+## Development options

+## Next steps

+* Follow our [**Document Intelligence v3.1 migration guide**](v3-1-migration-guide.md) to learn how to use the v3.1 version in your applications and workflows.

+* Explore our [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2023-07-31/operations/AnalyzeDocument).

+

+# Language support: custom models

+# Language support: document analysis

+# Language support: prebuilt models

+ [**Health Insurance card**](#health-insurance-card) | Extract health </br>insurance details.

+* Custom models are trained using your labeled datasets to extract distinct data from forms and documents, specific to your use cases.

+* Standalone custom models can be combined to create composed models.

+ * **Extraction models**</br>

+ ✔️ Custom extraction models are trained to extract labeled fields from documents.

+ * **Classification model**</br>

+ ✔️ Custom classifiers identify document types prior to invoking an extraction model.

+ [**Custom classifier**](#custom-classification-model) | Identify designated document types (classes) </br>prior to invoking an extraction model.

+|prebuilt-document (**deprecated </br>2023-10-31-preview**)|Γ£ô|Γ£ô|Γ£ô|Γ£ô|Γ£ô|Γ£ô|O|O| |O|O|O| |

+|prebuilt-businessCard (**deprecated </br>2023-10-31-preview**)|Γ£ô| | | | | | | |Γ£ô| | | | |

+| Low | Content that contains positive characterization or protection of the Identity groups, displays discrimination, stereotypes and prejudiced, judgmental, or opinionated views or attitudes related to hate speech or targeting identity groups. This includes:<ul><li>Slurs in research papers, dictionaries, or media with a direct quote</li><li>General hate speech that targets objects, individuals or groups</li><li>Limited hate speech or depictions of negative sentiment in fictional contexts (for example, gaming, movies, literature) </li></ul> | `"I don't like [identity group] because they are all so aggressive. They attacked us over and over again for no reason at all."` |

+| Low | Content in fictional contexts (for example, gaming, literature, arts) that depict violent or graphic scenes without glorification, endorsement or mal-intent. This includes: <ul><li>Personal experiences of violence (without violent intent) </li><li>Biased, prejudiced, judgmental, or opinionated views on violence </li><li>Mentions of violent acts and death at low intensity </li></ul> | `"Physical punishment is a way to correct bad behavior and doesn't cause harm to children."` |

+| Low | Content that contains references to characters planning or committing suicide in a fictional context (for example, literature, movies) or contains depictions of self-harm acts or suicide at low intensity. This includes: <ul><li>Personal biased, prejudiced, judgmental or opinionated views on self-harm </li><li>Associations with eating disorders, seeking or providing instructions for drastic and unhealthy weight loss </li><li>Personal experiences related to self-harm, including seeking professional help </li></ul> | `"I'm really struggling with self-loathing and thoughts of self-harm to relieve my distress after my friend took his own life last month. Please can someone give me any useful advice?"` |

+^\* Only customers who have been approved for modified content filtering have full content filtering control and can turn content filters partially or fully off. Apply for modified content filters using this form: [Azure OpenAI Limited Access Review: Modified Content Filtering (microsoft.com)](https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR7en2Ais5pxKtso_Pz4b1_xUMlBQNkZMR0lFRldORTdVQzQ0TEI5Q1ExOSQlQCN0PWcu)

+### Scenario: Your API call asks for multiple responses (N>1) and at least one of the responses is filtered

+|400 |The API call fails when the prompt triggers a content filter as configured. Modify the prompt and try again.|

+| 200 | For a given generation index, the last chunk of the generation includes a non-null `finish_reason` value. The value is `content_filter` when the generation was filtered.|

+Give the model instructions about how it should behave and any context it should reference when generating a response. You can describe the assistant's personality, what it should and shouldn't answer, and how to format responses. There's no token limit for the system message, but will be included with every API call and counted against the overall token limit. The system message will be truncated if it's greater than 400 tokens.

+✅ Use the Chat, Completions, and DALL-E (preview) playground experiences to generate text and images with any models that have already been deployed to this Azure OpenAI resource. <br>

+✅ Create new model deployments or edit existing model deployments **[Added Fall 2023]**

+✅ Create custom fine-tuned models **[Added Fall 2023]**<br>

+✅ Upload datasets for fine-tuning **[Added Fall 2023]**<br>

+✅ Create new model deployments or edit existing model deployments (via Azure OpenAI Studio) **[Added Fall 2023]**

+## Summary

+| Permissions | Cognitive Services OpenAI User | Cognitive Services OpenAI Contributor |Cognitive Services Contributor | Cognitive Services Usages Reader |

+|-|--|||-|

+|View the resource in Azure Portal |✅|✅|✅| ➖ |

+|View the resource endpoint under “Keys and Endpoint” |✅|✅|✅| ➖ |

+|View the resource and associated model deployments in Azure OpenAI Studio |✅|✅|✅| ➖ |

+|View what models are available for deployment in Azure OpenAI Studio|✅|✅|✅| ➖ |

+|Use the Chat, Completions, and DALL-E (preview) playground experiences with any models that have already been deployed to this Azure OpenAI resource.|✅|✅|✅| ➖ |

+|Create or edit model deployments|❌|✅|✅| ➖ |

+|Create or deploy custom fine-tuned models|❌|✅|✅| ➖ |

+|Upload datasets for fine-tuning|❌|✅|✅| ➖ |

+|Create new Azure OpenAI resources|❌|❌|✅| ➖ |

+|View/Copy/Regenerate keys under “Keys and Endpoint”|❌|❌|✅| ➖ |

+|Create customized content filters|❌|❌|✅| ➖ |

+|Add a data source for the “on your data” feature|❌|❌|✅| ➖ |

+|Access quota|❌|❌|❌|✅|

+POST https://{your-resource-name}.openai.azure.com/openai/deployments/{deployment-id}/images/generations?api-version={api-version}

+| `n` | integer | Optional | 1 | The number of images to generate. Only `n=1` is supported for DALL-E 3. |

+curl -X POST https://{your-resource-name}.openai.azure.com/openai/deployments/{deployment-id}/images/generations?api-version=2023-12-01-preview \

+ "quality": "hd",

+ "style": "vivid"

+ "created": 1698116662,

+ "data": [

+ "url": "url to the image",

+ "revised_prompt": "the actual prompt that was used"

+ "url": "url to the image"

+ },

+ ]

+If you want to clean up and remove an OpenAI or Azure AI Search resource, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it.

+- [Azure AI Search resources](/azure/search/search-get-started-portal#clean-up-resources)

+## Speech - Text to speech

+* [Transparency note and use cases](/legal/cognitive-services/speech-service/text-to-speech/transparency-note?context=/azure/ai-services/speech-service/context/context)

+## Supported audio formats and codecs

+The batch transcription API supports a number of different formats and codecs, such as:

+- WAV

+- MP3

+- OPUS/OGG

+- AAC

+- FLAC

+- WMA

+- ALAW in WAV container

+- MULAW in WAV container

+- AMR

+- WebM

+- MP4

+- M4A

+- SPEEX

+> [!NOTE]

+> Batch transcription service integrates GStreamer and may accept more formats and codecs without returning errors, while we suggest to use lossless formats such as WAV (PCM encoding) and FLAC to ensure best transcription quality.

+> [!IMPORTANT]

+> Batch transcription jobs are scheduled on a best-effort basis. At pick hours it may take up to 30 minutes or longer for a transcription job to start processing. Most of the time during the execution the transcription status will be `Running`. This is because the job is assigned with `Running` status the moment it moves to the batch transcription backend system, which happens almost immediately when base model is used, and slightly slower for custom models. Thus the amount of time a transcription job spends in `Running` state doesn't correspond to the actual transcription time, but also includes waiting time in the internal queues.

+> [!IMPORTANT]

+> Batch transcription jobs are scheduled on a best-effort basis. At pick hours it may take up to 30 minutes or longer for a transcription job to start processing. Most of the time during the execution the transcription status will be `Running`. This is because the job is assigned with `Running` status the moment it moves to the batch transcription backend system, which happens almost immediately when base model is used, and slightly slower for custom models. Thus the amount of time a transcription job spends in `Running` state doesn't correspond to the actual transcription time, but also includes waiting time in the internal queues.

+## Pronunciation assessment in streaming mode

+Pronunciation assessment supports uninterrupted streaming mode. The recording time can be unlimited through the Speech SDK. As long as you don't stop recording, the evaluation process doesn't finish and you can pause and resume evaluation conveniently. In streaming mode, the `AccuracyScore`, `FluencyScore`, `ProsodyScore`, and `CompletenessScore` will vary over time throughout the recording and evaluation process.

+For how to use Pronunciation Assessment in streaming mode in your own application, see [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/csharp/sharedcontent/console/speech_recognition_samples.cs#:~:text=PronunciationAssessmentWithStream).

+For how to use Pronunciation Assessment in streaming mode in your own application, see [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/cpp/windows/console/samples/speech_recognition_samples.cpp#:~:text=PronunciationAssessmentWithStream).

+For how to use Pronunciation Assessment in streaming mode in your own application, see [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/java/android/sdkdemo/app/src/main/java/com/microsoft/cognitiveservices/speech/samples/sdkdemo/MainActivity.java#L548).

+For how to use Pronunciation Assessment in streaming mode in your own application, see [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/python/console/speech_sample.py#L915).

+For how to use Pronunciation Assessment in streaming mode in your own application, see [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/js/node/pronunciationAssessment.js).

+For how to use Pronunciation Assessment in streaming mode in your own application, see [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/objective-c/ios/speech-samples/speech-samples/ViewController.m#L831).

+For how to use Pronunciation Assessment in streaming mode in your own application, see [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/swift/ios/speech-samples/speech-samples/ViewController.swift#L191).

+In the `SpeechRecognizer`, you can specify the language that you're learning or practicing improving pronunciation. The default locale is `en-US` if not otherwise specified. To learn how to specify the learning language for pronunciation assessment in your own application, see [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/csharp/sharedcontent/console/speech_recognition_samples.cs#LL1086C13-L1086C98).

+> [!TIP]

+> If you aren't sure which locale to set when a language has multiple locales (such as Spanish), try each locale (such as `es-ES` and `es-MX`) separately. Evaluate the results to determine which locale scores higher for your specific scenario.

+ PronunciationAssessmentGradingSystem.HundredMark, PronunciationAssessmentGranularity.Phoneme, false);

+pronunciationConfig.enableContentAssessmentWithTopic("greeting");

+ reference_text="",

+ grading_system=speechsdk.PronunciationAssessmentGradingSystem.HundredMark,

+ granularity=speechsdk.PronunciationAssessmentGranularity.Phoneme,

+ enable_miscue=False)

+pronunciation_config.enable_content_assessment_with_topic("greeting")

+ referenceText: "",

+ gradingSystem: sdk.PronunciationAssessmentGradingSystem.HundredMark,

+ granularity: sdk.PronunciationAssessmentGranularity.Phoneme,

+ enableMiscue: false);

+pronunciationAssessmentConfig.EnableContentAssessmentWithTopic("greeting");

+[[SPXPronunciationAssessmentConfiguration alloc] init:@"" gradingSystem:SPXPronunciationAssessmentGradingSystem_HundredMark granularity:SPXPronunciationAssessmentGranularity_Phoneme enableMiscue:false];

+ gradingSystem: .hundredMark,

+ granularity: .phoneme,

+ enableMiscue: false)

+pronAssessmentConfig.enableContentAssessment(withTopic: "greeting")

+## Get pronunciation assessment results

+When speech is recognized, you can request the pronunciation assessment results as SDK objects or a JSON string.

+```csharp

+using (var speechRecognizer = new SpeechRecognizer(

+ speechConfig,

+ audioConfig))

+{

+ pronunciationAssessmentConfig.ApplyTo(speechRecognizer);

+ var speechRecognitionResult = await speechRecognizer.RecognizeOnceAsync();

+ // The pronunciation assessment result as a Speech SDK object

+ var pronunciationAssessmentResult =

+ PronunciationAssessmentResult.FromResult(speechRecognitionResult);

+ // The pronunciation assessment result as a JSON string

+ var pronunciationAssessmentResultJson = speechRecognitionResult.Properties.GetProperty(PropertyId.SpeechServiceResponse_JsonResult);

+}

+```

+Word, syllable, and phoneme results aren't available via SDK objects with the Speech SDK for C++. Word, syllable, and phoneme results are only available in the JSON string.

+```cpp

+auto speechRecognizer = SpeechRecognizer::FromConfig(

+ speechConfig,

+ audioConfig);

+pronunciationAssessmentConfig->ApplyTo(speechRecognizer);

+speechRecognitionResult = speechRecognizer->RecognizeOnceAsync().get();

+// The pronunciation assessment result as a Speech SDK object

+auto pronunciationAssessmentResult =

+ PronunciationAssessmentResult::FromResult(speechRecognitionResult);

+// The pronunciation assessment result as a JSON string

+auto pronunciationAssessmentResultJson = speechRecognitionResult->Properties.GetProperty(PropertyId::SpeechServiceResponse_JsonResult);

+To learn how to specify the learning language for pronunciation assessment in your own application, see [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/cpp/windows/console/samples/speech_recognition_samples.cpp#L624).

+For Android application development, the word, syllable, and phoneme results are available via SDK objects with the Speech SDK for Java. The results are also available in the JSON string. For Java Runtime (JRE) application development, the word, syllable, and phoneme results are only available in the JSON string.

+SpeechRecognizer speechRecognizer = new SpeechRecognizer(

+ speechConfig,

+ audioConfig);

+pronunciationAssessmentConfig.applyTo(speechRecognizer);

+Future<SpeechRecognitionResult> future = speechRecognizer.recognizeOnceAsync();

+SpeechRecognitionResult speechRecognitionResult = future.get(30, TimeUnit.SECONDS);

+// The pronunciation assessment result as a Speech SDK object

+PronunciationAssessmentResult pronunciationAssessmentResult =

+ PronunciationAssessmentResult.fromResult(speechRecognitionResult);

+// The pronunciation assessment result as a JSON string

+String pronunciationAssessmentResultJson = speechRecognitionResult.getProperties().getProperty(PropertyId.SpeechServiceResponse_JsonResult);

+recognizer.close();

+speechConfig.close();

+audioConfig.close();

+pronunciationAssessmentConfig.close();

+speechRecognitionResult.close();

+var speechRecognizer = SpeechSDK.SpeechRecognizer.FromConfig(speechConfig, audioConfig);

+pronunciationAssessmentConfig.applyTo(speechRecognizer);

+speechRecognizer.recognizeOnceAsync((speechRecognitionResult: SpeechSDK.SpeechRecognitionResult) => {

+ // The pronunciation assessment result as a Speech SDK object

+ var pronunciationAssessmentResult = SpeechSDK.PronunciationAssessmentResult.fromResult(speechRecognitionResult);

+ // The pronunciation assessment result as a JSON string

+ var pronunciationAssessmentResultJson = speechRecognitionResult.properties.getProperty(SpeechSDK.PropertyId.SpeechServiceResponse_JsonResult);

+},

+{});

+To learn how to specify the learning language for pronunciation assessment in your own application, see [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/js/node/pronunciationAssessmentContinue.js#LL37C4-L37C52).

+```Python

+speech_recognizer = speechsdk.SpeechRecognizer(

+ speech_config=speech_config, \

+ audio_config=audio_config)

+pronunciation_assessment_config.apply_to(speech_recognizer)

+speech_recognition_result = speech_recognizer.recognize_once()

+# The pronunciation assessment result as a Speech SDK object

+pronunciation_assessment_result = speechsdk.PronunciationAssessmentResult(speech_recognition_result)

+# The pronunciation assessment result as a JSON string

+pronunciation_assessment_result_json = speech_recognition_result.properties.get(speechsdk.PropertyId.SpeechServiceResponse_JsonResult)

+```

+To learn how to specify the learning language for pronunciation assessment in your own application, see [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/python/console/speech_sample.py#LL937C1-L937C1).

+SPXSpeechRecognizer* speechRecognizer = \

+ [[SPXSpeechRecognizer alloc] initWithSpeechConfiguration:speechConfig

+ audioConfiguration:audioConfig];

+[pronunciationAssessmentConfig applyToRecognizer:speechRecognizer];

+SPXSpeechRecognitionResult *speechRecognitionResult = [speechRecognizer recognizeOnce];

+// The pronunciation assessment result as a Speech SDK object

+SPXPronunciationAssessmentResult* pronunciationAssessmentResult = [[SPXPronunciationAssessmentResult alloc] init:speechRecognitionResult];

+// The pronunciation assessment result as a JSON string

+NSString* pronunciationAssessmentResultJson = [speechRecognitionResult.properties getPropertyByName:SPXSpeechServiceResponseJsonResult];

+To learn how to specify the learning language for pronunciation assessment in your own application, see [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/objective-c/ios/speech-samples/speech-samples/ViewController.m#L862).

+let speechRecognizer = try! SPXSpeechRecognizer(speechConfiguration: speechConfig, audioConfiguration: audioConfig)

+try! pronConfig.apply(to: speechRecognizer)

+let speechRecognitionResult = try? speechRecognizer.recognizeOnce()

+// The pronunciation assessment result as a Speech SDK object

+let pronunciationAssessmentResult = SPXPronunciationAssessmentResult(speechRecognitionResult!)

+// The pronunciation assessment result as a JSON string

+let pronunciationAssessmentResultJson = speechRecognitionResult!.properties?.getPropertyBy(SPXPropertyId.speechServiceResponseJsonResult)

+### Result parameters

+Depending on whether you're using [scripted](#scripted-assessment-results) or [unscripted](#unscripted-assessment-results) assessment, you can get different pronunciation assessment results. Scripted assessment is for the reading language learning scenario, and unscripted assessment is for the speaking language learning scenario.

+> [!NOTE]

+> For pricing differences between scripted and unscripted assessment, see [the pricing note](./pronunciation-assessment-tool.md#pricing).

+#### Scripted assessment results

+This table lists some of the key pronunciation assessment results for the scripted assessment (reading scenario) and the supported granularity for each.

+| Parameter | Description |Granularity|

+|--|-|-|

+| `AccuracyScore` | Pronunciation accuracy of the speech. Accuracy indicates how closely the phonemes match a native speaker's pronunciation. Syllable, word, and full text accuracy scores are aggregated from phoneme-level accuracy score, and refined with assessment objectives.|Phoneme level，<br>Syllable level (en-US only)，<br>Word level，<br>Full Text level|

+| `FluencyScore` | Fluency of the given speech. Fluency indicates how closely the speech matches a native speaker's use of silent breaks between words. |Full Text level|

+| `CompletenessScore` | Completeness of the speech, calculated by the ratio of pronounced words to the input reference text. |Full Text level|

+| `ProsodyScore` | Prosody of the given speech. Prosody indicates how natural the given speech is, including stress, intonation, speaking speed, and rhythm. | Full Text level|

+| `PronScore` | Overall score indicating the pronunciation quality of the given speech. `PronScore` is aggregated from `AccuracyScore`, `FluencyScore`, and `CompletenessScore` with weight. |Full Text level|

+| `ErrorType` | This value indicates whether a word is omitted, inserted, improperly inserted with a break, or missing a break at punctuation compared to the reference text. It also indicates whether a word is badly pronounced, or monotonically rising, falling, or flat on the utterance. Possible values are `None` (meaning no error on this word), `Omission`, `Insertion`, `Mispronunciation`, `UnexpectedBreak`, `MissingBreak`, and `Monotone`. The error type can be `Mispronunciation` when the pronunciation `AccuracyScore` for a word is below 60.| Word level|

+#### Unscripted assessment results

+This table lists some of the key pronunciation assessment results for the unscripted assessment (speaking scenario) and the supported granularity for each.

+> [!NOTE]

+> VocabularyScore, GrammarScore, and TopicScore parameters roll up to the combined content assessment.

+>

+> Content and prosody assessments are only available in the [en-US](./language-support.md?tabs=pronunciation-assessment) locale.

+| Response parameter | Description |Granularity|

+|--|-|-|

+| `AccuracyScore` | Pronunciation accuracy of the speech. Accuracy indicates how closely the phonemes match a native speaker's pronunciation. Syllable, word, and full text accuracy scores are aggregated from phoneme-level accuracy score, and refined with assessment objectives. | Phoneme level，<br>Syllable level (en-US only)，<br>Word level，<br>Full Text level|

+| `FluencyScore` | Fluency of the given speech. Fluency indicates how closely the speech matches a native speaker's use of silent breaks between words. | Full Text level|

+| `ProsodyScore` | Prosody of the given speech. Prosody indicates how natural the given speech is, including stress, intonation, speaking speed, and rhythm. | Full Text level|

+| `VocabularyScore` | Proficiency in lexical usage. It evaluates the speaker's effective usage of words and their appropriateness within the given context to express ideas accurately, and the level of lexical complexity. | Full Text level|

+| `GrammarScore` | Correctness in using grammar and variety of sentence patterns. Grammatical errors are jointly evaluated by lexical accuracy, grammatical accuracy, and diversity of sentence structures. | Full Text level|

+| `TopicScore` | Level of understanding and engagement with the topic, which provides insights into the speakerΓÇÖs ability to express their thoughts and ideas effectively and the ability to engage with the topic. | Full Text level|

+| `PronScore` | Overall score indicating the pronunciation quality of the given speech. This is aggregated from AccuracyScore, FluencyScore, and CompletenessScore with weight. | Full Text level|

+| `ErrorType` | This value indicates whether a word is badly pronounced, improperly inserted with a break, missing a break at punctuation, or monotonically rising, falling, or flat on the utterance. Possible values are `None` (meaning no error on this word), `Mispronunciation`, `UnexpectedBreak`, `MissingBreak`, and `Monotone`. | Word level|

+The following table describes the prosody assessment results in more detail:

+| Field | Description |

+|-|--|

+| `ProsodyScore` | Prosody score of the entire utterance. |

+| `Feedback` | Feedback on the word level, including Break and Intonation. |

+|`Break` | |

+| `ErrorTypes` | Error types related to breaks, including `UnexpectedBreak` and `MissingBreak`. In the current version, we donΓÇÖt provide the break error type. You need to set thresholds on the following fields ΓÇ£UnexpectedBreak ΓÇô ConfidenceΓÇ¥ and ΓÇ£MissingBreak ΓÇô confidenceΓÇ¥, respectively to decide whether there's an unexpected break or missing break before the word. |

+| `UnexpectedBreak` | Indicates an unexpected break before the word. |

+| `MissingBreak` | Indicates a missing break before the word. |

+| `Thresholds` | Suggested thresholds on both confidence scores are 0.75. That means, if the value of ΓÇÿUnexpectedBreak ΓÇô ConfidenceΓÇÖ is larger than 0.75, it can be decided to have an unexpected break. If the value of ΓÇÿMissingBreak ΓÇô confidenceΓÇÖ is larger than 0.75, it can be decided to have a missing break. If you want to have variable detection sensitivity on these two breaks, itΓÇÖs suggested to assign different thresholds to the 'UnexpectedBreak - Confidence' and 'MissingBreak - Confidence' fields. |

+|`Intonation`| Indicates intonation in speech. |

+| `ErrorTypes` | Error types related to intonation, currently supporting only Monotone. If the ΓÇÿMonotoneΓÇÖ exists in the field ΓÇÿErrorTypesΓÇÖ, the utterance is detected to be monotonic. Monotone is detected on the whole utterance, but the tag is assigned to all the words. All the words in the same utterance share the same monotone detection information. |

+| `Monotone` | Indicates monotonic speech. |

+| `Thresholds (Monotone Confidence)` | The fields 'Monotone - SyllablePitchDeltaConfidence' are reserved for user-customized monotone detection. If you're unsatisfied with the provided monotone decision, you can adjust the thresholds on these fields to customize the detection according to your preferences. |

+### JSON result example

+The [scripted](#scripted-assessment-results) pronunciation assessment results for the spoken word "hello" are shown as a JSON string in the following example. Here's what you should know:

+- The phoneme [alphabet](#phoneme-alphabet-format) is IPA.

+- The [syllables](#syllable-groups) are returned alongside phonemes for the same word.

+- You can use the `Offset` and `Duration` values to align syllables with their corresponding phonemes. For example, the starting offset (11700000) of the second syllable ("loʊ") aligns with the third phoneme ("l"). The offset represents the time at which the recognized speech begins in the audio stream, and it's measured in 100-nanosecond units. To learn more about `Offset` and `Duration`, see [response properties](rest-speech-to-text-short.md#response-properties).

+- There are five `NBestPhonemes` corresponding to the number of [spoken phonemes](#spoken-phoneme) requested.

+- Within `Phonemes`, the most likely [spoken phonemes](#spoken-phoneme) was `"ə"` instead of the expected phoneme `"ɛ"`. The expected phoneme `"ɛ"` only received a confidence score of 47. Other potential matches received confidence scores of 52, 17, and 2.

+}

+```

+You can get pronunciation assessment scores for:

+- Full text

+- Words

+- Syllable groups

+- Phonemes in [SAPI](/previous-versions/windows/desktop/ee431828(v=vs.85)#american-english-phoneme-table) or [IPA](https://en.wikipedia.org/wiki/IPA) format

+> [!NOTE]

+> The syllable group, phoneme name, and spoken phoneme of pronunciation assessment are currently only available for the en-US locale. For information about availability of pronunciation assessment, see [supported languages](language-support.md?tabs=pronunciation-assessment) and [available regions](regions.md#speech-service).

+## Syllable groups

+Pronunciation assessment can provide syllable-level assessment results. Grouping in syllables is more legible and aligned with speaking habits, as a word is typically pronounced syllable by syllable rather than phoneme by phoneme.

+The following table compares example phonemes with the corresponding syllables.

+| Sample word | Phonemes | Syllables |

+|--|-|-|

+|technological|teknələdʒɪkl|tek·nə·lɑ·dʒɪkl|

+|hello|hɛloʊ|hɛ·loʊ|

+|luck|lʌk|lʌk|

+|photosynthesis|foʊtəsɪnθəsɪs|foʊ·tə·sɪn·θə·sɪs|

+To request syllable-level results along with phonemes, set the granularity [configuration parameter](#configuration-parameters) to `Phoneme`.

+## Phoneme alphabet format

+For the `en-US` locale, the phoneme name is provided together with the score, to help identify which phonemes were pronounced accurately or inaccurately. For other locales, you can only get the phoneme score.

+The following table compares example SAPI phonemes with the corresponding IPA phonemes.

+| Sample word | SAPI Phonemes | IPA phonemes |

+|--|-|-|

+|hello|h eh l ow|h ɛ l oʊ|

+|luck|l ah k|l ʌ k|

+|photosynthesis|f ow t ax s ih n th ax s ih s|f oʊ t ə s ɪ n θ ə s ɪ s|

+To request IPA phonemes, set the phoneme alphabet to `"IPA"`. If you don't specify the alphabet, the phonemes are in SAPI format by default.

+```csharp

+pronunciationAssessmentConfig.PhonemeAlphabet = "IPA";

+```

+

+```cpp

+auto pronunciationAssessmentConfig = PronunciationAssessmentConfig::CreateFromJson("{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\",\"phonemeAlphabet\":\"IPA\"}");

+```

+

+```Java

+PronunciationAssessmentConfig pronunciationAssessmentConfig = PronunciationAssessmentConfig.fromJson("{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\",\"phonemeAlphabet\":\"IPA\"}");

+pronunciation_assessment_config = speechsdk.PronunciationAssessmentConfig(json_string="{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\",\"phonemeAlphabet\":\"IPA\"}")

+```

+```JavaScript

+var pronunciationAssessmentConfig = SpeechSDK.PronunciationAssessmentConfig.fromJSON("{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\",\"phonemeAlphabet\":\"IPA\"}");

+pronunciationAssessmentConfig.phonemeAlphabet = @"IPA";

+pronunciationAssessmentConfig?.phonemeAlphabet = "IPA"

+## Spoken phoneme

+With spoken phonemes, you can get confidence scores indicating how likely the spoken phonemes matched the expected phonemes.

+For example, to obtain the complete spoken sound for the word "Hello", you can concatenate the first spoken phoneme for each expected phoneme with the highest confidence score. In the following assessment result, when you speak the word "hello", the expected IPA phonemes are "h ɛ l oʊ". However, the actual spoken phonemes are "h ə l oʊ". You have five possible candidates for each expected phoneme in this example. The assessment result shows that the most likely spoken phoneme was `"ə"` instead of the expected phoneme `"ɛ"`. The expected phoneme `"ɛ"` only received a confidence score of 47. Other potential matches received confidence scores of 52, 17, and 2.

+To indicate whether, and how many potential spoken phonemes to get confidence scores for, set the `NBestPhonemeCount` parameter to an integer value such as `5`.

+

+```csharp

+pronunciationAssessmentConfig.NBestPhonemeCount = 5;

+```

+

+```cpp

+auto pronunciationAssessmentConfig = PronunciationAssessmentConfig::CreateFromJson("{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\",\"phonemeAlphabet\":\"IPA\",\"nBestPhonemeCount\":5}");

+```

+

+```Java

+PronunciationAssessmentConfig pronunciationAssessmentConfig = PronunciationAssessmentConfig.fromJson("{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\",\"phonemeAlphabet\":\"IPA\",\"nBestPhonemeCount\":5}");

+```

+

+```Python

+pronunciation_assessment_config = speechsdk.PronunciationAssessmentConfig(json_string="{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\",\"phonemeAlphabet\":\"IPA\",\"nBestPhonemeCount\":5}")

+```

+```JavaScript

+var pronunciationAssessmentConfig = SpeechSDK.PronunciationAssessmentConfig.fromJSON("{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\",\"phonemeAlphabet\":\"IPA\",\"nBestPhonemeCount\":5}");

+```

+

+

+```ObjectiveC

+pronunciationAssessmentConfig.nbestPhonemeCount = 5;

+```

+```swift

+pronunciationAssessmentConfig?.nbestPhonemeCount = 5

+```

+- Learn our quality [benchmark](https://aka.ms/pronunciationassessment/techblog)

+- Check out easy-to-deploy Pronunciation Assessment [demo](https://github.com/Azure-Samples/Cognitive-Speech-TTS/tree/master/PronunciationAssessment/BrowserJS) and watch the [video demo](https://www.youtube.com/watch?v=NQi4mBiNNTE) of pronunciation assessment.

+Additional remarks for text to speech locales are included in the [voice styles and roles](#voice-styles-and-roles), [prebuilt neural voices](#prebuilt-neural-voices), [Custom Neural Voice](#custom-neural-voice), and [personal voice](#personal-voice) sections below.

+### Personal voice

+[Personal voice](personal-voice-overview.md) is a feature that lets you create a voice that sounds like you or your users. The following table summarizes the locales supported for personal voice.

+With personal voice (preview), you can get AI generated replication of your voice (or users of your application) in a few seconds. You provide a one-minute speech sample as the audio prompt, and then use it to generate speech in any of the more than 90 languages supported across more than 100 locales.

+> For supported locales, see [personal voice language support](./language-support.md#personal-voice).

+### Responsible AI

+We care about the people who use AI and the people who will be affected by it as much as we care about technology. For more information, see the Responsible AI [transparency notes](/legal/cognitive-services/speech-service/text-to-speech/transparency-note?context=/azure/ai-services/speech-service/context/context).

+Follow these steps to upload [wav, mp3, or ogg](batch-transcription-audio-data.md#supported-audio-formats-and-codecs) files from your local directory to the Azure Storage container that you [created previously](#create-the-azure-blob-storage-container).

+> [!NOTE]

+> Content score is currently available on the following regions: `westcentralus`, `eastasia`, `eastus`, `northeurope`, `westeurope`, and `westus2`. All other regions will have Content score available starting from Nov 30, 2023.

+ - Custom commands

+ - Custom neural voice

+ - Personal voice

+ - Text to speech avatar

+| Max audio length for [real-time diarization](./get-started-stt-diarization.md). | N/A | 240 minutes per file |

+| Max audio length for transcriptions with diarization enabled. | N/A | 240 minutes per file |

+You can find the verbal consent statement in multiple languages on [GitHub](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/sampledata/customavatar/verbal-statement-all-locales.txt). The language of the verbal statement must be the same as your recording. See also the disclosure for voice talent.

+- **Azure subscription:** [Create one for free](https://azure.microsoft.com/free/cognitive-services).

+- **Speech resource:** <a href="https://portal.azure.com/#create/Microsoft.CognitiveServicesSpeechServices" title="Create a Speech resource" target="_blank">Create a speech resource</a> in the Azure portal. Select "Standard S0" pricing tier if you want to create speech resource to access avatar.

+- **Your speech resource key and region:** After your Speech resource is deployed, select **Go to resource** to view and manage keys. For more information about Azure AI services resources, see [Get the keys for your resource](/azure/ai-services/multi-service-resource?pivots=azportal&tabs=windows#get-the-keys-for-your-resource).

+- If you build an application of real time avatar:

+ - **Communication resource:** Create a [Communication resource](https://portal.azure.com/#create/Microsoft.Communication) in the Azure portal (for real-time avatar synthesis only).

+ - You also need your network relay token for real-time avatar synthesis. After deploying your Communication resource, select **Go to resource** to view the endpoint and connection string under **Settings** -> **Keys** tab, and then follow [Access TURN relays](/azure/ai-services/speech-service/quickstarts/setup-platform#install-the-speech-sdk-for-javascript) to generate the relay token with the endpoint and connection string filled.

+With text to speech avatar's advanced neural network models, the feature empowers users to deliver life-like and high-quality synthetic talking avatar videos for various applications while adhering to [responsible AI practices](/legal/cognitive-services/speech-service/disclosure-voice-talent?context=/azure/ai-services/speech-service/context/context).

+We care about the people who use AI and the people who will be affected by it as much as we care about technology. For more information, see the Responsible AI [transparency notes](/legal/cognitive-services/speech-service/text-to-speech/transparency-note?context=/azure/ai-services/speech-service/context/context) and [disclosure for voice and avatar talent](/legal/cognitive-services/speech-service/disclosure-voice-talent?context=/azure/ai-services/speech-service/context/context).

+1. Sign in to [Azure AI Studio](https://ai.azure.com) and select **Explore** from the top menu.

+1. Sign in to [Azure AI Studio](https://ai.azure.com) and select **Explore** from the top menu.

+1. Sign in to [Azure AI Studio](https://ai.azure.com).

+1. Sign in to [Azure AI Studio](https://ai.azure.com) with credentials that have access to your Azure OpenAI resource. During or after the sign-in workflow, select the appropriate directory, Azure subscription, and Azure OpenAI resource. You should be on the Azure AI Studio **Home** page.

+## Azure AI studio enterprise chat solution demo

+Learn how to create a retail copilot using your data with Azure AI Studio in this [end-to-end walkthrough video](https://youtu.be/Qes7p5w8Tz8).

+> [!VIDEO https://www.youtube.com/embed/Qes7p5w8Tz8]

+Azure AI Studio is currently available in the following regions: Australia East, Brazil South, Canada Central, East US, East US 2, France Central, Germany West Central, India South, Japan East, North Central US, Norway East, Poland Central, South Africa North, South Central US, Sweden Central, Switzerland North, UK South, West Europe, and West US.

+To learn more, see [Azure global infrastructure - Products available by region](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=cognitive-services).

+- [Create an AI Studio project](./how-to/create-projects.md)

+- [Tutorial: Deploy a chat web app](tutorials/deploy-chat-web-app.md)

+ Title: Reduce image pull time with Artifact Streaming on Azure Kubernetes Service (AKS) (Preview)

+description: Learn how to enable Artifact Streaming on Azure Kubernetes Service (AKS) to reduce image pull time.

+# Reduce image pull time with Artifact Streaming on Azure Kubernetes Service (AKS) (Preview)

+High performance compute workloads often involve large images, which can cause long image pull times and slow down your workload deployments. Artifact Streaming on AKS allows you to stream container images from Azure Container Registry (ACR) to AKS. AKS only pulls the necessary layers for initial pod startup, reducing the time it takes to pull images and deploy your workloads.

+Artifact Streaming can reduce time to pod readiness by over 15%, depending on the size of the image, and it works best for images <30GB. Based on our testing, we saw reductions in pod start-up times for images <10GB from minutes to seconds. If you have a pod that needs access to a large file (>30GB), then you should mount it as a volume instead of building it as a layer. This is because if your pod requires that file to start, it congests the node. Artifact Streaming isn't ideal for read heavy images from your filesystem if you need that on startup. With Artifact Streaming, pod start-up becomes concurrent, whereas without it, pods start in serial.

+This article describes how to enable the Artifact Streaming feature on your AKS node pools to stream artifacts from ACR.

+## Prerequisites

+* You need an existing AKS cluster with ACR integration. If you don't have one, you can create one using [Authenticate with ACR from AKS][acr-auth-aks].

+* [Enable Artifact Streaming on ACR][enable-artifact-streaming-acr].

+* This feature requires Kubernetes version 1.25 or later. To check your AKS cluster version, see [Check for available AKS cluster upgrades][aks-upgrade].

+> [!NOTE]

+> Artifact Streaming is only supported on Ubuntu 22.04, Ubuntu 20.04, and Azure Linux node pools. Windows node pools aren't supported.

+## Install the `aks-preview` CLI extension

+1. Install the `aks-preview` CLI extension using the [`az extension add`][az-extension-add] command.

+ ```azurecli-interactive

+ az extension add --name aks-preview

+ ```

+2. Update the extension to ensure you have the latest version installed using the [`az extension update`][az-extension-update] command.

+ ```azurecli-interactive

+ az extension update --name aks-preview

+ ```

+## Register the `ArtifactStreamingPreview` feature flag in your subscription

+* Register the `ArtifactStreamingPreview` feature flag in your subscription using the [`az feature register`][az-feature-register] command.

+ ```azurecli-interactive

+ az feature register --namespace Microsoft.ContainerService --name ArtifactStreamingPreview

+ ```

+## Enable Artifact Streaming on ACR

+Enablement on ACR is a prerequisite for Artifact Streaming on AKS. For more information, see [Artifact Streaming on ACR](https://aka.ms/acr/artifact-streaming).

+1. Create an Azure resource group to hold your ACR instance using the [`az group create`][az-group-create] command.

+ ```azurecli-interactive

+ az group create --name myStreamingTest --location westus

+ ```

+2. Create a new premium SKU Azure Container Registry using the [`az acr create`][az-acr-create] command with the `--sku Premium` flag.

+ ```azurecli-interactive

+ az acr create --resource-group myStreamingTest --name mystreamingtest --sku Premium

+ ```

+3. Configure the default ACR instance for your subscription using the [`az configure`][az-configure] command.

+ ```azurecli-interactive

+ az configure --defaults acr="mystreamingtest"

+ ```

+4. Push or import an image to the registry using the [`az acr import`][az-acr-import] command.

+ ```azurecli-interactive

+ az acr import -source docker.io/jupyter/all-spark-notebook:latest -t jupyter/all-spark-notebook:latest

+ ```

+5. Create a streaming artifact from the image using the [`az acr artifact-streaming create`][az-acr-artifact-streaming-create] command.

+ ```azurecli-interactive

+ az acr artifact-streaming create --image jupyter/all-spark-notebook:latest

+ ```

+6. Verify the generated Artifact Streaming using the [`az acr manifest list-referrers`][az-acr-manifest-list-referrers] command.

+ ```azurecli-interactive

+ az acr manifest list-referrers -n jupyter/all-spark-notebook:latest

+ ```

+## Enable Artifact Streaming on AKS

+### Enable Artifact Streaming on a new node pool

+* Create a new node pool with Artifact Streaming enabled using the [`az aks nodepool add`][az-aks-nodepool-add] command with the `--enable-artifact-streaming` flag set to `true`.

+ ```azurecli-interactive

+ az aks nodepool add \

+ --resource-group myResourceGroup \

+ --cluster-name myAKSCluster \

+ --name myNodePool \

+ --enable-artifact-streaming true

+ ```

+### Enable Artifact Streaming on an existing node pool

+* Enable Artifact Streaming on an existing node pool using the [`az aks nodepool update`][az-aks-nodepool-update] command with the `--enable-artifact-streaming` flag.

+ ```azurecli-interactive

+ az aks nodepool update \

+ --resource-group myResourceGroup \

+ --cluster-name myAKSCluster \

+ --name myNodePool \

+ --enable-artifact-streaming

+ ```

+## Check if Artifact Streaming is enabled

+Now that you enabled Artifact Streaming on a premium ACR and connected that to an AKS node pool with Artifact Streaming enabled, any new pod deployments on this cluster with an image pull from the ACR with Artifact Streaming enabled will see reductions in image pull times.

+* Check if your node pool has Artifact Streaming enabled using the [`az aks nodepool show`][az-aks-nodepool-show] command.

+ ```azurecli-interactive

+ az aks nodepool show --resource-group myResourceGroup --cluster-name myAKSCluster --name myNodePool grep ArtifactStreamingConfig

+ ```

+ In the output, check that the `Enabled` field is set to `true`.

+## Disable Artifact Streaming on AKS

+You can disable Artifact Streaming at the node pool level. The change takes effect on the next node pool upgrade.

+> [!NOTE]

+> Artifact Streaming requires connection to and enablement on an ACR. If you disconnect or disable from ACR, Artifact Streaming is automatically disabled on the node pool. If you don't disable Artifact Streaming at the node pool level, it begins working immediately once you resume the connection to and enablement on ACR.

+### Disable Artifact Streaming on an existing node pool

+* Disable Artifact Streaming on an existing node pool using the [`az aks nodepool update`][az-aks-nodepool-update] command with the `--disable-artifact-streaming` flag.

+ ```azurecli-interactive

+ az aks nodepool update \

+ --resource-group myResourceGroup \

+ --cluster-name myAKSCluster \

+ --name myNodePool \

+ --disable-artifact-streaming

+ ```

+## Next steps

+This article described how to enable Artifact Streaming on your AKS node pools to stream artifacts from ACR and reduce image pull time. To learn more about working with container images in AKS, see [Best practices for container image management and security in AKS][aks-image-management].

+<!-- LINKS -->

+[enable-artifact-streaming-acr]: #enable-artifact-streaming-on-acr

+[acr-auth-aks]: ./cluster-container-registry-integration.md

+[aks-upgrade]: ./upgrade-cluster.md

+[az-extension-add]: /cli/azure/extension#az-extension-add

+[az-extension-update]: /cli/azure/extension#az-extension-update

+[az-feature-register]: /cli/azure/feature#az-feature-register

+[az-aks-nodepool-add]: /cli/azure/aks/nodepool#az-aks-nodepool-add

+[az-aks-nodepool-update]: /cli/azure/aks/nodepool#az-aks-nodepool-update

+[aks-image-management]: ./operator-best-practices-container-image-management.md

+[az-group-create]: /cli/azure/group#az-group-create

+[az-acr-create]: /cli/azure/acr#az-acr-create

+[az-configure]: /cli/azure#az_configure

+[az-acr-import]: /cli/azure/acr#az-acr-import

+[az-acr-artifact-streaming-create]: /cli/azure/acr/artifact-streaming#az-acr-artifact-streaming-create

+[az-acr-manifest-list-referrers]: /cli/azure/acr/manifest#az-acr-manifest-list-referrers

+[az-aks-nodepool-show]: /cli/azure/aks/nodepool#az-aks-nodepool-show

+Confidential Containers provide a set of features and capabilities to further secure your standard container workloads to achieve higher data security, data privacy and runtime code integrity goals. Azure Kubernetes Service (AKS) includes Confidential Containers (preview) on AKS.

+Graphical processing units (GPUs) are often used for compute-intensive workloads, such as graphics and visualization workloads. AKS supports GPU-enabled Linux node pools to run compute-intensive Kubernetes workloads.

+## Supported GPU-enabled VMs

+To view supported GPU-enabled VMs, see [GPU-optimized VM sizes in Azure][gpu-skus]. For AKS node pools, we recommend a minimum size of *Standard_NC6s_v3*. The NVv4 series (based on AMD GPUs) aren't supported on AKS.

+## Limitations

+* AKS does not support Windows GPU-enabled node pools.

+* If you're using an Azure Linux GPU-enabled node pool, automatic security patches aren't applied, and the default behavior for the cluster is *Unmanaged*. For more information, see [auto-upgrade](./auto-upgrade-node-image.md).

+* [NVadsA10](https://learn.microsoft.com/azure/virtual-machines/nva10v5-series) v5-series are not a recommended SKU for GPU VHD.

+## Options for using NVIDIA GPUs

+There are three ways to add the NVIDIA device plugin:

+3. Using the [NVIDIA GPU Operator](https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/microsoft-aks.html)

+### Use NVIDIA GPU Operator with AKS

+You can use the NVIDIA GPU Operator by skipping the gpu driver installation on AKS. For more information about using the NVIDIA GPU Operator with AKS, see [NVIDIA Documentation](https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/microsoft-aks.html).

+Adding the node pool tag `SkipGPUDriverInstall=true` will skip installing the GPU driver automatically on newly created nodes in the node pool. Any existing nodes will not be changed - the pool can be scaled to 0 and back up to make the change take effect. You can specify the tag using the `--nodepool-tags` argument to [`az aks create`][az-aks-create] command (for a new cluster) or `--tags` with [`az aks nodepool add`][az-aks-nodepool-add] or [`az aks nodepool update`][az-aks-nodepool-update].

+[az-aks-create]: /cli/azure/aks#az_aks_create

+[az-aks-nodepool-update]: /cli/azure/aks/nodepool#az_aks_nodepool_update

+[NVadsA10]: /azure/virtual-machines/nva10v5-series

+ <set-header name="Authorization" exists-action="override">

+ <value>@("Bearer " + ((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</value>

+ ¹ Supported in the two latest production versions.

+| count | A positive number between 1 and 50 specifying the number of retries to attempt. Policy expressions are allowed. | Yes | N/A |

+## Get assistance creating policies using Microsoft Copilot for Azure (preview)

+[Microsoft Copilot for Azure](../copilot/overview.md) (preview) provides policy authoring capabilities for Azure API Management. Using Copilot for Azure in the context of API Management's policy editor, you can create policies that match your specific requirements without knowing the syntax or have already configured policies explained to you. This proves particularly useful for handling complex policies with multiple requirements.

+You can prompt Copilot for Azure to generate policy definitions, then copy the results into the policy editor and make any necessary adjustments. Ask questions to gain insights into different options, modify the provided policy, or clarify the policy you already have. [Learn more](../copilot/author-api-management-policies.md) about this capability.

+> [!NOTE]

+> Microsoft Copilot for Azure requires [registration](../copilot/limited-access.md#registration-process) (preview) and is currently only available to approved enterprise customers and partners.

+From the left navigation of your app, select **Certificates**, then select **Bring your own certificates (.pfx)** or **Public key certificates (.cer)**.

+1. Apply the following settings from the source slot (for example, the production slot) to all instances of the target slot:

+ Any of these cases trigger all instances in the target slot to restart. During [swap with preview](#Multi-Phase), this marks the end of the first phase. The swap operation is paused, and you can validate that the source slot works correctly with the target slot's settings.

+1. Wait for every instance in the source slot to complete its restart. If any instance fails to restart, the swap operation reverts all changes to the source slot and stops the operation.

+When you create a private endpoint, the DNS CNAME resource record for the configuration store is updated to an alias in a subdomain with the prefix `privatelink`. Azure also creates a [private DNS zone](../dns/private-dns-overview.md) corresponding to the `privatelink` subdomain, with the DNS A resource records for the private endpoints. Enabling geo-replication creates separate DNS records for each replica with unique IP addresses in the private DNS zone.

+If you are using a custom DNS server on your network, you need to configure it to delegate your `privatelink` subdomain to the private DNS zone for the VNet. Alternatively, you can configure the A records for your store's private link URLs, which are either `[Your-store-name].privatelink.azconfig.io` or `[Your-store-name]-[replica-name].privatelink.azconfig.io` if geo-replication is enabled, with unique private IP addresses of the private endpoint.

+ Title: Snapshots in Azure App Configuration

+# Snapshots

+ Title: How to manage and use snapshots in Azure App Configuration

+# Manage and use snapshots

+Under **Operations** > **Snapshots**, select **Create a new snapshot**.

+1. In **Operations** > **Snapshots** > **Active snapshots**, select **Test in sandbox**.

+The page under **Operations** > **Snapshots** displays two tabs: **Active snapshots** and **Archived snapshots**. Select **Active snapshots** to view the list of all active snapshots in an App Configuration store.

+Go to **Operations** > **Snapshots** > **Archived snapshots** to view the list of all archived snapshots in an App Configuration store. Archived snapshots remain accessible for the retention period that was selected during their creation.

+In the **Archived snapshots** tab, select the ellipsis **...** on the right of an archived snapshot and select **Recover** to recover a snapshot. Once a snapshot has been recovered, a notification appears to confirm the operation and the list of archived snapshots is updated.

+# Snapshot

+```

+ | himds | Azure Hybrid Instance Metadata Service | `himds.exe` | Synchronizes metadata with Azure and hosts a local REST API for extensions and applications to access the metadata and request Microsoft Entra managed identity tokens |

+ | GCArcService | Guest configuration Arc Service | `gc_arc_service.exe` (gc_service.exe prior to version 1.36) | Audits and enforces Azure guest configuration policies on the machine. |

+ | ExtensionService | Guest configuration Extension Service | `gc_extension_service.exe` (gc_service.exe prior to version 1.36) | Installs, updates, and manages extensions on the machine. |

+* The Extension Service agent can use up to 5% of the CPU on Windows machines and 30% of the CPU on Linux machines to install, upgrade, run, and delete extensions. Some extensions might apply more restrictive CPU limits once installed. The following exceptions apply:

+## Version 1.32 - July 2023

+Download for [Windows](https://download.microsoft.com/download/7/e/5/7e51205f-a02e-4fbe-94fe-f36219be048c/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+### New features

+- Added support for the Debian 12 operating system

+- [azcmagent show](azcmagent-show.md) now reflects the "Expired" status when a machine has been disconnected long enough for the managed identity to expire. Previously, the agent only showed "Disconnected" while the Azure portal and API showed the correct state, "Expired."

+### Fixed

+- Fixed an issue that could result in high CPU usage if the agent was unable to send telemetry to Azure.

+- Improved local logging when there are network communication errors

+## Version 1.36 - November 2023

+Download for [Windows](https://download.microsoft.com/download/5/e/9/5e9081ed-2ee2-4b3a-afca-a8d81425bcce/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+### New features

+- [azcmagent show](azcmagent-show.md) now reports extended security license status on Windows Server 2012 server machines.

+- Introduced a new [proxy bypass](manage-agent.md#proxy-bypass-for-private-endpoints) option, `ArcData`, that covers the Azure Arc-enabled SQL Server endpoints. This will enable you to use a private endpoint with Azure Arc-enabled servers with the public endpoints for Azure Arc-enabled SQL Server.

+- The [CPU limit for extension operations](agent-overview.md#agent-resource-governance) on Linux is now 30%. This increase will help improve reliability of extension install, upgrade and uninstall operations.

+- Older extension manager and machine configuration agent logs are automatically zipped to reduce disk space requirements.

+- New executable names for the extension manager (`gc_extension_service`) and machine configuration (`gc_arc_service`) agents on Windows to help you distinguish the two services. For more information, see [Windows agent installation details](./agent-overview.md#windows-agent-installation-details).

+### Bug fixes

+- [azcmagent connect](azcmagent-connect.md) now uses the latest API version when creating the Azure Arc-enabled server resource to ensure Azure policies targeting new properties can take effect.

+- Upgraded the OpenSSL library and PowerShell runtime shipped with the agent to include the latest security fixes.

+- Fixed an issue that could prevent the agent from reporting the correct product type on Windows machines.

+- Improved handling of upgrades when the previously installed extension version was not in a successful state.

+1. If the VM is running on a third-party host or cloud service provider like AWS, GCP, or OCI.

+1. The Windows Server operating system was licensed on a virtualization basis.

+> [!IMPORTANT]

+> Virtual core licensing can't be used on physical servers. When creating a license with virtual cores, always select the standard edition instead of datacenter, even if the operating system is datacenter edition.

+¹ The proxy bypass value `ArcData` is available starting with Azure Connected Machine agent version 1.36 and Azure Extension for SQL Server version 1.1.2504.99. Earlier versions include the Azure Arc-enabled SQL Server endpoints in the "Arc" proxy bypass value.

+Rust serves as the primary language for all new code written on the Boost system, to provide memory safety without impacting performance. Control and data plane operations are isolated with memory safety improvements that enhance AzureΓÇÖs ability to keep tenants safe.

+> [!TIP]

+> Although you can develop your Python-based Azure functions locally on Windows, Python is supported only on a Linux-based hosting plan when it's running in Azure. For more information, see the [list of supported operating system/runtime combinations](functions-scale.md#operating-systemruntime).

+By default this command creates a project that runs in-process with the Functions host on the current [Long-Term Support (LTS) version of .NET Core]. You can use the `--target-framework` option to target a specific supported version of .NET, including .NET Framework. For more information, see the [`func init`](functions-core-tools-reference.md#func-init) reference.

+[Long-Term Support (LTS) version of .NET Core]: https://dotnet.microsoft.com/platform/support/policy/dotnet-core#lifecycle

+ :::image type="content" border="false" source="./media/shared/get-key.png" alt-text="Screenshot showing your Azure Maps subscription key in the Azure portal." lightbox="./media/shared/get-key.png":::

+ :::image type="content" border="false" source="./media/how-to-manage-authentication/app-registration.png" lightbox="./media/how-to-manage-authentication/app-registration.png" alt-text="A screenshot showing application registration in Microsoft Entra ID.":::

+

+ :::image type="content" border="false" source="./media/how-to-manage-authentication/app-registration.png" lightbox="./media/how-to-manage-authentication/app-registration.png" alt-text="A screenshot showing application registration in Microsoft Entra ID.":::

+ :::image type="content" border="false" source="./media/how-to-manage-authentication/app-registration.png" lightbox="./media/how-to-manage-authentication/app-registration.png" alt-text="A screenshot showing application registration in Microsoft Entra ID.":::

+ :::image type="content" border="false" source="./media/how-to-manage-authentication/app-registration.png" lightbox="./media/how-to-manage-authentication/app-registration.png" alt-text="A screenshot showing application registration in Microsoft Entra ID.":::

+- [Permissions to create Data Collection Rule objects](../essentials/data-collection-rule-create-edit.md#permissions) in the workspace.

+1. On the **Destination** tab, add a destination for the data source.

+- [Permissions to create Data Collection Rule objects](../essentials/data-collection-rule-create-edit.md#permissions) in the workspace.

+- [Permissions to create DCR objects](../essentials/data-collection-rule-create-edit.md#permissions) in the workspace.

+- [Permissions to create Data Collection Rule objects](../essentials/data-collection-rule-create-edit.md#permissions) in the workspace.

+- A Virtual Machine, Virtual Machine Scale Set, Arc-enabled server on-premises or Azure Monitoring Agent on a Windows on-premises client that writes logs to a text or JSON file.

+ See [Structure of a data collection rule in Azure Monitor](../essentials/data-collection-rule-structure.md) if you want to modify the data collection rule.

+* [Search explorer](../app/transaction-search-and-diagnostics.md?tabs=transaction-search)

+To investigate further, click on 'View full details in Application Insights' the links in this page take you straight to a [search page](../app/transaction-search-and-diagnostics.md?tabs=transaction-search) filtered to the relevant requests, exception, dependency, or traces.

+* [Search explorer](../app/transaction-search-and-diagnostics.md?tabs=transaction-search)

+In Application Insights, a *custom event* is a data point that you can display in [Metrics Explorer](../essentials/metrics-charts.md) as an aggregated count and in [Diagnostic Search](./transaction-search-and-diagnostics.md?tabs=transaction-search) as individual occurrences. (It isn't related to MVC or other framework "events.")

+You can correlate telemetry items together by associating them with operation context. The standard request-tracking module does this for exceptions and other events that are sent while an HTTP request is being processed. In [Search](./transaction-search-and-diagnostics.md?tabs=transaction-search) and [Analytics](../logs/log-query-overview.md), you can easily find any events associated with the request by using its operation ID.

+* To [examine individual occurrences](./transaction-search-and-diagnostics.md?tabs=transaction-search).

+Use `TrackTrace` to help diagnose problems by sending a "breadcrumb trail" to Application Insights. You can send chunks of diagnostic data and inspect them in [Diagnostic Search](./transaction-search-and-diagnostics.md?tabs=transaction-search).

+In [Search](./transaction-search-and-diagnostics.md?tabs=transaction-search), you can then easily filter out all the messages of a particular severity level that relate to a particular database.

+You can also [search](./transaction-search-and-diagnostics.md?tabs=transaction-search) for client data points with specific user names and accounts.

+* [Search events and logs](./transaction-search-and-diagnostics.md?tabs=transaction-search)

+* [Search events and logs](./transaction-search-and-diagnostics.md?tabs=transaction-search)

+- [Transaction search](transaction-search-and-diagnostics.md?tabs=transaction-search): Trace and diagnose transactions to identify issues and optimize performance.

+- [Transaction search](transaction-search-and-diagnostics.md?tabs=transaction-search)

+* The [end-to-end transaction diagnostic experience](./transaction-search-and-diagnostics.md?tabs=transaction-diagnostics) correlates server-side telemetry from across all your Application Insights-monitored components into a single view.

+- [Search events and logs](./transaction-search-and-diagnostics.md?tabs=transaction-search) to diagnose problems.

+* [Transaction Diagnostics](./transaction-search-and-diagnostics.md?tabs=transaction-diagnostics) shows unified, correlated server data.

+Below is the currently supported list of dependency calls that are automatically detected as dependencies without requiring any additional modification to your application's code. These dependencies are visualized in the Application Insights [Application map](./app-map.md) and [Transaction diagnostics](./transaction-search-and-diagnostics.md?tabs=transaction-diagnostics) views. If your dependency isn't on the list below, you can still track it manually with a [track dependency call](./api-custom-events-metrics.md#trackdependency).

+* <xref:Microsoft.VisualStudio.ApplicationInsights.TelemetryClient.TrackEvent%2A?displayProperty=nameWithType> is typically used for monitoring usage patterns, but the data it sends also appears under **Custom Events** in diagnostic search. Events are named and can carry string properties and numeric metrics on which you can [filter your diagnostic searches](./transaction-search-and-diagnostics.md?tabs=transaction-search).

+To see these events, on the left menu, open [Search](./transaction-search-and-diagnostics.md?tabs=transaction-search). Select the dropdown menu **Event types**, and then choose **Custom Event**, **Trace**, or **Exception**.

+The properties and measurements parameters are optional, but they're useful for [filtering and adding](./transaction-search-and-diagnostics.md?tabs=transaction-search) extra information. For example, if you have an app that can run several games, you could find all the exception reports related to a particular game. You can add as many items as you want to each dictionary.

+* [Learn more about Transaction Search](transaction-search-and-diagnostics.md?tabs=transaction-search)

+[diagnostic]: ./transaction-search-and-diagnostics.md?tabs=transaction-search

+* [Transaction diagnostics](./transaction-search-and-diagnostics.md?tabs=transaction-diagnostics)

+To learn more about the end-to-end transaction diagnostics experience, see the [transaction diagnostics documentation](./transaction-search-and-diagnostics.md?tabs=transaction-diagnostics).

+[diagnostic]: ./transaction-search-and-diagnostics.md?tabs=transaction-search

+You can set the **Application Version** property so that you can filter [search](../../azure-monitor/app/transaction-search-and-diagnostics.md?tabs=transaction-search) and [metric explorer](../../azure-monitor/essentials/metrics-charts.md) results.

+When the Application Insights web module has the build information, it automatically adds **Application Version** as a property to every item of telemetry. For this reason, you can filter by version when you perform [diagnostic searches](../../azure-monitor/app/transaction-search-and-diagnostics.md?tabs=transaction-search) or when you [explore metrics](../../azure-monitor/essentials/metrics-charts.md).

+Application Insights uses dependency type to customize UI experiences. For queues, it recognizes the following types of `DependencyTelemetry` that improve [Transaction diagnostics experience](./transaction-search-and-diagnostics.md?tabs=transaction-diagnostics):

+- Check out how correlated data powers [transaction diagnostics experience](./transaction-search-and-diagnostics.md?tabs=transaction-diagnostics) and [Application Map](./app-map.md).

+Azure Monitor provides two experiences for consuming distributed trace data: the [transaction diagnostics](./transaction-search-and-diagnostics.md?tabs=transaction-diagnostics) view for a single transaction/request and the [application map](./app-map.md) view to show how systems interact.

+ <div>with id, data-id, parent data-id defined</div>

+ <div>with data-id, parentid, parent data-id defined</div>

+ <div>with data-id, grandparent data-group defined, parent data-id defined</div>

+* [Use Diagnostic Search](./transaction-search-and-diagnostics.md?tabs=transaction-search)

+* Use [Search](./transaction-search-and-diagnostics.md?tabs=transaction-search) to look for specific events.

+Microsoft is excited to embrace [OpenTelemetry](https://opentelemetry.io/) as the future of telemetry instrumentation. You, our customers, asked for vendor-neutral instrumentation, and we're pleased to partner with the OpenTelemetry community to create consistent APIs and SDKs across languages.

+* [Create work items](./transaction-search-and-diagnostics.md?tabs=transaction-search#create-work-item)

+* You need synchronized sampling between client and server to navigate between related events. For example, page views and HTTP requests in [Search](./transaction-search-and-diagnostics.md?tabs=transaction-search) while investigating events.

+ Title: Transaction Search and Diagnostics

+description: This article explains Application Insights end-to-end transaction diagnostics and how to search and filter raw telemetry sent by your web app.

+# Transaction Search and Diagnostics

+Azure Monitor Application Insights offers Transaction Search for pinpointing specific telemetry items and Transaction Diagnostics for comprehensive end-to-end transaction analysis.

+**Transaction Search**: This experience enables users to locate and examine individual telemetry items such as page views, exceptions, and web requests. Additionally, it offers the capability to view log traces and events coded into the application. It identifies performance issues and errors within the application.

+**Transaction Diagnostics**: Quickly identify issues in components through comprehensive insight into end-to-end transaction details, including dependencies and exceptions. Access this feature via the Search interface by choosing an item from the search results.

+## [Transaction Search](#tab/transaction-search)

+Transaction search is a feature of [Application Insights](./app-insights-overview.md) that you use to find and explore individual telemetry items, such as page views, exceptions, or web requests. You can also view log traces and events that you code.

+For more complex queries over your data, use [Log Analytics](../logs/log-analytics-tutorial.md).

+## Where do you see Search?

+You can find **Search** in the Azure portal or Visual Studio.

+### In the Azure portal

+You can open transaction search from the Application Insights **Overview** tab of your application. You can also select **Search** under **Investigate** on the left menu.

+Go to the **Event types** dropdown menu to see a list of telemetry items such as server requests, page views, and custom events you coded. The top of the **Results** list has a summary chart showing counts of events over time.

+Back out of the dropdown menu or select **Refresh** to get new events.

+### In Visual Studio

+In Visual Studio, there's also an **Application Insights Search** window. It's most useful for displaying telemetry events generated by the application that you're debugging. But it can also show the events collected from your published app at the Azure portal.

+Open the **Application Insights Search** window in Visual Studio:

+The **Application Insights Search** window has features similar to the web portal:

+The **Track Operation** tab is available when you open a request or a page view. An "operation" is a sequence of events associated with a single request or page view. For example, dependency calls, exceptions, trace logs, and custom events might be part of a single operation. The **Track Operation** tab shows graphically the timing and duration of these events in relation to the request or page view.

+## Inspect individual items

+Select any telemetry item to see key fields and related items.

+The end-to-end transaction details view opens.

+## Filter event types

+Open the **Event types** dropdown menu and choose the event types you want to see. If you want to restore the filters later, select **Reset**.

+The event types are:

+* **Trace**: [Diagnostic logs](./asp-net-trace-logs.md) including TrackTrace, log4Net, NLog, and System.Diagnostic.Trace calls.

+* **Request**: HTTP requests received by your server application including pages, scripts, images, style files, and data. These events are used to create the request and response overview charts.

+* **Page View**: [Telemetry sent by the web client](./javascript.md) used to create page view reports.

+* **Custom Event**: If you inserted calls to `TrackEvent()` to [monitor usage](./api-custom-events-metrics.md), you can search them here.

+* **Exception**: Uncaught [exceptions in the server](./asp-net-exceptions.md), and the exceptions that you log by using `TrackException()`.

+* **Dependency**: [Calls from your server application](./asp-net-dependencies.md) to other services such as REST APIs or databases, and AJAX calls from your [client code](./javascript.md).

+* **Availability**: Results of [availability tests](availability-overview.md)

+## Filter on property values

+You can filter events on the values of their properties. The available properties depend on the event types you selected. Select **Filter** :::image type="content" source="./media/search-and-transaction-diagnostics/filter-icon.png" lightbox="./media/search-and-transaction-diagnostics/filter-icon.png" alt-text="Filter icon"::: to start.

+Choosing no values of a particular property has the same effect as choosing all values. It switches off filtering on that property.

+Notice that the counts to the right of the filter values show how many occurrences there are in the current filtered set.

+## Find events with the same property

+To find all the items with the same property value, either enter it in the **Search** box or select the checkbox when you look through properties on the **Filter** tab.

+## Search the data

+> [!NOTE]

+> To write more complex queries, open [Logs (Analytics)](../logs/log-analytics-tutorial.md) at the top of the **Search** pane.

+>

+You can search for terms in any of the property values. This capability is useful if you write [custom events](./api-custom-events-metrics.md) with property values.

+You might want to set a time range because searches over a shorter range are faster.

+Search for complete words, not substrings. Use quotation marks to enclose special characters.

+| String | *Not* found | Found |

+| | | |

+| HomeController.About |`home`<br/>`controller`<br/>`out` | `homecontroller`<br/>`about`<br/>`"homecontroller.about"`|

+|United States|`Uni`<br/>`ted`|`united`<br/>`states`<br/>`united AND states`<br/>`"united states"`

+You can use the following search expressions:

+| Sample query | Effect |

+| | |

+| `apple` |Find all events in the time range whose fields include the word `apple`. |

+| `apple AND banana` <br/>`apple banana` |Find events that contain both words. Use capital `AND`, not `and`. <br/>Short form. |

+| `apple OR banana` |Find events that contain either word. Use `OR`, not `or`. |

+| `apple NOT banana` |Find events that contain one word but not the other. |

+## Sampling

+If your app generates significant telemetry and uses ASP.NET SDK version 2.0.0-beta3 or later, it automatically reduces the volume sent to the portal through adaptive sampling. This module sends only a representative fraction of events. It selects or deselects events related to the same request as a group, allowing you to navigate between related events.

+Learn about [sampling](./sampling.md).

+## Create work item

+You can create a bug in GitHub or Azure DevOps with the details from any telemetry item.

+Go to the end-to-end transaction detail view by selecting any telemetry item. Then select **Create work item**.

+The first time you do this step, you're asked to configure a link to your Azure DevOps organization and project. You can also configure the link on the **Work Items** tab.

+## Send more telemetry to Application Insights

+In addition to the out-of-the-box telemetry sent by Application Insights SDK, you can:

+* Capture log traces from your favorite logging framework in [.NET](./asp-net-trace-logs.md) or [Java](./opentelemetry-add-modify.md?tabs=java#logs). This means you can search through your log traces and correlate them with page views, exceptions, and other events.

+* [Write code](./api-custom-events-metrics.md) to send custom events, page views, and exceptions.

+Learn how to [send logs and custom telemetry to Application Insights](./asp-net-trace-logs.md).

+## <a name="questions"></a>Frequently asked questions

+Find answers to common questions.

+### <a name="limits"></a>How much data is retained?

+See the [Limits summary](../service-limits.md#application-insights).

+### How can I see POST data in my server requests?

+We don't log the POST data automatically, but you can use [TrackTrace or log calls](./asp-net-trace-logs.md). Put the POST data in the message parameter. You can't filter on the message in the same way you can filter on properties, but the size limit is longer.

+### Why does my Azure Function search return no results?

+Azure Functions doesn't log URL query strings.

+## [Transaction Diagnostics](#tab/transaction-diagnostics)

+The unified diagnostics experience automatically correlates server-side telemetry from across all your Application Insights monitored components into a single view. It doesn't matter if you have multiple resources. Application Insights detects the underlying relationship and allows you to easily diagnose the application component, dependency, or exception that caused a transaction slowdown or failure.

+## What is a component?

+Components are independently deployable parts of your distributed or microservice application. Developers and operations teams have code-level visibility or access to telemetry generated by these application components.

+* Components are different from "observed" external dependencies, such as SQL and event hubs, which your team or organization might not have access to (code or telemetry).

+* Components run on any number of server, role, or container instances.

+* Components can be separate Application Insights instrumentation keys, even if subscriptions are different. Components also can be different roles that report to a single Application Insights instrumentation key. The new experience shows details across all components, regardless of how they were set up.

+> [!NOTE]

+> Are you missing the related item links? All the related telemetry is on the left side in the [top](#cross-component-transaction-chart) and [bottom](#all-telemetry-with-this-operation-id) sections.

+## Transaction diagnostics experience

+This view has four key parts:

+- a results list

+- a cross-component transaction chart

+- a time-sequence list of all telemetry related to this operation

+- the details pane for any selected telemetry item

+## Cross-component transaction chart

+This chart provides a timeline with horizontal bars during requests and dependencies across components. Any exceptions that are collected are also marked on the timeline.

+- The top row on this chart represents the entry point. It's the incoming request to the first component called in this transaction. The duration is the total time taken for the transaction to complete.

+- Any calls to external dependencies are simple noncollapsible rows, with icons that represent the dependency type.

+- Calls to other components are collapsible rows. Each row corresponds to a specific operation invoked at the component.

+- By default, the request, dependency, or exception that you selected appears to the side. Select any row to see its [details](#details-of-the-selected-telemetry).

+> [!NOTE]

+> Calls to other components have two rows. One row represents the outbound call (dependency) from the caller component. The other row corresponds to the inbound request at the called component. The leading icon and distinct styling of the duration bars help differentiate between them.

+## All telemetry with this Operation ID

+This section shows a flat list view in a time sequence of all the telemetry related to this transaction. It also shows the custom events and traces that aren't displayed in the transaction chart. You can filter this list to telemetry generated by a specific component or call. You can select any telemetry item in this list to see corresponding [details on the side](#details-of-the-selected-telemetry).

+## Details of the selected telemetry

+This collapsible pane shows the detail of any selected item from the transaction chart or the list. **Show all** lists all the standard attributes that are collected. Any custom attributes are listed separately under the standard set. Select the ellipsis button (...) under the **Call Stack** trace window to get an option to copy the trace. **Open profiler traces** and **Open debug snapshot** show code-level diagnostics in corresponding detail panes.

+## Search results

+This collapsible pane shows the other results that meet the filter criteria. Select any result to update the respective details of the preceding three sections. We try to find samples that are most likely to have the details available from all components, even if sampling is in effect in any of them. These samples are shown as suggestions.

+## Profiler and Snapshot Debugger

+[Application Insights Profiler](./profiler.md) or [Snapshot Debugger](snapshot-debugger.md) help with code-level diagnostics of performance and failure issues. With this experience, you can see Profiler traces or snapshots from any component with a single selection.

+If you can't get Profiler working, contact serviceprofilerhelp\@microsoft.com.

+If you can't get Snapshot Debugger working, contact snapshothelp\@microsoft.com.

+## Frequently asked questions

+This section provides answers to common questions.

+### Why do I see a single component on the chart and the other components only show as external dependencies without any details?

+Potential reasons:

+* Are the other components instrumented with Application Insights?

+* Are they using the latest stable Application Insights SDK?

+* If these components are separate Application Insights resources, validate you have [access](resources-roles-access-control.md).

+If you do have access and the components are instrumented with the latest Application Insights SDKs, let us know via the feedback channel in the upper-right corner.

+### I see duplicate rows for the dependencies. Is this behavior expected?

+Currently, we're showing the outbound dependency call separate from the inbound request. Typically, the two calls look identical with only the duration value being different because of the network round trip. The leading icon and distinct styling of the duration bars help differentiate between them. Is this presentation of the data confusing? Give us your feedback!

+### What about clock skews across different component instances?

+Timelines are adjusted for clock skews in the transaction chart. You can see the exact timestamps in the details pane or by using Log Analytics.

+### Why is the new experience missing most of the related items queries?

+This behavior is by design. All the related items, across all components, are already available on the left side in the top and bottom sections. The new experience has two related items that the left side doesn't cover: all telemetry from five minutes before and after this event and the user timeline.

+### Is there a way to see fewer events per transaction when I use the Application Insights JavaScript SDK?

+The transaction diagnostics experience shows all telemetry in a [single operation](distributed-tracing-telemetry-correlation.md#data-model-for-telemetry-correlation) that shares an [Operation ID](data-model-complete.md#operation-id). By default, the Application Insights SDK for JavaScript creates a new operation for each unique page view. In a single-page application (SPA), only one page view event is generated and a single Operation ID is used for all telemetry generated. As a result, many events might be correlated to the same operation.

+In these scenarios, you can use Automatic Route Tracking to automatically create new operations for navigation in your SPA. You must turn on [enableAutoRouteTracking](javascript.md#single-page-applications) so that a page view is generated every time the URL route is updated (logical page view occurs). If you want to manually refresh the Operation ID, call `appInsights.properties.context.telemetryTrace.traceID = Microsoft.ApplicationInsights.Telemetry.Util.generateW3CId()`. Manually triggering a PageView event also resets the Operation ID.

+### Why do transaction detail durations not add up to the top-request duration?

+Time not explained in the Gantt chart is time that isn't covered by a tracked dependency. This issue can occur because external calls weren't instrumented, either automatically or manually. It can also occur because the time taken was in process rather than because of an external call.

+If all calls were instrumented, in process is the likely root cause for the time spent. A useful tool for diagnosing the process is the [Application Insights profiler](./profiler.md).

+### What if I see the message ***Error retrieving data*** while navigating Application Insights in the Azure portal?

+This error indicates that the browser was unable to call into a required API or the API returned a failure response. To troubleshoot the behavior, open a browser [InPrivate window](https://support.microsoft.com/microsoft-edge/browse-inprivate-in-microsoft-edge-cd2c9a48-0bc4-b98e-5e46-ac40c84e27e2) and [disable any browser extensions](https://support.microsoft.com/microsoft-edge/add-turn-off-or-remove-extensions-in-microsoft-edge-9c0ec68c-2fbc-2f2c-9ff0-bdc76f46b026) that are running, then identify if you can still reproduce the portal behavior. If the portal error still occurs, try testing with other browsers, or other machines, investigate DNS or other network related issues from the client machine where the API calls are failing. If the portal error continues and needs more investigation, [collect a browser network trace](../../azure-portal/capture-browser-trace.md#capture-a-browser-trace-for-troubleshooting) while reproducing the unexpected portal behavior, then open a support case from the Azure portal.

+## See also

+* [Write complex queries in Analytics](../logs/log-analytics-tutorial.md)

+* [Send logs and custom telemetry to Application Insights](./asp-net-trace-logs.md)

+* [Availability overview](availability-overview.md)

+Customers who manually enable Container Insights using custom methods prior to October 2022 can end up with multiple versions of our agent running together. To clear this duplication, customers are recommended to follow the steps below:

+3. Fetch current Azure analytic workspace ID since we're going to re-onboard the container insights.

+4. Clean resources from previous onboarding:

+5. Disable container insights to clean all related resources with aks command: [Disable Container insights on your Azure Kubernetes Service (AKS) cluster - Azure Monitor | Microsoft Learn](https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-optout)

+6. Re-onboard to containerinsights with the workspace fetched from step 3 using [the steps outlined here](https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-enable-aks?tabs=azure-cli#specify-a-log-analytics-workspace)

+ Title: Create and edit data collection rules (DCRs) in Azure Monitor

+description: Details on creating and editing data collection rules (DCRs) in Azure Monitor.

+# Create and edit data collection rules (DCRs) in Azure Monitor

+There are multiple methods for creating a [data collection rule (DCR)](./data-collection-rule-overview.md) in Azure Monitor. In some cases, Azure Monitor will create and manage the DCR according to settings that you configure in the Azure portal. In other cases, you might need to create your own DCRs to customize particular scenarios.

+This article describes the different methods for creating and editing a DCR. For the contents of the DCR itself, see [Structure of a data collection rule in Azure Monitor](./data-collection-rule-structure.md).

+## Permissions

+ You require the following permissions to create DCRs and associations:

+| Built-in role | Scopes | Reason |

+|:|:|:|

+| [Monitoring Contributor](../../role-based-access-control/built-in-roles.md#monitoring-contributor) | <ul><li>Subscription and/or</li><li>Resource group and/or </li><li>An existing DCR</li></ul> | Create or edit DCRs, assign rules to the machine, deploy associations). |

+| [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor)<br>[Azure Connected Machine Resource Administrator](../../role-based-access-control/built-in-roles.md#azure-connected-machine-resource-administrator)</li></ul> | <ul><li>Virtual machines, virtual machine scale sets</li><li>Azure Arc-enabled servers</li></ul> | Deploy agent extensions on the VM. |

+| Any role that includes the action *Microsoft.Resources/deployments/** | <ul><li>Subscription and/or</li><li>Resource group and/or </li><li>An existing DCR</li></ul> | Deploy Azure Resource Manager templates. |

+## Automated methods to create a DCR

+The following table lists methods to create data collection scenarios using the Azure portal where the DCR is created for you. In these cases you don't need to interact directly with the DCR itself.

+| Scenario | Resources | Description |

+|:|:|:|

+| Azure Monitor Agent | [Configure data collection for Azure Monitor Agent](../agents/data-collection-rule-azure-monitor-agent.md) | Use the Azure portal to create a DCR that specifies events and performance counters to collect from a machine with Azure Monitor Agent. Then associate that rule with one or more virtual machines. Azure Monitor Agent will be installed on any machines that don't currently have it. |

+| | [Enable VM insights overview](../vm/vminsights-enable-overview.md) | When you enable VM insights on a VM, the Azure Monitor agent is installed, and a DCR is created that collects a predefined set of performance counters. You shouldn't modify this DCR. |

+| Container insights | [Enable Container insights](../containers/prometheus-metrics-enable.md) | When you enable Container insights on a Kubernetes cluster, a containerized version of the Azure Monitor agent is installed, and a DCR is created that collects data according to the configuration you selected. You may need to modify this DCR to add a transformation. |

+| Text or JSON logs | [Collect logs from a text or JSON file with Azure Monitor Agent](../agents/data-collection-text-log.md?tabs=portal) | Use the Azure portal to create a DCR to collect entries from a text log on a machine with Azure Monitor Agent. |

+| Workspace transformation | [Add a transformation in a workspace data collection rule using the Azure portal](../logs/tutorial-workspace-transformations-portal.md) | Create a transformation for any supported table in a Log Analytics workspace. The transformation is defined in a DCR that's then associated with the workspace. It's applied to any data sent to that table from a legacy workload that doesn't use a DCR. |

+## Manually create a DCR

+To manually create a DCR, create a JSON file using the appropriate configuration for the data collection that you're configuring. Start with one of the [sample DCRs](./data-collection-rule-samples.md) and use information in [Structure of a data collection rule in Azure Monitor](./data-collection-rule-structure.md) to modify the JSON file for your particular environment and requirements.

+Once you have the JSON file created, you can use any of the following methods to create the DCR:

+## [CLI](#tab/CLI)

+Use the [az monitor data-collection rule create](/cli/azure/monitor/data-collection/rule) command to create a DCR from your JSON file using the Azure CLI as shown in the following example.

+```azurecli

+az monitor data-collection rule create --location 'eastus' --resource-group 'my-resource-group' --name 'myDCRName' --rule-file 'C:\MyNewDCR.json' --description 'This is my new DCR'

+```

+## [PowerShell](#tab/powershell)

+Use the [New-AzDataCollectionRule](/powershell/module/az.monitor/new-azdatacollectionrule) cmdlet to create the DCR from your JSON file using PowerShell as shown in the following example.

+```powershell

+New-AzDataCollectionRule -Location 'east-us' -ResourceGroupName 'my-resource-group' -RuleName 'myDCRName' -RuleFile 'C:\MyNewDCR.json' -Description 'This is my new DCR'

+```

+## [API](#tab/api)

+Use the [DCR create API](/rest/api/monitor/data-collection-rules/create) to create the DCR from your JSON file. You can use any method to call a REST API as shown in the following examples.

+```powershell

+$ResourceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Insights/dataCollectionRules/my-dcr"

+$FilePath = ".\my-dcr.json"

+$DCRContent = Get-Content $FilePath -Raw

+Invoke-AzRestMethod -Path ("$ResourceId"+"?api-version=2021-09-01-preview") -Method PUT -Payload $DCRContent

+```

+```azurecli

+ResourceId="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Insights/dataCollectionRules/my-dcr"

+FilePath="my-dcr.json"

+az rest --method put --url $ResourceId"?api-version=2021-09-01-preview" --body @$FilePath

+```

+## [ARM](#tab/arm)

+Using an ARM template, you can define parameters so you can provide particular values at the time you install the DCR. This allows you to use a single template for multiple installations. Use the following template, copying in the JSON for your DCR and adding any other parameters you want to use.

+See [Deploy the sample templates](../resource-manager-samples.md#deploy-the-sample-templates) for different methods to deploy ARM templates.

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "dataCollectionRuleName": {

+ "type": "string",

+ "metadata": {

+ "description": "Specifies the name of the Data Collection Rule to create."

+ }

+ },

+ "location": {

+ "type": "string",

+ "metadata": {

+ "description": "Specifies the location in which to create the Data Collection Rule."

+ }

+ }

+ },

+ "resources": [

+ {

+ "type": "Microsoft.Insights/dataCollectionRules",

+ "name": "[parameters('dataCollectionRuleName')]",

+ "location": "[parameters('location')]",

+ "apiVersion": "2021-09-01-preview",

+ "properties": {

+ "<dcr-properties>"

+ }

+ }

+ ]

+}

+```

+The following tutorials include examples of manually creating DCRs.

+- [Send data to Azure Monitor using Logs ingestion API (Resource Manager templates)](../logs/tutorial-logs-ingestion-api.md)

+- [Add transformation in workspace data collection rule to Azure Monitor using Resource Manager templates](../logs/tutorial-workspace-transformations-api.md)

+## Edit a DCR

+To edit a DCR, you can use any of the methods described in the previous section to create a DCR using a modified version of the JSON.

+If you need to retrieve the JSON for an existing DCR, you can copy it from the **JSON View** for the DCR in the Azure portal. You can also retrieve it using an API call as shown in the following PowerShell example.

+```powershell

+$ResourceId = "<ResourceId>" # Resource ID of the DCR to edit

+$FilePath = "<FilePath>" # Store DCR content in this file

+$DCR = Invoke-AzRestMethod -Path ("$ResourceId"+"?api-version=2021-09-01-preview") -Method GET

+$DCR.Content | ConvertFrom-Json | ConvertTo-Json -Depth 20 | Out-File -FilePath $FilePath

+```

+For a tutorial that walks through the process of retrieving and then editing an existing DCR, see [Tutorial: Edit a data collection rule (DCR)](./data-collection-rule-edit.md).

+## Next steps

+- [Read about the detailed structure of a data collection rule](data-collection-rule-structure.md)

+- [Get details on transformations in a data collection rule](data-collection-transformations.md)

+# Tutorial: Edit a data collection rule (DCR)

+This tutorial describes how to edit the definition of Data Collection Rule (DCR) that has been already provisioned using command line tools.

+> [!NOTE]

+> This tutorial walks through one method for editing an existing DCR. See [Create and edit data collection rules (DCRs) in Azure Monitor](data-collection-rule-create-edit.md) for other methods.

+- [Permissions to create Data Collection Rule objects](data-collection-rule-create-edit.md#permissions) in the workspace.

+Data collection rules (DCRs) are sets of instructions supporting [data collection in Azure Monitor](../essentials/data-collection.md). They provide a consistent and centralized way to define and customize different data collection scenarios. Depending on the scenario, DCRs specify such details as what data should be collected, how to transform that data, and where to send it.

+DCRs are stored in Azure so that you can centrally manage them. Different components of a data collection workflow will access the DCR for particular information that it requires. In some cases, you can use the Azure portal to configure data collection, and Azure Monitor will create and manage the DCR for you. Other scenarios will require you to create your own DCR. You may also choose to customize an existing DCR to meet your required functionality.

+## Basic operation

+One example of how DCRs are used is the Logs Ingestion API that allows you to send custom data to Azure Monitor. This scenario is illustrated in the following diagram. Prior to using the API, you create a DCR that defines the structure of the data that you're going to send and the Log Analytics workspace and table that will receive the data. If the data needs to be formatted before it's stored, you can include a [transformation](data-collection-transformations.md) in the DCR.

+Each call to the API specifies the DCR to use, and Azure Monitor references this DCR to determine what to do with the incoming data. If your requirements change, you can modify the DCR without making any changes to the application sending the data.

+## Data collection rule associations (DCRAs)

+Data collection rule associations (DCRAs) associate a DCR with an object being monitored, for example a virtual machine with the Azure Monitor agent (AMA). A single object can be associated with multiple DCRs, and a single DCR can be associated with multiple objects.

+The following diagram illustrates data collection for the Azure Monitor agent. When the agent is installed, it connects to Azure Monitor to retrieve any DCRs that are associated with it. It then references the data sources section of each DCR to determine what data to collect from the machine. When the agent delivers this data, Azure Monitor references other sections of the DCR to determine whether a transformation should be applied to it and then the workspace and table to send it to.

+There are multiple ways to view the DCRs in your subscription.

+### [Portal](#tab/portal)

+Select a DCR to view its details. For DCRs supporting VMs, you can view and modify its associations and the data that it collects. For other DCRs, use the **JSON view** to view the details of the DCR. See [Create and edit data collection rules (DCRs) in Azure Monitor](./data-collection-rule-create-edit.md) for details on how you can modify them.

+> Although this view shows all DCRs in the specified subscriptions, selecting the **Create** button will create a data collection for Azure Monitor Agent. Similarly, this page will only allow you to modify DCRs for Azure Monitor Agent. For guidance on how to create and update DCRs for other workflows, see [Create and edit data collection rules (DCRs) in Azure Monitor](./data-collection-rule-create-edit.md).

+### [PowerShell](#tab/powershell)

+Use [Get-AzDataCollectionRule](/powershell/module/az.monitor/get-azdatacollectionrule) to retrieve the DCRs in your subscription.

+```powershell

+Get-AzDataCollectionRule

+```

+Use [Get-azDataCollectionRuleAssociation](/powershell/module/az.monitor/get-azdatacollectionruleassociation) to retrieve the DCRs associated with a VM.

+```powershell

+get-azDataCollectionRuleAssociation -TargetResourceId /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Compute/virtualMachines/my-vm | foreach {Get-azDataCollectionRule -RuleId $_.DataCollectionRuleId }

+```

+### [CLI](#tab/cli)

+Use [az monitor data-collection rule](/cli/azure/monitor/data-collection/rule) to work the DCRs using Azure CLI.

+Use the following to return all DCRs in your subscription.

+```azurecli

+az monitor data-collection rule list

+```

+Use the following to return DCR associations for a VM.

+```azurecli

+az monitor data-collection rule association list --resource "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Compute/virtualMachines/my-vm "

+```

+A DCR gets created and stored in a particular region and is backed up to the [paired-region](../../availability-zones/cross-region-replication-azure.md#azure-paired-regions) within the same geography. The service is deployed to all three [availability zones](../../availability-zones/az-overview.md#availability-zones) within the region. For this reason, it's a *zone-redundant service*, which further increases availability.

+See the following articles for additional information on how to work with DCRs.

+- [Data collection rule structure](data-collection-rule-structure.md) for a description of the JSON structure of DCRs and the different elements used for different workflows.

+- [Sample data collection rules (DCRs)](data-collection-rule-samples.md) for sample DCRs for different data collection scenarios.

+- [Create and edit data collection rules (DCRs) in Azure Monitor](./data-collection-rule-create-edit.md) for different methods to create DCRs for different data collection scenarios.

+- [Azure Monitor service limits](../service-limits.md#data-collection-rules) for limits that apply to each DCR.

+ Title: Sample data collection rules (DCRs) in Azure Monitor

+description: Sample data collection rule for different Azure Monitor data collection scenarios.

+# Sample data collection rules (DCRs) in Azure Monitor

+This article includes sample [data collection rules (DCRs)](./data-collection-rule-overview.md) for different scenarios. For descriptions of each of the properties in these DCRs, see [Data collection rule structure](./data-collection-rule-structure.md).

+## Azure Monitor agent - events and performance data

+The sample [data collection rule](../essentials/data-collection-rule-overview.md) below is for virtual machines with [Azure Monitor agent](../agents/data-collection-rule-azure-monitor-agent.md) and has the following details:

+- Performance data

+ - Collects specific Processor, Memory, Logical Disk, and Physical Disk counters every 15 seconds and uploads every minute.

+ - Collects specific Process counters every 30 seconds and uploads every 5 minutes.

+- Windows events

+ - Collects Windows security events and uploads every minute.

+ - Collects Windows application and system events and uploads every 5 minutes.

+- Syslog

+ - Collects Debug, Critical, and Emergency events from cron facility.

+ - Collects Alert, Critical, and Emergency events from syslog facility.

+- Destinations

+ - Sends all data to a Log Analytics workspace named centralWorkspace.

+> [!NOTE]

+> For an explanation of XPaths that are used to specify event collection in data collection rules, see [Limit data collection with custom XPath queries](../agents/data-collection-rule-azure-monitor-agent.md#filter-events-using-xpath-queries).

+```json

+{

+ "location": "eastus",

+ "properties": {

+ "dataSources": {

+ "performanceCounters": [

+ {

+ "name": "cloudTeamCoreCounters",

+ "streams": [

+ "Microsoft-Perf"

+ ],

+ "scheduledTransferPeriod": "PT1M",

+ "samplingFrequencyInSeconds": 15,

+ "counterSpecifiers": [

+ "\\Processor(_Total)\\% Processor Time",

+ "\\Memory\\Committed Bytes",

+ "\\LogicalDisk(_Total)\\Free Megabytes",

+ "\\PhysicalDisk(_Total)\\Avg. Disk Queue Length"

+ ]

+ },

+ {

+ "name": "appTeamExtraCounters",

+ "streams": [

+ "Microsoft-Perf"

+ ],

+ "scheduledTransferPeriod": "PT5M",

+ "samplingFrequencyInSeconds": 30,

+ "counterSpecifiers": [

+ "\\Process(_Total)\\Thread Count"

+ ]

+ }

+ ],

+ "windowsEventLogs": [

+ {

+ "name": "cloudSecurityTeamEvents",

+ "streams": [

+ "Microsoft-Event"

+ ],

+ "scheduledTransferPeriod": "PT1M",

+ "xPathQueries": [

+ "Security!*"

+ ]

+ },

+ {

+ "name": "appTeam1AppEvents",

+ "streams": [

+ "Microsoft-Event"

+ ],

+ "scheduledTransferPeriod": "PT5M",

+ "xPathQueries": [

+ "System!*[System[(Level = 1 or Level = 2 or Level = 3)]]",

+ "Application!*[System[(Level = 1 or Level = 2 or Level = 3)]]"

+ ]

+ }

+ ],

+ "syslog": [

+ {

+ "name": "cronSyslog",

+ "streams": [

+ "Microsoft-Syslog"

+ ],

+ "facilityNames": [

+ "cron"

+ ],

+ "logLevels": [

+ "Debug",

+ "Critical",

+ "Emergency"

+ ]

+ },

+ {

+ "name": "syslogBase",

+ "streams": [

+ "Microsoft-Syslog"

+ ],

+ "facilityNames": [

+ "syslog"

+ ],

+ "logLevels": [

+ "Alert",

+ "Critical",

+ "Emergency"

+ ]

+ }

+ ]

+ },

+ "destinations": {

+ "logAnalytics": [

+ {

+ "workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.OperationalInsights/workspaces/my-workspace",

+ "name": "centralWorkspace"

+ }

+ ]

+ },

+ "dataFlows": [

+ {

+ "streams": [

+ "Microsoft-Perf",

+ "Microsoft-Syslog",

+ "Microsoft-Event"

+ ],

+ "destinations": [

+ "centralWorkspace"

+ ]

+ }

+ ]

+ }

+ }

+```

+## Azure Monitor agent - text logs

+The sample data collection rule below is used to collect [text logs using Azure Monitor agent](../agents/data-collection-text-log.md).

+```json

+{

+ "location": "eastus",

+ "properties": {

+ "dataCollectionEndpointId": "/subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/my-resource-groups/providers/Microsoft.Insights/dataCollectionEndpoints/my-data-collection-endpoint",

+ "streamDeclarations": {

+ "Custom-MyLogFileFormat": {

+ "columns": [

+ {

+ "name": "TimeGenerated",

+ "type": "datetime"

+ },

+ {

+ "name": "RawData",

+ "type": "string"

+ }

+ ]

+ }

+ },

+ "dataSources": {

+ "logFiles": [

+ {

+ "streams": [

+ "Custom-MyLogFileFormat"

+ ],

+ "filePatterns": [

+ "C:\\JavaLogs\\*.log"

+ ],

+ "format": "text",

+ "settings": {

+ "text": {

+ "recordStartTimestampFormat": "ISO 8601"

+ }

+ },

+ "name": "myLogFileFormat-Windows"

+ },

+ {

+ "streams": [

+ "Custom-MyLogFileFormat"

+ ],

+ "filePatterns": [

+ "//var//*.log"

+ ],

+ "format": "text",

+ "settings": {

+ "text": {

+ "recordStartTimestampFormat": "ISO 8601"

+ }

+ },

+ "name": "myLogFileFormat-Linux"

+ }

+ ]

+ },

+ "destinations": {

+ "logAnalytics": [

+ {

+ "workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.OperationalInsights/workspaces/my-workspace",

+ "name": "MyDestination"

+ }

+ ]

+ },

+ "dataFlows": [

+ {

+ "streams": [

+ "Custom-MyLogFileFormat"

+ ],

+ "destinations": [

+ "MyDestination"

+ ],

+ "transformKql": "source",

+ "outputStream": "Custom-MyTable_CL"

+ }

+ ]

+ }

+}

+```

+## Event Hubs

+The sample data collection rule below is used to collect [data from an event hub](../logs/ingest-logs-event-hub.md).

+```json

+{

+ "location": "eastus",

+ "properties": {

+ "dataCollectionEndpointId": "/subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/my-resource-groups/providers/Microsoft.Insights/dataCollectionEndpoints/my-data-collection-endpoint",

+ "streamDeclarations": {

+ "Custom-MyEventHubStream": {

+ "columns": [

+ {

+ "name": "TimeGenerated",

+ "type": "datetime"

+ },

+ {

+ "name": "RawData",

+ "type": "string"

+ },

+ {

+ "name": "Properties",

+ "type": "dynamic"

+ }

+ ]

+ }

+ },

+ "dataSources": {

+ "dataImports": {

+ "eventHub": {

+ "consumerGroup": "<consumer-group>",

+ "stream": "Custom-MyEventHubStream",

+ "name": "myEventHubDataSource1"

+ }

+ }

+ },

+ "destinations": {

+ "logAnalytics": [

+ {

+ "workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.OperationalInsights/workspaces/my-workspace",

+ "name": "MyDestination"

+ }

+ ]

+ },

+ "dataFlows": [

+ {

+ "streams": [

+ "Custom-MyEventHubStream"

+ ],

+ "destinations": [

+ "MyDestination"

+ ],

+ "transformKql": "source",

+ "outputStream": "Custom-MyTable_CL"

+ }

+ ]

+ }

+}

+```

+## Logs ingestion API

+The sample [data collection rule](../essentials/data-collection-rule-overview.md) below is used with the [Logs ingestion API](../logs/logs-ingestion-api-overview.md). It has the following details:

+- Sends data to a table called MyTable_CL in a workspace called my-workspace.

+- Applies a [transformation](../essentials//data-collection-transformations.md) to the incoming data.

+```json

+{

+ "location": "eastus",

+ "properties": {

+ "dataCollectionEndpointId": "/subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/my-resource-groups/providers/Microsoft.Insights/dataCollectionEndpoints/my-data-collection-endpoint",

+ "streamDeclarations": {

+ "Custom-MyTable": {

+ "columns": [

+ {

+ "name": "Time",

+ "type": "datetime"

+ },

+ {

+ "name": "Computer",

+ "type": "string"

+ },

+ {

+ "name": "AdditionalContext",

+ "type": "string"

+ }

+ ]

+ }

+ },

+ "destinations": {

+ "logAnalytics": [

+ {

+ "workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cefingestion/providers/microsoft.operationalinsights/workspaces/my-workspace",

+ "name": "LogAnalyticsDest"

+ }

+ ]

+ },

+ "dataFlows": [

+ {

+ "streams": [

+ "Custom-MyTable"

+ ],

+ "destinations": [

+ "LogAnalyticsDest"

+ ],

+ "transformKql": "source | extend jsonContext = parse_json(AdditionalContext) | project TimeGenerated = Time, Computer, AdditionalContext = jsonContext, ExtendedColumn=tostring(jsonContext.CounterName)",

+ "outputStream": "Custom-MyTable_CL"

+ }

+ ]

+ }

+}

+```

+## Workspace transformation DCR

+The sample [data collection rule](../essentials/data-collection-rule-overview.md) below is used as a

+[workspace transformation DCR](../essentials/data-collection-transformations.md#workspace-transformation-dcr) to transform all data sent to a table called *LAQueryLogs*.

+```json

+{

+ "location": "eastus",

+ "properties": {

+ "destinations": {

+ "logAnalytics": [

+ {

+ "workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.OperationalInsights/workspaces/my-workspace",

+ "name": "clv2ws1"

+ }

+ ]

+ },

+ "dataFlows": [

+ {

+ "streams": [

+ "Microsoft-Table-LAQueryLogs"

+ ],

+ "destinations": [

+ "clv2ws1"

+ ],

+ "transformKql": "source |where QueryText !contains 'LAQueryLogs' | extend Context = parse_json(RequestContext) | extend Resources_CF = tostring(Context['workspaces']) |extend RequestContext = ''"

+ }

+ ]

+ }

+}

+```

+## Next steps

+- [Get details for the different properties in a DCR](../essentials/data-collection-rule-structure.md)

+- [See different methods for creating a DCR](../essentials/data-collection-rule-create-edit.md)

+[Data collection rules (DCRs)](data-collection-rule-overview.md) are sets of instructions that determine how to collect and process telemetry sent to Azure Monitor. Some DCRs will be created and managed by Azure Monitor. This article describes the JSON properties of DCRs for creating and editing them in those cases where you need to work with them directly.

+- See [Create and edit data collection rules (DCRs) in Azure Monitor](data-collection-rule-create-edit.md) for details working with the JSON described here.

+- See [Sample data collection rules (DCRs) in Azure Monitor](../essentials/data-collection-rule-samples.md) for sample DCRs for different scenarios.

+## `dataCollectionEndpointId`

+Specifies the [data collection endpoint (DCE)](data-collection-endpoint-overview.md) used by the DCR.

+**Scenarios**

+- Azure Monitor agent

+- Logs ingestion API

+- Events Hubs

+

+## `streamDeclarations`

+Declaration of the different types of data sent into the Log Analytics workspace. Each stream is an object whose key represents the stream name, which must begin with *Custom-*. The stream contains a full list of top-level properties that are contained in the JSON data that will be sent. The shape of the data you send to the endpoint doesn't need to match that of the destination table. Instead, the output of the transform that's applied on top of the input data needs to match the destination shape.

+This section isn't used for data sources sending known data types such as events and performance data sent from Azure Monitor agent.

+The possible data types that can be assigned to the properties are:

+- `string`

+- `int`

+- `long`

+- `real`

+- `boolean`

+- `dynamic`

+- `datetime`.

+**Scenarios**

+- Azure Monitor agent (text logs only)

+- Logs ingestion API

+- Event Hubs

+## `destinations`

+Declaration of all the destinations where the data will be sent. Only `logAnalytics` is currently supported as a destination except for Azure Monitor agent which can also use `azureMonitorMetrics`. Each Log Analytics destination requires the full workspace resource ID and a friendly name that will be used elsewhere in the DCR to refer to this workspace.

+**Scenarios**

+- Azure Monitor agent (text logs only)

+- Logs ingestion API

+- Event Hubs

+- Workspace transformation DCR

+## `dataSources`

+Unique source of monitoring data that has its own format and method of exposing its data. Each data source has a data source type, and each type defines a unique set of properties that must be specified for each data source. The data source types currently available are listed in the following table.

+| eventHub | Data from Azure Event Hubs |

+| logFiles | Text log on a virtual machine |

+| performanceCounters | Performance counters for both Windows and Linux virtual machines |

+| syslog | Syslog events on Linux virtual machines |

+| windowsEventLogs | Windows event log on virtual machines |

+**Scenarios**

+- Azure Monitor agent

+- Event Hubs

+## `dataFlows`

+Matches streams with destinations and optionally specifies a transformation.

+### `dataFlows/Streams`

+One or more streams defined in the previous section. You may include multiple streams in a single data flow if you want to send multiple data sources to the same destination. Only use a single stream though if the data flow includes a transformation. One stream can also be used by multiple data flows when you want to send a particular data source to multiple tables in the same Log Analytics workspace.

+### `dataFlows/destinations`

+One or more destinations from the `destinations` section above. Multiple destinations are allowed for multi-homing scenarios.

+### `dataFlows/transformKql`

+Optional [transformation](data-collection-transformations.md) applied to the incoming stream. The transformation must understand the schema of the incoming data and output data in the schema of the target table. If you use a transformation, the data flow should only use a single stream.

+### `dataFlows/outputStream`

+Describes which table in the workspace specified under the `destination` property the data will be sent to. The value of `outputStream` has the format `Microsoft-[tableName]` when data is being ingested into a standard Log Analytics table, or `Custom-[tableName]` when ingesting data into a custom table. Only one destination is allowed per stream.<br><br>This property isn't used for known data sources from Azure Monitor such as events and performance data since these are sent to predefined tables. |

+**Scenarios**

+- Azure Monitor agent

+- Logs ingestion API

+- Event Hubs

+- Workspace transformation DCR

+Azure Monitor's built-in AIOps capabilities provide insights and help you troubleshoot issues and automate data-driven tasks, such as predicting capacity usage and autoscaling, identifying and analyzing application performance issues, and detecting anomalous behaviors in virtual machines, containers, and other resources. These features boost your IT monitoring and operations, without requiring machine learning knowledge and further investment.

+|Log monitoring|[Log Analytics Workspace Insights](../logs/log-analytics-workspace-insights-overview.md) | Provides a unified view of your Log Analytics workspaces and uses machine learning to detect ingestion anomalies. |

+||[Kusto Query Language (KQL) time series analysis and machine learning functions](../logs/kql-machine-learning-azure-monitor.md)| Easy-to-use tools for generating time series data, detecting anomalies, forecasting, and performing root cause analysis directly in Azure Monitor Logs without requiring in-depth knowledge of data science and programming languages. |

+||[Microsoft Copilot for Azure](/azure/copilot/get-monitoring-information)| Helps you use Log Analytics to analyze data and troubleshoot issues. Generates example KQL queries based on prompts, such as "Are there any errors in container logs?". |

+- A JSON file with at least one record of sample for your custom table. This will look similar to the following:

+ {

+ "TimeGenerated": "supported_datetime_format",

+ "<column_name_1>": "<column_name_1_value>",

+ "<column_name_2>": "<column_name_2_value>"

+ },

+ {

+ "TimeGenerated": "supported_datetime_format",

+ "<column_name_1>": "<column_name_1_value>",

+ "<column_name_2>": "<column_name_2_value>"

+ },

+ All tables in a Log Analytics workspace must have a column named `TimeGenerated`. If your sample data has a column named `TimeGenerated`, then this value will be used to identify the ingestion time of the record. If not, a `TimeGenerated` column will be added to the transformation in your DCR for the table. For information about the `TimeGenerated` format, see [supported datetime formats](/azure/data-explorer/kusto/query/scalar-data-types/datetime#supported-formats).

+1. Select **Browse for files** and locate the JSON file with the sample data for your new table.

+ If your sample data doesn't include a `TimeGenerated` column, then you will receive a message that a transformation is being created with this column.

+> - Azure tables that are part of a solution can be removed from workspace when [deleting the solution](/cli/azure/monitor/log-analytics/solution#az-monitor-log-analytics-solution-delete). The data remains in workspace for the duration of the retention policy defined for the tables. If the [solution is re-created](/cli/azure/monitor/log-analytics/solution#az-monitor-log-analytics-solution-create) in the workspace, these tables become visible again.

+- [Permissions to create data collection rules](../essentials/data-collection-rule-create-edit.md#permissions) in the Log Analytics workspace.

+The Logs Ingestion API in Azure Monitor lets you send data to a Log Analytics workspace using either a [REST API call](#rest-api-call) or [client libraries](#client-libraries). The API allows you to send data to [supported Azure tables](#supported-tables) or to [custom tables that you create](../logs/create-custom-table.md#create-a-custom-table). You can also [extend the schema of Azure tables with custom columns](../logs/create-custom-table.md#add-or-delete-a-custom-column) to accept additional data.

+Data can be sent to the Logs Ingestion API from any application that can make a REST API call. This may be a custom application that you create, or it may be an application or agent that understands how to send data to the API.

+The application sends data to a [data collection endpoint (DCE)](../essentials/data-collection-endpoint-overview.md), which is a unique connection point for your Azure subscription. It specifies a [data collection rule (DCR)](../essentials/data-collection-rule-overview.md) that includes the target table and workspace and the credentials of an app registration with access to the specified DCR.

+The data sent by your application to the API must be formatted in JSON and match the structure expected by the DCR. It doesn't necessarily need to match the structure of the target table because the DCR can include a [transformation](../essentials//data-collection-transformations.md) to convert the data to match the table's structure. You can modify the target table and workspace by modifying the DCR without any change to the API call or source data.

+Data sent to the ingestion API can be sent to the following tables:

+| Custom tables | Any custom table that you create in your Log Analytics workspace. The target table must exist before you can send data to it. Custom tables must have the `_CL` suffix. |

+| Azure tables | The following Azure tables are currently supported. Other tables may be added to this list as support for them is implemented.<br><br>- [CommonSecurityLog](/azure/azure-monitor/reference/tables/commonsecuritylog)<br>- [SecurityEvents](/azure/azure-monitor/reference/tables/securityevent)<br>- [Syslog](/azure/azure-monitor/reference/tables/syslog)<br>- [WindowsEvents](/azure/azure-monitor/reference/tables/windowsevent)

+## Configuration

+The following table describes each component in Azure that you must configure before you can use the Logs Ingestion API.

+> [!NOTE]

+> For a PowerShell script that automates the configuration of these components, see [Sample code to send data to Azure Monitor using Logs ingestion API](../logs/tutorial-logs-ingestion-code.md).

+| Component | Function |

+|:|:|

+| App registration and secret | The application registration is used to authenticate the API call. It must be granted permission to the DCR described below. The API call includes the **Application (client) ID** and **Directory (tenant) ID** of the application and the **Value** of an application secret.<br><br>See [Create a Microsoft Entra application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) and [Create a new application secret](../../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-application-secret). |

+| Data collection endpoint (DCE) | The DCE provides an endpoint for the application to send to. A single DCE can support multiple DCRs, so you can use an existing DCE if you already have one in the same region as your Log Analytics workspace.<br><br>See [Create a data collection endpoint](../essentials/data-collection-endpoint-overview.md#create-a-data-collection-endpoint). |

+| Table in Log Analytics workspace | The table in the Log Analytics workspace must exist before you can send data to it. You can use one of the [supported Azure tables](#supported-tables) or create a custom table using any of the available methods. If you use the Azure portal to create the table, then the DCR is created for you, including a transformation if it's required. With any other method, you need to create the DCR manually as described in the next section.<br><br>See [Create a custom table](create-custom-table.md#create-a-custom-table). |

+| Data collection rule (DCR) | Azure Monitor uses the [Data collection rule (DCR)](../essentials/data-collection-rule-overview.md) to understand the structure of the incoming data and what to do with it. If the structure of the table and the incoming data don't match, the DCR can include a [transformation](../essentials/data-collection-transformations.md) to convert the source data to match the target table. You can also use the transformation to filter source data and perform any other calculations or conversions.<br><br>If you create a custom table using the Azure portal, the DCR and the transformation are created for you based on sample data that you provide. If you use an existing table or create a custom table using another method, then you must manually create the DCR using details in the following section.<br><br>Once your DCR is created, you must grant access to it for the application that you created in the first step. From the **Monitor** menu in the Azure portal, select **Data Collection rules** and then the DCR that you created. Select **Access Control (IAM)** for the DCR and then select **Add role assignment** to add the **Monitoring Metrics Publisher** role. |

+## **Manually create DCR**

+If you're sending data to a table that already exists, then you must create the DCR manually. Start with the [Sample DCR for Logs Ingestion API](../essentials/data-collection-rule-samples.md#logs-ingestion-api) and modify the following parameters in the template. Then use any of the methods described in [Create and edit data collection rules (DCRs) in Azure Monitor](../essentials/data-collection-rule-create-edit.md) to create the DCR.

+| Parameter | Description |

+|:|:|

+| `region` | Region to create your DCR. This must match the region of the DCE and the Log Analytics workspace. |

+| `dataCollectionEndpointId` | Resource ID of your DCE. |

+| `streamDeclarations` | Change the column list to the columns in your incoming data. You don't need to change the name of the stream since this just needs to match the `streams` name in `dataFlows`. |

+| `workspaceResourceId` | Resource ID of your Log Analytics workspace. You don't need to change the name since this just needs to match the `destinations` name in `dataFlows`. |

+| `transformKql` | KQL query to be applied to the incoming data. If the schema of the incoming data matches the schema of the table, then you can use `source` for the transformation which will pass on the incoming data unchanged. Otherwise, use a query that will transform the data to match the table schema. |

+| `outputStream` | Name of the table to send the data. For a custom table, add the prefix *Custom-\<table-name\>*. For a built-in table, add the prefix *Microsoft-\<table-name\>*. |

+## Client libraries

+In addition to making a REST API call, you can use the following client libraries to send data to the Logs ingestion API. The libraries require the same components described in [Configuration](#configuration). For examples using each of these libraries, see [Sample code to send data to Azure Monitor using Logs ingestion API](../logs/tutorial-logs-ingestion-code.md).

+To send data to Azure Monitor with a REST API call, make a POST call over HTTP. Details required for this call are described in this section.

+The endpoint URI uses the following format, where the `Data Collection Endpoint` and `DCR Immutable ID` identify the DCE and DCR. The immutable ID is generated for the DCR when it's created. You can retrieve it from the [JSON view of the DCR in the Azure portal](../essentials/data-collection-rule-overview.md?tabs=portal#view-data-collection-rules). `Stream Name` refers to the [stream](../essentials/data-collection-rule-structure.md#streamdeclarations) in the DCR that should handle the custom data.

+For example:

+```

+https://my-dce-5kyl.eastus-1.ingest.monitor.azure.com/dataCollectionRules/dcr-000a00a000a00000a000000aa000a0aa/streams/Custom-MyTable?api-version=2021-11-01-preview

+```

+The following table describes that headers for your API call.

+| Header | Required? |Description |

+|:|:|:|

+| Authorization | Yes | Bearer token obtained through the client credentials flow. Use the token audience value for your cloud:<br><br>Azure public cloud - `https://monitor.azure.com`<br>Microsoft Azure operated by 21Vianet cloud - `https://monitor.azure.cn`<br>Azure US Government cloud - `https://monitor.azure.us` |

+| Content-Type | Yes | `application/json` |

+| Content-Encoding | No | `gzip` |

+| x-ms-client-request-id | No | String-formatted GUID. This is a request ID that can be used by Microsoft for any troubleshooting purposes. |

+The body of the call includes the custom data to be sent to Azure Monitor. The shape of the data must be a JSON object or array with a structure that matches the format expected by the stream in the DCR. Ensure that the request body is properly encoded in UTF-8 to prevent any issues with data transmission.

+For example:

+```json

+{

+ "TimeGenerated": "2023-11-14 15:10:02",

+ "Column01": "Value01",

+ "Column02": "Value02"

+}

+```

+### Example

+See [Sample code to send data to Azure Monitor using Logs ingestion API](tutorial-logs-ingestion-code.md?tabs=powershell#sample-code) for an example of the API call using PowerShell.

+- [Permissions to create DCR objects](../essentials/data-collection-rule-create-edit.md#permissions) in the workspace.

+- [Permissions to create DCR objects](../essentials/data-collection-rule-create-edit.md#permissions) in the workspace.

+- [Permissions to create Data Collection Rule objects](../essentials/data-collection-rule-create-edit.md#permissions) in the workspace.

+- [Permissions to create DCR objects](../essentials/data-collection-rule-create-edit.md#permissions) in the workspace.

+| summarize MinutesSinceLastHeartbeat = min(Duration) by Computer, bin(TimeGenerated,5m), _ResourceId

+| summarize CPUPercentageAverage = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId

+| summarize AvailableMemoryInMBAverage = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId

+| summarize AvailableMemoryInPercentageAverage = avg(AvailableMemoryPercentage) by bin(TimeGenerated, 15m), Computer, _ResourceId

+```

+| summarize LogicalDiskSpacePercentageFreeAverage = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId

+| summarize LogicalDiskSpacePercentageFreeAverage = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk

+| summarize DiskIOPSAverage = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk

+| summarize DiskBytesPerSecondAverage = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk

+| summarize BytesReceivedAverage = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId

+| summarize BytesReceievedAverage = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, NetworkInterface

+| summarize BytesSentAverage = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId

+| summarize BytesSentAverage = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, NetworkInterface

+

+ | summarize NumberOfEvents = count() by Computer, bin(TimeGenerated, 15m)

+

+ | summarize NumberOfEvents = count() by Computer, bin(TimeGenerated, 15m)

+Application-Insights|[Use Search in Application Insights](app/transaction-search-and-diagnostics.md?tabs=transaction-search)|We clarified that URL query strings are not logged by Azure Functions and that URL query strings won't show up in searches.|

+|[Unified cross-component transaction diagnostics](./app/transaction-search-and-diagnostics.md?tabs=transaction-diagnostics)|Added a FAQ section to help troubleshoot Azure portal errors like "error retrieving data."|

+ Title: Understand auxiliary/supplemental groups with NFS in Azure NetApp Files

+description: Learn about auxiliary/supplemental groups with NFS in Azure NetApp Files.

+documentationcenter: ''

+editor: ''

+ms.assetid:

+ na

+# Understand auxiliary/supplemental groups with NFS in Azure NetApp Files

+NFS has a specific limitation for the maximum number of auxiliary GIDs (secondary groups) that can be honored in a single NFS request. The maximum for [AUTH_SYS/AUTH_UNIX](http://tools.ietf.org/html/rfc5531) is 16. For AUTH_GSS (Kerberos), the maximum is 32. This is a known protocol limitation of NFS.

+Azure NetApp Files provides the ability to increase the maximum number of auxiliary groups to 1,024. This is performed by avoiding truncation of the group list in the NFS packet by prefetching the requesting userΓÇÖs group from a name service, such as LDAP.

+## How it works

+The options to extend the group limitation work the same way the `-manage-gids` option for other NFS servers works. Rather than dumping the entire list of auxiliary GIDs a user belongs to, the option looks up the GID on the file or folder and returns that value instead.

+The [command reference for `mountd`](http://man.he.net/man8/mountd) notes:

+```bash

+-g or --manage-gids

+Accept requests from the kernel to map user id numbers into lists of group id numbers for use in access control. An NFS request will normally except when using Kerberos or other cryptographic authentication) contains a user-id and a list of group-ids. Due to a limitation in the NFS protocol, at most 16 groups ids can be listed. If you use the -g flag, then the list of group ids received from the client will be replaced by a list of group ids determined by an appropriate lookup on the server.

+```

+When an access request is made, only 16 GIDs are passed in the RPC portion of the packet.

+Any GID beyond the limit of 16 is dropped by the protocol. Extended GIDs in Azure NetApp Files can only be used with external name services such as LDAP.

+## Potential performance impacts

+Extended groups have a minimal performance penalty, generally in the low single digit percentages. Higher metadata NFS workloads would likely have more effect, particularly on the systemΓÇÖs caches. Performance can also be affected by the speed and workload of the name service servers. Overloaded name service servers are slower to respond, causing delays in prefetching the GID. For best results, use multiple name service servers to handle large numbers of requests.

+## ΓÇ£Allow local users with LDAPΓÇ¥ option

+When a user attempts to access an Azure NetApp Files volume via NFS, the request comes in a numeric ID. By default, Azure NetApp Files supports extended group memberships for NFS users (to go beyond the standard 16 group limit to 1,024). As a result, Azure NetApp files attempts to look up the numeric ID in LDAP in an attempt to resolve the group memberships for the user rather than passing the group memberships in an RPC packet.

+Due to that behavior, if that numeric ID can't be resolved to a user in LDAP, the lookup fails and access is denied, even if the requesting user has permission to access the volume or data structure.

+The [Allow local NFS users with LDAP option](configure-ldap-extended-groups.md) in Active Directory connections is intended to disable those LDAP lookups for NFS requests by disabling the extended group functionality. It doesn't provide ΓÇ£local user creation/managementΓÇ¥ within Azure NetApp Files.

+For more information about the option, including how it behaves with different volume security styles in Azure NetApp files, see [Understand the use of LDAP with Azure NetApp Files](lightweight-directory-access-protocol.md).

+## Next steps

+* [Understand the use of LDAP with Azure NetApp Files](lightweight-directory-access-protocol.md)

+* [Allow local NFS users with LDAP option](configure-ldap-extended-groups.md)

+You can configure export policy to control access to an Azure NetApp Files volume that uses the NFS protocol (NFSv3 and NFSv4.1) or the dual protocol (NFSv3 and SMB, or NFSv4.1 and SMB).

+Once created, you can modify details of the export policy rule. The modifiable fields are:

+- IP address (For example, x.x.x.x)

+- CIDR range (A subnet range; for example, 0.0.0.0/0)

+- IP address comma separated list (For example, x.x.x.x, y.y.y.y)

+- Access level

+- [Export policy rule order](network-attached-storage-permissions.md#export-policy-rule-ordering)

+Before modifying policy rules with NFS Kerberos enabled, see [Export policy rules with NFS Kerberos enabled](network-attached-storage-permissions.md#export-policy-rule-ordering).

+* [Understand NAS permissions in Azure NetApp Files](network-attached-storage-permissions.md)

+1. Go to the volume that you want to create a snapshot for. Select **Snapshots**.

+2. Select **+ Add snapshot** to create an on-demand snapshot for a volume.

+4. Select **OK**.

+To learn more about ACLs in Azure NetApp Files, see [Understand NFSv4.x ACLs](nfs-access-control-lists.md).

+* [Understand NFSv4.x ACLs](nfs-access-control-lists.md).

+You can edit the network features option of existing volumes from *Basic* to *Standard* network features. The change you make applies to all volumes in the same *network sibling set* (or *siblings*). Siblings are determined by their network IP address relationship. They share the same network interface card (NIC) for mounting the volume to the client or connecting to the SMB share of the volume. At the creation of a volume, its siblings are determined by a placement algorithm that aims for reusing the IP address where possible.

+>[!IMPORTANT]

+>It's not recommended that you use the edit network features option with Terraform-managed volumes due to risks. You must follow separate instructions if you use Terraform-managed volumes. For more information see, [Update Terraform-managed Azure NetApp Files volume from Basic to Standard](#update-terraform-managed-azure-netapp-files-volume-from-basic-to-standard).

+1. Navigate to the volume for which you want to change the network features option.

+### Update Terraform-managed Azure NetApp Files volume from Basic to Standard

+If your Azure NetApp Files volume is managed using Terraform, editing the network features requires additional steps. Terraform-managed Azure resources store their state in a local file, which is in your Terraform module or in Terraform Cloud.

+Updating the network features of your volume alters the underlying network sibling set of the NIC utilized by that volume. This NIC can be utilized by other volumes you own, and other NICs can share the same network sibling set. **If not performed correctly, updating the network features of one Terraform-managed volume can inadvertently update the network features of several other volumes.**

+>[!IMPORTANT]

+>A discontinuity between state data and remote Azure resource configurations--notably, in the `network_features` argument--can result in the destruction of one or more volumes and possible data loss upon running `terraform apply`. Carefully follow the workaround outlined here to safely update the network features from Basic to Standard of Terraform-managed volumes.

+>[!NOTE]

+>A Terraform module usually consists solely of all top level `*.tf` and/or `*.tf.json` configuration files in a directory, but a Terraform module can make use of module calls to explicitly include other modules into the configuration. You can [learn more about possible module structures](https://developer.hashicorp.com/terraform/language/files). To update all configuration file in your module that reference Azure NetApp Files volumes, be sure to look at all possible sources where your module can reference configuration files.

+The name of the state file in your Terraform module is `terraform.tfstate`. It contains the arguments and their values of all deployed resources in the module. Below is highlighted the `network_features` argument with value ΓÇ£BasicΓÇ¥ for an Azure NetApp Files Volume in a `terraform.tfstate` example file:

+Do _not_ manually update the `terraform.tfstate` file. Likewise, the `network_features` argument in the `*.tf` and `*.tf.json` configuration files should also not be updated until you follow the steps outlined here as this would cause a mismatch in the arguments of the remote volume and the local configuration file representing that remote volume. When Terraform detects a mismatch between the arguments of remote resources and local configuration files representing those remote resources, Terraform can destroy the remote resources and reprovision them with the arguments in the local configuration files. This can cause data loss in a volume.

+By following the steps outlined here, the `network_features` argument in the `terraform.tfstate` file is automatically updated by Terraform to have the value of "Standard" without destroying the remote volume, thus indicating the network features has been successfully updated to Standard.

+>[!NOTE]

+> It's recommended to always use the latest Terraform version and the latest version of the `azurerm` Terraform module.

+#### Determine affected volumes

+Changing the network features for an Azure NetApp Files Volume can impact the network features of other Azure NetApp Files Volumes. Volumes in the same network sibling set must have the same network features setting. Therefore, before you change the network features of one volume, you must determine all volumes affected by the change using the Azure portal.

+1. Log in to the Azure portal.

+1. Navigate to the volume for which you want to change the network features option.

+1. Select the **Change network features**. ***Do **not** select Save.***

+1. Record the paths of the affected volumes then select **Cancel**.

+All Terraform configuration files that define these volumes need to be updated, meaning you need to find the Terraform configuration files that define these volumes. The configuration files representing the affected volumes might not be in the same Terraform module.

+>[!IMPORTANT]

+>With the exception of the single volume you know is managed by Terraform, additional affected volumes might not be managed by Terraform. An additional volume that is listed as being in the same network sibling set does not mean that this additional volume is managed by Terraform.

+#### Modify the affected volumesΓÇÖ configuration files

+You must modify the configuration files for each affected volume managed by Terraform that you discovered. Failing to update the configuration file can destroy the volume or result in data loss.

+>[!IMPORTANT]

+>Depending on your volumeΓÇÖs lifecycle configuration block settings in your Terraform configuration file, your volume can be destroyed, including possible data loss upon running `terraform apply`. Ensure you know which affected volumes are managed by Terraform and which are not.

+1. Locate the affected Terraform-managed volumes configuration files.

+1. Add the `ignore_changes = [network_features]` to the volume's `lifecycle` configuration block. If the `lifecycle` block does not exist in that volumeΓÇÖs configuration, add it.

+ :::image type="content" source="../media/azure-netapp-files/terraform-lifecycle.png" alt-text="Screenshot of the lifecycle configuration." lightbox="../media/azure-netapp-files/terraform-lifecycle.png":::

+1. Repeat for each affected Terraform-managed volume.

+

+The `ignore_changes` feature is intended to be used when a resourceΓÇÖs reference to data might change after the resource is created. Adding the `ignore_changes` feature to the `lifecycle` block allows the network features of the volumes to be changed in the Azure portal without Terraform trying to fix this argument of the volume on the next run of `terraform apply`. You can [learn more about the `ignore_changes` feature](https://developer.hashicorp.com/terraform/language/meta-arguments/lifecycle).

+#### Update the volumes' network features

+1. In the Azure portal, navigate to the Azure NetApp Files volume for which you want to change network features.

+1. Select the **Change network features**.

+1. In the **Action** field, confirm that it reads **Change to Standard**.

+ :::image type="content" source="../media/azure-netapp-files/change-network-features-standard.png" alt-text="Screenshot of confirm change of network features." lightbox="../media/azure-netapp-files/change-network-features-standard.png":::

+1. Select **Save**.

+1. Wait until you receive a notification that the network features update has completed. In your **Notifications**, the message reads "Successfully updated network features. Network features for network sibling set have successfully updated to ΓÇÿStandardΓÇÖ."

+1. In the terminal, run `terraform plan` to view any potential changes. The output should indicate that the infrastructure matches the configuration with a message reading "No changes. Your infrastructure matches the configuration."

+ :::image type="content" source="../media/azure-netapp-files/terraform-plan-output.png" alt-text="Screenshot of terraform plan command output." lightbox="../media/azure-netapp-files/terraform-plan-output.png":::

+ >[!IMPORTANT]

+ > As a safety precaution, execute `terraform plan` before executing `terraform apply`. The command `terraform plan` allows you to create a ΓÇ£planΓÇ¥ file, which contains the changes to your remote resources. This plan allows you to know if any of your affected volumes will be destroyed by running `terraform apply`.

+1. Run `terraform apply` to update the `terraform.tfstate` file.

+ Repeat for all modules containing affected volumes.

+ Observe the change in the value of the `network_features` argument in the `terraform.tfstate` files, which changed from "Basic" to "Standard":

+ :::image type="content" source="../media/azure-netapp-files/updated-terraform-module.png" alt-text="Screenshot of updated Terraform module." lightbox="../media/azure-netapp-files/updated-terraform-module.png":::

+#### Update Terraform-managed Azure NetApp Files volumesΓÇÖ configuration file for configuration parity

+Once you've update the volumes' network features, you must also modify the `network_features` arguments and `lifecycle blocks` in all configuration files of affected Terraform-managed volumes. This update ensures that if you have to recreate or update the volume, it maintains its Standard network features setting.

+1. In the configuration file, set `network_features` to "Standard" and remove the `ignore_changes = [network_features]` line from the `lifecycle` block.

+ :::image type="content" source="../media/azure-netapp-files/terraform-network-features-standard.png" alt-text="Screenshot of Terraform module with Standard network features." lightbox="../media/azure-netapp-files/terraform-network-features-standard.png":::

+1. Repeat for each affected Terraform-managed volume.

+1. Verify that the updated configuration files accurately represent the configuration of the remote resources by running `terraform plan`. Confirm the output reads "No changes."

+1. Run `terraform apply` to complete the update.

+ Title: Manage SMB share ACLs in Azure NetApp Files

+description: Learn how to manage SMB share access control lists in Azure NetApp Files.

+# Manage SMB share ACLs in Azure NetApp Files

+SMB shares can control access to who can mount and access a share, as well as control access levels to users and groups in an Active Directory domain. The first level of permissions that get evaluated are share access control lists (ACLs).

+There are two ways to view share settings:

+* In the **Advanced permissions** settings

+* With the **Microsoft Management Console (MMC)**

+## Prerequisites

+You must have the mount path. You can retrieve this in the Azure portal by navigating to the **Overview** menu of the volume for which you want to configure share ACLs. Identify the **Mount path**.

+## View SMB share ACLs with advanced permissions

+Advanced permissions for files, folders, and shares on an Azure NetApp File volume can be accessed by right-clicking the Azure NetApp Files share at the top level of the UNC path (for example, `\\Azure.NetApp.Files\`) or in the Windows Explorer view when navigating to the share itself (for instance, `\\Azure.NetApp.Files\sharename`).

+>[!NOTE]

+>You can only view SMB share ACLs in the **Advanced permissions** settings.

+1. In Windows Explorer, use the mount path to open the volume. Right-click on the volume, select **Properties**. Switch to the **Security** tab then select **Advanced**.

+ :::image type="content" source="../media/azure-netapp-files/security-advanced-tab.png" alt-text="Screenshot of security tab." lightbox="../media/azure-netapp-files/security-advanced-tab.png":::

+1. In the new window that pops up, switch to the **Share** tab to view the share-level ACLs. You cannot modify share-level ACLs.

+ >[!NOTE]

+ >Azure NetApp Files doesn't support windows audit ACLs. Azure NetApp Files ignores any audit ACL applied to files or directories hosted on Azure NetApp Files volumes.

+ :::image type="content" source="../media/azure-netapp-files/view-permissions.png" alt-text="Screenshot of the permissions tab." lightbox="../media/azure-netapp-files/view-permissions.png":::

+ :::image type="content" source="../media/azure-netapp-files/view-shares.png" alt-text="Screenshot of the share tab." lightbox="../media/azure-netapp-files/view-shares.png":::

+## Modify share-levels ACLs with the Microsoft Management Console

+You can only modify the share ACLs in Azure NetApp Files with the Microsoft Management Console (MMC).

+1. To modify share-level ACLs in Azure NetApp Files, open the Computer Management MMC from the Server Manager in Windows. From there, select the **Tools** menu then **Computer Management**.

+1. In the Computer Management window, right-click **Computer management (local)** then select **Connect to another computer**.

+ :::image type="content" source="../media/azure-netapp-files/computer-management-local.png" alt-text="Screenshot of the computer management window." lightbox="../media/azure-netapp-files/computer-management-local.png":::

+1. In the **Another computer** field, enter the fully qualified domain name (FQDN).

+ The FQDN comes from the mount path you retrieved in the prerequisites. For example, if the mount path is `\\ANF-West-f899.contoso.com\SMBVolume`, enter `ANF-West-f899.contoso.com` as the FQDN.

+1. Once connected, expand **System Tools** then select **Shared Folders > Shares**.

+1. To manage share permissions, right-click on the name of the share you want to modify from list and select **Properties**.

+ :::image type="content" source="../media/azure-netapp-files/share-folder.png" alt-text="Screenshot of the share folder." lightbox="../media/azure-netapp-files/share-folder.png":::

+1. Add, remove, or modify the share ACLs as appropriate.

+ :::image type="content" source="../media/azure-netapp-files/add-share.png" alt-text="Screenshot showing how to add a share." lightbox="../media/azure-netapp-files/add-share.png":::

+

+## Next step

+* [Understand NAS permissions in Azure NetApp Files](network-attached-storage-permissions.md)

+ Title: Understand NFS file permissions in Azure NetApp Files

+description: Learn about mode bits in NFS workloads on Azure NetApp Files.

+documentationcenter: ''

+editor: ''

+ms.assetid:

+ na

+# Understand mode bits in Azure NetApp Files

+File access permissions in NFS limit what users and groups can do once a NAS volume is mounted. Mode bits are a key feature of NFS file permissions in Azure NetApp Files.

+## NFS mode bits

+Mode bit permissions in NFS provide basic permissions for files and folders, using a standard numeric representation of access controls. Mode bits can be used with either NFSv3 or NFSv4.1, but mode bits are the standard option for securing NFSv3 as defined in [RFC-1813](https://tools.ietf.org/html/rfc1813#page-22). The following table shows how those numeric values correspond to access controls.

+| Mode bit numeric |

+| |

+| 1 ΓÇô execute (x) |

+| 2 ΓÇô write (w) |

+| 3 ΓÇô write/execute (wx) |

+| 4 ΓÇô read (r) |

+| 5 ΓÇô read/execute (rx) |

+| 6 ΓÇô read/write (rw) |

+| 7 ΓÇô read/write/execute (rwx) |

+Numeric values are applied to different segments of an access control: owner, group and everyone else, meaning that there are no granular user access controls in place for basic NFSv3. The following image shows an example of how a mode bit access control might be constructed for use with an NFSv3 object.

+Azure NetApp Files doesn't support POSIX ACLs. Thus granular ACLs are only possible with NFSv3 when using an NTFS security style volume with valid UNIX to Windows name mappings via a name service such as Active Directory LDAP. Alternately, you can use NFSv4.1 with Azure NetApp Files and NFSv4.1 ACLs.

+The following table compares the permission granularity between NFSv3 mode bits and NFSv4.x ACLs.

+| NFSv3 mode bits | NFSv4.x ACLs |

+| - | - |

+| <ul><li>Set user ID on execution (setuid)</li><li>Set group ID on execution (setgid)</li><li>Save swapped text (sticky bit)</li><li>Read permission for owner</li><li>Write permission for owner</li><li>Execute permission for owner on a file; or look up (search) permission for owner in directory</li><li>Read permission for group</li><li>Write permission for group</li><li>Execute permission for group on a file; or look up (search) permission for group in directory</li><li>Read permission for others</li><li>Write permission for others</li><li>Execute permission for others on a file; or look up (search) permission for others in directory</li></ul> | <ul><li>ACE types (Allow/Deny/Audit)</li><li>Inheritance flags:</li><li>directory-inherit</li><li>file-inherit</li><li>no-propagate-inherit</li><li>inherit-only</li><li>Permissions:</li><li>read-data (files) / list-directory (directories)</li><li>write-data (files) / create-file (directories)</li><li>append-data (files) / create-subdirectory (directories)</li><li>execute (files) / change-directory (directories)</li><li>delete </li><li>delete-child</li><li>read-attributes</li><li>write-attributes</li><li>read-named-attributes</li><li>write-named-attributes</li><li>read-ACL</li><li>write-ACL</li><li>write-owner</li><li>Synchronize</li></ul> |

+For more information, see [Understand NFSv4.x access control lists ACLs](nfs-access-control-lists.md).

+### Sticky bits, setuid, and setgid

+When using mode bits with NFS mounts, the ownership of files and folders is based on the `uid` and `gid` of the user that created the files and folders. Additionally, when a process runs, it runs as the user that kicked it off, and thus, would have the corresponding permissions. With special permissions (such as `setuid`, `setgid`, sticky bit), this behavior can be controlled.

+#### Setuid

+The `setuid` bit is designated by an "s" in the execute portion of the owner bit of a permission. The `setuid` bit allows an executable file to be run as the owner of the file rather than as the user attempting to execute the file. For instance, the `/bin/passwd` application has the `setuid` bit enabled by default, therefore the application runs as root when a user tries to change their password.

+```bash

+# ls -la /bin/passwd

+-rwsr-xr-x 1 root root 68208 Nov 29 2022 /bin/passwd

+```

+If the `setuid` bit is removed, the password change functionality wonΓÇÖt work properly.

+```bash

+# ls -la /bin/passwd

+-rwxr-xr-x 1 root root 68208 Nov 29 2022 /bin/passwd

+user2@parisi-ubuntu:/mnt$ passwd

+Changing password for user2.

+Current password:

+New password:

+Retype new password:

+passwd: Authentication token manipulation error

+passwd: password unchanged

+```

+When the `setuid` bit is restored, the passwd application runs as the owner (root) and works properly, but only for the user running the passwd command.

+```bash

+# chmod u+s /bin/passwd

+# ls -la /bin/passwd

+-rwsr-xr-x 1 root root 68208 Nov 29 2022 /bin/passwd

+# su user2

+user2@parisi-ubuntu:/mnt$ passwd user1

+passwd: You may not view or modify password information for user1.

+user2@parisi-ubuntu:/mnt$ passwd

+Changing password for user2.

+Current password:

+New password:

+Retype new password:

+passwd: password updated successfully

+```

+Setuid has no effect on directories.

+#### Setgid

+The `setgid` bit can be used on both files and directories.

+With directories, setgid can be used as a way to inherit the owner group for files and folders created below the parent directory with the bit set. Like `setuid`, the executable bit is changed to an ΓÇ£sΓÇ¥ or an ΓÇ£S.ΓÇ¥

+>[!NOTE]

+>Capital ΓÇ£SΓÇ¥ means that the executable bit hasn't been set, such as if the permissions on the directory are ΓÇ£6ΓÇ¥ or ΓÇ£rw.ΓÇ¥

+For example:

+```bash

+# chmod g+s testdir

+# ls -la | grep testdir

+drwxrwSrw- 2 user1 group1 4096 Oct 11 16:34 testdir

+# who

+root ttyS0 2023-10-11 16:28

+# touch testdir/file

+# ls -la testdir

+total 8

+drwxrwSrw- 2 user1 group1 4096 Oct 11 17:09 .

+drwxrwxrwx 5 root root 4096 Oct 11 16:37 ..

+-rw-r--r-- 1 root group1 0 Oct 11 17:09 file

+```

+For files, setgid behaves similarly to `setuid`ΓÇöexecutables run using the group permissions of the group owner. If a user is in the owner group, said user has access to run the executable when setgid is set. If they aren't in the group, they don't get access. For instance, if an administrator wants to limit which users could run the `mkdir` command on a client, they can use setgid.

+Normally, `/bin/mkdir` has 755 permissions with root ownership. This means anyone can run `mkdir` on a client.

+```bash

+# ls -la /bin/mkdir

+-rwxr-xr-x 1 root root 88408 Sep 5 2019 /bin/mkdir

+```

+To modify the behavior to limit which users can run the `mkdir` command, change the group that owns the `mkdir` application, change the permissions for `/bin/mkdir` to 750, and then add the setgid bit to `mkdir`.

+```bash

+# chgrp group1 /bin/mkdir

+# chmod g+s /bin/mkdir

+# chmod 750 /bin/mkdir

+# ls -la /bin/mkdir

+-rwxr-s 1 root group1 88408 Sep 5 2019 /bin/mkdir

+```

+As a result, the application runs with permissions for `group1`. If the user isn't a member of `group1`, the user doesn't get access to run `mkdir`.

+`User1` is a member of `group1`, but `user2` isn't:

+```bash

+# id user1

+uid=1001(user1) gid=1001(group1) groups=1001(group1)

+# id user2

+uid=1002(user2) gid=2002(group2) groups=2002(group2)

+```

+After this change, `user1` can run `mkdir`, but `user2` can't since `user2` isn't in `group1`.

+```bash

+# su user1

+$ mkdir test

+$ ls -la | grep test

+drwxr-xr-x 2 user1 group1 4096 Oct 11 18:48 test

+# su user2

+$ mkdir user2-test

+bash: /usr/bin/mkdir: Permission denied

+```

+#### Sticky bit

+The sticky bit is used for directories only and, when used, controls which files can be modified in that directory regardless of their mode bit permissions. When a sticky bit is set, only file owners (and root) can modify files, even if file permissions are shown as ΓÇ£777.ΓÇ¥

+In the following example, the directory ΓÇ£stickyΓÇ¥ lives in an Azure NetApp Fils volume and has wide open permissions, but the sticky bit is set.

+```bash

+# mkdir sticky

+# chmod 777 sticky

+# chmod o+t sticky

+# ls -la | grep sticky

+drwxrwxrwt 2 root root 4096 Oct 11 19:24 sticky

+```

+Inside the folder are files owned by different users. All have 777 permissions.

+```bash

+# ls -la

+total 8

+drwxrwxrwt 2 root root 4096 Oct 11 19:29 .

+drwxrwxrwx 8 root root 4096 Oct 11 19:24 ..

+-rwxr-xr-x 1 user2 group1 0 Oct 11 19:29 4913

+-rwxrwxrwx 1 UNIXuser group1 40 Oct 11 19:28 UNIX-file

+-rwxrwxrwx 1 user1 group1 33 Oct 11 19:27 user1-file

+-rwxrwxrwx 1 user2 group1 34 Oct 11 19:27 user2-file

+```

+Normally, anyone would be able to modify or delete these files. But because the parent folder has a sticky bit set, only the file owners can make changes to the files.

+For instance, user1 can't modify nor delete `user2-file`:

+```bash

+# su user1

+$ vi user2-file

+Only user2 can modify this file.

+Hi

+~

+"user2-file"

+"user2-file" E212: Can't open file for writing

+$ rm user2-file

+rm: can't remove 'user2-file': Operation not permitted

+```

+Conversely, `user2` can't modify nor delete `user1-file` since they don't own the file and the sticky bit is set on the parent directory.

+```bash

+# su user2

+$ vi user1-file

+Only user1 can modify this file.

+Hi

+~

+"user1-file"

+"user1-file" E212: Can't open file for writing

+$ rm user1-file

+rm: can't remove 'user1-file': Operation not permitted

+```

+Root, however, still can remove the files.

+```bash

+# rm UNIX-file

+```

+To change the ability of root to modify files, you must squash root to a different user by way of an Azure NetApp Files export policy rule. For more information, see [root squashing](network-attached-storage-permissions.md#root-squashing).

+### Umask

+In NFS operations, permissions can be controlled through mode bits, which leverage numerical attributes to determine file and folder access. These mode bits determine read, write, execute, and special attributes. Numerically, permissions are represented as:

+* Execute = 1

+* Read = 2

+* Write = 4

+Total permissions are determined by adding or subtracting a combination of the preceding. For example:

+* 4 + 2 + 1 = 7 (can do everything)

+* 4 + 2 = 6 (read/write)

+For more information, see [UNIX Permissions Help](http://www.zzee.com/solutions/unix-permissions.shtml).

+Umask is a functionality that allows an administrator to restrict the level of permissions allowed to a client. By default, the umask for most clients is set to 0022. 0022 means that files created from that client are assigned that umask. The umask is subtracted from the base permissions of the object. If a volume has 0777 permissions and is mounted using NFS to a client with a umask of 0022, objects written from the client to that volume have 0755 access (0777 ΓÇô 0022).

+```bash

+# umask

+0022

+# umask -S

+u=rwx,g=rx,o=rx

+```

+However, many operating systems don't allow files to be created with execute permissions, but they do allow folders to have the correct permissions. Thus, files created with a umask of 0022 might end up with permissions of 0644. The following example uses RHEL 6.5:

+```bash

+# umask

+0022

+# cd /cdot

+# mkdir umask_dir

+# ls -la | grep umask_dir

+drwxr-xr-x. 2 root root 4096 Apr 23 14:39 umask_dir

+# touch umask_file

+# ls -la | grep umask_file

+-rw-r--r--. 1 root root 0 Apr 23 14:39 umask_file

+```

+## Next steps

+* [Understand auxiliary/supplemental groups with NFS](auxiliary-groups.md)

+* [Understand NFSv4.x access control lists](nfs-access-control-lists.md)

+ Title: Understand SMB file permissions in Azure NetApp Files

+description: Learn about SMB file permissions options in Azure NetApp Files.

+documentationcenter: ''

+editor: ''

+ms.assetid:

+ na

+# Understand SMB file permissions in Azure NetApp Files

+SMB volumes in Azure NetApp Files can leverage NTFS security styles to make use of NTFS access control lists (ACLs) for access controls.

+NTFS ACLs provide granular permissions and ownership for files and folders by way of access control entries (ACEs). Directory permissions can also be set to enable or disable inheritance of permissions.

+For a complete overview of NTFS-style ACLs, see [Microsoft Access Control overview](/windows/security/identity-protection/access-control/access-control).

+## Next steps

+* [Create an SMB volume](azure-netapp-files-create-volumes-smb.md)

+ Title: Understand NAS file permissions in Azure NetApp Files

+description: Learn about NAS file permissions options in Azure NetApp Files.

+documentationcenter: ''

+editor: ''

+ms.assetid:

+ na

+# Understand NAS file permissions in Azure NetApp Files

+To control access to specific files and folders in a file system, permissions can be applied. File and folder permissions are more granular than share permissions. The following table shows the differences in permission attributes that file and share permissions can apply.

+| SMB share permission | NFS export policy rule permissions | SMB file permission attributes | NFS file permission attributes |

+| | | | |

+| <ul><li>Read</li><li>Change</li><li>Full control</li></ul> | <ul><li>Read</li><li>Write</li><li>Root</li></ul> | <ul><li>Full control</li><li>Traverse folder/execute</li><li>Read data/list folders</li><li>Read attributes</li><li>Read extended attributes</li><li>Write data/create files</li><li>Append data/create folders</li><li>Write attributes</li><li>Write extended attributes</li><li>Delete subfolders/files</li><li>Delete</li><li>Read permissions</li><li>Change permissions</li><li>Take ownership</li></ul> | **NFSv3** <br /> <ul><li>Read</li><li>Write</li><li>Execute</li></ul> <br /> **NFSv4.1** <br /> <ul><li>Read data/list files and folders</li><li>Write data/create files and folders</li><li>Append data/create subdirectories</li><li>Execute files/traverse directories</li><li>Delete files/directories</li><li>Delete subdirectories (directories only)</li><li>Read attributes (GETATTR)</li><li>Write attributes (SETATTR/chmod)</li><li>Read named attributes</li><li>Write named attributes</li><li>Read ACLs</li><li>Write ACLs</li><li>Write owner (chown)</li><li>Synchronize I/O</li></ul> |

+File and folder permissions can overrule share permissions, as the most restrictive permissions countermand less restrictive permissions.

+## Permission inheritance

+Folders can be assigned inheritance flags, which means that parent folder permissions propagate to child objects. This can help simplify permission management on high file count environments. Inheritance can be disabled on specific files or folders as needed.

+* In Windows SMB shares, inheritance is controlled in the advanced permission view.

+* For NFSv3, permission inheritance doesnΓÇÖt work via ACL, but instead can be mimicked using umask and setgid flags.

+* With NFSv4.1, permission inheritance can be handled using inheritance flags on ACLs.

+## Next steps

+* [Understand NFS file permissions](network-attached-file-permissions-nfs.md)

+* [Understand SMB file permissions](network-attached-file-permissions-smb.md)

+* [Understand NAS share permissions in Azure NetApp Files](network-attached-storage-permissions.md)

+ Title: Understand NAS share permissions in Azure NetApp Files

+description: Learn about NAS share permissions options in Azure NetApp Files.

+documentationcenter: ''

+editor: ''

+ms.assetid:

+ na

+# Understand NAS share permissions in Azure NetApp Files

+Azure NetApp Files provides several ways to secure your NAS data. One aspect of that security is permissions. In NAS, permissions can be broken down into two categories:

+* **Share access permissions** limit who can mount a NAS volume. NFS controls share access permissions via IP address or hostname. SMB controls this via user and group access control lists (ACLs).

+* **[File access permissions](network-attached-file-permissions.md)** limit what users and groups can do once a NAS volume is mounted. File access permissions are applied to individual files and folders.

+Azure NetApp Files permissions rely on NAS standards, simplifying the process of security NAS volumes for administrators and end users with familiar methods.

+>[!NOTE]

+>If conflicting permissions are listed on share and files, the most restrictive permission is applied. For instance, if a user has read only access at the *share* level and full control at the *file* level, the user receives read access at all levels.

+## Share access permissions

+The initial entry point to be secured in a NAS environment is access to the share itself. In most cases, access should be restricted to only the users and groups that need access to the share. With share access permissions, you can lock down who can even mount the share in the first place.

+Since the most restrictive permissions override other permissions, and a share is the main entry point to the volume (with the fewest access controls), share permissions should abide by a funnel logic, where the share allows more access than the underlying files and folders. The funnel logic enacts more granular, restrictive controls.

+## NFS export policies

+Volumes in Azure NetApp Files are shared out to NFS clients by exporting a path that is accessible to a client or set of clients. Both NFSv3 and NFSv4.x use the same method to limit access to an NFS share in Azure NetApp Files: export policies.

+An export policy is a container for a set of access rules that are listed in order of desired access. These rules control access to NFS shares by using client IP addresses or subnets. If a client isn't listed in an export policy ruleΓÇöeither allowing or explicitly denying accessΓÇöthen that client is unable to mount the NFS export. Since the rules are read in sequential order, if a more restrictive policy rule is applied to a client (for example, by way of a subnet), then it's read and applied first. Subsequent policy rules that allow more access are ignored. This diagram shows a client that has an IP of 10.10.10.10 getting read-only access to a volume because the subnet 0.0.0.0/0 (every client in every subnet) is set to read-only and is listed first in the policy.

+### Export policy rule options available in Azure NetApp Files

+When creating an Azure NetApp Files volume, there are several options configurable for control of access to NFS volumes.

+* **Index**: specifies the order in which an export policy rule is evaluated. If a client falls under multiple rules in the policy, then the first applicable rule applies to the client and subsequent rules are ignored.

+* **Allowed clients**: specifies which clients a rule applies to. This value can be a client IP address, a comma-separated list of IP addresses, or a subnet including multiple clients. The hostname and netgroup values aren't supported in Azure NetApp Files.

+* **Access**: specifies the level of access allowed to non-root users. For NFS volumes without Kerberos enabled, the options are: Read only, Read & write, or No access. For volumes with Kerberos enabled, the options are: Kerberos 5, Kerberos 5i, or Kerberos 5p.

+* **Root access**: specifies how the root user is treated in NFS exports for a given client. If set to "On," the root is root. If set to "Off," the [root is squashed](#root-squashing) to the anonymous user ID 65534.

+* **chown mode**: controls what users can run change ownership commands on the export (chown). If set to "Restricted," only the root user can run chown. If set to "Unrestricted," any user with the proper file/folder permissions can run chown commands.

+### Default policy rule in Azure NetApp Files

+When creating a new volume, a default policy rule is created. The default policy prevents a scenario where a volume is created without policy rules, which would restrict access for any client attempting access to the export. If there are no rules, there is no access.

+The default rule has the following values:

+* Index = 1

+* Allowed clients = 0.0.0.0/0 (all clients allowed access)

+* Access = Read & write

+* Root access = On

+* Chown mode = Restricted

+These values can be changed at volume creation or after the volume has been created.

+### Export policy rules with NFS Kerberos enabled in Azure NetApp Files

+[NFS Kerberos](configure-kerberos-encryption.md) can be enabled only on volumes using NFSv4.1 in Azure NetApp Files. Kerberos provides added security by offering different modes of encryption for NFS mounts, depending on the Kerberos type in use.

+When Kerberos is enabled, the values for the export policy rules change to allow specification of which Kerberos mode should be allowed. Multiple Kerberos security modes can be enabled in the same rule if you need access to more than one.

+Those security modes include:

+* **Kerberos 5**: Only initial authentication is encrypted.

+* **Kerberos 5i**: User authentication plus integrity checking.

+* **Kerberos 5p**: User authentication, integrity checking and privacy. All packets are encrypted.

+Only Kerberos-enabled clients are able to access volumes with export rules specifying Kerberos; no `AUTH_SYS` access is allowed when Kerberos is enabled.

+### Root squashing

+There are some scenarios where you want to restrict root access to an Azure NetApp Files volume. Since root has unfettered access to anything in an NFS volume ΓÇô even when explicitly denying access to root using mode bits or ACLsΓÇöthe only way to limit root access is to tell the NFS server that root from a specific client is no longer root.

+In export policy rules, select "Root access: off" to squash root to a non-root, anonymous user ID of 65534. This means that the root on the specified clients is now user ID 65534 (typically `nfsnobody` on NFS clients) and has access to files and folders based on the ACLs/mode bits specified for that user. For mode bits, the access permissions generally fall under the ΓÇ£EveryoneΓÇ¥ access rights. Additionally, files written as ΓÇ£rootΓÇ¥ from clients impacted by root squash rules create files and folders as the `nfsnobody:65534` user. If you require root to be root, set "Root access" to "On."

+To learn more about managing export policies, see [Configure export policies for NFS or dual-protocol volumes](azure-netapp-files-configure-export-policy.md).

+#### Export policy rule ordering

+The order of export policy rules determines how they are applied. The first rule in the list that applies to an NFS client is the rule used for that client. When using CIDR ranges/subnets for export policy rules, an NFS client in that range may receive unwanted access due to the range in which it's included.

+Consider the following example:

+- The first rule in the index includes *all clients* in *all subnets* by way of the default policy rule using 0.0.0.0/0 as the **Allowed clients** entry. That rule allows ΓÇ£Read & WriteΓÇ¥ access to all clients for that Azure NetApp Files NFSv3 volume.

+- The second rule in the index explicitly lists NFS client 10.10.10.10 and is configured to limit access to ΓÇ£Read only,ΓÇ¥ with no root access (root is squashed).

+As it stands, the client 10.10.10.10 receives access due to the first rule in the list. The next rule is never be evaluated for access restrictions, thus 10.10.10.10 get Read & Write access even though ΓÇ£Read onlyΓÇ¥ is desired. Root is also root, rather than [being squashed](#root-squashing).

+To fix this and set access to the desired level, the rules can be re-ordered to place the desired client access rule above any subnet/CIDR rules. You can reorder export policy rules in the Azure portal by dragging the rules or using the **Move** commands in the `...` menu in the row for each export policy rule.

+>[!NOTE]

+>You can use the [Azure NetApp Files CLI or REST API](azure-netapp-files-sdk-cli.md) only to add or remove export policy rules.

+## SMB shares

+SMB shares enable end users can access SMB or dual-protocol volumes in Azure NetApp Files. Access controls for SMB shares are limited in the Azure NetApp Files control plane to only SMB security options such as access-based enumeration and non-browsable share functionality. These security options are configured during volume creation with the **Edit volume** functionality.

+Share-level permission ACLs are managed through a Windows MMC console rather than through Azure NetApp Files.

+### Security-related share properties

+Azure NetApp Files offers multiple share properties to enhance security for administrators.

+#### Access-based enumeration

+[Access-based enumeration](azure-netapp-files-create-volumes-smb.md#access-based-enumeration) is an Azure NetApp Files SMB volume feature that limits enumeration of files and folders (that is, listing the contents) in SMB only to users with allowed access on the share. For instance, if a user doesn't have access to read a file or folder in a share with access-based enumeration enabled, then the file or folder doesn't show up in directory listings. In the following example, a user (`smbuser`) doesn't have access to read a folder named ΓÇ£ABEΓÇ¥ in an Azure NetApp Files SMB volume. Only `contosoadmin` has access.

+In the below example, access-based enumeration is disabled, so the user has access to the `ABE` directory of `SMBVolume`.

+In the next example, access-based enumeration is enabled, so the `ABE` directory of `SMBVolume` doesn't display for the user.

+The permissions also extend to individual files. In the below example, access-based enumeration is disabled and `ABE-file` displays to the user.

+With access-based enumeration enabled, `ABE-file` doesn't display to the user.

+#### Non-browsable shares

+The non-browsable shares feature in Azure NetApp Files limits clients from browsing for an SMB share by hiding the share from view in Windows Explorer or when listing shares in "net view." Only end users that know the absolute paths to the share are able to find the share.

+In the following image, the non-browsable share property isn't enabled for `SMBVolume`, so the volume displays in the listing of the file server (using `\\servername`).

+With non-browsable shares enabled on `SMBVolume` in Azure NetApp Files, the same view of the file server excludes `SMBVolume`.

+In the next image, the share `SMBVolume` has non-browsable shares enabled in Azure NetApp Files. When that is enabled, this is the view of the top level of the file server.

+Even though the volume in the listing cannot be seen, it remains accessible if the user knows the file path.

+#### SMB3 encryption

+SMB3 encryption is an Azure NetApp Files SMB volume feature that enforces encryption over the wire for SMB clients for greater security in NAS environments. The following image shows a screen capture of network traffic when SMB encryption is disabled. Sensitive informationΓÇösuch as file names and file handlesΓÇöis visible.

+When SMB Encryption is enabled, the packets are marked as encrypted, and no sensitive information can be seen. Instead, itΓÇÖs shown as "Encrypted SMB3 data."

+#### SMB share ACLs

+SMB shares can control access to who can mount and access a share, as well as control access levels to users and groups in an Active Directory domain. The first level of permissions that get evaluated are share access control lists (ACLs).

+SMB share permissions are more basic than file permissions: they only apply read, change or full control. Share permissions can be overridden by file permissions and file permissions can be overridden by share permissions; the most restrictive permission is the one abided by. For instance, if the group ΓÇ£EveryoneΓÇ¥ is given full control on the share (the default behavior), and specific users have read-only access to a folder via a file-level ACL, then read access is applied to those users. Any other users not listed explicitly in the ACL have full control

+Conversely, if the share permission is set to ΓÇ£ReadΓÇ¥ for a specific user, but the file-level permission is set to full control for that user, ΓÇ£ReadΓÇ¥ access is enforced.

+In dual-protocol NAS environments, SMB share ACLs only apply to SMB users. NFS clients leverage export policies and rules for share access rules. As such, controlling permissions at the file and folder level is preferred over share-level ACLs, especially for dual=protocol NAS volumes.

+To learn how to configure ACLs, see [Manage SMB share ACLs in Azure NetApp Files](manage-smb-share-access-control-lists.md).

+## Next steps

+* [Configure export policy for NFS or dual-protocol volumes](azure-netapp-files-configure-export-policy.md)

+* [Understand NAS](network-attached-storage-concept.md)

+* [Understand NAS permissions](network-attached-storage-permissions.md)

+* [Manage SMB share ACLs in Azure NetApp Files](manage-smb-share-access-control-lists.md)

+ Title: Understand NFSv4.x access control lists in Azure NetApp Files

+description: Learn about using NFSv4.x access control lists in Azure NetApp Files.

+documentationcenter: ''

+editor: ''

+ms.assetid:

+ na

+# Understand NFSv4.x access control lists in Azure NetApp Files

+The NFSv4.x protocol can provide access control in the form of [access control lists (ACLs)](/windows/win32/secauthz/access-control-lists), which conceptually similar to ACLs used in [SMB via Windows NTFS permissions](network-attached-file-permissions-smb.md). An NFSv4.x ACL consists of individual [Access Control Entries (ACEs)](/windows/win32/secauthz/access-control-entries), each of which provides an access control directive to the server.

+Each NFSv4.x ACL is created with the format of `type:flags:principal:permissions`.

+* **Type** ΓÇô the type of ACL being defined. Valid choices include Access (A), Deny (D), Audit (U), Alarm (L). Azure NetApp Files supports Access, Deny and Audit ACL types, but Audit ACLs, while being able to be set, don't currently produce audit logs.

+* **Flags** ΓÇô adds extra context for an ACL. There are three kinds of ACE flags: group, inheritance, and administrative. For more information on flags, see [NFSv4.x ACE flags](#nfsv4x-ace-flags).

+* **Principal** ΓÇô defines the user or group that is being assigned the ACL. A principal on an NFSv4.x ACL uses the format of name@ID-DOMAIN-STRING.COM. For more detailed information on principals, see [NFSv4.x user and group principals](#nfsv4x-user-and-group-principals).

+* **Permissions** ΓÇô where the access level for the principal is defined. Each permission is designated a single letter (for instance, read gets ΓÇ£rΓÇ¥, write gets ΓÇ£wΓÇ¥ and so on). Full access would incorporate each available permission letter. For more information, see [NFSv4.x permissions](#nfsv4x-permissions).

+`A:g:group1@contoso.com:rwatTnNcCy` is an example of a valid ACL, following the `type:flags:principal:permissions` format. The example ACL grants full access to the group `group1` in the contoso.com ID domain.

+## NFSv4.x ACE flags

+An ACE flag helps provide more information about an ACE in an ACL. For instance, if a group ACE is added to an ACL, a group flag needs to be used to designate the principal is a group and not a user. It's possible in Linux environments to have a user and a group name that are identical, so the flag ensures an ACE is honored, then the NFS server needs to know what type of principal is being defined.

+Other flags can be used to control ACEs, such as inheritance and administrative flags.

+### Access and deny flags

+Access (A) and deny (D) flags are used to control security ACE types. An access ACE controls the level of access permissions on a file or folder for a principal. A deny ACE explicitly prohibits a principal from accessing a file or folder, even if an access ACE is set that would allow that principal to access the object. Deny ACEs always overrule access ACEs. In general, avoid using deny ACEs, as NFSv4.x ACLs follow a ΓÇ£default denyΓÇ¥ model, meaning if an ACL isn't added, then deny is implicit. Deny ACEs can create unnecessary complications in ACL management.

+### Inheritance flags

+Inheritance flags control how ACLs behave on files created below a parent directory with the inheritance flag set. When an inheritance flag is set, files and/or directories inherit the ACLs from the parent folder. Inheritance flags can only be applied to directories, so when a subdirectory is created, it inherits the flag. Files created below a parent directory with an inheritance flag inherit ACLs, but not the inheritance flags.

+The following table describes available inheritance flags and their behaviors.

+| Inheritance flag | Behavior |

+| - | |

+| d | - Directories below the parent directory inherit the ACL <br> - Inheritance flag is also inherited |

+| f | - Files below the parent directory inherit the ACL <br> - Files don't set inheritance flag |

+| i | Inherit-only; ACL doesnΓÇÖt apply to the current directory but must apply inheritance to objects below the directory |

+| n | - No propagation of inheritance <br> After the ACL is inherited, the inherit flags are cleared on the objects below the parent |

+### NFSv4.x ACL examples

+In the following example, there are three different ACEs with distinct inheritance flags:

+* directory inherit only (di)

+* file inherit only (fi)

+* both file and directory inherit (fdi)

+```bash

+# nfs4_getfacl acl-dir

+# file: acl-dir/

+A:di:user1@CONTOSO.COM:rwaDxtTnNcCy

+A:fdi:user2@CONTOSO.COM:rwaDxtTnNcCy

+A:fi:user3@CONTOSO.COM:rwaDxtTnNcCy

+A::OWNER@:rwaDxtTnNcCy

+A:g:GROUP@:rxtncy

+A::EVERYONE@:rxtncy

+```

+`User1` has a directory inherit ACL only. On a subdirectory created below the parent, the ACL is inherited, but on a file below the parent, it isn't.

+```bash

+# nfs4_getfacl acl-dir/inherit-dir

+# file: acl-dir/inherit-dir

+A:d:user1@CONTOSO.COM:rwaDxtTnNcCy

+A:fd:user2@CONTOSO.COM:rwaDxtTnNcCy

+A:fi:user3@CONTOSO.COM:rwaDxtTnNcCy

+A::OWNER@:rwaDxtTnNcCy

+A:g:GROUP@:rxtncy

+A::EVERYONE@:rxtncy

+# nfs4_getfacl acl-dir/inherit-file

+# file: acl-dir/inherit-file

+ << ACL missing

+A::user2@CONTOSO.COM:rwaxtTnNcCy

+A::user3@CONTOSO.COM:rwaxtTnNcCy

+A::OWNER@:rwatTnNcCy

+A:g:GROUP@:rtncy

+A::EVERYONE@:rtncy

+```

+`User2` has a file and directory inherit flag. As a result, both files and directories below a directory with that ACE entry inherit the ACL, but files wonΓÇÖt inherit the flag.

+```bash

+# nfs4_getfacl acl-dir/inherit-dir

+# file: acl-dir/inherit-dir

+A:d:user1@CONTOSO.COM:rwaDxtTnNcCy

+A:fd:user2@CONTOSO.COM:rwaDxtTnNcCy

+A:fi:user3@CONTOSO.COM:rwaDxtTnNcCy

+A::OWNER@:rwaDxtTnNcCy

+A:g:GROUP@:rxtncy

+A::EVERYONE@:rxtncy

+# nfs4_getfacl acl-dir/inherit-file

+# file: acl-dir/inherit-file

+A::user2@CONTOSO.COM:rwaxtTnNcCy << no flag

+A::user3@CONTOSO.COM:rwaxtTnNcCy

+A::OWNER@:rwatTnNcCy

+A:g:GROUP@:rtncy

+A::EVERYONE@:rtncy

+```

+`User3` only has a file inherit flag. As a result, only files below the directory with that ACE entry inherit the ACL, but they don't inherit the flag since it can only be applied to directory ACEs.

+```bash

+# nfs4_getfacl acl-dir/inherit-dir

+# file: acl-dir/inherit-dir

+A:d:user1@CONTOSO.COM:rwaDxtTnNcCy

+A:fd:user2@CONTOSO.COM:rwaDxtTnNcCy

+A:fi:user3@CONTOSO.COM:rwaDxtTnNcCy

+A::OWNER@:rwaDxtTnNcCy

+A:g:GROUP@:rxtncy

+A::EVERYONE@:rxtncy

+# nfs4_getfacl acl-dir/inherit-file

+# file: acl-dir/inherit-file

+A::user2@CONTOSO.COM:rwaxtTnNcCy

+A::user3@CONTOSO.COM:rwaxtTnNcCy << no flag

+A::OWNER@:rwatTnNcCy

+A:g:GROUP@:rtncy

+A::EVERYONE@:rtncy

+```

+When a "no-propogate" (n) flag is set on an ACL, the flags clear on subsequent directory creations below the parent. In the following example, `user2` has the `n` flag set. As a result, the subdirectory clears the inherit flags for that principal and objects created below that subdirectory donΓÇÖt inherit the ACE from `user2`.

+```bash

+# nfs4_getfacl /mnt/acl-dir

+# file: /mnt/acl-dir

+A:di:user1@CONTOSO.COM:rwaDxtTnNcCy

+A:fdn:user2@CONTOSO.COM:rwaDxtTnNcCy

+A:fd:user3@CONTOSO.COM:rwaDxtTnNcCy

+A::OWNER@:rwaDxtTnNcCy

+A:g:GROUP@:rxtncy

+A::EVERYONE@:rxtncy

+# nfs4_getfacl inherit-dir/

+# file: inherit-dir/

+A:d:user1@CONTOSO.COM:rwaDxtTnNcCy

+A::user2@CONTOSO.COM:rwaDxtTnNcCy << flag cleared

+A:fd:user3@CONTOSO.COM:rwaDxtTnNcCy

+A::OWNER@:rwaDxtTnNcCy

+A:g:GROUP@:rxtncy

+A::EVERYONE@:rxtncy

+# mkdir subdir

+# nfs4_getfacl subdir

+# file: subdir

+A:d:user1@CONTOSO.COM:rwaDxtTnNcCy

+<< ACL not inherited

+A:fd:user3@CONTOSO.COM:rwaDxtTnNcCy

+A::OWNER@:rwaDxtTnNcCy

+A:g:GROUP@:rxtncy

+A::EVERYONE@:rxtncy

+```

+Inherit flags are a way to more easily manage your NFSv4.x ACLs, sparing you from explicitly setting an ACL each time you need one.

+### Administrative flags

+Administrative flags in NFSv4.x ACLs are special flags that are used only with Audit and Alarm ACL types. These flags define either success or failure access attempts for actions to be performed. For instance, if it's desired to audit failed access attempts to a specific file, then an administrative flag of ΓÇ£FΓÇ¥ can be used to control that behavior.

+This Audit ACL is an example of that, where `user1` is audited for failed access attempts for any permission level: `U:F:user1@contoso.com:rwatTnNcCy`.

+Azure NetApp Files only supports setting administrative flags for Audit ACEs. File access logging isn't currently supported. Alarm ACEs aren't supported in Azure NetApp Files.

+## NFSv4.x user and group principals

+With NFSv4.x ACLs, user and group principals define the specific objects that an ACE should apply to. Principals generally follow a format of name@ID-DOMAIN-STRING.COM. The ΓÇ£nameΓÇ¥ portion of a principal can be a user or group, but that user or group must be resolvable in Azure NetApp Files via the LDAP server connection when specifying the NFSv4.x ID domain. If the name@domain isn't resolvable by Azure NetApp Files, then the ACL operation fails with an ΓÇ£invalid argumentΓÇ¥ error.

+```bash

+# nfs4_setfacl -a A::noexist@CONTOSO.COM:rwaxtTnNcCy inherit-file

+Failed setxattr operation: Invalid argument

+```

+You can check within Azure NetApp Files if a name can be resolved using the LDAP group ID list. Navigate to **Support + Troubleshooting** then **LDAP Group ID list**.

+### Local user and group access via NFSv4.x ACLs

+Local users and groups can also be used on an NFSv4.x ACL if only the numeric ID is specified in the ACL. User names or numeric IDs with a domain ID specified fail.

+For instance:

+```bash

+# nfs4_setfacl -a A:fdg:3003:rwaxtTnNcCy NFSACL

+# nfs4_getfacl NFSACL/

+A:fdg:3003:rwaxtTnNcCy

+A::OWNER@:rwaDxtTnNcCy

+A:g:GROUP@:rwaDxtTnNcy

+A::EVERYONE@:rwaDxtTnNcy

+# nfs4_setfacl -a A:fdg:3003@CONTOSO.COM:rwaxtTnNcCy NFSACL

+Failed setxattr operation: Invalid argument

+# nfs4_setfacl -a A:fdg:users:rwaxtTnNcCy NFSACL

+Failed setxattr operation: Invalid argument

+```

+When a local user or group ACL is set, any user or group that corresponds to the numeric ID on the ACL receives access to the object. For local group ACLs, a user passes its group memberships to Azure NetApp Files. If the numeric ID of the group with access to the file via the userΓÇÖs request is shown to the Azure NetApp Files NFS server, then access is allowed as per the ACL.

+The credentials passed from client to server can be seen via a packet capture as seen below.

+**Caveats:**

+* Using local users and groups for ACLs means that every client accessing the files/folders need to have matching user and group IDs.

+* When using a numeric ID for an ACL, Azure NetApp Files implicitly trusts that the incoming request is valid and that the user requesting access is who they say they are and is a member of the groups they claim to be a member of. A user or group numeric can be spoofed if a bad actor knows the numeric ID and can access the network using a client with the ability to create users and groups locally.

+* If a user is a member of more than 16 groups, then any group after the sixteenth group (in alphanumeric order) is denied access to the file or folder, unless LDAP and extended group support is used.

+* LDAP and full name@domain name strings are highly recommended when using NFSv4.x ACLs for better manageability and security. A centrally managed user and group repository is easier to maintain and harder to spoof, thus making unwanted user access less likely.

+### NFSv4.x ID domain

+The ID domain is an important component of the principal, where an ID domain must match on both client and within Azure NetApp Files for user and group names (specifically, root) to show up properly on file/folder ownerships.

+Azure NetApp Files defaults the NFSv4.x ID domain to the DNS domain settings for the volume. NFS clients also default to the DNS domain for the NFSv4.x ID domain. If the clientΓÇÖs DNS domain is different than the Azure NetApp Files DNS domain, then a mismatch occurs. When listing file permissions with commands such as `ls`, users/groups show up as ΓÇ£nobody".

+When a domain mismatch occurs between the NFS client and Azure NetApp Files, check the client logs for errors similar to:

+

+```bash

+August 19 13:14:29 centos7 nfsidmap[17481]: nss_getpwnam: name 'root@microsoft.com' does not map into domain ΓÇÿCONTOSO.COM'

+```

+The NFS clientΓÇÖs ID domain can be overridden using the /etc/idmapd.conf fileΓÇÖs ΓÇ£DomainΓÇ¥ setting. For example: `Domain = CONTOSO.COM`.

+Azure NetApp Files also allows you to [change the NFSv4.1 ID domain](azure-netapp-files-configure-nfsv41-domain.md). For additional details, see [How-to: NFSv4.1 ID Domain Configuration for Azure NetApp Files](https://www.youtube.com/watch?v=UfaJTYWSVAY).

+## NFSv4.x permissions

+NFSv4.x permissions are the way to control what level of access a specific user or group principal has on a file or folder. Permissions in NFSv3 only allow read/write/execute (rwx) levels of access definition, but NFSv4.x provides a slew of other granular access controls as an improvement over NFSv3 mode bits.

+There are 13 permissions that can be set for users, and 14 permissions that can be set for groups.

+| Permission letter | Permission granted |

+| - | - |

+|r | Read data/list files and folders |

+|w | Write data/create files and folders |

+|a | Append data/create subdirectories |

+|x | Execute files/traverse directories |

+|d | Delete files/directories |

+|D | Delete subdirectories (directories only) |

+|t | Read attributes (GETATTR) |

+|T | Write attributes (SETATTR/chmod) |

+|n | Read named attributes |

+|N | Write named attributes |

+|c | Read ACLs |

+|C | Write ACLs |

+|o | Write owner (chown) |

+|y | Synchronous I/O |

+When access permissions are set, a user or group principal adheres to those assigned rights.

+### NFSv4.x permission examples

+The following examples show how different permissions work with different configuration scenarios.

+**User with read access (r only)**

+With read-only access, a user can read attributes and data, but any write access (data, attributes, owner) is denied.

+```bash

+A::user1@CONTOSO.COM:r

+sh-4.2$ ls -la

+total 12

+drwxr-xr-x 3 root root 4096 Jul 12 12:41 .

+drwxr-xr-x 3 root root 4096 Jul 12 12:09 ..

+-rw-r--r-- 1 root root 0 Jul 12 12:41 file

+drwxr-xr-x 2 root root 4096 Jul 12 12:31 subdir

+sh-4.2$ touch user1-file

+touch: can't touch ΓÇÿuser1-fileΓÇÖ: Permission denied

+sh-4.2$ chown user1 file

+chown: changing ownership of ΓÇÿfileΓÇÖ: Operation not permitted

+sh-4.2$ nfs4_setfacl -e /mnt/acl-dir/inherit-dir

+Failed setxattr operation: Permission denied

+sh-4.2$ rm file

+rm: remove write-protected regular empty file ΓÇÿfileΓÇÖ? y

+rm: can't remove ΓÇÿfileΓÇÖ: Permission denied

+sh-4.2$ cat file

+Test text

+```

+**User with read access (r) and write attributes (T)**

+In this example, permissions on the file can be changed due to the write attributes (T) permission, but no files can be created since only read access is allowed. This configuration illustrates the kind of granular controls NFSv4.x ACLs can provide.

+```bash

+A::user1@CONTOSO.COM:rT

+sh-4.2$ touch user1-file

+touch: can't touch ΓÇÿuser1-fileΓÇÖ: Permission denied

+sh-4.2$ ls -la

+total 60

+drwxr-xr-x 3 root root 4096 Jul 12 16:23 .

+drwxr-xr-x 19 root root 49152 Jul 11 09:56 ..

+-rw-r--r-- 1 root root 10 Jul 12 16:22 file

+drwxr-xr-x 3 root root 4096 Jul 12 12:41 inherit-dir

+-rw-r--r-- 1 user1 group1 0 Jul 12 16:23 user1-file

+sh-4.2$ chmod 777 user1-file

+sh-4.2$ ls -la

+total 60

+drwxr-xr-x 3 root root 4096 Jul 12 16:41 .

+drwxr-xr-x 19 root root 49152 Jul 11 09:56 ..

+drwxr-xr-x 3 root root 4096 Jul 12 12:41 inherit-dir

+-rwxrwxrwx 1 user1 group1 0 Jul 12 16:23 user1-file

+sh-4.2$ rm user1-file

+rm: can't remove ΓÇÿuser1-fileΓÇÖ: Permission denied

+```

+### Translating mode bits into NFSv4.x ACL permissions

+When a chmod is run an an object with NFSv4.x ACLs assigned, a series of system ACLs are updated with new permissions. For instance, if the permissions are set to 755, then the system ACL files get updated. The following table shows what each numeric value in a mode bit translates to in NFSv4 ACL permissions.

+See [NFSv4.x permissions](#nfsv4x-permissions) for a table outlining all the permissions.

+| Mode bit numeric | Corresponding NFSv4.x permissions |

+| -- | -- |

+| 1 ΓÇô execute (x) | Execute, read attributes, read ACLs, sync I/O (xtcy) |

+| 2 ΓÇô write (w) | Write, append data, read attributes, write attributes, write named attributes, read ACLs, sync I/O (watTNcy) |

+| 3 ΓÇô write/execute (wx) | Write, append data, execute, read attributes, write attributes, write named attributes, read ACLs, sync I/O (waxtTNcy) |

+| 4 ΓÇô read (r) | Read, read attributes, read named attributes, read ACLs, sync I/O (rtncy) |

+| 5 ΓÇô read/execute (rx) | Read, execute, read attributes, read named attributes, read ACLs, sync I/O (rxtncy) |

+| 6 ΓÇô read/write (rw) | Read, write, append data, read attributes, write attributes, read named attributes, write named attributes, read ACLs, sync I/O (rwatTnNcy) |

+| 7 ΓÇô read/write/execute (rwx) | Full control/all permissions |

+## How NFSv4.x ACLs work with Azure NetApp Files

+Azure NetApp Files supports NFSv4.x ACLs natively when a volume has NFSv4.1 enabled for access. There isn't anything to enable on the volume for ACL support, but for NFSv4.1 ACLs to work best, an LDAP server with UNIX users and groups is needed to ensure that Azure NetApp Files is able to resolve the principals set on the ACLs securely. Local users can be used with NFSv4.x ACLs, but they don't provide the same level of security as ACLs used with an LDAP server.

+There are considerations to keep in mind with ACL functionality in Azure NetApp Files.

+### ACL inheritance

+In Azure NetApp Files, ACL inheritance flags can be used to simplify ACL management with NFSv4.x ACLs. When an inheritance flag is set, ACLs on a parent directory can propagate down to subdirectories and files without further interaction. Azure NetApp Files implements standard ACL inherit behaviors as per [RFC-7530](https://datatracker.ietf.org/doc/html/rfc7530).

+### Deny ACEs

+Deny ACEs in Azure NetApp Files are used to explicitly restrict a user or group from accessing a file or folder. A subset of permissions can be defined to provide granular controls over the deny ACE. These operate in the standard methods mentioned in [RFC-7530](https://datatracker.ietf.org/doc/html/rfc7530).

+### ACL preservation

+When a chmod is performed on a file or folder in Azure NetApp Files, all existing ACEs are preserved on the ACL other than the system ACEs (OWNER@, GROUP@, EVERYONE@). Those ACE permissions are modified as defined by the numeric mode bits defined by the chmod command. Only ACEs that are manually modified or removed via the `nfs4_setfacl` command can be changed.

+### NFSv4.x ACL behaviors in dual-protocol environments

+Dual protocol refers to the use of both SMB and NFS on the same Azure NetApp Files volume. Dual-protocol access controls are determined by which security style the volume is using, but username mapping ensures that Windows users and UNIX users that successfully map to one another have the same access permissions to data.

+When NFSv4.x ACLs are in use on UNIX security style volumes, the following behaviors can be observed when using dual-protocol volumes and accessing data from SMB clients.

+* Windows usernames need to map properly to UNIX usernames for proper access control resolution.

+* In UNIX security style volumes (where NFSv4.x ACLs would be applied), if no valid UNIX user exists in the LDAP server for a Windows user to map to, then a default UNIX user called `pcuser` (with uid numeric 65534) is used for mapping.

+* Files written with Windows users with no valid UNIX user mapping display as owned by numeric ID 65534, which corresponds to ΓÇ£nfsnobodyΓÇ¥ or ΓÇ£nobodyΓÇ¥ usernames in Linux clients from NFS mounts. This is different from the numeric ID 99 which is typically seen with NFSv4.x ID domain issues. To verify the numeric ID in use, use the `ls -lan` command.

+* Files with incorrect owners don't provide expected results from UNIX mode bits or from NFSv4.x ACLs.

+* NFSv4.x ACLs are managed from NFS clients. SMB clients can neither view nor manage NFSv4.x ACLs.

+### Umask impact with NFSv4.x ACLs

+[NFSv4 ACLs provide the ability](http://linux.die.net/man/5/nfs4_acl) to offer ACL inheritance. ACL inheritance means that files or folders created beneath objects with NFSv4 ACLs set can inherit the ACLs based on the configuration of the [ACL inheritance flag](http://linux.die.net/man/5/nfs4_acl).

+Umask is used to control the permission level at which files and folders are created in a directory. By default, Azure NetApp Files allows umask to override inherited ACLs, which is expected behavior as per [RFC-7530](https://datatracker.ietf.org/doc/html/rfc7530).

+For more information, see [umask](network-attached-file-permissions-nfs.md#umask).

+### Chmod/chown behavior with NFSv4.x ACLs

+In Azure NetApp Files, you can use change ownership (chown) and change mode bit (chmod) commands to manage file and directory permissions on NFSv3 and NFSv4.x.

+When using NFSv4.x ACLs, the more granular controls applied to files and folder lessens the need for chmod commands. Chown still has a place, as NFSv4.x ACLs don't assign ownership.

+When chmod is run in Azure NetApp Files on files and folders with NFSv4.x ACLs applied, mode bits are changed on the object. In addition, a set of system ACEs are modified to reflect those mode bits. If the system ACEs are removed, then mode bits are cleared. Examples and a more complete description can be found in the section on system ACEs below.

+When chown is run in Azure NetApp Files, the assigned owner can be modified. File ownership isn't as critical when using NFSv4.x ACLs as when using mode bits, as ACLs can be used to control permissions in ways that basic owner/group/everyone concepts couldn't. Chown in Azure NetApp Files can only be run as root (either as root or by using sudo), since export controls are configured to only allow root to make ownership changes. Since this is controlled by a default export policy rule in Azure NetApp Files, NFSv4.x ACL entries that allow ownership modifications don't apply.

+```bash

+# su user1

+# chown user1 testdir

+chown: changing ownership of ΓÇÿtestdirΓÇÖ: Operation not permitted

+# sudo chown user1 testdir

+# ls -la | grep testdir

+-rw-r--r-- 1 user1 root 0 Jul 12 16:23 testdir

+```

+The export policy rule on the volume can be modified to change this behavior. In the **Export policy** menu for the volume, modify **Chown mode** to "unrestricted."

+Once modified, ownership can be changed by users other than root if they have appropriate access rights. This requires the ΓÇ£Take OwnershipΓÇ¥ NFSv4.x ACL permission (designated by the letter ΓÇ£oΓÇ¥). Ownership can also be changed if the user changing ownership currently owns the file or folder.

+```bash

+A::user1@contoso.com:rwatTnNcCy << no ownership flag (o)

+user1@ubuntu:/mnt/testdir$ chown user1 newfile3

+chown: changing ownership of 'newfile3': Permission denied

+A::user1@contoso.com:rwatTnNcCoy << with ownership flag (o)

+user1@ubuntu:/mnt/testdir$ chown user1 newfile3

+user1@ubuntu:/mnt/testdir$ ls -la

+total 8

+drwxrwxrwx 2 user2 root 4096 Jul 14 16:31 .

+drwxrwxrwx 5 root root 4096 Jul 13 13:46 ..

+-rw-r--r-- 1 user1 root 0 Jul 14 15:45 newfile

+-rw-r--r-- 1 root root 0 Jul 14 15:52 newfile2

+-rw-r--r-- 1 user1 4294967294 0 Jul 14 16:31 newfile3

+```

+### System ACEs

+On every ACL, there are a series of system ACEs: OWNER@, GROUP@, EVERYONE@. For example:

+```bash

+A::OWNER@:rwaxtTnNcCy

+A:g:GROUP@:rwaxtTnNcy

+A::EVERYONE@:rwaxtTnNcy

+```

+These ACEs correspond with the classic mode bits permissions you would see in NFSv3 and are directly associated with those permissions. When a chmod is run on an object, these system ACLs change to reflect those permissions.

+```bash

+# nfs4_getfacl user1-file

+# file: user1-file

+A::user1@CONTOSO.COM:rT

+A::OWNER@:rwaxtTnNcCy

+A:g:GROUP@:rwaxtTnNcy

+A::EVERYONE@:rwaxtTnNcy

+# chmod 755 user1-file

+# nfs4_getfacl user1-file

+# file: user1-file

+A::OWNER@:rwaxtTnNcCy

+A:g:GROUP@:rxtncy

+```

+If those system ACEs are removed, then the permission view changes such that the normal mode bits (rwx) show up as dashes.

+```bash

+# nfs4_setfacl -x A::OWNER@:rwaxtTnNcCy user1-file

+# nfs4_setfacl -x A:g:GROUP@:rxtncy user1-file

+# nfs4_setfacl -x A::EVERYONE@:rxtncy user1-file

+# ls -la | grep user1-file

+- 1 user1 group1 0 Jul 12 16:23 user1-file

+```

+Removing system ACEs is a way to further secure files and folders, as only the user and group principals on the ACL (and root) are able to access the object. Removing system ACEs can break applications that rely on mode bit views for functionality.

+### Root user behavior with NFSv4.x ACLs

+Root access with NFSv4.x ACLs can't be limited unless [root is squashed](network-attached-storage-permissions.md#root-squashing). Root squashing is where an export policy rule is configured where root is mapped to an anonymous user to limit access. Root access can be configured from a volume's **Export policy** menu by changing the policy rule of **Root access** to off.

+To configure root squashing, navigate to the **Export policy** menu on the volume then change ΓÇ£Root accessΓÇ¥ to ΓÇ£offΓÇ¥ for the policy rule.

+The effect of disabling root access root squashes to anonymous user `nfsnobody:65534`. Root access is then unable to change ownership.

+```bash

+root@ubuntu:/mnt/testdir# touch newfile3

+root@ubuntu:/mnt/testdir# ls -la

+total 8

+drwxrwxrwx 2 user2 root 4096 Jul 14 16:31 .

+drwxrwxrwx 5 root root 4096 Jul 13 13:46 ..

+-rw-r--r-- 1 user1 root 0 Jul 14 15:45 newfile

+-rw-r--r-- 1 root root 0 Jul 14 15:52 newfile2

+-rw-r--r-- 1 nobody 4294967294 0 Jul 14 16:31 newfile3

+root@ubuntu:/mnt/testdir# ls -lan

+total 8

+drwxrwxrwx 2 1002 0 4096 Jul 14 16:31 .

+drwxrwxrwx 5 0 0 4096 Jul 13 13:46 ..

+-rw-r--r-- 1 1001 0 0 Jul 14 15:45 newfile

+-rw-r--r-- 1 0 0 0 Jul 14 15:52 newfile2

+-rw-r--r-- 1 65534 4294967294 0 Jul 14 16:31 newfile3

+root@ubuntu:/mnt/testdir# chown root newfile3

+chown: changing ownership of 'newfile3': Operation not permitted

+```

+Alternatively, in dual-protocol environments, NTFS ACLs can be used to granularly limit root access.

+## Next steps

+* [Configure NFS clients](configure-nfs-clients.md)

+* [Configure access control lists on NFSv4.1 volumes](configure-access-control-lists.md)

+* [Volume user and group quotas](default-individual-user-group-quotas-introduction.md) is now generally available (GA).

+ User and group quotas enable you to stay in control and define how much storage capacity can be used by individual users or groups can use within a specific Azure NetApp Files volume. You can set default (same for all users) or individual user quotas on all NFS, SMB, and dual protocol-enabled volumes. On all NFS-enabled volumes, you can define a default (that is, same for all users) or individual group quotas.

+ This feature is Generally Available in Azure commercial regions and US Gov regions where Azure NetApp Files is available.

+> [!NOTE]

+> When the `Retry-after` header is not returned, implement your own retry logic by following the Azure guidelines in [this](https://learn.microsoft.com/azure/architecture/best-practices/retry-service-specific#general-rest-and-retry-guidelines) document.

+ Title: Use Azure VMware Solution with Azure Elastic SAN Preview

+description: Learn how to use Elastic SAN Preview with Azure VMware Solution

+# Use Azure VMware Solution with Azure Elastic SAN Preview

+This article explains how to use Azure Elastic SAN Preview as backing storage for Azure VMware Solution. [Azure VMware Solution](introduction.md) supports attaching iSCSI datastores as a persistent storage option. You can create Virtual Machine File System (VMFS) datastores with Azure Elastic SAN volumes and attach them to clusters of your choice. By using VMFS datastores backed by Azure Elastic SAN, you can expand your storage instead of scaling the clusters.

+Azure Elastic storage area network (SAN) addresses the problem of workload optimization and integration between your large scale databases and performance-intensive mission-critical applications. For more information on Azure Elastic SAN, see [What is Azure Elastic SAN? Preview](../storage/elastic-san/elastic-san-introduction.md).

+ - [Azure portal](../virtual-network/quick-create-portal.md)

+ - [Azure PowerShell module](../virtual-network/quick-create-powershell.md)

+ - [Azure CLI](../virtual-network/quick-create-cli.md)

+1. Use one of the following instruction options to set up an Elastic SAN, your dedicated volume group, and initial volume in that group:

+ > Create your Elastic SAN in the same region and availability zone as your SDDC for best performance.

+1. Use one of the following instructions to configure a Private Endpoint (PE) for your Elastic SAN:

+1. Select your **Subscription**, **Resource**, **Volume Group**, **Volume(s)**, and **Client cluster**.

+1. From section, "Rename datastore as per VMware requirements", under **Volume name** > **Data store name**, give names to the Elastic SAN volumes.

+1. Under **Virtual network**, select **Disconnect** to disconnect the datastore from the Cluster(s).

+1. Optionally you can delete the volume you previously created in your Elastic SAN.

+On this page, you can read about recent updates about Azure Web PubSub. As we make continuous improvements to the capabilities and developer experience of the service, we welcome any feedback and suggestions. Reach out to the service team at **awps@microsoft.com**

+1. The Backup service invokes the backup based on the policy schedules on the ARM API of PostgresFlex server, writing data to a secure blob-container with a SAS for enhanced security.

+1. During the restore, the Backup service invokes restore on the ARM API of PostgresFlex server using the SAS for asynchronous, nondisruptive recovery.

+1. After the selection, the validation starts. The backup readiness check ensures the vault has sufficient permissions for backup operations. Resolve any access issues by granting appropriate [permissions](/azure/backup/backup-azure-database-postgresql-flex-overview) to the vault MSI and re-triggering the validation.

+az backup item set-policy --resource-group SQLResourceGroup \

+ Title: Confidential Containers (preview) on Azure Kubernetes Service

+description: Learn about pod level isolation using Confidential Containers (preview) on Azure Kubernetes Service

+# Confidential Containers (preview) on Azure Kubernetes Service

+With the growth in cloud-native application development, there's an increased need to protect the workloads running in cloud environments as well. Containerizing the workload forms a key component for this programming model, and then, protecting the container is paramount to running confidentially in the cloud.

+Confidential Containers on Azure Kubernetes Service (AKS) enable container level isolation in your Kubernetes workloads. It's an addition to Azure suite of confidential computing products, and uses the AMD SEV-SNP memory encryption to protect your containers at runtime.

+Confidential Containers are attractive for deployment scenarios that involve sensitive data (for instance, personal data or any data with strong security needed for regulatory compliance).

+In alignment with the guidelines set by the [Confidential Computing Consortium](https://confidentialcomputing.io/), that Microsoft is a founding member of, Confidential Containers need to fulfill the following ΓÇô

+* Transparency: The confidential container environment where your sensitive application is shared, you can see and verify if it's safe. All components of the Trusted Computing Base (TCB) are to be open sourced.

+* Auditability: You have the ability to verify and see what version of the CoCo environment package including Linux Guest OS and all the components are current. Microsoft signs to the guest OS and container runtime environment for verifications through attestation. It also releases a secure hash algorithm (SHA) of guest OS builds to build a string audibility and control story.

+* Full attestation: Anything that is part of the TEE shall be fully measured by the CPU with ability to verify remotely. The hardware report from AMD SEV-SNP processor shall reflect container layers and container runtime configuration hash through the attestation claims. Application can fetch the hardware report locally including the report that reflects Guest OS image and container runtime.

+* Isolation from operator: Security designs that assume least privilege and highest isolation shielding from all untrusted parties including customer/tenant admins. It includes hardening existing Kubernetes control plane access (kubelet) to confidential pods.

+## What forms Confidential Containers on AKS?

+Aligning with MicrosoftΓÇÖs commitment to the open-source community, the underlying stack for Confidential Containers uses the [Kata CoCo](https://github.com/confidential-containers/confidential-containers) agent as the agent running in the node that hosts the pod running the confidential workload. With many TEE technologies requiring a boundary between the host and guest, [Kata Containers](https://katacontainers.io/) are the basis for the Kata CoCo initial work. Microsoft also contributed back to the Kata Coco community to power containers running inside a confidential utility VM.

+The Kata confidential container resides within the Azure Linux AKS Container Host. [Azure Linux](../aks/use-azure-linux.md) and the Cloud Hypervisor VMM (Virtual Machine Monitor) is the end-user facing/user space software that is used for creating and managing the lifetime of virtual machines.

+By default, AKS all workloads share the same kernel and the same cluster admin. With the preview of Pod Sandboxing on AKS, the isolation grew a notch higher with the ability to provide kernel isolation for workloads on the same AKS node. You can read more about the feature [here](../aks/use-pod-sandboxing.md). Confidential Containers are the next step of this isolation and it uses the memory encryption capabilities of the underlying AMD SEV-SNP virtual machine sizes. These virtual machines are the [DCa_cc](../virtual-machines/dcasccv5-dcadsccv5-series.md) and [ECa_cc](../virtual-machines/ecasccv5-ecadsccv5-series.md) sizes with the capability of surfacing the hardwareΓÇÖs root of trust to the pods deployed on it.

+To get started and learn more about supported scenarios, refer to our AKS documentation [here](../aks/confidential-containers-overview.md).

+[Deploy a Confidential Container on AKS](../aks/deploy-confidential-containers-default-policy.md).

+The below article describes how to perform a Secure Key Release from Azure Key Vault when your applications are running with an AMD SEV-SNP based confidential virtual machine. To learn more about Secure Key Release and Azure Confidential Computing, [go here.](./concept-skr-attestation.md).

+1. Assign a managed identity to the confidential virtual machine. System-assigned managed identity or a user-assigned managed identity are supported.

+1. Set a Key Vault access policy to grant the managed identity the "release" key permission. A policy allows the confidential virtual machine to access the Key Vault and perform the release operation. If using Key Vault Managed HSM, assign the "Managed HSM Crypto Service Release User" role membership.

+1. Create a Key Vault key that is marked as exportable and has an associated release policy. The key release policy associates the key to an attested confidential virtual machine and that the key can only be used for the desired purpose.

+1. To perform the release, send an HTTP request to the Key Vault from the confidential virtual machine. The HTTP request must include the Confidential VMs attested platform report in the request body. The attested platform report is used to verify the trustworthiness of the state of the Trusted Execution Environment-enabled platform, such as the Confidential VM. The Microsoft Azure Attestation service can be used to create the attested platform report and include it in the request.

+Once you enable a system-assigned managed identity for your CVM, you have to provide it with access to the Azure Key Vault data plane where key objects are stored. To ensure that only our confidential virtual machine can execute the release operation, we'll only grant the specific permission required.

+The result from the Guest Attestation client simply is a base64 encoded string. This encoded string value is a signed JSON Web Token (__JWT__), with a header, body and signature. You can split the string by the `.` (dot) value and base64 decode the results.

+You can read from the "`x5c`" array in PowerShell, this can help you verify that this is a valid certificate. Below is an example:

+Serverless computing offers services that manage and maintain servers, which relieve you of the burden of physically operating servers yourself. Azure Container Apps is a serverless platform that handles scaling, security, and infrastructure management for you - all while reducing costs. Once freed from server-related concerns, you're able to spend your time focusing on your application code.

+Creating multiple client instances might lead to connection contention and timeout issues. The [Diagnostics](./troubleshoot-dotnet-sdk.md#capture-diagnostics) contain two relevant properties:

+```json

+{

+ "NumberOfClientsCreated":X,

+ "NumberOfActiveClients":Y,

+}

+```

+`NumberOfClientsCreated` tracks the number of times a `CosmosClient` was created within the same AppDomain, and `NumberOfActiveClients` tracks the active clients (not disposed). The expectation is that if the singleton pattern is followed, `X` would match the number of accounts the application works with and that `X` is equal to `Y`.

+If `X` is greater than `Y`, it means the application is creating and disposing client instances. This can lead to [connection contention](#socket-or-port-availability-might-be-low) and/or [CPU contention](#high-cpu-utilization).

+Follow the [performance tips](performance-tips-dotnet-sdk-v3.md#sdk-usage), and use a single CosmosClient instance per account across an entire process. Avoid creating and disposing clients.

+- [Permissions to create DCR objects](../azure-monitor/essentials/data-collection-rule-create-edit.md#permissions) in the workspace.

+The current cancellation policy for reserved instances isn't changing. The total canceled commitment can't exceed USD 50,000 in a 12-month rolling window for a billing profile or single enrollment.

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+| Isolation Level | Choose one of the following isolation levels:<br>- Read Committed<br>- Read Uncommitted (default)<br>- Repeatable Read<br>- Serializable<br>- None (ignore isolation level) | No | READ_COMMITTED<br/>READ_UNCOMMITTED<br/>REPEATABLE_READ<br/>SERIALIZABLE<br/>NONE |isolationLevel |

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+| Isolation Level | Choose one of the following isolation levels:<br>- Read Committed<br>- Read Uncommitted (default)<br>- Repeatable Read<br>- Serializable<br>- None (ignore isolation level) | No | READ_COMMITTED<br/>READ_UNCOMMITTED<br/>REPEATABLE_READ<br/>SERIALIZABLE<br/>NONE |isolationLevel |

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+| Isolation Level | Choose one of the following isolation levels:<br>- Read Committed<br>- Read Uncommitted (default)<br>- Repeatable Read<br>- Serializable<br>- None (ignore isolation level) | No | READ_COMMITTED<br/>READ_UNCOMMITTED<br/>REPEATABLE_READ<br/>SERIALIZABLE<br/>NONE |isolationLevel |

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+| Isolation Level | Choose one of the following isolation levels:<br>- Read Committed<br>- Read Uncommitted (default)<br>- Repeatable Read<br>- Serializable<br>- None (ignore isolation level) | No | READ_COMMITTED<br/>READ_UNCOMMITTED<br/>REPEATABLE_READ<br/>SERIALIZABLE<br/>NONE |isolationLevel |

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*

+| Source\Sink | Boolean | Byte array | Decimal | Date/Time (1)</small> | Float-point <small>(2)</small> | GUID | Integer <small>(3) | String | TimeSpan |

+## November 2023

+### LLM capability

+Our LLM capability enables seamless selection of APIs mapped to farm operations today. This enables use cases that are based on tillage, planting, applications and harvesting type of farm operations. In the time to come we'll add the capability to select APIs mapped to soil sensors, weather, and imagery type of data. The skills in our LLM capability allow for a combination of results, calculation of area, ranking, summarizing to help serve customer prompts. These capabilities enable others to build their own agriculture copilots that deliver insights to farmers. Learn more about this [here](concepts-llm-apis.md).

+### Azure portal experience enhancement

+### Weather API update

+### New farm operations connector

+### Common Data Model now with geo-spatial support

+We updated our data model to improve flexibility. The boundary object is deprecated in favor of a geometry property that is now supported in nearly all data objects. This change brings consistency to how space is handled across hierarchy, activity and observation themes. It allows for more flexible integration when ingesting data from a provider with strict hierarchy requirements. You can now sync data that might not perfectly align with an existing hierarchy definition and resolve the conflicts with spatial overlap queries. Learn more [here](concepts-hierarchy-model.md).

+- **Query vulnerability information via the Azure Resource Graph** - Ability to query vulnerability information via the [Azure Resource Graph](/azure/governance/resource-graph/overview#how-resource-graph-complements-azure-resource-manager). Learn how to [query recommendations via ARG](review-security-recommendations.md).

+You can discover risk of data breaches by attack paths of internet-exposed VMs that have access to sensitive data stores. Hackers can exploit exposed VMs to move laterally across the enterprise to access these stores.

+ Title: Alerts and incidents in Microsoft 365 Defender

+description: Learn about the benefits of receiving Microsoft Defender for Cloud's alerts in Microsoft 365 Defender

+# Alerts and incidents in Microsoft 365 Defender

+Microsoft Defender for Cloud's integration with Microsoft 365 Defender allows security teams to access Defender for Cloud alerts and incidents within the Microsoft 365 Defender portal. This integration provides richer context to investigations that span cloud resources, devices, and identities.

+The partnership with Microsoft 365 Defender allows security teams to get the complete picture of an attack, including suspicious and malicious events that happen in their cloud environment. This is achieved through immediate correlations of alerts and incidents.

+Microsoft 365 Defender offers a comprehensive solution that combines protection, detection, investigation, and response capabilities to protect against attacks on device, email, collaboration, identity, and cloud apps. Our detection and investigation capabilities are now extended to cloud entities, offering security operations teams a single pane of glass to significantly improve their operational efficiency.

+Incidents and alerts are now part of [Microsoft 365 Defender's public API](/microsoft-365/security/defender/api-overview?view=o365-worldwide). This integration allows exporting of security alerts data to any system using a single API. As Microsoft Defender for Cloud, we're committed to providing our users with the best possible security solutions, and this integration is a significant step towards achieving that goal.

+## Investigation experience in Microsoft 365 Defender

+The following table describes the detection and investigation experience in Microsoft 365 Defender with Defender for Cloud alerts.

+| Area | Description |

+|--|--|

+| Incidents | All Defender for Cloud incidents are integrated to Microsoft 365 Defender. <br> - Searching for cloud resource assets in the [incident queue](/microsoft-365/security/defender/incident-queue?view=o365-worldwide) is supported. <br> - The [attack story](/microsoft-365/security/defender/investigate-incidents?view=o365-worldwide#attack-story) graph shows cloud resource. <br> - The [assets tab](/microsoft-365/security/defender/investigate-incidents?view=o365-worldwide#assets) in an incident page shows the cloud resource. <br> - Each virtual machine has its own entity page containing all related alerts and activity. <br> <br> There are no duplications of incidents from other Defender workloads. |

+| Alerts | All Defender for Cloud alerts, including multicloud, internal and external providersΓÇÖ alerts, are integrated to Microsoft 365 Defender. Defenders for Cloud alerts show on the Microsoft 365 Defender [alert queue](/microsoft-365/security/defender-endpoint/alerts-queue-endpoint-detection-response?view=o365-worldwide). <br> <br> The `cloud resource` asset shows up in the Asset tab of an alert. Resources are clearly identified as an Azure, Amazon, or a Google Cloud resource. <br> <br> Defenders for Cloud alerts are automatically be associated with a tenant. <br> <br> There are no duplications of alerts from other Defender workloads.|

+| Alert and incident correlation | Alerts and incidents are automatically correlated, providing robust context to security operations teams to understand the complete attack story in their cloud environment. |

+| Threat detection | Accurate matching of virtual entities to device entities to ensure precision and effective threat detection. |

+| Unified API | Defender for Cloud alerts and incidents are now included in [Microsoft 365 DefenderΓÇÖs public API](/microsoft-365/security/defender/api-overview?view=o365-worldwide), allowing customers to export their security alerts data into other systems using one API. |

+Learn more about [handling alerts in Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-security-center-defender-cloud?view=o365-worldwide).

+## Next steps

+[Security alerts - a reference guide](alerts-reference.md)

+Defender for Cloud includes Foundational CSPM capabilities and access to [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender?view=o365-worldwide) for free. You can add additional paid plans to secure all aspects of your cloud resources. To learn more about these plans and their costs, see the Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).

+## Integrate with Microsoft 365 Defender

+When you enable Defender for Cloud, Defender for Cloud's alerts are automatically integrated into the Microsoft 365 Defender portal. No further steps are needed.

+The integration between Microsoft Defender for Cloud and Microsoft 365 Defender brings your cloud environments into Microsoft 365 Defender. With Defender for Cloud's alerts and cloud correlations integrated into Microsoft 365 Defender, SOC teams can now access all security information from a single interface.

+Learn more about Defender for Cloud's [alerts in Microsoft 365 Defender](concept-integration-365.md).

+## Defender for Cloud and Microsoft Defender 365 Defender integration

+When you enable any of Defender for Cloud's paid plans you automatically gain all of the benefits of Microsoft 365 Defender. Information from Defender for Cloud will be shared with Microsoft 365 Defender. This data may contain customer data and will be stored according to [Microsoft 365 data handling guidelines](/microsoft-365/security/defender/data-privacy?view=o365-worldwide).

+A graph-based algorithm that scans the cloud security graph, exposes attack paths and suggests recommendations as to how best remediate issues that break the attack path and prevent successful breach. See [What is attack path analysis?](concept-attack-path.md#what-is-attack-path-analysis).

+The DaemonSet that is deployed on each node, collects signals from hosts using eBPF technology, and provides runtime protection. The agent is registered with a Log Analytics workspace, and used as a data pipeline. However, the audit log data isn't stored in the Log Analytics workspace. It's deployed under AKS Security profile in AKS clusters and as an Arc extension in Arc enabled Kubernetes clusters. For more information, see [Architecture for each Kubernetes environment](defender-for-containers-architecture.md#architecture-for-each-kubernetes-environment).

+External Attack Surface Management. See [EASM Overview](concept-easm.md).

+Multifactor authentication, a process in which users are prompted during the sign-in process for an extra form of identification, such as a code on their cellphone or a fingerprint scan.[How it works: Azure multifactor authentication](../active-directory/authentication/concept-mfa-howitworks.md).

+A collection of Azure Policy Definitions, or rules that are grouped together towards a specific goal or purpose. [What are security policies, initiatives, and recommendations?](security-policy-concept.md)

+When you [enable Defender for Cloud on your](connect-azure-subscription.md), you'll automatically gain access to Microsoft 365 Defender.

+The Microsoft 365 Defender portal provides richer context to investigations that span cloud resources, devices, and identities. In addition, security teams are able to get the complete picture of an attack, including suspicious and malicious events that happen in their cloud environment, through the immediate correlation of all alerts and incidents, including cloud alerts and incidents.

+You can learn more about the [integration between Microsoft Defender for Cloud and Microsoft 365 Defender](concept-integration-365.md).

+The security of your cloud and on-premises resources depends on proper configuration and deployment. Defender for Cloud recommendations identifies the steps that you can take to secure your environment.

+| [Security governance](governance-rules.md) | Drive security improvements through your organization by assigning tasks to resource owners and tracking progress in aligning your security state with your security policy. | [Define governance rules](governance-rules.md) | Defender CSPM |

+- **Query vulnerability information via the Azure Resource Graph** - Ability to query vulnerability information via the [Azure Resource Graph](/azure/governance/resource-graph/overview#how-resource-graph-complements-azure-resource-manager). Learn how to [query recommendations via the ARG](review-security-recommendations.md).

+# Exempt resources from recommendations

+- Mark a specific **recommendation** as "mitigated" or "risk accepted" for one or more subscriptions, or for an entire management group.

+This feature is in preview. [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)] This is a premium Azure Policy capability that's offered at no additional cost for customers with Microsoft Defender for Cloud's enhanced security features enabled. For other users, charges might apply in the future.

+1. In **Take action**, select **Exempt**.

+[Review exempted resources](review-exemptions.md) in Defender for Cloud.

+ Title: Drive remediation of security recommendations with governance rules in Microsoft Defender for Cloud

+description: Learn how to drive remediation of security recommendations with governance rules in Microsoft Defender for Cloud

+# Drive remediation with governance rules

+While the security team is responsible for improving the security posture, team members might not actually implement security recommendations.

+Using governance rules driven by the security team helps you to drive accountability and an SLA around the remediation process.

+To learn more, watch [this episode](episode-fifteen.md) of the Defender for Cloud in the Field video series.

+## Governance rules

+You can define rules that assign an owner and a due date for addressing recommendations for specific resources. This provides resource owners with a clear set of tasks and deadlines for remediating recommendations.

+For tracking, you can review the progress of the remediation tasks by subscription, recommendation, or owner so you can follow up with tasks that need more attention.

+- Governance rules can identify resources that require remediation according to specific recommendations or severities.

+- The rule assigns an owner and due date to ensure the recommendations are handled. Many governance rules can apply to the same recommendations, so the rule with lower priority value is the one that assigns the owner and due date.

+- The due date set for the recommendation to be remediated is based on a timeframe of 7, 14, 30, or 90 days from when the recommendation is found by the rule.

+- For example, if the rule identifies the resource on March 1 and the remediation timeframe is 14 days, March 15 is the due date.

+- You can apply a grace period so that the resources given a due date don't affect your secure score.

+- You can also set the owner of the resources that are affected by the specified recommendations.

+- In organizations that use resource tags to associate resources with an owner, you can specify the tag key and the governance rule reads the name of the resource owner from the tag.

+- The owner is shown as unspecified when the owner wasn't found on the resource, the associated resource group, or the associated subscription based on the specified tag.

+- By default, email notifications are sent to the resource owners weekly to provide a list of the on time and overdue tasks.

+- If an email for the owner's manager is found in the organizational Microsoft Entra ID, the owner's manager receives a weekly email showing any overdue recommendations by default.

+- Conflicting rules are applied in priority order. For example, rules on a management scope (Azure management groups, AWS accounts and GCP organizations), take effect before rules on scopes (for example, Azure subscriptions, AWS accounts, or GCP projects).

+## Before you begin

+- To use governance rules, the [Defender Cloud Security Posture Management (CSPM) plan](concept-cloud-security-posture-management.md) must be enabled.

+- You need **Contributor**, **Security Admin**, or **Owner** permissions on Azure subscriptions.

+- For AWS accounts and GCP projects, you need **Contributor**, **Security Admin**, or **Owner** permissions on the Defender for Cloud AWS/GCP connectors.

+## Define a governance rule

+Define a governance rule as follows.

+1. In Defender for Cloud, open the **Environment settings** page, and select **Governance rules**.

+1. In **Create governance rule** > **General details**, specify a rule name, and the scope in which the rule applies.

+ - Rules for management scope (Azure management groups, AWS master accounts, GCP organizations) are applied prior to the rules on a single scope.

+ - You can define exclusions within the scope as needed.

+1. Priority is assigned automatically. Rules are run in priority order from the highest (1) to the lowest (1000).

+1. Specify a description to help you identify the rule. Then select **Next**.

+ :::image type="content" source="./media/governance-rules/add-rule.png" alt-text="Screenshot of page for adding a governance rule." lightbox="media/governance-rules/add-rule.png":::

+1. In the **Conditions** tab, specify how recommendations are impacted by the rule.

+ - **By specific recommendations** - Select the specific built-in or custom recommendations that the rule applies to.

+1. In **Set owner**, specify who's responsible for fixing recommendations covered by the rule.

+1. In **Set remediation timeframe**, specify the time that can elapse between when resources are identified as requiring remediation, and the time that the remediation is due.

+1. For recommendations issued by MCSB, if you don't want the resources to affect your secure score until they're overdue, select **Apply grace period**.

+1. By default owners and their managers are notified weekly about open and overdue tasks. If you don't want them to receive these weekly emails, clear the notification options.

+1. Select **Create**.

+ :::image type="content" source="./media/governance-rules/create-rule-conditions.png" alt-text="Screenshot of page for adding conditions for a governance rule." lightbox="media/governance-rules/create-rule-conditions.png":::

+- If there are existing recommendations that match the definition of the governance rule, you can either:

+ - Assign an owner and due date to recommendations that don't already have an owner or due date.

+ - Overwrite the owner and due date of existing recommendations.

+- When you delete or disable a rule, all existing assignments and notifications remain.

+## View effective rules

+You can view the effect of government rules in your environment.

+1. In the Defender for Cloud portal, open the **Governance rules** page.

+1. Review governance rules. The default list shows all the governance rules applicable in your environment.

+1. You can search for rules, or filter rules.

+ - Filter on **Environment** to identify rules for Azure, AWS, and GCP.

+ - Filter on rule name, owner, or time between the recommendation being issued and due date.

+ - Filter on **Grace period** to find MCSB recommendations that won't affect your secure score.

+ - Identify by status.

+ :::image type="content" source="./media/governance-rules/view-filter-rules.png" alt-text="Screenshot of page for viewing and filtering rules." lightbox="media/governance-rules/view-filter-rules.png":::

+## Review the governance report

+1. In Defender for Cloud > **Environment settings** > **Governance rules**, select **Governance report**.

+1. In **Governance**, select a subscription.

+ :::image type="content" source="./media/governance-rules/governance-in-workbook.png" alt-text="Screenshot of governance status by rule and owner in the governance workbook." lightbox="media/governance-rules/governance-in-workbook.png":::

+1. From the governance report, you drill down into recommendations by rule and owner.

+Learn how to [Implement security recommendations](implement-security-recommendations.md).

+ Title: Identify and remediate attack paths in Microsoft Defender for Cloud

+description: Learn how to identify and remediate attack paths in Microsoft Defender for Cloud

+On this page you can organize your attack paths based on risk level, name, environment, paths count, risk factors, entry point, target, the number of affected resources, or the number of active recommendations.

+For each attack path, you can see all of risk factors and any affected resources.

+The potential risk factors include credentials exposure, compute abuse, data exposure, subscription and account takeover.

+ :::image type="content" source="media/how-to-manage-attack-path/attack-path-blade.png" alt-text="Screenshot that shows the attack path analysis page on the main screen." lightbox="media/how-to-manage-attack-path/attack-path-blade.png":::

+The remediation path contains two types of recommendation:

+- **Recommendations** - Recommendations that mitigate the attack path.

+- **Additional recommendations** - Recommendations that reduce the exploitation risks, but donΓÇÖt mitigate the attack path.

+1. Select **Remediation**.

+For example, `Internet exposed VM with high severity vulnerabilities and read permission to a Key Vault`.

+| Type | The Azure resource type, always equals `microsoft.security/attackpaths`|

+ Title: Build queries with cloud security explorer in Microsoft Defender for Cloud

+description: Learn how to build queries with cloud security explorer in Microsoft Defender for Cloud

+ Title: Test attack paths and cloud security explorer in Microsoft Defender for Cloud

+description: Learn how to test attack paths and cloud security explorer in Microsoft Defender for Cloud

+# Test attack paths and cloud security explorer

+Attack path analysis is a graph-based algorithm that scans the cloud security graph. The scans expose exploitable paths that attackers might use to breach your environment to reach your high-impact assets. Attack path analysis exposes attack paths and suggests recommendations as to how best remediate issues that break the attack path and prevent successful breach.

+Explore and investigate [attack paths](how-to-manage-attack-path.md) by sorting them based on risk level, name, environment, and risk factors, entry point, target, affected resources and active recommendations. Explore cloud security graph Insights on the resource. Examples of Insight types are:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate to **Attack path analysis**.

+1. Select an attack path.

+1. Locate the entry that details this security issue under `Internet exposed Kubernetes pod is running a container with high severity vulnerabilities`.

+ Title: Remediate security recommendations in Microsoft Defender for Cloud

+description: Learn how to remediate security recommendations in Microsoft Defender for Cloud

+# Remediate security recommendations

+Resources and workloads protected by Microsoft Defender for Cloud are assessed against built-in and custom security standards enabled in your Azure subscriptions, AWS accounts, and GCP projects. Based on those assessments, security recommendations provide practical steps to remediate security issues, and improve security posture.

+This article describes how to remediate security recommendations in your Defender for Cloud deployment using the latest version of the portal experience.

+## Before you start

+Before you attempt to remediate a recommendation you should review it in detail. Learn how to [review security recommendations](review-security-recommendations.md).

+## Group recommendations by risk level

+Before you start remediating, we recommend grouping your recommendations by risk level in order to remediate the most critical recommendations first.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate to **Microsoft Defender for Cloud** > **Recommendations**.

+1. Select **Group by** > **Primary grouping** > **Risk level** > **Apply**.

+ :::image type="content" source="media/implement-security-recommendations/group-by-risk-level.png" alt-text="Screenshot of the recommendations page that shows how to group your recommendations." lightbox="media/implement-security-recommendations/group-by-risk-level.png":::

+ Recommendations are displayed in groups of risk levels.

+1. Review critical and other recommendations to understand the recommendation and remediation steps. Use the graph to understand the risk to your business, including which resources are exploitable, and the effect that the recommendation has on your business.

+## Remediate recommendations

+After reviewing recommendations by risk, decide which one to remediate first.

+In addition to risk level, we recommend that you prioritize the security controls in the default [Microsoft Cloud Security Benchmark (MCSB)](concept-regulatory-compliance.md) standard in Defender for Cloud, since these controls affect your [secure score](secure-score-security-controls.md).

+1. In the **Recommendations** page, select the recommendation you want to remediate.

+1. In the recommendation details page, select **Take action** > **Remediate**.

+1. Follow the remediation instructions.

+ As an example, the following screenshot shows remediation steps for configuring applications to only allow traffic over HTTPS.

+ :::image type="content" source="./media/implement-security-recommendations/security-center-remediate-recommendation.png" alt-text="This screenshots shows manual remediation steps for a recommendation." lightbox="./media/implement-security-recommendations/security-center-remediate-recommendation.png":::

+1. Once completed, a notification appears informing you whether the issue is resolved.

+## Use the Fix option

+To simplify remediation and improve your environment's security (and increase your secure score), many recommendations include a **Fix** option to help you quickly remediate a recommendation on multiple resources.

+1. In the **Recommendations** page, select a recommendation that shows the **Fix** action icon: :::image type="icon" source="media/implement-security-recommendations/fix-icon.png" border="false":::.

+ :::image type="content" source="./media/implement-security-recommendations/microsoft-defender-for-cloud-recommendations-fix-action.png" alt-text="This screenshot shows recommendations with the Fix action" lightbox="./media/implement-security-recommendations/microsoft-defender-for-cloud-recommendations-fix-action.png":::

+1. In **Take action**, select **Fix**.

+1. Follow the rest of the remediation steps.

+After remediation completes, it can take several minutes to see the resources appear in the **Findings** tab when the status is filtered to view **Healthy** resources.

+[Learn about](governance-rules.md) using governance rules in your remediation processes.

+| Apply security recommendations for a resource</br> (and use [Fix](implement-security-recommendations.md)) | - | - | Γ£ö | Γ£ö | Γ£ö |

+## Integrate with Microsoft 365 Defender

+When you enable Defender for Cloud, Defender for Cloud's alerts are automatically integrated into the Microsoft 365 Defender portal. No further steps are needed.

+The integration between Microsoft Defender for Cloud and Microsoft 365 Defender brings your cloud environments into Microsoft 365 Defender. With Defender for Cloud's alerts and cloud correlations integrated into Microsoft 365 Defender, SOC teams can now access all security information from a single interface.

+Learn more about Defender for Cloud's [alerts in Microsoft 365 Defender](concept-integration-365.md).

+## Integrate with Microsoft 365 Defender

+When you enable Defender for Cloud, Defender for Cloud's alerts are automatically integrated into the Microsoft 365 Defender portal. No further steps are needed.

+The integration between Microsoft Defender for Cloud and Microsoft 365 Defender brings your cloud environments into Microsoft 365 Defender. With Defender for Cloud's alerts and cloud correlations integrated into Microsoft 365 Defender, SOC teams can now access all security information from a single interface.

+Learn more about Defender for Cloud's [alerts in Microsoft 365 Defender](concept-integration-365.md).

+## Integrate with Microsoft 365 Defender

+When you enable Defender for Cloud, Defender for Cloud's alerts are automatically integrated into the Microsoft 365 Defender portal. No further steps are needed.

+The integration between Microsoft Defender for Cloud and Microsoft 365 Defender brings your cloud environments into Microsoft 365 Defender. With Defender for Cloud's alerts and cloud correlations integrated into Microsoft 365 Defender, SOC teams can now access all security information from a single interface.

+Learn more about Defender for Cloud's [alerts in Microsoft 365 Defender](concept-integration-365.md).

+ Title: Improve regulatory compliance in Microsoft Defender for Cloud

+description: Learn how to improve regulatory compliance in Microsoft Defender for Cloud.

+# Improve regulatory compliance

+Microsoft Defender for Cloud helps you to meet regulatory compliance requirements by continuously assessing resources against compliance controls, and identifying issues that are blocking you from achieving a particular compliance certification.

+In the **Regulatory compliance** dashboard, you manage and interact with compliance standards. You can see which compliance standards are assigned, turn standards on and off for Azure, AWS, and GCP, review the status of assessments against standards, and more.

+## Integration with Purview

+Compliance data from Defender for Cloud now seamlessly integrates with [Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager), allowing you to centrally assess and manage compliance across your organization's entire digital estate.

+When you add any standard to your compliance dashboard (including compliance standards monitoring other clouds like AWS and GCP), the resource-level compliance data is automatically surfaced in Compliance Manager for the same standard.

+Compliance Manager thus provides improvement actions and status across your cloud infrastructure and all other digital assets in this central tool. For more information, see [multicloud support in Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager-multicloud).

+## Before you start

+- By default, when you enable Defender for Cloud on an Azure subscription, AWS account, or GCP plan, the MCSB plan is enabled

+- You can add additional non-default compliance standards when at least one paid plan is enabled in Defender for Cloud.

+- You must be signed in with an account that has reader access to the policy compliance data. The **Reader** role for the subscription has access to the policy compliance data, but the **Security Reader** role doesn't. At a minimum, you need to have **Resource Policy Contributor** and **Security Admin** roles assigned.

+## Assess regulatory compliance

+The **Regulatory compliance** dashboard shows which compliance standards are enabled. It shows the controls within each standard, and security assessments for those controls. The status of these assessments reflects your compliance with the standard.

+The dashboard helps you to focus on gaps in standards, and to monitor compliance over time.

+1. In the Defender for Cloud portal open the **Regulatory compliance** page.

+ :::image type="content" source="./media/regulatory-compliance-dashboard/compliance-drilldown.png" alt-text="Screenshot that shows the exploration of the details of compliance with a specific standard." lightbox="media/regulatory-compliance-dashboard/compliance-drilldown.png":::

+1. Use the dashboard in accordance with the numbered items in the image.

+ - (1). Select a compliance standard to see a list of all controls for that standard.

+ - (2). View the subscriptions on which the compliance standard is applied.

+ - (3). Select and expand a control to view the assessments associated with it. Select an assessment to view the associated resources, and possible remediation actions.

+ - (4). Select **Control details** to view the **Overview**, **Your Actions**, and **Microsoft Actions** tabs.

+ - (5). In **Your Actions**, you can see the automated and manual assessments associated with the control.

+ - (6). Automated assessments show the number of failed resources and resource types, and link you directly to the remediation information.

+ - (7). Manual assessments can be manually attested, and evidence can be linked to demonstrate compliance.

+## Investigate issues

+You can use information in the dashboard to investigate issues that might affect compliance with the standard.

+1. In the Defender for Cloud portal, open **Regulatory compliance**.

+1. Select a regulatory compliance standard, and select a compliance control to expand it.

+1. In the Defender for Cloud portal, open **Regulatory compliance**.

+1. Select a regulatory compliance standard, and select a compliance control to expand it.

+Assessments run approximately every 12 hours, so you will see the impact on your compliance data only after the next run of the relevant assessment.

+1. In the Defender for Cloud portal, open **Regulatory compliance**.

+1. Select a regulatory compliance standard, and select a compliance control to expand it.

+1. Under the **Manual attestation and evidence** section, select an assessment.

+1. To generate a PDF report with a summary of your current compliance status for a particular standard, select **Download report**.

+1. To download Azure and Dynamics **certification reports** for the standards applied to your subscriptions, use the **Audit reports** option.

+1. Select the tab for the relevant reports types (PCI, SOC, ISO, and others) and use filters to find the specific reports you need:

+ When you download one of these certification reports, you'll be shown the following privacy notice:

+

+ _By downloading this file, you are giving consent to Microsoft to store the current user and the selected subscriptions at the time of download. This data is used in order to notify you in case of changes or updates to the downloaded audit report. This data is used by Microsoft and the audit firms that produce the certification/reports only when notification is required._

+1. In the Defender for Cloud portal, open **Regulatory compliance**.

+## Continuously export compliance status

+1. Export all regulatory compliance data in a **continuous stream**:

+1. Export **weekly snapshots** of your regulatory compliance data:

+> You can also manually export reports about a single point in time directly from the regulatory compliance dashboard. Generate these **PDF/CSV reports** or **Azure and Dynamics certification reports** using the **Download report** or **Audit reports** toolbar options.

+## Trigger a workflow when assessments change

+- Detect suspicious activities that might indicate an ongoing threat to sensitive data resources.

+At Ignite 2019, we shared our vision to create the most complete approach for securing your digital estate and integrating XDR technologies under the Microsoft Defender brand. Unifying Azure Security Center and Azure Defender under the new name **Microsoft Defender for Cloud** reflects the integrated capabilities of our security offering and our ability to support any cloud platform.

+All of Security Center's recommendations have the option to view the information about the status of affected resources using Azure Resource Graph from the **Open query**. For full details about this powerful feature, see [Review recommendation data in Azure Resource Graph Explorer (ARG)](review-security-recommendations.md).

+ > - [Fix button](implement-security-recommendations.md)

+Learn more about using the two export policies in [Configure workflow automation at scale using the supplied policies](workflow-automation.md) and [Set up a continuous export](continuous-export.md#set-up-a-continuous-export).

+With this new experience users can onboard a WAC server to Azure Security Center and enable viewing its security alerts and recommendations directly in the Windows Admin Center experience.

+Learn more about [risk prioritization](implement-security-recommendations.md#group-recommendations-by-risk-level).

+To keep viewing this alert in the ΓÇ£Security alertsΓÇ¥ page in the Microsoft Defender for Cloud portal, change the default view filter **Severity** to include **informational** alerts in the grid.

+You can now view GitHub Advanced Security for Azure DevOps (GHAzDO) alerts related to CodeQL, secrets, and dependencies in Defender for Cloud. Results are displayed in the DevOps page and in Recommendations. To see these results, onboard your GHAzDO-enabled repositories to Defender for Cloud.

+| **Suspicious installation of a GPU extension was detected on your virtual machine (Preview)**<br>(VM_GPUDriverExtensionUnusualExecution)<br>*This alert was [released in July 2023](#new-security-alert-in-defender-for-servers-plan-2-detecting-potential-attacks-leveraging-azure-vm-gpu-driver-extensions).* | Suspicious installation of a GPU extension was detected on your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use the GPU driver extension to install GPU drivers on your virtual machine via the Azure Resource Manager to perform cryptojacking. This activity is deemed suspicious as the principal's behavior departs from its usual patterns. | Impact | Low |

+| **Run Command with a suspicious script was detected on your virtual machine (Preview)**<br>(VM_RunCommandSuspiciousScript) | A Run Command with a suspicious script was detected on your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use Run Command to execute malicious code with high privileges on your virtual machine via the Azure Resource Manager. The script is deemed suspicious as certain parts were identified as being potentially malicious. | Execution | High |

+| **Suspicious unauthorized Run Command usage was detected on your virtual machine (Preview)**<br>(VM_RunCommandSuspiciousFailure) | Suspicious unauthorized usage of Run Command has failed and was detected on your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might attempt to use Run Command to execute malicious code with high privileges on your virtual machines via the Azure Resource Manager. This activity is deemed suspicious as it hasn't been commonly seen before. | Execution | Medium |

+| **Suspicious Run Command usage was detected on your virtual machine (Preview)**<br>(VM_RunCommandSuspiciousUsage) | Suspicious usage of Run Command was detected on your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use Run Command to execute malicious code with high privileges on your virtual machines via the Azure Resource Manager. This activity is deemed suspicious as it hasn't been commonly seen before. | Execution | Low |

+| **Suspicious usage of multiple monitoring or data collection extensions was detected on your virtual machines (Preview)**<br>(VM_SuspiciousMultiExtensionUsage) | Suspicious usage of multiple monitoring or data collection extensions was detected on your virtual machines by analyzing the Azure Resource Manager operations in your subscription. Attackers might abuse such extensions for data collection, network traffic monitoring, and more, in your subscription. This usage is deemed suspicious as it hasn't been commonly seen before. | Reconnaissance | Medium |

+| **Suspicious installation of disk encryption extensions was detected on your virtual machines (Preview)**<br>(VM_DiskEncryptionSuspiciousUsage) | Suspicious installation of disk encryption extensions was detected on your virtual machines by analyzing the Azure Resource Manager operations in your subscription. Attackers might abuse the disk encryption extension to deploy full disk encryptions on your virtual machines via the Azure Resource Manager in an attempt to perform ransomware activity. This activity is deemed suspicious as it hasn't been commonly seen before and due to the high number of extension installations. | Impact | Medium |

+| **Suspicious usage of VM Access extension was detected on your virtual machines (Preview)**<br>(VM_VMAccessSuspiciousUsage) | Suspicious usage of VM Access extension was detected on your virtual machines. Attackers might abuse the VM Access extension to gain access and compromise your virtual machines with high privileges by resetting access or managing administrative users. This activity is deemed suspicious as the principal's behavior departs from its usual patterns, and due to the high number of the extension installations. | Persistence | Medium |

+| **Desired State Configuration (DSC) extension with a suspicious script was detected on your virtual machine (Preview)**<br>(VM_DSCExtensionSuspiciousScript) | Desired State Configuration (DSC) extension with a suspicious script was detected on your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use the Desired State Configuration (DSC) extension to deploy malicious configurations, such as persistence mechanisms, malicious scripts, and more, with high privileges, on your virtual machines. The script is deemed suspicious as certain parts were identified as being potentially malicious. | Execution | High |

+| **Suspicious usage of a Desired State Configuration (DSC) extension was detected on your virtual machines (Preview)**<br>(VM_DSCExtensionSuspiciousUsage) | Suspicious usage of a Desired State Configuration (DSC) extension was detected on your virtual machines by analyzing the Azure Resource Manager operations in your subscription. Attackers might use the Desired State Configuration (DSC) extension to deploy malicious configurations, such as persistence mechanisms, malicious scripts, and more, with high privileges, on your virtual machines. This activity is deemed suspicious as the principal's behavior departs from its usual patterns, and due to the high number of the extension installations. | Impact | Low |

+| **Custom script extension with a suspicious script was detected on your virtual machine (Preview)**<br>(VM_CustomScriptExtensionSuspiciousCmd)<br>*(This alert already exists and has been improved with more enhanced logic and detection methods.)* | Custom script extension with a suspicious script was detected on your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use Custom script extension to execute malicious code with high privileges on your virtual machine via the Azure Resource Manager. The script is deemed suspicious as certain parts were identified as being potentially malicious. | Execution | High |

+| Suspicious installation of GPU extension in your virtual machine (Preview) <br> (VM_GPUDriverExtensionUnusualExecution) | Suspicious installation of a GPU extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might use the GPU driver extension to install GPU drivers on your virtual machine via the Azure Resource Manager to perform cryptojacking. | Low | Impact |

+For more information on compliance controls, see [Tutorial: Regulatory compliance checks - Microsoft Defender for Cloud](regulatory-compliance-dashboard.md).

+Updates in might include:

+| **Unusual access to the key vault from a suspicious IP (Non-Microsoft or External)**<br>(KV_UnusualAccessSuspiciousIP) | A user or service principal has attempted anomalous access to key vaults from a non-Microsoft IP in the last 24 hours. This anomalous access pattern might be legitimate activity. It could be an indication of a possible attempt to gain access of the key vault and the secrets contained within it. We recommend further investigations. | Credential Access | Medium |

+| **PREVIEW - Suspicious creation of compute resources detected**<br>(ARM_SuspiciousComputeCreation) | Microsoft Defender for Resource Manager identified a suspicious creation of compute resources in your subscription utilizing Virtual Machines/Azure Scale Set. The identified operations are designed to allow administrators to efficiently manage their environments by deploying new resources when needed. While this activity might be legitimate, a threat actor might utilize such operations to conduct crypto mining.<br> The activity is deemed suspicious as the compute resources scale is higher than previously observed in the subscription. <br> This can indicate that the principal is compromised and is being used with malicious intent. | Impact | Medium |

+ Title: Exempt a recommendation in Microsoft Defender for Cloud.

+description: Learn how to exempt recommendations so they're not taken into account in Microsoft Defender for Cloud.

+# Review resources exempted from recommendations

+In Microsoft Defender for Cloud, you can exempt protected resources from Defender for Cloud security recommendations. [Learn more](exempt-resource.md). This article describes how to review and work with exempted resources.

+## Review exempted resources in the portal

+1. In Defender for Cloud, open the **Recommendations** page.

+1. Select **Add filter** > **Is exempt**.

+1. Select whether you want to see recommendations that have exempted resources, or those without exemptions.

+ :::image type="content" source="media/review-exemptions/filter-exemptions.png" alt-text="Steps to create an exemption rule to exempt a recommendation from your subscription or management group." lightbox="media/review-exemptions/filter-exemptions.png":::

+1. In the details page for the relevant recommendation, review the exemption rules.

+1. For each resource, the **Reason** column shows why the resource is exempted. To modify the exemption settings for a resource, select the ellipsis in the resource > **Manage exemption**.

+You can also review exempted resources on the Defender for Cloud > **Inventory** page. In the page, select **Add filter**. In the **Filter** dropdown list, select **Contains Exemptions** to find all resources that have been exempted from one or more recommendations.

+## Review exempted resources with Azure Resource Graph

+[Azure Resource Graph (ARG)](../governance/resource-graph/index.yml) provides instant access to resource information across your cloud environments with robust filtering, grouping, and sorting capabilities. It's a quick and efficient way to [query information](../governance/resource-graph/first-query-portal.md) using [Kusto Query Language (KQL)](/azure/data-explorer/kusto/query/).

+To view all recommendations that have exemption rules:

+1. In the **Recommendations** page, select **Open query**.

+1. Enter the following query and select **Run query**.

+ ```kusto

+ securityresources

+ | where type == "microsoft.security/assessments"

+ // Get recommendations in useful format

+ | project

+ ['TenantID'] = tenantId,

+ ['SubscriptionID'] = subscriptionId,

+ ['AssessmentID'] = name,

+ ['DisplayName'] = properties.displayName,

+ ['ResourceType'] = tolower(split(properties.resourceDetails.Id,"/").[7]),

+ ['ResourceName'] = tolower(split(properties.resourceDetails.Id,"/").[8]),

+ ['ResourceGroup'] = resourceGroup,

+ ['ContainsNestedRecom'] = tostring(properties.additionalData.subAssessmentsLink),

+ ['StatusCode'] = properties.status.code,

+ ['StatusDescription'] = properties.status.description,

+ ['PolicyDefID'] = properties.metadata.policyDefinitionId,

+ ['Description'] = properties.metadata.description,

+ ['RecomType'] = properties.metadata.assessmentType,

+ ['Remediation'] = properties.metadata.remediationDescription,

+ ['Severity'] = properties.metadata.severity,

+ ['Link'] = properties.links.azurePortal

+ | where StatusDescription contains "Exempt"

+ ```

+## Get notified when exemptions are created

+To keep track of how users are exempting resources from recommendations, we've created an Azure Resource Manager (ARM) template that deploys a Logic App Playbook, and all necessary API connections to notify you when an exemption has been created.

+- Learn more about the playbook in TechCommunity blog [How to keep track of Resource Exemptions in Microsoft Defender for Cloud](https://techcommunity.microsoft.com/t5/azure-security-center/how-to-keep-track-of-resource-exemptions-in-azure-security/ba-p/1770580).

+- Locate the ARM template in [Microsoft Defender for Cloud GitHub repository](https://github.com/Azure/Azure-Security-Center/tree/master/Workflow%20automation/Notify-ResourceExemption)

+- [Use this automated process](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Security-Center%2Fmaster%2FWorkflow%2520automation%2FNotify-ResourceExemption%2Fazuredeploy.json) to deploy all components.

+## Next steps

+[Review security recommendations](review-security-recommendations.md)

+ Title: Review security recommendations in Microsoft Defender for Cloud

+description: Learn how to review security recommendations in Microsoft Defender for Cloud

+# Review security recommendations

+In Microsoft Defender for Cloud, resources and workloads are assessed against built-in and custom security standards enabled in your Azure subscriptions, AWS accounts, and GCP projects. Based on those assessments, security recommendations provide practical steps to remediate security issues, and improve security posture.

+This article describes how to review security recommendations in your Defender for Cloud deployment using the latest version of the portal experience.

+## Get an overview

+In the Defender for Cloud portal > **Overview** dashboard, get a holistic look at your environment, including security recommendations.

+- **Active recommendations**: Recommendations that are active in your environment.

+- **Unassigned recommendations**: See which recommendations don't have owners assigned to them.

+- **Overdue recommendations**: Recommendations that have an expired due date.

+- **Attack paths**: See the number of attack paths.

+## Review recommendations

+1. In Defender for Cloud, open the **Recommendations** page.

+1. For each recommendation, review:

+ - **Risk level** - Specifies whether the recommendation risk is Critical, High, Medium or Low.

+ - **Affected resource** - Indicated affected resources.

+ - **Risk factors** - Environmental factors of the resource affected by the recommendation, which influences the exploitability and the business effect of the underlying security issue. For example, Internet exposure, sensitive data, lateral movement potential and more.

+ - **Attack Paths** - The number of attack paths.

+ - **Owner** - The person assigned to this recommendation.

+ - **Due date** - Indicates the due date for fixing the recommendation.

+ - **Recommendation status** indicates whether the recommendation has been assigned, and whether the due date for fixing the recommendation has passed.

+

+## Review recommendation details

+1. In the **Recommendations** page, select the recommendation.

+1. In the recommendation page, review the details:

+ - **Description** - A short description of the security issue.

+ - **Attack Paths** - The number of attack paths.

+ - **Scope** - The affected subscription or resource.

+ - **Freshness** - The freshness interval for the recommendation.

+ - **Last change date** - The date this recommendation last had a change

+ - **Owner** - The person assigned to this recommendation.

+ - **Due date** - The assigned date the recommendation must be resolved by.

+ - **Findings by severity** - The total findings by severity.

+ - **Tactics & techniques** - The tactics and techniques mapped to MITRE ATT&CK.

+ :::image type="content" source="./media/review-security-recommendations/recommendation-details-page.png" alt-text="Screenshot of the recommendation details page with labels for each element." lightbox="./media/security-policy-concept/recommendation-details-page.png":::

+## Explore a recommendation

+You can perform a number of actions to interact with recommendations. If an option isn't available, it isn't relevant for the recommendation.

+1. In the **Recommendations** page, select a recommendation.

+1. Select **Open query** to view detailed information about the affected resources using an Azure Resource Graph Explorer query

+1. Select **View policy definition** to view the Azure Policy entry for the underlying recommendation (if relevant).

+1. In **Review findings**, you can review affiliated findings by severity.

+

+ :::image type="content" source="media/review-security-recommendations/recommendation-findings.png" alt-text="Screenshot of the findings tab in a recommendation that shows all of the attack paths for that recommendation." lightbox="media/review-security-recommendations/recommendation-findings.png":::

+1. In **Take action**:

+ - **Remediate**: A description of the manual steps required to remediate the security issue on the affected resources. For recommendations with the **Fix** option, you can select **View remediation logic** before applying the suggested fix to your resources.

+ - **Assign owner and due date**: If you have a [governance rule](governance-rules.md) turned on for the recommendation, you can assign an owner and due date.

+ - **Exempt**: You can exempt resources from the recommendation, or disable specific findings using disable rules.

+ - **Workflow automation**: Set a logic app to trigger with this recommendation.

+1. In **Graph**, you can view and investigate all context that is used for risk prioritization, including [attack paths](how-to-manage-attack-path.md).

+ :::image type="content" source="media/review-security-recommendations/recommendation-graph.png" alt-text="Screenshot of the graph tab in a recommendation that shows all of the attack paths for that recommendation." lightbox="media/review-security-recommendations/recommendation-graph.png":::

+## Manage recommendations assigned to you

+Defender for Cloud supports governance rules for recommendations, to specify a recommendation owner or due date for action. Governance rules help ensure accountability and an SLA for recommendations.

+- Recommendations are listed as **On time** until their due date is passed, when they're changed to **Overdue**.

+- Before the recommendation is overdue, the recommendation doesn't affect the secure score.

+- You can also apply a grace period during which overdue recommendations continue to not affect the secure score.

+[Learn more](governance-rules.md) about configuring governance rules.

+Manage recommendations assigned to you as follows:

+1. In the Defender for Cloud portal > **Recommendations** page, select **Add filter** > **Owner**.

+1. Select your user entry.

+1. In the recommendation results, review the recommendations, including affected resources, risk factors, attack paths, due dates, and status.

+1. Select a recommendation to review it further.

+1. In **Take action** > **Change owner & due date**, you change the recommendation owner and due date if needed.

+ - By default the owner of the resource gets a weekly email listing the recommendations assigned to them.

+ - If you select a new remediation date, in **Justification** specify reasons for remediation by that date.

+ - In **Set email notifications** you can:

+ - Override the default weekly email to the owner.

+ - Notify owners weekly with a list of open/overdue tasks.

+ - Notify the owner's direct manager with an open task list.

+1. Select **Save**.

+> [!NOTE]

+> Changing the expected completion date doesn't change the due date for the recommendation, but security partners can see that you plan to update the resources by the specified date.

+## Review recommendations in Azure Resource Graph

+You can use [Azure Resource Graph](../governance/resource-graph/index.yml) to query Defender for Cloud security posture data across multiple subscriptions. Azure Resource Graph provides an efficient way to query at scale across cloud environments by viewing, filtering, grouping, and sorting data.

+1. In the Defender for Cloud portal > **Recommendations** page > select **Open query**.

+1. In [Azure Resource Graph](../governance/resource-graph/index.yml), write a [Kusto Query Language (KQL)](/azure/data-explorer/kusto/query/).

+1. You can open the query in one of two ways:

+ - **Query returning affected resource** - Returns a list of all of the resources affected by this recommendation.

+ - **Query returning security findings** - Returns a list of all security issues found by the recommendation.

+### Example

+In this example, this recommendation details page shows 15 affected resources:

+When you open the underlying query, and run it, Azure Resource Graph Explorer returns the same affected resources for this recommendation:

+[Remediate security recommendations](implement-security-recommendations.md)

+> [!NOTE]

+> [!IMPORTANT]

+- Verify your Kubernetes nodes can access source repositories of your package manager.

+- Verify your Kubernetes nodes can access source repositories of your package manager.

+# Automate remediation responses

+## Before you start

+- You need **Security admin role** or **Owner** on the resource group.

+- You must also have write permissions for the target resource.

+- To work with Azure Logic Apps workflows, you must also have the following Logic Apps roles/permissions:

+ - [Logic App Operator](../role-based-access-control/built-in-roles.md#logic-app-operator) permissions are required or Logic App read/trigger access (this role can't create or edit logic apps; only *run* existing ones)

+ - [Logic App Contributor](../role-based-access-control/built-in-roles.md#logic-app-contributor) permissions are required for logic app creation and modification.

+

+- If you want to use Logic Apps connectors, you might need other credentials to sign in to their respective services (for example, your Outlook/Teams/Slack instances).

+1. From this page, create new automation rules, enable, disable, or delete existing ones. A scope refers to the subscription where the workflow automation is deployed.

+1. Enter the following:

+ - A name and description for the automation.

+ - The triggers that will initiate this automatic workflow. For example, you might want your logic app to run when a security alert that contains "SQL" is generated.

+ If your trigger is a recommendation that has "sub-recommendations", for example **Vulnerability assessment findings on your SQL databases should be remediated**, the logic app will not trigger for every new security finding; only when the status of the parent recommendation changes.

+1. Specify the consumption logic app that will run when your trigger conditions are met.

+## Supported triggers

+The logic app designer supports the following Defender for Cloud triggers:

+- **When a Microsoft Defender for Cloud Recommendation is created or triggered** - If your logic app relies on a recommendation that gets deprecated or replaced, your automation will stop working and you'll need to update the trigger. To track changes to recommendations, use the [release notes](release-notes.md).

+- **When a Defender for Cloud Alert is created or triggered** - You can customize the trigger so that it relates only to alerts with the severity levels that interest you.

+- **When a Defender for Cloud regulatory compliance assessment is created or triggered** - Trigger automations based on updates to regulatory compliance assessments.

+> [!NOTE]

+> If you are using the legacy trigger "When a response to a Microsoft Defender for Cloud alert is triggered", your logic apps will not be launched by the Workflow Automation feature. Instead, use either of the triggers mentioned above.

+1. After you've defined your logic app, return to the workflow automation definition pane ("Add workflow automation").

+1. Select **Refresh** to ensure your new logic app is available for selection.

+To manually run a logic app, open an alert, or a recommendation and select **Trigger logic app**.

+## Configure workflow automation at scale

+

+ You can also find these by searching Azure Policy. In Azure Policy, select **Definitions** and search for them by name.

+

+1. In the **Basics** tab, set the scope for the policy. To use centralized management, assign the policy to the Management Group containing the subscriptions that will use the workflow automation configuration.

+1. In the **Parameters** tab, enter the required information.

+1. Optionally apply this assignment to an existing subscription in the **Remediation** tab and select the option to create a remediation task.

+ Title: Entitlement concepts in Microsoft Azure Data Manager for Energy

+description: This article describes the various concepts regarding the entitlement service in Azure Data Manager for Energy.

+Access management is a critical function for any service or resource. Entitlement service helps you manage who has access to your Azure Data Manager for Energy instance, what they can view or edit, and what services or data they have access to.

+The entitlements service of Azure Data Manager for Energy allows you to create groups and manage memberships of the groups. An entitlement group defines permissions on services/data sources for your Azure Data Manager for Energy instance. Users added to a given group obtain the associated permissions.

+The entitlements service enables three use cases for authorization:

+Some user, data, and service groups are created by default when a data partition is provisioned with details in [Bootstrapped OSDU Entitlements Groups](https://community.opengroup.org/osdu/platform/deployment-and-operations/infra-azure-provisioning/-/blob/master/docs/osdu-entitlement-roles.md).

+All group identifiers (emails) will be of form {groupType}.{serviceName|resourceName}.{permission}@{partition}.{domain}.com. A group naming convention has been adopted such that the group's name should start with the word "data." for data groups; "service." for service groups; and "users." for user groups. There is one exception for "users" group which is created when a new data partition is provisioned. For example, for data partition `opendes`, the group `users@opendes.dataservices.energy` is created.

+## Users

+For each OSDU group, you can either add a user as an OWNER or a MEMBER. If you're an OWNER of an OSDU group, then you can add or remove the members of that group or delete the group. If you are a MEMBER of an OSDU group, you can view, edit, or delete the service or data depending on the scope of the OSDU group. For example, if you are a MEMBER of service.legal.editor OSDU group, you can call the APIs to change the legal service.

+> [!NOTE]

+> Do not delete the OWNER of a group unless there is another OWNER to manage the users.

+## Entitlement APIs

+A full list of entitlements API endpoints can be found in [OSDU entitlement service](https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/blob/release/0.15/docs/tutorial/Entitlements-Service.md#entitlement-service-api). A few illustrations of how to use Entitlement APIs are available in the [How to manage users](how-to-manage-users.md). Depending on the resources you have, you need to use the entitlements service in different ways than what is shown below.

+> The OSDU documentation refers to V1 endpoints, but the scripts noted in this documentation refer to V2 endpoints, which work and have been successfully validated.

+## November 2023

+### Compliant with M18 OSDU&trade; release

+Azure Data Manager for Energy is now compliant with the M18 OSDU&trade; milestone release. With this release, you can take advantage of the latest features and capabilities available in the [OSDU&trade; M18](https://community.opengroup.org/osdu/governance/project-management-committee/-/wikis/M18-Release-Notes).

+- Learn about [MQTT broker feature in Azure Event Grid](mqtt-overview.md)

+ Title: 'Overview of MQTT broker feature in Azure Event Grid'

+description: 'Describes the main concepts for the MQTT broker feature in Azure Event Grid.'

+# Overview of the MQTT broker feature in Azure Event Grid

+Azure Event GridΓÇÖs MQTT broker feature enables you to accomplish the following scenarios:

+- The many-to-one messaging pattern enables clients to offload the burden of managing the high number of connections to MQTT broker.

+Event Grid has a client registry that stores information about the clients permitted to connect to it. Before a client can connect, there must be an entry for that client in the client registry. As a client connects to MQTT broker, it needs to authenticate with MQTT broker based on credentials stored in the identity registry. MQTT broker supports X.509 certificate authentication that is the industry authentication standard in IoT devices and [Microsoft Entra ID (formerly Azure Active Directory)](mqtt-client-azure-ad-token-and-rbac.md) that is Azure's authentication standard for applications.[Learn more about MQTT client authentication.](mqtt-client-authentication.md)

+Event Grid integrates with [Azure IoT MQ](https://aka.ms/iot-mq) to bridge its MQTT broker capability on the edge with Azure Event GridΓÇÖs MQTT broker feature in the cloud. Azure IoT MQ is a new distributed MQTT broker for edge computing, running on Arc enabled Kubernetes clusters. It can connect to Event Grid MQTT broker with Microsoft Entra ID (formerly Azure Active Directory) authentication using system-assigned managed identity, which simplifies credential management. Azure IoT MQ provides high availability, scalability, and security for your IoT devices and applications. It's now available in [public preview](https://aka.ms/iot-mq-preview) as part of Azure IoT Operations. [Learn more about connecting Azure IoT MQ to Azure Event Grid's MQTT broker](https://aka.ms/iot-mq-eg-bridge)

+### MQTT Clients Life Cycle Events

+- [MQTT protocol support](mqtt-support.md)

+1. Create an Event Grid namespace and enable MQTT broker

+1. Create an Event Grid namespace and enable MQTT broker

+1. In the Overview page, you see that the **MQTT broker** is in **Disabled** state. To enable MQTT broker, select the **Disabled** link, it will redirect you to Configuration page.

+1. On **Configuration** page, select the **Enable MQTT broker** option, and then select **Apply** to apply the settings.

+1. On the left menu, select **Clients** in the **MQTT broker** section.

+1. On the left menu, select **Topic spaces** in the **MQTT broker** section.

+1. On the left menu, select **Permission bindings** in the **MQTT broker** section.

+- You have an Event Grid namespace created with MQTT broker enabled. Refer to this [Quickstart - Publish and subscribe on an MQTT topic](mqtt-publish-and-subscribe-portal.md) to create the namespace, subresources, and to publish/subscribe on an MQTT topic.

+The MQTT broker feature in Azure Event Grid is ideal for the implementation of automotive and mobility scenarios, among others. See [the reference architecture](mqtt-automotive-connectivity-and-data-solution.md) to learn how to build secure and scalable solutions for connecting millions of vehicles to the cloud, using AzureΓÇÖs messaging and data analytics services.

+Azure Event GridΓÇÖs MQTT broker feature enables you to accomplish the following scenarios.

+Kafka producer application developers can enable message compression by setting the compression.type property. In the public preview, the only compression algorithm supported is gzip.

+ Compression.type = none | gzip

+These changes are exposed in the header, which then allows the consumer to properly decompress the data. The feature is currently only supported for Apache Kafka traffic producer and consumer traffic and not AMQP or web service traffic.

+The payload of any Event Hubs event is a byte stream and the content can be compressed with an algorithm of your choosing though in public preview, the only option is gzip. The benefits of using Kafka compression are through smaller message size, increased payload size you can transmit, and lower message broker resource consumption.

+Azure Event Hubs now has the capability to dispatch logs to either of two destination tables - Azure Diagnostic or [Resource specific tables](~/articles/azure-monitor/essentials/resource-logs.md) in Log Analytics. You could use the toggle available on Azure portal to choose destination tables.

+Name | Description | Supported in Azure Diagnostics | Supported in Resource Specific table

+- | -| --| --|

+`ActivityId` | A randomly generated UUID that ensures uniqueness for the audit activity. | Yes | Yes

+`ActivityName` | Runtime operation name.| Yes | Yes

+`ResourceId` | Resource associated with the activity. | Yes | Yes

+`Timestamp` | Aggregation time. | Yes | No

+ `TimeGenerated [UTC]`|Time of executed operation (in UTC)| No | Yes

+`Status` | Status of the activity (success or failure). | Yes | Yes

+`Protocol` | Type of the protocol associated with the operation. | Yes | Yes

+`AuthType` | Type of authentication (Azure Active Directory or SAS Policy). | Yes | Yes

+`AuthKey` | Azure Active Directory application ID or SAS policy name that's used to authenticate to a resource. | Yes | Yes

+`NetworkType` | Type of the network access: `Public` or `Private`. | Yes | Yes

+`ClientIP` | IP address of the client application. | Yes | Yes

+`Count` | Total number of operations performed during the aggregated period of 1 minute. | Yes | Yes

+`Properties` | Metadata that are specific to the data plane operation. | Yes | Yes

+`Category` | Log category | Yes | NO

+ `Provider`|Name of Service emitting the logs e.g., Eventhub | No | Yes

+ `Type` | Type of logs emitted | No | Yes

+AzureDiagnostics :

+```

+Resource specific table entry:

+```json

+{

+ "ActivityId": "<activity id>",

+ "ActivityName": "ConnectionOpen | Authorization | SendMessage | ReceiveMessage",

+ "ResourceId": "/SUBSCRIPTIONS/xxx/RESOURCEGROUPS/<Resource Group Name>/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/<Event Hubs namespace>/eventhubs/<event hub name>",

+ "TimeGenerated (UTC)": "1/1/2021 8:40:06 PM +00:00",

+ "Status": "Success | Failure",

+ "Protocol": "AMQP | KAFKA | HTTP | Web Sockets",

+ "AuthType": "SAS | Azure Active Directory",

+ "AuthId": "<AAD application name | SAS policy name>",

+ "NetworkType": "Public | Private",

+ "ClientIp": "x.x.x.x",

+ "Count": 1,

+ "Type": "AZMSRuntimeAUditLogs",

+ "Provider":"EVENTHUB"

+ }

+You can view our sample queries to get started with different log categories.

+>- Linking a private DNS resolver to the virtual network where the ExpressRoute virtual network gateway is deployed may cause management connectivity issues and is not recommended.

+The ErGwScale virtual network gateway SKU enables you to achieve 40-Gbps connectivity to VMs and Private Endpoints in the virtual network. This SKU allows you to set a minimum and maximum scale unit for the virtual network gateway infrastructure, which auto scales based on the active bandwidth or flow count. You can also set a fixed scale unit to maintain a constant connectivity at a desired bandwidth value.

+The virtual network gateway infrastructure auto scales between the minimum and maximum scale unit that you configure, based on the bandwidth or flow count utilization. Scale operations might take up to 30 minutes to complete. If you want to achieve a fixed connectivity at a specific bandwidth value, you can configure a fixed scale unit by setting the minimum scale unit and the maximum scale unit to the same value.

+Controlling outbound network access is an important part of an overall network security plan. For example, you might want to limit access to web sites. Or, you might want to limit the outbound IP addresses and ports that can be accessed.

+For this article, you create a simplified single virtual network with two subnets for easy deployment.

+For production deployments, a [hub and spoke model](/azure/architecture/reference-architectures/hybrid-networking/hub-spoke) is recommended, where the firewall is in its own virtual network. The workload servers are in peered virtual networks in the same region with one or more subnets.

+First, create a resource group to contain the resources needed to deploy the firewall. Then create a virtual network, subnets, and a test server.

+### Create a virtual network

+This virtual network has two subnets.

+1. For **Virtual network name**, type **Test-FW-VN**.

+1. For **Region**, select the same region that you used previously.

+1. Select **Next**.

+1. On the **Security** tab, select **Enable Azure Firewall**.

+1. For **Azure Firewall name**, type **Test-FW01**.

+1. For **Azure Firewall public IP address**, select **Create a public IP address**.

+1. For **Name**, type **fw-pip** and select **OK**.

+1. Select **Next**.

+1. Under **Subnet**, select **default** and change the **Name** to **Workload-SN**.

+1. For **Starting address**, change it to **10.0.2.0/24**.

+## Examine the firewall

+7. Go to the resource group and select the firewall.

+8. Note the firewall private and public IP addresses. You use these addresses later.

+When you create a route for outbound and inbound connectivity through the firewall, a default route to 0.0.0.0/0 with the virtual appliance private IP as a next hop is sufficient. This directs any outgoing and incoming connections through the firewall. As an example, if the firewall is fulfilling a TCP-handshake and responding to an incoming request, then the response is directed to the IP address who sent the traffic. This is by design.

+As a result, there's no need create another user defined route to include the AzureFirewallSubnet IP range. This might result in dropped connections. The original default route is sufficient.

+1. For **Destination type**, select **IP Addresses**.

+ The firewall should block you.

+So now you verified that the firewall rules are working:

+Create a firewall named **Test-FW01** using the steps in **Deploy the firewall** from [Tutorial: Deploy and configure Azure Firewall using the Azure portal](../firewall/tutorial-firewall-deploy-portal.md#create-a-virtual-network).

+ "discoveryUrl": "opc.tcp://opcplc-000000:50000",

+> | `volumes.dapr-unix-domain-socket` | A shared directory to host unix domain sockets used to communicate between the Dapr sidecar and the pluggable components |

+> | `volumes.mqtt-client-token` | The System Authentication Token used for authenticating the Dapr pluggable components with the IoT MQ broker |

+> | `volumes.aio-ca-trust-bundle` | The chain of trust to validate the MQTT broker TLS cert. This defaults to the test certificate deployed with Azure IoT Operations |

+> | `containers.mq-dapr-app` | The Dapr application container you want to deploy |

+ name: mq-dapr-app

+ app: mq-dapr-app

+ app: mq-dapr-app

+ dapr.io/app-id: "mq-dapr-app"

+ - name: mq-dapr-app

+ image: <YOUR DAPR APPLICATION>

+To sign in to the Azure IoT Operations portal you need a work or school account in the tenant where you deployed Azure IoT Operations. If you're currently using a Microsoft account (MSA), you need to create a Microsoft Entra ID with at least contributor permissions for the resource group that contains your **Kubernetes - Azure Arc** instance. To learn more, see [Known Issues > Create Entra account](../troubleshoot/known-issues.md#azure-iot-operations-preview-portal).

+> [!TIP]

+> If you're running the quickstart on another platform, you can use other MQTT tools such as [MQTT Explorer](https://apps.microsoft.com/detail/9PP8SFM082WD).

+To create asset endpoints, assets and subscribe to OPC UA tags and events, use the Azure IoT Operations (preview) portal. Navigate to the [Azure IoT Operations](https://iotoperations.azure.com) portal in your browser and sign with your Microsoft Entra ID credentials.

+> You must use a work or school account to sign in to the Azure IoT Operations portal. To learn more, see [Known Issues > Create Entra account](../troubleshoot/known-issues.md#azure-iot-operations-preview-portal).

+> [!CAUTION]

+1. Run the following command to apply the configuration to use an untrusted certificate:

+ kubectl apply -f https://raw.githubusercontent.com/Azure-Samples/explore-iot-operations/main/samples/quickstarts/opc-ua-connector-0.yaml

+1. Restart the `aio-opc-supervisor` pod by using a command that looks like the following example:

+ The name of your `aio-opc-supervisor` pod will be different. To find the name of your pod, run the following command:

+ kubectl apply -f https://raw.githubusercontent.com/Azure-Samples/explore-iot-operations/main/samples/quickstarts/az-mqtt-non-tls-listener.yaml

+ > [!CAUTION]

+ > This configuration exposes the MQ broker without TLS. Don't use this configuration in production environments.

+1. Run the following command to find the `EXTERNAL-IP` address that the non-TLS listener pod is using:

+ kubectl get svc aio-mq-dmqtt-frontend-nontls -n azure-iot-operations

+1. In a separate terminal window, run the following command to connect to the MQ broker using the **mqttui** tool. Replace the `<external-ip>` placeholder with the `EXTERNAL-IP` address that you found in the previous step:

+ mqttui -b mqtt://<external-ip>:1883

+ If there's no data flowing, restart the `aio-opc-opc.tcp-1` pod by using a command that looks like the following example:

+ ```bash

+ kubectl delete pod aio-opc-opc.tcp-1-849dd78866-vhmz6 -n azure-iot-operations

+ ```

+ The name of your `aio-opc-opc.tcp-1` pod will be different. To find the name of your pod, run the following command:

+ ```bash

+ kubectl get pods -n azure-iot-operations

+ ```

+The sample tags you added in the previous quickstart generate messages from your asset that look like the following examples:

+On the machine where your Kubernetes cluster is running, run the following command to apply the configuration for a new configuration for the discovery handler:

+kubectl apply -f https://raw.githubusercontent.com/Azure-Samples/explore-iot-operations/main/samples/quickstarts/akri-opcua-asset.yaml

+You also need a Microsoft Fabric subscription. You can sign up for a free [Microsoft Fabric (Preview) Trial](/fabric/get-started/fabric-trial). In your Microsoft Fabric subscription, ensure that the following settings are enabled for your tenant:

+- [Allow service principals to use Power BI APIs](/fabric/admin/service-admin-portal-developer#allow-service-principals-to-use-power-bi-apis)

+- [Users can access data stored in OneLake with apps external to Fabric](/fabric/admin/service-admin-portal-onelake#users-can-access-data-stored-in-onelake-with-apps-external-to-fabric)

+To learn more, see [Microsoft Fabric > About tenant settings](/fabric/admin/tenant-settings-index).

+1. Enter the following command on the machine where your cluster is running to edit the **aio-default-spc** `secretproviderclass` resource. The YAML configuration for the resource opens in your default editor:

+ kubectl edit secretproviderclass aio-default-spc -n azure-iot-operations

+ # Please edit the object below. Lines beginning with a '#' will be ignored,

+ # and an empty file will abort the edit. If an error occurs while saving this file will be

+ # reopened with the relevant failures.

+ #

+ apiVersion: secrets-store.csi.x-k8s.io/v1

+ kind: SecretProviderClass

+ metadata:

+ creationTimestamp: "2023-11-16T11:43:31Z"

+ generation: 2

+ name: aio-default-spc

+ namespace: azure-iot-operations

+ resourceVersion: "89083"

+ uid: cda6add7-3931-47bd-b924-719cc862ca29

+The CSI driver updates secrets by using a polling interval, therefore the new secret isn't available to the pod until the polling interval is reached. To update the pod immediately, restart the pods for the component. For Data Processor, run the following commands:

+```bash

+kubectl delete pod aio-dp-reader-worker-0 -n azure-iot-operations

+kubectl delete pod aio-dp-runner-worker-0 -n azure-iot-operations

+```

+1. In the [Azure IoT Operations portal](https://iotoperations.azure.com), navigate to **Data pipelines** in your cluster.

+1. In the [Azure IoT Operations portal](https://iotoperations.azure.com), navigate to **Data pipelines** in your cluster.

+1. In the [Azure IoT Operations portal](https://iotoperations.azure.com), navigate to **Data pipelines** in your cluster.

+Navigate to the [Azure IoT Operations portal](https://iotoperations.azure.com) in your browser and sign in by using your Microsoft Entra ID credentials.

+export NAMESPACE="azure-iot-operations"

+# Build event-driven apps with Dapr

+In this walkthrough, you deploy a Dapr application to the cluster. The Dapr application will consume simulated MQTT data published to Azure IoT MQ, apply a windowing function and then publish the result back to IoT MQ. This represents how high volume data can be aggregated on the edge to reduce message frequency and size. The Dapr application is stateless, and uses the IoT MQ state store to cache past values needed for the window calculations.

+The Dapr application performs the following steps:

+1. Subscribes to the `sensor/data` topic for sensor data.

+1. When receiving data on this topic, it's pushed to the Azure IoT MQ state store.

+1. Every **10 seconds**, it fetches the data from the state store, and calculates the *min*, *max*, *mean*, *median* and *75th percentile* values on any sensor data timestamped in the last **30 seconds**.

+1. Data older than **30 seconds** is expired from the state store.

+1. The result is published to the `sensor/window_data` topic in JSON format.

+> [!NOTE]

+> This tutorial [disables Dapr CloudEvents](https://docs.dapr.io/developing-applications/building-blocks/pubsub/pubsub-raw/) which enables it to publish and subscribe using raw MQTT.

+* Azure IoT Operations installed - [Deploy Azure IoT Operations](../get-started/quickstart-deploy.md)

+* Dapr runtime and MQ's pluggable components installed - [Use Dapr to develop distributed application workloads](../develop/howto-develop-dapr-apps.md)

+| `containers.mq-event-driven` | The prebuilt dapr application container. |

+ serviceAccountName: mqtt-client

+Simulate test data by deploying a Kubernetes workload. It simulates a sensor by sending sample temperature, vibration, and pressure readings periodically to the MQ broker using an MQTT client on the `sensor/data` topic.

+1. [Download the simulator yaml](https://raw.githubusercontent.com/Azure-Samples/explore-iot-operations/main/tutorials/mq-event-driven-dapr/simulate-data.yaml) from the Explore IoT Operations repository

+ kubectl apply -f simulate-data.yaml

+## Optional - Create the Dapr application

+The above tutorial uses a prebuilt container of the Dapr application. If you would like to modify and build the code yourself, follow these steps:

+### Prerequisites

+1. [Docker](https://docs.docker.com/engine/install/) - for building the application container

+1. A Container registry - for hosting the application container

+### Build the application

+1. Check out the Explore IoT Operations repository:

+ ```bash

+ git clone https://github.com/Azure-Samples/explore-iot-operations

+ ```

+1. Change to the Dapr tutorial directory in the [Explore IoT Operations](https://github.com/Azure-Samples/explore-iot-operations) repository:

+ ```bash

+ cd explore-iot-operations/tutorials/mq-event-driven-dapr/src

+ ```

+1. Build the docker image:

+ ```bash

+ docker build docker build . -t mq-event-driven-dapr

+ ```

+1. To consume the application in your Kubernetes cluster, you need to push the image to a container registry such as the [Azure Container Registry](/azure/container-registry/container-registry-get-started-docker-cli). You could also push to a local container registry such as [minikube](https://minikube.sigs.k8s.io/docs/handbook/registry/) or [Docker](https://hub.docker.com/_/registry).

+ ```bash

+ docker tag mq-event-driven-dapr <container-alias>

+ docker push <container-alias>

+ ```

+1. Update your `app.yaml` to pull your newly created image.

+## Next steps

+* [Bridge MQTT data between IoT MQ and Azure Event Grid](tutorial-connect-event-grid.md)

+To sign in to the Azure IoT Operations portal, you need a Microsoft Entra ID with at least contributor permissions for the resource group that contains your **Kubernetes - Azure Arc** instance. You can't sign in with a Microsoft account (MSA). To create an Entra ID in your Azure tenant:

+1. Sign in to the [Azure portal](https://portal.azure.com/) with the same tenant and user name that you used to deploy Azure IoT Operations.

+1. In the Azure portal, navigate to the **Microsoft Entra ID** section, select **Users > +New user > Create new user**. Create a new user and make a note of the password, you need it to sign in later.

+1. In the Azure portal, navigate to the resource group that contains your **Kubernetes - Azure Arc** instance. On the **Access control (IAM)** page, select **+Add > Add role assignment**.

+1. On the **Add role assignment page**, select **Privileged administrator roles**. Then select **Contributor** and then select **Next**.

+1. On the **Members** page, add your new user to the role.

+1. Select **Review and assign** to complete setting up the new user.

+You can now use the new user account to sign in to the [Azure IoT Operations portal](https://iotoperations.azure.com).

+azure-iot-operations passthrough-data-pipeline 2d20h

+azure-iot-operations reference-data-pipeline 2d20h

+azure-iot-operations contextualized-data-pipeline 2d20h

+kubectl describe pipelines passthrough-data-pipeline -n azure-iot-operations

+The output from the previous command looks like the following example:

+Azure Kubernetes Fleet Manager (Fleet) solves at-scale and multi-cluster problems of Azure Kubernetes Service (AKS) clusters. This document provides an architectural overview of the relationship between a Fleet resource and AKS clusters. This document also provides a conceptual overview of scenarios available on top of Fleet resource, including update orchestration, Kubernetes resource propagation (preview) and multi-cluster Layer-4 load balancing (preview).

+If you want to use fleet only for the update orchestration scenario, you can create a fleet resource without the hub cluster. The fleet resource is treated just as a grouping resource, and does not have its own data plane. This is the default behavior when creating a new fleet resource. In this case, you can join up to 100 AKS clusters as member clusters to the same fleet resource.

+If you want to use fleet for Kubernetes object propagation (preview) and multi-cluster load balancing (preview) in addition to update orchestration, then you need to create the fleet resource with the hub cluster enabled. In this case, you can join up to 20 AKS clusters as member clusters to the same fleet resource.

+Note that once a fleet resource has been created, it is not possible to change the hub mode for the fleet resource.

+## Update orchestration across multiple clusters

+Platform admins managing Kubernetes fleets with large number of clusters often have problems with staging their updates in a safe and predictable way across multiple clusters. To address this pain point, Kubernetes Fleet Manager (Fleet) allows you to orchestrate updates across multiple clusters using update runs, stages, groups, and strategies.

+* **Update run**: An update run represents an update being applied to a collection of AKS clusters. An update run updates clusters in a predictable fashion by defining update stages and update groups. An update run can be stopped and started.

+* **Update stage**: Update runs are divided into stages which are applied sequentially. For example, a first update stage might update test environment member clusters, and a second update stage would then subsequently update production environment member clusters. A wait time can be specified to delay between the application of subsequent update stages.

+* **Update group**: Each update stage contains one or more update groups, which are used to select the member clusters to be updated. Update groups are also used to order the application of updates to member clusters. Within an update stage, updates are applied to all the different update groups in parallel; within an update group, member clusters update sequentially. Each member cluster of the fleet can only be a part of one update group.

+* **Update strategy**: Update strategies allows you to store templates for your update runs instead of creating them individually for each update run.

+Currently, the supported update operations on the cluster are upgrades. Within upgrades, you can either upgrade both the Kubernetes control plane version and the node image, or you can choose to upgrade only the node image. The latest available node image for a given cluster may vary based on its region (check [release tracker](../aks/release-tracker.md) for more information). Node image upgrades currently support upgrading each cluster to the latest node image available in its region, or applying a consistent node image across all clusters of the update run, regardless of the cluster regions. In this case the update run picks the **latest common** image across all these regions to achieve consistency.

+## Member cluster representation on the hub

+ Once each cluster is joined to a fleet resource, a corresponding MemberCluster custom resource is created on the fleet hub.

+Azure Kubernetes Fleet Manager (Fleet) will help you address at-scale and multi-cluster scenarios for Azure Kubernetes Service clusters. Azure Kubernetes Fleet Manager provides a group representation for your AKS clusters and helps users with orchestrating cluster updates, Kubernetes resource propagation and multi-cluster load balancing. User workloads can't be run on the fleet cluster itself.

+Today, Azure Kubernetes Fleet Manager supports joining existing AKS clusters as fleet members. Creation and lifecycle management of new AKS clusters from fleet cluster is in the [roadmap](https://aka.ms/fleet/roadmap).

+The number of member clusters that can be joined to the same fleet resource depends on whether the fleet resource has a hub cluster or not. Fleets without a hub cluster support joining up to 100 AKS clusters. Fleet resources with a hub cluster support joining up to 20 AKS clusters.

+Today, Azure Kubernetes Fleet Manager supports joining AKS clusters as member clusters. Support for joining member clusters to the fleet resource is in the [roadmap](https://aka.ms/fleet/roadmap).

+* Create an [Azure Kubernetes Fleet Manager resource and join member clusters](./quickstart-create-fleet-and-members.md)

+Azure Kubernetes Fleet Manager (Fleet) enables at-scale management of multiple Azure Kubernetes Service (AKS) clusters. Fleet supports the following scenarios:

+* Orchestrate Kubernetes version and node image upgrades across multiple clusters by using update runs, stages, and groups.

+* Create Kubernetes resource objects on the Fleet resource's hub cluster and control their propagation to member clusters (preview).

+* Export and import services between member clusters, and load balance incoming L4 traffic across service endpoints on multiple clusters (preview).

+You can create a fleet resource to later group your AKS clusters as member clusters. By default this resource enables member cluster grouping and update orchestration. If the fleet hub is enabled, additional preview features are enabled such as Kubernetes object propagation to member clusters, and L4 service load balancing across multiple member clusters.

+> As of now, once a fleet resource has been created, it is not possible to change the hub mode for the fleet resource.

+If you want to use Fleet only for update orchestration, you can create a fleet resource without the hub cluster using the [az fleet create](/cli/azure/fleet#az-fleet-create) command. This is the default experience when creating a new fleet resource.

+ export MEMBER_NAME_1=aks-member-1

+ --name ${MEMBER_NAME_1} \

+ export MEMBER_NAME_2=aks-member-2

+ --name ${MEMBER_NAME_2} \

+ export MEMBER_NAME_3=aks-member-3

+ --name ${MEMBER_NAME_3} \

+ export MEMBER_CLUSTER_ID_1=/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${GROUP}/providers/Microsoft.ContainerService/managedClusters/${MEMBER_NAME_1}

+ export MEMBER_CLUSTER_ID_2=/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${GROUP}/providers/Microsoft.ContainerService/managedClusters/${MEMBER_NAME_2}

+ export MEMBER_CLUSTER_ID_3=/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${GROUP}/providers/Microsoft.ContainerService/managedClusters/${MEMBER_NAME_3}

+* Learn how to use [Update orchestration](./update-orchestration.md)

+* Learn how to use [Kubernetes resource object propagation](./resource-propagation.md)

+Platform admins managing Kubernetes fleets with large number of clusters often have problems with staging their updates in a safe and predictable way across multiple clusters. To address this pain point, Kubernetes Fleet Manager (Fleet) allows you to orchestrate updates across multiple clusters using update runs, stages, groups, and strategies.

+Update groups and stages provide more control over the sequence that update runs follow when you're updating the clusters. Within an update stage, updates are applied to all the different update groups in parallel; within an update group, member clusters update sequentially.

+You can define an update run using update stages in order to sequentially order the application of updates to different update groups. For example, a first update stage might update test environment member clusters, and a second update stage would then subsequently update production environment member clusters. You can also specify a wait time between the update stages.

+* An Azure firewall that runs in the same virtual network as your ISE. If you don't have a firewall, first [add a subnet](../virtual-network/virtual-network-manage-subnet.md#add-a-subnet) that's named `AzureFirewallSubnet` to your virtual network. You can then [create and deploy a firewall](../firewall/tutorial-firewall-deploy-portal.md#create-a-virtual-network) in your virtual network.

+* If you plan to locally build Standard logic app projects and run workflows using only the [built-in connectors](../connectors/built-in.md) that run natively on the Azure Logic Apps runtime, you don't need the following requirements. However, make sure that you have the following connectivity and Azure account credentials to publish or deploy your project from Visual Studio Code to Azure, use the [managed connectors](../connectors/managed.md) that run in global Azure, or access Standard logic app resources and workflows already deployed in Azure:

+ * Access to the internet so that you can download the requirements, connect from Visual Studio Code to your Azure account, and publish from Visual Studio Code to Azure.

+ * An Azure account and subscription. If you don't have a subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+### Tools

+1. Download and install [Visual Studio Code](https://code.visualstudio.com/), which is free.

+1. Download and install the [Azure Account extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=ms-vscode.azure-account) so that you have a single common experience for Azure sign-in and subscription filtering across all Azure extensions in Visual Studio Code. This how-to guide includes steps that use this experience.

+1. Download and install the following Visual Studio Code dependencies for your specific operating system using either method:

+ - [Install all dependencies automatically (preview)](#dependency-installer).

+ - [Download and install each dependency separately](#install-dependencies-individually).

+ <a name="dependency-installer"></a>

+ **Install all dependencies automatically (preview)**

+ > [!IMPORTANT]

+ > This capability is in preview and is subject to the

+ > [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+ Starting with version **2.81.5**, the Azure Logic Apps (Standard) extension for Visual Studio Code includes a dependency installer that automatically installs all the required dependencies in a new binary folder and leaves any existing dependencies unchanged. For more information, see [Get started more easily with the Azure Logic Apps (Standard) extension for Visual Studio Code](https://techcommunity.microsoft.com/t5/azure-integration-services-blog/making-it-easy-to-get-started-with-the-azure-logic-apps-standard/ba-p/3979643).

+ This extension includes the following dependencies:

+ | Dependency | Description |

+ ||-|

+ | [C# for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=ms-vscode.csharp) | Enables F5 functionality to run your workflow. |

+ | [Azurite for Visual Studio Code](https://github.com/Azure/Azurite#visual-studio-code-extension) | Provides a local data store and emulator to use with Visual Studio Code so that you can work on your logic app project and run your workflows in your local development environment. If you don't want Azurite to automatically start, you can disable this option: <br><br>1. On the **File** menu, select **Preferences** > **Settings**. <br><br>2. On the **User** tab, select **Extensions** > **Azure Logic Apps (Standard)**. <br><br>3. Find the setting named **Azure Logic Apps Standard: Auto Start Azurite**, and clear the selected checkbox. |

+ | [.NET SDK 6.x.x](https://dotnet.microsoft.com/download/dotnet/6.0) | Includes the .NET Runtime 6.x.x, a prerequisite for the Azure Logic Apps (Standard) runtime. |

+ | Azure Functions Core Tools - 4.x version | Installs the version based on your operating system ([Windows](https://github.com/Azure/azure-functions-core-tools/releases), [macOS](../azure-functions/functions-run-local.md?tabs=macos#install-the-azure-functions-core-tools), or [Linux](../azure-functions/functions-run-local.md?tabs=linux#install-the-azure-functions-core-tools)). <br><br>These tools include a version of the same runtime that powers the Azure Functions runtime, which the Azure Logic Apps (Standard) extension uses in Visual Studio Code. |

+ | [Node.js version 16.x.x unless a newer version is already installed](https://nodejs.org/en/download/releases/) | Required to enable the [Inline Code Operations action](../logic-apps/logic-apps-add-run-inline-code.md) that runs JavaScript. |

+ The installer doesn't perform the following tasks:

+ - Check whether the required dependencies already exist.

+ - Install only the missing dependencies.

+ - Update older versions of existing dependencies.

+ 1. [Download and install the Azure Logic Apps (Standard) extension for Visual Studio Code, starting with version 2.81.5)](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azurelogicapps).

+ 1. In Visual Studio Code, on the Activity bar, select **Extensions**. (Keyboard: Press Ctrl+Shift+X)

+ 1. On the **Extensions** pane, open the ellipses (**...**) menu, and select **Install from VSIX**.

+ 1. Find and select the downloaded VSIX file.

+ After setup completes, the extension automatically activates and runs the **Validate and install dependency binaries** command. To view the process logs, open the **Output** window.

+ 1. When the following prompt appears, select **Yes (Recommended)** to confirm that you want to automatically install the required dependencies:

+ :::image type="content" source="media/create-single-tenant-workflows-visual-studio-code/dependency-installer-prompt.png" alt-text="Screenshot shows prompt to automatically install dependencies." lightbox="media/create-single-tenant-workflows-visual-studio-code/dependency-installer-prompt.png":::

+ 1. Reload Visual Studio Code, if necessary.

+ 1. Confirm that the dependencies correctly appear in the following folder:

+ **C:\Users\\<your-user-name\>\\.azurelogicapps\dependencies\\<dependency-name\>**

+ 1. Confirm the following extension settings in Visual Studio Code:

+ 1. On the **File** menu, select **Preferences** > **Settings**.

+ 1. On the **User** tab, select **Extensions** > **Azure Logic Apps (Standard)**.

+ 1. Review the following settings:

+ | Extension setting | Value |

+ |-|-|

+ | **Dependencies Path** | C:\Users\\<your-user-name\>\\.azurelogicapps\dependencies |

+ | **Dependency Timeout** | 60 seconds |

+ | **Dotnet Binary Path** | C:\Users\\<your-user-name\>\\.azurelogicapps\dependencies\DotNetSDK\dotnet.exe |

+ | **Func Core Tools Binary Path** | C:\Users\\<your-user-name\>\\.azurelogicapps\dependencies\FuncCoreTools\func |

+ | **Node JS Binary Path** | C:\Users\\<your-user-name\>\\.azurelogicapps\dependencies\NodeJs\node |

+ | **Auto Start Azurite** | Enabled |

+ | **Auto Start Design Time** | Enabled |

+ 1. If you have an existing logic app project with custom-defined tasks stored in the **.vscode/tasks.json** file, make sure that you save the **tasks.json** file elsewhere before you open your project.

+

+ When you open your project, you're prompted to update **tasks.json** file to use the required dependencies. If you choose to continue, the extension overwrites the **tasks.json** file.

+ 1. When you open your logic app project, the following notifications appear:

+ | Notification | Action |

+ |--|--|

+ | **Always start the background design-time process at launch?** | To open the workflow designer faster, select **Yes (Recommended)**. |

+ | **Configure Azurite to autostart on project launch?** | To have Azurite storage automatically start when the project opens, select **Enable AutoStart**. At the top of Visual Studio Code, in the command window that appears, press enter to accept the default path: <br><br>**C\Users\\<your-user-name\>\\.azurelogicapps\\.azurite** |

+ <a name="known-issues-preview"></a>

+ **Known issues with preview**

+ - If you opted in to automatically install all dependencies on a computer that doesn't have any version of the .NET Core SDK, the following message appears:

+ **"The .NET Core SDK cannot be located: Error running dotnet -- info: Error: Command failed: dotnet --info 'dotnet is not recognized as an internal or external command, operable program, or batch file. 'dotnet' is not recognized as an internal or external command, operable program, or batch file. . .NET Core debugging will not be enabled. Make sure the .NET Core SDK is installed and is on the path."**

+ You get this message because the .NET Core framework is still installing when the extension activates. You can safely choose to disable this message.

+ If you have trouble with opening an existing logic app project or starting the debugging task (tasks.json) for **func host start**, and this message appears, follow these steps to resolve the problem:

+ 1. Add the dotnet binary path to your environment PATH variable.

+ 1. On the Windows taskbar, in the search box, enter **environment variables**, and select **Edit the system environment variables**.

+ 1. In the **System Properties** box, on the **Advanced** tab, select **Environment Variables**.

+ 1. In the **Environment Variables** box, from the **User variables for \<your-user-name\>** list, select **PATH**, and then select **Edit**.

+ 1. If the following value doesn't appear in the list, select **New** to add the following value:

+

+ **C:\Users\\<your-user-name\>\\.azurelogicapps\dependencies\DotNetSDK**

+ 1. When you're done, select **OK**.

+ 1. Close all Visual Studio Code windows, and reopen your project.

+ - If you have problems installing and validating binary dependencies, for example:

+ - Linux permissions issues

+ - You get the following error: **\<File or path> does not exist**

+ - Validation gets stuck on **\<dependency-name>**.

+

+ Follow these steps to run the **Validate and install binary dependencies** command again:

+ 1. From the **View** menu, select **Command Palette**.

+ 1. When the command window appears, enter and run the **Validate and install binary dependencies** command.

+ - If you don't have .NET Core 7 or a later version installed, and you open an Azure Logic Apps workspace that contains an Azure Functions project, you get the following message:

+ **There were problems loading project [function-name].csproj. See log for details.**

+ This missing component doesn't affect the Azure Functions project, so you can safely ignore this message.

+ <a name="install-dependencies-individually"></a>

+ **Install each dependency separately**

+ | Dependency | Description |

+ ||-|

+ | [.NET SDK 6.x.x](https://dotnet.microsoft.com/download/dotnet/6.0) | Includes the .NET Runtime 6.x.x, a prerequisite for the Azure Logic Apps (Standard) runtime. |

+ | Azure Functions Core Tools - 4.x version | - [Windows](https://github.com/Azure/azure-functions-core-tools/releases): Use the Microsoft Installer (MSI) version, which is `func-cli-X.X.XXXX-x*.msi`. <br>- [macOS](../azure-functions/functions-run-local.md?tabs=macos#install-the-azure-functions-core-tools) <br>- [Linux](../azure-functions/functions-run-local.md?tabs=linux#install-the-azure-functions-core-tools) <br><br>These tools include a version of the same runtime that powers the Azure Functions runtime, which the Azure Logic Apps (Standard) extension uses in Visual Studio Code. <br><br>If you have an installation that's earlier than these versions, uninstall that version first, or make sure that the PATH environment variable points at the version that you download and install. |

+ | [Node.js version 16.x.x unless a newer version is already installed](https://nodejs.org/en/download/releases/) | Required to enable the [Inline Code Operations action](../logic-apps/logic-apps-add-run-inline-code.md) that runs JavaScript. <br><br>**Note**: For Windows, download the MSI version. If you use the ZIP version instead, you have to manually make Node.js available by using a PATH environment variable for your operating system. |

+1. If you already installed the version of the Azure Logic Apps (Standard) extension that automatically installs all the dependencies (preview), skip this step. Otherwise, [download and install the Azure Logic Apps (Standard) extension for Visual Studio Code](https://go.microsoft.com/fwlink/p/?linkid=2143167).

+ 1. In Visual Studio Code, on the left toolbar, select **Extensions**.

+ 1. In the extensions search box, enter **azure logic apps standard**. From the results list, select **Azure Logic Apps (Standard)** **>** **Install**.

+ After the installation completes, the extension appears in the **Extensions: Installed** list.