Continuous scan for running images. This scan is performed every seven days for as long as the image runs. This mode runs instead of the above mode when the Defender profile, or extension is running on the cluster.

+

+When a scan is triggered, findings are available as Defender for Cloud recommendations from 2 minutes up to 15 minutes after the scan is complete.

+Also, check out the ability scan container images for vulnerabilities as the images are built in your CI/CD GitHub workflows. Learn more in [Defender for DevOps](defender-for-devops-introduction.md).

+## Prerequisites

+Before you can scan your ACR images:

+- [Enable Defender for Containers](defender-for-containers-enable.md) for your subscription. Defender for Containers is now ready to scan images in your registries.

+ >[!NOTE]

+ > This feature is charged per image.

+- If you want to find vulnerabilities in images stored in other container registries, you can import the images into ACR and scan them.

+ Use the ACR tools to bring images to your registry from Docker Hub or Microsoft Container Registry. When the import completes, the imported images are scanned by the built-in vulnerability assessment solution.

+ Learn more in [Import container images to a container registry](../container-registry/container-registry-import-images.md)

+ You can also [scan images in Amazon AWS Elastic Container Registry](defender-for-containers-vulnerability-assessment-elastic.md) directly from the Azure portal.

+For a list of the types of images and container registries supported by Microsoft Defender for Containers, see [Availability](supported-machines-endpoint-solutions-clouds-containers.md?tabs=azure-aks#registries-and-images).

+## View and remediate findings

+1. To view the findings, open the **Recommendations** page. If issues were found, you'll see the recommendation [Container registry images should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/dbd0cb49-b563-45e7-9724-889e799fa648).

+ 

+1. Select the recommendation.

+ The recommendation details page opens with additional information. This information includes the list of registries with vulnerable images ("Affected resources") and the remediation steps.

+1. Select a specific registry to see the repositories within it that have vulnerable repositories.

+ 

+ The registry details page opens with the list of affected repositories.

+1. Select a specific repository to see the repositories within it that have vulnerable images.

+ 

+ The repository details page opens. It lists the vulnerable images together with an assessment of the severity of the findings.

+1. Select a specific image to see the vulnerabilities.

+ 

+ The list of findings for the selected image opens.

+ 

+1. To learn more about a finding, select the finding.

+ The findings details pane opens.

+ [](media/monitor-container-security/acr-finding-details-pane.png#lightbox)

+ This pane includes a detailed description of the issue and links to external resources to help mitigate the threats.

+1. Follow the steps in the remediation section of this pane.

+1. When you've taken the steps required to remediate the security issue, replace the image in your registry:

+ 1. Push the updated image to trigger a scan.

+ 1. Check the recommendations page for the recommendation [Container registry images should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/dbd0cb49-b563-45e7-9724-889e799fa648).

+ If the recommendation still appears and the image you've handled still appears in the list of vulnerable images, check the remediation steps again.

+ 1. When you're sure the updated image has been pushed, scanned, and is no longer appearing in the recommendation, delete the ΓÇ£oldΓÇ¥ vulnerable image from your registry.

+## Disable specific findings

+> [!NOTE]

+> [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]

+If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't affect your secure score or generate unwanted noise.

+When a finding matches the criteria you've defined in your disable rules, it won't appear in the list of findings. Typical scenarios include:

+- Disable findings with severity below medium

+- Disable findings that are non-patchable

+- Disable findings with CVSS score below 6.5

+- Disable findings with specific text in the security check or category (for example, ΓÇ£RedHatΓÇ¥, ΓÇ£CentOS Security Update for sudoΓÇ¥)

+> [!IMPORTANT]

+> To create a rule, you need permissions to edit a policy in Azure Policy.

+>

+> Learn more in [Azure RBAC permissions in Azure Policy](../governance/policy/overview.md#azure-rbac-permissions-in-azure-policy).

+You can use any of the following criteria:

+- Finding ID

+- Category

+- Security check

+- CVSS v3 scores

+- Severity

+- Patchable status

+To create a rule:

+1. From the recommendations detail page for [Container registry images should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/dbd0cb49-b563-45e7-9724-889e799fa648), select **Disable rule**.

+1. Select the relevant scope.

+1. Define your criteria.

+1. Select **Apply rule**.

+ :::image type="content" source="./media/defender-for-containers-vulnerability-assessment-azure/new-disable-rule-for-registry-finding.png" alt-text="Create a disable rule for VA findings on registry.":::

+1. To view, override, or delete a rule:

+ 1. Select **Disable rule**.

+ 1. From the scope list, subscriptions with active rules show as **Rule applied**.

+ :::image type="content" source="./media/remediate-vulnerability-findings-vm/modify-rule.png" alt-text="Modify or delete an existing rule.":::

+ 1. To view or delete the rule, select the ellipsis menu ("...").

+## FAQ

+### How does Defender for Containers scan an image?

+Defender for Containers pulls the image from the registry and runs it in an isolated sandbox with the Qualys scanner. The scanner extracts a list of known vulnerabilities.

+Defender for Cloud filters and classifies findings from the scanner. When an image is healthy, Defender for Cloud marks it as such. Defender for Cloud generates security recommendations only for images that have issues to be resolved. By only notifying you when there are problems, Defender for Cloud reduces the potential for unwanted informational alerts.

+### Can I get the scan results via REST API?

+Yes. The results are under [Sub-Assessments REST API](/rest/api/defenderforcloud/sub-assessments/list). Also, you can use Azure Resource Graph (ARG), the Kusto-like API for all of your resources: a query can fetch a specific scan.

+### Why is Defender for Cloud alerting me to vulnerabilities about an image that isnΓÇÖt in my registry?

+Some images may reuse tags from an image that was already scanned. For example, you may reassign the tag ΓÇ£LatestΓÇ¥ every time you add an image to a digest. In such cases, the ΓÇÿoldΓÇÖ image does still exist in the registry and may still be pulled by its digest. If the image has security findings and is pulled, it will expose security vulnerabilities.

+## Next steps

+Learn more about the [advanced protection plans of Microsoft Defender for Cloud](enhanced-security-features-overview.md).

+ Title: Identify vulnerabilities in Amazon AWS Elastic Container Registry with Microsoft Defender for Cloud

+description: Learn how to use Defender for Containers to scan images in your Amazon AWS Elastic Container Registry (ECR) to find vulnerabilities.

+# Use Defender for Containers to scan your Amazon AWS Elastic Container Registry images for vulnerabilities (Preview)

+Defender for Containers lets you scan the container images stored in your Amazon AWS Elastic Container Registry (ECR) as part of the protections provided within Microsoft Defender for Cloud.

+To enable scanning of vulnerabilities in containers, you have to [connect your AWS account to Defender for Cloud](quickstart-onboard-aws.md) and [enable Defender for Containers](defender-for-containers-enable.md). The agentless scanner, powered by the open-source scanner Trivy, scans your ECR repositories and reports vulnerabilities.

+Defender for Containers creates resources in your AWS account to build an inventory of the software in your images. The scan then sends only the software inventory to Defender for Cloud. This architecture protects your information privacy and intellectual property, and also keeps the outbound network traffic to a minimum. Defender for Containers creates an ECS cluster in a dedicated VPC, an internet gateway, and an S3 bucket in the us-east-1 and eu-central-1 regions to build the software inventory.

+Defender for Cloud filters and classifies findings from the software inventory that the scanner creates. Images without vulnerabilities are marked as healthy and Defender for Cloud doesn't send notifications about healthy images to keep you from getting unwanted informational alerts.

+The triggers for an image scan are:

+- **On push** - Whenever an image is pushed to your registry, Defender for Containers automatically scans that image within 2 hours.

+- **Continuous scan** - Defender for Containers reassesses the images based on the latest database of vulnerabilities of Trivy. This reassessment is performed weekly.

+## Prerequisites

+Before you can scan your ECR images:

+- [Connect your AWS account to Defender for Cloud and enable Defender for Containers](quickstart-onboard-aws.md)

+- You must have at least one free VPC in the `us-east-1` and `eu-central-1` regions to host the AWS resources that build the software inventory.

+For a list of the types of images not supported by Microsoft Defender for Containers, see [Availability](supported-machines-endpoint-solutions-clouds-containers.md?tabs=aws-eks#images).

+## Enable vulnerability assessment

+To enable vulnerability assessment:

+1. From Defender for Cloud's menu, open **Environment settings**.

+1. Select the AWS connector that connects to your AWS account.

+ :::image type="content" source="media/defender-for-kubernetes-intro/select-aws-connector.png" alt-text="Screenshot of Defender for Cloud's environment settings page showing an AWS connector.":::

+1. In the Monitoring Coverage section of the Containers plan, select **Settings**.

+ :::image type="content" source="media/defender-for-containers-vulnerability-assessment-elastic/aws-containers-settings.png" alt-text="Screenshot of Containers settings for the AWS connector." lightbox="media/defender-for-containers-vulnerability-assessment-elastic/aws-containers-settings.png":::

+1. Turn on **Vulnerability assessment**.

+ :::image type="content" source="media/defender-for-containers-vulnerability-assessment-elastic/aws-containers-enable-va.png" alt-text="Screenshot of the toggle to turn on vulnerability assessment for ECR images.":::

+1. Select **Save** > **Next: Configure access**.

+1. Download the CloudFormation template.

+

+1. Using the downloaded CloudFormation template, create the stack in AWS as instructed on screen. If you're onboarding a management account, you'll need to run the CloudFormation template both as Stack and as StackSet. It takes up to 30 minutes for the AWS resources to be created. The resources have the prefix `defender-for-containers-va`.

+1. Select **Next: Review and generate**.

+

+1. Select **Update**.

+Findings are available as Defender for Cloud recommendations from 2 hours after vulnerability assessment is turned on. The recommendation also shows any reason that a repository is identified as not scannable ("Not applicable"), such as images pushed more than 3 months before you enabled vulnerability assessment.

+## View and remediate findings

+Vulnerability assessment lists the repositories with vulnerable images as the results of the [Elastic container registry images should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/03587042-5d4b-44ff-af42-ae99e3c71c87) recommendation. From the recommendation, you can identify vulnerable images and get details about the vulnerabilities.

+Vulnerability findings for an image are still shown in the recommendation for 48 hours after an image is deleted.

+1. To view the findings, open the **Recommendations** page. If the scan found issues, you'll see the recommendation [Elastic container registry images should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/03587042-5d4b-44ff-af42-ae99e3c71c87).

+ :::image type="content" source="media/defender-for-containers-vulnerability-assessment-elastic/elastic-container-registry-recommendation.png" alt-text="Screenshot of the Recommendation to remediate findings in ECR images.":::

+1. Select the recommendation.

+ The recommendation details page opens with additional information. This information includes the list of repositories with vulnerable images ("Affected resources") and the remediation steps.

+1. Select specific repositories to the vulnerabilities found in images in those repositories.

+ :::image type="content" source="media/defender-for-containers-vulnerability-assessment-elastic/elastic-container-registry-unhealthy-repositories.png" alt-text="Screenshot of ECR repositories that have vulnerabilities." lightbox="media/defender-for-containers-vulnerability-assessment-elastic/elastic-container-registry-unhealthy-repositories.png":::

+ The vulnerabilities section shows the identified vulnerabilities.

+1. To learn more about a vulnerability, select the vulnerability.

+ The vulnerability details pane opens.

+ :::image type="content" source="media/defender-for-containers-vulnerability-assessment-elastic/elastic-container-registry-vulnerability.png" alt-text="Screenshot of vulnerability details in ECR repositories." lightbox="media/defender-for-containers-vulnerability-assessment-elastic/elastic-container-registry-vulnerability.png":::

+ This pane includes a detailed description of the issue and links to external resources to help mitigate the threats.

+1. Follow the steps in the remediation section of the recommendation.

+1. When you've taken the steps required to remediate the security issue, replace the image in your registry:

+ 1. Push the updated image to trigger a scan.

+ 1. Check the recommendations page for the recommendation [Container registry images should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/dbd0cb49-b563-45e7-9724-889e799fa648).

+ If the recommendation still appears and the image you've handled still appears in the list of vulnerable images, check the remediation steps again.

+ 1. When you're sure the updated image has been pushed, scanned, and is no longer appearing in the recommendation, delete the ΓÇ£oldΓÇ¥ vulnerable image from your registry.

+<!--

+## Disable specific findings

+> [!NOTE]

+> [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]

+If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't affect your secure score or generate unwanted noise.

+When a finding matches the criteria you've defined in your disable rules, it won't appear in the list of findings. Typical scenarios include:

+- Disable findings with severity below medium

+- Disable findings that are non-patchable

+- Disable findings with CVSS score below 6.5

+- Disable findings with specific text in the security check or category (for example, ΓÇ£RedHatΓÇ¥, ΓÇ£CentOS Security Update for sudoΓÇ¥)

+> [!IMPORTANT]

+> To create a rule, you need permissions to edit a policy in Azure Policy.

+>

+> Learn more in [Azure RBAC permissions in Azure Policy](../governance/policy/overview.md#azure-rbac-permissions-in-azure-policy).

+You can use any of the following criteria:

+- Finding ID

+- Category

+- Security check

+- CVSS v3 scores

+- Severity

+- Patchable status

+To create a rule:

+1. From the recommendations detail page for [Container registry images should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/dbd0cb49-b563-45e7-9724-889e799fa648), select **Disable rule**.

+1. Select the relevant scope.

+1. Define your criteria.

+1. Select **Apply rule**.

+ :::image type="content" source="media/defender-for-containers-vulnerability-assessment-azure/new-disable-rule-for-registry-finding.png" alt-text="Screenshot of how to create a disable rule for VA findings on registry.":::

+1. To view, override, or delete a rule:

+ 1. Select **Disable rule**.

+ 1. From the scope list, subscriptions with active rules show as **Rule applied**.

+ :::image type="content" source="./media/remediate-vulnerability-findings-vm/modify-rule.png" alt-text="Screenshot of how to modify or delete an existing rule.":::

+ 1. To view or delete the rule, select the ellipsis menu ("..."). -->

+## FAQs

+### Can I get the scan results via REST API?

+Yes. The results are under [Sub-Assessments REST API](/rest/api/defenderforcloud/sub-assessments/list). Also, you can use Azure Resource Graph (ARG), the Kusto-like API for all of your resources: a query can fetch a specific scan.

+## Next steps

+Learn more about:

+- [Advanced protection plans of Microsoft Defender for Cloud](enhanced-security-features-overview.md)

+- [Multicloud protections](multicloud.yml) for your AWS account

+# Exclude a storage account from a protected subscription in the per-transaction plan

+When you [enable Microsoft Defender for Storage](../storage/common/azure-defender-storage-configure.md) on a subscription for the per-transaction pricing, all current and future Azure Storage accounts in that subscription are protected. You can exclude specific storage accounts from the Defender for Storage protections using the Azure portal, PowerShell, or the Azure CLI.

+## Exclude an Azure Storage account protection on a subscription with per-transaction pricing

+1. Disable Microsoft Defender for Storage for the desired account on the relevant subscription with the `security atp storage` command (using the same resource ID):

+- Explore the [Microsoft Defender for Storage ΓÇô Price Estimation Dashboard](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-storage-price-estimation-dashboard/ba-p/2429724)

+You can [enable Microsoft Defender for Storage](../storage/common/azure-defender-storage-configure.md) at either the subscription level (recommended) or the resource level.

+## Explore security anomalies

+When storage activity anomalies occur, you receive an email notification with information about the suspicious security event. Details of the event include:

+- The nature of the anomaly

+- The storage account name

+- The event time

+- The storage type

+- The potential causes

+- The investigation steps

+- The remediation steps

+The email also includes details on possible causes and recommended actions to investigate and mitigate the potential threat.

+You can review and manage your current security alerts from Microsoft Defender for Cloud's [Security alerts tile](managing-and-responding-alerts.md). Select an alert for details and actions for investigating the current threat and addressing future threats.

+## Limitations of hash reputation analysis

+After you enable Defender for Storage, you can create a test alert to demonstrate how Defender for Storage recognizes and triggers alerts on security risks.

+1. Open a storage account with [Microsoft Defender for Storage enabled](../storage/common/azure-defender-storage-configure.md).

+- Azure Container Registry images - [Use Microsoft Defender for container registries to scan your images for vulnerabilities](defender-for-containers-vulnerability-assessment-azure.md)

+- Amazon AWS Elastic Container Registry images - [Use Microsoft Defender for container registries to scan your images for vulnerabilities](defender-for-containers-vulnerability-assessment-elastic.md)

+- Azure Container Registry images - [Use Microsoft Defender for container registries to scan your images for vulnerabilities](defender-for-containers-vulnerability-assessment-azure.md)

+- Amazon AWS Elastic Container Registry images - [Use Microsoft Defender for container registries to scan your images for vulnerabilities](defender-for-containers-vulnerability-assessment-elastic.md)

+- Azure Container Registry images - [Use Defender for Containers to scan your ACR images for vulnerabilities](defender-for-containers-vulnerability-assessment-azure.md)

+Yes. When you enable [Microsoft Defender for Servers](defender-for-servers-introduction.md) on an Azure subscription or a connected AWS account, you'll be charged for all machines that are connected to your Azure subscription or AWS account. The term machines include Azure virtual machines, Azure Virtual Machine Scale Sets instances, and Azure Arc-enabled servers. Machines that don't have Log Analytics installed are covered by protections that don't depend on the Log Analytics agent.

+ steps:

+ - uses: actions/checkout@v2

+ - uses: actions/setup-dotnet@v1

+ with:

+ dotnet-version: |

+ 5.0.x

+ 6.0.x

+ # Upload alerts to the Security tab

+ - name: Upload alerts to Security tab

+ uses: github/codeql-action/upload-sarif@v1

+ with:

+ sarif_file: ${{ steps.msdo.outputs.sarifFile }}

+Defender for Cloud collects data from your Azure virtual machines (VMs), Virtual Machine Scale Sets, IaaS containers, and non-Azure (including on-premises) machines to monitor for security vulnerabilities and threats. Some Defender plans require monitoring components to collect data from your workloads.

+Data collection is required to provide visibility into missing updates, misconfigured OS security settings, endpoint protection status, and health and threat protection. Data collection is only needed for compute resources such as VMs, Virtual Machine Scale Sets, IaaS containers, and non-Azure computers.

+- Azure Container Registry images - [Use Microsoft Defender for container registries to scan your images for vulnerabilities](defender-for-containers-vulnerability-assessment-azure.md)

+- Amazon AWS Elastic Container Registry images - [Use Microsoft Defender for container registries to scan your images for vulnerabilities](defender-for-containers-vulnerability-assessment-elastic.md)

+- [Troubleshoot your multicloud connectors](troubleshooting-guide.md#troubleshooting-the-native-multicloud-connector)

+Learn more in [Use Microsoft Defender for Container to scan your images for vulnerabilities](defender-for-containers-vulnerability-assessment-azure.md).

+Azure Defender for container registries includes a vulnerability scanner to scan images in your Azure Container Registry registries. Learn how to scan your registries and remediate findings in [Use Azure Defender for container registries to scan your images for vulnerabilities](defender-for-containers-vulnerability-assessment-azure.md).

+- [Azure Defender's integrated vulnerability assessment scanner for container registries](defender-for-containers-vulnerability-assessment-azure.md)

+- **Guest Attestation extension should be installed on supported Windows Virtual Machine Scale Sets**

+- **Guest Attestation extension should be installed on supported Linux Virtual Machine Scale Sets**

+Learn more about this scanner in [Use Azure Defender for container registries to scan your images for vulnerabilities](defender-for-containers-vulnerability-assessment-azure.md).

+Learn more in [Disable specific findings for your container images](defender-for-containers-vulnerability-assessment-azure.md#disable-specific-findings) and [Disable specific findings for your virtual machines](remediate-vulnerability-findings-vm.md#disable-specific-findings).

+- [Security Center's integrated vulnerability assessment solution for Azure Container Registry images](defender-for-containers-vulnerability-assessment-azure.md)

+- [Onboard on-premises servers to Security Center from Windows Admin Center (preview)](#onboard-on-premises-servers-to-security-center-from-windows-admin-center-preview)

+### Onboard on-premises servers to Security Center from Windows Admin Center (preview)

+Microsoft Defender for Cloud enables comprehensive visibility, posture management, and threat protection across hybrid and multicloud environments including Azure, AWS, Google, and on-premises resources.

+Defender for DevOps allows you to gain visibility into and manage your connected developer environments and code resources. Currently, you can connect [Azure DevOps](quickstart-onboard-devops.md) and [GitHub](quickstart-onboard-github.md) systems to Defender for Cloud and onboard DevOps repositories to Inventory and the new DevOps Security page. It provides security teams with a high-level overview of the discovered security issues that exist within them in a unified DevOps Security page.

+Larn more about the [Defender Cloud Security Posture Management (CSPM) plan](concept-cloud-security-posture-management.md).

+Learn more about [vulnerability assessment for Amazon ECR images](defender-for-containers-vulnerability-assessment-elastic.md).

+ | Recommendation | Assessment key |

+This feature is in preview and is only available for Linux images.

+All auto-provisioning components available in the connector-level (Azure Arc, MDE, and vulnerability assessments) are enabled by default, and the new configuration supports both [Plan 1 and Plan 2 pricing tiers](defender-for-servers-introduction.md#defender-for-servers-plans).

+- A ruleset can have up to 25 DNS forwarding rules.

+- A ruleset can be linked to up to 10 virtual networks in the same region

+* **ExpressRoute_API_Provider_Sub:** This subscription will be used to manage production ExpressRoute circuits created in peering locations.

+* [Quickstart: Create an Azure Firewall with multiple public IP addresses - Resource Manager template](quick-create-multiple-ip-template.md)

+Rule types must match their parent rule collection category. For example, a DNAT rule can only be part of a DNAT rule collection.

+                    "privateRanges": "[255.255.255.255/32]"

+ :::image type="content" source="media/snat-private-range/private-ip.png" alt-text="Screenshot of edit private IP prefixes.":::

+3. Select the conditions to perform SNAT for your environment under **Perform SNAT** to customize the SNAT configuration.

+ :::image type="content" source="media/snat-private-range/private-ip-ranges-snat.png" alt-text="Screenshot of Private IP ranges (SNAT)." lightbox="media/snat-private-range/private-ip-ranges-snat.png":::

+ Title: Set up an Azure Front Door Standard/Premium Origin

+# Set up an Azure Front Door Standard/Premium Origin

+> This documentation is for Azure Front Door Standard/Premium. Looking for information on Azure Front Door? View [here](../front-door-overview.md).

+| Apache Spark | 2.4.4 |

+> [!NOTE]

+> Spark 3.1.2 (HDI 5.0) doesnΓÇÖt support IO Cache.