+- By staying in the same domain for your application during sign-in, you mitigate the impact of [third-party cookie blocking](/azure/active-directory/develop/reference-third-party-cookies-spas).

+By default, the password is set not to expire. However, the value is configurable by using the [Update-MgDomain](/powershell/module/microsoft.graph.identity.directorymanagement/update-mgdomain) cmdlet from the Microsoft Graph PowerShell module. This command updates the tenant so that all users' passwords expire after a number of days you configure. For example:

+```powershell

+Import-Module Microsoft.Graph.Identity.DirectoryManagement

+Connect-MgGraph -Scopes 'Domain.ReadWrite.All'

+$domainId = "contoso.com"

+$params = @{

+ passwordValidityPeriodInDays = 90

+ passwordNotificationWindowInDays = 15

+}

+Update-MgDomain -DomainId $domainId -BodyParameter $params

+```

+> [!NOTE]

+> `passwordValidityPeriodInDays` indicates the length of time in days that a password remains valid before it must be changed. `passwordNotificationWindowInDays` indicates the length of time in days before the password expiration date when users receive their first notification to indicate that their password is about to expire.

+✔️ Training a custom classifier requires at least `two` distinct classes and a minimum of `five` samples per class. The model response contains the page ranges for each of the classes of documents identified.

+✔️ The maximum allowed number of classes is `500`. The maximum allowed number of samples per class is `100`.

+See the following service-level language support articles for more information on language support:

+| Language | Language code | Notes |

+|:|:-:|:--:|

+| English | `en` | |

+| Spanish | `es` | |

+| Language | Language code | Notes |

+|--||--|

+| Afrikaans      |     `af`  |                    |

+| Albanian     |     `sq`  |                    |

+| Amharic     |     `am`  |                    |

+| Arabic    |     `ar`  |                    |

+| Armenian    |     `hy`  |                    |

+| Assamese    |     `as`  |                    |

+| Azerbaijani    |     `az`  |                    |

+| Basque    |     `eu`  |                    |

+| Belarusian |     `be`  |                    |

+| Bengali     |     `bn`  |                    |

+| Bosnian    |     `bs`  |                    |

+| Breton    |     `br`  |                    |

+| Bulgarian      |     `bg`  |                    |

+| Burmese    |     `my`  |                    |

+| Catalan    |     `ca`  |                    |

+| Chinese-Simplified    |     `zh-hans` |                    |

+| Chinese-Traditional |     `zh-hant` |                    |

+| Croatian | `hr` | |

+| Czech    |     `cs`  |                    |

+| Danish | `da` | |

+| Dutch                 |     `nl`      |                    |

+| English               |     `en`      |                    |

+| Esperanto    |     `eo`  |                    |

+| Estonian              |     `et`      |                    |

+| Filipino    |     `fil`  |                    |

+| Finnish               |     `fi`      |                    |

+| French                |     `fr`      |                    |

+| Galician    |     `gl`  |                    |

+| Georgian    |     `ka`  |                    |

+| German                |     `de`      |                    |

+| Greek    |     `el`  |                    |

+| Gujarati    |     `gu`  |                    |

+| Hausa      |     `ha`  |                    |

+| Hebrew    |     `he`  |                    |

+| Hindi      |     `hi`  |                    |

+| Hungarian    |     `hu`  |                    |

+| Indonesian            |     `id`      |                    |

+| Irish            |     `ga`      |                    |

+| Italian               |     `it`      |                    |

+| Japanese              |     `ja`      |                    |

+| Javanese            |     `jv`      |                    |

+| Kannada            |     `kn`      |                    |

+| Kazakh            |     `kk`      |                    |

+| Khmer            |     `km`      |                    |

+| Korean                |     `ko`      |                    |

+| Kurdish (Kurmanji)   |     `ku`      |                    |

+| Kyrgyz            |     `ky`      |                    |

+| Lao            |     `lo`      |                    |

+| Latin            |     `la`      |                    |

+| Latvian               |     `lv`      |                    |

+| Lithuanian            |     `lt`      |                    |

+| Macedonian            |     `mk`      |                    |

+| Malagasy            |     `mg`      |                    |

+| Malay            |     `ms`      |                    |

+| Malayalam            |     `ml`      |                    |

+| Marathi            |     `mr`      |                    |

+| Mongolian            |     `mn`      |                    |

+| Nepali            |     `ne`      |                    |

+| Norwegian (Bokmål)    |     `no`      | `nb` also accepted |

+| Odia            |     `or`      |                    |

+| Oromo            |     `om`      |                    |

+| Pashto            |     `ps`      |                    |

+| Persian       |     `fa`      |                    |

+| Polish                |     `pl`      |                    |

+| Portuguese (Brazil)   |    `pt-BR`    |                    |

+| Portuguese (Portugal) |    `pt-PT`    | `pt` also accepted |

+| Punjabi            |     `pa`      |                    |

+| Romanian              |     `ro`      |                    |

+| Russian               |     `ru`      |                    |

+| Sanskrit            |     `sa`      |                    |

+| Scottish Gaelic       |     `gd`      |                    |

+| Serbian            |     `sr`      |                    |

+| Sindhi            |     `sd`      |                    |

+| Sinhala            |     `si`      |                    |

+| Slovak                |     `sk`      |                    |

+| Slovenian             |     `sl`      |                    |

+| Somali            |     `so`      |                    |

+| Spanish               |     `es`      |                    |

+| Sudanese            |     `su`      |                    |

+| Swahili            |     `sw`      |                    |

+| Swedish               |     `sv`      |                    |

+| Tamil            |     `ta`      |                    |

+| Telugu           |     `te`      |                    |

+| Thai            |     `th`      |                    |

+| Turkish              |     `tr`      |                    |

+| Ukrainian           |     `uk`      |                    |

+| Urdu            |     `ur`      |                    |

+| Uyghur            |     `ug`      |                    |

+| Uzbek            |     `uz`      |                    |

+| Vietnamese            |     `vi`      |                    |

+| Welsh            |     `cy`      |                    |

+| Western Frisian       |     `fy`      |                    |

+| Xhosa            |     `xh`      |                    |

+| Yiddish            |     `yi`      |                    |

+Use this article to learn which natural languages that language detection supports.

+If you have content expressed in a less frequently used language, you can try Language Detection to see if it returns a code. The response for languages that can't be detected is `unknown`.

+| Language | Language Code |

+|||

+| Afrikaans | `af` |

+| Albanian | `sq` |

+| Amharic | `am` |

+| Arabic | `ar` |

+| Armenian | `hy` |

+| Assamese | `as` |

+| Azerbaijani | `az` |

+| Bashkir | `ba` |

+| Basque | `eu` |

+| Belarusian | `be` |

+| Bengali | `bn` |

+| Bosnian | `bs` |

+| Bulgarian | `bg` |

+| Burmese | `my` |

+| Catalan | `ca` |

+| Central Khmer | `km` |

+| Chinese | `zh` |

+| Chinese Simplified | `zh_chs` |

+| Chinese Traditional | `zh_cht` |

+| Chuvash | `cv` |

+| Corsican | `co` |

+| Croatian | `hr` |

+| Czech | `cs` |

+| Danish | `da` |

+| Dari | `prs` |

+| Divehi | `dv` |

+| Dutch | `nl` |

+| English | `en` |

+| Esperanto | `eo` |

+| Estonian | `et` |

+| Faroese | `fo` |

+| Fijian | `fj` |

+| Finnish | `fi` |

+| French | `fr` |

+| Galician | `gl` |

+| Georgian | `ka` |

+| German | `de` |

+| Greek | `el` |

+| Gujarati | `gu` |

+| Haitian | `ht` |

+| Hausa | `ha` |

+| Hebrew | `he` |

+| Hindi | `hi` |

+| Hmong Daw | `mww` |

+| Hungarian | `hu` |

+| Icelandic | `is` |

+| Igbo | `ig` |

+| Indonesian | `id` |

+| Inuktitut | `iu` |

+| Irish | `ga` |

+| Italian | `it` |

+| Japanese | `ja` |

+| Javanese | `jv` |

+| Kannada | `kn` |

+| Kazakh | `kk` |

+| Kinyarwanda | `rw` |

+| Kirghiz | `ky` |

+| Korean | `ko` |

+| Kurdish | `ku` |

+| Lao | `lo` |

+| Latin | `la` |

+| Latvian | `lv` |

+| Lithuanian | `lt` |

+| Luxembourgish | `lb` |

+| Macedonian | `mk` |

+| Malagasy | `mg` |

+| Malay | `ms` |

+| Malayalam | `ml` |

+| Maltese | `mt` |

+| Maori | `mi` |

+| Marathi | `mr` |

+| Mongolian | `mn` |

+| Nepali | `ne` |

+| Norwegian | `no` |

+| Norwegian Nynorsk | `nn` |

+| Odia | `or` |

+| Pasht | `ps` |

+| Persian | `fa` |

+| Polish | `pl` |

+| Portuguese | `pt` |

+| Punjabi | `pa` |

+| Queretaro Otomi | `otq` |

+| Romanian | `ro` |

+| Russian | `ru` |

+| Samoan | `sm` |

+| Serbian | `sr` |

+| Shona | `sn` |

+| Sindhi | `sd` |

+| Sinhala | `si` |

+| Slovak | `sk` |

+| Slovenian | `sl` |

+| Somali | `so` |

+| Spanish | `es` |

+| Sundanese | `su` |

+| Swahili | `sw` |

+| Swedish | `sv` |

+| Tagalog | `tl` |

+| Tahitian | `ty` |

+| Tajik | `tg` |

+| Tamil | `ta` |

+| Tatar | `tt` |

+| Telugu | `te` |

+| Thai | `th` |

+| Tibetan | `bo` |

+| Tigrinya | `ti` |

+| Tongan | `to` |

+| Turkish | `tr` |

+| Turkmen | `tk` |

+| Upper Sorbian | `hsb` |

+| Uyghur | `ug` |

+| Ukrainian | `uk` |

+| Urdu | `ur` |

+| Uzbek | `uz` |

+| Vietnamese | `vi` |

+| Welsh | `cy` |

+| Xhosa | `xh` |

+| Yiddish | `yi` |

+| Yoruba | `yo` |

+| Yucatec Maya | `yua` |

+| Zulu | `zu` |

+| Language | Language Code |

+|||

+| Assamese | `as` |

+| Bengali | `bn` |

+| Gujarati | `gu` |

+| Hindi | `hi` |

+| Kannada | `kn` |

+| Malayalam | `ml` |

+| Marathi | `mr` |

+| Odia | `or` |

+| Punjabi | `pa` |

+| Tamil | `ta` |

+| Telugu | `te` |

+| Urdu | `ur` |

+|Language |Language code|Notes |

+||-||

+|Afrikaans |`af` | |

+|Amharic |`am` | |

+|Arabic |`ar` | |

+|Assamese |`as` | |

+|Azerbaijani |`az` | |

+|Bulgarian |`bg` | |

+|Bengali |`bn` | |

+|Bosnian |`bs` | |

+|Catalan |`ca` | |

+|Czech |`cs` | |

+|Welsh |`cy` | |

+|Danish |`da` | |

+|German |`de` | |

+|Greek |`el` | |

+|English |`en` | |

+|Spanish |`es` | |

+|Estonian |`et` | |

+|Basque |`eu` | |

+|Persian |`fa` | |

+|Finnish |`fi` | |

+|French |`fr` | |

+|Irish |`ga` | |

+|Galician |`gl` | |

+|Gujarati |`gu` | |

+|Hebrew |`he` | |

+|Hindi |`hi` | |

+|Croatian |`hr` | |

+|Hungarian |`hu` | |

+|Armenian |`hy` | |

+|Italian |`it` | |

+|Indonesian |`id` | |

+|Japanese |`ja` | |

+|Georgian |`ka` | |

+|Kazakh |`kk` | |

+|Khmer |`km` | |

+|Kannada |`kn` | |

+|Korean |`ko` | |

+|Kurdish(Kurmanji) |`ku` | |

+|Kyrgyz |`ky` | |

+|Lao |`lo` | |

+|Lithuanian |`lt` | |

+|Latvian |`lv` | |

+|Malagasy |`mg` | |

+|Macedonian |`mk` | |

+|Malayalam |`ml` | |

+|Mongolian |`mn` | |

+|Marathi |`mr` | |

+|Malay |`ms` | |

+|Burmese |`my` | |

+|Nepali |`ne` | |

+|Dutch |`nl` | |

+|Norwegian (Bokmål) |`no` |`nb` also accepted|

+|Odia |`or` | |

+|Punjabi |`pa` | |

+|Polish |`pl` | |

+|Pashto |`ps` | |

+|Portuguese (Brazil) |`pt-BR` | |

+|Portuguese (Portugal)|`pt-PT` |`pt` also accepted|

+|Romanian |`ro` | |

+|Russian |`ru` | |

+|Slovak |`sk` | |

+|Slovenian |`sl` | |

+|Somali |`so` | |

+|Albanian |`sq` | |

+|Serbian |`sr` | |

+|Swazi |`ss` | |

+|Swedish |`sv` | |

+|Swahili |`sw` | |

+|Tamil |`ta` | |

+|Telugu |`te` | |

+|Thai |`th` | |

+|Turkish |`tr` | |

+|Uyghur |`ug` | |

+|Ukrainian |`uk` | |

+|Urdu |`ur` | |

+|Uzbek |`uz` | |

+|Vietnamese |`vi` | |

+|Chinese-Simplified |`zh-hans` |`zh` also accepted|

+|Chinese-Traditional |`zh-hant` | |

+| Language | Language code | Notes |

+|--||--|

+|German |`de` | |

+|English |`en` | |

+|Spanish |`es` | |

+|French |`fr` | |

+| Language | Language code | Notes |

+|-|-|-|

+| Afrikaans | `af` | |

+| Albanian | `sq` | |

+| Amharic | `am` | |

+| Arabic | `ar` |

+| Armenian | `hy` | |

+| Assamese | `as` | |

+| Azerbaijani | `az` | |

+| Basque | `eu` | |

+| Belarusian (new) | `be` | |

+| Bengali | `bn` | |

+| Bosnian | `bs` | |

+| Breton (new) | `br` | |

+| Bulgarian | `bg` | |

+| Burmese | `my` | |

+| Catalan | `ca` | |

+| Chinese (Simplified) | `zh-hans` | `zh` also accepted |

+| Chinese (Traditional) | `zh-hant` | |

+| Croatian | `hr` | |

+| Czech | `cs` | |

+| Danish | `da` |

+| Dutch | `nl` | |

+| English | `en` | |

+| Esperanto (new) | `eo` | |

+| Estonian | `et` | |

+| Filipino | `fil` | |

+| Finnish | `fi` |

+| French | `fr` | |

+| Galician | `gl` | |

+| Georgian | `ka` | |

+| German | `de` | |

+| Greek | `el` |

+| Gujarati | `gu` | |

+| Hausa (new) | `ha` | |

+| Hebrew | `he` | |

+| Hindi | `hi` | |

+| Hungarian | `hu` | |

+| Indonesian | `id` | |

+| Irish | `ga` | |

+| Italian | `it` | |

+| Japanese | `ja` | |

+| Javanese (new) | `jv` | |

+| Kannada | `kn` | |

+| Kazakh | `kk` | |

+| Khmer | `km` | |

+| Korean | `ko` | |

+| Kurdish (Kurmanji) | `ku` | |

+| Kyrgyz | `ky` | |

+| Lao | `lo` | |

+| Latin (new) | `la` | |

+| Latvian | `lv` | |

+| Lithuanian | `lt` | |

+| Macedonian | `mk` | |

+| Malagasy | `mg` | |

+| Malay | `ms` | |

+| Malayalam | `ml` | |

+| Marathi | `mr` | |

+| Mongolian | `mn` | |

+| Nepali | `ne` | |

+| Norwegian | `no` | |

+| Odia | `or` | |

+| Oromo (new) | `om` | |

+| Pashto | `ps` | |

+| Persian | `fa` | |

+| Polish | `pl` |

+| Portuguese (Portugal) | `pt-PT` | `pt` also accepted |

+| Portuguese (Brazil) | `pt-BR` | |

+| Punjabi | `pa` | |

+| Romanian | `ro` | |

+| Russian | `ru` |

+| Sanskrit (new) | `sa` | |

+| Scottish Gaelic (new) | `gd` | |

+| Serbian | `sr` | |

+| Sindhi (new) | `sd` | |

+| Sinhala (new) | `si` | |

+| Slovak | `sk` | |

+| Slovenian | `sl` | |

+| Somali | `so` | |

+| Spanish | `es` | |

+| Sundanese (new) | `su` | |

+| Swahili | `sw` | |

+| Swedish | `sv` |

+| Tamil | `ta` | |

+| Telugu | `te` | |

+| Thai | `th` | |

+| Turkish | `tr` | |

+| Ukrainian | `uk` | |

+| Urdu | `ur` | |

+| Uyghur | `ug` | |

+| Uzbek | `uz` | |

+| Vietnamese | `vi` | |

+| Welsh | `cy` | |

+| Western Frisian (new) | `fy` | |

+| Xhosa (new) | `xh` | |

+| Yiddish (new) | `yi` | |

+| Language | Language code | Notes |

+|-|-|-|

+| Afrikaans (new) | `af` | |

+| Albanian (new) | `sq` | |

+| Amharic (new) | `am` | |

+| Arabic | `ar` | |

+| Armenian (new) | `hy` | |

+| Assamese (new) | `as` | |

+| Azerbaijani (new) | `az` | |

+| Basque (new) | `eu` | |

+| Belarusian (new) | `be` | |

+| Bengali | `bn` | |

+| Bosnian (new) | `bs` | |

+| Breton (new) | `br` | |

+| Bulgarian (new) | `bg` | |

+| Burmese (new) | `my` | |

+| Catalan (new) | `ca` | |

+| Chinese (Simplified) | `zh-hans` | `zh` also accepted |

+| Chinese (Traditional) (new) | `zh-hant` | |

+| Croatian (new) | `hr` | |

+| Czech (new) | `cs` | |

+| Danish | `da` | |

+| Dutch | `nl` | |

+| English | `en` | |

+| Esperanto (new) | `eo` | |

+| Estonian (new) | `et` | |

+| Filipino (new) | `fil` | |

+| Finnish | `fi` | |

+| French | `fr` | |

+| Galician (new) | `gl` | |

+| Georgian (new) | `ka` | |

+| German | `de` | |

+| Greek | `el` | |

+| Gujarati (new) | `gu` | |

+| Hausa (new) | `ha` | |

+| Hebrew (new) | `he` | |

+| Hindi | `hi` | |

+| Hungarian | `hu` | |

+| Indonesian | `id` | |

+| Irish (new) | `ga` | |

+| Italian | `it` | |

+| Japanese | `ja` | |

+| Javanese (new) | `jv` | |

+| Kannada (new) | `kn` | |

+| Kazakh (new) | `kk` | |

+| Khmer (new) | `km` | |

+| Korean | `ko` | |

+| Kurdish (Kurmanji) | `ku` | |

+| Kyrgyz (new) | `ky` | |

+| Lao (new) | `lo` | |

+| Latin (new) | `la` | |

+| Latvian (new) | `lv` | |

+| Lithuanian (new) | `lt` | |

+| Macedonian (new) | `mk` | |

+| Malagasy (new) | `mg` | |

+| Malay (new) | `ms` | |

+| Malayalam (new) | `ml` | |

+| Marathi | `mr` | |

+| Mongolian (new) | `mn` | |

+| Nepali (new) | `ne` | |

+| Norwegian | `no` | |

+| Odia (new) | `or` | |

+| Oromo (new) | `om` | |

+| Pashto (new) | `ps` | |

+| Persian (new) | `fa` | |

+| Polish | `pl` | |

+| Portuguese (Portugal) | `pt-PT` | `pt` also accepted |

+| Portuguese (Brazil) | `pt-BR` | |

+| Punjabi (new) | `pa` | |

+| Romanian (new) | `ro` | |

+| Russian | `ru` | |

+| Sanskrit (new) | `sa` | |

+| Scottish Gaelic (new) | `gd` | |

+| Serbian (new) | `sr` | |

+| Sindhi (new) | `sd` | |

+| Sinhala (new) | `si` | |

+| Slovak (new) | `sk` | |

+| Slovenian (new) | `sl` | |

+| Somali (new) | `so` | |

+| Spanish | `es` | |

+| Sundanese (new) | `su` | |

+| Swahili (new) | `sw` | |

+| Swedish | `sv` | |

+| Tamil | `ta` | |

+| Telugu | `te` | |

+| Thai (new) | `th` | |

+| Turkish | `tr` | |

+| Ukrainian (new) | `uk` | |

+| Urdu (new) | `ur` | |

+| Uyghur (new) | `ug` | |

+| Uzbek (new) | `uz` | |

+| Vietnamese (new) | `vi` | |

+| Welsh (new) | `cy` | |

+| Western Frisian (new) | `fy` | |

+| Xhosa (new) | `xh` | |

+| Yiddish (new) | `yi` | |

+The hosted API service supports the English, Spanish, French, German, Italian, Portuguese and Hebrew languages.

+The docker container supports the English, Spanish, French, German, Italian, Portuguese and Hebrew languages.

+## Details of the supported container tags:

+| Language Code | Featured Tag | Specific Tag |

+|:--|:-:|::|

+| `en` | latest | 3.0.59413252-onprem-amd64 |

+| `en`, `es`, `it`, `fr`, `de`, `pt` | latin | 3.0.60903415-latin-onprem-amd64 |

+| `he` | semitic | 3.0.60903415-semitic-onprem-amd64 |

+Azure OpenAI Service includes a content filtering system that works alongside core models. This system works by running both the prompt and completion through an ensemble of classification models aimed at detecting and preventing the output of harmful content. The content filtering system detects and takes action on specific categories of potentially harmful content in both input prompts and output completions. Variations in API configurations and application design might affect completions and thus filtering behavior.

+The content filtering models have been specifically trained and tested on the following languages: English, German, Japanese, Spanish, French, Italian, Portuguese, and Chinese. However, the service can work in many other languages, but the quality might vary. In all cases, you should do your own testing to ensure that it works for your application.

+In addition to the content filtering system, the Azure OpenAI Service performs monitoring to detect content and/or behaviors that suggest use of the service in a manner that might violate applicable product terms. For more information about understanding and mitigating risks associated with your application, see the [Transparency Note for Azure OpenAI](/legal/cognitive-services/openai/transparency-note?tabs=text). For more information about how data is processed in connection with content filtering and abuse monitoring, see [Data, privacy, and security for Azure OpenAI Service](/legal/cognitive-services/openai/data-privacy?context=/azure/ai-services/openai/context/context#preventing-abuse-and-harmful-content-generation).

+|Safe | Content might be related to violence, self-harm, sexual, or hate categories but the terms are used in general, journalistic, scientific, medical, and similar professional contexts, which are appropriate for most audiences. |

+When the content filtering system detects harmful content, you'll receive either an error on the API call if the prompt was deemed inappropriate or the `finish_reason` on the response will be `content_filter` to signify that some of the completion was filtered. When building your application or system, you'll want to account for these scenarios where the content returned by the Completions API is filtered, which might result in content that is incomplete. How you act on this information will be application specific. The behavior can be summarized in the following points:

+# [Python](#tab/python)

+# [JavaScript](#tab/javascrit)

+[Azure OpenAI JavaScript SDK source code & samples](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/openai/openai)

+```javascript

+import { OpenAIClient, AzureKeyCredential } from "@azure/openai";

+// Load the .env file if it exists

+import * as dotenv from "dotenv";

+dotenv.config();

+// You will need to set these environment variables or edit the following values

+const endpoint = process.env["ENDPOINT"] || "<endpoint>";

+const azureApiKey = process.env["AZURE_API_KEY"] || "<api key>";

+const messages = [

+ { role: "system", content: "You are a helpful assistant. You will talk like a pirate." },

+ { role: "user", content: "Can you help me?" },

+ { role: "assistant", content: "Arrrr! Of course, me hearty! What can I do for ye?" },

+ { role: "user", content: "What's the best way to train a parrot?" },

+];

+export async function main() {

+ console.log("== Get completions Sample ==");

+ const client = new OpenAIClient(endpoint, new AzureKeyCredential(azureApiKey));

+ const deploymentId = "gpt-35-turbo"; //This needs to correspond to the name you chose when you deployed the model.

+ const events = await client.listChatCompletions(deploymentId, messages, { maxTokens: 128 });

+ for await (const event of events) {

+ for (const choice of event.choices) {

+ console.log(choice.message);

+ if (!choice.contentFilterResults) {

+ console.log("No content filter is found");

+ return;

+ }

+ if (choice.contentFilterResults.error) {

+ console.log(

+ `Content filter ran into the error ${choice.contentFilterResults.error.code}: ${choice.contentFilterResults.error.message}`

+ );

+ } else {

+ const { hate, sexual, selfHarm, violence } = choice.contentFilterResults;

+ console.log(

+ `Hate category is filtered: ${hate?.filtered} with ${hate?.severity} severity`

+ );

+ console.log(

+ `Sexual category is filtered: ${sexual?.filtered} with ${sexual?.severity} severity`

+ );

+ console.log(

+ `Self-harm category is filtered: ${selfHarm?.filtered} with ${selfHarm?.severity} severity`

+ );

+ console.log(

+ `Violence category is filtered: ${violence?.filtered} with ${violence?.severity} severity`

+ );

+ }

+ }

+ }

+}

+main().catch((err) => {

+ console.error("The sample encountered an error:", err);

+});

+```

+- `2023-09-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-09-01-preview/inference.json)

+> We are retiring the standard voices from September 1, 2021 through August 31, 2024. If you used a standard voice with your Speech resource that was created prior to September 1, 2021 then you can continue to do so until August 31, 2024. To use neural voices, choose voice names that include 'Neural' in their name, for example: en-US-JennyMultilingualNeural. All other Speech resources can only use prebuilt neural voices. You can choose from the supported [neural voice names](language-support.md?tabs=tts). After August 31, 2024 the standard voices won't be supported with any Speech resource.

+Nodes are deployed onto a private virtual network subnet, with no public IP addresses assigned. For troubleshooting and management purposes, SSH is enabled by default and only accessible using the internal IP address. Disabling SSH during cluster and node pool creation, or for an existing cluster or node pool, is in preview. See [Manage SSH access][manage-ssh-access] for more information.

+[manage-ssh-access]: manage-ssh-node-access.md

+| Annotation | Value | Description |

+|--|-|--|

+| `service.beta.kubernetes.io/azure-load-balancer-internal` | `true` or `false` | Specify whether the load balancer should be internal. If not set, it defaults to public. |

+| `service.beta.kubernetes.io/azure-load-balancer-internal-subnet` | Name of the subnet | Specify which subnet the internal load balancer should be bound to. If not set, it defaults to the subnet configured in cloud config file. |

+| `service.beta.kubernetes.io/azure-dns-label-name` | Name of the DNS label on Public IPs | Specify the DNS label name for the **public** service. If it's set to an empty string, the DNS entry in the Public IP isn't used. |

+| `service.beta.kubernetes.io/azure-shared-securityrule` | `true` or `false` | Specify exposing the service through a potentially shared Azure security rule to increase service exposure, utilizing Azure [Augmented Security Rules][augmented-security-rules] in Network Security groups. |

+| `service.beta.kubernetes.io/azure-load-balancer-resource-group` | Name of the resource group | Specify the resource group of load balancer public IPs that aren't in the same resource group as the cluster infrastructure (node resource group). |

+| `service.beta.kubernetes.io/azure-allowed-service-tags` | List of allowed service tags | Specify a list of allowed [service tags][service-tags] separated by commas. |

+| `service.beta.kubernetes.io/azure-load-balancer-tcp-idle-timeout` | TCP idle timeouts in minutes | Specify the time in minutes for TCP connection idle timeouts to occur on the load balancer. The default and minimum value is 4. The maximum value is 30. The value must be an integer. |

+| `service.beta.kubernetes.io/azure-load-balancer-disable-tcp-reset` | `true` or `false` | Specify whether the load balancer should disable TCP reset on idle timeout. |

+| `service.beta.kubernetes.io/azure-load-balancer-ipv4` | IPv4 address | Specify the IPv4 address to assign to the load balancer. |

+| `service.beta.kubernetes.io/azure-load-balancer-ipv6` | IPv6 address | Specify the IPv6 address to assign to the load balancer. |

+| Annotation | Value | Description |

+|-|--|--|

+| `service.beta.kubernetes.io/azure-load-balancer-health-probe-interval` | Health probe interval | |

+| `service.beta.kubernetes.io/azure-load-balancer-health-probe-num-of-probe` | The minimum number of unhealthy responses of health probe | |

+| `service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path` | Request path of the health probe | |

+| `service.beta.kubernetes.io/port_{port}_no_lb_rule` | true/false | {port} is service port number. When set to true, no lb rule or health probe rule for this port is generated. Health check service should not be exposed to the public internet(e.g. istio/envoy health check service) |

+| `service.beta.kubernetes.io/port_{port}_no_probe_rule` | true/false | {port} is service port number. When set to true, no health probe rule for this port is generated. |

+| `service.beta.kubernetes.io/port_{port}_health-probe_protocol` | Health probe protocol | {port} is service port number. Explicit protocol for the health probe for the service port {port}, overriding port.appProtocol if set. |

+| `service.beta.kubernetes.io/port_{port}_health-probe_port` | port number or port name in service manifest | {port} is service port number. Explicit port for the health probe for the service port {port}, overriding the default value. |

+| `service.beta.kubernetes.io/port_{port}_health-probe_interval` | Health probe interval | {port} is service port number. |

+| `service.beta.kubernetes.io/port_{port}_health-probe_num-of-probe` | The minimum number of unhealthy responses of health probe | {port} is service port number. |

+| `service.beta.kubernetes.io/port_{port}_health-probe_request-path` | Request path of the health probe | {port} is service port number. |

+||-|||-|--|--|

+||--||

+[augmented-security-rules]: ../virtual-network/network-security-groups-overview.md#augmented-security-rules

+## Disable OutboundNAT for Windows (Preview)

+Windows OutboundNAT can cause certain connection and communication issues with your AKS pods. An example issue is node port reuse. In this example, Windows OutboundNAT uses ports to translate your pod IP to your Windows node host IP, which can cause an unstable connection to the external service due to a port exhaustion issue.

+* If you're using Kubernetes version 1.25 or older, you need to [update your deployment configuration][upgrade-kubernetes].

+* You need to install or update `aks-preview` and register the feature flag.

+ ```azurecli-interactive

+ # Install aks-preview

+ az extension add --name aks-preview

+ # Update aks-preview

+ az extension update --name aks-preview

+ ```

+ ```azurecli-interactive

+ az feature register --namespace Microsoft.ContainerService --name DisableWindowsOutboundNATPreview

+ ```

+ ```azurecli-interactive

+ az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/DisableWindowsOutboundNATPreview')].{Name:name,State:properties.state}"

+ ```

+ 4. Refresh the registration of the `Microsoft.ContainerService` resource provider using the [`az provider register`][az-provider-register] command.

+ ```azurecli-interactive

+ az provider register --namespace Microsoft.ContainerService

+ ```

+### Limitations

+* You can't set cluster outbound type to LoadBalancer. You can set it to Nat Gateway or UDR:

+ * [NAT Gateway](./nat-gateway.md): NAT Gateway can automatically handle NAT connection and is more powerful than Standard Load Balancer. You might incur extra charges with this option.

+ * [UDR (UserDefinedRouting)](./limit-egress-traffic.md): You must keep port limitations in mind when configuring routing rules.

+ * If you need to switch from a load balancer to NAT Gateway, you can either add a NAT gateway into the VNet or run [`az aks upgrade`][aks-upgrade] to update the outbound type.

+> [!NOTE]

+> UserDefinedRouting has the following limitations:

+>

+> * SNAT by Load Balancer (must use the default OutboundNAT) has "64 ports on the host IP".

+> * SNAT by Azure Firewall (disable OutboundNAT) has 2496 ports per public IP.

+> * SNAT by NAT Gateway (disable OutboundNAT) has 64512 ports per public IP.

+> * If the Azure Firewall port range isn't enough for your application, you need to use NAT Gateway.

+> * Azure Firewall doesn't SNAT with Network rules when the destination IP address is in a private IP address range per [IANA RFC 1918 or shared address space per IANA RFC 6598](../firewall/snat-private-range.md).

+ > You can use an existing AKS cluster, but you might need to update the outbound type and add a node pool to enable `--disable-windows-outbound-nat`.

+ ```azurecli-interactive

+[az-provider-register]: /cli/azure/provider#az_provider_register

+## Kubernetes Integration

+### Kubernetes Ingress

+> [!IMPORTANT]

+> Support for Kubernetes Ingress is currently experimental and not covered through Azure Support. Learn more on [GitHub](https://github.com/Azure/api-management-self-hosted-gateway-ingress).

+| Name | Description | Required | Default | Availability |

+|-||-|-| -|

+| k8s.ingress.enabled | Enable Kubernetes Ingress integration. | No | `false` | v1.2+ |

+| k8s.ingress.namespace | Kubernetes namespace to watch Kubernetes Ingress resources in. | No | `default` | v1.2+ |

+| k8s.ingress.dns.suffix | DNS suffix to build DNS hostname for services to send requests to. | No | `svc.cluster.local` | v2.4+ |

+| k8s.ingress.config.path | Path to Kubernetes configuration (Kubeconfig). | No | N/A | v2.4+ |

+ Logs from ALB Controller will be returned in JSON format.

+# Enable Change Tracking and Inventory using Azure Monitoring Agent

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: Windows Registry :heavy_check_mark: Windows Files :heavy_check_mark: Linux Files :heavy_check_mark: Windows Software :heavy_check_mark: File Content Changes

+ Title: Migration guidance from Change Tracking and inventory using Log Analytics to Azure Monitoring Agent

+description: An overview on how to migrate from Change Tracking and inventory using Log Analytics to Azure Monitoring Agent.

+# Migration guidance from Change Tracking and inventory using Log Analytics to Change Tracking and inventory using Azure Monitoring Agent version

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: Azure Arc-enabled servers.

+This article provides guidance to move from Change Tracking and Inventory using Log Analytics version to the Azure Monitoring Agent version.

+## Onboarding to Change tracking and inventory using Azure Monitoring Agent

+### [Using Azure portal - for single VM](#tab/ct-single-vm)

+1. Sign in to the [Azure portal](https://portal.azure.com) and select your virtual machine

+1. Under **Operations** , select **Change tracking**.

+1. Select **Configure with AMA** and in the **Configure with Azure monitor agent**, provide the **Log analytics workspace** and select **Migrate** to initiate the deployment.

+ :::image type="content" source="media/guidance-migration-log-analytics-monitoring-agent/onboarding-single-vm-inline.png" alt-text="Screenshot of onboarding a single VM to Change tracking and inventory using Azure monitoring agent." lightbox="media/guidance-migration-log-analytics-monitoring-agent/onboarding-single-vm-expanded.png":::

+1. Select **Switch to CT&I with AMA** to evaluate the incoming events and logs across LA agent and AMA version.

+ :::image type="content" source="media/guidance-migration-log-analytics-monitoring-agent/switch-versions-inline.png" alt-text="Screenshot that shows switching between log analytics and Azure Monitoring Agent after a successful migration." lightbox="media/guidance-migration-log-analytics-monitoring-agent/switch-versions-expanded.png":::

+### [Using Azure portal - for Automation account](#tab/ct-at-scale)

+1. Sign in to [Azure portal](https://portal.azure.com) and select your Automation account.

+1. Under **Configuration Management**, select **Change tracking** and then select **Configure with AMA**.

+ :::image type="content" source="media/guidance-migration-log-analytics-monitoring-agent/onboarding-at-scale-inline.png" alt-text="Screenshot of onboarding at scale to Change tracking and inventory using Azure monitoring agent." lightbox="media/guidance-migration-log-analytics-monitoring-agent/onboarding-at-scale-expanded.png":::

+1. On the **Onboarding to Change Tracking with Azure Monitoring** page, you can view your automation account and list of machines that are currently on Log Analytics and ready to be onboarded to Azure Monitoring Agent of Change Tracking and inventory.

+1. On the **Assess virtual machines** tab, select the machines and then select **Next**.

+1. On **Assign workspace** tab, assign a new [Log Analytics workspace resource ID](#obtain-log-analytics-workspace-resource-id) to which the settings of AMA based solution should be stored and select **Next**.

+

+ :::image type="content" source="media/guidance-migration-log-analytics-monitoring-agent/assign-workspace-inline.png" alt-text="Screenshot of assigning new Log Analytics resource ID." lightbox="media/guidance-migration-log-analytics-monitoring-agent/assign-workspace-expanded.png":::

+

+1. On **Review** tab, you can review the machines that are being onboarded and the new workspace.

+1. Select **Migrate** to initiate the deployment.

+1. After a successful migration, select **Switch to CT&I with AMA** to compare both the LA and AMA experience.

+ :::image type="content" source="media/guidance-migration-log-analytics-monitoring-agent/switch-versions-inline.png" alt-text="Screenshot that shows switching between log analytics and Azure Monitoring Agent after a successful migration." lightbox="media/guidance-migration-log-analytics-monitoring-agent/switch-versions-expanded.png":::

+### [Using PowerShell script](#tab/ps-policy)

+#### Prerequisites

+- Ensure to have the Windows PowerShell console installed. Follow the steps to [install Windows PowerShell](https://learn.microsoft.com/powershell/scripting/windows-powershell/install/installing-windows-powershell?view=powershell-7.3).

+- We recommend that you use PowerShell version 7.1.3 or higher.

+- Obtain Read access for the specified workspace resources.

+- Ensure that you have `Az.Accounts` and `Az.OperationalInsights` modules installed. The `Az.PowerShell` module is used to pull workspace agent configuration information.

+- Ensure to have the Azure credentials to run `Connect-AzAccount` and `Select Az-Context` that set the context for the script to run.

+Follow these steps to migrate using scripts.

+#### Migration guidance

+1. Install the script to run to conduct migrations.

+1. Ensure that the new workspace resource ID is different to the one with which it's associated to in the Change Tracking and Inventory using the LA version.

+1. Migrate settings for the following data types:

+ - Windows Services

+ - Linux Files

+ - Windows Files

+ - Windows Registry

+ - Linux Daemons

+1. Generate and associates a new DCR to transfer the settings to the Change Tracking and Inventory using AMA.

+#### Onboard at scale

+Use the [script](https://github.com/mayguptMSFT/AzureMonitorCommunity/blob/master/Azure%20Services/Azure%20Monitor/Agents/Migration%20Tools/DCR%20Config%20Generator/CTDcrGenerator/CTWorkSpaceSettingstoDCR.ps1) to migrate Change tracking workspace settings to data collection rule.

+

+#### Parameters

+**Parameter** | **Required** | **Description** |

+ | | |

+`InputWorkspaceResourceId`| Yes | Resource ID of the workspace associated to Change Tracking & Inventory with Log Analytics. |

+`OutputWorkspaceResourceId`| Yes | Resource ID of the workspace associated to Change Tracking & Inventory with Azure Monitoring Agent. |

+`OutputDCRName`| Yes | Custom name of the new DCR created. |

+`OutputDCRLocation`| Yes | Azure location of the output workspace ID. |

+`OutputDCRTemplateFolderPath`| Yes | Folder path where DCR templates are created. |

+### Obtain Log Analytics Workspace Resource ID

+To obtain the Log Analytics Workspace resource ID, follow these steps:

+1. Sign in to [Azure portal](https://portal.azure.com)

+1. In **Log Analytics Workspace**, select the specific workspace and select **Json View**.

+1. Copy the **Resource ID**.

+## Limitations

+### [Using Azure portal](#tab/limit-single-vm)

+**For single VM and Automation Account**

+1. 100 VMs per Automation Account can be migrated in one instance.

+1. Any VM with > 100 file/registry settings for migration via portal isn't supported now.

+1. Arc VM migration isn't supported with portal, we recommend that you use PowerShell script migration.

+1. For File Content changes-based settings, you have to migrate manually from LA version to AMA version of Change Tracking & Inventory. Follow the guidance listed in [Track file contents](manage-change-tracking-monitoring-agent.md#configure-file-content-changes).

+1. Alerts that you configure using the Log Analytics Workspace must be [manually configured](configure-alerts.md).

+### [Using PowerShell script](#tab/limit-policy)

+1. For File Content changes-based settings, you have to migrate manually from LA version to AMA version of Change Tracking & Inventory. Follow the guidance listed in [Track file contents](manage-change-tracking.md#track-file-contents).

+1. Alerts that you configure using the Log Analytics Workspace must be [manually configured](configure-alerts.md).

+## Disable Change tracking using Log Analytics Agent

+After you enable management of your virtual machines using Change Tracking and Inventory using Azure Monitoring Agent, you might decide to stop using Change Tracking & Inventory with LA agent version and remove the configuration from the account.

+The disable method incorporates the following:

+- [Removes change tracking with LA agent for selected few VMs within Log Analytics Workspace](remove-vms-from-change-tracking.md).

+- [Removes change tracking with LA agent from the entire Log Analytics Workspace](remove-feature.md).

+

+## Next steps

+- To enable from the Azure portal, see [Enable Change Tracking and Inventory from the Azure portal](../change-tracking/enable-vms-monitoring-agent.md).

+ Title: Manage change tracking and inventory in Azure Automation using Azure Monitoring Agent

+description: This article tells how to use change tracking and inventory to track software and Microsoft service changes in your environment using Azure Monitoring Agent

+# Manage change tracking and inventory using Azure Monitoring Agent

+ Title: Azure Automation Change Tracking and Inventory overview using Azure Monitoring Agent

+description: This article describes the Change Tracking and Inventory feature using Azure monitoring agent, which helps you identify software and Microsoft service changes in your environment.

+# Overview of change tracking and inventory using Azure Monitoring Agent

+> - Currently, Change tracking and inventory uses Log Analytics Agent and this is scheduled to retire by 31.August.2024. We recommend that you use Azure Monitoring Agent as the new supporting agent.

+> - Guidance on migration from Change Tracking & Inventory using Log Analytics agent to Azure Monitoring Agent will be available once it is generally available. [Learn more](guidance-migration-log-analytics-monitoring-agent.md).

+> - We recommend that you use Change Tracking with Azure Monitoring Agent with the Change tracking extension version 2.20.0.0 (or above) to access the GA version of this service.

+This article explains on the latest version of change tracking support using Azure Monitoring Agent as a singular agent for data collection.

+> [!NOTE]

+> The [Current GA version](../../defender-for-cloud/file-integrity-monitoring-enable-log-analytics.md) of File Integrity Monitoring based on Log Analytics agent, will be deprecated in August 2024, and a **new version will be provided over MDE soon**.  The **[FIM Public Preview](../../defender-for-cloud/file-integrity-monitoring-enable-ama.md) based on Azure Monitor Agent (AMA), will be deprecated when the alternative is provided over MDE**. Hence, the FIM with AMA Public Preview version is not planned for GA. Read the announcement [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-strategy-and-plan-towards-log/ba-p/3883341).

+Change Tracking and Inventory using Azure Monitoring Agent doesn't support or has the following limitations:

+The average Log Analytics data usage for a machine using Change Tracking and Inventory is approximately 40 MB per month, depending on your environment. With the Usage and Estimated Costs feature of the Log Analytics workspace, you can view the data ingested by Change Tracking and Inventory in a usage chart. Use this data view to evaluate your data usage and determine how it affects your bill. See [Understand your usage and estimate costs](../../azure-monitor/cost-usage.md#usage-and-estimated-costs).

+ Title: Supported regions for Change tracking and inventory using Azure Monitoring Agent

+# Supported regions for Change tracking and inventory Azure Monitoring Agent

+[Change Tracking and Inventory](change-tracking/overview.md) combines functions to allow you to track Linux and Windows virtual machine and server infrastructure changes. The service supports change tracking across services, daemons, software, registry, and files in your environment to help you diagnose unwanted changes and raise alerts. Inventory support allows you to query in-guest resources for visibility into installed applications and other configuration items. Change Tracking & Inventory is now supported with the Azure Monitoring Agent version. [Learn more](change-tracking/overview-monitoring-agent.md).

+ - Ensure resource creation\deletion operations are captured to SQL.

+ - Send monitoring data to ServiceNow, Event Hubs, New Relic and so on.

+Depending on your requirements, one or more of the following Azure services integrate with or complement Azure Automation to help fulfill them:

+This error can be caused if the pricing tier doesn't match the subscription's billing model. For more information, see [Monitoring usage and estimated costs in Azure Monitor](../../azure-monitor/cost-usage.md#usage-and-estimated-costs).

+### General Availability: Change Tracking using Azure Monitoring Agent

+Azure Automation announces General Availability of Change Tracking using Azure Monitoring Agent. [Learn more](change-tracking/guidance-migration-log-analytics-monitoring-agent.md).

+* VMware vSphere version 7.0, 8.0

+* Review the [system requirements](system-requirements.md) for deploying and managing Arc resource bridge.

+> Delivery of ESUs through Azure Arc to virtual machines running on Virtual Desktop Infrastructure (VDI) is not recommended. VDI systems should use Multiple Activation Keys (MAK) to apply ESUs. See [Access your Multiple Activation Key from the Microsoft 365 Admin Center](/windows-server/get-started/extended-security-updates-deploy) to learn more.

+When you [enable guest management](enable-guest-management-at-scale.md) on VMware VMs, Azure Arc agent is installed on the VMs. The Azure Connected Machine agent enables you to manage your Windows and Linux machines hosted outside of Azure on your corporate network or other cloud providers. This article provides an architectural overview of Azure connected machine agent.

+>[!NOTE]

+>Moving VMware vCenter resources between Resource Groups and Subscriptions is currently not supported.

+

+[Manage access to VMware resources through Azure RBAC](setup-and-manage-self-service-access.md).

+Azure Arc-enabled VMware vSphere (preview) currently works with vCenter Server versions 7 and 8.

+| Cold start times<sup>2</sup> | [Configurable optimizations](./dotnet-isolated-process-guide.md#performance-optimizations) | Optimized |

+In general, your app should use the latest versions of its core dependencies. At a minimum, you should update your project as follows:

+- Upgrade [Microsoft.Azure.Functions.Worker] to version 1.19.0 or later.

+- Upgrade [Microsoft.Azure.Functions.Worker.Sdk] to version 1.15.1 or later.

+- Add a framework reference to `Microsoft.AspNetCore.App`, unless your app targets .NET Framework.

+The following example shows this configuration in the context of a project file:

+ <PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="1.15.1" />

+### Placeholders

+Placeholders are a platform capability that improves cold start for apps targeting .NET 6 or later. The feature requires some opt-in configuration. To enable placeholders:

+- **Update your project as detailed in the preceding section.**

+- Additionally, when using version 1.15.1 or earlier of `Microsoft.Azure.Functions.Worker.Sdk`, you must add two properties to the project file:

+ - Set the property `FunctionsEnableWorkerIndexing` to "True".

+ - Set the property `FunctionsAutoRegisterGeneratedMetadataProvider` to "True".

+- Set the `WEBSITE_USE_PLACEHOLDER_DOTNETISOLATED` application setting to "1".

+- Ensure that the `netFrameworkVersion` property of the function app matches your project's target framework, which must be .NET 6 or later.

+- Ensure that the function app is configured to use a 64-bit process.

+> [!IMPORTANT]

+> Setting the `WEBSITE_USE_PLACEHOLDER_DOTNETISOLATED` to "1" requires all other aspects of the configuration to be set correctly. Any deviation can cause startup failures.

+The following CLI commands will set the application setting, update the `netFrameworkVersion` property, and make the app run as 64-bit. Replace `<groupName>` with the name of the resource group, and replace `<appName>` with the name of your function app. Replace `<framework>` with the appropriate version string, such as "v6.0", "v7.0", or "v8.0", according to your target .NET version.

+```azurecli

+az functionapp config appsettings set -g <groupName> -n <appName> --settings 'WEBSITE_USE_PLACEHOLDER_DOTNETISOLATED=1'

+az functionapp config set -g <groupName> -n <appName> --net-framework-version <framework>

+az functionapp config set -g <groupName> -n <appName> --use-32bit-worker-process false

+### Optimized executor

+The function executor is a component of the platform that causes invocations to run. An optimized version of this component is available, and in version 1.15.1 or earlier of the SDK, it requires opt-in configuration. To enable the optimized executor, you must update your project file:

+- **Update your project as detailed in the above section.**

+- Additionally set the property `FunctionsEnableExecutorSourceGen` to "True"

+<sup>1</sup> Only 64-bit apps are eligible for some other performance optimizations.

+If developing using a JavaScript framework, one of the following open-source projects can be useful:

+* Bing Maps provides two hosted branches of their SDK; Release and Experimental. The Experimental branch can receive multiple updates a day when new development is taking place. Azure Maps only hosts a release branch, however experimental features are created as custom modules in the open-source Azure Maps code samples project. Bing Maps used to have a frozen branch as well that was updated less frequently, thus reducing the risk of breaking changes due to a release. In Azure Maps, you can use the npm module and point to any previous minor version release.

+

+| |

+

+```html

+

+| `getClusterChildren(clusterId: number)` | `Promise<Feature<Geometry, any> | Shape>` | Retrieves the children of the given cluster on the next zoom level. These children can be a combination of shapes and subclusters. The subclusters are features with properties matching cluster properties. |

+> * Tips on using more advanced features available in Azure Maps.

+If developing using a JavaScript framework, one of the following open-source projects can be useful:

+You can use Custom images to represent points on a map. The following map uses a custom image to display a point on the map. The point is displayed at latitude: 51.5 and longitude: -0.2. The anchor offsets the position of the marker, so that the point of the pushpin icon aligns with the correct position on the map.

+When lots of data points appear on the map, points can overlap, making the map look cluttered and difficult to read and use. Clustering point data is the process of combining data points that are near each other and representing them on the map as a single clustered data point. As the user zooms into the map, the clusters break apart into their individual data points. Clustering data points improves the user experience and map performance.

+| `getClusterChildren(clusterId: number)` | Promise&lt;Array&lt;Feature&lt;Geometry, any&gt; \| Shape&gt;&gt; | Retrieves the children of the given cluster on the next zoom level. These children can be a combination of shapes and subclusters. The subclusters are features with properties matching ClusteredProperties. |

+ //Scale the size of the clustered bubble based on the number of points in the cluster.

+> In Azure Maps layers can easily be rendered beneath other layers, including base map layers. Often it is desirable to render tile layers below the map labels so that they are easy to read. The `map.layers.add` method takes in a second parameter which is the id of the layer in which to insert the new layer below. To insert a tile layer below the map labels, use this code: `map.layers.add(myTileLayer, "labels");`

+```html

+| | Azure Storage | Γ£ô (Preview) | | Γ£ô |

+| | Event Hubs | Γ£ô (Preview) | | Γ£ô |

+| | Azure Storage | Γ£ô (Preview) | | Γ£ô | |

+| | Event Hubs | Γ£ô (Preview) | | Γ£ô | |

+| October 2023| **Windows** <ul><li>Minimize CPU spikes when resetting an Event Log subscription</li><li>Enable multiple IIS subscriptions to use same filter</li><li>Cleanup files and folders for inactive tenants in multi-tenant mode</li><li>AMA installer will not install unnecessary certs</li><li>AMA emits Telemetry table locally</li><li>Update Metric Extension to v2.2023.721.1630</li><li>Update AzureSecurityPack to v4.29.0.4</li><li>Update AzureWatson to v1.0.99</li></ul>**Linux**<ul><li> Add support for Process metrics counters for Log Analytics upload and Azure Monitor Metrics</li><li>Use rsyslog omfwd TCP for improved syslog reliability</li><li>Support Palo Alto CEF logs where hostname is followed by 2 spaces</li><li>Bug and reliability improvements</li></ul> |1.20.0|1.28.11|

+ Title: Send data to Event Hubs and Storage (Preview)

+description: This article describes how to use Azure Monitor Agent to upload data to Azure Storage and Event Hubs.

+# Send data to Event Hubs and Storage (Preview)

+This article describes how to use the Azure Monitor Agent (AMA) to upload data to Azure Storage and Event Hubs. This feature is in preview.

+The Azure Monitor Agent is the new, consolidated telemetry agent for collecting data from IaaS resources like virtual machines. By using the upload capability in this preview, you can upload the logs<sup>[1](#FN1)</sup> you send to Log Analytics workspaces to Event Hubs and Storage. Both data destinations use data collection rules to configure collection setup for the agents.

+> [!NOTE]

+> This functionality replaces the Windows diagnostics extension (WAD) and Linux diagnostics extension (LAD). For more information, see [Compare Azure Monitor Agent to legacy agents](./agents-overview.md#compare-to-legacy-agents).

+**Footnotes**

+<a name="FN1">1</a>: Not all data types are supported; refer to [What's supported](#whats-supported) for specifics.

+## What's supported

+### Data types

+- Windows:

+ - Windows Event Logs ΓÇô to eventhub and storage

+ - Perf counters ΓÇô eventhub and storage

+ - IIS logs ΓÇô to storage blob

+ - Custom logs ΓÇô to storage blob

+- Linux:

+ - Syslog ΓÇô to eventhub and storage

+ - Perf counters ΓÇô to eventhub and storage

+ - Custom Logs / Log files ΓÇô to eventhub and storage

+### Operating systems

+- Environments that are supported by the Azure Monitoring Agent on Windows and Linux

+- This feature is only supported and planned to be supported for Azure VMs. There are no plans to bring this to on-premises or Azure Arc scenarios.

+## What's not supported

+### Data types

+- Windows:

+ - ETW Logs

+ - Windows Crash Dumps (not planned nor will be supported)

+ - Application Logs (not planned nor will be supported)

+ - .NET event source logs (not planned nor will be supported)

+## Prerequisites

+A [user-assigned managed identity](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) associated with the following resources:

+- [Storage account](../../storage/common/storage-account-create.md)

+- [Event Hubs namespace and event hub](../../event-hubs/event-hubs-create.md)

+- [Virtual machine](../../virtual-machines/overview.md)

+## Create a data collection rule

+Create a data collection rule for collecting events and sending to storage and event hub.

+1. In the Azure portal's search box, type in *template* and then select **Deploy a custom template**.

+ :::image type="content" source="../logs/media/tutorial-workspace-transformations-api/deploy-custom-template.png" lightbox="../logs/media/tutorial-workspace-transformations-api/deploy-custom-template.png" alt-text="Screenshot that shows the Azure portal with template entered in the search box and Deploy a custom template highlighted in the search results.":::

+1. Select **Build your own template in the editor**.

+ :::image type="content" source="../logs/media/tutorial-workspace-transformations-api/build-custom-template.png" lightbox="../logs/media/tutorial-workspace-transformations-api/build-custom-template.png" alt-text="Screenshot that shows portal screen to build template in the editor.":::

+1. Paste this Azure Resource Manager template into the editor:

+ ### [Windows](#tab/windows)

+ ```json

+ {

+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "location": {

+ "type": "string",

+ "defaultValue": "[resourceGroup().location]",

+ "metadata": {

+ "description": "Location for all resources."

+ }

+ },

+ "dataCollectionRulesName": {

+ "defaultValue": "[concat(resourceGroup().name, 'DCR')]",

+ "type": "String"

+ },

+ "storageAccountName": {

+ "defaultValue": "[concat(resourceGroup().name, 'sa')]",

+ "type": "String"

+ },

+ "eventHubNamespaceName": {

+ "defaultValue": "[concat(resourceGroup().name, 'eh')]",

+ "type": "String"

+ },

+ "eventHubInstanceName": {

+ "defaultValue": "[concat(resourceGroup().name, 'ehins')]",

+ "type": "String"

+ }

+ },

+ "resources": [

+ {

+ "type": "Microsoft.Insights/dataCollectionRules",

+ "apiVersion": "2022-06-01",

+ "name": "[parameters('dataCollectionRulesName')]",

+ "location": "[parameters('location')]",

+ "kind": "AgentDirectToStore",

+ "properties": {

+ "dataSources": {

+ "performanceCounters": [

+ {

+ "streams": [

+ "Microsoft-Perf"

+ ],

+ "samplingFrequencyInSeconds": 10,

+ "counterSpecifiers": [

+ "\\Process(_Total)\\Working Set - Private",

+ "\\Memory\\% Committed Bytes In Use",

+ "\\LogicalDisk(_Total)\\% Free Space",

+ "\\Network Interface(*)\\Bytes Total/sec"

+ ],

+ "name": "perfCounterDataSource10"

+ }

+ ],

+ "windowsEventLogs": [

+ {

+ "streams": [

+ "Microsoft-Event"

+ ],

+ "xPathQueries": [

+ "Application!*[System[(Level=2)]]",

+ "System!*[System[(Level=2)]]"

+ ],

+ "name": "eventLogsDataSource"

+ }

+ ],

+ "iisLogs": [

+ {

+ "streams": [

+ "Microsoft-W3CIISLog"

+ ],

+ "logDirectories": [

+ "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\"

+ ],

+ "name": "myIisLogsDataSource"

+ }

+ ],

+ "logFiles": [

+ {

+ "streams": [

+ "Custom-Text-logs"

+ ],

+ "filePatterns": [

+ "C:\\JavaLogs\\*.log"

+ ],

+ "format": "text",

+ "settings": {

+ "text": {

+ "recordStartTimestampFormat": "ISO 8601"

+ }

+ },

+ "name": "myTextLogs"

+ }

+ ]

+ },

+ "destinations": {

+ "eventHubsDirect": [

+ {

+ "eventHubResourceId": "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('eventHubNamespaceName'), parameters('eventHubInstanceName'))]",

+ "name": "myEh1"

+ }

+ ],

+ "storageBlobsDirect": [

+ {

+ "storageAccountResourceId": "[resourceId('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",

+ "name": "blobNamedPerf",

+ "containerName": "PerfBlob"

+ },

+ {

+ "storageAccountResourceId": "[resourceId('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",

+ "name": "blobNamedWin",

+ "containerName": "WinEventBlob"

+ },

+ {

+ "storageAccountResourceId": "[resourceId('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",

+ "name": "blobNamedIIS",

+ "containerName": "IISBlob"

+ },

+ {

+ "storageAccountResourceId": "[resourceId('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",

+ "name": "blobNamedTextLogs",

+ "containerName": "TxtLogBlob"

+ }

+ ],

+ "storageTablesDirect": [

+ {

+ "storageAccountResourceId": "[resourceId('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",

+ "name": "tableNamedPerf",

+ "tableName": "PerfTable"

+ },

+ {

+ "storageAccountResourceId": "[resourceId('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",

+ "name": "tableNamedWin",

+ "tableName": "WinTable"

+ },

+ {

+ "storageAccountResourceId": "[resourceId('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",

+ "name": "tableUnnamed"

+ }

+ ]

+ },

+ "dataFlows": [

+ {

+ "streams": [

+ "Microsoft-Perf"

+ ],

+ "destinations": [

+ "myEh1",

+ "blobNamedPerf",

+ "tableNamedPerf",

+ "tableUnnamed"

+ ]

+ },

+ {

+ "streams": [

+ "Microsoft-WindowsEvent"

+ ],

+ "destinations": [

+ "myEh1",

+ "blobNamedWin",

+ "tableNamedWin",

+ "tableUnnamed"

+ ]

+ },

+ {

+ "streams": [

+ "Microsoft-W3CIISLog"

+ ],

+ "destinations": [

+ "blobNamedIIS"

+ ]

+ },

+ {

+ "streams": [

+ "Custom-Text-logs"

+ ],

+ "destinations": [

+ "blobNamedTextLogs"

+ ]

+ }

+ ]

+ }

+ }

+ ]

+ }

+ ```

+ ### [Linux](#tab/linux)

+ ```json

+ {

+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "location": {

+ "type": "string",

+ "defaultValue": "[resourceGroup().location]",

+ "metadata": {

+ "description": "Location for all resources."

+ }

+ },

+ "dataCollectionRulesName": {

+ "defaultValue": "[concat(resourceGroup().name, 'DCR')]",

+ "type": "String"

+ },

+ "storageAccountName": {

+ "defaultValue": "[concat(resourceGroup().name, 'sa')]",

+ "type": "String"

+ },

+ "eventHubNamespaceName": {

+ "defaultValue": "[concat(resourceGroup().name, 'eh')]",

+ "type": "String"

+ },

+ "eventHubInstanceName": {

+ "defaultValue": "[concat(resourceGroup().name, 'ehins')]",

+ "type": "String"

+ }

+ },

+ "resources": [

+ {

+ "type": "Microsoft.Insights/dataCollectionRules",

+ "apiVersion": "2022-06-01",

+ "name": "[parameters('dataCollectionRulesName')]",

+ "location": "[parameters('location')]",

+ "kind": "AgentDirectToStore",

+ "properties": {

+ "dataSources": {

+ "performanceCounters": [

+ {

+ "streams": [

+ "Microsoft-Perf"

+ ],

+ "samplingFrequencyInSeconds": 10,

+ "counterSpecifiers": [

+ "Processor(*)\\% Processor Time",

+ "Processor(*)\\% Idle Time",

+ "Processor(*)\\% User Time",

+ "Processor(*)\\% Nice Time",

+ "Processor(*)\\% Privileged Time",

+ "Processor(*)\\% IO Wait Time",

+ "Processor(*)\\% Interrupt Time",

+ "Processor(*)\\% DPC Time",

+ "Memory(*)\\Available MBytes Memory",

+ "Memory(*)\\% Available Memory",

+ "Memory(*)\\Used Memory MBytes",

+ "Memory(*)\\% Used Memory",

+ "Memory(*)\\Pages/sec",

+ "Memory(*)\\Page Reads/sec",

+ "Memory(*)\\Page Writes/sec",

+ "Memory(*)\\Available MBytes Swap",

+ "Memory(*)\\% Available Swap Space",

+ "Memory(*)\\Used MBytes Swap Space",

+ "Memory(*)\\% Used Swap Space",

+ "Logical Disk(*)\\% Free Inodes",

+ "Logical Disk(*)\\% Used Inodes",

+ "Logical Disk(*)\\Free Megabytes",

+ "Logical Disk(*)\\% Free Space",

+ "Logical Disk(*)\\% Used Space",

+ "Logical Disk(*)\\Logical Disk Bytes/sec",

+ "Logical Disk(*)\\Disk Read Bytes/sec",

+ "Logical Disk(*)\\Disk Write Bytes/sec",

+ "Logical Disk(*)\\Disk Transfers/sec",

+ "Logical Disk(*)\\Disk Reads/sec",

+ "Logical Disk(*)\\Disk Writes/sec",

+ "Network(*)\\Total Bytes Transmitted",

+ "Network(*)\\Total Bytes Received",

+ "Network(*)\\Total Bytes",

+ "Network(*)\\Total Packets Transmitted",

+ "Network(*)\\Total Packets Received",

+ "Network(*)\\Total Rx Errors",

+ "Network(*)\\Total Tx Errors",

+ "Network(*)\\Total Collisions"

+ ],

+ "name": "perfCounterDataSource10"

+ }

+ ],

+ "syslog": [

+ {

+ "streams": [

+ "Microsoft-Syslog"

+ ],

+ "facilityNames": [

+ "auth",

+ "authpriv",

+ "cron",

+ "daemon",

+ "mark",

+ "kern",

+ "local0",

+ "local1",

+ "local2",

+ "local3",

+ "local4",

+ "local5",

+ "local6",

+ "local7",

+ "lpr",

+ "mail",

+ "news",

+ "syslog",

+ "user",

+ "UUCP"

+ ],

+ "logLevels": [

+ "Debug",

+ "Info",

+ "Notice",

+ "Warning",

+ "Error",

+ "Critical",

+ "Alert",

+ "Emergency"

+ ],

+ "name": "syslogDataSource"

+ }

+ ],

+ "logFiles": [

+ {

+ "streams": [

+ "Custom-Text-logs"

+ ],

+ "filePatterns": [

+ "/var/log/messages"

+ ],

+ "format": "text",

+ "settings": {

+ "text": {

+ "recordStartTimestampFormat": "ISO 8601"

+ }

+ },

+ "name": "myTextLogs"

+ }

+ ]

+ },

+ "destinations": {

+ "eventHubsDirect": [

+ {

+ "eventHubResourceId": "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('eventHubNamespaceName'), parameters('eventHubInstanceName'))]",

+ "name": "myEh1"

+ }

+ ],

+ "storageBlobsDirect": [

+ {

+ "storageAccountResourceId": "[resourceId('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",

+ "name": "blobNamedPerf",

+ "containerName": "PerfBlob"

+ },

+ {

+ "storageAccountResourceId": "[resourceId('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",

+ "name": "blobNamedLinux",

+ "containerName": "SyslogBlob"

+ },

+ {

+ "storageAccountResourceId": "[resourceId('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",

+ "name": "blobNamedTextLogs",

+ "containerName": "TxtLogBlob"

+ }

+ ],

+ "storageTablesDirect": [

+ {

+ "storageAccountResourceId": "[resourceId('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",

+ "name": "tableNamedPerf",

+ "tableName": "PerfTable"

+ },

+ {

+ "storageAccountResourceId": "[resourceId('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",

+ "name": "tableNamedLinux",

+ "tableName": "LinuxTable"

+ },

+ {

+ "storageAccountResourceId": "[resourceId('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",

+ "name": "tableUnnamed"

+ }

+ ]

+ },

+ "dataFlows": [

+ {

+ "streams": [

+ "Microsoft-Perf"

+ ],

+ "destinations": [

+ "myEh1",

+ "blobNamedPerf",

+ "tableNamedPerf",

+ "tableUnnamed"

+ ]

+ },

+ {

+ "streams": [

+ "Microsoft-Syslog"

+ ],

+ "destinations": [

+ "myEh1",

+ "blobNamedLinux",

+ "tableNamedLinux",

+ "tableUnnamed"

+ ]

+ },

+ {

+ "streams": [

+ "Custom-Text-logs"

+ ],

+ "destinations": [

+ "blobNamedTextLogs"

+ ]

+ }

+ ]

+ }

+ }

+ ]

+ }

+ ```

+

+1. Update the following values in the Azure Resource Manager template. See the example Azure Resource Manager template for a sample.

+ **Event hub**

+ | Value | Description |

+ |:|:|

+ | `dataSources` | Define it per your requirements. The supported types for direct upload to Event Hubs for Windows are `performanceCounters` and `windowsEventLogs` and for Linux, they're `performanceCounters` and `syslog`. |

+ | `destinations` | Use `eventHubsDirect` for direct upload to the event hub. |

+ | `eventHubResourceId` | Resource ID of the event hub instance.<br><br>NOTE: It isn't the event hub namespace resource ID. |

+ | `dataFlows` | Under `dataFlows`, include destination name. |

+ **Storage table**

+ | Value | Description |

+ |:|:|

+ | `dataSources` | Define it per your requirements. The supported types for direct upload to storage Table for Windows are `performanceCounters`, `windowsEventLogs` and for Linux, they're `performanceCounters` and `syslog`. |

+ | `destinations` | Use `storageTablesDirect` for direct upload to table storage. |

+ | `storageAccountResourceId` | Resource ID of the storage account. |

+ | `tableName` | The name of the Table where JSON blob with event data is uploaded to. |

+ | `dataFlows` | Under `dataFlows`, include destination name. |

+ **Storage blob**

+ | Value | Description |

+ |:|:|

+ | `dataSources` | Define it per your requirements. The supported types for direct upload to storage blob for Windows are `performanceCounters`, `windowsEventLogs`, `iisLogs`, `logFiles` and for Linux, they're `performanceCounters`, `syslog` and `logFiles`. |

+ | `destinations` | Use `storageBlobsDirect` for direct upload to blob storage. |

+ | `storageAccountResourceId` | The resource ID of the storage account. |

+ | `containerName` | The name of the container where JSON blob with event data is uploaded to. |

+ | `dataFlows` | Under `dataFlows`, include destination name. |

+1. Select **Save**.

+## Create DCR association and deploy AzureMonitorAgent

+Use custom template deployment to create the DCR association and AMA deployment.

+1. In the Azure portal's search box, type in *template* and then select **Deploy a custom template**.

+ :::image type="content" source="../logs/media/tutorial-workspace-transformations-api/deploy-custom-template.png" lightbox="../logs/media/tutorial-workspace-transformations-api/deploy-custom-template.png" alt-text="Screenshot that shows the Azure portal with template entered in the search box and Deploy a custom template highlighted in the search results.":::

+1. Select **Build your own template in the editor**.

+ :::image type="content" source="../logs/media/tutorial-workspace-transformations-api/build-custom-template.png" lightbox="../logs/media/tutorial-workspace-transformations-api/build-custom-template.png" alt-text="Screenshot that shows portal screen to build template in the editor.":::

+1. Paste this Azure Resource Manager template into the editor:

+ ```json

+ {

+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "vmName": {

+ "defaultValue": "[concat(resourceGroup().name, 'vm')]",

+ "type": "String"

+ },

+ "location": {

+ "type": "string",

+ "defaultValue": "[resourceGroup().location]",

+ "metadata": {

+ "description": "Location for all resources."

+ }

+ },

+ "dataCollectionRulesName": {

+ "defaultValue": "[concat(resourceGroup().name, 'DCR')]",

+ "type": "String",

+ "metadata": {

+ "description": "Data Collection Rule Name"

+ }

+ },

+ "dcraName": {

+ "type": "string",

+ "defaultValue": "[concat(uniquestring(resourceGroup().id), 'DCRLink')]",

+ "metadata": {

+ "description": "Name of the association."

+ }

+ },

+ "identityName": {

+ "type": "string",

+ "defaultValue": "[concat(resourceGroup().name, 'UAI')]",

+ "metadata": {

+ "description": "Managed Identity"

+ }

+ }

+ },

+ "resources": [

+ {

+ "type": "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations",

+ "name": "[concat(parameters('vmName'),'/microsoft.insights/', parameters('dcraName'))]",

+ "apiVersion": "2021-04-01",

+ "properties": {

+ "description": "Association of data collection rule. Deleting this association will break the data collection for this virtual machine.",

+ "dataCollectionRuleId": "[resourceID('Microsoft.Insights/dataCollectionRules',parameters('dataCollectionRulesName'))]"

+ }

+ },

+ {

+ "type": "Microsoft.Compute/virtualMachines/extensions",

+ "name": "[concat(parameters('vmName'), '/AMAExtension')]",

+ "apiVersion": "2020-06-01",

+ "location": "[parameters('location')]",

+ "dependsOn": [

+ "[resourceId('Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations', parameters('vmName'), 'Microsoft.Insights', parameters('dcraName'))]"

+ ],

+ "properties": {

+ "publisher": "Microsoft.Azure.Monitor",

+ "type": "AzureMonitorWindowsAgent",

+ "typeHandlerVersion": "1.0",

+ "autoUpgradeMinorVersion": true,

+ "settings": {

+ "authentication": {

+ "managedIdentity": {

+ "identifier-type": "mi_res_id",

+ "identifier-value": "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',parameters('identityName'))]"

+ }

+ }

+ }

+ }

+ }

+ ]

+ }

+ ```

+1. Select **Save**.

+## Troubleshooting

+Use the following section to troubleshoot sending data to Event Hubs and Storage.

+### Data not found in storage account blob storage

+- Check that the built-in role `Storage Blob Data Contributor` is assigned with managed identity on the storage account.

+- Check that the managed identity is assigned to the VM.

+- Check that the AMA settings have managed identity parameter.

+### Data not found in storage account table storage

+- Check that the built-in role `Storage Table Data Contributor` is assigned with managed identity on storage account.

+- Check that the managed identity is assigned to the VM.

+- Check that the AMA settings have managed identity parameter.

+### Data not flowing to event hub

+- Check that the built-in role `Azure Event Hubs Data Sender` is assigned with managed identity on storage account.

+- Check that the managed identity is assigned to the VM.

+- Check that the AMA settings have managed identity parameter.

+## AMA and WAD/LAD Convergence

+### Will the Azure Monitoring Agent support data upload to Application Insights?

+No, this support isn't a part of the roadmap. Application Insights are now powered by Log Analytics Workspaces.

+### Will the Azure Monitoring Agent support Windows Crash Dumps as a data type to upload?

+No, this support isn't a part of the roadmap. The Azure Monitoring Agent is meant for telemetry logs and not large file types.

+### Does this mean the Linux (LAD) and Windows (WAD) Diagnostic Extensions are no longer supported/retired?

+No, not until Azure formally announces the deprecation of these agents, which would start a three-year clock until they're no longer supported.

+### How to configure AMA for event hubs and storage data destinations

+Today the configuration experience is by using the DCR API.

+### Will you still be actively developing on WAD and LAD?

+WAD and LAD will only be getting security/patches going forward. Most engineering funding has gone to the Azure Monitoring Agent. We highly recommend migrating to the Azure Monitoring Agent to benefit from all its awesome capabilities.

+## See also

+- For more information on creating a data collection rule, see [Collect events and performance counters from virtual machines with Azure Monitor Agent](./data-collection-rule-azure-monitor-agent.md).

+ Title: Collect logs from a text or JSON file with Azure Monitor Agent

+description: Configure a data collection rule to collect log data from a text or JSON file on a virtual machine using Azure Monitor Agent.

+# Collect logs from a text or JSON file with Azure Monitor Agent

+Many applications log information to text or JSON files instead of standard logging services such as Windows Event log or Syslog. This article explains how to collect log data from text and JSON files on monitored machines using [Azure Monitor Agent](azure-monitor-agent-overview.md) by creating a [data collection rule (DCR)](../essentials/data-collection-rule-overview.md).

+- A VM, Virtual Machine Scale Set, or Arc-enabled on-premises server that writes logs to a text or JSON file.

+ Text and JSON file requirements and best practices:

+The table created in the script has two columns:

+- `TimeGenerated` (datetime)

+- `RawData` (string

+This is the default table schema for log data collected from text and JSON files. If you know your final schema, you can add columns in the script before creating the table. If you don't, you can [add columns using the Log Analytics table UI](../logs/create-custom-table.md#add-or-delete-a-custom-column).

+The easiest way to make the REST call is from an Azure Cloud PowerShell command line (CLI). To open the shell, go to the Azure portal, press the Cloud Shell button, and select PowerShell. If this is your first time using Azure Cloud PowerShell, you'll need to walk through the one-time configuration wizard.

+Copy and paste this script into PowerShell to create the table in your workspace:

+You should receive a 200 response and details about the table you just created.

+## Create a data collection rule to collect data from a text or JSON file

+ - **Data Collection Endpoint** specifies the data collection endpoint to which Azure Monitor Agent sends collected data. This data collection endpoint must be in the same region as the Log Analytics workspace. For more information, see [How to set up data collection endpoints based on your deployment](../essentials/data-collection-endpoint-overview.md#how-to-set-up-data-collection-endpoints-based-on-your-deployment).

+1. From the **Data source type** dropdown, select **Custom Text Logs** or **JSON Logs**.

+ - **Table name** - The name of the destination table you created in your Log Analytics Workspace. For more information, see [Create a custom table](#create-a-custom-table).

+ :::image type="content" source="media/data-collection-rule-azure-monitor-agent/data-collection-rule-destination.png" lightbox="media/data-collection-rule-azure-monitor-agent/data-collection-rule-destination.png" alt-text="Screenshot that shows the destination tab of the Add data source screen for a data collection rule in Azure portal." border="false":::

+ - To collect data from a text file, use this template:

+

+

+ ```json

+ {

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "dataCollectionRuleName": {

+ "type": "string",

+ "metadata": {

+ "description": "Specifies the name of the Data Collection Rule to create."

+ }

+ },

+ "location": {

+ "type": "string",

+ "metadata": {

+ "description": "Specifies the location in which to create the Data Collection Rule."

+ }

+ },

+ "workspaceName": {

+ "type": "string",

+ "metadata": {

+ "description": "Name of the Log Analytics workspace to use."

+ }

+ },

+ "workspaceResourceId": {

+ "type": "string",

+ "metadata": {

+ "description": "Specifies the Azure resource ID of the Log Analytics workspace to use."

+ }

+ },

+ "endpointResourceId": {

+ "type": "string",

+ "metadata": {

+ "description": "Specifies the Azure resource ID of the Data Collection Endpoint to use."

+ }

+ "resources": [

+ {

+ "type": "Microsoft.Insights/dataCollectionRules",

+ "name": "[parameters('dataCollectionRuleName')]",

+ "location": "[parameters('location')]",

+ "apiVersion": "2021-09-01-preview",

+ "properties": {

+ "dataCollectionEndpointId": "[parameters('endpointResourceId')]",

+ "streamDeclarations": {

+ "Custom-MyLogFileFormat": {

+ "columns": [

+ {

+ "name": "TimeGenerated",

+ "type": "datetime"

+ },

+ {

+ "name": "RawData",

+ "type": "string"

+ }

+ ]

+ }

+ },

+ "dataSources": {

+ "logFiles": [

+ "streams": [

+ "Custom-MyLogFileFormat"

+ ],

+ "filePatterns": [

+ "C:\\JavaLogs\\*.log"

+ ],

+ "format": "text",

+ "settings": {

+ "text": {

+ "recordStartTimestampFormat": "ISO 8601"

+ }

+ },

+ "name": "myLogFileFormat-Windows"

+ "streams": [

+ "Custom-MyLogFileFormat"

+ ],

+ "filePatterns": [

+ "//var//*.log"

+ ],

+ "format": "text",

+ "settings": {

+ "text": {

+ "recordStartTimestampFormat": "ISO 8601"

+ }

+ },

+ "name": "myLogFileFormat-Linux"

+ }

+ ]

+ },

+ "destinations": {

+ "logAnalytics": [

+ {

+ "workspaceResourceId": "[parameters('workspaceResourceId')]",

+ "name": "[parameters('workspaceName')]"

+ },

+ "dataFlows": [

+ "destinations": [

+ "[parameters('workspaceName')]"

+ "transformKql": "source",

+ "outputStream": "Custom-MyTable_CL"

+ }

+ ]

+ }

+ }

+ ],

+ "outputs": {

+ "dataCollectionRuleId": {

+ "type": "string",

+ "value": "[resourceId('Microsoft.Insights/dataCollectionRules', parameters('dataCollectionRuleName'))]"

+ }

+ }

+ }

+ ```

+ - To collect data from a JSON file, use this template:

+ ```json

+ {

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "resources": [

+ {

+ "type": "Microsoft.Insights/dataCollectionRules",

+ "name": `DataCollectionRuleName`,

+ "location": `location` ,

+ "apiVersion": "2021-09-01-preview",

+ "properties": {

+ "dataCollectionEndpointId": `endpointResourceId` ,

+ "streamDeclarations": {

+ "Custom-JSONLog": {

+ "columns": [

+ {

+ "name": "TimeGenerated",

+ "type": "datetime"

+ },

+ {

+ "name": "RawData",

+ "type": "string"

+ ]

+ }

+ },

+ "dataSources": {

+ "logFiles": [

+ {

+ "streams": [

+ "Custom-JSONLog"

+ ],

+ "filePatterns": [

+ "C:\\JavaLogs\\*.log"

+ ],

+ "format": "json",

+ "settings": {

+ },

+ "name": "myLogFileFormat "

+ }

+ ]

+ },

+ "destinations": {

+ "logAnalytics": [

+ {

+ "workspaceResourceId": `workspaceResourceId` ,

+ "name": "`workspaceName`"

+ }

+ ]

+ },

+ "dataFlows": [

+ "Custom-JSONLog"

+ "destinations": [

+ "`workspaceName`"

+ "transformKql": "source",

+ "outputStream": "`Table-Name_CL`"

+ }

+ }

+ ],

+ "outputs": {

+ "dataCollectionRuleId": {

+ "type": "string",

+ "value": "[resourceId('Microsoft.Insights/dataCollectionRules', `dataCollectionRuleName`"

+ ```

+ See [Structure of a data collection rule in Azure Monitor](../essentials/data-collection-rule-structure.md#custom-logs) if you want to modify the data collection rule.

+1. Associate the data collection rule to the virtual machine you want to collect data from. You can associate the same data collection rule with multiple machines:

+ 1. Select either individual virtual machines to associate the data collection rule, or select a resource group to create an association for all virtual machines in that resource group. Select **Apply**.

+Use the following steps to troubleshoot collection of logs from text and JSON files.

+## Use the Azure Monitor Agent Troubleshooter

+Use the [Azure Monitor Agent Troubleshooter](use-azure-monitor-agent-troubleshooter.md) to look for common issues and share results with Microsoft.

+### Check if you've ingested data to your custom table

+Start by checking if any records have been ingested into your custom log table by running the following query in Log Analytics:

+<YourCustomTable>_CL

+If records aren't returned, check the other sections for possible causes. This query looks for entries in the last two days, but you can modify for another time range. It can take 5-7 minutes for new data to appear in your table. The Azure Monitor Agent only collects data written to the text or JSON file after you associate the data collection rule with the virtual machine.

+### Verify that logs are being populated

+The agent will only collect new content written to the log file being collected. If you're experimenting with the collection logs from a text or JSON file, you can use the following script to generate sample logs.

+If you're using the *exec* form, add the parameter `-javaagent:"path/to/applicationinsights-agent-3.4.18.jar"` to the parameter list somewhere before the `"-jar"` parameter, for example:

+ENTRYPOINT ["java", "-javaagent:path/to/applicationinsights-agent-3.4.18.jar", "-jar", "<myapp.jar>"]

+If you're using the *shell* form, add the JVM arg `-javaagent:"path/to/applicationinsights-agent-3.4.18.jar"` somewhere before `-jar`, for example:

+ENTRYPOINT java -javaagent:"path/to/applicationinsights-agent-3.4.18.jar" -jar <myapp.jar>

+COPY agent/applicationinsights-agent-3.4.18.jar applicationinsights-agent-3.4.18.jar

+ENTRYPOINT["java", "-javaagent:applicationinsights-agent-3.4.18.jar", "-jar", "app.jar"]

+In this example we have copied the `applicationinsights-agent-3.4.18.jar` and `applicationinsights.json` files from an `agent` folder (you can choose any folder of your machine). These two files have to be in the same folder in the Docker container.

+JAVA_OPTS="$JAVA_OPTS -javaagent:path/to/applicationinsights-agent-3.4.18.jar"

+CATALINA_OPTS="$CATALINA_OPTS -javaagent:path/to/applicationinsights-agent-3.4.18.jar"

+If the file `<tomcat>/bin/setenv.sh` already exists, modify that file and add `-javaagent:path/to/applicationinsights-agent-3.4.18.jar` to `CATALINA_OPTS`.

+set CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.4.18.jar

+set "CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.4.18.jar"

+If the file `<tomcat>/bin/setenv.bat` already exists, modify that file and add `-javaagent:path/to/applicationinsights-agent-3.4.18.jar` to `CATALINA_OPTS`.

+Locate the file `<tomcat>/bin/tomcat8w.exe`. Run that executable and add `-javaagent:path/to/applicationinsights-agent-3.4.18.jar` to the `Java Options` under the `Java` tab.

+Add `-javaagent:path/to/applicationinsights-agent-3.4.18.jar` to the existing `JAVA_OPTS` environment variable in the file `JBOSS_HOME/bin/standalone.conf` (Linux) or `JBOSS_HOME/bin/standalone.conf.bat` (Windows):

+ JAVA_OPTS="-javaagent:path/to/applicationinsights-agent-3.4.18.jar -Xms1303m -Xmx1303m ..."

+Add `-javaagent:path/to/applicationinsights-agent-3.4.18.jar` to the existing `jvm-options` in `JBOSS_HOME/domain/configuration/host.xml`:

+ <option value="-javaagent:path/to/applicationinsights-agent-3.4.18.jar"/>

+-javaagent:path/to/applicationinsights-agent-3.4.18.jar

+Add `-javaagent:path/to/applicationinsights-agent-3.4.18.jar` to the existing `jvm-options` in `glassfish/domains/domain1/config/domain.xml`:

+ -javaagent:path/to/applicationinsights-agent-3.4.18.jar>

+ -javaagent:path/to/applicationinsights-agent-3.4.18.jar

+-javaagent:path/to/applicationinsights-agent-3.4.18.jar

+Add the JVM arg `-javaagent:"path/to/applicationinsights-agent-3.4.18.jar"` somewhere before `-jar`, for example:

+java -javaagent:"path/to/applicationinsights-agent-3.4.18.jar" -jar <myapp.jar>

+If you're using the *exec* form, add the parameter `-javaagent:"path/to/applicationinsights-agent-3.4.18.jar"` to the parameter list somewhere before the `"-jar"` parameter, for example:

+ENTRYPOINT ["java", "-javaagent:path/to/applicationinsights-agent-3.4.18.jar", "-jar", "<myapp.jar>"]

+If you're using the *shell* form, add the JVM arg `-javaagent:"path/to/applicationinsights-agent-3.4.18.jar"` somewhere before `-jar`, for example:

+ENTRYPOINT java -javaagent:"path/to/applicationinsights-agent-3.4.18.jar" -jar <myapp.jar>

+ <version>3.4.18</version>

+By default, Application Insights Java 3.x expects the configuration file to be named `applicationinsights.json`, and to be located in the same directory as `applicationinsights-agent-3.4.18.jar`.

+If you specify a relative path, it's resolved relative to the directory where `applicationinsights-agent-3.4.18.jar` is located.

+If you specify a relative path, it's resolved relative to the directory where `applicationinsights-agent-3.4.18.jar` is located.

+ <version>3.4.18</version>

+`applicationinsights-agent-3.4.18.jar` is located.

+-javaagent:path/to/applicationinsights-agent-3.4.18.jar

+Download the [applicationinsights-agent-3.4.18.jar](https://github.com/microsoft/ApplicationInsights-Java/releases/download/3.4.18/applicationinsights-agent-3.4.18.jar) file.

+Point the JVM to the jar file by adding `-javaagent:"path/to/applicationinsights-agent-3.4.18.jar"` to your application's JVM args.

+ Create a configuration file named `applicationinsights.json`, and place it in the same directory as `applicationinsights-agent-3.4.18.jar` with the following content:

+All metrics that you send by using [trackMetric](./api-custom-events-metrics.md#trackmetric) or [GetMetric and TrackValue](./api-custom-events-metrics.md#getmetric) API calls are automatically stored in both logs and metrics stores. Although the log-based version of your custom metric always retains all dimensions, the pre-aggregated version of the metric is stored by default with no dimensions. You can turn on collection of dimensions of custom metrics on the [usage and estimated cost](../cost-usage.md#usage-and-estimated-costs) tab by selecting the **Enable alerting on custom metric dimensions** checkbox.

+Cost optimization refers to ways to reduce unnecessary expenses and improve operational efficiencies. You can significantly reduce your cost for Azure Monitor by understanding your different configuration options and opportunities to reduce the amount of data that it collects. See [Azure Monitor cost and usage](cost-usage.md) to understand the different ways that Azure Monitor charges and how to view your monthly bill.

+Cost optimization refers to ways to reduce unnecessary expenses and improve operational efficiencies. You can significantly reduce your cost for Azure Monitor by understanding your different configuration options and opportunities to reduce the amount of data that it collects. See [Azure Monitor cost and usage](cost-usage.md) to understand the different ways that Azure Monitor charges and how to view your monthly bill.

+Cost optimization refers to ways to reduce unnecessary expenses and improve operational efficiencies. You can significantly reduce your cost for Azure Monitor by understanding your different configuration options and opportunities to reduce the amount of data that it collects. Before you use this article, you should see [Azure Monitor cost and usage](cost-usage.md) to understand the different ways that Azure Monitor charges and how to view your monthly bill.

+Cost optimization refers to ways to reduce unnecessary expenses and improve operational efficiencies. You can significantly reduce your cost for Azure Monitor by understanding your different configuration options and opportunities to reduce the amount of data that it collects. See [Azure Monitor cost and usage](cost-usage.md) to understand the different ways that Azure Monitor charges and how to view your monthly bill.

+A core goal of your monitoring strategy will be minimizing costs. Some data collection and features in Azure Monitor have no cost while other have costs based on their particular configuration, amount of data collected, or frequency that they're run. The articles in this scenario identify any recommendations that include a cost, but you should be familiar with Azure Monitor pricing as you design your implementation for cost optimization. See the following for details and guidance on Azure Monitor pricing:

+- [Azure Monitor cost and usage](cost-usage.md)

+- [Cost optimization in Azure Monitor](best-practices-cost.md)

+See [Cloud monitoring guide: Formulate a monitoring strategy](/azure/cloud-adoption-framework/strategy/monitoring-strategy) for a number of factors that you should consider when developing a monitoring strategy. You should also refer to [Monitoring strategy for cloud deployment models](/azure/cloud-adoption-framework/manage/monitor/cloud-models-monitor-overview), which assist in comparing completely cloud based monitoring with a hybrid model.

+ You won't necessarily configure complete monitoring for all of your cloud resources but instead focus on your critical applications and the components they depend on. This not only reduces your monitoring costs but also reduce the complexity of your monitoring environment. See [Cloud monitoring guide: Collect the right data](/azure/cloud-adoption-framework/manage/monitor/data-collection) for guidance on defining the data that you require.

+As you configure your monitoring environment, you need to determine which users should have access to monitoring data and which users need to be notified when an issue is detected. These may be application and resource owners, or you may have a centralized monitoring team. This information determines how you configure permissions for data access and notifications for alerts. You may also require custom workbooks to present particular sets of information to different users.

+Azure Monitor is designed to address Health and Status monitoring. A complete monitoring solution typically involves multiple Azure services and potentially other products. Other monitoring objectives, which may require additional solutions, are described in the Cloud Monitoring Guide in [primary monitoring objectives](/azure/cloud-adoption-framework/strategy/monitoring-strategy#formulate-monitoring-requirements).

+Cost optimization refers to ways to reduce unnecessary expenses and improve operational efficiencies. You can significantly reduce your cost for Azure Monitor by understanding your different configuration options and opportunities to reduce the amount of data that it collects. See [Azure Monitor cost and usage](cost-usage.md) to understand the different ways that Azure Monitor charges and how to view your monthly bill.

+> See [Estimate Azure Monitor costs](../cost-estimate.md#log-data-ingestion) to estimate your costs for Container insights before you enable it.

+> [!NOTE]

+> This section describes [collection of Prometheus metrics in your Log Analytics workspace](container-insights-prometheus-logs.md). This information does not apply if you're using [Managed Prometheus to scrape your Prometheus metrics](prometheus-metrics-enable.md).

+If you [collect Prometheus metrics in your Log Analytics workspace](container-insights-prometheus-logs.md), make sure that you limit the number of metrics you collect from your cluster:

+ Title: Estimate Azure Monitor costs

+description: Guidance on using the Azure Monitor pricing calculator to estimate Azure Monitor billable usage.

+# Estimate Azure Monitor costs

+Your Azure Monitor cost will vary significantly based on your expected utilization and configuration. Use the [Azure Monitor Pricing calculator](https://azure.microsoft.com/pricing/calculator/?service=monitor) to get cost estimates for different features of Azure Monitor based on your particular environment.

+Since Azure Monitor has [multiple types of charges](cost-usage.md#pricing-model), its calculator has multiple categories. See the sections below for an explanation of these categories and guidance for providing estimates. See [Azure Monitor Pricing](https://azure.microsoft.com/pricing/details/monitor/) for current pricing details.

+Some of the values required by the calculator might be difficult to provide if you're just getting started with Azure Monitor. For example, you might have no idea of the volume of analytics logs generated from the different Azure resources that you intend to monitor. A common strategy is to enable monitoring for a small group of resources and use the observed data volumes with the calculator to determine your costs for a full environment. See [Analyze usage in Log Analytics workspace](logs/analyze-usage.md) for queries and other methods to measure the billable data in your Log Analytics workspace.

+## Log data ingestion

+This section includes the ingestion and retention of data in your Log Analytics workspaces. This includes such features as Container insights and Application insights in addition to resource logs collected from your Azure resources and agents installed on your virtual machines. This is where the bulk of monitoring costs will typically be incurred in most environments.

+| Category | Description |

+|:|:|

+| Estimate Data Volume For Monitoring VMs | Data collected from your virtual machines either using VM insights or by creating a DCR to events and performance data. The data collected from each VM will vary significantly depending on your particular collection settings and the workloads running on your virtual machines, so you should validate these estimates in your own environment. |

+| Estimate Data Volume Using Container Insights | Data collected from your Kubernetes clusters. The estimate is based on the number of clusters and their configuration. This estimate applies only for metrics and inventory data collected. Container logs (stdout, stderr, and environmental variables) vary significantly based on the log sizes generated by the workload, and they're excluded from this estimate. You should include their volume in the *Analytics Logs* category. |

+| Estimate Data Volume Based On Application Activity | Data collected from your workspace-based applications using Application Insights. The data collected from each application will vary significantly depending on your particular collection settings and applications, so you should validate these estimates in your own environment.

+| Analytics Logs | Resource logs collected from Azure resources and any other data aside from those listed above sent to Log Analytics tables not configured for [basic logs](logs/basic-logs-configure.md). This can be difficult to estimate so you should enable monitoring for a small group of resources and use the observed data volumes to extrapolate for a full environment. |

+| Basic Logs | Resource logs collected from Azure resources and any other data aside from those listed above sent to Log Analytics tables configured for [basic logs](logs/basic-logs-configure.md). This can be difficult to estimate so you should enable monitoring for a small group of resources and use the observed data volumes to extrapolate for a full environment. |

+| Interactive Data Retention | [Interactive retention](logs/data-retention-archive.md) setting for your Log Analytics workspace. |

+| Data Archive | [Archive](logs/data-retention-archive.md) setting for your Log Analytics workspace. |

+| Basic Logs Search Queries | Estimated number and scanned data of the queries that you expect to run using tables configured for [basic logs](logs/basic-logs-configure.md). |

+| Search Jobs | Estimated number and scanned data of the [search jobs](logs/search-jobs.md) that you expect to run against [archived data](logs/data-retention-archive.md). |

+| Platform logs| Resource logs collected from Azure resources to an Event Hub, Storage account, or a partner. This doesn't include logs sent to your Log Analytics workspace, which are included in the **Analytics Logs** and **Basic Logs** category. This can be difficult to estimate so you should enable monitoring for a small group of resources and use the observed data volumes to extrapolate for a full environment. |

+## Managed Prometheus

+This section includes charges for the ingestion and query of Prometheus metrics by your Kubernetes clusters.

+| Category | Description |

+|:|:|

+| Metric Sample Ingestion | Number and frequency of the Prometheus metrics collected by your AKS nodes. See [Default Prometheus metrics configuration in Azure Monitor](containers/prometheus-metrics-scrape-default.md). |

+| Query Samples Processed | Number of query samples can be estimated from the dashboards and alerting rules that use them. |

+## Application Insights

+This section includes charges from [classic Application Insights resources](app/convert-classic-resource.md). Workspace-based Application Insights resources are included in the Log Data Ingestion category.

+| Category | Description |

+|:|:|

+| Data ingestion | Volume of data that you expect from your classic Application Insights resources. This can be difficult to estimate so you should enable monitoring for a small group of resources and use the observed data volumes to extrapolate for a full environment. |

+| Data Retention | [Data retention setting](logs/data-retention-archive.md#set-data-retention-for-classic-application-insights-resources) for your classic Application Insights resources. |

+| Multi-step Web Test | Number of legacy [multi-step web tests](/previous-versions/azure/azure-monitor/app/availability-multistep) that you expect to run. |

+## Alert rules

+This section includes charges for alert rules.

+| Category | Description |

+|:|:|

+| Metric Signals Monitored | Number of [metrics alert rules](alerts/alerts-types.md#metric-alerts) and their time series. |

+| Log Signals Monitored | Number of [log alert rules](alerts/alerts-types.md#log-alerts) and their frequency. |

+## ITSM connector - ticket creation/update

+This section includes charges for ITSM events, which are sent in response to alerts being triggered.

+| Category | Description |

+|:|:|

+| Estimate the number of ITSM events that will be sent beyond the number included for free. |

+## Notifications

+This section includes charges for notifications, which are sent in response to alerts being triggered.

+| Category | Description |

+|:|:|

+| Emails, web hooks and push notifications | Estimate the number of different types of notifications that will be sent beyond the number included for free. |

+## Next steps

+- See [Azure Monitor Logs pricing details](logs/cost-logs.md) for details on how charges are calculated for data in a Log Analytics workspace and different configuration options to reduce your charges.

+- See [Analyze usage in Log Analytics workspace](logs/analyze-usage.md) for details on analyzing the data in your workspace to determine to source of any higher than expected usage and opportunities to reduce your amount of data collected.

+- See [Azure Monitor best practices - Cost management](best-practices-cost.md) for best practices on configuring and managing Azure Monitor to minimize your charges.

+ Title: Azure Monitor billing meter names

+description: Reference of Azure Monitor billing meter names.

+# Azure Monitor billing meter names

+This article contains a reference of the billing meter names used by Azure Monitor in [Azure Cost Management + Billing](cost-usage.md#azure-cost-management--billing). Use this information to interpret your monthly charges for Azure Monitor.

+## Log data ingestion

+The following table lists the meters used to bill for data ingestion in your Log Analytics workspaces, and whether the meter is regional. There's a different billing meter, `MeterId` in the export usage report for each region. Note that Basic Logs ingestion can be used when the workspace's pricing tier is Pay-as-you-go or any commitment tier.

+| Pricing tier |ServiceName | MeterName | Regional Meter? |

+| -- | -- | -- | -- |

+| (any) | Azure Monitor | Basic Logs Data Ingestion | yes |

+| Pay-as-you-go | Log Analytics | Pay-as-you-go Data Ingestion | yes |

+| 100 GB/day Commitment Tier | Azure Monitor | 100 GB Commitment Tier Capacity Reservation | yes |

+| 200 GB/day Commitment Tier | Azure Monitor | 200 GB Commitment Tier Capacity Reservation | yes |

+| 300 GB/day Commitment Tier | Azure Monitor | 300 GB Commitment Tier Capacity Reservation | yes |

+| 400 GB/day Commitment Tier | Azure Monitor | 400 GB Commitment Tier Capacity Reservation | yes |

+| 500 GB/day Commitment Tier | Azure Monitor | 500 GB Commitment Tier Capacity Reservation | yes |

+| 1000 GB/day Commitment Tier | Azure Monitor | 1000 GB Commitment Tier Capacity Reservation | yes |

+| 2000 GB/day Commitment Tier | Azure Monitor | 2000 GB Commitment Tier Capacity Reservation | yes |

+| 5000 GB/day Commitment Ties | Azure Monitor | 5000 GB Commitment Tier Capacity Reservation | yes |

+| Per Node (legacy tier) | Insight and Analytics | Standard Node | no |

+| Per Node (legacy tier) | Insight and Analytics | Standard Data Overage per Node | no |

+| Per Node (legacy tier) | Insight and Analytics | Standard Data Included per Node | no |

+| Standalone (legacy tier) | Log Analytics | Pay-as-you-go Data Analyzed | no |

+| Standard (legacy tier) | Log Analytics | Standard Data Analyzed | no |

+| Premium (legacy tier) | Log Analytics | Premium Data Analyzed | no |

+The *Standard Data Included per Node* meter is used both for the Log Analytics [Per Node tier](logs/cost-logs.md#per-node-pricing-tier) data allowance, and also the [Defender for Servers data allowance](logs/cost-logs.md#workspaces-with-microsoft-defender-for-cloud), for workspaces in any pricing tier.

+## Other Azure Monitor logs meters

+| ServiceName | MeterName | Regional Meter? |

+| -- | | |

+| Log Analytics | Pay-as-you-go Data Retention | yes |

+| Insight and Analytics | Standard Data Retention | no |

+| Azure Monitor | Data Archive | yes |

+| Azure Monitor | Search Queries Scanned | yes |

+| Azure Monitor | Search Jobs Scanned | yes |

+| Azure Monitor | Data Restore | yes |

+| Azure Monitor | Log Analytics data export Data Exported | yes |

+| Azure Monitor | Platform Logs Data Processed | yes |

+*Pay-as-you-go Data Retention* is used for workspaces in all modern pricing tiers (Pay-as-you-go and Commitment Tiers). "Standard Data Retention" is used for workspaces in the legacy Per Node and Standalone pricing tiers.

+## Azure Monitor metrics meters:

+| ServiceName | MeterName | Regional Meter? |

+| -- | | |

+| Azure Monitor | Metrics ingestion Metric samples | yes |

+| Azure Monitor | Prometheus Metrics Queries Metric samples | yes |

+| Azure Monitor | Native Metric Queries API Calls | yes |

+## Azure Monitor alerts meters

+| ServiceName | MeterName | Regional Meter? |

+| -- | | |

+| Azure Monitor | Alerts Metric Monitored | no |

+| Azure Monitor | Alerts Dynamic Threshold | no |

+| Azure Monitor | Alerts System Log Monitored at 1 Minute Frequency | no |

+| Azure Monitor | Alerts System Log Monitored at 10 Minute Frequency | no |

+| Azure Monitor | Alerts System Log Monitored at 15 Minute Frequency | no |

+| Azure Monitor | Alerts System Log Monitored at 5 Minute Frequency | no |

+| Azure Monitor | Alerts Resource Monitored at 1 Minute Frequency | no |

+| Azure Monitor | Alerts Resource Monitored at 10 Minute Frequency | no |

+| Azure Monitor | Alerts Resource Monitored at 15 Minute Frequency | no |

+| Azure Monitor | Alerts Resource Monitored at 5 Minute Frequency | no |

+## Azure Monitor web test meters

+| ServiceName | MeterName | Regional Meter? |

+| -- | | |

+| Azure Monitor | Standard Web Test Execution | yes |

+| Application Insights | Multi-step Web Test | no |

+## Legacy classic Application Insights meters

+| ServiceName | MeterName | Regional Meter? |

+| -- | | |

+| Application Insights | Enterprise Node | no |

+| Application Insights | Enterprise Overage Data | no |

+### Legacy Application Insights meters

+Most Application Insights usage for both classic and workspace-based resources is reported on meters with **Log Analytics** for **Meter Category** because there's a single log back-end for all Azure Monitor components. Only Application Insights resources on legacy pricing tiers and multiple-step web tests are reported with **Application Insights** for **Meter Category**. The usage is shown in the **Consumed Quantity** column. The unit for each entry is shown in the **Unit of Measure** column. For more information, see [Understand your Microsoft Azure bill](../cost-management-billing/understand/review-individual-bill.md).

+To separate costs from your Log Analytics and classic Application Insights usage, [create a filter](../cost-management-billing/costs/group-filter.md) on **Resource type**. To see all Application Insights costs, filter **Resource type** to **microsoft.insights/components**. For Log Analytics costs, filter **Resource type** to **microsoft.operationalinsights/workspaces**. (Workspace-based Application Insights is all billed to the Log Analytics workspace resourced.)

+ Title: Azure Monitor cost and usage

+description: Overview of how Azure Monitor is billed and how to analyze billable usage.

+# Azure Monitor cost and usage

+This article describes the different ways that Azure Monitor charges for usage and how to evaluate charges on your Azure bill.

+## Pricing model

+Azure Monitor uses a consumption-based pricing (pay-as-you-go) billing model where you only pay for what you use. Features of Azure Monitor that are enabled by default do not incur any charge, including collection and alerting on the [Activity log](essentials/activity-log.md) and collection and analysis of [platform metrics](essentials/metrics-supported.md).

+Several other features don't have a direct cost, but you instead pay for the ingestion and retention of data that they collect. The following table describes the different types of usage that are charged in Azure Monitor. Detailed current pricing for each is provided in [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/).

+| Type | Description |

+|:|:|

+| Logs | Ingestion, retention, and export of data in [Log Analytics workspaces](logs/log-analytics-workspace-overview.md) and [legacy Application insights resources](app/convert-classic-resource.md). This will typically be the bulk of Azure Monitor charges for most customers. There is no charge for querying this data except in the case of [Basic Logs](logs/basic-logs-configure.md) or [Archived Logs](logs/data-retention-archive.md).<br><br>Charges for Logs can vary significantly on the configuration that you choose. See [Azure Monitor Logs pricing details](logs/cost-logs.md) for details on how charges for Logs data are calculated and the different pricing tiers available. |

+| Platform Logs | Processing of [diagnostic and auditing information](essentials/resource-logs.md) is charged for [certain services](essentials/resource-logs-categories.md#costs) when sent to destinations other than a Log Analytics workspace. There's no direct charge when this data is sent to a Log Analytics workspace, but there is a charge for the workspace data ingestion and collection. |

+| Metrics | There is no charge for [standard metrics](essentials/metrics-supported.md) collected from Azure resources. There is a cost for collecting [custom metrics](essentials/metrics-custom-overview.md) and for retrieving metrics from the [REST API](essentials/rest-api-walkthrough.md#retrieve-metric-values). |

+| Prometheus Metrics | Pricing for [Azure Monitor managed service for Prometheus](essentials/prometheus-metrics-overview.md) is based on [data samples ingested](essentials/prometheus-metrics-enable.md) and [query samples processed](essentials/azure-monitor-workspace-manage.md#link-a-grafana-workspace). Data is retained for 18 months at no extra charge. |

+| Alerts | Alerts are charged based on the type and number of [signals](alerts/alerts-overview.md) used by the alert rule, its frequency, and the type of [notification](alerts/action-groups.md) used in response. For [log alerts](alerts/alerts-unified-log.md) configured for [at scale monitoring](alerts/alerts-unified-log.md#split-by-alert-dimensions), the cost will also depend on the number of time series created by the dimensions resulting from your query. |

+| Web tests | There is a cost for [standard web tests](app/availability-standard-tests.md) and [multi-step web tests](app/availability-multistep.md) in Application Insights. Multi-step web tests have been deprecated.

+### Data transfer charges

+Sending data to Azure Monitor can incur data bandwidth charges. As described in the [Azure Bandwidth pricing page](https://azure.microsoft.com/pricing/details/bandwidth/), data transfer between Azure services located in two regions charged as outbound data transfer at the normal rate. Inbound data transfer is free. Data transfer charges for Azure Monitor though are typically very small compared to the costs for data ingestion and retention. You should focus more on your ingested data volume to control your costs.

+> [!NOTE]

+> Data sent to a different region using [Diagnostic Settings](essentials/diagnostic-settings.md) does not incur data transfer charges

+## View Azure Monitor usage and charges

+There are two primary tools to view and analyze your Azure Monitor billing and estimated charges. Each is described in detail in the following sections.

+| Tool | Description |

+|:|:|

+| [Azure Cost Management + Billing](#azure-cost-management--billing) | The primary tool that you use to analyze your usage and costs. It gives you multiple options to analyze your monthly charges for different Azure Monitor features and their projected cost over time. |

+| [Usage and Estimated Costs](#usage-and-estimated-costs) | Provides a listing of monthly charges for different Azure Monitor features. This is particularly useful for Log Analytics workspaces where it helps you to select your pricing tier by showing how your cost would change at different pricing tiers. |

+## Azure Cost Management + Billing

+To get started analyzing your Azure Monitor charges, open [Cost Management + Billing](../cost-management-billing/costs/quick-acm-cost-analysis.md?toc=/azure/billing/TOC.json) in the Azure portal. This tool includes several built-in dashboards for deep cost analysis like cost by resource and invoice details. Select **Cost Management** and then **Cost analysis**. Select your subscription or another [scope](../cost-management-billing/costs/understand-work-scopes.md).

+>[!NOTE]

+>You might need additional access to use Cost Management data. See [Assign access to Cost Management data](../cost-management-billing/costs/assign-access-acm-data.md).

+To limit the view to Azure Monitor charges, [create a filter](../cost-management-billing/costs/group-filter.md) for the following **Service names**. See [Azure Monitor billing meter names](cost-meters.md) for the different charges that are included in each service.

+- Azure Monitor

+- Log Analytics

+- Insight and Analytics

+- Application Insights

+Other services such as Microsoft Defender for Cloud and Microsoft Sentinel also bill their usage against Log Analytics workspace resources, so you might want to add them to your filter. See [Common cost analysis uses](../cost-management-billing/costs/cost-analysis-common-uses.md) for details on using this view.

+>[!NOTE]

+>Alternatively, you can go to the **Overview** page of a Log Analytics workspace or Application Insights resource and click **View Cost** in the upper right corner of the **Essentials** section. This will launch the **Cost Analysis** from Azure Cost Management + Billing already scoped to the workspace or application.

+> :::image type="content" source="logs/media/view-bill/view-cost-option.png" lightbox="logs/media/view-bill/view-cost-option.png" alt-text="Screenshot of option to view cost for Log Analytics workspace.":::

+### Automated mails and alerts

+Rather than manually analyzing your costs in the Azure portal, you can automate delivery of information using the following methods.

+ - **Daily cost analysis emails.** Once you've configured your Cost Analysis view, you should click **Subscribe** at the top of the screen to receive regular email updates from Cost Analysis.

+ - **Budget alerts.** To be notified if there are significant increases in your spending, create a [budget alerts](../cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending.md) for a single workspace or group of workspaces.

+### Export usage details

+To gain deeper understanding of your usage and costs, create exports using **Cost Analysis**. See [Tutorial: Create and manage exported data](../cost-management-billing/costs/tutorial-export-acm-data.md) to learn how to automatically create a daily export you can use for regular analysis.

+These exports are in CSV format and will contain a list of daily usage (billed quantity and cost) by resource, billing meter, and several other fields such as [AdditionalInfo](../cost-management-billing/automate/understand-usage-details-fields.md#list-of-fields-and-descriptions). You can use Microsoft Excel to do rich analyses of your usage not possible in the **Cost Analytics** experiences in the portal.

+The usage export has both the number of units of usage and their cost. Consequently, you can use this export to see the amount of benefits you are receiving from various offers such as the [Defender for Servers data allowance](logs/cost-logs.md#workspaces-with-microsoft-defender-for-cloud) and the [Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5, and G5 customers](https://azure.microsoft.com/offers/sentinel-microsoft-365-offer/).

+For example, usage from Log Analytics can be found by first filtering on the **Meter Category** column to show

+1. **Log Analytics** (for Pay-as-you-go data ingestion and interactive Data Retention),

+2. **Insight and Analytics** (used by some of the legacy pricing tiers), and

+3. **Azure Monitor** (used by most other Log Analytics features such as Commitment Tiers, Basic Logs ingesting, Data Archive, Search Queries, Search Jobs, etc.)

+Add a filter on the **Instance ID** column for **contains workspace** or **contains cluster**. The usage is shown in the **Consumed Quantity** column. The unit for each entry is shown in the **Unit of Measure** column.

+> [!NOTE]

+> See [Azure Monitor billing meter names](cost-meters.md) for a reference of the billing meter names used by Azure Monitor in Azure Cost Management + Billing.

+## Usage and estimated costs

+You can get additional usage details about Log Analytics workspaces and Application Insights resources from the **Usage and Estimated Costs** option for each.

+### Log Analytics workspace

+To learn about your usage trends and choose the most cost-effective [commitment tier](logs/cost-logs.md#commitment-tiers) for your Log Analytics workspace, select **Usage and Estimated Costs** from the **Log Analytics workspace** menu in the Azure portal.

+This view includes the following:

+A. Estimated monthly charges based on usage from the past 31 days using the current pricing tier.<br>

+B. Estimated monthly charges using different commitment tiers.<br>

+C. Billable data ingestion by solution from the past 31 days.

+To explore the data in more detail, click on the icon in the upper-right corner of either chart to work with the query in Log Analytics.

+### Application insights

+To learn about your usage trends for your classic Application Insights resource, select **Usage and Estimated Costs** from the **Applications** menu in the Azure portal.

+This view includes the following:

+A. Estimated monthly charges based on usage from the past month.<br>

+B. Billable data ingestion by table from the past month.

+To investigate your Application Insights usage more deeply, open the **Metrics** page, add the metric named *Data point volume*, and then select the *Apply splitting* option to split the data by "Telemetry item type".

+## View data allocation benefits

+To view data allocation benefits from sources such as [Microsoft Defender for Servers](https://azure.microsoft.com/pricing/details/defender-for-cloud/), [Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5 and G5 customers](https://azure.microsoft.com/offers/sentinel-microsoft-365-offer/), or the [Sentinel Free Trial](https://azure.microsoft.com/pricing/details/microsoft-sentinel/), you need to [export your usage details](#export-usage-details).

+1. Open the exported usage spreadsheet and filter the *Instance ID* column to your workspace. To select all of your workspaces in the spreadsheet, filter the *Instance ID* column to "contains /workspaces/".

+2. Filter the *ResourceRate* column to show only rows where this is equal to zero. Now you will see the data allocations from these various sources.

+> [!NOTE]

+> Data allocations from Defender for Servers 500 MB/server/day will appear in rows with the meter name "Data Included per Node" and the meter category to "Insight and Analytics" (the name of a legacy offer still used with this meter.) If the workspace is in the legacy Per Node Log Analytics pricing tier, this meter will also include the data allocations from this Log Analytics pricing tier.

+## Operations Management Suite subscription entitlements

+Customers who purchased Microsoft Operations Management Suite E1 and E2 are eligible for per-node data ingestion entitlements for Log Analytics and Application Insights. Each Application Insights node includes up to 200 MB of data ingested per day (separate from Log Analytics data ingestion), with 90-day data retention at no extra cost.

+To receive these entitlements for Log Analytics workspaces or Application Insights resources in a subscription, they must use the Per-Node (OMS) pricing tier. This entitlement isn't visible in the estimated costs shown in the Usage and estimated cost pane.

+Depending on the number of nodes of the suite that your organization purchased, moving some subscriptions into a Per GB (pay-as-you-go) pricing tier might be advantageous, but this requires careful consideration.

+Also, if you move a subscription to the new Azure monitoring pricing model in April 2018, the Per GB tier is the only tier available. Moving a subscription to the new Azure monitoring pricing model isn't advisable if you have an Operations Management Suite subscription.

+> [!TIP]

+> If your organization has Microsoft Operations Management Suite E1 or E2, it's usually best to keep your Log Analytics workspaces in the Per-Node (OMS) pricing tier and your Application Insights resources in the Enterprise pricing tier.

+>

+## Next steps

+- See [Azure Monitor Logs pricing details](logs/cost-logs.md) for details on how charges are calculated for data in a Log Analytics workspace and different configuration options to reduce your charges.

+- See [Analyze usage in Log Analytics workspace](logs/analyze-usage.md) for details on analyzing the data in your workspace to determine to source of any higher than expected usage and opportunities to reduce your amount of data collected.

+- See [Set daily cap on Log Analytics workspace](logs/daily-cap.md) to control your costs by setting a daily limit on the amount of data that might be ingested in a workspace.

+- See [Azure Monitor best practices - Cost management](best-practices-cost.md) for best practices on configuring and managing Azure Monitor to minimize your charges.

+> Metrics sent to Azure Monitor via the Application Insights SDK are billed as ingested log data. They incur additional metrics charges only if the Application Insights feature [Enable alerting on custom metric dimensions](../app/pre-aggregated-metrics-log-metrics.md#custom-metrics-dimensions-and-pre-aggregation) has been selected. This checkbox sends data to the Azure Monitor metrics database by using the custom metrics API to allow the more complex alerting. Learn more about the [Application Insights pricing model](../cost-usage.md) and [prices in your region](https://azure.microsoft.com/pricing/details/monitor/).

+The **Data ingestion per solution** chart on the [Usage and estimated costs](../cost-usage.md#usage-and-estimated-costs) page for each workspace shows the total volume of data sent and how much is being sent by each solution over the previous 31 days. This information helps you determine trends such as whether any increase is from overall data usage or usage by a particular solution.

+- See [Azure Monitor cost and usage](../cost-usage.md) for a description of the different types of Azure Monitor charges and how to analyze them on your Azure bill.

+To create a new alert rule based on a cross-service query, follow the steps in [Create a new alert rule](../alerts/alerts-create-new-alert-rule.md), selecting your Log Analytics workspace on the **Scope** tab.

+### General cross-service query limitations

+### Azure Resource Graph cross-service query limitations

+When you query Azure Resource Graph data from Azure Monitor:

+* The query returns the first 1000 records only.

+* Azure Monitor doesn't return Azure Resource Graph query errors.

+* The Log Analytics query editor marks valid Azure Resource Graph queries as syntax errors.

+* These operators aren't supported: `smv-apply()`, `rand()`, `arg_max()`, `arg_min()`, `avg()`, `avg_if()`, `countif()`, `sumif()`, `percentile()`, `percentiles()`, `percentilew()`, `percentilesw()`, `stdev()`, `stdevif()`, `stdevp()`, `variance()`, `variancep()`, `varianceif()`.

+> This article describes how to change the commitment tier for a Log Analytics workspace once you determine which commitment tier you want to use. See [Azure Monitor Logs pricing details](cost-logs.md) for details on how commitment tiers work and [Azure Monitor cost and usage](../cost-usage.md#log-analytics-workspace) for recommendations on the most cost effective commitment based on your observed Azure Monitor usage.

+- See [Azure Monitor cost and usage](../cost-usage.md) for a description of the different types of Azure Monitor charges and how to analyze them on your Azure bill.

+> The **Usage and estimated costs** menu item for each Log Analytics workspace shows an estimate of what your data ingestion charges would be at each commitment level to help you choose the optimal commitment tier for your data ingestion patterns. Review this information periodically to determine if you can reduce your charges by moving to another tier. For information on this view, see [Usage and estimated costs](../cost-usage.md#usage-and-estimated-costs). To review your actual charges, use [Azure Cost Management = Billing](../cost-usage.md#azure-cost-management--billing).

+- See [Azure Monitor cost and usage](../cost-usage.md) for a description of the different types of Azure Monitor charges and how to analyze them on your Azure bill.

+To help you determine an appropriate daily cap for your workspace, see [Azure Monitor cost and usage](../cost-usage.md) to understand your data ingestion trends. You can also review [Analyze usage in Log Analytics workspace](analyze-usage.md) which provides methods to analyze your workspace usage in more detail.

+- [Azure Monitor cost estimates](../cost-estimate.md) using the [Pricing Calculator](https://azure.microsoft.com/pricing/calculator/?service=monitor).

+Also consider potential [bandwidth charges](https://azure.microsoft.com/pricing/details/bandwidth/) that might apply when you're sending data to a workspace from a resource in another region. These charges are usually minor relative to data ingestion costs for most customers. These charges typically result from sending data to the workspace from a virtual machine. Monitoring data from other Azure resources by using [diagnostic settings](../essentials/diagnostic-settings.md) doesn't [incur egress charges](../cost-usage.md#data-transfer-charges).

+You might need to split billing between different parties or perform charge back to a customer or internal business unit. You can use [Azure Cost Management + Billing](../cost-usage.md#azure-cost-management--billing) to view charges by workspace. You can also use a log query to view [billable data volume by Azure resource, resource group, or subscription](analyze-usage.md#data-volume-by-azure-resource-resource-group-or-subscription). This approach might be sufficient for your billing requirements.

+- **If you need to split billing or perform charge back:** Consider whether [Azure Cost Management + Billing](../cost-usage.md#azure-cost-management--billing) or a log query provides cost reporting that's granular enough for your requirements. If not, use a separate workspace for each cost owner.

+- [Azure Monitor cost and usage](cost-usage.md)

+General|[Azure Monitor cost and usage](cost-usage.md)|Updated information about the Cost Analysis usage report which contains both the cost for your usage, and the number of units of usage. You can use this export to see the amount of benefit you're receiving from various offers such as the [Defender for Servers data allowance](logs/cost-logs.md#workspaces-with-microsoft-defender-for-cloud) and the [Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5, and G5 customers](https://azure.microsoft.com/offers/sentinel-microsoft-365-offer/). |

+General|[Azure Monitor cost and usage](cost-usage.md)|Added section detailing billing meter names.|

+| [Azure Monitor cost and usage](cost-usage.md) | Added standard web tests to table.<br>Added explanation of billable GB calculation. |

+> [!WARNING]

+> Browser traces often contain sensitive information and might include authentication tokens linked to your identity. Please remove any sensitive information before sharing traces with others. Microsoft support uses these traces for troubleshooting purposes only.

+- UK South (on AV36, and AV36P)

+> It can take up to five business days to allocate the hosts, depending on the number requested. Therefore, request what you need for provisioning to avoid the delays associated with making additional quota increase requests.

+ > - Azure VMware Solution requires a minimum of three hosts and recommends redundancy of N+1 hosts.

+ > - **New** The unused quota expires after 30 days. A new request will need to be submitted for any additional quota.

+ > - Azure VMware Solution requires a minimum of three hosts and recommends redundancy of N+1 hosts.

+ > - **New** The unused quota expires after 30 days. A new request will need to be submitted for any additional quota.

+# Windows VMs - copy and paste via Bastion

+* A virtual network with [Azure Bastion](./tutorial-create-host-portal.md) deployed.

+* A Windows virtual machine deployed to your virtual network.

+By default, Azure Bastion is automatically enabled to allow copy and paste for all sessions connected through the bastion resource. You don't need to configure anything extra. This applies to both the Basic and the Standard SKU tier. If you want to disable this feature, you can disable it for web-based clients on the configuration page of your Bastion resource.

+1. **Apply** changes. The bastion host updates.

+1. Connect to your virtual machine.

+1. For direct copy and paste, your browser might prompt you for clipboard access when the Bastion session is being initialized. **Allow** the web page to access the clipboard.

+To copy text from your local computer to a virtual machine, use the following steps.

+1. Connect to your virtual machine.

+1. On the virtual machine, you'll see two arrows on the left side of the session screen about halfway down. Launch the Bastion **Clipboard** access tool palette by selecting the two arrows.

+1. Copy the text from your local computer. Typically, the copied text automatically shows on the Bastion clipboard access tool palette. If it doesn't show up on the tool palette, then paste the text in the text area on the tool palette. Once the text is in the text area, you can paste it to the remote session.

+ :::image type="content" source="./media/bastion-vm-copy-paste/clipboard-copy.png" alt-text="Screenshot shows the clipboard for text copied in Bastion." lightbox="./media/bastion-vm-copy-paste/clipboard-copy.png":::

+1. If you want to copy the text from the virtual machine to your local computer, copy the text to the clipboard access tool. Once your text is in the text area on the palette, paste it to your local computer.

+For more virtual machine features, see [About VM connections and features](vm-about.md).

+An instance is an optimized Azure VM that is created when you configure Azure Bastion. It's fully managed by Azure and runs all of the processes needed for Azure Bastion. An instance is also referred to as a scale unit. You connect to client VMs via an Azure Bastion instance. When you configure Azure Bastion using the Basic SKU, two instances are created. If you use the Standard SKU, you can specify the number of instances (with a minimum of two instances). This is called **host scaling**.

+# Quickstart: Deploy Azure Bastion - Developer SKU (Preview)

+> [!NOTE]

+> VNet peering isn't currently supported for the Developer SKU.

+When you deploy Bastion using the Developer SKU, the deployment requirements are different than when you deploy using other SKUs. Typically when you create a bastion host, a host is deployed to the AzureBastionSubnet in your virtual network. The Bastion host is dedicated for your use. When using the Developer SKU, a bastion host isn't deployed to your virtual network and you don't need an AzureBastionSubnet. However, the Developer SKU bastion host isn't a dedicated resource and is, instead, part of a shared pool.

+In this quickstart, you deployed Bastion using the Developer SKU, and then connected to a virtual machine securely via Bastion. Next, you can configure more features and work with VM connections.

+| Supported OS types | Windows, Linux (outbound traffic only) |

+* When running in a Linux environment, the agent-based network latency fault can only affect **outbound** traffic, not inbound traffic. The fault can affect **both inbound and outbound** traffic on Windows environments (via the `inboundDestinationFilters` and `destinationFilters` parameters).

+| Prerequisites | None. |

+| Prerequisites | None. |

+| Prerequisites | None. |

+- **Resource Move not supported** - Azure Chaos Studio tracked resources (for example, Experiments) currently do not support Resource Move. Experiments can be easily copied (by copying Experiment JSON) for use in other subscriptions, resource groups, or regions. Experiments can also already target resources across regions. Extension resources (Targets and Capabilities) do support Resource Move.

+ - Windows Server 2019, Windows Server 2016, and Windows Server 2012 R2

+ - Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.2, openSUSE Leap 15.2, CentOS 8, Debian 10 Buster (with unzip installation required), Oracle Linux 8.3, and Ubuntu Server 18.04 LTS

+- **Hardened Linux untested** - The Chaos Studio agent isn't currently tested against custom Linux distributions or hardened Linux distributions (for example, FIPS or SELinux).

+- When selecting target resources for an agent-based fault in the experiment designer, it's possible to select virtual machines or virtual machine scale sets with an operating system not supported by the fault selected.

+- When running in a Linux environment, the agent-based network latency fault (NetworkLatency-1.1) can only affect **outbound** traffic, not inbound traffic. The fault can affect **both inbound and outbound** traffic on Windows environments (via the `inboundDestinationFilters` and `destinationFilters` parameters).

+We are also now excited to share that Chaos Studio supports running **agent-based experiments** using Private Endpoints! Chaos Studio now supports Private Link for **both** service-direct and agent-based experiments. If you would like to use Private-Link for agent-service, please reach out to your CSA or the Chaos Studio help team for instructions on how to get yourself onboarded. For private link for service-direct faults, read the following sections for instructions on how to use them.

+> To understand costs associated with Azure Monitor, see [Azure Monitor cost and usage](../azure-monitor/cost-usage.md).

+Each connected registry is a resource you manage using a cloud-based Azure container registry. The top parent in the connected registry hierarchy is an Azure container registry in an Azure cloud.

+- **ReadOnly mode** - When the connected registry is in ReadOnly mode, clients can only pull (read) artifacts. This configuration is used for nested IoT Edge scenarios, or other scenarios where clients need to pull a container image to operate.

+| IdleTcpConnectionTimeout | By default, idle connections are kept open indefinitely. | 20m-24h | This represents the amount of idle time after which unused connections are closed. Recommended values are between 20 minutes and 24 hours. |

+* If you know typical request rates for your current database workload, read about [estimating request units using Azure Cosmos DB capacity planner](estimate-ru-with-capacity-planner.md)

+1. In the dialog that appears, enter your EA enrollment number for **BillingProfileIdOrEnrollmentNumber**. Specify the number of months of data to get. Enter "Enrollment Number" for **Scope**, then select **Next**.

+| MOSP (PAYG) | EA | ΓÇó If you're transferring the admin account to the EA enrollment, see [Transfer a subscription to an EA](mosp-ea-transfer.md#transfer-the-subscription-to-the-ea).<br><br> ΓÇó If you're transferring subscriptions to the EA enrollment, you must create a [billing support ticket](https://azure.microsoft.com/support/create-ticket/). |

+ - Partner Center Action Center emails are sent to partners. For more information about how partners can update their transactional notifications, see [Action Center preferences](/partner-center/action-center-overview#preferences).

+- Unsupported regions: Australia Central 2, France South, Germany North, Germany West Central, Jio India West, Korea South, Switzerland West.

+ * Regions that are supported by Defender for Storage but not by malware scanning. Learn more about [availability for Defender for Storage.](/azure/defender-for-cloud/defender-for-storage-introduction)

+- **Limited technology and tools**, such as lack of visibility or automated security remediation for OT networks. You need to evaluate and link information across data sources for OT networks, and integrations with existing SOC solutions might be costly.

+However, without OT data, context and integration with existing SOC tools and workflows, OT security and operational threats might be handled incorrectly, or even go unnoticed.

+Microsoft Sentinel is a scalable cloud service for security information event management (SIEM) security orchestration automated response (SOAR). SOC teams can use the integration between Microsoft Defender for IoT and Microsoft Sentinel to collect data across networks, detect and investigate threats, and respond to incidents.

+Install the Defender for IoT data connector alone to stream your OT network alerts to Microsoft Sentinel. Then, also install the **Microsoft Defender for IoT** solution for the extra value of IoT/OT-specific analytics rules, workbooks, and SOAR playbooks, and also incident mappings to [MITRE ATT&CK for ICS techniques](https://attack.mitre.org/techniques/ics/).

+Integrating Defender for IoT with Microsoft Sentinel also helps you ingest more data from Microsoft Sentinel's other partner integrations. For more information, see [Integrations with Microsoft and partner services](integrate-overview.md).

+> [!NOTE]

+> Some features of Microsoft Sentinel might incur a fee. For more information, see [Plan costs and understand Microsoft Sentinel pricing and billing](/azure/sentinel/billing).

+|**Use out-of-the-box solution rules** | Enable some or all of the [out-of-the-box analytics rules](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-unifiedmicrosoftsocforot?tab=Overview) provided with the **Microsoft Defender for IoT** solution.<br><br> These analytics rules help to reduce alert fatigue by creating incidents only in specific situations. For example, you might choose to create incidents for excessive sign-in attempts, but for multiple scans detected in the network. |

+- Open an asset ticket in ServiceNow when a new asset is detected, such as a new engineering workstation. This alert can be an unauthorized device that might be used by adversaries to reprogram PLCs.

+- Send an email to relevant stakeholders when suspicious activity is detected, for example unplanned PLC reprogramming. The mail might be sent to OT personnel, such as a control engineer responsible on the related production line.

+You typically see more Defender for IoT *events* in Microsoft Sentinel than *alerts*, and more Defender for IoT *alerts* than *incidents*.

+Microsoft Sentinel creates incidents based on your analytics rules. You might have several alerts grouped in the same incident, or you might have analytics rules configured to *not* create incidents for specific alert types.

+- [Tutorial: Use playbooks with automation rules in Microsoft Sentinel](../../sentinel/tutorial-respond-threats-playbook.md)

+- Depending on where you want to create your forwarding alert rules, you need to have either an [OT network sensor or on-premises management console installed](how-to-install-software.md), with access as an **Admin** user.

+- You also need to define SMTP settings on the OT sensor or on-premises management console.

+ |**Minimal alert level** | Select the minimum [alert severity level](alert-engine-messages.md#alert-severities) you want to forward. <br><br> For example, if you select **Minor**, minor alerts and any alert above this severity level are forwarded. |

+ |**Minimal alert level** | At the top-right of the dialog, use the dropdown list to select the minimum [alert severity level](alert-engine-messages.md#alert-severities) that you want to forward. <br><br>For example, if you select **Minor**, minor alerts and any alert above this severity level are forwarded. |

+ |**Engines** | Select **All** to forward alerts triggered by all sensor analytics engines, or select **Specific** to add specific engines only. |

+| Priority | `User.Alert` |

+| Message | Sensor name: The name of the appliance. <br /> Alert time: The time that the alert was detected: Can vary from the time of the syslog server machine, and depends on the time-zone configuration of the forwarding rule. <br /> Alert Title:  The title of the alert. <br /> Alert message: The message of the alert. <br /> Alert severity: The severity of the alert: **Warning**, **Minor**, **Major**, or **Critical**. <br /> Alert type: **Protocol Violation**, **Policy Violation**, **Malware**, **Anomaly**, or **Operational**. <br /> Protocol: The protocol of the alert. <br /> **Source_MAC**: IP address, name, vendor, or OS of the source device. <br /> Destination_MAC: IP address, name, vendor, or OS of the destination. If data is missing, the value is **N/A**. <br /> alert_group: The alert group associated with the alert. |

+| Priority | `User.Alert` |

+| Message | *CEF:0* <br />Microsoft Defender for IoT/CyberX <br />Sensor name <br />Sensor version <br />Microsoft Defender for IoT Alert <br />Alert title <br />Integer indication of severity. 1=**Warning**, 4=**Minor**, 8=**Major**, or 10=**Critical**.<br />msg= The message of the alert. <br />protocol= The protocol of the alert. <br />severity= **Warning**, **Minor**, **Major**, or **Critical**. <br />type= **Protocol Violation**, **Policy Violation**, **Malware**, **Anomaly**, or **Operational**. <br />UUID= UUID of the alert (Optional) <br /> start= The time that the alert was detected. <br />Might vary from the time of the syslog server machine, and depends on the time-zone configuration of the forwarding rule. <br />src_ip= IP address of the source device. (Optional) <br />src_mac= MAC address of the source device. (Optional) <br />dst_ip= IP address of the destination device. (Optional)<br />dst_mac= MAC address of the destination device. (Optional)<br />cat= The alert group associated with the alert. |

+| Priority | `User.Alert` |

+| Message | Sensor name: The name of the Microsoft Defender for IoT appliance. <br />*LEEF:1.0* <br />Microsoft Defender for IoT <br />Sensor <br />Sensor version <br />Microsoft Defender for IoT Alert <br /> Title:  The title of the alert. <br />msg: The message of the alert. <br />protocol: The protocol of the alert.<br />severity: **Warning**, **Minor**, **Major**, or **Critical**. <br />type: The type of the alert: **Protocol Violation**, **Policy Violation**, **Malware**, **Anomaly**, or **Operational**. <br />start: The time of the alert. It might be different from the time of the syslog server machine, and depends on the time-zone configuration. <br />src_ip: IP address of the source device.<br />dst_ip: IP address of the destination device. <br />cat: The alert group associated with the alert. |

+## Configure forwarding rules for partner integrations

+You might be integrating Defender for IoT with a partner service to send alert or device inventory information to another security or device management system, or to communicate with partner-side firewalls.

+In such cases, use supported **Actions** to enter credentials and other information required to communicate with integrated partner services.

+- [Integrate Qradar with Microsoft Defender for IoT](tutorial-qradar.md)

+### Configure alert groups in partner services

+*Alert groups* help SOC teams using those partner solutions to manage alerts based on enterprise security policies and business priorities. For example, alerts about new detections are organized into a *discovery* group, which includes any alerts about new devices, VLANs, user accounts, MAC addresses, and more.

+ Title: Integrate with partner services | Microsoft Defender for IoT

+description: Learn about supported integrations across your organization's security stack with Microsoft Defender for IoT.

+Integrate Microsoft Defender for IoT with partner services to view data from across your security stack data in Defender for IoT, or to view Defender for IoT data in one of your security ecosystem integrations.

+> [!IMPORTANT]

+> Defender for IoT is refreshing its security stack integrations to improve the overall robustness, scalability, and ease of maintenance of various security solutions.

+>

+> If you're integrating your security solution with cloud-based systems, we recommend that you use data connectors through [Microsoft Sentinel](concept-sentinel-integration.md). For on-premises integrations, we recommend that you either configure your OT sensor to [forward syslog events](how-to-forward-alert-information-to-partners.md)), or use [Defender for IoT APIs](references-work-with-defender-for-iot-apis.md).

+>

+> The legacy [Aruba ClearPass](#aruba-clearpass), [Palo Alto Panorama](#palo-alto), and [Splunk](#splunk) integrations are supported through October 2024 using sensor version 23.1.3, and won't be supported in upcoming major software versions. For customers using legacy integration methods, we recommend moving your integrations to the standard cloud or on-premises methods.

+| **Aruba ClearPass** (cloud) | View Defender for IoT data together with Aruba ClearPass data, using Microsoft Sentinel to create custom dashboards, custom alerts, and improve your investigation ability.<br><br> Connect to [Microsoft Sentinel](concept-sentinel-integration.md), and install the [Aruba ClearPass data connector](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-arubaclearpass?tab=Overview). | - OT networks <br>- Cloud-connected or locally managed OT sensors | Microsoft | [Microsoft Sentinel documentation](/azure/sentinel/data-connectors/aruba-clearpass) |

+| **Aruba ClearPass** (on-premises) | View Defender for IoT data together with Aruba ClearPass data by doing one of the following:<br><br>- Configure your sensor to send syslog files directly to ClearPass. <br>- | - OT networks <br>- Cloud-connected or locally managed OT sensors | Microsoft | [Forward on-premises OT alert information](how-to-forward-alert-information-to-partners.md) <br><br>[Defender for IoT API reference](references-work-with-defender-for-iot-apis.md)|

+|**Aruba ClearPass** (legacy) | Share Defender for IoT data directly with ClearPass Security Exchange and update the ClearPass Policy Manager Endpoint Database with Defender for IoT data. | - OT networks<br>- Locally managed sensors and on-premises management consoles | Microsoft | [Integrate ClearPass with Microsoft Defender for IoT](tutorial-clearpass.md) |

+|**Defender for IoT data connector in Microsoft Sentinel** (cloud) | Displays Defender for IoT cloud data in Microsoft Sentinel, supporting end-to-end SOC investigations for Defender for IoT alerts. <br><br>Connects to other partner services, allowing you to synchronize your data between Defender for IoT and supported partner systems, across Microsoft Sentinel. | - OT and Enterprise IoT networks <br>- Cloud-connected sensors | Microsoft | - [OT threat monitoring in enterprise SOCs](concept-sentinel-integration.md) <br>- [Tutorial: Connect Microsoft Defender for IoT with Microsoft Sentinel](iot-solution.md) <br>- [Tutorial: Investigate and detect threats for IoT devices](iot-advanced-threat-monitoring.md) |

+| **Microsoft Sentinel** (on-premises) | View Defender for IoT data together with Microsoft Sentinel data by configuring your sensor to send syslog files directly to Microsoft Sentinel.| - OT networks <br>- Cloud-connected or locally managed OT sensors | Microsoft | [Forward on-premises OT alert information](how-to-forward-alert-information-to-partners.md) |

+|**Microsoft Sentinel** (legacy) | Send Defender for IoT alerts from on-premises resources to Microsoft Sentinel. | - OT networks <br>- Locally managed sensors and on-premises management consoles | Microsoft | [Connect on-premises OT network sensors to Microsoft Sentinel](integrations/on-premises-sentinel.md) |

+| **Palo Alto Panorama** (cloud) | View Defender for IoT data together with Panorama data. Use Microsoft Sentinel solutions, which include out-of-the-box workbooks, hunting queries, automation playbooks, and analytics rules, or create custom dashboards, alerts, and more. <br><br> Connect to [Microsoft Sentinel](concept-sentinel-integration.md), and install one or more of the following solutions: <br>- [Palo Alto PAN-OS Solution](/azure/sentinel/data-connectors/palo-alto-networks-firewall) <br>- [Palo Alto Networks Cortex Data Lake Solution](/azure/sentinel/data-connectors/palo-alto-networks-cortex-data-lake-cdl) <br>- [Palo Alto Prisma Cloud CSPM solution](/azure/sentinel/data-connectors/palo-alto-prisma-cloud-cspm-using-azure-function) | - OT networks <br>- Cloud-connected or locally managed OT sensors | Microsoft |Microsoft Sentinel documentation: <br>- [Palo Alto PAN-OS Solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-paloaltopanos?tab=Overview) <br>- [Palo Alto Networks Cortex Data Lake Solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-paloaltocdl?tab=Overview) <br>- [Palo Alto Prisma Cloud CSPM solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-paloaltoprisma?tab=Overview) |

+| **Palo Alto Panorama** (on-premises) | View Defender for IoT data together with Panorama data by configuring your sensor to send syslog files directly to Palo Alto Panorama.| - OT networks <br>- Cloud-connected or locally managed OT sensors | Microsoft | [Forward on-premises OT alert information](how-to-forward-alert-information-to-partners.md) |

+|**Palo Alto** (legacy) | Use Defender for IoT data to block critical threats with Palo Alto firewalls, either with automatic blocking or with blocking recommendations. | - OT networks<br>- Locally managed sensors and on-premises management consoles | Microsoft | [Integrate Palo-Alto with Microsoft Defender for IoT](tutorial-palo-alto.md) |

+| **Splunk** (cloud) | Send Defender for IoT alerts to Splunk using one of the following methods: <br><br>- Via the [OT Security Add-on for Splunk](https://apps.splunk.com/app/5151), which widens your capacity to ingest and monitor OT assets and provides OT vulnerability management reports that help you comply with and audit for NERC CIP. <br><br>- Via a SIEM that supports Event Hubs, such as Microsoft Sentinel | - OT networks <br>- Cloud-connected or locally managed OT sensors | Microsoft and Splunk |- Splunk documentation on [The OT Security Add-on for Splunk](https://splunk.github.io/ot-security-solution/integrationguide/) and [installing add-ins](https://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall) <br>- [Stream Defender for IoT cloud alerts to a partner SIEM](integrations/send-cloud-data-to-partners.md) |

+| **Splunk** (on-premises) | View Defender for IoT data together with Splunk data by configuring your sensor to send syslog files directly to Splunk.| - OT networks <br>- Cloud-connected or locally managed OT sensors | Microsoft | [Forward on-premises OT alert information](how-to-forward-alert-information-to-partners.md) |

+|**Splunk** (on-premises, legacy integration) | Send Defender for IoT alerts to Splunk | - OT networks<br>- Locally managed sensors and on-premises management consoles | Microsoft | [Integrate Splunk with Microsoft Defender for IoT](tutorial-splunk.md) |

+For more information, see:

+- [Stream Defender for IoT cloud alerts to a partner SIEM](integrations/send-cloud-data-to-partners.md)

+ Title: Connect Defender for IoT on-premises resources to Microsoft Sentinel (legacy)

+description: This article describes the legacy method for connecting your OT sensor or on-premises management console to Microsoft Sentinel.

+#CustomerIntent: As an admin user for my locally-managed OT sensor, I want to learn how to connect my sensor to Microsoft Sentinel so that I can view alerts generated together with other Microsoft Sentinel data.

+# Connect OT network sensors or on-premises management consoles to Microsoft Sentinel (legacy)

+This article describes the legacy method for connecting your OT sensor or on-premises management console to Microsoft Sentinel. Stream data into Microsoft Sentinel whenever you want to use Microsoft Sentinel's advanced threat hunting, security analytics, and automation features when responding to security incidents and threats across your network.

+> [!IMPORTANT]

+> If you're using a cloud connected sensor, we recommend that you connect Defender for IoT data using the Microsoft Sentinel solution instead of the legacy integration method. For more information, see:

+>

+> - [OT threat monitoring in enterprise SOCs](../concept-sentinel-integration.md)

+> - [Tutorial: Connect Microsoft Defender for IoT with Microsoft Sentinel](../iot-solution.md)

+> - [Tutorial: Investigate and detect threats for IoT devices](../iot-advanced-threat-monitoring.md)

+description: Learn about the features and enhancements released for Microsoft Defender for IoT for organizations more than six months ago.

+For information on integrating with Microsoft Sentinel, see [Tutorial: Integrate Defender for IoT and Sentinel](../../sentinel/iot-solution.md?tabs=use-out-of-the-box-analytics-rules-recommended)

+- The on-premises management console has a new API to support our ServiceNow integration. For more information, see [Integration API reference for on-premises management consoles (Public preview)](api/management-integration-apis.md#integration-api-reference-for-on-premises-management-consoles-public-preview).

+- Upload TLS/SSL certificates directly to the sensors and on-premises management consoles.

+- There's no change in TLS/SSL certificate or validation functionality during the upgrade.

+- After you update your sensors and on-premises management consoles, administrative users can replace TLS/SSL certificates, or activate TLS/SSL certificate validation from the System Settings, TLS/SSL Certificate window.

+- During first-time sign-in, users are required to either use an TLS/SSL Certificate (recommended) or a locally generated self-signed certificate (not recommended)

+description: In this tutorial, you learn how to integrate Microsoft Defender for IoT with ClearPass using Defender for IoT's legacy, on-premises integration.

+This article describes how to integrate Aruba ClearPass with Microsoft Defender for IoT, in order to view both ClearPass and Defender for IoT information in a single place.

+Viewing both Defender for IoT and ClearPass information together provides SOC analysts with multidimensional visibility into the specialized OT protocols and devices deployed in industrial environments, along with ICS-aware behavioral analytics to rapidly detect suspicious or anomalous behavior.

+## Cloud-based integrations

+> [!TIP]

+> Cloud-based security integrations provide several benefits over on-premises solutions, such as centralized, simpler sensor management and centralized security monitoring.

+>

+> Other benefits include real-time monitoring, efficient resource use, increased scalability and robustness, improved protection against security threats, simplified maintenance and updates, and seamless integration with third-party solutions.

+>

+If you're integrating a cloud-connected OT sensor with Aruba ClearPass, we recommend that you connect to [Microsoft Sentinel](concept-sentinel-integration.md), and then install the [Aruba ClearPass data connector](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-arubaclearpass?tab=Overview).

+Microsoft Sentinel is a scalable cloud service for security information event management (SIEM) security orchestration automated response (SOAR). SOC teams can use the integration between Microsoft Defender for IoT and Microsoft Sentinel to collect data across networks, detect and investigate threats, and respond to incidents.

+In Microsoft Sentinel, the Defender for IoT data connector and solution brings out-of-the-box security content to SOC teams, helping them to view, analyze and respond to OT security alerts, and understand the generated incidents in the broader organizational threat contents.

+For more information, see:

+- [Tutorial: Connect Microsoft Defender for IoT with Microsoft Sentinel](iot-solution.md)

+- [Tutorial: Investigate and detect threats for IoT devices](iot-advanced-threat-monitoring.md)

+- [Microsoft Sentinel documentation](/azure/sentinel/data-connectors/aruba-clearpass).

+## On-premises integrations

+If you're working with an air-gapped, locally managed OT sensor, you'll need an on-premises solution to view Defender for IoT and Splunk information in the same place.

+In such cases, we recommend that you configure your OT sensor to send syslog files directly to ClearPass, or use Defender for IoT's built-in API.

+For more information, see:

+- [Forward on-premises OT alert information](how-to-forward-alert-information-to-partners.md)

+- [Defender for IoT API reference](references-work-with-defender-for-iot-apis.md)

+## On-premises integration (legacy)

+This section describes how to integrate Defender for IoT and ClearPass Policy Manager (CPPM) using the legacy, on-premises integration.

+> [!IMPORTANT]

+> The legacy Aruba ClearPass integration is supported through October 2024 using sensor version 23.1.3, and won't be supported in upcoming major software versions.. For customers using the legacy integration, we recommend moving to one of the following methods:

+>

+> - If you're integrating your security solution with cloud-based systems, we recommend that you use data connectors through [Microsoft Sentinel](#cloud-based-integrations).

+> - For on-premises integrations, we recommend that you either configure your OT sensor to [forward syslog events, or use Defender for IoT APIs](#on-premises-integrations).

+>

+### Prerequisites

+Before you begin, make sure that you have the following prerequisites:

+|Prerequisite |Description |

+|||

+|**Aruba ClearPass requirements** | CPPM runs on hardware appliances with pre-installed software or as a Virtual Machine under the following hypervisors. <br>- VMware ESXi 5.5, 6.0, 6.5, 6.6 or higher. <br>- Microsoft Hyper-V Server 2012 R2 or 2016 R2. <br>- Hyper-V on Microsoft Windows Server 2012 R2 or 2016 R2. <br>- KVM on CentOS 7.5 or later. <br><br>Hypervisors that run on a client computer such as VMware Player aren't supported. |

+|**Defender for IoT requirements** | - Defender for IoT version 2.5.1 or higher. <br>- Access to a Defender for IoT OT sensor as an [Admin user](roles-on-premises.md). |

+### Create a ClearPass API user

+### Create a ClearPass operator profile

+### Create a ClearPass OAuth API client

+### Configure Defender for IoT to integrate with ClearPass

+### Define a ClearPass forwarding rule

+For more information, see [On-premises integrations](#on-premises-integrations).

+### Monitor ClearPass and Defender for IoT communication

+If the sync isn't working, or shows an error, then itΓÇÖs likely youΓÇÖve missed capturing some of the information. Recheck the data recorded.

+When creating your forwarding rule:

+1. In the **Actions** area, select **FortiGate**.

+1. Define the server IP address where you want to send the data.

+1. Enter an API key created in FortiGate.

+1. Enter the incoming and outgoing firewall interface ports.

+1. Select to forward specific alert details. We recommend selecting one of more of the following:

+ - **Block illegal function codes**: Protocol violations - Illegal field value violating ICS protocol specification (potential exploit)

+ - **Block unauthorized PLC programming / firmware updates**: Unauthorized PLC changes

+ - **Block unauthorized PLC stop** PLC stop (downtime)

+ - **Block malware related alerts**: Blocking of the industrial malware attempts, such as TRITON or NotPetya

+ - **Block unauthorized scanning**: Unauthorized scanning (potential reconnaissance)

+For more information, see [Forward on-premises OT alert information](how-to-forward-alert-information-to-partners.md).

+# Integrate Palo Alto with Microsoft Defender for IoT

+This article describes how to integrate Palo Alto with Microsoft Defender for IoT, in order to view both Palo Alto and Defender for IoT information in a single place, or use Defender for IoT data to configure blocking actions in Palo Alto.

+Viewing both Defender for IoT and Palo Alto information together provides SOC analysts with multidimensional visibility so that they can block critical threats faster.

+## Cloud-based integrations

+> [!TIP]

+> Cloud-based security integrations provide several benefits over on-premises solutions, such as centralized, simpler sensor management and centralized security monitoring.

+>

+> Other benefits include real-time monitoring, efficient resource use, increased scalability and robustness, improved protection against security threats, simplified maintenance and updates, and seamless integration with third-party solutions.

+If you're integrating a cloud-connected OT sensor with Palo Alto we recommend that you connect Defender for IoT to [Microsoft Sentinel](concept-sentinel-integration.md).

+Install one or more of the following solutions to view both Palo Alto and Defender for IoT data in Microsoft Sentinel.

+|Microsoft Sentinel solution |Learn more |

+|||

+|[Palo Alto PAN-OS Solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-paloaltopanos?tab=Overview) | [Palo Alto Networks (Firewall) connector for Microsoft Sentinel](/azure/sentinel/data-connectors/palo-alto-networks-firewall) |

+|[Palo Alto Networks Cortex Data Lake Solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-paloaltocdl?tab=Overview) | [Palo Alto Networks Cortex Data Lake (CDL) connector for Microsoft Sentinel](/azure/sentinel/data-connectors/palo-alto-networks-cortex-data-lake-cdl) |

+|[Palo Alto Prisma Cloud CSPM solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-paloaltoprisma?tab=Overview) | [Palo Alto Prisma Cloud CSPM (using Azure Function) connector for Microsoft Sentinel](/azure/sentinel/data-connectors/palo-alto-prisma-cloud-cspm-using-azure-function) |

+Microsoft Sentinel is a scalable cloud service for security information event management (SIEM) security orchestration automated response (SOAR). SOC teams can use the integration between Microsoft Defender for IoT and Microsoft Sentinel to collect data across networks, detect and investigate threats, and respond to incidents.

+In Microsoft Sentinel, the Defender for IoT data connector and solution brings out-of-the-box security content to SOC teams, helping them to view, analyze and respond to OT security alerts, and understand the generated incidents in the broader organizational threat contents.

+For more information, see:

+- [Tutorial: Connect Microsoft Defender for IoT with Microsoft Sentinel](iot-solution.md)

+- [Tutorial: Investigate and detect threats for IoT devices](iot-advanced-threat-monitoring.md)

+## On-premises integrations

+If you're working with an air-gapped, locally managed OT sensor, you'll need an on-premises solution to view Defender for IoT and Palo Alto information in the same place.

+In such cases, we recommend that you configure your OT sensor to send syslog files directly to Palo Alto, or use Defender for IoT's built-in API.

+For more information, see:

+- [Forward on-premises OT alert information](how-to-forward-alert-information-to-partners.md)

+- [Defender for IoT API reference](references-work-with-defender-for-iot-apis.md)

+## On-premises integration (legacy)

+This section describes how to integrate and use Palo Alto with Microsoft Defender for IoT using the legacy, on-premises integration, which automatically creates new policies in the Palo Alto Network's NMS and Panorama.

+> [!IMPORTANT]

+> The legacy Palo Alto Panorama integration is supported through October 2024 using sensor version 23.1.3, and won't be supported in upcoming major software versions. For customers using the legacy integration, we recommend moving to one of the following methods:

+>

+> - If you're integrating your security solution with cloud-based systems, we recommend that you use data connectors through [Microsoft Sentinel](#cloud-based-integrations).

+> - For on-premises integrations, we recommend that you either configure your OT sensor to [forward syslog events, or use Defender for IoT APIs](#on-premises-integrations).

+>

+The following table shows which incidents this integration is intended for:

+|**Scanning malware** | Reconnaissance tools that collect data about system configuration in a preattack phase. For example, the Havex Trojan scans industrial networks for devices using OPC, which is a standard protocol used by Windows-based SCADA systems to communicate with ICS devices. |

+When Defender for IoT detects a preconfigured use case, the **Block Source** button is added to the alert. Then, when the Defender for IoT user selects the **Block Source** button, Defender for IoT creates policies on Panorama by sending the predefined forwarding rule.

+In IT networks, there might be dynamic IP addresses. Therefore, for those subnets, the policy must be based on FQDN (DNS name) and not the IP address. Defender for IoT performs reverse lookup and matches devices with dynamic IP address to their FQDN (DNS name) every configured number of hours.

+In addition, Defender for IoT sends an email to the relevant Panorama user to notify that a new policy created by Defender for IoT is waiting for the approval. The figure below presents the Defender for IoT and Panorama integration architecture:

+### Prerequisites

+Before you begin, make sure that you have the following prerequisites:

+- Confirmation by the Panorama Administrator to allow automatic blocking.

+- Access to a Defender for IoT OT sensor as an [Admin user](roles-on-premises.md).

+### Configure DNS lookup

+When you're done, continue by creating forwarding rules as needed:

+- [Configure immediate blocking by a specified Palo Alto firewall](#configure-immediate-blocking-by-a-specified-palo-alto-firewall)

+- [Block suspicious traffic with the Palo Alto firewall](#block-suspicious-traffic-with-the-palo-alto-firewall)

+### Configure immediate blocking by a specified Palo Alto firewall

+Configure automatic blocking in cases such as malware-related alerts, by configuring a Defender for IoT forwarding rule to send a blocking command directly to a specific Palo Alto firewall.

+When Defender for IoT identifies a critical threat, it sends an alert that includes an option of blocking the infected source. Selecting **Block Source** in the alertΓÇÖs details activates the forwarding rule, which sends the blocking command to the specified Palo Alto firewall.

+When creating your forwarding rule:

+1. In the **Actions** area, define the server, host, port, and credentials for the Palo Alto NGFW.

+1. Configure the following options to allow blocking of the suspicious sources by the Palo Alto firewall:

+ | **Block illegal function codes** | Protocol violations - Illegal field value violating ICS protocol specification (potential exploit). |

+ | **Block unauthorized PLC programming / firmware updates** | Unauthorized PLC changes. |

+ | **Block unauthorized PLC stop** | PLC stop (downtime). |

+ | **Block malware related alerts** | Blocking of industrial malware attempts (TRITON, NotPetya, etc.). <br><br> You can select the option of **Automatic blocking**. <br> In that case, the blocking is executed automatically and immediately. |

+ | **Block unauthorized scanning** | Unauthorized scanning (potential reconnaissance). |

+For more information, see [Forward on-premises OT alert information](how-to-forward-alert-information-to-partners.md).

+### Block suspicious traffic with the Palo Alto firewall

+Configure a Defender for IoT forwarding rule to block suspicious traffic with the Palo Alto firewall.

+When creating your forwarding rule:

+1. In the **Actions** area, define the server, host, port, and credentials for the Palo Alto NGFW.

+1. Define how the blocking is executed, as follows:

+ - **By IP Address**: Always creates blocking policies on Panorama based on the IP address.

+ - **By FQDN or IP Address**: Creates blocking policies on Panorama based on FQDN if it exists, otherwise by the IP Address.

+1. In the **Email** field, enter the email address for the policy notification email.

+For more information, see [Forward on-premises OT alert information](how-to-forward-alert-information-to-partners.md).

+### Block specific suspicious sources

+After you've created your forwarding rule, use the following steps to block specific, suspicious sources:

+1. In the OT sensor's **Alerts** page, locate and select the alert related to the Palo Alto integration.

+1. In the **Please Confirm** dialog box, select **OK**.

+The suspicious source is now blocked by the Palo Alto firewall.

+Forwarding alert rules run only on alerts triggered after the forwarding rule is created. The rule doesn't affect any alerts already in the system from before the forwarding rule was created.

+The following code is an example of a payload sent to QRadar:

+```sample payload

+<9>May 5 12:29:23 sensor_Agent LEEF:1.0|CyberX|CyberX platform|2.5.0|CyberX platform Alert|devTime=May 05 2019 15:28:54 devTimeFormat=MMM dd yyyy HH:mm:ss sev=2 cat=XSense Alerts title=Device is Suspected to be Disconnected (Unresponsive) score=81 reporter=192.168.219.50 rta=0 alertId=6 engine=Operational senderName=sensor Agent UUID=5-1557059334000 site=Site zone=Zone actions=handle dst=192.168.2.2 dstName=192.168.2.2 msg=Device 192.168.2.2 is suspected to be disconnected (unresponsive).

+```

+When configuring the forwarding rule:

+1. In the **Actions** area, select **Qradar**.

+1. Enter details for the QRadar host, port, and timezone.

+1. Optionally, select to enable encryption, and then configure encryption, and/or select to manage alerts externally.

+For more information, see [Forward on-premises OT alert information](how-to-forward-alert-information-to-partners.md).

+ | **New Property** | One of the following: <br><br> - Sensor Alert Description <br> - Sensor Alert ID <br> - Sensor Alert Score <br> - Sensor Alert Title <br> - Sensor Destination Name <br> - Sensor Direct Redirect <br> - Sensor Sender IP <br> - Sensor Sender Name <br> - Sensor Alert Engine <br> - Sensor Source Device Name |

+description: This article describes how to integrate Splunk with Microsoft Defender for IoT for multidimensional visibility across OT protocols and IIoT devices.

+This article describes how to integrate Splunk with Microsoft Defender for IoT, in order to view both Splunk and Defender for IoT information in a single place.

+Viewing both Defender for IoT and Splunk information together provides SOC analysts with multidimensional visibility into the specialized OT protocols and IIoT devices deployed in industrial environments, along with ICS-aware behavioral analytics to rapidly detect suspicious or anomalous behavior.

+## Cloud-based integrations

+> [!TIP]

+> Cloud-based security integrations provide several benefits over on-premises solutions, such as centralized, simpler sensor management and centralized security monitoring.

+>

+> Other benefits include real-time monitoring, efficient resource use, increased scalability and robustness, improved protection against security threats, simplified maintenance and updates, and seamless integration with third-party solutions.

+>

+If you're integrating a cloud-connected OT sensor with Splunk, we recommend that you use Splunk's own [OT Security Add-on for Splunk](https://apps.splunk.com/app/5151). For more information, see:

+- [The Splunk documentation on installing add-ins](https://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall)

+- [The Splunk documentation on the OT Security Add-on for Splunk](https://splunk.github.io/ot-security-solution/integrationguide/)

+## On-premises integrations

+If you're working with an air-gapped, locally managed OT sensor, you need an on-premises solution to view Defender for IoT and Splunk information in the same place.

+In such cases, we recommend that you configure your OT sensor to send syslog files directly to Splunk, or use Defender for IoT's built-in API.

+For more information, see:

+- [Forward on-premises OT alert information](how-to-forward-alert-information-to-partners.md)

+- [Defender for IoT API reference](references-work-with-defender-for-iot-apis.md)

+## On-premises integration (legacy)

+This section describes how to integrate Defender for IoT and Splunk using the legacy, on-premises integration.

+> [!IMPORTANT]

+> The legacy Splunk integration is supported through October 2024 using sensor version 23.1.3, and won't be supported in upcoming major software versions. For customers using the legacy integration, we recommend moving to one of the following methods:

+>

+> - If you're integrating your security solution with cloud-based systems, we recommend that you use the [OT Security Add-on for Splunk](#cloud-based-integrations).

+> - For on-premises integrations, we recommend that you either configure your OT sensor to [forward syslog events, or use Defender for IoT APIs](#on-premises-integrations).

+Microsoft Defender for IoT was formally known as [CyberX](https://blogs.microsoft.com/blog/2020/06/22/microsoft-acquires-cyberx-to-accelerate-and-secure-customers-iot-deployments/). References to CyberX refer to Defender for IoT.

+### Prerequisites

+Before you begin, make sure that you have the following prerequisites:

+|Prerequisites |Description |

+|||

+|**Version requirements** | The following versions are required for the application to run: <br>- Defender for IoT version 2.4 and above. <br>- Splunkbase version 11 and above. <br>- Splunk Enterprise version 7.2 and above. |

+|**Permission requirements** | Make sure you have: <br>- Access to a Defender for IoT OT sensor as an [Admin user](roles-on-premises.md). <br>- Splunk user with an *Admin* level user role. |

+> [!NOTE]

+> The Splunk application can be installed locally ('Splunk Enterprise') or run on a cloud ('Splunk Cloud'). The Splunk integration along with Defender for IoT supports 'Splunk Enterprise' only.

+>

+### Download the Defender for IoT application in Splunk

+To access the Defender for IoT application within Splunk, you need to download the application from the Splunkbase application store.

+description: This article describes new features available in Microsoft Defender for IoT, including both OT and Enterprise IoT networks, and both on-premises and in the Azure portal.

+## November 2023

+|Service area |Updates |

+|||

+| **OT networks** | [Updated security stack integration guidance](#updated-security-stack-integration-guidance)|

+### Updated security stack integration guidance

+Defender for IoT is refreshing its security stack integrations to improve the overall robustness, scalability, and ease of maintenance of various security solutions.

+If you're integrating your security solution with cloud-based systems, we recommend that you use data connectors through [Microsoft Sentinel](concept-sentinel-integration.md). For on-premises integrations, we recommend that you either configure your OT sensor to [forward syslog events](how-to-forward-alert-information-to-partners.md)), or use [Defender for IoT APIs](references-work-with-defender-for-iot-apis.md).

+The legacy Aruba ClearPass, Palo Alto Panorama, and Splunk integrations are supported through October 2024 using sensor version 23.1.3, and won't be supported in upcoming major software versions.

+For customers using legacy integration methods, we recommend moving your integrations to newly recommended methods. For more information, see:

+- [Integrate ClearPass with Microsoft Defender for IoT](tutorial-clearpass.md)

+- [Integrate Palo Alto with Microsoft Defender for IoT](tutorial-palo-alto.md)

+- [Integrate Splunk with Microsoft Defender for IoT](tutorial-splunk.md)

+- [Integrations with Microsoft and partner services](integrate-overview.md)

+After you've updated your OT sensor to version 22.3.8, no new device notifications for **Operating system changes** are generated. Existing **Operating system changes** notifications are automatically resolved if they aren't dismissed or otherwise handled within 14 days.

+After you've updated your sensor version, the **Inactive devices** and **New OT devices** notifications no longer appear. While any **Inactive devices** notifications that are left over from before the update are automatically dismissed, you might still have legacy **New OT devices** notifications to handle. Handle these notifications as needed to remove them from your sensor.

+Microsoft Sentinel's new [incident experience](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/the-new-incident-experience-is-here/ba-p/3717042) includes specific features for Defender for IoT customers. SOC analysts who are investigating OT/IoT-related can now use the following enhancements on incident details pages:

+When defining outbound *allow* rules to connect to Azure, you need to enable HTTPS traffic to each of the required endpoints on port 443. Outbound *allow* rules are defined once for all OT sensors onboarded to the same subscription.

+- **A successful sensor registration page**: After onboarding a new OT sensor with version 22.x, the successful registration page now provides instructions for next steps, including a link to the endpoints you'll need to add as secure outbound allow rules on your network. Select the **Download endpoint details** link to download the JSON file.

+During OT monitoring software installations and updates, the **cyberx** user is assigned a random password. When you update from version 10.x.x to version 22.1.7, the **cyberx_host** password is assigned with an identical password to the **cyberx** user.

+- **Merge duplicate devices**. You might need to merge devices if the sensor has discovered separate network entities that are associated with a single, unique device. Examples of this scenario might include a PLC with four network cards, a laptop with both WiFi and a physical network card, or a single workstation with multiple network cards.

+- [Tutorial: Integrate Defender for IoT and Sentinel](../../sentinel/iot-solution.md?tabs=use-out-of-the-box-analytics-rules-recommended)

+The Defender for IoT sensor software installation is now containerized. With the now-containerized sensor, you can use the *cyberx_host* user to investigate issues with other containers or the operating system, or to send files via FTP.

+If you're on a legacy version, you might need to run a series of updates in order to get to the latest version. You'll also need to update your firewall rules and reactivate your sensor with a new activation file.

+ Title: Add and configure a catalog hosted in a GitHub or Azure DevOps repository

+Deployment Environments supports catalogs hosted in Azure Repos (the repository service in Azure, commonly referred to as Azure DevOps) and catalogs hosted in GitHub. Azure DevOps supports authentication by assigning permissions to a managed identity. Azure DevOps and GitHub both support the use of PATs for authentication. To further secure your templates, the catalog is encrypted; Azure Deployment Environments supports encryption at rest with platform-managed encryption keys, which Microsoft for Azure Services manages.

+Microsoft offers a [sample catalog](https://aka.ms/deployment-environments/SampleCatalog) that you can use as your repository. You also can use your own private repository, or you can fork and customize the environment definitions in the sample catalog.

+> - Configure a managed identity for the dev center.

+## Configure a managed identity for the dev center

+After you create a dev center, before you can attach a catalog, you must configure a [managed identity](concept-environments-key-concepts.md#identities) to the dev center. You can attach either a system-assigned managed identity (system-assigned MSI) or a user-assigned managed identity (user-assigned MSI). You then assign roles to the managed identity to allow the dev center to create environment types in your subscription and read the Azure DevOps project that contains the catalog repo.

+If your dev center doesn't have an MSI attached, follow the steps in this article to create and attach one: [Configure a managed identity](how-to-configure-managed-identity.md).

+To learn more about managed identities, see: [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)

+You can add a catalog from an Azure DevOps repository or a GitHub repository. You can choose to authenticate by assigning permissions to an MSI, also called a managed identity, or by using a PAT, which you store in a key vault.

+Select the tab for the type of repository and authentication you want to use.

+## [Azure DevOps repo with MSI](#tab/DevOpsRepoMSI/)

+To add a catalog, you complete these tasks:

+- Configure a managed identity for the dev center.

+- Assign roles for the dev center managed identity.

+- Assign permissions in Azure DevOps for the dev center managed identity.

+- Add your repository as a catalog.

+### Assign permissions in Azure DevOps for the dev center managed identity

+You must give the dev center managed identity permissions to the repository in Azure DevOps.

+1. Sign in to your [Azure DevOps organization](https://dev.azure.com).

+1. Select **Organization settings**.

+

+ :::image type="content" source="media/how-to-configure-catalog/devops-organization-settings.png" alt-text="Screenshot showing the Azure DevOps organization page, with Organization Settings highlighted.":::

+

+1. On the **Overview** page, select **Users**.

+ :::image type="content" source="media/how-to-configure-catalog/devops-organization-overview.png" alt-text="Screenshot showing the Organization overview page, with Users highlighted.":::

+1. On the **Users** page, select **Add users**.

+ :::image type="content" source="media/how-to-configure-catalog/devops-add-user.png" alt-text="Screenshot showing the Users page, with Add user highlighted.":::

+1. Complete **Add new users** by entering or selecting the following information, and then select **Add**:

+ |Name |Value |

+ ||-|

+ |**Users or Service Principals**|Enter the name of your dev center. </br> When you use a system-assigned managed account, specify the name of the dev center, not the object ID of the managed account. When you use a user-assigned managed account, use the name of the managed account. |

+ |**Access level**|Select **Basic**.|

+ |**Add to projects**|Select the project that contains your repository.|

+ |**Azure DevOps Groups**|Select **Project Readers**.|

+ |**Send email invites (to Users only)**|Clear the checkbox.|

+ :::image type="content" source="media/how-to-configure-catalog/devops-add-user-blade.png" alt-text="Screenshot showing Add users, with example entries and Add highlighted.":::

+## Add a catalog to the dev center

+Azure Deployment Environments supports attaching Azure DevOps repositories and GitHub repositories. You can store a set of curated IaC templates in a repository. Attaching the repository to a dev center as a catalog gives your development teams access to the templates and enables them to quickly create consistent environments.

+In this article, you attach an Azure DevOps repository.

+### Add a catalog to your dev center

+1. Navigate to your dev center.

+1. In the left menu under **Environment configuration**, select **Catalogs**, and then select **Add**.

+ :::image type="content" source="media/how-to-configure-catalog/catalogs-page.png" alt-text="Screenshot that shows the Catalogs pane.":::

+1. In **Add catalog**, enter the following information, and then select **Add**:

+ | Field | Value |

+ | -- | -- |

+ | **Name** | Enter a name for the catalog. |

+ | **Catalog location** | Select **Azure DevOps**. |

+ | **Authentication type** | Select **Managed Identity**.|

+ | **Organization** | Select your Azure DevOps organization. |

+ | **Project** | From the list of projects, select the project that stores the repo. |

+ | **Repo** | From the list of repos, select the repo you want to add. |

+ | **Branch** | Select the branch. |

+ | **Folder path** | Dev Box retrieves a list of folders in your branch. Select the folder that stores your IaC templates. |

+ :::image type="content" source="media/how-to-configure-catalog/add-catalog-to-dev-center.png" alt-text="Screenshot showing the add catalog pane with examples entries and Add highlighted.":::

+1. In **Catalogs** for the dev center, verify that your catalog appears. If the connection is successful, **Status** is **Connected**. Connecting to a catalog can take a few minutes the first time.

+## [Azure DevOps repo with PAT](#tab/DevOpsRepoPAT/)

+### Get the clone URL for your Azure DevOps repository

+1. Go to the home page of your team collection (for example, `https://contoso-web-team.visualstudio.com`), and then select your project.

+1. [Get the Azure Repos Git repo clone URL](/azure/devops/repos/git/clone#get-the-clone-url-of-an-azure-repos-git-repo).

+1. Copy and save the URL. You use it later.

+

+### Create a personal access token in Azure DevOps

+1. Go to the home page of your team collection (for example, `https://contoso-web-team.visualstudio.com`) and select your project.

+1. Create a [personal access token](/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate#create-a-pat).

+1. Save the generated token. You use the token later.

+### Create a Key Vault

+You need an Azure Key Vault to store the personal access token (PAT) that is used to grant Azure access to your repository. Key vaults can control access with either access policies or role-based access control (RBAC). If you have an existing key vault, you can use it, but you should check whether it uses access policies or RBAC assignments to control access. For help with configuring an access policy for a key vault, see [Assign a Key Vault access policy](/azure/key-vault/general/assign-access-policy?branch=main&tabs=azure-portal).

+Use the following steps to create an RBAC key vault:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the Search box, enter *Key Vault*.

+1. From the results list, select **Key Vault**.

+1. On the Key Vault page, select **Create**.

+1. On the Create key vault tab, provide the following information:

+ |Name |Value |

+ |-|--|

+ |**Name**|Enter a name for the key vault.|

+ |**Subscription**|Select the subscription in which you want to create the key vault.|

+ |**Resource group**|Either use an existing resource group or select **Create new** and enter a name for the resource group.|

+ |**Location**|Select the location or region where you want to create the key vault.|

+

+ Leave the other options at their defaults.

+1. On the Access policy tab, select **Azure role-based access control**, and then select **Review + create**.

+1. On the Review + create tab, select **Create**.

+### Store the personal access token in the key vault

+1. In the Key Vault, on the left menu, select **Secrets**.

+1. On the Secrets page, select **Generate/Import**.

+1. On the Create a secret page:

+ - In the **Name** box, enter a descriptive name for your secret.

+ - In the **Secret value** box, paste the GitHub secret.

+ - Select **Create**.

+### Get the secret identifier

+Get the path to the secret you created in the key vault.

+1. In the Azure portal, navigate to your key vault.

+1. On the key vault page, from the left menu, select **Secrets**.

+1. On the Secrets page, select the secret you created earlier.

+1. On the versions page, select the **CURRENT VERSION**.

+1. On the current version page, for the **Secret identifier**, select copy.

+### Add your repository as a catalog

+1. In the [Azure portal](https://portal.azure.com/), go to your dev center.

+1. Ensure that the [identity](./how-to-configure-managed-identity.md) that's attached to the dev center has [access to the key vault secret](./how-to-configure-managed-identity.md#grant-the-managed-identity-access-to-the-key-vault-secret) where your personal access token is stored.

+1. In the left menu under **Environment configuration**, select **Catalogs**, and then select **Add**.

+1. In **Add catalog**, enter the following information, and then select **Add**:

+ | Field | Value |

+ | -- | -- |

+ | **Name** | Enter a name for the catalog. |

+ | **Catalog location** | Select **Azure DevOps**. |

+ | **Authentication type** | Select **Personal Access Token**.|

+ | **Organization** | Select the organization that hosts the catalog repo. |

+ | **Project** | Select the project that stores the catalog repo.|

+ | **Rep** | Select the repo that stores the catalog.|

+ | **Folder path** | Select the folder that holds your IaC templates.|

+ | **Secret identifier**| Enter the secret identifier that contains your personal access token for the repository.<br /> When you copy a secret identifier, the connection string includes a version identifier at the end, like in this example: `https://contoso-kv.vault.azure.net/secrets/GitHub-repo-pat/9376b432b72441a1b9e795695708ea5a`.<br />Removing the version identifier ensures that Deployment Environments fetch the latest version of the secret from the key vault. If your personal access token expires, only the key vault needs to be updated. <br />*Example secret identifier:* `https://contoso-kv.vault.azure.net/secrets/GitHub-repo-pat`|

+ :::image type="content" source="media/how-to-configure-catalog/add-devops-catalog-pane.png" alt-text="Screenshot that shows how to add a catalog to a dev center.":::

+1. In **Catalogs** for the dev center, verify that your catalog appears. If the connection is successful, the **Status** is **Connected**.

+## [GitHub repo with PAT](#tab/GitHubRepoPAT/)

+To add a catalog, you complete these tasks:

+- Get the clone URL for your repository.

+- Create a personal access token.

+- Store the personal access token as a key vault secret in Azure Key Vault.

+- Add your repository as a catalog.

+### Get the clone URL of a GitHub repository

+1. Go to the home page of the GitHub repository that contains the template definitions.

+1. [Get the GitHub repo clone URL](/azure/devops/repos/git/clone#get-the-clone-url-of-a-github-repo).

+1. Copy and save the URL. You use it later.

+### Create a personal access token in GitHub

+### Create a Key Vault

+You need an Azure Key Vault to store the personal access token (PAT) that is used to grant Azure access to your repository. Key vaults can control access with either access policies or role-based access control (RBAC). If you have an existing key vault, you can use it, but you should check whether it uses access policies or RBAC assignments to control access. For help with configuring an access policy for a key vault, see [Assign a Key Vault access policy](/azure/key-vault/general/assign-access-policy?branch=main&tabs=azure-portal).

+### Store the personal access token in the key vault

+### Get the secret identifier

+ | **Catalog location** | Select **GitHub**. |

+ | **Repo** | Enter or paste the clone URL for either your GitHub repository or your Azure DevOps repository.<br />*Sample catalog example:* `https://github.com/Azure/deployment-environments.git` |

+ | **Secret identifier**| Enter the secret identifier that contains your personal access token for the repository.<br /> When you copy a secret identifier, the connection string includes a version identifier at the end, like in this example: `https://contoso-kv.vault.azure.net/secrets/GitHub-repo-pat/9376b432b72441a1b9e795695708ea5a`.<br />Removing the version identifier ensures that Deployment Environments fetch the latest version of the secret from the key vault. If your personal access token expires, only the key vault needs to be updated. <br />*Example secret identifier:* `https://contoso-kv.vault.azure.net/secrets/GitHub-repo-pat`|

+ :::image type="content" source="media/how-to-configure-catalog/add-github-catalog-pane.png" alt-text="Screenshot that shows how to add a catalog to a dev center." lightbox="media/how-to-configure-catalog/add-github-catalog-pane.png":::

+- **Manifest schema errors**. Ensure that your environment definition manifest matches the [required schema](configure-environment-definition.md#add-an-environment-definition).

+## Related content

+- [Configure environment types for a dev center](how-to-configure-devcenter-environment-types.md)

+- [Create and configure a project by using the Azure CLI](how-to-create-configure-projects.md)

+- [Configure project environment types](how-to-configure-project-environment-types.md)

+The identity that's attached to the dev center should be assigned the Contributor and User Access Administrator roles for all the deployment subscriptions and the Reader role for all subscriptions that contain the relevant project. When a user creates or deploys an environment, the service grants appropriate access to the deployment identity that's attached to the project environment type. The deployment identity uses the access to perform deployments on behalf of the user. You can use the managed identity to empower developers to create environments without granting them access to the subscription.

+1. In the Azure portal, navigate to your dev center.

+1. To give Contributor access to the subscription, select **Add role assignment (Preview)**, enter or select the following information, and then select **Save**:

+

+ |Name |Value |

+ ||-|

+ |**Scope**|Subscription|

+ |**Subscription**|Select the subscription in which to use the managed identity.|

+ |**Role**|Contributor|

+1. To give User Access Administrator access to the subscription, select **Add role assignment (Preview)**, enter or select the following information, and then select **Save**:

+ |Name |Value |

+ ||-|

+ |**Scope**|Subscription|

+ |**Subscription**|Select the subscription in which to use the managed identity.|

+ |**Role**|User Access Administrator|

+1. To give Contributor access to the subscription, select **Add role assignment (Preview)**, enter or select the following information, and then select **Save**:

+

+ |Name |Value |

+ ||-|

+ |**Scope**|Subscription|

+ |**Subscription**|Select the subscription in which to use the managed identity.|

+ |**Role**|Contributor|

+1. To give User Access Administrator access to the subscription, select **Add role assignment (Preview)**, enter or select the following information, and then select **Save**:

+ |Name |Value |

+ ||-|

+ |**Scope**|Subscription|

+ |**Subscription**|Select the subscription in which to use the managed identity.|

+ |**Role**|User Access Administrator|

+> If you are attaching an Azure DevOps repository, use these steps: [Get the clone URL of an Azure DevOps repository](how-to-configure-catalog.md#get-the-clone-url-for-your-azure-devops-repository).

+- Azure role-based access control role with permissions to create and manage resources in the subscription, such as [Contributor](../role-based-access-control/built-in-roles.md#contributor) or [Owner](../role-based-access-control/built-in-roles.md#owner).

+- An [Azure DevOps repository](https://azure.microsoft.com/products/devops/repos/) repository that contains IaC templates. You can use the [Deployment Environments sample catalog](https://github.com/azure/deployment-environments) that contains samples created and maintained by the Azure Deployment Environments team.

+ - In your Azure DevOps organization, [create a project](/azure/devops/repos/get-started/sign-up-invite-teammates?view=azure-devops&branch=main&preserve-view=true) to store your repository.

+ - Import the [Deployment Environments sample catalog](https://github.com/azure/deployment-environments)

+To create and configure a dev center in Azure Deployment Environments by using the Azure portal:

+In this quickstart, you configure a system-assigned managed identity for your dev center. You then assign roles to the managed identity to allow the dev center to create environment types in your subscription and read the Azure DevOps repository project that contains the catalog.

+The managed identity that represents your dev center requires access to the subscriptions where you configure the [project environment types](concept-environments-key-concepts.md#project-environment-types), and to the Azure DevOps repo that stores your catalog.

+1. To give Contributor access to the subscription, select **Add role assignment (Preview)**, enter or select the following information, and then select **Save**:

+1. To give User Access Administrator access to the subscription, select **Add role assignment (Preview)**, enter or select the following information, and then select **Save**:

+### Assign permissions in Azure DevOps for the dev center managed identity

+You must give the dev center managed identity permissions to the repository in Azure DevOps.

+1. Sign in to your [Azure DevOps organization](https://dev.azure.com).

+1. Select **Organization settings**.

+

+ :::image type="content" source="media/quickstart-create-and-configure-devcenter/devops-organization-settings.png" alt-text="Screenshot showing the Azure DevOps organization page, with Organization Settings highlighted.":::

+

+1. On the **Overview** page, select **Users**.

+ :::image type="content" source="media/quickstart-create-and-configure-devcenter/devops-organization-overview.png" alt-text="Screenshot showing the Organization overview page, with Users highlighted.":::

+1. On the **Users** page, select **Add users**.

+ :::image type="content" source="media/quickstart-create-and-configure-devcenter/devops-add-user.png" alt-text="Screenshot showing the Users page, with Add user highlighted.":::

+1. Complete **Add new users** by entering or selecting the following information, and then select **Add**:

+ |Name |Value |

+ ||-|

+ |**Users or Service Principals**|Enter the name of your dev center. </br> When you use a system assigned managed account, specify the name of the dev center, not the Object ID of the Managed Account. When you use a user assigned managed account, use the name of the managed account. |

+ |**Access level**|Select **Basic**.|

+ |**Add to projects**|Select the project that contains your repository.|

+ |**Azure DevOps Groups**|Select **Project Readers**.|

+ |**Send email invites (to Users only)**|Clear the checkbox.|

+ :::image type="content" source="media/quickstart-create-and-configure-devcenter/devops-add-user-blade.png" alt-text="Screenshot showing Add users, with example entries and Add highlighted.":::

+## Add a catalog to the dev center

+Azure Deployment Environments supports attaching Azure DevOps repositories and GitHub repositories. You can store a set of curated IaC templates in a repository. Attaching the repository to a dev center as a catalog gives your development teams access to the templates and enables them to quickly create consistent environments.

+In this quickstart, you attach an Azure DevOps repository.

+ | **Catalog location** | Select **Azure DevOps**. |

+ | **Authentication type** | Select **Managed Identity**.|

+ | **Organization** | Select your Azure DevOps organization. |

+ | **Project** | From the list of projects, select the project that stores the repo. |

+ | **Repo** | From the list of repos, select the repo you want to add. |

+ | **Branch** | Select the branch. |

+ | **Folder path** | Dev Box retrieves a list of folders in your branch. Select the folder that stores your IaC templates. |

+ :::image type="content" source="media/quickstart-create-and-configure-devcenter/add-catalog-to-devcenter.png" alt-text="Screenshot showing the add catalog pane with examples entries and Add highlighted.":::

+1. In **Catalogs** for the dev center, verify that your catalog appears. If the connection is successful, **Status** is **Connected**. Connecting to a catalog can take a few minutes the first time.

+

+## Next step

+# Get Azure recommendations to migrate your SQL Server database

+Before migrating to Azure SQL, you can use the SQL Migration extension in Azure Data Studio to help you generate right-sized recommendations for Azure SQL Database, Azure SQL Managed Instance, and SQL Server on Azure Virtual Machines targets. The tool helps you collect performance data from your source SQL instance (running on-premises or other cloud), and recommend a compute and storage configuration to meet your workload's needs.

+To get started with Azure recommendations for your SQL Server database migration, you must meet the following prerequisites:

+<!--

+-->

+| Error | Error occurred during the operation.<br> The available values for MQTT: RequestCount, MQTT: Failed Published Messages, MQTT: Failed Subscription Operations metrics include: <br><br>-QuotaExceeded: the client exceeded one or more of the throttling limits that resulted in a failure <br>- AuthenticationError: a failure because of any authentication reasons. <br>- AuthorizationError: a failure because of any authorization reasons.<br>- ClientError: the client sent a bad request or used one of the unsupported features that resulted in a failure. <br>- ServiceError: a failure because of an unexpected server error or for a server's operational reason. <br><br> [Learn more about how the supported MQTT features.](mqtt-support.md) <br><br>The available values for MQTT: Failed Routed Messages metric include: <br><br>-AuthenticationError: the EventGrid Data Sender role for the custom topic configured as the destination for MQTT routed messages was deleted. <br>-TopicNotFoundError: The custom topic that is configured to receive all the MQTT routed messages was deleted. <br>-TooManyRequests: the number of MQTT routed messages per second exceeds the publish limit of the custom topic. <br>- ServiceError: a failure because of an unexpected server error or for a server's operational reason. <br><br> [Learn more about how the MQTT broker handles each of these routing errors.](mqtt-routing.md#mqtt-message-routing-behavior)|

+1. Add certificate name and browse to find the intermediate certificate (.step/certs/intermediate_ca.crt) and select **Upload**. You can upload a file of .pem, .cer, or .crt type.

+1. On the Upload certificate page, give a Certificate name and browse for the certificate file.

+1. Select **Upload** button to add the parent certificate.

+ :::image type="content" source="./media/mqtt-certificate-chain-client-authentication/event-grid-namespace-parent-certificate-added.png" alt-text="Screenshot showing the added CA certificate listed in the CA certificates page.":::

+ > [!NOTE]

+ > - CA certificate name can be 3-50 characters long.

+ > - CA certificate name can include alphanumeric, hyphen(-) and, no spaces.

+ > - The name needs to be unique per namespace.

+Event Grid has a client registry that stores information about the clients permitted to connect to it. Before a client can connect, there must be an entry for that client in the client registry. As a client connects to MQTT broker, it needs to authenticate with MQTT broker based on credentials stored in the identity registry. MQTT broker supports X.509 certificate authentication that is the industry authentication standard in IoT devices and [Microsoft Entra ID (formerly Azure Active Directory)](mqtt-client-azure-ad-token-and-rbac.md) that is Azure's authentication standard for applications.[Learn more about MQTT client authentication.](mqtt-client-authentication.md)

+While routing MQTT messages to custom topics, Event Grid provides durable delivery as it tries to deliver each message **at least once** immediately. If there's a failure, Event Grid either retries delivery or drops the message that was meant to be routed. Event Grid doesn't guarantee order for event delivery, so subscribers might receive them out of order.

+| TopicNotFoundError | The custom topic that is configured to receive all the MQTT routed messages was deleted. | Event Grid drops the MQTT message that was meant to be routed.|

+| AuthenticationError | The EventGrid Data Sender role for the custom topic configured as the destination for MQTT routed messages was deleted. | Event Grid drops the MQTT message that was meant to be routed.|

+| TooManyRequests | The number of MQTT routed messages per second exceeds the publish limit for the custom topic. | Event Grid retries to route the MQTT message.|

+- User Properties on CONNECT, SUBSCRIBE, DISCONNECT, PUBACK, AUTH packets are not used by the service so they're not supported. If any of these requests include user properties, the request will fail.

+- **[Microsoft Entra ID (formerly Azure Active Directory) authentication](mqtt-client-azure-ad-token-and-rbac.md)** - authenticate your applications using the Azure's standard mechanism for authentication.

+> To understand costs associated with Azure Monitor, see [Azure Monitor cost and usage](../azure-monitor/cost-usage.md). To understand the time it takes for your data to appear in Azure Monitor, see [Log data ingestion time](../azure-monitor/logs/data-ingestion-time.md).

+You can view near to real-time availability of [ARP](./expressroute-troubleshooting-arp-resource-manager.md) (Layer-2 connectivity) across peerings and peers (Primary and Secondary ExpressRoute routers). This dashboard shows the Private Peering ARP session status is up across both peers, but down for Microsoft peering for both peers. The default aggregation (Average) was utilized across both peers.

+For the source pattern in a URL rewrite action, only the path after the *patterns to match* in the route configuration is considered. For example, you have the following incoming URL format `contoso.com/pattern-to-match/source-pattern`, only `/source-pattern` gets considered by the rule set as the source pattern to be rewritten. The format of the out going URL after URL rewrite gets applied is `contoso.com/pattern-to-match/destination`.

+For situation, when you need to remove the `/pattern-to-match` segment of the URL, set the **origin path** for the origin group in route configuration to `/`.

+ Title: How Azure Resource Graph uses alerts to monitor resources

+description: In this quickstart, you learn how to create monitoring alerts for Azure resources using an Azure Resource Graph query and a Log Analytics workspace.

+# Quickstart: Create alerts with Azure Resource Graph and Log Analytics

+In this quickstart, you learn how you can use Azure Log Analytics to create alerts on Azure Resource Graph queries. You can create alerts with Azure Resource Graph query, Log Analytics workspace, and managed identities. The alert's conditions send notifications at a specified interval.

+You can use queries to set up alerts for your deployed Azure resources. You can create queries using Azure Resource Graph tables, or you can combine Azure Resource Graph tables and Log Analytics data from Azure Monitor Logs.

+This article includes two examples of alerts:

+- **Azure Resource Graph**: Uses the Azure Resource Graph `Resources` table to create a query that gets data for your deployed Azure resources and create an alert.

+- **Azure Resource Graph and Log Analytics**: Uses the Azure Resource Graph `Resources` table and Log Analytics data from the from Azure Monitor Logs `Heartbeat` table. This example uses a virtual machine to show how to set up the query and alert.

+> [!NOTE]

+> Azure Resource Graph alerts integration with Log Analytics is in public preview.

+## Prerequisites

+- If you don't have an Azure account, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- Resources deployed in Azure like virtual machines or storage accounts.

+- To use the example for the Azure Resource Graph and Log Analytics query, you need at least one Azure virtual machine with the Azure Monitor Agent.

+## What problem will we solve?

+You want to use an Azure Resource Graph query to get information about your Azure resources. You can use Azure Log Analytics to set up alerts that notify you when certain conditions are met.

+## Create workspace

+Create a Log Analytics Workspace in the subscription that's being monitored.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the search field, type _log analytics workspaces_ and select **Log Analytics workspaces**.

+ If you've used Log Analytics workspaces, you can select it from **Azure services**.

+ :::image type="content" source="./media/alerts-query-quickstart/search-log-analytics.png" alt-text="Screenshot of the Azure home page that highlights search field and Log Analytics workspaces.":::

+1. Select **Create**.

+ - **Subscription**: Select your Azure subscription

+ - **Resource group**: _demo-arg-alert-rg_

+ - **Name**: _demo-arg-alert-workspace_

+ - **Region**: _West US3_

+1. Select **Review + Create** and wait for **Validation passed** to be displayed.

+1. Select **Create** to begin the deployment.

+1. Select **Go to resource** when the deployment is completed.

+## Create virtual machine

+# [Azure Resource Graph](#tab/azure-resource-graph)

+You don't need to create a virtual machine for the example that uses the Azure Resource Graph table.

+# [Azure Resource Graph and Log Analytics](#tab/arg-log-analytics)

+> [!NOTE]

+> This section is optional if you have existing virtual machines or know how to create a virtual machine. This example uses a virtual machine to show how to create a query using an Azure Resource Graph table and Log Analytics data.

+To get log information, when you connect your virtual machine to the Log Analytics workspace, the Azure Monitor Agent is installed on the virtual machine. If you don't have a virtual machine, you can create one for this example. To avoid unnecessary costs, delete the virtual machine when you're finished with the example.

+The following instructions are basic settings for a Linux virtual machine. Detailed steps about how to create a virtual machine are outside the scope of this article.

+1. In Azure, create an [Ubuntu Linux virtual machine](https://portal.azure.com/#create/canonical.0001-com-ubuntu-server-jammy22_04-lts-gen2).

+1. Select **Create**.

+1. Use the **Create a virtual machine**. You can accept most default settings with the following exceptions:

+ **Create a virtual machine**

+ - **Resource group**: _demo-arg-alert-rg_

+ - **virtual machine name**: Type a virtual machine name

+ - **Availability options**: _No infrastructure redundancy required_

+ - **Size**: _B1ms_

+ - **Administrator account**: Create key pair or username and password

+ - **Public inbound ports**: _None_

+ **Disks: accept defaults**

+ - Verify **Delete with VM** is selected.

+ **Networking**

+ - Accept defaults.

+ - Select **Delete public IP and NIC when VM is deleted**.

+ **Management**

+ - Accept defaults

+ - Change the **Auto-shutdown** **Time zone** to your time zone.

+ **Monitoring**, **Advanced**, and **Tags**

+ - No changes needed for this example.

+1. Select **Review and Create** and then **Create**.

+ If you selected SSH for authentication, you're prompted to **Generate new key pair**. Download the private key and create the virtual machine. When you're finished with the VM, delete the key file.

+Select **Go to resource** after the virtual machine is deployed.

+> [!NOTE]

+> This section is optional if you know how to connect a virtual machine to a Log Analytics workspace.

+Set up monitoring for a virtual machine.

+1. Go to your virtual machine.

+1. Select **Monitoring** > **Insights** > **Azure Monitor** > **Overview**.

+1. Select **Not Monitored**.

+1. Select **Enable** for virtual machine's **Monitor Coverage**.

+1. Select **Enable** for the **Azure Monitor Insights Onboarding**.

+1. Set up the **Monitoring Configuration**

+ - **Enable Insights using**: Azure Monitoring Agent

+ - **Subscription**: Select your subscription.

+ - Create a new Data Collection Rule

+ - Create a name.

+ - Select your subscription.

+ - Select your Log Analytics workspace _demo-arg-alert-workspace_.

+ - Select **Create**, verify the settings are correct, and select **Configure** to begin the deployment.

+1. Close **Azure Monitor Insights Onboarding**.

+After a successful deployment, **Insights** > **Overview** > **Monitored** shows the virtual machine's **Monitor Coverage** is enabled and a link to the data collection rule.

+Select the link to the data collection rule and verify the **Configuration** settings:

+- **Resources**: Shows the virtual machine, resource group, and subscription.

+- **Data Sources**:

+ - **Data source**: Performance Counters

+ - **Destination**: Azure Monitor Logs

+You can select the Performance Counters link to verify details.

+Go to your Log Analytics workspace _demo-arg-alert-workspace_. Select **Settings** > **Agents** > **Linux servers** and one Linux computer is connected to the **Azure Monitor Linux agent**.

+Go to your virtual machine and select **Settings** > **Extensions + applications** and verify that the `AzureMonitorLinuxAgent`shows provisioning succeeded.

+## Create query

+# [Azure Resource Graph](#tab/azure-resource-graph)

+From the Log Analytics workspace, create an Azure Resource Graph query to get a count of your Azure resources. This example uses the Azure Resource Graph `Resources` table.

+1. Select **Logs** from the left side of the **Log Analytics workspace** page.

+ Close the **Queries** window if it's displayed.

+1. Use the following code in the **New Query**.

+ ```kusto

+ arg("").Resources

+ | count

+ ```

+ Table names in Log Analytics need to be camel case with the first letter of each word capitalized, like `Resources` or `ResourceContainers`. You can also use lowercase like `resources` or `resourcecontainers`.

+ :::image type="content" source="./media/alerts-query-quickstart/log-analytics-workspace-query.png" alt-text="Screenshot of the Log Analytics workspace with a query of the Resources table that highlights logs and run button.":::

+1. Select **Run**.

+ The **Results** displays the **Count** of resources in your Azure subscription. Make a note of that number because you need it for the alert rule's condition. When you manually run the query the count is based on user identity, and a fired alert uses a managed identity. It's possible that the count might vary between a manual run or fired alert.

+1. Remove the count from your query.

+ ```kusto

+ arg("").Resources

+ ```

+# [Azure Resource Graph and Log Analytics](#tab/arg-log-analytics)

+From the Log Analytics workspace, create an Azure Resource Graph query to get the last heartbeat information from your virtual machine. This example uses the Azure Resource Graph `Resources` table and Log Analytics data from the from Azure Monitor Logs `Heartbeat` table.

+1. Go to your _demo-arg-alert-workspace_ Log Analytics workspace.

+1. Select **Logs** from the left side of the **Log Analytics workspace** page.

+ Close the **Queries** window if it's displayed.

+1. Use the following code in the **New Query**.

+ ```kusto

+ arg("").Resources

+ | where type == 'microsoft.compute/virtualmachines'

+ | project ResourceId = id, name, PowerState = tostring(properties.extended.instanceView.powerState.code)

+ | join (Heartbeat

+ | where TimeGenerated > ago(15m)

+ | summarize lastHeartBeat = max(TimeGenerated) by ResourceId)

+ on ResourceId

+ | project lastHeartBeat, PowerState, name, ResourceId

+ ```

+ Table names in Log Analytics need to be camel case with the first letter of each word capitalized, like `Resources` or `ResourceContainers`. You can also use lowercase like `resources` or `resourcecontainers`.

+ You can use other timeframes for the `TimeGenerated`. For example, rather than minutes like `15m` use hours like `12h`, `24h`, `48h`.

+ :::image type="content" source="./media/alerts-query-quickstart/log-analytics-cross-query.png" alt-text="Screenshot of the Log Analytics workspace with a cross query of the Resources and Heartbeat tables that highlights logs and run button.":::

+1. Select **Run**.

+ The query should return the virtual machine's last heartbeat, power state, name, and resource ID. If no **Results** are displayed, continue to the next steps.

+## Create alert rule

+# [Azure Resource Graph](#tab/azure-resource-graph)

+From the Log Analytics workspace, select **New alert rule**. The query from your Log Analytics workspace is copied to the alert rule. **Create an alert rule** has several tabs that need to be updated to create the alert.

+### Scope

+Verify that the scope is set to your Log Analytics workspace named _demo-arg-alert-workspace_.

+If you need to change the scope, do the following steps.

+1. Go to the **Scope** tab and select **Select scope**.

+1. At the bottom of the **Selected resources** screen, delete the current scope.

+1. Expand the **demo-arg-alert-rg** from the list of resources and select **demo-arg-alert-workspace**.

+1. Select **Apply**.

+1. Select **Next: Condition**.

+### Condition

+The form has several fields to complete.

+- **Signal name**: Custom log search

+- **Search query**: Displays the query code.

+**Measurement**

+- **Measure**: Table rows

+- **Aggregation type**: Count

+- **Aggregation granularity**: 5 minutes

+**Alert logic**

+- **Operator**: Greater than

+- **Threshold value**: Use a number that's less that the number returned from the resources count.

+ For example, if your resource count was 50 then use 45. This value triggers the alert to fire when it evaluates your resources because your number of resources is greater than the threshold value.

+- **Frequency of evaluation**: 5 minutes

+Select **Next: Actions**.

+### Actions

+Select **Create action group**.

+- **Subscription**: Select your Azure subscription.

+- **Resource group**: _demo-arg-alert-rg_

+- **Region**: Global

+- **Action group name**: _demo-arg-alert-action-group_

+- **Display name**: _demo-action_ (limit is 12 characters)

+Select **Next: Notifications**.

+- **Notification type**: Select **Email/SMS message/Push/Voice**.

+- **Name**: _email-alert_

+- Select the **Email** checkbox and type your email address.

+- Select **Ok**.

+Select **Review + Create**, verify the summary is correct, and select **Create**. You're returned to the **Actions** tab of the **Create an alert rule** page. The **Action group name** shows the action group you created.

+Select **Next: Details**.

+### Details

+Use the following information on the **Details** tab.

+ - **Subscription**: Select your Azure subscription

+ - **Resource group**: _demo-arg-alert-rg_

+ - **Severity**: Accept the default value **3 - Informational**

+ - **Alert rule name**: _demo-arg-alert-rule_

+ - **Alert rule description**: _Email alert for count of Azure resources_

+ - **Identity**: Select _System assigned managed identity_

+Select **Review + Create**, verify the summary is correct, and select **Create**. You're returned to the **Logs** page of your **Log Analytics workspace**.

+You receive an email notification to confirm you were added to the action group.

+### Assign role

+Assign the _Log Analytics Reader_ to the system-assigned managed identity so that it has permissions fire alerts that send email notifications.

+1. Select **Monitoring** > **Alerts** in the Log Analytics workspace.

+ Select **OK** if you're prompted that **Your unsaved edits will be discarded**.

+1. Select **Alert rules**.

+1. Select _demo-arg-alert-rule_.

+1. Select **Settings** > **Identity** > **System assigned**.

+ - **Status**: On

+ - **Object ID**: Shows the GUID for your Enterprise Application (service principal) in Microsoft Entra ID.

+ - **Permission**: Select **Azure role assignments**

+ - Verify the correct subscription is selected.

+ - Select **Add role assignment**

+ - **Scope**: _Subscription_

+ - **Subscription**: Your Azure subscription name

+ - **Role**: _Log Analytics Reader_

+1. Select **Save**.

+It takes a few minutes for the _Log Analytics Reader_ to display on the **Azure role assignments** page. Select **Refresh** to update the page.

+Use your browser's back button to return to the **Identity** and then select **Overview** to return to the alert rule. Select the link to your resource group named _demo-arg-alert-rg_.

+# [Azure Resource Graph and Log Analytics](#tab/arg-log-analytics)

+From the Log Analytics workspace, select **New alert rule**. The query from your Log Analytics workspace is copied to the alert rule. The **Create an alert rule** has several tabs that need to be updated.

+### Scope

+Verify that the scope is set to your Log Analytics workspace.

+If you need to change the scope, do the following steps.

+1. Go to the **Scope** tab and select **Select scope**.

+1. At the bottom of the **Selected resources** screen, delete the current scope.

+1. Expand the **demo-arg-alert-rg** from the list of resources and select **demo-arg-alert-workspace**.

+1. Select **Apply**.

+1. Select **Next: Condition**.

+### Condition

+The form has several fields to complete.

+- **Signal name**: Custom log search

+- **Search query**: Displays the query code.

+**Measurement**

+- **Measure**: Table rows

+- **Aggregation type**: Count

+- **Aggregation granularity**: 5 minutes

+**Alert logic**

+- **Operator**: Less than

+- **Threshold value**: 2

+- **Frequency of evaluation**: 5 minutes

+Select **Next: Actions**.

+### Actions

+Select **Create action group**.

+- **Subscription**: Select your Azure subscription.

+- **Resource group**: _demo-arg-alert-rg_

+- **Region**: Global

+- **Action group name**: _demo-arg-la-alert-action-group_

+- **Display name**: _demo-argla_ (limit is 12 characters)

+Select **Next: Notifications**.

+- **Notification type**: Select **Email/SMS message/Push/Voice**

+- **Name**: _email-alert-arg-la_

+- Select the **Email** checkbox and type your email address

+- Select **Ok**

+Select **Review + Create**, verify the summary is correct, and select **Create**. You're returned to the **Actions** tab of the **Create an alert rule** page. The **Action group name** shows the action group you created.

+Select **Next: Details**.

+### Details

+Use the following information on the **Details** tab.

+ - **Subscription**: Select your Azure subscription

+ - **Resource group**: _demo-arg-alert-rg_

+ - **Severity**: Accept the default value **2 - Warning**

+ - **Alert rule name**: _demo-arg-la-alert-rule_

+ - **Alert rule description**: _Email alert for ARG-LA query of Azure virtual machine_

+ - **Identity**: Select _System assigned managed identity_

+Select **Review + Create**, verify the summary is correct, and select **Create**. You're returned to the **Logs** page of your **Log Analytics workspace**.

+You receive an email notification to confirm you were added to the action group.

+### Assign role

+Assign the _Log Analytics Reader_ to the system-assigned managed identity so that it has permissions fire alerts that send email notifications.

+1. Select **Monitoring** > **Alerts** in the Log Analytics workspace.

+ Select **OK** if you're prompted that **Your unsaved edits will be discarded**.

+1. Select **Alert rules**

+1. Select _demo-arg-la-alert-rule_

+1. Select **Settings** > **Identity** > **System assigned**

+ - **Status**: On

+ - **Object ID**: Shows the GUID for your Enterprise Application (service principal) in Microsoft Entra ID.

+ - **Permission**: Select **Azure role assignments**

+ - Verify the correct subscription is selected.

+ - Select **Add role assignment**

+ - **Scope**: _Subscription_

+ - **Subscription**: Your Azure subscription name

+ - **Role**: _Log Analytics Reader_

+1. Select **Save**.

+It takes a few minutes for the _Log Analytics Reader_ to display on the **Azure role assignments** page. Select **Refresh** to update the page.

+Use your browser's back button to return to the **Identity** and select **Overview** to return to the alert rule. Select the link to your resource group named _demo-arg-alert-rg_.

+## Verify alerts

+# [Azure Resource Graph](#tab/azure-resource-graph)

+After the role is assigned to your alert rule, you begin to receive email for alert messages. The rule was created to send alerts every five minutes and it takes a few minutes to get the first alert.

+You can also view the alerts in the Azure portal.

+1. Go to the resource group _demo-arg-alert-rg_.

+1. Select _demo-arg-alert-workspace_ in your list of resources.

+1. Select **Monitoring** > **Alerts**.

+1. A list of alerts is displayed.

+ :::image type="content" source="./media/alerts-query-quickstart/alert-fired.png" alt-text="Screenshot of the Log Analytics workspace that shows list of alerts that fired.":::

+# [Azure Resource Graph and Log Analytics](#tab/arg-log-analytics)

+After the role is assigned to your alert rule, you begin to receive email for alert messages. The rule was created to send alerts every five minutes and it takes a few minutes to get the first alert.

+You can also view the alerts in the Azure portal.

+1. Go to the resource group _demo-arg-alert-rg_.

+1. Select your virtual machine.

+1. Select **Monitoring** > **Alerts**.

+1. A list of alerts is displayed.

+ :::image type="content" source="./media/alerts-query-quickstart/vm-alert-fired.png" alt-text="Screenshot of the virtual machine monitoring alerts that shows list of alerts that fired.":::

+> [!NOTE]

+> It might take 30 minutes for log information to become available to create alerts.

+## How did we solve the problem?

+You created an Azure Resource Graph query and a Log Analytics workspace to monitor Azure resources. You also set up alerts to notify you for events and assigned a role to the system-assigned managed identity. After the alert was created, you received email alerts based on conditions in the alert rule.

+## Clean up resources

+If you want to keep the alert configuration but stop the alert from firing and sending email notifications, you can disable it. Go to your alert rule _demo-arg-alert-rule_ or _demo-arg-la-alert-rule_ and select **Disable**.

+If you don't need this alert or the resources you created in this example, delete the resource group with the following steps:

+1. Go to your resource group _demo-arg-alert-rg_.

+1. Select **Delete resource group**.

+1. Type the resource group name to confirm.

+1. Select **Delete**.

+## Related content

+For more information about the query language or how to explore resources, go to the following articles.

+- [Understanding the Azure Resource Graph query language](./concepts/query-language.md)

+- [Explore your Azure resources with Resource Graph](./concepts/explore-resources.md)

+- [Overview of Log Analytics in Azure Monitor](../../azure-monitor/logs/log-analytics-overview.md)

+- [Troubleshoot Azure Resource Graph alerts](./troubleshoot/alerts.md)

+- Assess the effect of applying policies in a vast cloud environment.

+When an Azure resource is updated, Azure Resource Manager notifies Azure Resource Graph about the change. Azure Resource Graph then updates its database. Azure Resource Graph also does a regular _full scan_. This scan ensures that Azure Resource Graph data is current if there are missed notifications or when a resource is updated outside of Azure Resource Manager.

+## Alerts integration with Log Analytics

+> [!NOTE]

+> Azure Resource Graph alerts integration with Log Analytics is in public preview.

+You can create alert rules by using either Azure Resources Graph queries or integrating Log Analytics with Azure Resources Graph queries through Azure Monitor. Both methods can be used to create alerts for Azure resources. For examples, go to [Quickstart: Create alerts with Azure Resource Graph and Log Analytics](./alerts-query-quickstart.md).

+ Title: Troubleshoot Azure Resource Graph alerts

+description: Learn how to troubleshoot issues with Azure Resource Graph alerts integration with Log Analytics.

+# Troubleshoot Azure Resource Graph alerts

+> [!NOTE]

+> Azure Resource Graph alerts integration with Log Analytics is in public preview.

+The following descriptions help you troubleshoot queries for Azure Resource Graph alerts that integrate with Log Analytics.

+## Azure Resource Graph operators

+Only the operators supported in Azure Resource Graph Explorer are supported as part of this integration with Log Analytics for alerts. For more information, go to [supported operators](../concepts/query-language.md#supported-kql-language-elements).

+## Pagination

+Azure Resource Graph has pagination in its dedicated APIs. But with the way Log Analytics interacts with Azure Resource Graph, pagination isn't a supported reason why only 1,000 results are returned.

+- Cross queries between Azure Resource Graph and Log Analytics don't support pagination and only show the first 1,000 results.

+- You must set a limitation of 400 when writing a query with the [mv-expand](../concepts/query-language.md#supported-tabulartop-level-operators) operator.

+## Managed identities

+The managed identity for your alert must have the role [Log Analytics Contributor](../../../role-based-access-control/built-in-roles.md#log-analytics-contributor) or [Log Analytics Reader](../../../role-based-access-control/built-in-roles.md#log-analytics-reader). The role provides the permissions to get monitoring information.

+When you set up an alert, the results can be different than the result after the alert is fired. The reason is that a fired alert is run based on managed identity, but when you manually test an alert it's based on the user's identity.

+## Table names

+Azure Resource Graph table names need to be camel case with the first letter of each word capitalized, like `Resources` or `ResourceContainers`. You can also use lowercase like `resources` or `resourcecontainers`.

+### Prepare table and enable CDC feature on SQL Server SQLDB

+### Download SQLServer CDC connector on SSH

+wget https://repo1.maven.org/maven2/com/ververica/flink-sql-connector-sqlserver-cdc/2.4.1/flink-sql-connector-sqlserver-cdc-2.4.1.jar

+bin/sql-client.sh -j flink-sql-connector-sqlserver-cdc-2.4.1.jar

+### Create SQLServer CDC table

+### Validation

+ Title: 'Azure Machine Learning CLI & SDK v2'

+description: This article explains the difference between the v1 and v2 versions of Azure Machine Learning.

+#Customer intent: As a data scientist, I want to know whether to use v1 or v2 of CLI and SDK.

+# What is Azure Machine Learning CLI and Python SDK v2?

+Azure Machine Learning CLI v2 (CLI v2) and Azure Machine Learning Python SDK v2 (SDK v2) introduce a consistency of features and terminology across the interfaces. To create this consistency, the syntax of commands differs, in some cases significantly, from the first versions (v1).

+There are no differences in functionality between CLI v2 and SDK v2. The command line-based CLI might be more convenient in CI/CD MLOps types of scenarios, while the SDK might be more convenient for development.

+Azure Machine Learning CLI v2 is the latest extension for the [Azure CLI](/cli/azure/what-is-azure-cli). CLI v2 provides commands in the format *az ml __\<noun\> \<verb\> \<options\>__* to create and maintain Machine Learning assets and workflows. The assets or workflows themselves are defined by using a YAML file. The YAML file defines the configuration of the asset or workflow. For example, what is it, and where should it run?

+CLI v2 is useful in the following scenarios:

+* Onboard to Machine Learning without the need to learn a specific programming language.

+ The YAML file defines the configuration of the asset or workflow, such as what is it and where should it run? Any custom logic or IP used, say data preparation, model training, and model scoring, can remain in script files. These files are referred to in the YAML but aren't part of the YAML itself. Machine Learning supports script files in Python, R, Java, Julia, or C#. All you need to learn is YAML format and command lines to use Machine Learning. You can stick with script files of your choice.

+* Take advantage of ease of deployment and automation.

+ The use of command line for execution makes deployment and automation simpler because you can invoke workflows from any offering or platform, which allows users to call the command line.

+* Use managed inference deployments.

+ Machine Learning offers [endpoints](concept-endpoints.md) to streamline model deployments for both real-time and batch inference deployments. This functionality is available only via CLI v2 and SDK v2.

+* Reuse components in pipelines.

+ Machine Learning introduces [components](concept-component.md) for managing and reusing common logic across pipelines. This functionality is available only via CLI v2 and SDK v2.

+* Submit training jobs.

+* Manage data, models, and environments.

+* Perform managed inferencing (real time and batch).

+* Stitch together multiple tasks and production workflows by using Machine Learning pipelines.

+SDK v2 is on par with CLI v2 functionality and is consistent in how assets (nouns) and actions (verbs) are used between SDK and CLI. For example, to list an asset, you can use the `list` action in both SDK and CLI. You can use the same `list` action to list a compute, model, environment, and so on.

+SDK v2 is useful in the following scenarios:

+* Use Python functions to build a single step or a complex workflow.

+ SDK v2 allows you to build a single command or a chain of commands like Python functions. The command has a name and parameters, expects input, and returns output.

+* Move from simple to complex concepts incrementally.

+ SDK v2 allows you to:

+ * Add a hyperparameter sweep on top of that command.

+ * Add the command with various others into a pipeline one after the other.

+ This construction is useful because of the iterative nature of machine learning.

+* Reuse components in pipelines.

+ Machine Learning introduces [components](concept-component.md) for managing and reusing common logic across pipelines. This functionality is available only via CLI v2 and SDK v2.

+* Use managed inferencing.

+ Machine Learning offers [endpoints](concept-endpoints.md) to streamline model deployments for both real-time and batch inference deployments. This functionality is available only via CLI v2 and SDK v2.

+Here are some considerations to help you decide which version to use.

+Azure Machine Learning CLI v1 has been deprecated. We recommend that you use CLI v2 if:

+* You were a CLI v1 user.

+* You want to use new features like reusable components and managed inferencing.

+* You don't want to use a Python SDK. CLI v2 allows you to use YAML with scripts in Python, R, Java, Julia, or C#.

+* You were a user of R SDK previously. Machine Learning won't support an SDK in `R`. However, CLI v2 has support for `R` scripts.

+* You want to use command line-based automation or deployments.

+Azure Machine Learning Python SDK v1 doesn't have a planned deprecation date. If you have significant investments in Python SDK v1 and don't need any new features offered by SDK v2, you can continue to use SDK v1. However, you should consider using SDK v2 if:

+* You want to use new features like reusable components and managed inferencing.

+* You're starting a new workflow or pipeline. All new features and future investments will be introduced in v2.

+* You want to take advantage of the improved usability of the Python SDK v2 ability to compose jobs and pipelines by using Python functions, with easy evolution from simple to complex tasks.

+* [Upgrade from v1 to v2](how-to-migrate-from-v1.md)

+* Get started with CLI v2:

+ * [Train models with CLI (v2)](how-to-train-model.md)

+* Get started with SDK v2:

+ * [Train models with Azure Machine Learning Python SDK v2](how-to-train-model.md)

+ * [Tutorial: Create production Machine Learning pipelines with Python SDK v2 in a Jupyter notebook](tutorial-pipeline-python-sdk.md)

+* [Use managed networks](how-to-managed-network.md)

+> To understand costs associated with Azure Monitor, see [Azure Monitor cost and usage](../azure-monitor/cost-usage.md). To understand the time it takes for your data to appear in Azure Monitor, see [Log data ingestion time](../azure-monitor/logs/data-ingestion-time.md).

+1. Contact the owner of target private link service to approve the connection request.

+NAT gateway provides the following multi-dimensional metrics in Azure Monitor:

+| Dropped Packets | Packets dropped by the NAT gateway | Sum | / |

+| SNAT Connection Count | Number of new SNAT connections over a given interval of time | Sum | Connection State (Attempted, Failed), Protocol (6 TCP; 17 UDP) |

+| Total SNAT Connection Count | Total number of active SNAT connections | Sum | Protocol (6 TCP; 17 UDP) |

+| Datapath Availability | Availability of the data path of the NAT gateway. Used to determine whether the NAT gateway endpoints are available for outbound traffic flow. | Avg | Availability (0, 100) |

+>[!NOTE]

+> Count aggregation is not recommended for any of the NAT gateway metrics. Count aggregation adds up the number of metric values and not the metric values themselves. Use Sum aggregation instead to get the best representation of data values for connection count, bytes, and packets metrics.

+>

+> Use average for best represented health data for the datapath availability metric.

+>

+> See [aggregation types](/azure/azure-monitor/essentials/metrics-aggregation-explained#aggregation-types) for more information.

+ :::image type="content" source="./media/nat-metrics/nat-metrics-1.png" alt-text="Screenshot of the metrics set up in NAT gateway resource.":::

+Use this metric to:

+- View the amount of data being processed through NAT gateway to connect outbound or return inbound.

+To view the amount of data passing through NAT gateway:

+The packets metric shows you the number of data packets passing through NAT gateway.

+- Verify that traffic is passing outbound or returning inbound through NAT gateway.

+- View the amount of traffic going outbound through NAT gateway or returning inbound.

+To view the number of packets sent in one or both directions through NAT gateway, follow the same steps in the [Bytes](#bytes) section.

+The dropped packets metric shows you the number of data packets dropped by NAT gateway when traffic goes outbound or returns inbound in response to an outbound connection.

+- Check if periods of dropped packets coincide with periods of failed SNAT connections with the [SNAT Connection Count](#snat-connection-count) metric.

+- Help determine if you're experiencing a pattern of failed outbound connections or SNAT port exhaustion.

+Possible reasons for dropped packets:

+- Outbound connectivity failure can cause packets to drop. Connectivity failure can happen for various reasons. See the [NAT gateway connectivity troubleshooting guide](/azure/nat-gateway/troubleshoot-nat-connectivity) to help you further diagnose.

+The SNAT connection count metric shows you the number of new SNAT connections within a specified time frame. This metric can be filtered by **Attempted** and **Failed** connection states. A failed connection volume greater than zero can indicate SNAT port exhaustion.

+- Help diagnose if your NAT gateway is experiencing SNAT port exhaustion.

+- Determine if you're experiencing a pattern of failed outbound connections.

+The **Total SNAT connection count** metric shows you the total number of active SNAT connections passing through NAT gateway.

+- Evaluate the volume of connections passing through NAT gateway.

+

+- Determine if you're nearing the connection limit of NAT gateway.

+Possible reasons for failed connections:

+- A pattern of failed connections can happen for various reasons. See the [NAT gateway connectivity troubleshooting guide](/azure/nat-gateway/troubleshoot-nat-connectivity) to help you further diagnose.

+>[!NOTE]

+> When NAT gateway is attached to a subnet and public IP address, the Azure platform verifies NAT gateway is healthy by conducting health checks. These health checks may appear in NAT gatewayΓÇÖs SNAT connection metrics, but are negligible and donΓÇÖt impact NAT gatewayΓÇÖs ability to connect outbound.

+The datapath availability metric measures the health of the NAT gateway resource over time. This metric indicates if NAT gateway is available for directing outbound traffic to the internet. This metric is a reflection of the health of the Azure infrastructure.

+- Monitor the availability of NAT gateway.

+Possible reasons for a drop in data path availability include:

+- There aren't healthy VMs available in your NAT gateway configured subnet. For more information, see the [NAT gateway connectivity troubleshooting guide](/azure/nat-gateway/troubleshoot-nat-connectivity).

+Alerts can be configured in Azure Monitor for all NAT gateway metrics. These alerts proactively notify you when important conditions are found in your monitoring data. They allow you to identify and address potential issues with NAT gateway.

+### Alerts for datapath availability degradation

+Set up an alert on datapath availability to help you detect issues with the health of NAT gateway.

+The recommended guidance is to alert on NAT gatewayΓÇÖs datapath availability when it drops below 90% over a 15-minute period. This configuration is indicative of a NAT gateway resource being in a degraded state.

+6. In the **Threshold value** box, enter **90%**.

+Set up an alert on the **SNAT connection count** metric to notify you of connection failures on your NAT gateway. A failed connection volume greater than zero can indicate that either you have reached the connection limit on your NAT gateway or that you have hit SNAT port exhaustion. Investigate further to determine the root cause of these failures.

+>SNAT port exhaustion on your NAT gateway resource is uncommon. If you see SNAT port exhaustion, check if NAT gateway's idle timeout timer is set higher than the default amount of 4 minutes. A long idle timeout timer seeting can cause SNAT ports too be in hold down for longer, which results in exhausting SNAT port inventory sooner. You can also scale your NAT gateway with additional public IPs to increase NAT gateway's overall SNAT port inventory. To troubleshoot these kinds of issues, refer to the [NAT gateway connectivity troubleshooting guide](/azure/nat-gateway/troubleshoot-nat-connectivity#snat-exhaustion-due-to-nat-gateway-configuration).

+[Azure Monitor Network Insights](../network-watcher/network-insights-overview.md) allows you to visualize your Azure infrastructure setup and to review all metrics for your NAT gateway resource from a preconfigured metrics dashboard. These visual tools help you diagnose and troubleshoot any issues with your NAT gateway resource.

+2. On the landing page for **Insights**, there's a topology map of your NAT gateway setup. This map shows the relationship between the different components of your network (subnets, virtual machines, public IP addresses).

+* Learn about [troubleshooting NAT gateway connectivity](/azure/nat-gateway/troubleshoot-nat-connectivity)

+ Title: Install and upgrade Azure Monitor Agent - Azure Arc-enabled servers

+description: Learn how to install, upgrade, and uninstall Azure Monitor Agent on Azure Arc-enabled servers.

+#Customer intent: As an Azure administrator, I need to install the Azure Monitor Agent on Azure Arc-enabled servers so I can monitor a connection using the Connection Monitor.

+# Install and upgrade Azure Monitor Agent on Azure Arc-enabled servers

+Azure Monitor Agent is implemented as an Azure virtual machine (VM) extension. You can install Azure Monitor Agent using any of the methods described in [Azure Monitor Agent overview](../azure-monitor/agents/agents-overview.md?toc=/azure/network-watcher/toc.json).

+This article covers installing Azure Monitor Agent on Azure Arc-enabled servers using PowerShell or the Azure CLI. For more information, see [Manage Azure Monitor Agent](../azure-monitor/agents/azure-monitor-agent-manage.md?tabs=ARMAgentPowerShell%2CPowerShellWindows%2CPowerShellWindowsArc%2CCLIWindows%2CCLIWindowsArc).

+## Next step

+> [!div class="nextstepaction"]

+> [create a connection monitor](connection-monitor-create-using-portal.md)

+ Title: Connection monitor overview

+description: Learn about Azure Network Watcher connection monitor and how to use it to monitor network communication in a distributed environment.

+#CustomerIntent: As an Azure administrator, I need to monitor communication between one VM and another. If the communication fails, I need to know why so that I can resolve the problem.

+To start using Connection Monitor for monitoring, follow these steps:

+> [!NOTE]

+> If the Automatic Extension Upgrade isn't enabled on the virtual machine scale sets, then you have to manually upgrade the Network Watcher extension whenever a new version is released.

+>

+> As Connection Monitor now supports unified auto enablement of monitoring extensions, user can consent to auto upgrade of the virtual machine scale set with auto enablement of Network Watcher extension during the creation of Connection Monitor for virtual machine scale sets with manual upgrade.

+ resourceId: "/subscriptions/{subscriptionID}/resourceGroups/{resourceGroupName}/providers/Microsoft.RedHatOpenShift/openShiftClusters/{clusterID}"

+ networkWatcherID: "/subscriptions/{subscriptionID}/resourceGroups/{networkWatcherRG}/providers/Microsoft.Network/networkWatchers/{networkWatcherName}"

+ storageAccountResourceId: "/subscriptions/{subscriptionID}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}"

+For more help using Azure Native Dynatrace Service, visit the [Dynatrace](https://dt-url.net/azurenativedynatraceservice) documentation.

+| South India | :heavy_check_mark: | :x: | :heavy_check_mark: | :heavy_check_mark: |

+| UAE North | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: |

+| West US 2 | :heavy_check_mark: (v3/v4 only) | :x: $ | :x: $ | :heavy_check_mark: |

+2. On the Create an Azure Database for PostgreSQL page, select **Single server**.

+| Microsoft Purview (Microsoft.Purview/accounts) | account | privatelink.purview.azure.com | purview.azure.com |

+| Microsoft Purview (Microsoft.Purview/accounts) | portal | privatelink.purviewstudio.azure.com | purview.azure.com </br> purviewstudio.azure.com |

+| Azure Digital Twins (Microsoft.DigitalTwins/digitalTwinsInstances) | digitalTwinsInstances | privatelink.digitaltwins.azure.net | digitaltwins.azure.net |

+| Azure Arc (Microsoft.HybridCompute/privateLinkScopes) | hybridcompute | privatelink.his.arc.azure.com <br/> privatelink.guestconfiguration.azure.com </br> privatelink.dp.kubernetesconfiguration.azure.com | his.arc.azure.com <br/> guestconfiguration.azure.com </br> dp.kubernetesconfiguration.azure.com |

+| Azure Media Services (Microsoft.Media/mediaservices) | keydelivery </br> liveevent </br> streamingendpoint | privatelink.media.azure.net | media.azure.net |

+| Azure Synapse Analytics (Microsoft.Synapse/workspaces) | Sql | privatelink.sql.azuresynapse.usgovcloudapi.net | sql.azuresynapse.usgovcloudapi.net |

+| Azure Synapse Analytics (Microsoft.Synapse/workspaces) | SqlOnDemand | privatelink.sql.azuresynapse.usgovcloudapi.net | {workspaceName}-ondemand.sql.azuresynapse.usgovcloudapi.net |

+| Azure Synapse Analytics (Microsoft.Synapse/workspaces) | Dev | privatelink.dev.azuresynapse.usgovcloudapi.net | dev.azuresynapse.usgovcloudapi.net |

+| Azure Synapse Studio (Microsoft.Synapse/privateLinkHubs) | Web | privatelink.azuresynapse.usgovcloudapi.net | azuresynapse.usgovcloudapi.net |

+| Azure Data Lake File System Gen2 (Microsoft.Storage/storageAccounts) | dfs </br> dfs_secondary | privatelink.dfs.core.usgovcloudapi.net | dfs.core.usgovcloudapi.net |

+| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) | MongoDB | privatelink.mongo.cosmos.azure.us | mongo.cosmos.azure.us |

+| Azure Container Registry (Microsoft.ContainerRegistry/registries) | registry | privatelink.azurecr.us </br> {regionName}.privatelink.azurecr.us | azurecr.us </br> {regionName}.azurecr.us |

+| Azure Event Grid (Microsoft.EventGrid/topics) | topic | privatelink.eventgrid.azure.us | eventgrid.azure.us |

+| Azure Event Grid (Microsoft.EventGrid/domains) | domain | privatelink.eventgrid.azure.us | eventgrid.azure.us |

+| Microsoft Purview (Microsoft.Purview) | account | privatelink.purview.azure.com | purview.azure.com |

+| Microsoft Purview (Microsoft.Purview) | portal | privatelink.purviewstudio.azure.com | purview.azure.com </br> purviewstudio.azure.com |

+| Azure Health Data Services (Microsoft.HealthcareApis/workspaces) | healthcareworkspace | privatelink.workspace.azurehealthcareapis.us </br> privatelink.fhir.azurehealthcareapis.us </br> privatelink.dicom.azurehealthcareapis.us | workspace.azurehealthcareapis.us </br> fhir.azurehealthcareapis.us </br> dicom.azurehealthcareapis.us |

+| Azure Databricks (Microsoft.Databricks/workspaces) | databricks_ui_api </br> browser_authentication | privatelink.databricks.azure.us | databricks.azure.us |

+This article describes reliability support in [Azure Container Apps](/azure/container-apps/overview), and covers both regional resiliency with availability zones and cross-region resiliency with disaster recovery. For a more detailed overview of reliability in Azure, see [Azure reliability](/azure/well-architected/resiliency/).

+## Cross-region disaster recovery and business continuity

+This article describes reliability support in [Azure Storage Mover](/azure/storage-mover/service-overview) and covers both intra-regional resiliency with [availability zones](#availability-zone-support) and [cross-region disaster recovery and business continuity](#cross-region-disaster-recovery-and-business-continuity). For a more detailed overview of reliability principles in Azure, see [Azure reliability](/azure/architecture/framework/resiliency/overview).

+## Availability zone support

+Azure Storage Mover supports a zone-redundant deployment model.

+When you deploy an Azure Storage Mover resource, you must [select a particular region](/azure/storage-mover/deployment-planning#select-an-azure-region-for-your-deployment) in which the resource's instance metadata is stored.

+If the region supports availability zones, the instance metadata is automatically replicated across multiple availability zones within that region.

+>[!IMPORTANT]

+>Azure Storage Mover instance metadata includes projects, endpoints, agents, job definitions, and job run history, but doesn't include the actual data to be migrated. Azure storage accounts that are used as migration targets have their own reliability support.

+### Prerequisites

+- To deploy with availability zone support, you must choose a region that supports availability zones. To see which regions supports availability zones, see the [list of supported regions](availability-zones-service-support.md#azure-regions-with-availability-zone-support).

+- (Optional) If your target storage account doesn't support availability zones, and you would like to migrate the account to AZ support, see [Migrate Azure Storage accounts to availability zone support](migrate-storage.md).

+During a zone-wide outage, no action is required during zone recovery. Azure Storage Mover is designed to self-heal and re-balance itself to take advantage of the healthy zone automatically.

+Any migration target storage account may require its own recovery steps. This requirement depends on the redundancy options chosen for each storage account. See the [storage account disaster recovery guide](/azure/storage/common/storage-disaster-recovery-guidance) to determine whether more steps are necessary.

+If a local storage was chosen in lieu of redundancy options, you may need to create a new storage account for use in migrations during the outage.

+## Cross-region disaster recovery and business continuity

+When a Storage Mover agent is registered, it connects to the region in which the Storage Mover resource is registered. If an agent's Azure region experiences an outage, the agent itself isn't affected, but management operations that rely on Azure may be unable to complete. In addition, any active data migrations to storage accounts located within the affected region may fail.

+Storage Mover supports two forms of disaster recovery:

+- [Azure initiated disaster recovery](#azure-initiated-disaster-recovery)

+- [Customer initiated disaster recovery](#customer-initiated-disaster-recovery)

+>[!IMPORTANT]

+>Disaster recovery for on-premises data sources is the responsibility of the customer.

+### Azure initiated disaster recovery

+Azure initiated disaster recovery is only applicable to those [regions that have region pairs](./cross-region-replication-azure.md#azure-paired-regions). When cross-region replication is utilized, instance metadata is replicated to each region, but is never permitted to leave the geography.

+Azure Storage Mover uses Cosmos DB for storing instance metadata. Data loss may occur only with an unrecoverable disaster in the Azure Cosmos DB . For more information, see [Region outages](/azure/cosmos-db/high-availability). Azure initiated recovery is active-passive, and full recovery of a region may be up to 24 hours.

+### Customer initiated disaster recovery

+Customer initiated disaster recovery isn't restricted to paired regions.

+**Before a regional outage occurs:**

+- Deploy a zone-redundant Storage Mover by creating Storage Mover resources in a region that supports availability zones.

+- Periodically - either on a schedule or after you make substantial changes - take a snapshot of your Storage Mover resources. Storing the snapshots using a version control system is a good way to store and track history of the snapshots. You'll use the last good snapshot in the event of a disaster where you need to recover your resources in a new region.

+**During a regional outage:**

+You can do one of two things:

+- Choose to wait for Azure to recover the region.

+- Minimize downtime by [redeploying your resources to a different region](#deploy-resources-to-a-different-region). Since access to your resources may be impacted during an outage, you'll want to use the last good snapshot of your resources.

+>[!TIP]

+>Either one of these strategies still may require that you need to take further steps prior to a disaster, so be sure to review and plan accordingly.

+#### Deploy resources to a different region

+#### Registering the new agent

+#### Assigning the agent to job definitions

+#### Granting agent access to the target storage container

+- [Reliability in Azure](./overview.md)

+- [Storage account disaster recovery](/azure/storage/common/storage-disaster-recovery-guidance)

+ Title: Reliability and availability in Azure Deployment Environments

+description: Learn how Azure Deployment Environments supports disaster recovery. Understand reliability and availability within a single region and across regions.

+# Reliability in Azure Deployment Environments

+This article describes reliability support in Azure Deployment Environments, and covers intra-regional resiliency with availability zones and inter region resiliency with disaster recovery. For a more detailed overview of reliability in Azure, see [Azure reliability](/azure/well-architected/resiliency/overview).

+## Availability zone support

+Availability zone support for all resources in Azure Deployment Environments is enabled automatically. There's no action for you to take.

+Regions supported:

+- West US 2

+- South Central US

+- UK South

+- West Europe

+- East US

+- Australia East

+- East US 2

+- North Europe

+- West US 3

+- Japan East

+- East Asia

+- Central India

+- Korea Central

+- Canada Central

+For more detailed information on availability zones in Azure, seeΓÇ»[Regions and availability zones](../reliability/availability-zones-overview.md).

+## Cross-region disaster recovery and business continuity

+You can replicate the following Deployment Environments resources in an alternate region to prevent data loss if a cross-region failover occurs:

+

+- Dev center

+- Project

+- Catalog

+- Catalog items

+- Dev center environment type

+- Project environment type

+- Environments

+For more information on Azure disaster recovery architecture, seeΓÇ»[Azure to Azure disaster recovery architecture](../site-recovery/azure-to-azure-architecture.md).

+## Next steps

+- To learn more about how Azure supports reliability, see [Azure reliability](/azure/reliability).

+- To learn more about Deployment Environments resources, see [Azure Deployment Environments key concepts](../deployment-environments/concept-environments-key-concepts.md).

+- To get started with Deployment Environments, see [Quickstart: Create and configure the Azure Deployment Environments dev center](../deployment-environments/quickstart-create-and-configure-devcenter.md).

+ Title: Reliability in Azure Data Manager for Energy

+description: Find out about reliability in Azure Data Manager for Energy

+# Reliability in Azure Data Manager for Energy

+This article describes reliability support in [Azure Data Manager for Energy](/azure/energy-data-services/), and covers both regional resiliency with availability zones and cross-region resiliency with disaster recovery. For a more detailed overview of reliability in Azure, see [Azure reliability](/azure/well-architected/resiliency/overview).

+## Availability zone support

+Azure Data Manager for Energy supports zone-redundant instance by default and there's no additional configuration required.

+## Prerequisites

+The Azure Data Manager for Energy supports availability zones in the following regions:

+| Americas | Europe |

+||-|

+| South Central US | North Europe |

+| East US | West Europe |

+| Brazil South | |

+### Zone down experience

+During a zone-wide outage, no action is required during zone recovery. There may be a brief degradation of performance until the service self-heals and rebalances underlying capacity to adjust to healthy zones. During this period, you may experience 5xx errors and you may have to retry API calls until the service is restored.

+## Cross-region disaster recovery and business continuity

+### Disaster recovery in multi-region geography

+Azure Data Manager for Energy is a regional service and, therefore, is susceptible to region-down service failures. Azure Data Manager for Energy follows an active-passive failover configuration to recover from regional disaster. An active-passive configuration keeps warm Azure Data Manager for Energy resource running in the secondary region, but doesn't send traffic there unless the primary region fails.

+Below is the list of primary and secondary regions for regions where disaster recovery is supported:

+| Geography | Primary | Secondary |

+||-||

+|Americas | South Central US | North Central US |

+|Americas | East US | West US |

+|Europe | North Europe | West Europe |

+|Europe | West Europe | North Europe |

+Azure Data Manager for Energy uses Azure Storage, Azure Cosmos DB and Elasticsearch index as underlying data stores for persisting your data partition data. These data stores offer high durability, availability, and scalability. Azure Data Manager for Energy uses [geo-zone-redundant storage](../storage/common/storage-redundancy.md#geo-zone-redundant-storage) or GZRS to automatically replicate data to a secondary region that's hundreds of miles away from the primary region. The same security features enabled in the primary region (for example, encryption at rest using your encryption key) to protect your data are applicable to the secondary region. Similarly, Azure Cosmos DB is a globally distributed data service, which replicates the metadata (catalog) across regions. Elasticsearch index snapshots are taken at regular intervals and geo-replicated to the secondary region. All inflight data are ephemeral and therefore subject to loss. For example, in-transit data that is part of an on-going ingestion job that isn't persisted yet is lost, and you must restart the ingestion process upon recovery.

+> [!IMPORTANT]

+> In the following regions, disaster recovery is not available. For more information please contact your Microsoft sales or customer representative.

+> 1. Brazil South

+#### Set up disaster recovery and outage detection

+Azure Data Manager for Energy service continuously monitors service health in the primary region. If a hard service down failure is detected in the primary region, we attempt recovery before initiating failover to the secondary region on your behalf. We will notify you about the failover progress. Once the failover completes, you could connect to the Azure Data Manager for Energy resource in the secondary region and continue operations. However, there could be slight degradation in performance due to any capacity constraints in the secondary region.

+##### Managing the resources in your subscription

+You must handle the failover of your business apps connecting to Azure Data Manager for Energy resource and hosted in the same primary region. Additionally, you're responsible for recovering any diagnostic logs stored in your Log Analytics Workspace.

+If you [set up private links](../energy-data-services/how-to-set-up-private-links.md) to your Azure Data Manager for Energy resource in the primary region, then you must create a secondary private endpoint to the same resource in the [paired region](cross-region-replication-azure.md#azure-paired-regions).

+

+> [!CAUTION]

+> If you don't enable public access networks or create a secondary private endpoint before an outage, you'll lose access to the failed over Azure Data Manager for Energy resource in the secondary region. You will be able to access the Azure Data Manager for Energy resource only after the primary region failback is complete.

+

+> [!IMPORTANT]

+> After failover and until the primary region failback completes, you will be unable to perform state modifications to Azure Data Manager for Energy resource created in your subscription. For example,

+> - you cannot **Enable** or **Disable** public access networks.

+> - you cannot **Approve** or **Reject** private endpoint connection to Azure Data Manager for Energy resource

+> - you cannot create a new data partition.

+## Next steps

+- [Reliability in Azure](availability-zones-overview.md)

+[Azure Container Apps](reliability-azure-container-apps.md)|

+For information on how to enable availability zones support when you create your VM, see [create availability zone support](#create-a-resource-with-availability-zones-enabled).

+### Create a resource with availability zones enabled

+> | [Cognitive Services Usages Reader](#cognitive-services-usages-reader) | Minimal permission to view Cognitive Services usages. | bba48692-92b0-4667-a9ad-c31c7b334ac2 |

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",

+Lets you create, read, update, delete and manage keys of Cognitive Services. [Learn more](../ai-services/openai/how-to/role-based-access-control.md)

+Full access including the ability to fine-tune, deploy and generate text [Learn more](../ai-services/openai/how-to/role-based-access-control.md)

+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/deployments/write | Writes deployments. |

+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/deployments/delete | Deletes deployments. |

+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/raiPolicies/read | Gets all applicable policies under the account including default policies. |

+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/raiPolicies/write | Create or update a custom Responsible AI policy. |

+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/raiPolicies/delete | Deletes a custom Responsible AI policy that's not referenced by an existing deployment. |

+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/commitmentplans/read | Reads commitment plans. |

+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/commitmentplans/write | Writes commitment plans. |

+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/commitmentplans/delete | Deletes commitment plans. |

+ "Microsoft.CognitiveServices/accounts/deployments/write",

+ "Microsoft.CognitiveServices/accounts/deployments/delete",

+ "Microsoft.CognitiveServices/accounts/raiPolicies/read",

+ "Microsoft.CognitiveServices/accounts/raiPolicies/write",

+ "Microsoft.CognitiveServices/accounts/raiPolicies/delete",

+ "Microsoft.CognitiveServices/accounts/commitmentplans/read",

+ "Microsoft.CognitiveServices/accounts/commitmentplans/write",

+ "Microsoft.CognitiveServices/accounts/commitmentplans/delete",

+Read access to view files, models, deployments. The ability to create completion and embedding calls. [Learn more](../ai-services/openai/how-to/role-based-access-control.md)

+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/accounts/OpenAI/images/generations/action | Create image generations. |

+ "description": "Ability to view files, models, deployments. Readers are able to call inference operations such as chat completions and image generation.",

+ "Microsoft.CognitiveServices/accounts/OpenAI/deployments/completions/write",

+ "Microsoft.CognitiveServices/accounts/OpenAI/images/generations/action"

+### Cognitive Services Usages Reader

+Minimal permission to view Cognitive Services usages. [Learn more](../ai-services/openai/how-to/role-based-access-control.md)

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.CognitiveServices](resource-provider-operations.md#microsoftcognitiveservices)/locations/usages/read | Read all usages data |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | *none* | |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "assignableScopes": [

+ "/"

+ ],

+ "description": "Minimal permission to view Cognitive Services usages.",

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/bba48692-92b0-4667-a9ad-c31c7b334ac2",

+ "name": "bba48692-92b0-4667-a9ad-c31c7b334ac2",

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.CognitiveServices/locations/usages/read"

+ ],

+ "notActions": [],

+ "dataActions": [],

+ "notDataActions": []

+ }

+ ],

+ "roleName": "Cognitive Services Usages Reader",

+ "roleType": "BuiltInRole",

+ "type": "Microsoft.Authorization/roleDefinitions"

+}

+```

+```terraform

+xxx_vm_image = {

+ os_type = ""

+ source_image_id = ""

+ publisher = "Canonical"

+ offer = "0001-com-ubuntu-server-focal"

+ sku = "20_04-lts"

+ version = "latest"

+ type = "marketplace"

+> | Variable | Description | Type | Notes |

+> | - | -- | - | - |

+> | `environment` | Identifier for the workload zone (max five characters) | Mandatory | For example, `PROD` for a production environment and `NP` for a nonproduction environment. |

+> | `location` | The Azure region in which to deploy | Required | |

+> | `custom_prefix` | Specifies the custom prefix used in the resource naming | Optional | |

+> | `use_prefix` | Controls if the resource naming includes the prefix | Optional | DEV-WEEU-SAP01-X00_xxxx |

+> | `name_override_file` | Name override file | Optional | See [Custom naming](naming-module.md). |

+> | `save_naming_information` | Creates a sample naming JSON file | Optional | See [Custom naming](naming-module.md). |

+> | `tags` | A dictionary of tags to associate with all resources. | Optional | |

+> | `resourcegroup_name` | Name of the resource group to be created | Optional |

+## Infrastructure parameters

+This section contains the parameters related to the Azure infrastructure.

+> [!div class="mx-tdCol2BreakAll "]

+> | Variable | Description | Type |

+> | - | -- | - |

+> | `disk_encryption_set_id` | The disk encryption key to use for encrypting managed disks by using customer-provided keys. | Optional |

+> | `proximityplacementgroup_arm_ids` | Specifies the Azure resource identifiers of existing proximity placement groups. | |

+> | `proximityplacementgroup_names` | Specifies the names of the proximity placement groups. | |

+> | `resource_offset` | Provides an offset for resource naming. | Optional |

+> | `use_loadbalancers_for_standalone_deployments` | Controls if load balancers are deployed for standalone installations. | Optional |

+> | `use_scalesets_for_deployment` | Use Flexible Virtual Machine Scale Sets for the deployment | Optional |

+> | `use_msi_for_clusters` | If defined, configures the Pacemaker cluster by using managed identities. | Optional |

+> | `use_simple_mount` | Specifies if simple mounts are used (applicable for SLES 15 SP# or newer). | Optional |

+> | `custom_disk_sizes_filename` | Defines the disk sizing file name, See [Custom sizing](configure-extra-disks.md). | Optional |

+The `resource_offset` parameter controls the naming of resources. For example, if you set the `resource_offset` to 1, the first disk will be named `disk1`. The default value is 0.

+## SAP Application parameters

+This section contains the parameters related to the SAP Application.

+> [!div class="mx-tdCol2BreakAll "]

+> | Variable | Description | Type |

+> | -- | -- | - |

+> | `sid` | Defines the SAP application SID | Required |

+> | `database_sid` | Defines the database SID | Required |

+> | `scs_instance_number` | The instance number of SCS | Optional |

+> | `ers_instance_number` | The instance number of ERS | Optional |

+> | `pas_instance_number` | The instance number of the Primary Application Server | Optional |

+> | `app_instance_number` | The instance number of the Application Server | Optional |

+> | `web_instance_number` | The instance number of the Web Dispatcher | Optional |

+> | `use_secondary_ips` | Boolean flag that indicates if SAP should be installed by using virtual hostnames | Optional |

+See [High-availability configuration](configure-system.md#high-availability-configuration) for information on how to configure high availability.

+> | Variable | Description | Type | Notes |

+> | - | - | | |

+> | `database_platform` | Defines the database back end | Required | |

+> | `database_high_availability` | Defines if the database tier is deployed highly available | Optional | |

+> | `database_server_count` | Defines the number of database servers | Optional | |

+> | `database_vm_zones` | Defines the availability zones for the database servers | Optional | |

+> | `database_vm_use_DHCP` | Controls if Azure subnet-provided IP addresses should be used | Optional | |

+> | `database_vm_db_nic_ips` | Defines the IP addresses for the database servers (database subnet) | Optional | |

+> | `database_vm_db_nic_secondary_ips` | Defines the secondary IP addresses for the database servers (database subnet) | Optional | |

+> | `database_vm_admin_nic_ips` | Defines the IP addresses for the database servers (admin subnet) | Optional | |

+> | `database_vm_image` | Defines the virtual machine image to use | Optional | |

+> | `database_vm_authentication_type` | Defines the authentication type (key/password) | Optional | |

+> | `database_use_avset` | Controls if the database servers are placed in availability sets | Optional | |

+> | `database_use_ppg` | Controls if the database servers are placed in proximity placement groups | Optional | |

+> | `database_vm_avset_arm_ids` | Defines the existing availability sets Azure resource IDs | Optional | Primarily used with ANF pinning. |

+> | `database_use_premium_v2_storage` | Controls if the database tier will use premium storage v2 (HANA) | Optional | |

+> | `hana_dual_nics` | Controls if the HANA database servers will have dual network interfaces | Optional | |

+## Common application tier parameters

+## SAP central services parameters

+## Application server parameters

+## Web dispatcher parameters

+> | `user_keyvault_id` | Azure resource identifier for existing system credentials key vault | Optional | |

+> | `spn_keyvault_id` | Azure resource identifier for existing deployment credentials (SPNs) key vault | Optional | |

+> | `ANF_HANA_use_AVG` | Use Application Volume Group for the volumes. | Optional | |

+> | `ANF_HANA_use_Zones` | Deploy the Azure NetApp Files volume zonally. | Optional | |

+> | | | | |

+You can use the `configuration_settings` variable to let Terraform add them to sap-parameters.yaml file.

+```terraform

+configuration_settings = {

+ ora_release = "19",

+ ora_version = "19.0.0",

+ oracle_sbp_patch = "SAP19P_2202-70004508.ZIP",

+ oraclegrid_sbp_patch = "GIRU19P_2202-70004508.ZIP",

+ }

+```

+### Cluster parameters

+This section contains the parameters related to the cluster configuration.

+> [!div class="mx-tdCol2BreakAll "]

+> | Variable | Description | Type |

+> | - | | - |

+> | `database_cluster_disk_lun` | Specifies the The LUN of the shared disk for the Database cluster. | Optional |

+> | `database_cluster_disk_size` | The size of the shared disk for the Database cluster. | Optional |

+> | `database_cluster_type` | Cluster quorum type; AFA (Azure Fencing Agent), ASD (Azure Shared Disk), ISCSI | Optional |

+> | `fencing_role_name` | Specifies the Azure role assignment to assign to enable fencing. | Optional |

+> | `scs_cluster_disk_lun` | Specifies the The LUN of the shared disk for the Central Services cluster. | Optional |

+> | `scs_cluster_disk_size` | The size of the shared disk for the Central Services cluster. | Optional |

+> | `scs_cluster_type` | Cluster quorum type; AFA (Azure Fencing Agent), ASD (Azure Shared Disk), ISCSI | Optional |

+> | `use_msi_for_clusters` | If defined, configures the Pacemaker cluster by using managed identities. | Optional |

+> | `use_simple_mount` | Specifies if simple mounts are used (applicable for SLES 15 SP# or newer). | Optional |

+> | `idle_timeout_scs_ers` | Sets the idle timeout setting for the SCS and ERS loadbalancer. | Optional |

+> | `tags` | A dictionary of tags to associate with all resources. | Optional | |

+> | `enable_purge_control_for_keyvaults` | Disables the purge protection for Azure key vaults | Optional | Use only for test environments. |

+> | `spn_keyvault_id` | Azure resource identifier for existing deployment credentials (SPNs) key vault | Optional | |

+> | `user_keyvault_id` | Azure resource identifier for existing system credentials key vault | Optional | |

+> | `create_transport_storage` | If defined, create storage for the transport directories. | Optional | |

+> | `export_install_path` | If provided, export mount path for the installation media. | Optional | |

+> | `export_transport_path` | If provided, export mount path for the transport share. | Optional | |

+> | `install_private_endpoint_id` | Azure resource ID for the `install` private endpoint. | Optional | For existing endpoints|

+> | `install_volume_size` | Defines the size (in GB) for the `install` volume. | Optional | |

+> | `transport_volume_size` | Defines the size (in GB) for the `transport` volume. | Optional | |

+> | `use_AFS_for_installation_media | If provided, uses AFS for the installation media. | Optional | |

+> | `management_dns_resourcegroup_name` | Resource group that contains the private DNS zone. | Optional |

+> | `management_dns_subscription_id` | Subscription ID for the subscription that contains the private DNS zone. | Optional |

+> | `use_custom_dns_a_registration` | Use an existing private DNS zone. | Optional |

+> | `enable_purge_control_for_keyvaults` | If purge control is enabled on the key vault. | Optional | Use only for test deployments. |

+> | `place_delete_lock_on_resources` | Places delete locks on the key vaults and the virtual network | Optional | |

+> | `iscsi_authentication_username` | Administrator account name | Optional | |

+> | `iscsi_count` | The number of iSCSI virtual machines | Optional | |

+> | `iscsi_image` | Defines the virtual machine image to use (next table) | Optional | |

+> | `iscsi_subnet_address_prefix` | The address range for the `iscsi` subnet | Mandatory | For green-field deployments |

+> | `iscsi_subnet_arm_id` | The Azure resource identifier for the `iscsi` subnet | Mandatory | For brown-field deployments |

+> | `iscsi_subnet_name` | The name of the `iscsi` subnet | Optional | |

+> | `iscsi_subnet_nsg_arm_id` | The Azure resource identifier for the `iscsi` network security group | Mandatory | For brown-field deployments |

+> | `iscsi_subnet_nsg_name` | The name of the `iscsi` network security group | Optional | |

+> | `iscsi_use_DHCP` | Controls whether to use dynamic IP addresses provided by the Azure subnet | Optional | |

+> | `iscsi_vm_zones` | Availability zones for the iSCSI Virtual Machines | Optional | |

+> | `utility_vm_size` | Defines the SKU for the utility virtual machines | Optional | Default: Standard_D4ds_v4 |

+> | `utility_vm_useDHCP` | Defines if Azure subnet provided IPs should be used | Optional | |

+ Title: Extensibility for the SAP Deployment Automation Framework

+description: Describe how to extend the SAP Deployment Automation Framework.

+# Extending the SAP Deployment Automation Framework

+Within the SAP Deployment Automation Framework (SDAF), we recognize the importance of adaptability and customization to meet the unique needs of various deployments. This document describes the ways to extend the framework's capabilities, ensuring that it aligns with your specific requirements.

+Forking the Source Code Repository: One method of extending SDAF is by forking the source code repository. This approach grants you the flexibility to make tailored modifications within your own forked version of the code. By doing so, you gain control over the framework's core functionality, enabling you to tailor it precisely to your deployment objectives.

+Adding Stages to the SAP Configuration Pipeline: Another way to customization is by adding stages to the SAP configuration pipeline. This approach allows you to integrate specific processes or steps that are integral to your deployment workflows into the automation pipeline.

+Streamlined Extensibility: This capability allows you to effortlessly incorporate your existing Ansible playbooks directly into the SDAF. By using this feature, you can seamlessly integrate your Ansible automation scripts with the framework, further enhancing its versatility.

+Configuration extensibility: This feature allows you to extend the framework's configuration capabilities by adding custom repositories, packages, kernel parameters, logical volumes, mounts, and exports without the need to write any code.

+Throughout this documentation, we provide comprehensive guidance on each of these extensibility options, ensuring that you have the knowledge and tools needed to tailor the SAP Deployment Automation Framework to your specific deployment needs.

+> [!NOTE]

+> If you fork the source code repository, you must maintain your fork of the code. You must also merge the changes from the source code repository into your fork of the code whenever there is a new release of the SDAF codebase.

+## Executing your own Ansible playbooks as part of the Azure DevOps orchestration

+You can implement your own Ansible playbooks, which are automatically be called as part of the Azure DevOps 'OS Configuration and SAP Installation' pipeline.

+The Ansible playbooks must be located in a folder called 'Ansible' located in the root folder in your configuration repository. They're called with the same parameter files as the SDAF playbooks so you have access to all the configuration.

+The Ansible playbooks must be named according to the following naming convention:

+'Playbook name_pre' for playbooks to be run before the SDAF playbook and 'Playbook name_post' for playbooks to be run after the SDAF playbook.

+| Playbook name | Playbook name for 'pre' tasks | Playbook name for 'post' tasks | Description |

+| -- | | - | -- |

+| `playbook_01_os_base_config.yaml` | `playbook_01_os_base_config_pre.yaml` | `playbook_01_os_base_config_post.yaml` | Base operating system configuration |

+| `playbook_02_os_sap_specific_config.yaml` | `playbook_02_os_sap_specific_config_pre.yaml` | `playbook_02_os_sap_specific_config_post.yaml` | SAP specific configuration |

+| `playbook_03_bom_processing.yaml` | `playbook_03_bom_processing_pre.yaml` | `playbook_03_bom_processing_post.yaml` | Bill of Material processing |

+| `playbook_04_00_00_db_install.yaml` | `playbook_04_00_00_db_install_pre.yaml` | `playbook_04_00_00_db_install_post.yaml` | Database server installation |

+| `playbook_04_00_01_db_ha.yaml` | `playbook_04_00_01_db_ha_pre.yaml` | `playbook_04_00_01_db_ha_post.yaml` | Database High Availability configuration |

+| `playbook_05_00_00_sap_scs_install.yaml` | `playbook_05_00_00_sap_scs_install_pre.yaml` | `playbook_05_00_00_sap_scs_install_post.yaml` | Central Services Installation and High Availability configuration |

+| `playbook_05_01_sap_dbload.yaml` | `playbook_05_01_sap_dbload_pre.yaml` | `playbook_05_01_sap_dbload_post.yaml` | Database load |

+| `playbook_05_02_sap_pas_install.yaml` | `playbook_05_02_sap_pas_install_pre.yaml` | `playbook_05_02_sap_pas_install_post.yaml` | Primary Application Server installation |

+| `playbook_05_03_sap_app_install.yaml` | `playbook_05_03_sap_app_install_pre.yaml` | `playbook_05_03_sap_app_install_post.yaml` | Additional Application Server installation |

+| `playbook_05_04_sap_web_install.yaml` | `playbook_05_04_sap_web_install_pre.yaml` | `playbook_05_04_sap_web_install.yaml` | Web dispatcher installation |

+### Sample Ansible playbook

+```yaml

+# /*8

+# | |

+# | Run commands on all remote hosts |

+# | |

+# +4--*/

+- hosts: "{{ sap_sid | upper }}_DB :

+ {{ sap_sid | upper }}_SCS :

+ {{ sap_sid | upper }}_ERS :

+ {{ sap_sid | upper }}_PAS :

+ {{ sap_sid | upper }}_APP :

+ {{ sap_sid | upper }}_WEB"

+ name: "Examples on how to run commands on remote hosts"

+ gather_facts: true

+ tasks:

+ - name: "Calculate information about the OS distribution"

+ ansible.builtin.set_fact:

+ distro_family: "{{ ansible_os_family | upper }}"

+ distribution_id: "{{ ansible_distribution | lower ~ ansible_distribution_major_version }}"

+ distribution_full_id: "{{ ansible_distribution | lower ~ ansible_distribution_version }}"

+ - name: "Show information"

+ ansible.builtin.debug:

+ msg:

+ - "Distro family: {{ distro_family }}"

+ - "Distribution id: {{ distribution_id }}"

+ - "Distribution full id: {{ distribution_full_id }}"

+ - name: "Show how to run a command on all remote host"

+ ansible.builtin.command: "whoami"

+ register: whoami_results

+ - name: "Show results"

+ ansible.builtin.debug:

+ var: whoami_results

+ verbosity: 0

+ - name: "Show how to run a command on just the 'SCS' and 'ERS' hosts"

+ ansible.builtin.command: "whoami"

+ register: whoami_results

+ when:

+ - "'scs' in supported_tiers or 'ers' in supported_tiers "

+...

+```

+## Updating the user and group IDs (Linux)

+If you want to change the user and group IDs used by the framework, you can add the following section to the sap-parameters.yaml file.

+```yaml

+# User and group IDs

+sapadm_uid: "3000"

+sidadm_uid: "3100"

+sapinst_gid: "300"

+sapsys_gid: "400"

+```

+You can use the `configuration_settings` variable to let Terraform add them to sap-parameters.yaml file.

+```terraform

+configuration_settings = {

+ sapadm_uid = "3000",

+ sidadm_uid = "3100",

+ sapinst_gid = "300",

+ sapsys_gid = "400"

+}

+## Adding custom repositories (Linux)

+If you need to register extra Linux package repositories to the Virtual Machines deployed by the framework, you can add the following section to the sap-parameters.yaml file.

+In this example, the repository 'epel' is registered on all the hosts in your SAP deployment that are running RedHat 8.2.

+```yaml

+custom_repos:

+ redhat8.2:

+ - { tier: 'ha', repo: 'epel', url: 'https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm', state: 'present' }

+```

+## Adding custom packages (Linux)

+If you need to install more Linux packages to the Virtual Machines deployed by the framework, you can add the following section to the sap-parameters.yaml file.

+In this example, the package 'openssl' is installed on all the hosts in your SAP deployment that are running SUSE Enterprise Linux for SAP Applications version 15.3.

+```yaml

+custom_packages:

+ sles_sap15.3:

+ - { tier: 'os', package: 'openssl', node_tier: 'all', state: 'present' }

+```

+If you want to install a package on a specific server type (`app`, `ers`, `pas`, `scs`, `hana`) you can add the following section to the sap-parameters.yaml file.

+```yaml

+custom_packages:

+ sles_sap15.3:

+ - { tier: 'ha', package: 'pacemaker', node_tier: 'hana', state: 'present' }

+```

+## Adding custom kernel parameters (Linux)

+You can extend the SAP Deployment Automation Framework by adding custom kernel parameters to the SDAF installation.

+When you add the following section to the sap-parameters.yaml file, the parameter 'fs.suid_dumpable' is set to 0 on all the hosts in your SAP deployment.

+```yaml

+custom_parameters:

+ common:

+ - { tier: 'os', node_tier: 'all', name: 'fs.suid_dumpable', value: '0', state: 'present' }

+```

+## Adding custom services (Linux)

+If you need to manage additional services on the Virtual Machines deployed by the framework, you can add the following section to the sap-parameters.yaml file.

+In this example, the 'firewalld' service is stopped and disabled on all the hosts in your SAP deployment that are running RedHat 7.x.

+```yaml

+custom_

+ redhat7:

+ - { tier: 'os', service: 'firewalld', node_tier: 'all', state: 'stopped' }

+ - { tier: 'os', service: 'firewalld', node_tier: 'all', state: 'disabled' }

+```

+## Adding custom logical volumes (Linux)

+You can extend the SAP Deployment Automation Framework by adding logical volumes based on additional disks in your SDAF installation.

+When you add the following section to the sap-parameters.yaml file, a logical volume 'lv_custom' is created on all Virtual machines with a disk with the name 'custom' in your SAP deployment. A filesystem is mounted on the logical volume and available on '/custompath'.

+```yaml

+custom_logical_volumes:

+ - tier: 'sapos'

+ node_tier: 'all'

+ vg: 'vg_custom'

+ lv: 'lv_custom'

+ size: '100%FREE'

+ fstype: 'xfs'

+ path: '/custompath'

+```

+> [!NOTE]

+> In order to use this functionality you need to add an additional disk named 'custom' to one or more of your Virtual machines. See [Custom disk sizing](configure-extra-disks.md) for more information.

+You can use the `configuration_settings` variable to let Terraform add them to sap-parameters.yaml file.

+```terraform

+configuration_settings = {

+ custom_logical_volumes = [

+ {

+ tier = 'sapos'

+ node_tier = 'all'

+ vg = 'vg_custom'

+ lv = 'lv_custom'

+ size = '100%FREE'

+ fstype = 'xfs'

+ path = '/custompath'

+ }

+ ]

+}

+```

+## Adding custom mount (Linux)

+You can extend the SAP Deployment Automation Framework by mounting additional mount points in your installation.

+When you add the following section to the sap-parameters.yaml file, a filesystem '/usr/custom' is mounted from an NFS share on "xxxxxxxxx.file.core.windows.net:/xxxxxxxxx/custom".

+```yaml

+custom_mounts:

+ - path: "/usr/custom"

+ opts: "vers=4,minorversion=1,sec=sys"

+ mount: "xxxxxxxxx.file.core.windows.net:/xxxxxxxx/custom"

+ target_nodes: "scs,pas,app"

+```

+The `target_nodes` attribute defines which nodes have the mount defined. Use 'all' if you want all nodes to have the mount defined.

+You can use the `configuration_settings` variable to let Terraform add them to sap-parameters.yaml file.

+```terraform

+configuration_settings = {

+ custom_mounts = [

+ {

+ path = "/usr/custom",

+ opts = "vers=4,minorversion=1,sec=sys",

+ mount = "xxxxxxxxx.file.core.windows.net:/xxxxxxxx/custom",

+ target_nodes = "scs,pas,app"

+ }

+ ]

+}

+```

+## Adding custom export (Linux)

+You can extend the SAP Deployment Automation Framework by adding additional folders to be exported from the Central Services virtual machine.

+When you add the following section to the sap-parameters.yaml file, a filesystem '/usr/custom' will be exported from the Central Services virtual machine and available via NFS.

+```yaml

+custom_exports:

+ path: "/usr/custom"

+```

+You can use the `configuration_settings` variable to let Terraform add them to sap-parameters.yaml file.

+```terraform

+configuration_settings = {

+ custom_mounts = [

+ {

+ path = "/usr/custom",

+ }

+ ]

+}

+```

+> [!NOTE]

+> This applies only for deployments with NFS_Provider set to 'NONE' as this makes the Central Services server an NFS Server.

+## Next step

+> [!div class="nextstepaction"]

+> [Configure custom naming](naming-module.md)

+ Title: Soft stop individual SAP instances and HANA database

+description: Learn how to soft stop SAP system and HANA database through the Virtual Instance for SAP solutions (VIS) resource in Azure Center for SAP solutions.

+#Customer intent: As a developer, I want to stop SAP systems by draining existing connections gracefully when using Azure Center for SAP solutions.

+# Soft stop SAP systems, application server instances and HANA database

+In this how-to guide, you'll learn to soft stop your SAP systems, individual instances and HANA database through the Virtual Instance for SAP solutions (VIS) resource in Azure Center for SAP solutions. You can stop your system smoothly by making sure that existing user connections, batch processes, etc. are drained first.

+Using the [Azure PowerShell](/powershell/module/az.workloads) and [REST API](/rest/api/workloads) interfaces, you can:

+- Soft stop the entire SAP system, that is the application server instances and central services instance.

+- Soft stop specific SAP application server instances.

+- Soft stop HANA database.

+## Prerequisites

+- An SAP system that you've [created in Azure Center for SAP solutions](prepare-network.md) or [registered with Azure Center for SAP solutions](register-existing-system.md).

+- Check that your Azure account has **Azure Center for SAP solutions administrator** or equivalent role access on the Virtual Instance for SAP solutions resources. For more information, see [how to use granular permissions that govern start and stop actions on the VIS, individual SAP instances and HANA databases](manage-with-azure-rbac.md#start-sap-system).

+- For HA deployments, the HA interface cluster connector for SAP (`sap_vendor_cluster_connector`) must be installed on the ASCS instance. For more information, see the [SUSE connector specifications](https://www.suse.com/c/sap-netweaver-suse-cluster-integration-new-sap_suse_cluster_connector-version-3-0-0/) and [RHEL connector specifications](https://access.redhat.com/solutions/3606101).

+- For HANA Database, Stop operation is initiated only when the cluster maintenance mode is in **Disabled** status.

+## Soft stop SAP system

+Currently, you can initiate a soft stop operation from the Azure PowerShell and REST API interfaces. You must use the stop operation along with a soft stop timeout value in seconds to initiate a soft stop. Once you initiate soft stop on VIS and the operation is successfully triggered on the SAP system, then monitor the Health and Status of the VIS to check if the system has stopped.

+> [!NOTE]

+> When attempting to soft stop an SAP system or applicaton server instance using Azure Center for SAP solutions, soft stop timeout value must be greater than 0 and less than 82800 seconds.

+### Soft stop system in PowerShell

+Use the [Stop-AzWorkloadsSapVirtualInstance](/powershell/module/az.workloads/Stop-AzWorkloadsSapVirtualInstance) command:

+```powershell

+ Stop-AzWorkloadsSapVirtualInstance -InputObject /subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.Workloads/sapVirtualInstances/DB0 --SoftStopTimeoutSecond 300 `

+```

+### Soft stop system using REST API

+Use this [sample payload](/rest/api/workloads/2023-04-01/sap-virtual-instances/stop?tabs=HTTP#sapvirtualinstances_stop) to soft stop an SAP system. You can specify the soft stop timeout value in seconds.

+## Soft stop SAP Application server instance

+You can soft stop a specific application server in Azure Center for SAP solutions using Azure PowerShell and REST API interfaces. Once you initiate soft stop on application server and the operation is successfully triggered, then monitor Health and Status of the application server instance to check if it has stopped.

+To soft stop an application server represented as an *App server instance for SAP solutions* resource:

+### Using PowerShell

+Use the [Stop-AzWorkloadsSapApplicationInstance](/powershell/module/az.workloads/stop-azworkloadssapapplicationinstance) command:

+```powershell

+ Stop-AzWorkloadsSapApplicationInstance -InputObject /subscriptions/Sub1/resourceGroups/RG1/providers/Microsoft.Workloads/sapVirtualInstances/DB0/applicationInstances/app0 --SoftStopTimeoutSecond 300 `

+```

+### Using REST API

+Use this [sample payload](/rest/api/workloads/2023-04-01/sap-application-server-instances/stop-instance?tabs=HTTP#stop-the-sap-application-server-instance) to soft stop an application server instance. You can specify the soft stop timeout value in seconds.

+## Soft stop HANA database

+You can soft stop the HANA database so that the database stops gracefully after all running statements have finished. You can use the Azure PowerShell and REST API interfaces to soft stop database. Once you initiate soft stop on HANA database and the operation is successfully triggered on the database instance, then monitor the status of the database instance on the VIS to check if it has stopped.

+> [!NOTE]

+> When attempting to soft stop HANA database instance using Azure Center for SAP solutions, soft stop timeout value must be greater than 0 and less than 1800 seconds.

+### Using PowerShell

+Use the [Stop-AzWorkloadsSapDatabaseInstance](/powershell/module/az.workloads/stop-azworkloadssapdatabaseinstance) command:

+```powershell

+ Stop-AzWorkloadsSapDatabaseInstance -InputObject /subscriptions/Sub1/resourceGroups/RG1/providers/Microsoft.Workloads/sapVirtualInstances/DB0/databaseInstances/ab0 --SoftStopTimeoutSecond 300 `

+```

+### Using REST API

+Use this [sample payload](/rest/api/workloads/2023-04-01/sap-database-instances/stop-instance?tabs=HTTP#stop-the-database-instance-of-the-sap-system.) to soft stop HANA database. You can specify the soft stop timeout value in seconds.

+ Title: Start and stop SAP systems, instances and HANA database

+description: Learn how to start or stop an SAP system, specific instances and HANA database through the Virtual Instance for SAP solutions (VIS) resource in Azure Center for SAP solutions through the Azure portal, PowerShell, CLI.

+# Start and stop SAP systems, instances and HANA database

+Through the Azure portal, [Azure PowerShell](/powershell/module/az.workloads), [CLI](/cli/azure/workloads/sap-virtual-instance) and [REST API](/rest/api/workloads) interfaces, you can start and stop:

+- Specific SAP instance, such as the application server instance.

+> [!NOTE]

+> When multiple application server instances run on a single virtual machine and you intend to stop all these instances, you can currently stop them one instance at a time only. If you attempt to stop them in parallel, only one stop request is accepted and all others would fail.

+ Title: Start and stop SAP and underlying VMs

+description: Learn how to Stop and Start SAP and underlying VMs through the Virtual Instance for SAP solutions (VIS) resource in Azure Center for SAP solutions.

+#Customer intent: As a developer, I want to start and stop SAP systems including VMs when they are not needed to be run.

+# Start and Stop SAP systems, instances, HANA database and their underlying Virtual machines

+In this how-to guide, you'll learn how to start and stop SAP systems and their underlying virtual machines through the Virtual Instance for SAP solutions (VIS) resource in Azure Center for SAP solutions. This simplifies the process to stop and start SAP systems by shutting down and bringing up underlying infrastructure and SAP application in one command.

+Using the [REST API](/rest/api/workloads) interfaces, you can:

+- Start and stop the entire SAP application tier and its Virtual machines, which includes ABAP SAP Central Services (ASCS) and Application Server instances.

+- Start and stop a specific SAP instance, such as the application server instance, and its Virtual machines.

+- Start and stop HANA database instance and its Virtual machines.

+> [!IMPORTANT]

+> The ability to start and stop virtual machines of an SAP system is available from API Version 2023-10-01.

+> [!NOTE]

+> You can schedule stop and start of SAP systems, HANA database at scale for your SAP landscapes using the [ARM template](https://aka.ms/SnoozeSAPSystems). This ARM template can be customized to suit your own requirements.

+## Prerequisites

+- An SAP system that you've [created in Azure Center for SAP solutions](prepare-network.md) or [registered with Azure Center for SAP solutions](register-existing-system.md).

+- Check that your Azure account has **Azure Center for SAP solutions administrator** or equivalent role access on the Virtual Instance for SAP solutions resources. You can learn more about the granular permissions that govern Start and Stop actions on the VIS, individual SAP instances and HANA Database [in this article](manage-with-azure-rbac.md#start-sap-system).

+- Check that the **User Assigned Managed Identity** associated with the VIS resource has **Virtual Machine Contributor** or equivalent role access. This is needed to be able to Start and Stop VMs.

+## Unsupported scenarios

+The following scenarios are not currently supported when using the Start and Stop of SAP, individual SAP instances, HANA database and their underlying VMs:

+- Starting and stopping systems when multiple SIDs on the same set of Virtual Machines.

+- Starting and stopping HANA databases with MCOS (Multiple Components in One System) architecture, where multiple HANA instances run on the same set of virtual machines.

+- Starting and stopping SAP application server or central services instances where instances of multiple SIDs or multiple instances of the same SID run on the same virtual machine.

+> [!IMPORTANT]

+> For single-server deployments, when you want to stop SAP, HANA DB and the VM, use stop VIS action to stop SAP application tier and then stop HANA database with 'deallocateVm' set to true. This ensures that SAP application and HANA database are both stopped before stopping the VM.

+> [!NOTE]

+> When stopping a VIS or an instance with 'DeallocateVm' option set to true, only that VIS or instance is stopped and then the virtual machine is shutdown. SAP instances of other SIDs are not stopped. Use the virtual machine stop option only after all instances running on the VM are stopped.

+## Start and Stop SAP system and underlying Virtual machines

+You can start and stop the entire SAP application tier and underlying VMs using [REST API version 2023-10-01](/rest/api/workloads).

+### Start SAP system and its VMs

+To start the virtual machines and the SAP application on it, use the following REST API with "startVm" parameter set to true. This command starts the VMs associated with Central services instance and Application server instances.

+```http

+POST https://management.azure.com/subscriptions/Sub1/resourceGroups/test-rg/providers/Microsoft.Workloads/sapVirtualInstances/X00/start?api-version=2023-10-01-preview

+{

+ "startVm": true

+}

+```

+### Stop SAP system and its VMs

+To stop the SAP application and its VMs, use the following REST API with "deallocateVm" parameter set to true.

+```http

+POST https://management.azure.com/subscriptions/Sub1/resourceGroups/test-rg/providers/Microsoft.Workloads/sapVirtualInstances/X00/stop?api-version=2023-10-01-preview

+{

+ "deallocateVm": true

+}

+```

+## Start and Stop HANA Database and its VMs

+You can start and stop HANA database and its underlying VMs using [REST API version 2023-10-01](/rest/api/workloads).

+### Start HANA database and its VMs

+To start the virtual machines and the HANA database on it, use the following REST API with "startVm" parameter set to true.

+```http

+POST https://management.azure.com/subscriptions/Sub1/resourceGroups/test-rg/providers/Microsoft.Workloads/sapVirtualInstances/X00/databaseInstances/db0/start?api-version=2023-10-01-preview

+ {

+ "startVm": true

+ }

+```

+### Stop HANA database and its VMs

+To stop HANA database and its underlying VMs, use the following REST API with `deallocateVm` parameter set to `true`.

+```http

+POST https://management.azure.com/subscriptions/Sub1/resourceGroups/test-rg/providers/Microsoft.Workloads/sapVirtualInstances/X00/databaseInstances/db0/stop?api-version=2023-10-01-preview

+ {

+ "deallocateVm": true

+ }

+```

+Activity logs are collected [free of charge](../azure-monitor/cost-usage.md#pricing-model), with no configuration required. Data retention is 90 days, but you can configure durable storage for longer retention.

+Metrics are collected [free of charge](../azure-monitor/cost-usage.md#pricing-model), with no configuration required. Platform metrics are stored for 93 days. However, in the portal you can only query a maximum of 30 days' worth of platform metrics data on any single chart.

+Alerts help you to identify and address issues before they become a problem for application users. You can set alerts on [metrics](../azure-monitor/alerts/alerts-metric-overview.md), [resource logs](../azure-monitor/alerts/alerts-unified-log.md), and [activity logs](../azure-monitor/alerts/activity-log-alerts.md). Alerts are billable (see the [Pricing model](../azure-monitor/cost-usage.md#pricing-model) for details).

+Resource logging is billable (see the [Pricing model](../azure-monitor/cost-usage.md#pricing-model) for details), starting when you create a diagnostic setting. See [Diagnostic settings in Azure Monitor](../azure-monitor/essentials/diagnostic-settings.md) for general guidance.

+| Details | <p>Authentication is the process where an entity proves its identity, typically through credentials, such as a user name and password. There are multiple authentication protocols available which might be considered. Some of them are listed below:</p><ul><li>Client certificates</li><li>Windows based</li><li>Forms based</li><li>Federation - ADFS</li><li>Federation - Microsoft Entra ID</li><li>Federation - Identity Server</li></ul><p>Consider using a standard authentication mechanism to identify the source process</p>|

+| Details | <p>Password and account policy in compliance with organizational policy and best practices should be implemented.</p><p>To defend against brute-force and dictionary based guessing: Strong password policy must be implemented to ensure that users create complex password (e.g., 12 characters minimum length, alphanumeric and special characters).</p><p>Account lockout policies might be implemented in the following manner:</p><ul><li>**Soft lock-out:** This can be a good option for protecting your users against brute force attacks. For example, whenever the user enters a wrong password three times the application could lock down the account for a minute in order to slow down the process of brute forcing their password making it less profitable for the attacker to proceed. If you were to implement hard lock-out countermeasures for this example you would achieve a "DoS" by permanently locking out accounts. Alternatively, application might generate an OTP (One Time Password) and send it out-of-band (through email, sms etc.) to the user. Another approach might be to implement CAPTCHA after a threshold number of failed attempts is reached.</li><li>**Hard lock-out:** This type of lockout should be applied whenever you detect a user attacking your application and counter them by means of permanently locking out their account until a response team had time to do their forensics. After this process you can decide to give the user back their account or take further legal actions against them. This type of approach prevents the attacker from further penetrating your application and infrastructure.</li></ul><p>To defend against attacks on default and predictable accounts, verify that all keys and passwords are replaceable, and are generated or replaced after installation time.</p><p>If the application has to auto-generate passwords, ensure that the generated passwords are random and have high entropy.</p>|

+| **Applicable Technologies** | On-premises |

+| **Applicable Technologies** | On-premises, SQL Azure |

+| **Steps** | The absence of an enforced password policy might increase the likelihood of a weak credential being established in a contained database. Leverage Windows Authentication. |

+| **Component** | Azure Event Hubs |

+| **Steps** | <p>Authentication is the process where an entity proves its identity, typically through credentials, such as a user name and password. There are multiple authentication protocols available which might be considered. Some of them are listed below:</p><ul><li>Client certificates</li><li>Windows based</li><li>Forms based</li><li>Federation - ADFS</li><li>Federation - Microsoft Entra ID</li><li>Federation - Identity Server</li></ul><p>Links in the references section provide low-level details on how each of the authentication schemes can be implemented to secure a Web API.</p>|

+| **References** | [Authentication Scenarios for Microsoft Entra ID](/entra/identity-platform/authentication-vs-authorization), [Microsoft Entra code Samples](/entra/identity-platform/sample-v2-code), [Microsoft Entra developer's guide](/entra/identity-platform/index) |

+| **References** | [Token cache serialization in MSAL.NET](/entra/msal/dotnet/how-to/token-cache-serialization) |

+Please note that to test the effectiveness of this configuration, sign in into your local OIDC-protected application and capture the request to `"/signin-oidc"` endpoint in fiddler. When the protection is not in place, replaying this request in fiddler will set a new session cookie. When the request is replayed after the TokenReplayCache protection is added, the application will throw an exception as follows: `SecurityTokenReplayDetectedException: IDX10228: The securityToken has previously been validated, securityToken: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSIsImtpZCI6Ik1uQ1......`

+| **References** | [MSAL](/entra/identity-platform/msal-overview) |

+| **Steps** | <p>By default, a container and any blobs within it might be accessed only by the owner of the storage account. To give anonymous users read permissions to a container and its blobs, one can set the container permissions to allow public access. Anonymous users can read blobs within a publicly accessible container without authenticating the request.</p><p>Containers provide the following options for managing container access:</p><ul><li>Full public read access: Container and blob data can be read via anonymous request. Clients can enumerate blobs within the container via anonymous request, but cannot enumerate containers within the storage account.</li><li>Public read access for blobs only: Blob data within this container can be read via anonymous request, but container data is not available. Clients cannot enumerate blobs within the container via anonymous request</li><li>No public read access: Container and blob data can be read by the account owner only</li></ul><p>Anonymous access is best for scenarios where certain blobs should always be available for anonymous read access. For finer-grained control, one can create a shared access signature, which enables to delegate restricted access using different permissions and over a specified time interval. Ensure that containers and blobs, which might potentially contain sensitive data, are not given anonymous access accidentally</p>|

+ - [Data transfers charges using Log Analytics ](../azure-monitor/cost-usage.md#data-transfer-charges).

+- Connectors that are based on diagnostics settings do not incur in-bandwidth costs. For more information, see [Data transfers charges using Log Analytics](../azure-monitor/cost-usage.md#data-transfer-charges).

+This table shows how Microsoft Sentinel and Log Analytics no charge costs appear in the **Service name** and **Meter** columns of your Azure bill for free data services when billing is at a simplified pricing tier. For more information, see [View Data Allocation Benefits](../azure-monitor/cost-usage.md#view-data-allocation-benefits).

+This table shows how Microsoft Sentinel and Log Analytics no charge costs appear in the **Service name** and **Meter** columns of your Azure bill for free data services when billing is at a classic pricing tier. For more information, see [View Data Allocation Benefits](../azure-monitor/cost-usage.md#view-data-allocation-benefits).

+This document contains two sets of information regarding entities and entity types in Microsoft Sentinel.

+- The [**Entity types and identifiers**](#entity-types-and-identifiers) table shows the different types of entities that can be used in [entity mapping](map-data-fields-to-entities.md) in both [analytics rules](detect-threats-custom.md) and [hunting](hunting.md). The table also shows, for each entity type, the different identifiers that can be used to identify an entity.

+- The [**Entity schema**](#entity-type-schemas) section shows the data structure and schema for entities in general and for each entity type in particular, including some types that are not represented in the entity mapping feature.

+The following table shows the **entity types** currently available for mapping in Microsoft Sentinel, and the **attributes** available as **identifiers** for each entity type. Nearly all of these attributes appear in the **Identifiers** drop-down list in the [entity mapping](map-data-fields-to-entities.md) section of the [analytics rule wizard](detect-threats-custom.md) (see footnotes for exceptions).

+You can use up to three identifiers for a single entity mapping. **Strong identifiers** alone are sufficient to uniquely identify an entity, whereas **weak identifiers** can do so only in combination with other identifiers.

+Learn more about [strong and weak identifiers](entities.md#strong-and-weak-identifiers).

+| Entity type | Identifiers | Strong identifiers | Weak identifiers |

+| [**Account**](#account) | Name<br>*FullName \**<br>NTDomain<br>DnsDomain<br>UPNSuffix<br>Sid<br>AadTenantId<br>AadUserId<br>PUID<br>IsDomainJoined<br>*DisplayName \**<br>ObjectGuid | Name+UPNSuffix<br>AADUserId<br>Sid [\*\*](#strong-identifiers-of-an-account-entity)<br>Sid+*Host* [\*\*](#strong-identifiers-of-an-account-entity)<br>Name+*Host*+NTDomain [\*\*](#strong-identifiers-of-an-account-entity)<br>Name+NTDomain [\*\*](#strong-identifiers-of-an-account-entity)<br>Name+DnsDomain<br>PUID<br>ObjectGuid | Name |

+| [**Host**](#host) | DnsDomain<br>NTDomain<br>HostName<br>*FullName \**<br>NetBiosName<br>AzureID<br>OMSAgentID<br>OSFamily<br>OSVersion<br>IsDomainJoined | HostName+NTDomain<br>HostName+DnsDomain<br>NetBiosName+NTDomain<br>NetBiosName+DnsDomain<br>AzureID<br>OMSAgentID | HostName<br>NetBiosName |

+| [**IP**](#ip) | Address<br>AddressScope | Address [\*\*](#strong-identifiers-of-an-ip-entity)<br>Address+AddressScope [\*\*](#strong-identifiers-of-an-ip-entity) | |

+| [**URL**](#url) | Url | Url *(if absolute URL)* [\*\*](#strong-identifiers-of-a-url-entity) | Url *(if relative URL)* [\*\*](#strong-identifiers-of-a-url-entity) |

+| [**Cloud application**](#cloud-application)<br>*(CloudApplication)* | AppId<br>Name<br>InstanceName | AppId<br>Name<br>AppId+InstanceName<br>Name+InstanceName | |

+| [**DNS Resolution**](#dns-resolution) | DomainName | DomainName+*DnsServerIp*+*HostIpAddress* | DomainName+*HostIpAddress* |

+| [**File**](#file) | Directory<br>Name | Directory+Name | |

+| [**File hash**](#file-hash)<br>*(FileHash)* | Algorithm<br>Value | Algorithm+Value | |

+| [**Malware**](#malware) | Name<br>Category | Name+Category | |

+| [**Process**](#process) | ProcessId<br>CommandLine<br>ElevationToken<br>CreationTimeUtc | *Host*+ProcessID+CreationTimeUtc<br>*Host*+*ParentProcessId*+<br>&nbsp;&nbsp;&nbsp;CreationTimeUtc+CommandLine<br>*Host*+ProcessId+<br>&nbsp;&nbsp;&nbsp;CreationTimeUtc+*ImageFile*<br>*Host*+ProcessId+<br>&nbsp;&nbsp;&nbsp;CreationTimeUtc+*ImageFile*+<br>&nbsp;&nbsp;&nbsp;*FileHash* | ProcessId+CreationTimeUtc+<br>&nbsp;&nbsp;&nbsp;CommandLine (no Host)<br>ProcessId+CreationTimeUtc+<br>&nbsp;&nbsp;&nbsp;*ImageFile* (no Host) |

+| [**Registry key**](#registry-key) | Hive<br>Key | Hive+Key | |

+| [**Registry value**](#registry-value) | Name<br>Value<br>ValueType<br> | *Key*+Name | Name (no Key) |

+| [**Mail cluster**](#mail-cluster) | NetworkMessageIds<br>CountByDeliveryStatus<br>CountByThreatType<br>CountByProtectionStatus<br>Threats<br>Query<br>QueryTime<br>MailCount<br>IsVolumeAnomaly<br>Source<br>*ClusterSourceIdentifier \**<br>*ClusterSourceType \**<br>*ClusterQueryStartTime \**<br>*ClusterQueryEndTime \**<br>*ClusterGroup \** | Query+Source | |

+| [**Mail message**](#mail-message) | Recipient<br>Urls<br>Threats<br>Sender<br>*P1Sender \**<br>*P1SenderDisplayName \**<br>*P1SenderDomain \**<br>SenderIP<br>*P2Sender \**<br>*P2SenderDisplayName \**<br>*P2SenderDomain \**<br>ReceivedDate<br>NetworkMessageId<br>InternetMessageId<br>Subject<br>*BodyFingerprintBin1 \**<br>*BodyFingerprintBin2 \**<br>*BodyFingerprintBin3 \**<br>*BodyFingerprintBin4 \**<br>*BodyFingerprintBin5 \**<br>AntispamDirection<br>DeliveryAction<br>DeliveryLocation<br>*Language \**<br>*ThreatDetectionMethods \** | NetworkMessageId+Recipient | |

+| [**Submission mail**](#submission-mail) | NetworkMessageId<br>Timestamp<br>Recipient<br>Sender<br>SenderIp<br>Subject<br>ReportType<br>SubmissionId<br>SubmissionDate<br>Submitter | SubmissionId+NetworkMessageId+<br>&nbsp;&nbsp;&nbsp;Recipient+Submitter | |

+**Table footnotes:**

+- \* These identifiers appear in the list of identifiers that can be used in entity mapping, but strictly speaking they are not part of the entity schema.

+- \*\* These identifiers are considered strong only under certain conditions. Follow the asterisks' links to see the conditions that apply, under the relevant entity's listing in the [entity schemas section below](#entity-type-schemas).

+- *Italicized identifier names* (without an asterisk) represent internal entities, which means that one entity type can have other entity types as attributes (see the [entity schemas section below](#entity-type-schemas)). Follow the identifier's link to see the internal entity's own schema.

+The following section contains a more in-depth look at the full schemas of each entity type. You'll notice that many of these schemas include links to other entity types. For example, the Account schema includes a link to the Host entity type, since one attribute of a user account is the host it's defined on. These entities-as-attributes are known as "internal entities", and they can't be used as identifiers for entity mapping, but they are very useful in giving a complete picture of entities on entity pages and the investigation graph.

+### List of entity type schemas

+- [Account](#account)

+- [Host](#host)

+- [IP](#ip)

+- [Malware](#malware)

+- [File](#file)

+- [Process](#process)

+- [Cloud application](#cloud-application)

+- [DNS resolution](#dns-resolution)

+- [Azure resource](#azure-resource)

+- [File hash](#file-hash)

+- [Registry key](#registry-key)

+- [Registry value](#registry-value)

+- [Security group](#security-group)

+- [URL](#url)

+- [IoT device](#iot-device)

+- [Mailbox](#mailbox)

+- [Mail cluster](#mail-cluster)

+- [Mail message](#mail-message)

+- [Submission mail](#submission-mail)

+- [Sentinel entities](#sentinel-entities)

+### Account

+| **Type** | String | 'account' |

+| **Name** | String | The name of the account. This field should hold only the name without any domain added to it. |

+| ***FullName*** | -- | *Not part of schema, included for backward compatibility with old version of entity mapping.* |

+| **NTDomain** | String | The NETBIOS domain name as it appears in the alert format&mdash;domain\username. Examples: Finance, NT AUTHORITY |

+| **DnsDomain** | String | The fully qualified domain DNS name. Examples: finance.contoso.com |

+| **UPNSuffix** | String | The user principal name suffix for the account. In many cases the UPN Suffix is also the domain name. Examples: contoso.com |

+| **Host** | Entity ([Host](#host)) | The host that contains the account, if it's a local account. |

+| **Sid** | String | The account's security identifier. |

+| **AadTenantId** | Guid? | The Microsoft Entra tenant ID, if known. |

+| **AadUserId** | Guid? | The Microsoft Entra account object ID, if known. |

+| **PUID** | Guid? | The Microsoft Entra Passport User ID, if known. |

+| **IsDomainJoined** | Bool? | Indicates whether the account is a domain account. |

+| ***DisplayName*** | -- | *Not part of schema, included for backward compatibility with old version of entity mapping.* |

+| **ObjectGuid** | Guid? | The objectGUID attribute is a single-value attribute that is the unique identifier for the object, assigned by Active Directory. |

+| **CloudAppAccountId** | String | The AccountID in alerts from the CloudApp provider. Refers to account IDs in third-party apps that are not supported in other Microsoft products. |

+| **IsAnonymized** | Bool? | Indicates whether the user name is anonymized. Optional. Default value: `false`. |

+| **Stream** | Stream | The source of discovery logs related to the specific account. Optional. |

+#### Strong identifiers of an account entity

+- **Name + UPNSuffix**

+- **AadUserId**

+- **Sid**

+\*\* This identifier is strong as long as the account **is not** one of the built-in accounts listed in the **Note** below.

+- **Sid + [*Host*](#host)**

+\*\* When the account is one of the built-in accounts listed in the **Note** below, the Host component is required to make this identifier a strong one.

+- **Name + NTDomain**

+\*\* This combination is a strong identifier when the account is a domain account, since NTDomain is not a built-in domain/workgroup and is different from the host name. In this case, this is a strong identifier even without the Host component.

+- **Name + NTDomain + [*Host*](#host)**

+\*\* The Host component is necessary to create a strong identifier when the account is a local account, meaning that the NTDomain is a built-in domain/workgroup.

+- **Name + DnsDomain**

+- **PUID**

+- **ObjectGuid**

+#### Weak identifiers of an account entity

+[Back to list of entity type schemas](#list-of-entity-type-schemas) | [Back to entity identifiers table](#entity-types-and-identifiers)

+### Host

+| **Type** | String | 'host' |

+| **IpInterfaces** | List<Entity ([Ip](#ip))> | List of all IP interfaces on the host machine. |

+| **DnsDomain** | String | The DNS domain that this host belongs to. Should contain the complete DNS suffix for the domain, if known. |

+| **NTDomain** | String | The NT domain that this host belongs to. |

+| **HostName** | String | The hostname without the domain suffix. |

+| **NetBiosName** | String | The host name (pre-Windows 2000). |

+| **IoTDevice** | Entity ([IoT Device](#iot-device)) | The IoT Device entity (if this host represents an IoT Device). |

+| **AzureID** | String | The Azure resource ID of the VM, if known. |

+| **OMSAgentID** | String | The OMS agent ID, if the host has OMS agent installed. |

+| **OSFamily** | Enum? | One of the following values: <li>Linux<li>Windows<li>Android<li>IOS<li>Mac |

+| **OSVersion** | String | A free-text representation of the operating system.<br>This field is meant to hold specific versions the are more fine-grained than OSFamily, or future values not supported by OSFamily enumeration. |

+| **IsDomainJoined** | Bool | Indicates whether this host belongs to a domain. |

+#### Strong identifiers of a host entity

+- **HostName + NTDomain**

+- **HostName + DnsDomain**

+- **NetBiosName + NTDomain**

+- **NetBiosName + DnsDomain**

+- **AzureID**

+- **OMSAgentID**

+- ***IoTDevice***

+#### Weak identifiers of a host entity

+[Back to list of entity type schemas](#list-of-entity-type-schemas) | [Back to entity identifiers table](#entity-types-and-identifiers)

+### IP

+| **Type** | String | 'ip' |

+| **Address** | String | The IP address as string, for example. 127.0.0.1 (either in IPv4 or IPv6). |

+| **AddressScope** | String | Name of the host, subnet, or private network for private, non-global IP addresses. Null or empty for global IP addresses (default). |

+| **Location** | GeoLocation | The geo-location context attached to the IP entity. <br><br>For more information, see also [Enrich entities in Microsoft Sentinel with geolocation data via REST API (Public preview)](geolocation-data-api.md). |

+| **Stream** | Stream | The source of discovery logs related to the specific IP. Optional. |

+#### Strong identifiers of an IP entity

+- **Address**

+\*\* Address alone is a unique, strong identifier when the IP address is a global address.

+- **Address + AddressScope**

+\*\* For private/internal, non-global IP addresses, the AddressScope component is required to make this a strong identifer.

+[Back to list of entity type schemas](#list-of-entity-type-schemas) | [Back to entity identifiers table](#entity-types-and-identifiers)

+### Malware

+| **Type** | String | 'malware' |

+| **Name** | String | The malware name assigned by the (detection?) vendor, such as `Win32/Toga!rfn`. |

+| **Category** | String | The malware category assigned by the (detection?) vendor, for example. Trojan. |

+| **Files** | List\<Entity ([File](#file))> | List of linked file entities on which the malware was found. Can contain the File entities inline or as reference.<br>See the [File](#file) entity for more details on structure. |

+| **Processes** | List\<Entity ([Process](#process))> | List of linked process entities on which the malware was found. This would often be used when the alert triggered on fileless activity.<br>See the [Process](#process) entity for more details on structure. |

+#### Strong identifiers of a malware entity

+- **Name + Category**

+[Back to list of entity type schemas](#list-of-entity-type-schemas) | [Back to entity identifiers table](#entity-types-and-identifiers)

+### File

+| **Type** | String | 'file' |

+| **Directory** | String | The full path to the file. |

+| **Name** | String | The file name without the path (some alerts might not include path). |

+| **AlternateDataStreamName** | String | The file stream name in NTFS filesystem (null for the main stream). |

+| **Host** | Entity ([Host](#host)) | The host on which the file was stored. |

+| **HostUrl** | Entity ([URL](#url)) | URL where the file was downloaded from <br>([Mark of the Web](/deployedge/per-site-configuration-by-policy)). |

+| **WindowsSecurityZoneType** | WindowsSecurityZone | Windows Security Zone to which the URL belongs <br>([Mark of the Web](/deployedge/per-site-configuration-by-policy)). |

+| **ReferrerUrl** | Entity ([URL](#url)) | Referrer URL of the file download HTTP request <br>([Mark of the Web](/deployedge/per-site-configuration-by-policy)). |

+| **SizeInBytes** | Long? | The size of the file in bytes. |

+| **FileHashes** | List\<Entity ([FileHash](#file-hash))> | The file hashes associated with this file. |

+#### Strong identifiers of a file entity

+- **Name + Directory**

+- **Name + *FileHash***

+- **Name + Directory + *FileHash***

+[Back to list of entity type schemas](#list-of-entity-type-schemas) | [Back to entity identifiers table](#entity-types-and-identifiers)

+### Process

+| **Type** | String | 'process' |

+| **ProcessId** | String | The process ID. |

+| **CommandLine** | String | The command line used to create the process. |

+| **ElevationToken** | Enum? | The elevation token associated with the process.<br>Possible values:<li>TokenElevationTypeDefault<li>TokenElevationTypeFull<li>TokenElevationTypeLimited |

+| **CreationTimeUtc** | DateTime? | The time when the process started to run. |

+| **ImageFile** | Entity ([File](#file)) | Can contain the File entity inline or as reference.<br>See the [File](#file) entity for more details on structure. |

+| **Account** | Entity ([Account](#account)) | The account running the processes.<br>Can contain the Account entity inline or as reference.<br>See the [Account](#account) entity for more details on structure. |

+| **ParentProcess** | Entity ([Process](#process)) | The parent process entity. <br>Can contain partial data, for example, only the PID. |

+| **Host** | Entity ([Host](#host)) | The host on which the process was running. |

+| **LogonSession** | Entity (HostLogonSession) | The session in which the process was running. |

+#### Strong identifiers of a process entity

+- ***Host* + ProcessId + CreationTimeUtc**

+- ***Host* + *ParentProcessId* + CreationTimeUtc + CommandLine**

+- ***Host* + ProcessId + CreationTimeUtc + *ImageFile***

+- ***Host* + ProcessId + CreationTimeUtc + *ImageFile.FileHash***

+#### Weak identifiers of a process entity

+- ProcessId + CreationTimeUtc + *ImageFile* (and no Host)

+[Back to list of entity type schemas](#list-of-entity-type-schemas) | [Back to entity identifiers table](#entity-types-and-identifiers)

+### Cloud application

+| **Type** | String | 'cloud-application' |

+| **AppId** | Int | Deprecated; use SaasId field instead. The technical identifier of the application. Possible values are those defined in the list of [cloud application identifiers](#cloud-application-identifiers). Value optional. Should not contain InstanceId. |

+| **SaasId** | Int | Replaces deprecated AppId field. The technical identifier of the application. Possible values are those defined in the list of [cloud application identifiers](#cloud-application-identifiers). Value optional. Should not contain InstanceId. |

+| **Name** | String | The name of the related cloud application. Value optional. |

+| **InstanceName** | String | The user-defined instance name of the cloud application. It is often used to distinguish between several applications of the same type that a customer has. |

+| **InstanceId** | Int | The identifier of the specific session of the application. This is a zero-based running number. Value optional. |

+| **Risk** | AppRisk? | Lets you filter apps by risk score so that you can focus on, for example, reviewing only highly risky apps. Possible values like Low, Medium, High or Unknown. |

+| **Stream** | Stream | The source of discovery logs related to the specific cloud app. Optional. |

+#### Strong identifiers of a cloud application entity

+- **AppId (without InstanceName)**

+- **Name (without InstanceName)**

+- **AppId + InstanceName**

+- **Name + InstanceName**

+[List of cloud application identifiers](#cloud-application-identifiers)

+[Back to list of entity type schemas](#list-of-entity-type-schemas) | [Back to entity identifiers table](#entity-types-and-identifiers)

+### DNS resolution

+| **Type** | String | 'dns' |

+| **DomainName** | String | The name of the DNS record associated with the alert. |

+| **IpAddress** | List\<Entity ([IP](#ip))> | Entities corresponding to the resolved IP addresses. |

+| **DnsServerIp** | Entity ([IP](#ip)) | An entity representing the DNS server resolving the request. |

+| **HostIpAddress** | Entity ([IP](#ip)) | An entity representing the DNS request client. |

+#### Strong identifiers of a DNS entity

+- **DomainName + *DnsServerIp* + *HostIpAddress***

+#### Weak identifiers of a DNS entity

+- DomainName + *HostIpAddress*

+[Back to list of entity type schemas](#list-of-entity-type-schemas) | [Back to entity identifiers table](#entity-types-and-identifiers)

+### Azure resource

+| **Type** | String | 'azure-resource' |

+| **ResourceId** | String | The Azure resource ID of the resource. Mandatory. |

+| **SubscriptionId** | String | The subscription ID of the resource. |

+| **ActiveContacts** | List\<ActiveContact> | Active contacts associated with the resource. |

+| **ResourceType** | String | The type of the resource. |

+| **ResourceName** | String | The name of the resource. |

+#### Strong identifiers of an Azure resource entity

+- **ResourceId**

+[Back to list of entity type schemas](#list-of-entity-type-schemas) | [Back to entity identifiers table](#entity-types-and-identifiers)

+### File hash

+| **Type** | String | 'filehash' |

+| **Algorithm** | Enum | The hash algorithm type. Mandatory. Possible values:<li>Unknown<li>MD5<li>SHA1<li>SHA256<li>SHA256AC |

+| **Value** | String | The hash value. Mandatory. |

+#### Strong identifiers of a file hash entity

+- **Algorithm + Value**

+[Back to list of entity type schemas](#list-of-entity-type-schemas) | [Back to entity identifiers table](#entity-types-and-identifiers)

+### Registry key

+| **Type** | String | 'registry-key' |

+| **Hive** | Enum? | One of the following values:<li>HKEY_LOCAL_MACHINE<li>HKEY_CLASSES_ROOT<li>HKEY_CURRENT_CONFIG<li>HKEY_USERS<li>HKEY_CURRENT_USER_LOCAL_SETTINGS<li>HKEY_PERFORMANCE_DATA<li>HKEY_PERFORMANCE_NLSTEXT<li>HKEY_PERFORMANCE_TEXT<li>HKEY_A<li>HKEY_CURRENT_USER |

+| **Key** | String | The registry key path. |

+#### Strong identifiers of a registry key entity

+- **Hive + Key**

+[Back to list of entity type schemas](#list-of-entity-type-schemas) | [Back to entity identifiers table](#entity-types-and-identifiers)

+### Registry value

+| **Type** | String | 'registry-value' |

+| **Host** | Entity ([Host](#host)) | The host that the registry belongs to. |

+| **Key** | Entity ([RegistryKey](#registry-key)) | The registry key entity. |

+| **Name** | String | The registry value name. |

+| **Value** | String | String-formatted representation of the value data. |

+| **ValueType** | Enum? | One of the following values:<li>String<li>Binary<li>DWord<li>Qword<li>MultiString<li>ExpandString<li>None<li>Unknown<br>Values should conform to Microsoft.Win32.RegistryValueKind enumeration. |

+#### Strong identifiers of a registry value entity

+- ***Key* + Name**

+#### Weak identifiers of a registry value entity

+[Back to list of entity type schemas](#list-of-entity-type-schemas) | [Back to entity identifiers table](#entity-types-and-identifiers)

+### Security group

+| **Type** | String | 'security-group' |

+| **DistinguishedName** | String | The group distinguished name. |

+| **SID** | String | A single-value attribute that specifies the security identifier (SID) of the group. |

+| **ObjectGuid** | Guid? | A single-value attribute that is the unique identifier for the object, assigned by Active Directory. |

+#### Strong identifiers of a security group entity

+- **DistinguishedName**

+- **SID**

+- **ObjectGuid**

+[Back to list of entity type schemas](#list-of-entity-type-schemas) | [Back to entity identifiers table](#entity-types-and-identifiers)

+### URL

+| Url | Uri | A full URL the entity points to. Mandatory. |

+#### Strong identifiers of a URL entity

+- **Url** (\*\* This identifier is strong when the URL is an absolute URL.)

+#### Weak identifiers of a URL entity

+- Url (\*\* This identifier is weak when the URL is a relative URL.)

+[Back to list of entity type schemas](#list-of-entity-type-schemas) | [Back to entity identifiers table](#entity-types-and-identifiers)

+### IoT device

+| **Type** | String | 'iotdevice' |

+| **IoTHub** | Entity ([AzureResource](#azure-resource)) | The AzureResource entity representing the IoT Hub the device belongs to. |

+| **DeviceId** | String | The ID of the device in the context of the IoT Hub. Mandatory. |

+| **DeviceName** | String | The friendly name of the device. |

+| **Owners** | List\<String> | The owners for the device. |

+| **IoTSecurityAgentId** | Guid? | The ID of the *Defender for IoT* agent running on the device. |

+| **DeviceType** | String | The type of the device ('temperature sensor', 'freezer', 'wind turbine' etc.). |

+| **DeviceTypeId** | String | A unique ID to identify each device type according to the device type schema, as the device type itself is a display name and not reliable in comparisons.<br><br>Possible values:<br>Unclassified = 0<br>Miscellaneous = 1<br>Network Device = 2<br>Printer = 3<br>Audio and Video = 4<br>Media and Surveillance = 5<br>Communication = 7<br>Smart Appliance = 9<br>Workstation = 10<br>Server = 11<br>Mobile = 12<br>Smart Facility = 13<br>Industrial = 14<br>Operational Equipment = 15 |

+| **Source** | String | The source (Microsoft/Vendor) of the device entity. |

+| **SourceRef** | Entity ([Url](#url)) | A URL reference to the source item where the device is managed. |

+| **Manufacturer** | String | The manufacturer of the device. |

+| **Model** | String | The model of the device. |

+| **OperatingSystem** | String | The operating system the device is running. |

+| **IpAddress** | Entity ([IP](#ip)) | The current IP address of the device. |

+| **MacAddress** | String | The MAC address of the device. |

+| **Nics** | Entity (Nic) | The current NICs on the device. |

+| **Protocols** | List\<String> | A list of protocols that the device supports. |

+| **SerialNumber** | String | The serial number of the device. |

+| **Site** | String | The site location of the device. |

+| **Zone** | String | The zone location of the device within a site. |

+| **Sensor** | String | The sensor monitoring the device. |

+| **Importance** | Enum? | One of the following values:<li>Low<li>Normal<li>High |

+| **PurdueLayer** | String | The Purdue Layer of the device. |

+| **IsProgramming** | Bool? | Indicates whether the device classified as programming device. |

+| **IsAuthorized** | Bool? | Indicates whether the device classified as authorized device. |

+| **IsScanner** | Bool? | Indicates whether the device classified as a scanner device. |

+| **DevicePageLink** | Entity ([Url](#url)) | A URL to the device page in Defender for IoT portal. |

+| **DeviceSubType** | String | The name of the device subtype. |

+#### Strong identifiers of an IoT device entity

+- **IoTHub + DeviceId**

+#### Weak identifiers of an IoT device entity

+[Back to list of entity type schemas](#list-of-entity-type-schemas) | [Back to entity identifiers table](#entity-types-and-identifiers)

+### Mailbox

+| **Type** | String | 'mailbox' |

+| **MailboxPrimaryAddress** | String | The mailbox's primary address. |

+| **DisplayName** | String | The mailbox's display name. |

+| **Upn** | String | The mailbox's UPN. |

+| **AadId** | String | The mailbox's Azure AD identifier of the user. |

+| **RiskLevel** | RiskLevel? | The risk level of this mailbox. Possible values:<li>None<li>Low<li>Medium<li>High |

+| **ExternalDirectoryObjectId** | Guid? | The AzureAD identifier of mailbox. Similar to AadUserId in the Account entity, but this property is specific to mailbox object on the Office side. |

+#### Strong identifiers of a mailbox entity

+- **MailboxPrimaryAddress**

+[Back to list of entity type schemas](#list-of-entity-type-schemas) | [Back to entity identifiers table](#entity-types-and-identifiers)

+### Mail cluster

+*Entity name: MailCluster*

+| **Type** | String | 'mail-cluster' |

+| **NetworkMessageIds** | IList\<String> | The mail message IDs that are part of the mail cluster. |

+| **CountByDeliveryStatus** | IDictionary\<String,Int> | Count of mail messages by DeliveryStatus string representation. |

+| **CountByThreatType** | IDictionary\<String,Int> | Count of mail messages by ThreatType string representation. |

+| **CountByProtectionStatus** | IDictionary\<String,long> | Count of mail messages by Protection status string representation. |

+| **CountByDeliveryLocation** | IDictionary\<String,long> | Count of mail messages by Delivery location string representation. |

+| **Threats** | IList\<String> | The threats of mail messages that are part of the mail cluster. |

+| **Query** | String | The query that was used to identify the messages of the mail cluster. |

+| **QueryTime** | DateTime? | The query time. |

+| **MailCount** | Int? | The number of mail messages that are part of the mail cluster. |

+| **IsVolumeAnomaly** | Bool? | Indicates whether the mail cluster is a volume anomaly mail cluster. |

+| **Source** | String | The source of the mail cluster (default is `O365 ATP`). |

+#### Strong identifiers of a mail cluster entity

+- **Query + Source**

+[Back to list of entity type schemas](#list-of-entity-type-schemas) | [Back to entity identifiers table](#entity-types-and-identifiers)

+### Mail message

+| **Type** | String | 'mail-message' |

+| **Files** | IList\<Entity ([File](#file))> | The File entities of this mail message's attachments. |

+| **Recipient** | String | The recipient of this mail message. In the case of multiple recipients, the mail message is copied, and each copy has one recipient. |

+| **Urls** | IList\<String> | The URLs contained in this mail message. |

+| **Threats** | IList\<String> | The threats contained in this mail message. |

+| **Sender** | String | The sender's email address. |

+| **SenderIP** | String | The sender's IP address. |

+| **ReceivedDate** | DateTime | The received date of this message. |

+| **NetworkMessageId** | Guid? | The network message ID of this mail message. |

+| **InternetMessageId** | String | The internet message ID of this mail message. |

+| **Subject** | String | The subject of this mail message. |

+| **AntispamDirection** | Enum? | The directionality of this mail message. Possible values:<li>Unknown<li>Inbound<li>Outbound<li>Intraorg (internal) |

+| **DeliveryAction** | Enum? | The delivery action of this mail message. Possible values:<li>Unknown<li>DeliveredAsSpam<li>Delivered<li>Blocked<li>Replaced |

+| **DeliveryLocation** | Enum? | The delivery location of this mail message. Possible values:<li>Unknown<li>Inbox<li>JunkFolder<li>DeletedFolder<li>Quarantine<li>External<li>Failed<li>Dropped<li>Forwarded |

+| **CampaignId** | String | The identifier of the campaign in which this mail message is present. |

+| **SuspiciousRecipients** | IList\<String> | The list of recipients who were detected as suspicious. |

+| **ForwardedRecipients** | IList\<String> | The list of all recipients on the forwarded mail. |

+| **ForwardingType** | IList\<String> | The forwarding type of the mail, such as SMTP, ETR, etc. |

+#### Strong identifiers of a mail message entity

+- **NetworkMessageId + Recipient**

+[Back to list of entity type schemas](#list-of-entity-type-schemas) | [Back to entity identifiers table](#entity-types-and-identifiers)

+### Submission mail

+| **Type** | String | 'SubmissionMail' |

+| **SubmissionId** | Guid? | The Submission ID. |

+| **SubmissionDate** | DateTime? | Reported Date time for this submission. |

+| **Submitter** | String | The submitter email address. |

+| **NetworkMessageId** | Guid? | The network message ID of email to which submission belongs. |

+| **Timestamp** | DateTime? | The Time stamp when the message is received (Mail). |

+| **Recipient** | String | The recipient of the mail. |

+| **Sender** | String | The sender of the mail. |

+| **SenderIp** | String | The sender's IP. |

+| **Subject** | String | The subject of submission mail. |

+| **ReportType** | String | The submission type for the given instance. Possible values are Junk, Phish, Malware, or NotJunk. |

+#### Strong identifiers of a SubmissionMail entity

+- **SubmissionId, Submitter, NetworkMessageId, Recipient**

+[Back to list of entity type schemas](#list-of-entity-type-schemas) | [Back to entity identifiers table](#entity-types-and-identifiers)

+### Sentinel entities

+| **Entities** | String | A list of the entities identified in the alert. This list is the **entities** column from the SecurityAlert schema ([see documentation](security-alert-schema.md)). |

+[Back to list of entity type schemas](#list-of-entity-type-schemas) | [Back to entity identifiers table](#entity-types-and-identifiers)

+|**US**<br><br>ΓÇó Central US<br>ΓÇó Central US EUAP<br>ΓÇó East US<br>ΓÇó East US 2<br>ΓÇó East US 2 EUAP<br>ΓÇó North Central US<br>ΓÇó South Central US<br>ΓÇó West US<br>ΓÇó West US 2<br>ΓÇó West US 3<br>ΓÇó West Central US<br>ΓÇó USNat East<br>ΓÇó USNat West<br>ΓÇó USSec East<br>ΓÇó USSec West<br><br>**Azure government**<br><br>ΓÇó USGov Non-Regional<br>ΓÇó USGov Arizona<br>ΓÇó USGov Texas<br>ΓÇó USGov Virginia<br><br>**Canada**<br><br>ΓÇó Canada Central<br>ΓÇó Canada East |ΓÇó Brazil South<br>ΓÇó Brazil Southeast |ΓÇó East Asia<br>ΓÇó Southeast Asia<br>ΓÇó Qatar Central<br><br>**Japan**<br><br>ΓÇó Japan East<br>ΓÇó Japan West<br><br>**China 21Vianet**<br><br>ΓÇó China East 2<br><br>**India**<br><br>ΓÇó Central India<br>ΓÇó South India<br>ΓÇó West India<br>ΓÇó Jio India West<br>ΓÇó Jio India Central<br><br>**Korea**<br><br>ΓÇó Korea Central<br>ΓÇó Korea South<br><br>**UAE**<br><br>ΓÇó UAE Central<br>ΓÇó UAE North |ΓÇó North Europe<br>ΓÇó West Europe<br><br>**France**<br><br>ΓÇó France Central<br>ΓÇó France South<br><br>**Germany**<br><br>ΓÇó Germany West Central<br>ΓÇó Germany North<br><br>**Norway**<br><br>ΓÇó Norway East<br>ΓÇó Norway West<br><br>**Switzerland**<br><br>ΓÇó Switzerland North<br>ΓÇó Switzerland West<br><br>**UK**<br><br>ΓÇó UK South<br>ΓÇó UK West |ΓÇó Australia Central<br>Australia Central 2<br>ΓÇó Australia East<br>ΓÇó Australia Southeast |ΓÇó South Africa North<br>ΓÇó South Africa West |

+- [Account](entities-reference.md#account)

+- [IP](entities-reference.md#ip)

+- [DNS](entities-reference.md#dns-resolution)

+In order to authenticate to Microsoft Sentinel, the request to the upload indicators API requires a valid Microsoft Entra access token. For more information on application registration, see [Register an application with the Microsoft identity platform](/entr#register-an-azure-ad-application) setup.

+Acquire a Microsoft Entra access token with [OAuth 2.0 authentication](../active-directory/fundamentals/auth-oauth2.md). [V1.0 and V2.0](/entra/identity-platform/access-tokens#token-formats) are valid tokens accepted by the API.

+The version of the token (v1.0 or v2.0) that your application receives is determined by the `accessTokenAcceptedVersion` property in the [app manifest](/entra/identity-platform/reference-app-manifest#manifest-reference) of the API that your application is calling. If `accessTokenAcceptedVersion` is set to 1, then your application will receive a v1.0 token.

+Use Microsoft Authentication Library [MSAL](/entra/identity-platform/msal-overview) to acquire either a v1.0 or v2.0 access token. Or, send requests to the REST API in the following format:

+If `accessTokenAcceptedVersion` in the app manifest is set to 1, your application will receive a v1.0 access token even though it's calling the v2 token endpoint.

+|`pattern` (required) | string | The detection pattern for this indicator *might* be expressed as a [STIX Patterning](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_e8slinrhxcc9) or another appropriate language such as SNORT, YARA, etc. |

+|`lang` (optional) | string | The `lang` property identifies the language of the text content in this object. When present, it *must* be a language code conformant to [RFC5646](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#kix.yoz409d7eis1). If the property isn't present, then the language of the content is `en` (English).<br><br>This property *should* be present if the object type contains translatable text properties (for example, name, description).<br><br>The language of individual fields in this object *might* override the `lang` property in granular markings (see section [7.2.3](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_robezi5egfdr)).|

+|`object_marking_refs` (optional, including TLP) | list of strings | The `object_marking_refs` property specifies a list of ID properties of marking-definition objects that apply to this object. For example, use the Traffic Light Protocol (TLP) marking definition ID to designate the sensitivity of the indicator source. For details of what marking-definition IDs to use for TLP content, see section [7.2.1.4](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_yd3ar14ekwrs)<br><br>In some cases, though uncommon, marking definitions themselves might be marked with sharing or handling guidance. In this case, this property *must not* contain any references to the same Marking Definition object (that is, it can't contain any circular references).<br><br>See section [7.2.2](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_bnienmcktc0n) for further definition of data markings.|

+|`granular_markings` (optional) | list of [granular-marking](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_robezi5egfdr) | The `granular_markings` property helps define parts of the indicator differently. For example, the indicator language is English, `en` but the description is German, `de`.<br><br>In some cases, though uncommon, marking definitions themselves might be marked with sharing or handling guidance. In this case, this property *must not* contain any references to the same Marking Definition object (i.e., it can't contain any circular references).<br><br>See section [7.2.3](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_robezi5egfdr) for further definition of data markings.|

+- [Microsoft Applied Skill - Configure SIEM security operations using Microsoft Sentinel](#microsoft-applied-skill-available-for-microsoft-sentinel)

+### Microsoft Applied Skill available for Microsoft Sentinel

+This month Microsoft Worldwide Learning announced [Applied Skills](https://techcommunity.microsoft.com/t5/microsoft-learn-blog/announcing-microsoft-applied-skills-the-new-credentials-to/ba-p/3775645) to help you acquire the technical skills you need to reach your full potential. Microsoft Sentinel is included in the initial set of credentials offered! This credential is based on the learning path with the same name.

+- **Learning path** - [Configure SIEM security operations using Microsoft Sentinel](/training/paths/configure-security-information-event-management-operations-using-microsoft-sentinel/)

+ <br>Learn at your own pace, and the modules require you to have your own Azure subscription.

+- **Applied Skill** - [Configure SIEM security operations using Microsoft Sentinel](/credentials/applied-skills/configure-siem-security-operations-using-microsoft-sentinel/)

+ <br>A 2 hour assessment is contained in a sandbox virtual desktop. You are provided an Azure subscription with some features already configured.

+> To understand costs associated with Azure Monitor, see [Azure Monitor cost and usage](../azure-monitor/cost-usage.md). To understand the time it takes for your data to appear in Azure Monitor, see [Log data ingestion time](../azure-monitor/logs/data-ingestion-time.md).

+#### Sample code

+#### Sample code

+#### Sample code

+This page shows supported authentication methods and clients, and shows sample code you can use to connect Azure Service Bus to other cloud services using Service Connector. You might still be able to connect to Service Bus in other programming languages without using Service Connector.

+Use the connection details below to connect compute services to Service Bus. This page also shows default environment variable names and values or Spring Boot configuration you get when you create service connections, as well as sample code. For each example below, replace the placeholder texts `<Service-Bus-namespace>`, `<access-key-name>`, `<access-key-value>` `<client-ID>`, `<client-secret>`, and `<tenant-id>` with your own Service Bus namespace, shared access key name, shared access key value, client ID, client secret and tenant ID. For more information about naming conventions, check the [Service Connector internals](concept-service-connector-internals.md#configuration-naming-convention) article.

+### System-assigned managed identity

+#### SpringBoot client type

+| Default environment variable name | Description | Sample value |

+|--|--|--|

+| spring.cloud.azure.servicebus.namespace | Service Bus namespace | `<Service-Bus-namespace>.servicebus.windows.net` |

+#### Other client types

+#### Sample code

+Refer to the steps and code below to connect to Service Bus using a system-assigned managed identity.

+### User-assigned managed identity

+#### SpringBoot client type

+| Default environment variable name | Description | Sample value |

+|--|--|--|

+| spring.cloud.azure.servicebus.namespace | Service Bus namespace | `<Service-Bus-namespace>.servicebus.windows.net` |

+| spring.cloud.azure.client-id | Your client ID | `<client-ID>` |

+#### Other client types

+#### Sample code

+Refer to the steps and code below to connect to Service Bus using a user-assigned managed identity.

+### Connection string

+#### SpringBoot client type

+#### Other client types

+> [!div class="mx-tdBreakAll"]

+> |Default environment variable name | Description | Sample value |

+> | -- | -- | |

+> | AZURE_SERVICEBUS_CONNECTIONSTRING | Service Bus connection string | `Endpoint=sb://<Service-Bus-namespace>.servicebus.windows.net/;SharedAccessKeyName=<access-key-name>;SharedAccessKey=<access-key-value>` |

+#### Sample code

+Refer to the steps and code below to connect to Service Bus using a connection string.

+### Service principal

+#### SpringBoot client type

+#### Other client types

+| Default environment variable name | Description | Sample value |

+| --| | -- |

+| AZURE_SERVICEBUS_FULLYQUALIFIEDNAMESPACE | Service Bus namespace | `<Service-Bus-namespace>.servicebus.windows.net` |

+| AZURE_SERVICEBUS_CLIENTID | Your client ID | `<client-ID>` |

+| AZURE_SERVICEBUS_CLIENTSECRET | Your client secret | `<client-secret>` |

+| AZURE_SERVICEBUS_TENANTID | Your tenant ID | `<tenant-id>` |

+#### Sample code

+Refer to the steps and code below to connect to Service Bus using a service principal.

+### Set up your environment

+## Deploy the application to an Azure hosting service

+Finally, deploy your application to an Azure hosting service. That source service can use a managed identity to connect to the target database on Azure.

+### [App Service](#tab/appservice)

+For Azure App Service, you can deploy the application code via the `az webapp deploy` command. For more information, see [Quickstart: Deploy an ASP.NET web app](../app-service/quickstart-dotnetcore.md).

+### [Spring Apps](#tab/springapp)

+For Azure Spring Apps, you can deploy the application code via the `az spring app deploy` command. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](../spring-apps/quickstart.md).

+### [Container Apps](#tab/containerapp)

+For Azure Container Apps, you can deploy the application code via the `az containerapp create` command. For more information, see [Quickstart: Deploy your first container app](../container-apps/get-started.md).

+Then you can check the log or call the application to see if it can connect to the Azure database successfully.

+If you encounter any permission-related errors, confirm the Azure CLI signed-in user with the command `az account show`. Make sure you log in with the correct account. Next, confirm that you have the following permissions that might be required to create a passwordless connection with Service Connector.

+If you don't log in interactively, you might also get the error and `Interactive authentication is needed`. To resolve the error, log in with the `az login` command.

+#### Network connectivity

+If your database server is in Virtual Network, ensure your environment that runs the Azure CLI command can access the server in the Virtual Network.

+If your database server is in Virtual Network, ensure your environment that runs the Azure CLI command can access the server in the Virtual Network.

+If your database server disallows public access, ensure your environment that runs the Azure CLI command can access the server through the private endpoint.

+Public IP addresses serve two purposes in Azure. First, they allow inbound communication from Internet resources to Azure resources. Secondly, they enable Azure resources to communicate outbound to the Internet and public-facing Azure services that have an IP address assigned to the resource.

+- Allow inbound communication from the Internet to the resource, such as Azure Virtual Machines (VM), Azure Application Gateways, Azure Load Balancers, Azure VPN Gateways, and others. You can still communicate with some resources, such as VMs, from the Internet, if a VM doesn't have a public IP address assigned to it, as long as the VM is part of a load balancer back-end pool, and the load balancer is assigned a public IP address.

+- Learn about [Traffic Manager with Azure Site Recovery](../site-recovery/concepts-traffic-manager-with-site-recovery.md)

+- Learn about Traffic Manager [routing methods](../traffic-manager/traffic-manager-routing-methods.md).

+description: Summarizes the advantages of using Azure Migrate for migration instead of Site Recovery.

+For migration, we recommend that you use the Azure Migrate service to migrate your VMs and servers to Azure, instead of using Azure Site Recovery service. Learn about [Azure Migrate](../migrate/migrate-services-overview.md).

+Using Azure Migrate for migration provides many advantages:

+- Azure Migrate can be used to identify modernization opportunities and migration previews.

+- Some key features like OS upgrade are only available with Azure Migrate

+## Which service to use for migration?

+

+We recommend using Azure Migrate to migrate on-premises servers to Azure. However, if you've already started your migration journey with Site Recovery, consider the following details:

+- If you're already using Azure Site Recovery to replicate your servers, you don't need to deploy a Migrate appliance. Remove the BCDR protection, and replicate with a new appliance.

+- However, there are benefits to conducting assessment, dependency analysis, and business case review with the Azure Migrate discovery appliance even for workloads that are already replicating.

+- There could be architecture changes required to support the workload in the long term. In this case, address the requirements while continuing to use Azure Site Recovery to replicate so that you don't lose protections.

+## Conclusion

+Suggestions to choose between Azure Migrate and Site Recovery: