- - Invokes the [callApiWithToken](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/blob/main/3-Authorization-II/2-call-api-b2c/SPA/src/fetch.js) function to fetch the data from the REST API and renders the result using the **DataDisplay** component.

-1. Under **Redirect URI (optional)**, select **Web** and enter `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp`. If you use a [custom domain](custom-domain.md), enter `https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp`. Replace `your-tenant-name` with the name of your tenant, and `your-domain-name` with your custom domain.

->To integrate Nevis into your sign-up policy flow, configure the Azure AD B2C environment to use custom policies. </br>See, [Tutorial: Create user flows and custom policies in Azure Active Directory B2C](/azure/active-directory-b2c/tutorial-create-user-flows).

-The **Azure AD Provisioning Service** provisions users to SaaS apps and other systems by connecting to a System for Cross-Domain Identity Management (SCIM) 2.0 user management API endpoint provided by the application vendor. This SCIM endpoint allows Azure AD to programmatically create, update, and remove users. For selected applications, the provisioning service can also create, update, and remove additional identity-related objects, such as groups and roles. The channel used for provisioning between Azure AD and the application is encrypted using HTTPS TLS 1.2 encryption.

-Credentials are required for Azure AD to connect to the application's user management API. While you're configuring automatic user provisioning for an application, you'll need to enter valid credentials. For gallery applications, you can find credential types and requirements for the application by referring to the app tutorial. For non-gallery applications, you can refer to the [SCIM](./use-scim-to-provision-users-and-groups.md#authorization-to-provisioning-connectors-in-the-application-gallery) documentation to understand the credential types and requirements. In the Azure portal, you'll be able to test the credentials by having Azure AD attempt to connect to the app's provisioning app using the supplied credentials.

-* **Groups.** With an Azure AD Premium license plan, you can use groups to assign access to a SaaS application. Then, when the provisioning scope is set to **Sync only assigned users and groups**, the Azure AD provisioning service will provision or de-provision users based on whether they're members of a group that's assigned to the application. The group object itself isn't provisioned unless the application supports group objects. Ensure that groups assigned to your application have the property "SecurityEnabled" set to "True".

-> You can optionally disable the **Create**, **Update**, or **Delete** operations by using the **Target object actions** check boxes in the [Mappings](customize-application-attributes.md) section. The logic to disable a user during an update is also controlled via an attribute mapping from a field such as "accountEnabled".

-Once properly formatted as a CSV file, a Global Administrator can then sign in to the Azure portal, navigate to **Azure Active Directory** > **Security** > **Multifactor authentication** > **OATH tokens**, and upload the resulting CSV file.

-Users may have a combination of up to five OATH hardware tokens or authenticator applications, such as the Microsoft Authenticator app, configured for use at any time. Hardware OATH tokens cannot be assigned to guest users in the resource tenant.

->[!IMPORTANT]

->The preview is only supported in Azure Global and Azure Government clouds.

-Users can have a combination of up to five OATH hardware tokens or authenticator applications, such as the Microsoft Authenticator app, configured for use at any time.

-1. In Azure, open the **Access control (IAM)** page.

-> To view the **Remediation** dashboard, your must have **Viewer**, **Controller**, or **Administrator** permissions. To make changes on this dashboard, you must have **Controller** or **Administrator** permissions. If you don't have these permissions, contact your system administrator.

- - **Authorization System**: Select from a **List** of accounts and **Folders***.

- - **Search**: Enter criteria to find specific tasks.

-On Azure AD joined and hybrid Azure AD joined devices, unlocking the device, or signing in interactively will only refresh the Primary Refresh Token (PRT) every 4 hours. The last refresh timestamp recorded for PRT compared with the current timestamp must be within the time allotted in SIF policy for PRT to satisfy SIF and grant access to a PRT that has an existing MFA claim. On [Azure AD registered devices](/active-directory/devices/concept-azure-ad-register), unlock/sign-in would not satisfy the SIF policy because the user is not accessing an Azure AD registered device via an Azure AD account. However, the [Azure AD WAM](/azure/active-directory/develop/scenario-desktop-acquire-token-wam) plugin can refresh a PRT during native application authentication using WAM.

-* If you're ready to configure Conditional Access policies for your environment, see the article [Plan a Conditional Access deployment](plan-conditional-access.md).

-`HttpClient` is intended to be instantiated once and then reused throughout the life of an application. See [Remarks](/dotnet/api/system.net.http.httpclient#remarks).

-If you're using the MSAL library directly in an ASP.NET Core app, consider moving to use [Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web), which provides a simpler, higher-level API. Otherwise, see the [Non-ASP.NET Core web apps and web APIs](/azure/active-directory/develop/msal-net-token-cache-serialization?tabs=aspnet#configuring-the-token-cache), which covers direct MSAL usage.

-[ms-identity-aspnet-webapp-openidconnect](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect) | ASP.NET (net472) | Example of token cache serialization in an ASP.NET MVC application (using MSAL.NET). In particular, see [MsalAppBuilder](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/blob/master/WebApp/Utils/MsalAppBuilder.cs).

-Install the [Microsoft Graph Identity Sign-ins module](/powershell/module/microsoft.graph.identity.signins/?view=graph-powershell-beta&preserve-view=true) (Microsoft.Graph.Identity.SignIns) and the [Microsoft Graph Users module](/powershell/module/microsoft.graph.users/?view=graph-powershell-beta&preserve-view=true) (Microsoft.Graph.Users).

-Connect-MgGraph -Scopes user.readwrite.all

- Remove-AzureADUser -ObjectId "<UPN>"

-For example: `Remove-AzureADUser -UserId john_contoso.com#EXT#@fabrikam.onmicrosoft.com`

-If you select **Inbound access** of the added organization, you'll see the **Cross-tenant sync (Preview)** tab and the **Allow users sync into this tenant** check box. Cross-tenant synchronization is a one-way synchronization service in Azure AD that automates creating, updating, and deleting B2B collaboration users across tenants in an organization. For more information, see [Configure cross-tenant synchronization](../../active-directory/multi-tenant-organizations/cross-tenant-synchronization-configure.md) and the [Multi-tenant organizations documentation](/azure/active-directory/multi-tenant-organizations).

-> When configuring settings for an organization, you'll notice a **Cross-tenant sync (Preview)** tab. This tab doesn't apply to your B2B direct connect configuration. Instead, this feature is used by multi-tenant organizations to enable B2B collaboration across their tenants. For more information, see the [multi-tenant organization documentation](/azure/active-directory/multi-tenant-organizations).

-[Configure cross-tenant access settings for B2B collaboration](cross-tenant-access-settings-b2b-collaboration.md)

-Based on your organizationΓÇÖs requirements you might use cross-tenant synchronization (preview) in multi-tenant organizations. For more information about this new feature, see the [multi-tenant organization documentation](/azure/active-directory/multi-tenant-organizations) and the [feature comparison](../multi-tenant-organizations/overview.md#compare-multi-tenant-capabilities).

-Azure AD has a new feature for multi-tenant organizations called cross-tenant synchronization (preview), which allows for a seamless collaboration experience across Azure AD tenants. Cross-tenant synchronization settings are configured under the **Organization-specific access settings**. To learn more about multi-tenant organizations and cross-tenant synchronization see the [Multi-tenant organizations documentation](/azure/active-directory/multi-tenant-organizations).

-| **Restrict access to Azure AD administration portal** | **What does this switch do?** <br>**No** lets non-administrators browse the Azure AD administration portal. <br>**Yes** Restricts non-administrators from browsing the Azure AD administration portal. Non-administrators who are owners of groups or applications are unable to use the Azure portal to manage their owned resources. </p><p></p><p>**What does it not do?** <br> It doesn't restrict access to Azure AD data using PowerShell, Microsoft GraphAPI, or other clients such as Visual Studio. <br>It doesn't restrict access as long as a user is assigned a custom role (or any role). </p><p></p><p>**When should I use this switch?** <br>Use this option to prevent users from misconfiguring the resources that they own. </p><p></p><p>**When should I not use this switch?** <br>Don't use this switch as a security measure. Instead, create a Conditional Access policy that targets Microsoft Azure Management will block non-administrators access to [Microsoft Azure Management](../conditional-access/concept-conditional-access-cloud-apps.md#microsoft-azure-management). </p><p></p><p> **How do I grant only a specific non-administrator users the ability to use the Azure AD administration portal?** <br> Set this option to **Yes**, then assign them a role like global reader. </p><p></p><p>**Restrict access to the Entra administration portal** <br>A Conditional Access policy that targets Microsoft Azure Management will target access to all Azure management. |

-| **Restrict non-admin users from creating tenants** | Users can create tenants in the Azure AD and Entra administration portal under Manage tenant. The creation of a tenant is recorded in the Audit log as category DirectoryManagement and activity Create Company. Anyone who creates a tenant will become the Global Administrator of that tenant. The newly created tenant does not inherit any settings or configurations. </p><p></p><p>**What does this switch do?** <br> Setting this option to **Yes** restricts creation of Azure AD tenants to the Global Administrator or tenant creator roles. Setting this option to **No** allows non-admin users to create Azure AD tenants. Tenant create will continue to be recorded in the Audit log. </p><p></p><p>**How do I grant only a specific non-administrator users the ability to create new tenants?** <br> Set this option to Yes, then assign them the tenant creator role.|

-For more details on how to enable this feature, see: [Cloud Sync directory extensions and custom attribute mapping](/azure/active-directory/cloud-sync/custom-attribute-mapping)

-# Emergency Rotation of the AD FS certificates

-In the event that you need to rotate the AD FS certificates immediately, you can follow the steps outlined below in this section.

-> Conducting the steps below in the AD FS environment will revoke the old certificates immediately. Because this is done immediately, the normal time usually allowed for your federation partners to consume your new certificate is by-passed. It might result in a service outage as trusts update to use the new certificates. This should resolve once all of the federation partners have the new certificates.

-> Microsoft highly recommends using a Hardware Security Module (HSM) to protect and secure certificates.

-> For more information, see [Hardware Security Module](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#hardware-security-module-hsm) under best practices for securing AD FS.

-In order to revoke the old Token Signing Certificate which AD FS is currently using, you need to determine the thumbprint of the token-signing certificate. To do this, use the following steps below:

- 1. Connect to the Microsoft Online Service

-`PS C:\>Connect-MsolService`

- 2. Document both your on-premises and cloud Token Signing Certificate thumbprint and expiration dates.

-`PS C:\>Get-MsolFederationProperty -DomainName <domain>`

- 3. Copy down the thumbprint. It will be used later to remove the existing certificates.

-You can also get the thumbprint by using AD FS Management, navigating to Service/Certificates, right-clicking on the certificate, select View certificate and then selecting Details.

-By default, AD FS is configured to generate token signing and token decryption certificates automatically, both at the initial configuration time and when the certificates are approaching their expiration date.

-The AutoCertificateRollover property describes whether AD FS is configured to renew token signing and token decrypting certificates automatically. If AutoCertificateRollover is set to TRUE, follow the instructions outlined below in [Generating new self-signed certificate if AutoCertificateRollover is set to TRUE](#generating-new-self-signed-certificate-if-autocertificaterollover-is-set-to-true). If AutoCertificateRollover is set to FALSE, follow the instructions outlined below in [Generating new certificates manually if AutoCertificateRollover is set to FALSE](#generating-new-certificates-manually-if-autocertificaterollover-is-set-to-false).

-## Generating new self-signed certificate if AutoCertificateRollover is set to TRUE

-In this section, you will be creating **two** token-signing certificates. The first will use the **-urgent** flag, which will replace the current primary certificate immediately. The second will be used for the secondary certificate.

->The reason we are creating two certificates is because Azure holds on to information regarding the previous certificate. By creating a second one, we are forcing Azure to release information about the old certificate and replace it with information about the second certificate.

->If you do not create the second certificate and update Azure with it, it may be possible for the old token-signing certificate to authenticate users.

-You can use the following steps to generate the new token-signing certificates.

- 1. Ensure that you are logged on to the primary AD FS server.

- 2. Open Windows PowerShell as an administrator.

- 3. Check to make sure that your AutoCertificateRollover is set to True.

-`PS C:\>Get-AdfsProperties | FL AutoCert*, Certificate*`

- 4. To generate a new token signing certificate: `Update-ADFSCertificate ΓÇôCertificateType token-signing -Urgent`.

- 5. Verify the update by running the following command: `Get-ADFSCertificate ΓÇôCertificateType token-signing`

- 6. Now generate the second token signing certificate: `Update-ADFSCertificate ΓÇôCertificateType token-signing`.

- 7. You can verify the update by running the following command again: `Get-ADFSCertificate ΓÇôCertificateType token-signing`

-## Generating new certificates manually if AutoCertificateRollover is set to FALSE

-If you are not using the default automatically generated, self-signed token signing and token decryption certificates, you must renew and configure these certificates manually. This involves creating two new token-signing certificates and importing them. Then you promote one to primary, revoke the old certificate and configure the second certificate as the secondary certificate.

-First, you must obtain a two new certificates from your certificate authority and import them into the local machine personal certificate store on each federation server. For instructions, see the [Import a Certificate](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754489(v=ws.11)) article.

->The reason we are creating two certificates is because Azure holds on to information regarding the previous certificate. By creating a second one, we are forcing Azure to release information about the old certificate and replace it with information about the second certificate.

->If you do not create the second certificate and update Azure with it, it may be possible for the old token-signing certificate to authenticate users.

-### To configure a new certificate as a secondary certificate

-Then you must configure one certificate as the secondary AD FS token signing or decryption certificate and then promote it to the primary

-1. Once you have imported the certificate. Open the **AD FS Management** console.

-2. Expand **Service** and then select **Certificates**.

-3. In the Actions pane, click **Add Token-Signing Certificate**.

-4. Select the new certificate from the list of displayed certificates, and then click OK.

-### To promote the new certificate from secondary to primary

-Now that the new certificate has been imported and configured in AD FS, you need to set as the primary certificate.

-2. Expand **Service** and then select **Certificates**.

-3. Click the secondary token signing certificate.

-4. In the **Actions** pane, click **Set As Primary**. Click Yes at the confirmation prompt.

-5. Once you promoted the new certificate as the primary certificate, you should remove the old certificate because it can still be used. See the [Remove your old certificates](#remove-your-old-certificates) section below.

-Now that you have added the first certificate and made it primary and removed the old one, import the second certificate. Then you must configure the certificate as the secondary AD FS token signing certificate

-1. Once you have imported the certificate. Open the **AD FS Management** console.

-2. Expand **Service** and then select **Certificates**.

-3. In the Actions pane, click **Add Token-Signing Certificate**.

-4. Select the new certificate from the list of displayed certificates, and then click OK.

-Open the Microsoft Azure Active Directory Module for Windows PowerShell. Alternatively, open Windows PowerShell and then run the command `Import-Module msonline`

-Connect to Azure AD by running the following command: `Connect-MsolService`, and then, enter your Hybrid Identity Administrator credentials.

->[!Note]

-> If you are running these commands on a computer that is not the primary federation server, enter the following command first: `Set-MsolADFSContext ΓÇôComputer <servername>`. Replace \<servername\> with the name of the AD FS server. Then enter the administrator credentials for the AD FS server when prompted.

-Optionally, verify whether an update is required by checking the current certificate information in Azure AD. To do so, run the following command: `Get-MsolFederationProperty`. Enter the name of the Federated domain when prompted.

-To update the certificate information in Azure AD, run the following command: `Update-MsolFederatedDomain` and then enter the domain name when prompted.

->[!Note]

-> If you see an error when running this command, run the following command: `Update-MsolFederatedDomain ΓÇôSupportMultipleDomain`, and then enter the domain name when prompted.

-In the event that you need to replace your token-signing certificate because of a compromise, you should also revoke and replace the SSL certificates for AD FS and your WAP servers.

-Revoking your SSL certificates must be done at the certificate authority (CA) that issued the certificate. These certificates are often issued by 3rd party providers such as GoDaddy. For an example, see (Revoke a certificate | SSL Certificates - GoDaddy Help US). For more information, see [How Certificate Revocation Works](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee619754(v=ws.10)).

-Once the old SSL certificate has been revoked and a new one issued, you can replace the SSL certificates. For more information, see [Replacing the SSL certificate for AD FS](/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap#replacing-the-ssl-certificate-for-ad-fs).

-Once you have replaced your old certificates, you should remove the old certificate because it can still be used. To do this, follow the steps below:

-1. Ensure that you are logged on to the primary AD FS server.

-2. Open Windows PowerShell as an administrator.

-4. To remove the old token signing certificate: `Remove-ADFSCertificate ΓÇôCertificateType token-signing -thumbprint <thumbprint>`.

-## Updating federation partners who can consume Federation Metadata

-If you have renewed and configure a new token signing or token decryption certificate, you must make sure that the all your federation partners (resource organization or account organization partners that are represented in your AD FS by relying party trusts and claims provider trusts) have picked up the new certificates.

-## Updating federation partners who can NOT consume Federation Metadata

-If your federation partners cannot consume your federation metadata, you must manually send them the public key of your new token-signing / token-decrypting certificate. Send your new certificate public key (.cer file or .p7b if you wish to include the entire chain) to all of your resource organization or account organization partners (represented in your AD FS by relying party trusts and claims provider trusts). Have the partners implement changes on their side to trust the new certificates.

-## Revoke refresh tokens via PowerShell

-Now we want to revoke refresh tokens for users who may have them and force them to re-logon and get new tokens. This will log users out of their phone, current webmail sessions, along with other items that are using Tokens and Refresh Tokens. Information can be found [here](/powershell/module/azuread/revoke-azureaduserallrefreshtoken?preserve-view=true&view=azureadps-2.0) and you can also reference how to [Revoke user access in Azure Active Directory](../../active-directory/enterprise-users/users-revoke-access.md).

-description: AD FS management with Azure AD Connect and customization of user AD FS sign-in experience with Azure AD Connect and PowerShell.

-# Manage and customize Active Directory Federation Services by using Azure AD Connect

-This article describes how to manage and customize Active Directory Federation Services (AD FS) by using Azure Active Directory (Azure AD) Connect. It also includes other common AD FS tasks that you might need to do for a complete configuration of an AD FS farm.

-| Topic | What it covers |

-| [Repair the trust](#repairthetrust) |How to repair the federation trust with Microsoft 365. |

-| [Federate with Azure AD using alternate login ID](#alternateid) | Configure federation using alternate login ID |

-| [Add an AD FS server](#addadfsserver) |How to expand an AD FS farm with an additional AD FS server. |

-| [Add an AD FS Web Application Proxy server](#addwapserver) |How to expand an AD FS farm with an additional Web Application Proxy (WAP) server. |

-| [Add a federated domain](#addfeddomain) |How to add a federated domain. |

-| [Update the TLS/SSL certificate](how-to-connect-fed-ssl-update.md)| How to update the TLS/SSL certificate for an AD FS farm. |

-| [Add a custom company logo or illustration](#customlogo) |How to customize an AD FS sign-in page with a company logo and illustration. |

-| [Add a sign-in description](#addsignindescription) |How to add a sign-in page description. |

-| [Modify AD FS claim rules](#modclaims) |How to modify AD FS claims for various federation scenarios. |

-You can perform various AD FS-related tasks in Azure AD Connect with minimal user intervention by using the Azure AD Connect wizard. After you've finished installing Azure AD Connect by running the wizard, you can run the wizard again to perform additional tasks.

-## <a name="repairthetrust"></a>Repair the trust

-You can use Azure AD Connect to check the current health of the AD FS and Azure AD trust and take appropriate actions to repair the trust. Follow these steps to repair your Azure AD and AD FS trust.

-1. Select **Repair AAD and ADFS Trust** from the list of additional tasks.

- 

-2. On the **Connect to Azure AD** page, provide your Hybrid Identity Administrator credentials for Azure AD, and click **Next**.

-3. On the **Remote access credentials** page, enter the credentials for the domain administrator.

- 

- After you click **Next**, Azure AD Connect checks for certificate health and shows any issues.

- 

- The **Ready to configure** page shows the list of actions that will be performed to repair the trust.

- 

-4. Click **Install** to repair the trust.

-> Azure AD Connect can only repair or act on certificates that are self-signed. Azure AD Connect can't repair third-party certificates.

-## <a name="alternateid"></a>Federate with Azure AD using AlternateID

-It is recommended that the on-premises User Principal Name(UPN) and the cloud User Principal Name are kept the same. If the on-premises UPN uses a non-routable domain (ex. Contoso.local) or cannot be changed due to local application dependencies, we recommend setting up alternate login ID. Alternate login ID allows you to configure a sign-in experience where users can sign in with an attribute other than their UPN, such as mail. The choice for User Principal Name in Azure AD Connect defaults to the userPrincipalName attribute in Active Directory. If you choose any other attribute for User Principal Name and are federating using AD FS, then Azure AD Connect will configure AD FS for alternate login ID. An example of choosing a different attribute for User Principal Name is shown below:

-

-Configuring alternate login ID for AD FS consists of two main steps:

-1. **Configure the right set of issuance claims**: The issuance claim rules in the Azure AD relying party trust are modified to use the selected UserPrincipalName attribute as the alternate ID of the user.

-2. **Enable alternate login ID in the AD FS configuration**: The AD FS configuration is updated so that AD FS can look up users in the appropriate forests using the alternate ID. This configuration is supported for AD FS on Windows Server 2012 R2 (with KB2919355) or later. If the AD FS servers are 2012 R2, Azure AD Connect checks for the presence of the required KB. If the KB is not detected, a warning will be displayed after configuration completes, as shown below:

- 

- To rectify the configuration in case of missing KB, install the required [KB2919355](https://go.microsoft.com/fwlink/?LinkID=396590) and then repair the trust using [Repair AAD and AD FS Trust](#repairthetrust).

-> For more information on alternateID and steps to manually configure, read [Configuring Alternate Login ID](/windows-server/identity/ad-fs/operations/configuring-alternate-login-id)

-> To add an AD FS server, Azure AD Connect requires the PFX certificate. Therefore, you can perform this operation only if you configured the AD FS farm by using Azure AD Connect.

-1. Select **Deploy an additional Federation Server**, and click **Next**.

- 

-2. On the **Connect to Azure AD** page, enter your Hybrid Identity Administratoristrator credentials for Azure AD, and click **Next**.

-3. Provide the domain administrator credentials.

- 

-4. Azure AD Connect asks for the password of the PFX file that you provided while configuring your new AD FS farm with Azure AD Connect. Click **Enter Password** to provide the password for the PFX file.

- 

- 

-5. On the **AD FS Servers** page, enter the server name or IP address to be added to the AD FS farm.

- 

-6. Click **Next**, and go through the final **Configure** page. After Azure AD Connect has finished adding the servers to the AD FS farm, you will be given the option to verify the connectivity.

- 

- 

-> To add a WAP server, Azure AD Connect requires the PFX certificate. Therefore, you can only perform this operation if you configured the AD FS farm by using Azure AD Connect.

-2. Provide the Azure Hybrid Identity Administrator credentials.

-3. On the **Specify SSL certificate** page, provide the password for the PFX file that you provided when you configured the AD FS farm with Azure AD Connect.

-4. Add the server to be added as a WAP server. Because the WAP server might not be joined to the domain, the wizard asks for administrative credentials to the server being added.

-5. On the **Proxy trust credentials** page, provide administrative credentials to configure the proxy trust and access the primary server in the AD FS farm.

-6. On the **Ready to configure** page, the wizard shows the list of actions that will be performed.

- 

-7. Click **Install** to finish the configuration. After the configuration is complete, the wizard gives you the option to verify the connectivity to the servers. Click **Verify** to check connectivity.

-1. To add a federated domain, select the task **Add an additional Azure AD domain**.

- 

-2. On the next page of the wizard, provide the global administrator credentials for Azure AD.

- 

-3. On the **Remote access credentials** page, provide the domain administrator credentials.

- 

-4. On the next page, the wizard provides a list of Azure AD domains that you can federate your on-premises directory with. Choose the domain from the list.

- 

- After you choose the domain, the wizard provides you with appropriate information about further actions that the wizard will take and the impact of the configuration. In some cases, if you select a domain that isn't yet verified in Azure AD, the wizard provides you with information to help you verify the domain. See [Add your custom domain name to Azure Active Directory](../fundamentals/add-custom-domain.md) for more details.

-5. Click **Next**. The **Ready to configure** page shows the list of actions that Azure AD Connect will perform. Click **Install** to finish the configuration.

- 

-> Users from the added federated domain must be synchronized before they will be able to login to Azure AD.

-## AD FS customization

-The following sections provide details about some of the common tasks that you might have to perform when you customize your AD FS sign-in page.

-Set-AdfsGlobalWebContent -SignInPageDescriptionText "<p>Sign-in to Contoso requires device registration. Click <A href='http://fs1.contoso.com/deviceregistration/'>here</A> for more information.</p>"

-Azure AD Connect lets you specify an attribute to be used as a source anchor when objects are synced to Azure AD. If the value in the custom attribute is not empty, you might want to issue an immutable ID claim.

-For example, you might select **ms-ds-consistencyguid** as the attribute for the source anchor and issue **ImmutableID** as **ms-ds-consistencyguid** in case the attribute has a value against it. If there's no value against the attribute, issue **objectGuid** as the immutable ID. You can construct the set of custom claim rules as described in the following section.

-In this rule, you're querying the values of **ms-ds-consistencyguid** and **objectGuid** for the user from Active Directory. Change the store name to an appropriate store name in your AD FS deployment. Also change the claims type to a proper claims type for your federation, as defined for **objectGuid** and **ms-ds-consistencyguid**.

-Also, by using **add** and not **issue**, you avoid adding an outgoing issue for the entity, and can use the values as intermediate values. You will issue the claim in a later rule after you establish which value to use as the immutable ID.

-**Rule 2: Check if ms-ds-consistencyguid exists for the user**

-This rule defines a temporary flag called **idflag** that is set to **useguid** if there's no **ms-ds-consistencyguid** populated for the user. The logic behind this is the fact that AD FS doesn't allow empty claims. So when you add claims `http://contoso.com/ws/2016/02/identity/claims/objectguid` and `http://contoso.com/ws/2016/02/identity/claims/msdsconsistencyguid` in Rule 1, you end up with an **msdsconsistencyguid** claim only if the value is populated for the user. If it isn't populated, AD FS sees that it will have an empty value and drops it immediately. All objects will have **objectGuid**, so that claim will always be there after Rule 1 is executed.

-This is an implicit **Exist** check. If the value for the claim exists, then issue that as the immutable ID. The previous example uses the **nameidentifier** claim. You'll have to change this to the appropriate claim type for the immutable ID in your environment.

-**Rule 4: Issue objectGuid as immutable ID if ms-ds-consistencyGuid is not present**

-In this rule, you're simply checking the temporary flag **idflag**. You decide whether to issue the claim based on its value.

-You can add more than one domain to be federated by using Azure AD Connect, as described in [Add a new federated domain](how-to-connect-fed-management.md#addfeddomain). Azure AD Connect version 1.1.553.0 and latest creates the correct claim rule for issuerID automatically. If you cannot use Azure AD Connect version 1.1.553.0 or latest, it is recommended that [Azure AD RPT Claim Rules](https://aka.ms/aadrptclaimrules) tool is used to generate and set correct claim rules for the Azure AD relying party trust.

-description: Describes the Azure AD Connect Health AD FS risky IP report.

-# Risky IP report (public preview)

-AD FS customers may expose password authentication endpoints to the internet to provide authentication services for end users to access SaaS applications such as Microsoft 365. It is possible for a bad actor to attempt logins against your AD FS system to guess an end userΓÇÖs password and get access to application resources. AD FS provides the extranet account lockout functionality to prevent these types of attacks since AD FS in Windows Server 2012 R2. If you are on a lower version, we strongly recommend that you upgrade your AD FS system to Windows Server 2016. <br />

-Additionally, it is possible for a single IP address to attempt multiple logins against multiple users. In these cases, the number of attempts per user may be under the threshold for account lockout protection in AD FS. Azure AD Connect Health now provides the ΓÇ£Risky IP reportΓÇ¥ that detects this condition and notifies administrators. The following are the key benefits for this report:

-> To use this report, you must ensure that AD FS auditing is enabled. For more information, see [Enable Auditing for AD FS](how-to-connect-health-agent-install.md#enable-auditing-for-ad-fs). <br />

-> To access preview, Global Administrator or [Security Reader](../../role-based-access-control/built-in-roles.md#security-reader) permission is required.  

-## What is in the report?

-The failed sign in activity client IP addresses are aggregated through Web Application Proxy servers. Each item in the Risky IP report shows aggregated information about failed AD FS sign-in activities that have exceeded the designated threshold. It provides the following information:

-

-| Report Item | Description |

-| Time Stamp | Shows the time stamp based on Azure portal local time when the detection time window starts.<br /> All daily events are generated at mid-night UTC time. <br />Hourly events have the timestamp rounded to the beginning of the hour. You can find first activity start time from ΓÇ£firstAuditTimestampΓÇ¥ in the exported file. |

-| Trigger Type | Shows the type of detection time window. The aggregation trigger types are per hour or per day. Helpful in determing between a high frequency brute force attack versus a slow attack where the number of attempts is distributed throughout the day. |

-| IP Address | The single risky IP address that had either bad password or extranet lockout sign-in activities. It can be either IPv4 or an IPv6 address. |

-| Bad Password Error Count | The count of Bad Password error occurred from the IP address during the detection time window. The Bad Password errors can happen multiple times to certain users. Notice this does not include failed attempts due to expired passwords. |

-| Extranet Lock Out Error Count | The count of Extranet Lockout error occurred from the IP address during the detection time window. The Extranet Lockout errors can happen multiple times to certain users. This will only be seen if Extranet Lockout is configured in AD FS (versions 2012R2 or higher). <b>Note</b> We strongly recommend enabling this feature if you allow extranet logins using passwords. |

-| Unique Users Attempted | The count of unique user accounts attempted from the IP address during the detection time window. Differentiates between a single user attack pattern versus multi-user attack pattern. |

-For example, the below report item indicates from the 6pm to 7pm hour window on 02/28/2018, IP address <i>104.2XX.2XX.9</i> had no bad password errors and 284 extranet lockout errors. 14 unique users were impacted within the criteria. The activity event exceeded the designated report hourly threshold.

-> - Only activities exceeding designated threshold will be showing in the report list.

-> - This report can be trace back at most 30 days.

-> - This alert report does not show Exchange IP addresses or private IP addresses. They are still included in the export list.

->

-

-Load balancer aggregate failed sign-in activities and hit the alert threshold. If you are seeing load balancer IP addresses, it is highly likely that your external load balancer is not sending the client IP address when it passes the request to the Web Application Proxy server. Configure your load balancer correctly to pass forward client IP address.

-## Download risky IP report

-| firstAuditTimestamp | Shows the first timestamp when the failed activities started during the detection time window. |

-| lastAuditTimestamp | Shows the last timestamp when the failed activities ended during the detection time window. |

-| isWhitelistedIpAddress | The flag if the IP address is filtered from alerting and reporting. Private IP addresses (<i>10.x.x.x, 172.x.x.x & 192.168.x.x</i>) and Exchange IP addresses are filtered and marked as True. If you are seeing private IP address ranges, it is highly likely that your external load balancer is not sending the client IP address when it passes the request to the Web Application Proxy server. |

-Admin contacts of the report can be updated through the **Notification Settings**. By default, the risky IP alert email notification is in off state. You can enable the notification by toggle the button under ΓÇ£Get email notifications for IP addresses exceeding failed activity threshold reportΓÇ¥

-Like generic alert notification settings in Connect Health, it allows you to customize designated notification recipient list about risky IP report from here. You can also notify all Hybrid Identity Administrators while making the change.

-Alerting threshold can be updated through Threshold Settings. To start with, system has threshold set by default. The default values are given below. There are four categories in the risk IP report threshold settings:

-

-| Threshold Item | Description |

-| (Bad U/P + Extranet Lockout) / Day | Threshold setting to report the activity and trigger alert notification when the count of Bad Password plus the count of Extranet Lockout exceeds it per **day**. Default value is 100.|

-| (Bad U/P + Extranet Lockout) / Hour | Threshold setting to report the activity and trigger alert notification when the count of Bad Password plus the count of Extranet Lockout exceeds it per **hour**. Default Value is 50.|

-| Extranet Lockout / Day | Threshold setting to report the activity and trigger alert notification when the count of Extranet Lockout exceeds it per **day**. Default value is 50.|

-| Extranet Lockout / Hour| Threshold setting to report the activity and trigger alert notification when the count of Extranet Lockout exceeds it per **hour**. Default value is 25|

-> - The change of report threshold will be applied after an hour of the setting change.

-> - We recommend that you analyze the number of events seen within your environment and adjust the threshold appropriately.

-**Why am I seeing private IP address ranges in the report?** <br />

-Private IP addresses (<i>10.x.x.x, 172.x.x.x & 192.168.x.x</i>) and Exchange IP addresses are filtered and marked as True in the IP approved list. If you are seeing private IP address ranges, it is highly likely that your external load balancer is not sending the client IP address when it passes the request to the Web Application Proxy server.

-**Why am I seeing load balancer IP addresses in the report?** <br />

-If you are seeing load balancer IP addresses, it is highly likely that your external load balancer is not sending the client IP address when it passes the request to the Web Application Proxy server. Configure your load balancer correctly to pass forward client IP address.

-**What do I do to block the IP address?** <br />

-You should add identified malicious IP address to the firewall or block in Exchange. <br />

-**Why am I not seeing any items in this report?** <br />

-**Why am I seeing no access to the report?** <br />

-Global Administrator or [Security Reader](../../role-based-access-control/built-in-roles.md#security-reader) permission is required. Contact your Global Administrator to get access.

-* [Azure AD Connect Health Agent Installation](how-to-connect-health-agent-install.md)

-For more information, see the [Microsoft Graph documentation for recommendations](/graph/api/resources/recommendation).

- In the **Sign-on URL** text box, type the URL:

- `https://www.agiloft.com`

- > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Agiloft Contract Management Suite Client support team](https://www.agiloft.com/support-login.htm) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

-# Control access to cluster resources using Kubernetes role-based access control and Azure Active Directory identities in Azure Kubernetes Service

-* This article assumes that you have an existing AKS cluster enabled with Azure AD integration. If you need an AKS cluster, see [Integrate Azure AD with AKS][azure-ad-aks-cli].

-* Kubernetes RBAC is enabled by default during AKS cluster creation. If Kubernetes RBAC wasn't enabled when you originally deployed your cluster, you'll need to delete and recreate your cluster.

-Use the Azure portal or Azure CLI to verify if Kubernetes RBAC is enabled.

-Verify Kubernetes RBAC is enabled using the Azure portal:

-* Navigate to Kubernetes services, and from the left-hand pane select **Cluster configuration**.

-* Under the **Authentication and Authorization** section, check to see if the **Local accounts with Kubernetes RBAC** or the **Azure AD authentication with Kubernetes RBAC** option is shown.

-Verify Kubernetes RBAC is enabled using Azure CLI, with the `az aks show` command:

-If it's enabled, the output will show the value for `enableRbac` is `true`.

-[azure-resource-locks]: /azure/azure-resource-manager/management/lock-resources

-If `managedNatGateway` or `userAssignedNatGateway` are selected for `outboundType`, AKS relies on [Azure Networking NAT gateway](/azure/virtual-network/nat-gateway/manage-nat-gateway) for cluster egress.

-[byo-route-table]: configure-kubenet.md#bring-your-own-subnet-and-route-table-with-kubenet

-An internal load balancer makes a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. This article shows you how to create and use an internal load balancer with AKS.

-Public IP tags can be utilized on node public IPs to utilize the [Azure Routing Preference](/azure/virtual-network/ip-services/routing-preference-overview.md) feature.

-If a network security group is in place on the subnet with a cluster using bring-your-own virtual network, an allow rule must be added to that network security group. This can be limited to the nodes in a given node pool by adding the node pool to an [application security group](/azure/virtual-network/network-security-groups-overview#application-security-groups) (ASG). A managed ASG will be created by default in the managed resource group if allowed host ports are specified. Nodes can also be added to one or more custom ASGs by specifying the resource ID of the NSG(s) in the node pool parameters.

-[drain-nodes]: resize-node-pool.md#drain-the-existing-nodes

- - name: testwasm

-The mappings can also evolve. Since API Management creates a façade in front of the microservices, it allows us to refactor and right-size our microservices over time.

-Through integrating with an Azure virtual network (VNet) from your [Azure App Service app](./overview.md), you can reach private resources from your app within the virtual network. The VNet integration feature has two variations:

-* **Regional virtual network integration**: Connect to Azure virtual networks in the same region. You must have a dedicated subnet in the virtual network you're integrating with.

-* **Gateway-required virtual network integration**: When you connect directly to a virtual network in other regions or to a classic virtual network in the same region, you must use gateway-required virtual network integration.

-This article describes how to set up regional virtual network integration.

-The VNet integration feature requires:

-The subnet must be delegated to Microsoft.Web/serverFarms. If the delegation isn't done before integration, the provisioning process will configure this delegation. The subnet must be allocated an IPv4 `/28` block (16 addresses). We recommend that you have a minimum of 64 addresses (IPv4 `/26` block) to allow for maximum horizontal scale.

-During the integration, your app is restarted. When integration is finished, you'll see details on the virtual network you're integrated with.

-> The command checks if the subnet is delegated to Microsoft.Web/serverFarms and applies the necessary delegation if it isn't configured. If the subnet was configured, and you don't have permissions to check it, or if the virtual network is in another subscription, you can use the *--skip-delegation-check* parameter to bypass the validation.

-Configure VNet Integration.

-5. From the **Review + create** tab, check that your configuration is correct, and select **Create**. Your App Service Environment can take up to two hours to create.

-It takes about two hours for the App Service Environment to be created.

-If you're running an application on App Service [Azure Monitor Application Insights](../azure-monitor/overview.md#application-insights) offers more types of alerts.

-When virtual network integration is enabled, your app makes outbound calls through your virtual network. The outbound addresses that are listed in the app properties portal are the addresses still used by your app. However, if your outbound call is to a virtual machine or private endpoint in the integration virtual network or peered virtual network, the outbound address will be an address from the integration subnet. The private IP assigned to an instance is exposed via the environment variable, WEBSITE_PRIVATE_IP.

-When all traffic routing is enabled, all outbound traffic is sent into your virtual network. If all traffic routing isn't enabled, only private traffic (RFC1918) and service endpoints configured on the integration subnet will be sent into the virtual network. Outbound traffic to the internet will be routed directly from the app.

-^*Assumes that you'll need to scale up or down in either size or SKU at some point.

-If the virtual network is in a different subscription than the app, you must ensure that the subscription with the virtual network is registered for the `Microsoft.Web` resource provider. You can explicitly register the provider [by following this documentation](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider), but it will also automatically be registered when creating the first web app in a subscription.

-Through application routing or configuration routing options, you can configure what traffic will be sent through the virtual network integration. Traffic is only subject to [network routing](#network-routing) if it's sent through the virtual network integration.

-* When **Route All** is enabled, the source address for your outbound public traffic from your app is still one of the IP addresses that are listed in your app properties. If you route your traffic through a firewall or a NAT gateway, the source IP address will then originate from this service.

-When you're using virtual network integration, you can configure how parts of the configuration traffic are managed. By default, configuration traffic will go directly over the public route, but for the mentioned individual components, you can actively configure it to be routed through the virtual network integration.

-App settings using Key Vault references will attempt to get secrets over the public route. If the Key Vault is blocking public traffic and the app is using virtual network integration, an attempt will then be made to get the secrets through the virtual network integration.

-Route tables and network security groups only apply to traffic routed through the virtual network integration. See [application routing](#application-routing) and [configuration routing](#configuration-routing) for details. Routes won't apply to replies from inbound app requests and inbound rules in an NSG don't apply to your app. Virtual network integration affects only outbound traffic from your app. To control inbound traffic to your app, use the [access restrictions](./overview-access-restrictions.md) feature or [private endpoints](./networking/private-endpoint.md).

-When configuring network security groups or route tables that applies to outbound traffic, you must make sure you consider your application dependencies. Application dependencies include endpoints that your app needs during runtime. Besides APIs and services the app is calling, these endpoints could also be derived endpoints like certificate revocation list (CRL) check endpoints and identity/authentication endpoint, for example Azure Active Directory. If you're using [continuous deployment in App Service](./deploy-continuous-deployment.md), you might also need to allow endpoints depending on type and language. Specifically for [Linux continuous deployment](https://github.com/microsoft/Oryx/blob/main/doc/hosts/appservice.md#network-dependencies), you'll need to allow `oryx-cdn.microsoft.io:443`.

-The private IP assigned to the instance is exposed via the environment variable WEBSITE_PRIVATE_IP. Kudu console UI also shows the list of environment variables available to the web app. This IP is assigned from the address range of the integrated subnet. This IP will be used by the web app to connect to the resources through the Azure virtual network.

-The feature is easy to set up, but that doesn't mean your experience will be problem free. If you encounter problems accessing your desired endpoint, there are various steps you can take depending on what you are observing. For more information, see [virtual network integration troubleshooting guide](/troubleshoot/azure/app-service/troubleshoot-vnet-integration-apps).

-If you deleted the app or the App Service plan without disconnecting the virtual network integration first, you won't be able to do any update/delete operations on the virtual network or subnet that was used for the integration with the deleted resource. A subnet delegation 'Microsoft.Web/serverFarms' will remain assigned to your subnet and will prevent the update/delete operations.

-git clone https://github.com/Azure-Samples/msdocs-flask-postgresql-sample-app

-If a [built-in](../role-based-access-control/built-in-roles.md) role doesn't provide the right permission, you can [create and assign a custom role](../role-based-access-control/custom-roles-portal.md) for this purpose.

-If you're creating or running an application which use Application Gateway [Azure Monitor Application Insights](../azure-monitor/overview.md#application-insights) may offer additional types of alerts.

-* An **Azure data science VM** for [**Windows**](/azure/machine-learning/data-science-virtual-machine/provision-vm) or [**Linux/Ubuntu**](/azure/machine-learning/data-science-virtual-machine/dsvm-ubuntu-intro) to optionally deploy a data science VM in the virtual network to test the secure connections being established.

-> [Access Azure Storage from a web app using managed identities](../../app-service/scenario-secure-app-access-storage.md?bc=%2fazure%2fapplied-ai-services%2fform-recognizer%2fbreadcrumb%2ftoc.json&toc=%2fazure%2fapplied-ai-services%2fform-recognizer%2ftoc.json)

-Microsoft Azure Attestation is a unified solution for attesting different types of Trusted Execution Environments (TEEs) such as [Intel® Software Guard Extensions](https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions.html) (SGX) enclaves. While attesting SGX enclaves, Azure Attestation validates the evidence against Azure default Trusted Computing Base (TCB) baseline. The default TCB baseline is provided by an Azure service named [Trusted Hardware Identity Management](/azure/security/fundamentals/trusted-hardware-identity-management) (THIM) and includes collateral fetched from Intel like certificate revocation lists (CRLs), Intel certificates, Trusted Computing Base (TCB) information and Quoting Enclave identity (QEID). The default TCB baseline from THIM might lag the latest baseline offered by Intel. This is to prevent any attestation failure scenarios for ACC customers who require more time for patching platform software (PSW) updates.

-The custom TCB baseline enforcement feature in Azure Attestation will empower you to perform SGX attestation against a desired TCB baseline. It is always recommended for [Azure Confidential Computing](/azure/confidential-computing/overview) (ACC) SGX customers to install the latest PSW version supported by Intel and configure their SGX attestation policy with the latest TCB baseline supported by Azure.

-Before you migrate from a Run As account to a managed identity:

-To migrate from an Automation Run As account to a managed identity for your runbook authentication, follow these steps:

-| Query Store | Yes |

-This article describes the data that Azure Arc-enabled data services transmits to Microsoft.

-Neither Azure Arc-enabled data services nor any of the applicable data services store any customer data. This applies to Azure Arc-enabled SQL Managed Instance and Azure Arc-enabled PostgreSQL.

-## Related products

-## Directly connected

-|Operational Data|Metrics and logs|Automatic, when configured to do so|No

-Billing & inventory data|Inventory such as number of instances, and usage such as number of vCores consumed|Automatic |Yes

-## Indirectly connected

-|Operational Data|Metrics and logs|Manual|No

-Billing & inventory data|Inventory such as number of instances, and usage such as number of vCores consumed|Manual |Yes

-## Detailed description of data

-This section provides more details about the information included with the Azure Arc-enabled data services transmits to Microsoft.

-### Operational data

-### Billing and inventory data

-Billing data is used for purposes of tracking usage that is billable. This data is essential for running of the service and needs to be transmitted manually or automatically in all modes.

-### Data controller

-### Azure Arc-enabled PostgreSQL

-### SQL Managed Instance

-### Examples

-

-Billing data captures the start time (ΓÇ£createdΓÇ¥) and end time (ΓÇ£deletedΓÇ¥) of a given instance.as well as any start and time whenever a change in the number of cores available to a given instance (ΓÇ£core limitΓÇ¥) happens.

-```json

-{

- "requestType": "usageUpload",

- "clusterId": "4b0917dd-e003-480e-ae74-1a8bb5e36b5d",

- "name": "DataControllerTestName",

- "subscriptionId": "<subscription_id>",

- "resourceGroup": "production-resources",

- "location": "eastus",

- "uploadRequest": {

- "exportType": "usages",

- "dataTimestamp": "2020-06-17T22:32:24Z",

- "data": "[{\"name\":\"sqlInstance001\",

- \"namespace\":\"arc\",

- \"type\":\"<resource type>\",

- \"eventSequence\":1,

- \"eventId\":\"50DF90E8-FC2C-4BBF-B245-CB20DC97FF24\",

- \"startTime\":\"2020-06-17T19:11:47.7533333\",

- \"endTime\":\"2020-06-17T19:59:00\",

- \"quantity\":1,

- \"id\":\"<subscription_id>\"}]",

- "signature":"MIIE7gYJKoZIhvcNAQ...2xXqkK"

-### Diagnostic data

-|||

-| VMware | [Tanzu Kubernetes Grid](https://tanzu.vmware.com/kubernetes-grid) | TKGm 1.6.0; upstream K8s v1.23.8+vmware.2 <br>TKGm 1.5.3; upstream K8s v1.22.8+vmware.1 <br>TKGm 1.4.0; upstream K8s v1.21.2+vmware.1 <br>TKGm 1.3.1; upstream K8s v1.20.5_vmware.2 <br>TKGm 1.2.1; upstream K8s v1.19.3+vmware.1 |

-Creates the configuration files used by Arc resource bridge. Credentials that are provided during `createconfig`, such as vCenter credentials for VMware vSphere, are stored in a configuration file and locally within Arc resource bridge. These credentials should be a separate user account used only by Arc resource bridge, with permission to view, create, delete, and manage on-premises resources. If the credentials change, then the credentials on the resource bridge should be rotated.

-The `createconfig` command features two modes: interactive and non-interactive. Interactive mode provides helpful prompts that explain the parameter and what to pass. To initiate interactive mode, pass only the three required parameters. Non-interactive mode allows you to pass all the parameters needed to create the configuration files without being prompted, which saves time and is useful for automation scripts. Three configuration files are generated: resource.yaml, appliance.yaml and infra.yaml. These files should be kept and stored in a secure location, as they're required for maintenance of Arc resource bridge.

-Checks the configuration files for a valid schema, cloud and core validations (such as management machine connectivity to required URLs), network settings, and no proxy settings.

-Downloads the OS images from Microsoft and uploads them to the on-premises cloud image gallery to prepare for the creation of the appliance VM.

-This command can take up to 30 minutes to complete, depending on the network download speed. Allow the command to complete before continuing with the deployment.

-Deploys an on-premises instance of Arc resource bridge as an appliance VM, bootstrapped to be a Kubernetes management cluster. Gets all necessary pods into a running state.

-Creates Arc resource bridge in Azure as an ARM resource, then establishes the connection between the ARM resource and on-premises appliance VM.

-Running this command is the last step in the deployment process.

-Gets the ARM resource information for Arc resource bridge. This information helps you monitor the status of the appliance. Successful appliance creation results in `ProvisioningState = Succeeded` and `Status = Running`.

-Deletes the appliance VM and Azure resources. It doesn't clean up the OS image, which remains in the on-premises cloud gallery.

-If a deployment fails, you must run this command to clean up the environment before you attempt to deploy again.

-While the function app is running, Netherite will publish load information about its active partitions to an Azure Storage table named "DurableTaskPartitions". You can use [Azure Storage Explorer](/azure/vs-azure-tools-storage-manage-with-storage-explorer) to check that it's working as expected. If Netherite is running correctly, the table won't be empty; see the example below.

-You need to create an Azure Functions app on Azure. To do this, follow the instructions in the **Create a function app** section of [these instructions](/azure/azure-functions/functions-create-function-app-portal#create-a-function-app-a-function).

-Follow [these steps](/azure/event-hubs/event-hubs-create#create-an-event-hubs-namespace) to create an Event Hubs namespace on the Azure portal. When creating the namespace, you may be prompted to:

-Azure Functions Java has its own set of Azure-specific annotations, but these annotations aren't necessary when you're using Quarkus on Azure Functions in a simple capacity as we're doing here. For more information about Azure Functions Java annotations, see the [Azure Functions Java developer guide](/azure/azure-functions/functions-reference-java).

-* Monitor the performance of your Azure function. For more information, see [Monitoring Azure Functions](/azure/azure-functions/monitor-functions).

-* Explore telemetry. For more information, see [Analyze Azure Functions telemetry in Application Insights](/azure/azure-functions/analyze-telemetry-data).

-* Set up logging. For more information, see [Enable streaming execution logs in Azure Functions](/azure/azure-functions/streaming-logs).

-* [Azure Functions Java developer guide](/azure/azure-functions/functions-reference-java)

-* [Quickstart: Create a Java function in Azure using Visual Studio Code](/azure/azure-functions/create-first-function-vs-code-java)

-* [Azure Functions documentation](/azure/azure-functions/)

-* [Quarkus guide to deploying on Azure](https://quarkus.io/guides/deploying-to-azure-cloud)

-For information about which bindings are in preview or are approved for production use, see [Supported languages](supported-languages.md).

-If you're creating or running an application that run on Functions [Azure Monitor Application Insights](../azure-monitor/overview.md#application-insights) may offer other types of alerts.

-[Host daemon]: /azure/azure-maps/how-to-secure-daemon-app#host-a-daemon-on-non-azure-resources

-[java elevation sample]: https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/maps/azure-maps-elevation/src/samples/java/com/azure/maps/elevation/samples

-[Azure AD]: /azure/active-directory/develop/v2-overview

-[migration guide]: /azure/active-directory/develop/msal-compare-msal-js-and-adal-js

-[Azure Maps Blog]: https://techcommunity.microsoft.com/t5/azure-maps-blog/bg-p/AzureMapsBlog

- - For **Defender for Cloud**, you will only be [billed once per machine](/azure/defender-for-cloud/auto-deploy-azure-monitoring-agent#impact-of-running-with-both-the-log-analytics-and-azure-monitor-agents) when running both agents

-> You can use the same resource name across different resource groups, but it can be beneficial to use a globally unique name. If you plan to [perform cross-resource queries](../logs/cross-workspace-query.md#identifying-an-application), using a globally unique name simplifies the required syntax.

-Maximum length: 1,024

-This field is the IP address of the client device. IPv4 and IPv6 are supported. When telemetry is sent from a service, the location context is about the user that initiated the operation in the service. Application Insights extract the geo-location information from the client IP and then truncate it. The client IP by itself can't be used as user identifiable information.

-Maximum length: 46

-Maximum length: 64

-Maximum length: 128

-Maximum length: 128

-Maximum length: 1,024

-Maximum length: 1,024

-Maximum length: 64

-Anonymous user ID (User.Id) represents the user of the application. When telemetry is sent from a service, the user context is about the user who initiated the operation in the service.

-Maximum length: 128

-Maximum length: 1,024

-The account ID, in multi-tenant applications, is the tenant account ID or name that the user is acting with. It's used for more user segmentation when a user ID and an authenticated user ID aren't sufficient. Examples might be a subscription ID for Azure portal or the blog name for a blogging platform.

-Maximum length: 1,024

-Maximum length: 256

-Maximum length: 256

-Maximum length: 64

-Maximum length: 256

-description: Learn how to effectively use the GetMetric() call to capture locally pre-aggregated metrics for .NET and .NET Core applications with Azure Monitor Application Insights

-The Azure Monitor Application Insights .NET and .NET Core SDKs have two different methods of collecting custom metrics, `TrackMetric()`, and `GetMetric()`. The key difference between these two methods is local aggregation. `TrackMetric()` lacks pre-aggregation while `GetMetric()` has pre-aggregation. The recommended approach is to use aggregation, therefore, `TrackMetric()` is no longer the preferred method of collecting custom metrics. This article will walk you through using the GetMetric() method, and some of the rationale behind how it works.

-## Pre-aggregating vs non pre-aggregating API

-`TrackMetric()` sends raw telemetry denoting a metric. It's inefficient to send a single telemetry item for each value. `TrackMetric()` is also inefficient in terms of performance since every `TrackMetric(item)` goes through the full SDK pipeline of telemetry initializers and processors. Unlike `TrackMetric()`, `GetMetric()` handles local pre-aggregation for you and then only submits an aggregated summary metric at a fixed interval of one minute. So if you need to closely monitor some custom metric at the second or even millisecond level you can do so while only incurring the storage and network traffic cost of only monitoring every minute. This behavior also greatly reduces the risk of throttling occurring since the total number of telemetry items that need to be sent for an aggregated metric are greatly reduced.

-In Application Insights, custom metrics collected via `TrackMetric()` and `GetMetric()` aren't subject to [sampling](./sampling.md). Sampling important metrics can lead to scenarios where alerting you may have built around those metrics could become unreliable. By never sampling your custom metrics, you can generally be confident that when your alert thresholds are breached, an alert will fire. But since custom metrics aren't sampled, there are some potential concerns.

-Trend tracking in a metric every second, or at an even more granular interval can result in:

-Throttling is a concern as it can lead to missed alerts. The condition to trigger an alert could occur locally and then be dropped at the ingestion endpoint due to too much data being sent. We don't recommend using `TrackMetric()` for .NET and .NET Core unless you've implemented your own local aggregation logic. If you're trying to track every instance an event occurs over a given time period, you may find that [`TrackEvent()`](./api-custom-events-metrics.md#trackevent) is a better fit. Though keep in mind that unlike custom metrics, custom events are subject to sampling. You can still use `TrackMetric()` even without writing your own local pre-aggregation, but if you do so be aware of the pitfalls.

-In summary `GetMetric()` is the recommended approach since it does pre-aggregation, it accumulates values from all the Track() calls and sends a summary/aggregate once every minute. `GetMetric()` can significantly reduce the cost and performance overhead by sending fewer data points, while still collecting all relevant information.

-> Only the .NET and .NET Core SDKs have a GetMetric() method. If you are using Java, see [sending custom metrics using micrometer](./java-standalone-config.md#auto-collected-micrometer-metrics-including-spring-boot-actuator-metrics). For JavaScript and Node.js you would still use `TrackMetric()`, but keep in mind the caveats that were outlined in the previous section. For Python you can use [OpenCensus.stats](./opencensus-python.md#metrics) to send custom metrics but the metrics implementation is different.

-## Getting started with GetMetric

-For our examples, we're going to use a basic .NET Core 3.1 worker service application. If you would like to replicate the test environment used with these examples, follow steps 1-6 of the [monitoring worker service article](worker-service.md#net-core-lts-worker-service-application). These steps will add Application Insights to a basic worker service project template and the concepts apply to any general application where the SDK can be used including web apps and console apps.

-### Sending metrics

-When running the sample code, you'll see the while loop repeatedly executing with no telemetry being sent in the Visual Studio output window. A single telemetry item will be sent by around the 60-second mark, which in our test looks as follows:

-This single telemetry item represents an aggregate of 41 distinct metric measurements. Since we were sending the same value over and over again we have a *standard deviation (stDev)* of 0 with an identical *maximum (max)*, and *minimum (min)* values. The *value* property represents a sum of all the individual values that were aggregated.

-> GetMetric does not support tracking the last value (i.e. "gauge") or tracking histograms/distributions.

-If we examine our Application Insights resource in the Logs (Analytics) experience, the individual telemetry item would look as follows:

-

-> While the raw telemetry item did not contain an explicit sum property/field once ingested we create one for you. In this case both the `value` and `valueSum` property represent the same thing.

-You can also access your custom metric telemetry in the [_Metrics_](../essentials/metrics-charts.md) section of the portal. As both a [log-based, and custom metric](pre-aggregated-metrics-log-metrics.md). (The screenshot below is an example of log-based.)

-

-### Caching metric reference for high-throughput usage

-Metric values may be observed frequently in some cases. For example, a high-throughput service that processes 500 requests/second may want to emit 20 telemetry metrics for each request. The result means tracking 10,000 values per second. In such high-throughput scenarios, users may need to help the SDK by avoiding some lookups.

-For example, the example above performed a lookup for a handle for the metric "ComputersSold" and then tracked an observed value 42. Instead, the handle may be cached for multiple track invocations:

-In addition to caching the metric handle, the example above also reduced the `Task.Delay` to 50 milliseconds so that the loop would execute more frequently resulting in 772 `TrackValue()` invocations.

-## Multi-dimensional metrics

-The examples in the previous section show zero-dimensional metrics. Metrics can also be multi-dimensional. We currently support up to 10 dimensions.

-Running the sample code for at least 60 seconds will result in three distinct telemetry items being sent to Azure, each representing the aggregation of one of the three form factors. As before you can further examine in the Logs (Analytics) view:

-

-In the Metrics explorer experience:

-

-However, you'll notice that you aren't able to split the metric by your new custom dimension, or view your custom dimension with the metrics view:

-

-By default multi-dimensional metrics within the Metric explorer experience aren't turned on in Application Insights resources.

-### Enable multi-dimensional metrics

-To enable multi-dimensional metrics for an Application Insights resource, Select **Usage and estimated costs** > **Custom Metrics** > **Enable alerting on custom metric dimensions** > **OK**. More details about can be found [here](pre-aggregated-metrics-log-metrics.md#custom-metrics-dimensions-and-pre-aggregation).

-Once you have made that change and send new multi-dimensional telemetry, you'll be able to **Apply splitting**.

-

-And view your metric aggregations for each _FormFactor_ dimension:

-

-### How to use MetricIdentifier when there are more than three dimensions

-Currently 10 dimensions are supported however, greater than three dimensions requires the use of `MetricIdentifier`:

-If you want to alter the metric configuration, you need make alterations in the place where the metric is initialized.

-Metrics don't use the telemetry context of the `TelemetryClient` used to access them, special dimension names available as constants in `MetricDimensionNames` class is the best workaround for this limitation.

-Metric aggregates sent by the below "Special Operation Request Size"-metric will **not** have their `Context.Operation.Name` set to "Special Operation". Whereas `TrackMetric()` or any other TrackXXX() will have `OperationName` set correctly to "Special Operation".

-In this circumstance, use the special dimension names listed in the `MetricDimensionNames` class in order to specify `TelemetryContext` values.

-For example, when the metric aggregate resulting from the next statement is sent to the Application Insights cloud endpoint, its `Context.Operation.Name` data field will be set to "Special Operation":

-The values of this special dimension will be copied into the `TelemetryContext` and won't be used as a 'normal' dimension. If you want to also keep an operation dimension for normal metric exploration, you need to create a separate dimension for that purpose:

- To prevent the telemetry subsystem from accidentally using up your resources, you can control the maximum number of data series per metric. The default limits are no more than 1000 total data series per metric, and no more than 100 different values per dimension.

- In the context of dimension and time series capping, we use `Metric.TrackValue(..)` to make sure that the limits are observed. If the limits are already reached, `Metric.TrackValue(..)` will return "False" and the value won't be tracked. Otherwise it will return "True". This behavior is useful if the data for a metric originates from user input.

-* `seriesCountLimit` is the max number of data time series a metric can contain. Once this limit is reached, calls to `TrackValue()` that would normally result in a new series will return false.

-* [Learn more ](./worker-service.md)about monitoring worker service applications.

-* For further details on [log-based and pre-aggregated metrics](./pre-aggregated-metrics-log-metrics.md).

-* [Metric Explorer](../essentials/metrics-getting-started.md)

-* How to enable Application Insights for [ASP.NET Core Applications](asp-net-core.md)

-* How to enable Application Insights for [ASP.NET Applications](asp-net.md)

-For more information, see [Monitoring Azure Functions with Azure Monitor Application Insights](./monitor-functions.md#distributed-tracing-for-java-applications-public-preview).

-description: How to install and use Angular plugin for Application Insights JavaScript SDK.

-# Angular plugin for Application Insights JavaScript SDK

-The Angular plugin for the Application Insights JavaScript SDK, enables:

-> Angular plugin is NOT ECMAScript 3 (ES3) compatible.

-> [!IMPORTANT]

-> When we add support for a new Angular version, our NPM package becomes incompatible with down-level Angular versions. Continue to use older NPM packages until you're ready to upgrade your Angular version.

-## Getting started

-Install npm package:

-To track uncaught exceptions, setup ApplicationinsightsAngularpluginErrorService in `app.module.ts`:

-## Enable Correlation

-Correlation generates and sends data that enables distributed tracing and powers the [application map](../app/app-map.md), [end-to-end transaction view](../app/app-map.md#go-to-details), and other diagnostic tools.

-In JavaScript correlation is turned off by default in order to minimize the telemetry we send by default. To enable correlation please reference [JavaScript client-side correlation documentation](./javascript.md#enable-distributed-tracing).

-The Angular Plugin automatically tracks route changes and collects other Angular specific telemetry.

-> `enableAutoRouteTracking` should be set to `false` if it set to true then when the route changes duplicate PageViews may be sent.

-If a custom `PageView` duration is not provided, `PageView` duration defaults to a value of 0.

-description: Azure Monitor seamlessly integrates with your application running on Kubernetes, and allows you to spot the problems with your apps in no time.

-> Currently you can enable monitoring for your Java apps running on Kubernetes without instrumenting your code - use the [Java standalone agent](./opentelemetry-enable.md?tabs=java).

-> While the solution to seamlessly enabling application monitoring is in the works for other languages, use the SDKs to monitor your apps running on AKS: [ASP.NET Core](./asp-net-core.md), [ASP.NET](./asp-net.md), [Node.js](./nodejs.md), [JavaScript](./javascript.md), and [Python](./opencensus-python.md).

-Currently, only Java lets you enable application monitoring without instrumenting the code. To monitor applications in other languages use the SDKs.

-For a complete list of supported auto-instrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers).

-Once enabled, the Java agent will automatically collect a multitude of requests, dependencies, logs, and metrics from the most widely used libraries and frameworks.

-Follow [the detailed instructions](./opentelemetry-enable.md?tabs=java) to monitor your Java apps running in Kubernetes apps, as well as other environments.

-For the applications in other languages we currently recommend using the SDKs:

-* Learn more about [Azure Monitor](../overview.md) and [Application Insights](./app-insights-overview.md)

-* Get an overview of [Distributed Tracing](./distributed-tracing.md) and see what [Application Map](./app-map.md?tabs=net) can do for your business

-# Monitoring Azure Functions with Azure Monitor Application Insights

-[Azure Functions](../../azure-functions/functions-overview.md) offers built-in integration with Azure Application Insights to monitor functions. For languages other than .NET and .NET Core, other language-specific workers/extensions are needed to get the full benefits of distributed tracing.

-Application Insights collects log, performance, and error data, and automatically detects performance anomalies. Application Insights includes powerful analytics tools to help you diagnose issues and to understand how your functions are used. When you have the visibility into your application data, you can continuously improve performance and usability. You can even use Application Insights during local function app project development.

-The required Application Insights instrumentation is built into Azure Functions. The only thing you need is a valid connection string to connect your function app to an Application Insights resource. The connection string should be added to your application settings when your function app resource is created in Azure. If your function app doesn't already have a connection string, you can set it manually. For more information, read more about [monitoring Azure Functions](../../azure-functions/functions-monitoring.md?tabs=cmd) and [connection strings](sdk-connection-string.md).

-For a complete list of supported auto-instrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers).

-## Distributed tracing for Java applications (public preview)

-> [!IMPORTANT]

-> This feature is currently in public preview for Java Azure Functions both Windows and Linux

-> This feature used to have a 8-9 second cold startup implication, which has been reduced to less than 1 sec. If you were an early adopter of this feature (i.e. prior to Feb 2023), then review the troubleshooting section to update to the current version and benefit from the new faster startup.

-To view more data from your Java-based Azure Functions applications than is [collected by default](../../azure-functions/functions-monitoring.md?tabs=cmd), you can enable the [Application Insights Java 3.x agent](./java-in-process-agent.md). This agent allows Application Insights to automatically collect and correlate dependencies, logs, and metrics from popular libraries and Azure SDKs, in addition to the request telemetry already captured by Functions.

-By using the application map and having a more complete view of end-to-end transactions, you can better diagnose issues and see a topological view of how systems interact, along with data on average performance and error rates. You have more data for end-to-end diagnostics and the ability to use the application map to easily find the root cause of reliability issues and performance bottlenecks on a per request basis.

-For more advanced use cases, you're able to modify telemetry (add spans, update span status, add span attributes) or send custom telemetry using standard APIs.

-### How to enable distributed tracing for Java Function apps

-Navigate to the functions app Overview pane and go to configurations. Under Application Settings, select "+ New application setting".

-> 

-Add the following application settings with below values, then select Save on the upper left. DONE!

-Your Java Functions may have slow startup times if you adopted this feature before Feb 2023. Follow the steps to fix the issue.

-1. Check to see if the following settings exist and remove them.

-```

-XDT_MicrosoftApplicationInsights_Java -> 1

-ApplicationInsightsAgent_EXTENSION_VERSION -> ~2

-```

-2. Enable the latest version by adding this setting.

-```

-APPLICATIONINSIGHTS_ENABLE_AGENT: true

-```

-1. Check to see if the following settings exist and remove it.

-```

-ApplicationInsightsAgent_EXTENSION_VERSION -> ~3

-```

-2. Enable the latest version by adding this setting.

-```

-APPLICATIONINSIGHTS_ENABLE_AGENT: true

-```

-> If the latest version of the Application Insights Java agent isn't available in Azure Function, you can upload it manually by following [these instructions](https://github.com/Azure/azure-functions-java-worker/wiki/Distributed-Tracing-for-Java-Azure-Functions#customize-distribute-agent).

-## Distributed tracing for Python Function apps

-To collect custom telemetry from services such as Redis, Memcached, MongoDB, and more, you can use the [OpenCensus Python Extension](https://github.com/census-ecosystem/opencensus-python-extensions-azure) and [log your telemetry](../../azure-functions/functions-reference-python.md?tabs=azurecli-linux%2capplication-level#log-custom-telemetry). You can find the list of supported services [here](https://github.com/census-instrumentation/opencensus-python/tree/master/contrib).

-## Next Steps

-* Read more instructions and information about monitoring [Monitoring Azure Functions](../../azure-functions/functions-monitoring.md)

-* Get an overview of [Distributed Tracing](./distributed-tracing.md)

-* See what [Application Map](./app-map.md?tabs=net) can do for your business

-* Read about [requests and dependencies for Java apps](./java-in-process-agent.md)

-* Learn more about [Azure Monitor](../overview.md) and [Application Insights](./app-insights-overview.md)

-| [Planning](best-practices-plan.md) | Things that you should consider before starting your implementation. Includes design decisions and information about your organization and requirements that you should gather. |

-| [Configure data collection](best-practices-data-collection.md) | Tasks required to collect monitoring data from your Azure and hybrid applications and resources. |

-| [Analysis and visualizations](best-practices-analysis.md) | Standard features and additional visualizations that you can create to analyze collected monitoring data. |

-| [Alerts and automated responses](best-practices-alerts.md) | Configure notifications and processes that are automatically triggered when an alert is created. |

-|Compute||||

-|Networking||||

-|Storage||||

-|Databases||||

-|Security||||

-|Monitor||||

- | [Azure Monitor for Resource Groups](resource-group-insights.md) | GA | No | Triage and diagnose any problems your individual resources encounter, while offering context for the health and performance of the resource group as a whole. |

-|Integration||||

- | [Azure Service Bus Insights](../../service-bus-messaging/service-bus-insights.md) | Preview | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/serviceBusInsights) | Azure Service Bus Insights provide a view of the overall performance, failures, capacity, and operational health of all your Service Bus resources in a unified interactive experience. |

-|Workloads||||

-|Other||||

- | [Azure Virtual Desktop Insights](../../virtual-desktop/azure-monitor.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_WVD/WvdManagerMenuBlade/insights/menuId/insights) | Azure Virtual Desktop Insights is a dashboard built on Azure Monitor Workbooks that helps IT professionals understand their Azure Virtual Desktop environments. |

- | [Azure Stack HCI Insights](/azure-stack/hci/manage/azure-stack-hci-insights) | Preview | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/azureStackHCIInsights) | Based on Azure Monitor Workbooks. Provides health, performance, and usage insights about registered Azure Stack HCI version 21H2 clusters that are connected to Azure and enrolled in monitoring. It stores its data in a Log Analytics workspace, which allows it to deliver powerful aggregation and filtering and analyze data trends over time. |

-|Not in Azure portal Insight hub||||

-|Analytics||||

-| where IsBillable = false

-description: This article describes how you can query against resources from multiple workspaces and App Insights app in your subscription.

-Azure Monitor Logs support querying across multiple Log Analytics workspaces and Application Insights apps in the same resource group, another resource group, or another subscription. This provides you with a system-wide view of your data.

-There are two methods to query data that is stored in multiple workspace and apps:

-1. Explicitly by specifying the workspace and app details. This technique is detailed in this article.

-2. Implicitly using [resource-context queries](manage-access.md#access-mode). When you query in the context of a specific resource, resource group or a subscription, the relevant data will be fetched from all workspaces that contains data for these resources. Application Insights data that is stored in apps, will not be fetched.

-> If you are using a [workspace-based Application Insights resource](../app/create-workspace-resource.md), telemetry is stored in a Log Analytics workspace with all other log data. Use the workspace() expression to write a query that includes applications in multiple workspaces. For multiple applications in the same workspace, you don't need a cross workspace query.

-## Cross-resource query limits

-* References to cross resource such as another workspace, should be explicit and cannot be parameterized. See [Identifying workspace resources](#identifying-workspace-resources) for examples.

-## Querying across Log Analytics workspaces and from Application Insights

-To reference another workspace in your query, use the [*workspace*](../logs/workspace-expression.md) identifier, and for an app from Application Insights, use the [*app*](./app-expression.md) identifier.

-### Identifying workspace resources

-The following examples demonstrate queries across Log Analytics workspaces to return summarized counts of logs from the Update table on a workspace named *contosoretail-it*.

-Identifying a workspace can be accomplished one of several ways:

-* Resource name - is a human-readable name of the workspace, sometimes referred to as *component name*.

- >Because app and workspace names are not unique, this identifier might be ambiguous. It's recommended that reference is by Qualified name, Workspace ID, or Azure Resource ID.

-* Qualified name - is the "full name" of the workspace, composed of the subscription name, resource group, and component name in this format: *subscriptionName/resourceGroup/componentName*.

- >Because Azure subscription names are not unique, this identifier might be ambiguous.

-* Workspace ID - A workspace ID is the unique, immutable, identifier assigned to each workspace represented as a globally unique identifier (GUID).

-* Azure Resource ID ΓÇô the Azure-defined unique identity of the workspace. You use the Resource ID when the resource name is ambiguous. For workspaces, the format is: */subscriptions/subscriptionId/resourcegroups/resourceGroup/providers/microsoft.OperationalInsights/workspaces/componentName*.

-### Identifying an application

-The following examples return a summarized count of requests made against an app named *fabrikamapp* in Application Insights.

-Identifying an application in Application Insights can be accomplished with the *app(Identifier)* expression. The *Identifier* argument specifies the app using one of the following:

-* Resource name - is a human readable name of the app, sometimes referred to as the *component name*.

-* Qualified name - is the ΓÇ£full nameΓÇ¥ of the app, composed of the subscription name, resource group, and component name in this format: *subscriptionName/resourceGroup/componentName*.

- >Because Azure subscription names are not unique, this identifier might be ambiguous.

-* ID - the app GUID of the application.

-* Azure Resource ID - the Azure-defined unique identity of the app. You use the Resource ID when the resource name is ambiguous. The format is: */subscriptions/subscriptionId/resourcegroups/resourceGroup/providers/microsoft.OperationalInsights/components/componentName*.

-### Performing a query across multiple resources

-You can query multiple resources from any of your resource instances, these can be workspaces and apps combined.

-

-Example for query across two workspaces:

-## Using cross-resource query for multiple resources

-When using cross-resource queries to correlate data from multiple Log Analytics workspaces and Application Insights resources, the query can become complex and difficult to maintain. You should leverage [functions in Azure Monitor log queries](./functions.md) to separate the query logic from the scoping of the query resources, which simplifies the query structure. The following example demonstrates how you can monitor multiple Application Insights resources and visualize the count of failed requests by application name.

-Create a query like the following that references the scope of Application Insights resources. The `withsource= SourceApp` command adds a column that designates the application name that sent the log. [Save the query as function](./functions.md#create-a-function) with the alias _applicationsScoping_.

-You can now [use this function](./functions.md#use-a-function) in a cross-resource query like the following. The function alias _applicationsScoping_ returns the union of the requests table from all the defined applications. The query then filters for failed requests and visualizes the trends by application. The _parse_ operator is optional in this example. It extracts the application name from _SourceApp_ property.

-> This method can't be used with log alerts because the access validation of the alert rule resources, including workspaces and applications, is performed at alert creation time. Adding new resources to the function after the alert creation isnΓÇÖt supported. If you prefer to use function for resource scoping in log alerts, you need to edit the alert rule in the portal or with a Resource Manager template to update the scoped resources. Alternatively, you can include the list of resources in the log alert query.

-

-Deleting a linked workspace is permitted while linked to cluster. If you decide to [recover](./delete-workspace.md#recover-workspace) the workspace during the [soft-delete](./delete-workspace.md#soft-delete-behavior) period, it returns to previous state and remains linked to cluster.

-# Delete and recover Azure Log Analytics workspace

-This article explains the concept of Azure Log Analytics workspace soft-delete and how to recover deleted workspace.

-## Considerations when deleting a workspace

-When you delete a Log Analytics workspace, a soft-delete operation is performed to allow the recovery of the workspace including its data and connected agents within 14 days, whether the deletion was accidental or intentional.

-After the soft-delete period, the workspace resource and its data are non-recoverable and queued for purged completely within 30 days. The workspace name is 'released' and you can use it to create a new workspace.

-You want to exercise caution when you delete a workspace because there might be important data and configuration that may negatively impact your service operation. Review what agents, solutions and other Azure services store their data in Log Analytics, such as:

-* Management solutions

-* Azure Automation

-* Agents running on Windows and Linux virtual machines

-* Agents running on Windows and Linux computers in your environment

-* System Center Operations Manager

-The soft-delete operation deletes the workspace resource and any associated users' permission is broken. If users are associated with other workspaces, then they can continue using Log Analytics with those other workspaces.

-The workspace delete operation removes the workspace Resource Manager resource, but its configuration and data are kept for 14 days, while giving the appearance that the workspace is deleted. Any agents and System Center Operations Manager management groups configured to report to the workspace remain in an orphaned state during the soft-delete period. The service further provides a mechanism for recovering the deleted workspace including its data and connected resources, essentially undoing the deletion.

-> [!NOTE]

-> Installed solutions and linked services like your Azure Automation account are permanently removed from the workspace at deletion time and can't be recovered. These should be reconfigured after the recovery operation to bring the workspace to its previously configured state.

-You can delete a workspace using [PowerShell](/powershell/module/azurerm.operationalinsights/remove-azurermoperationalinsightsworkspace), [REST API](/rest/api/loganalytics/workspaces/delete), or in the [Azure portal](https://portal.azure.com).

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. In the Azure portal, select **All services**. In the list of resources, type **Log Analytics**. As you begin typing, the list filters based on your input. Select **Log Analytics workspaces**.

-3. In the list of Log Analytics workspaces, select a workspace and then click **Delete** from the top of the middle pane.

-4. A confirmation page appears that shows the data ingestion to the workspace over the past week.

-5. If you want to permanently delete the workspace removing the option to later recover it, select the **Delete the workspace permanently** checkbox.

-6. Type in the name of the workspace to confirm and then click **Delete**.

- 

-The soft-delete method may not fit in some scenarios such as development and testing, where you need to repeat a deployment with the same settings and workspace name. In such cases you can permanently delete your workspace and "override" the soft-delete period. The permanent workspace delete operation releases the workspace name and you can create a new workspace using the same name.

-> Use permanent workspace delete operation with caution since its irreversible and you won't be able to recover your workspace and its data.

-To permanently delete a workspace using the Azure portal, select the **Delete the workspace permanently** checkbox before clicking the **Delete** button.

-To permanently delete a workspace using PowerShell, add '-ForceDelete' tag to permanently delete your workspace. The '-ForceDelete' option is currently available with Az.OperationalInsights 2.3.0 or higher.

-## Recover workspace

-When you delete a Log Analytics workspace accidentally or intentionally, the service places the workspace in a soft-delete state making it inaccessible to any operation. The name of the deleted workspace is preserved during the soft-delete period and can't be used for creating a new workspace. After the soft-delete period, the workspace is non-recoverable, it is scheduled for permanent deletion and its name it released and can be used for creating a new workspace.

-You can recover your workspace during the soft-delete period including its data, configuration and connected agents. You need to have Contributor permissions to the subscription and resource group where the workspace was located before the soft-delete operation. The workspace recovery is performed by re-creating the Log Analytics workspace with the details of the deleted workspace including:

-> If your workspace was deleted as part of resource group delete operation, you must first re-create the resource group.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. In the Azure portal, select **All services**. In the list of resources, type **Log Analytics**. As you begin typing, the list filters based on your input. Select **Log Analytics workspaces**. You see the list of workspaces you have in the selected scope.

-3. Click **Recover** on the top left menu to open a page with workspaces in soft-delete state that can be recovered.

- 

-4. Select the workspace and click **Recover** to recover that workspace.

- 

-The workspace and all its data are brought back after the recovery operation. Solutions and linked services were permanently removed from the workspace when it was deleted and these should be reconfigured to bring the workspace to its previously configured state. Some of the data may not be available for query after the workspace recovery until the associated solutions are re-installed and their schemas are added to the workspace.

-You must have at least *Log Analytics Contributor* permissions to delete a workspace.

-* If you aren't sure if deleted workspace is in soft-delete state and can be recovered, click [Open recycle bin](#recover-workspace) in *Log Analytics workspaces* page to see a list of soft-deleted workspaces per subscription. Permanently deleted workspaces aren't included in the list.

-* If you get an error message *This workspace name is already in use* or *conflict* when creating a workspace, it could be since:

- * The workspace name isn't available and being used by someone in your organization, or by other customer.

- * The workspace was deleted in the last 14 days and its name kept reserved for the soft-delete period. To override the soft-delete and permanently delete your workspace to create a new workspace with the same name, follow these steps to recover the workspace first and then perform permanent delete:<br>

- 1. [Recover](#recover-workspace) your workspace.

- 2. [Permanently delete](#permanent-workspace-delete) your workspace.

- 3. Create a new workspace using the same workspace name.

-

- After the deletion call is successfully completed on the back end, you can restore the workspace and complete the permanent delete operation in one of the methods suggested earlier.

-* If you get 204 response code with *Resource not found* when deleting a workspace, a consecutive retries operations may occurred. 204 is an empty response, which usually means that the resource doesn't exist, so the delete completed without doing anything.

-* If you delete your resource group and your workspace included, you can see the deleted workspace in [Open recycle bin](#recover-workspace) page, however the recovery operation will fail with error code 404 since the resource group does not exist -- Re-create your resource group and try the recovery again.

-A function is a log query in Azure Monitor that can be used in other log queries as though it's a command. Functions allow developers to provide solutions to different customers and for you to reuse query logic in your own environment. This article provides details on how to use functions and how to create your own.

-## Viewing functions

-You can view solution functions and workspace functions in the current workspace from the **Functions** tab in the left pane of a Log Analytics workspace. Use the **Filter** button to filter the functions included in the list and **Group by** to change their grouping. Type a string into the **Search** box to locate a particular function. Hover over a function to view details about it including a description and parameters.

-Use a function in a query by typing its name with values for any parameters just as you would type in a command. The output of the function can either be returned as results or piped to another command.

-Add a function to the current query by double-clicking on its name or hovering over it and selecting **Use in editor**. Functions in the workspace will also be included in intellisense as you type in a query.

-If a query requires parameters, provide them using the syntax: `function_name(param1,param2,...)`.

-To create a function from the current query in the editor, select **Save** and then **Save as function**.

-Create a function with Log Analytics in the Azure portal by clicking **Save** and then providing the information in the following table.

-| Function Name | Name for the function. This may not include a space or any special characters. It also may not start with an underscore (_) since this character is reserved for solution functions. |

-| Legacy category | User defined category to help filter and group functions. |

-| Parameters | Add a parameter for each variable in the function that requires a value when it's used. See [Function parameters](#function-parameters) for details. |

-You can add parameters to a function so that you can provide values for certain variables when calling it. This allows the same function to be used in different queries, each providing different values for the parameters. Parameters are defined by the following properties.

-| Name | Name for the parameter. This is the name that must be used in the query to replace with the parameter value. |

-Parameters are ordered as they are created with any parameters that have no default value positioned in front of those that have a default value.

-## Working with function code

-You can view the code of a function either to gain insight into how it works or to modify the code for a workspace function. Select **Load the function code** to add the function code to the current query in the editor. If you add it to an empty query or the first line of an existing query, then it will add the function name to the tab. If it's a workspace function, then this enables the option to edit the function details.

-Edit the properties or the code of a function by creating a new query and then hover over the name of the function and select **load function code**. Make any modifications that you want to the code and select **Save** and then **Edit function details**. Make any changes you want to the properties and parameters of the function before clicking **Save**.

-The following sample function returns all events in the Azure Activity log since a particular date and that match a particular category.

-Start with the following query using hardcoded values. This verifies that the query works as expected.

-Next, replace the hardcoded values with parameter names and then save the function by selecting **Save** and then **Save as function**.

- Provide the following values for the function properties.

-Define the following parameters before saving the function.

-Create a new query and view the new function by hovering over it. Note the order of the parameters since this is the order they must be specified when you use the function.

-Select **Use in editor** to add the new function to a query and then add values for the parameters. Note that you don't need to specify a value for CategoryParam because it has a default value.

-See other lessons for writing Azure Monitor log queries:

-|Splunk Observability|[Azure Monitor](../overview.md) is an end-to-end solution for collecting, analyzing, and acting on telemetry from your cloud, multicloud, and on-premises environments, built over a powerful data ingestion pipeline that's shared with Microsoft Sentinel. Azure Monitor offers enterprises a comprehensive solution for monitoring cloud, hybrid, and on-premises environments, with [network isolation](../logs/private-link-security.md), [resilience features and protection from data center failures](../logs/availability-zones.md), [reporting](../overview.md#insights-and-curated-visualizations), and [alerts and response](../overview.md#respond-to-critical-situations) capabilities.|

-|Azure Monitor Logs |Similar Splunk concept|Description|

-||||

-|[Log Analytics workspace](../logs/log-analytics-workspace-overview.md)|Namespace|A Log Analytics workspace is an environment in which you can collect log data from all Azure and non-Azure monitored resources. The data in the workspace is available for querying and analysis, Azure Monitor features, and other Azure services. Similar to a Splunk namespace, you can manage access to the data and artifacts, such as alerts and workbooks, in your Log Analytics workspace. |

-|[Table management](../logs/manage-logs-tables.md)|Indexing|Azure Monitor Logs ingests log data into tables in a managed [Azure Data Explorer](/azure/data-explorer/data-explorer-overview) database. During ingestion, the service automatically indexes and timestamps the data, which means you can store various types of data and access the data quickly using Kusto Query Language (KQL) queries.<br/>Use table properties to manage the table schema, data retention and archive, and whether to store the data for occasional auditing and troubleshooting or for ongoing analysis and use by features and services.<br/>For a comparison of Splunk and Azure Data Explorer data handling and querying concepts, see [Splunk to Kusto Query Language map](/azure/data-explorer/kusto/query/splunk-cheat-sheet).||

-|[Basic and Analytics log data plans](../logs/basic-logs-configure.md)| |Azure Monitor Logs offers two log data plans that let you reduce log ingestion and retention costs and take advantage of Azure Monitor's advanced features and analytics capabilities based on your needs.<br/>The **Analytics** plan makes log data available for interactive queries and use by features and services.<br/>The **Basic** log data plan provides a low-cost way to ingest and retain logs for troubleshooting, debugging, auditing, and compliance. |

-|[Archiving and quick access to archived data](../logs/data-retention-archive.md)|Data bucket states (hot, warm, cold, thawed), archiving, Dynamic Data Active Archive (DDAA) |The cost-effective archive option keeps your logs in your Log Analytics workspace and lets you access archived log data immediately, when you need it. Archive configuration changes are effective immediately because data isn't physically transferred to external storage. You can [restore archived data](../logs/restore.md) or run a [search job](../logs/search-jobs.md) to make a specific time range of archived data available for real-time analysis. |

-|[Access control](../logs/manage-access.md)|Role-based user access, permissions |Role-based access control lets you define which people in your organization have access to read, write, and perform operations in a Log Analytics workspace. You can configure permissions at the workspace level, at the resource level, and at the table level, so you have granular control over specific resources and log types.|

-|[Data transformations](../essentials/data-collection-transformations.md)|Transforms, field extractions |Transformations let you filter or modify incoming data before it's sent to a Log Analytics workspace. Use transformations to remove sensitive data, enrich data in your Log Analytics workspace, perform calculations, and filter out data you don't need to reduce data costs. |

-|[Data collection rules](../essentials/data-collection-rule-overview.md)|Data inputs, data pipeline|Define which data to collect, how to transform that data, and where to send the data. |

-|[Kusto Query Language (KQL)](/azure/kusto/query/)|Splunk Search Processing Language (SPL)|Azure Monitor Logs uses a large subset of KQL that's suitable for simple log queries but also includes advanced functionality such as aggregations, joins, and smart analytics. Use the [Splunk to Kusto Query Language map](/azure/data-explorer/kusto/query/splunk-cheat-sheet) to translate your Splunk SPL knowledge to KQL. You can also [learn KQL with tutorials](../logs/get-started-queries.md) and [KQL training modules](/training/modules/analyze-logs-with-kql/).|

-|[Cost optimization](../../azure-monitor/best-practices-cost.md)||Azure Monitor provides [tools and best practices to help you understand, monitor, and optimize your costs](../../azure-monitor/best-practices-cost.md) based on your needs. |

-|Lookups|Azure Monitor provides various ways to enrich data, including:<br>- [Data collection rules](../essentials/data-collection-rule-overview.md), which let you send data from multiple sources to a Log Analytics workspace, and perform calculations and transformations before ingesting the data.<br>- KQL operators, such as the [join operator](/data-explorer/kusto/query/joinoperator?pivots=azuremonitor), which combines data from different tables, and the [externaldata operator](/azure/data-explorer/kusto/query/externaldata-operator?pivots=azuremonitor), which returns data from external storage.<br>- Integration with services, such as [Azure Machine Learning](/azure/machine-learning/overview-what-is-azure-machine-learning) or [Azure Event Hubs](/azure/event-hubs/event-hubs-about), to apply advanced machine learning and stream in additional data.|

-After data sources are connected to the target workspace, ingested data is stored in the target workspace. Older data stays in the original workspace and is subject to the retention policy. You can perform a [cross-workspace query](./cross-workspace-query.md#performing-a-query-across-multiple-resources). If both workspaces were assigned the same name, use a qualified name (*subscriptionName/resourceGroup/componentName*) in the workspace reference.

-While new data is being ingested to your new workspace, older data in the original workspace remains available for query and is subject to the retention policy defined in the workspace. We recommend that you keep the original workspace for as long as you need older data to [query across](./cross-workspace-query.md#performing-a-query-across-multiple-resources) workspaces.

-description: Describes different options for parsing log data in Azure Monitor records when the data is ingested and when it's retrieved in a query, comparing the relative advantages for each.

-Some log data collected by Azure Monitor will include multiple pieces of information in a single property. Parsing this data into multiple properties make it easier to use in queries. A common example is a [custom log](../agents/data-sources-custom-logs.md) that collects an entire log entry with multiple values into a single property. By creating separate properties for the different values, you can search and aggregate on each.

-You can parse data either at ingestion time when the data is collected or at query time when analyzing the data with a query. Each strategy has unique advantages as described below.

-When you parse data at collection time, you configure [Custom Fields](../logs/custom-fields.md) that create new properties in the table. Queries don't have to include any parsing logic and simply use these properties as any other field in the table.

-Advantages to this method include the following:

-

-Disadvantages to this method include the following:

-Advantages to this method include the following:

-

-Disadvantages to this method include the following:

-See [Create custom fields in Azure Monitor](../logs/custom-fields.md) for details on parsing data as it's collected. This creates custom properties in the table that can be used by queries just like any other property.

-## Parse data in query using patterns

-When the data you want to parse can be identified by a pattern repeated across records, you can use different operators in the [Kusto query language](/azure/kusto/query/) to extract the specific piece of data into one or more new properties.

-Use the [parse](/azure/kusto/query/parseoperator) operator in your query to create one or more custom properties that can be extracted from a string expression. You specify the pattern to be identified and the names of the properties to create. This is particularly useful for data with key-value strings with a form similar to _key=value_.

-Consider a custom log with data in the following format.

-The following query would parse this data into individual properties. The line with _project_ is added to only return the calculated properties and not _RawData_, which is the single property holding the entire entry from the custom log.

-Following is another example that breaks out the user name of a UPN in the _AzureActivity_ table.

-If your data can be identified with a regular expression, you can use [functions that use regular expressions](/azure/kusto/query/re2) to extract individual values. The following example uses [extract](/azure/kusto/query/extractfunction) to break out the _UPN_ field from _AzureActivity_ records and then return distinct users.

-To enable efficient parsing at large scale, Azure Monitor uses re2 version of Regular Expressions, which is similar but not identical to some of the other regular expression variants. Refer to the [re2 expression syntax](https://aka.ms/kql_re2syntax) for details.

-Delimited data separates fields with a common character such as a comma in a CSV file. Use the [split](/azure/kusto/query/splitfunction) function to parse delimited data using a delimiter that you specify. You can use this with [extend](/azure/kusto/query/extendoperator) operator to return all fields in the data or to specify individual fields to be included in the output.

-> Since split returns a dynamic object, the results may need to be explicitly cast to data types such as string to be used in operators and filters.

-Consider a custom log with data in the following CSV format.

-The following query would parse this data and summarize by two of the calculated properties. The first line splits the _RawData_ property into a string array. Each of the next lines gives a name to individual properties and adds them to the output using functions to convert them to the appropriate data type.

-If your data is formatted in a known structure, you may be able to use one of the functions in the [Kusto query language](/azure/kusto/query/) for parsing predefined structures:

-The following example query parses the _Properties_ field of the _AzureActivity_ table, which is structured in JSON. It saves the results to a dynamic property called _parsedProp_, which includes the individual named value in the JSON. These values are used to filter and summarize the query results.

-These parsing functions can be processor intensive, so they should be used only when your query uses multiple properties from the formatted data. Otherwise, simple pattern matching processing will be faster.

-The following example shows the breakdown of domain controller TGT Preauth type. The type exists only in the EventData field, which is an XML string, but no other data from this field is needed. In this case, [parse](/azure/kusto/query/parseoperator) is used to pick out the required piece of data.

-## Use function to simulate a table

-You may have multiple queries that perform the same parsing of a particular table. In this case, [create a function](../logs/functions.md) that returns the parsed data instead of replicating the parsing logic in each query. You can then use the function alias in place of the original table in other queries.

-Consider the comma-delimited custom log example above. In order to use the parsed data in multiple queries, create a function using the following query and save it with the alias _MyCustomCSVLog_.

-You can now use the alias _MyCustomCSVLog_ in place of the actual table name in queries like the following.

-* Learn about [log queries](./log-query-overview.md) to analyze the data collected from data sources and solutions.

- * [Recover](../logs/delete-workspace.md#recover-workspace) your workspace.

-Query packs act as containers for log queries in Azure Monitor and let you save log queries and share them across workspaces and other contexts in Log Analytics.

-You can view and manage query packs in the Azure portal from the **Log Analytics query packs** menu. Select a query pack to view and edit its permissions. See below for details on creating a query pack using the API.

-[](media/query-packs/view-query-pack.png#lightbox)

-A query pack, called **DefaultQueryPack** is automatically created in each subscription in a resource group called **LogAnalyticsDefaultResources** when the first query is saved. You can create queries in this query pack or create additional query packs depending on your requirements.

-## Using multiple query packs

-The single default query pack will be sufficient for most users to save and reuse queries. There are reasons that you may want to create multiple query packs for users in your organization though, including loading different sets of queries in different Log Analytics sessions and providing different permissions for different collections of queries.

-When you create a new query pack using the API, you can add tags that classify queries according to your business requirements. For example, you could tag a query pack to relate it to a particular department in your organization or to severity of issues that the included queries are meant to address. This allows you to create different sets of queries intended for different sets of users and different situations.

-Each query pack is defined in a JSON file that includes the definition for one or more queries. Each query is represented by a block as follows:

-Each query in the query pack has the following properties.

-| displayName | Display name listed in Log Analytics for each query. |

-| body | Query written in KQL. |

-| related | Related categories, resource types, and solutions for the query. Used for grouping and filtering in Log Analytics by the user to help locate their query. Each query can have up to ten of each type. Retrieve allowed values from https://api.loganalytics.io/v1/metadata?select=resourceTypes,solutions,categories. |

-| tags | Additional tags used by the user for sorting and filtering in Log Analytics. Each tag will be added to Category, Resource Type, and Solution when [grouping and filtering queries](queries.md#find-and-filter-queries). |

-You can create a query pack using the REST API or from the **Log Analytics query packs** pane in the Azure portal. Currently the **Log Analytics query packs** pane shows up under **Other** category of **All services** page in the Azure portal.

-### Create token

-You require a token for authentication of the API request. There are multiple methods to get a token including using **armclient**.

-First log in to Azure using the following command:

-Then create the token with the following command. The token is automatically copied to the clipboard so you can paste it into another tool.

-### Create payload

-The payload of the request is the JSON defining one or more queries and the location where the query pack should be stored. The name of the query pack is specified in the API request described in the next section.

-### Create request

-Use the following request to create a new query pack using the REST API. The request should use bearer token authorization. Content type should be application/json.

-Use a tool that can submit a REST API request such as Fiddler or Postman to submit the request using the payload described in the previous section. The query ID will be generated and returned in the payload.

- 1. [Recover](../logs/delete-workspace.md#recover-workspace) your workspace.

- "name": "ExtendedColumn",

- "description": "An additional column extended at ingestion time"

-The [DCR](../essentials/data-collection-rule-overview.md) defines the schema of data that's being sent to the HTTP endpoint. It also defines the transformation that will be applied to it. The DCR also defines the destination workspace and table the transformed data will be sent to.

- - `dataFlows`: Matches the stream with the destination workspace and specifies the transformation query and the destination table.

- "defaultValue": "westus2",

- "allowedValues": [

- "westus2",

- "eastus2",

- "eastus2euap"

- ],

- "transformKql": "source | extend jsonContext = parse_json(AdditionalContext) | project TimeGenerated = Time, Computer, AdditionalContext = jsonContext, ExtendedColumn=tostring(jsonContext.CounterName)",

-1. Copy the **Resource ID** for the DCR. You'll use it in the next step.

- :::image type="content" source="media/tutorial-workspace-transformations-api/data-collection-rule-json-view.png" lightbox="media/tutorial-workspace-transformations-api/data-collection-rule-json-view.png" alt-text="Screenshot that shows DCR JSON view.":::

- $uri = "$dceEndpoint/dataCollectionRules/$dcrImmutableId/streams/Custom-MyTableRawData?api-version=2021-11-01-preview"

-description: Reference of all services and other resources monitored by Azure Monitor.

-# What is monitored by Azure Monitor?

-This article is a reference of the different applications and services that are monitored by Azure Monitor.

-Azure Monitor data is collected and stored based on resource provider namespaces. Each resource in Azure has a unique ID. The resource provider namespace is part of all unique IDs. For example, a key vault resource ID would be similar to `/subscriptions/d03b04c7-d1d4-eeee-aaaa-87b6fcb38b38/resourceGroups/KeyVaults/providers/Microsoft.KeyVault/vaults/mysafekeys ` . *Microsoft.KeyVault* is the resource provider namespace. *Microsoft.KeyVault/vaults/* is the resource provider.

-For a list of Azure resource provider namespaces, see [Resource providers for Azure services](../azure-resource-manager/management/azure-services-resource-providers.md).

-For a list of resource providers that support Azure Monitor

-## Services that require agents

-Azure Monitor can't see inside a service running its own application, operating system or container. That type of service requires one or more agents to be installed. The agent then runs as well to collect metrics, logs, traces and changes and forward them to Azure Monitor. The following services require agents for this reason.

-In addition, applications also require either the Application Insights SDK or auto-instrumentation (via an agent) to collect information and write it to the Azure Monitor data platform.

-## Services with Insights

-Some services have curated monitoring experiences call "insights". Insights are meant to be a starting point for monitoring a service or set of services. Some insights may also automatically pull additional data that's not captured or stored in Azure Monitor. For more information on monitoring insights, see [Insights Overview](insights/insights-overview.md).

-## Product integrations

-The services and [older monitoring solutions](insights/solutions.md) in the following table store their data in Azure Monitor Logs so that it can be analyzed with other log data collected by Azure Monitor.

-| Product/Service | Description |

-|:|:|

-| [Azure Automation](../automation/index.yml) | Manage operating system updates and track changes on Windows and Linux computers. See [Change tracking](../automation/change-tracking/overview.md) and [Update management](../automation/update-management/overview.md). |

-| [Azure Information Protection](/azure/information-protection/) | Classify and optionally protect documents and emails. See [Central reporting for Azure Information Protection](/azure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports). |

-| [Defender for the Cloud](../defender-for-cloud/defender-for-cloud-introduction.md) | Collect and analyze security events and perform threat analysis. See [Data collection in Defender for the Cloud](../defender-for-cloud/monitoring-components.md). |

-| [Microsoft Sentinel](../sentinel/index.yml) | Connect to different sources including Office 365 and Amazon Web Services Cloud Trail. See [Connect data sources](../sentinel/connect-data-sources.md). |

-| [Microsoft Intune](/intune/) | Create a diagnostic setting to send logs to Azure Monitor. See [Send log data to storage, Event Hubs, or log analytics in Intune (preview)](/intune/fundamentals/review-logs-using-azure-monitor). |

-| Network [Traffic Analytics](../network-watcher/traffic-analytics.md) | Analyze Network Watcher network security group flow logs to provide insights into traffic flow in your Azure cloud. |

-| [System Center Operations Manager](/system-center/scom) | Collect data from Operations Manager agents by connecting their management group to Azure Monitor. See [Connect Operations Manager to Azure Monitor](agents/om-agents.md).<br> Assess the risk and health of your System Center Operations Manager management group with the [Operations Manager Assessment](insights/scom-assessment.md) solution. |

-| [Microsoft Teams Rooms](/microsoftteams/room-systems/azure-monitor-deploy) | Integrated, end-to-end management of Microsoft Teams Rooms devices. |

-| [Visual Studio App Center](/appcenter/) | Build, test, and distribute applications and then monitor their status and usage. See [Start analyzing your mobile app with App Center and Application Insights](https://github.com/Microsoft/appcenter). |

-| Windows | [Windows Update Compliance](/windows/deployment/update/update-compliance-get-started) - Assess your Windows desktop upgrades.<br>[Desktop Analytics](/configmgr/desktop-analytics/overview) - Integrates with Configuration Manager to provide insight and intelligence to make more informed decisions about the update readiness of your Windows clients. |

-| **The following solutions also integrate with parts of Azure Monitor. Note that solutions, which are based on Azure Monitor Logs and Log Analytics, are no longer under active development. Use [Insights](insights/insights-overview.md) instead.** | |

-| Network - [Network Performance Monitor solution](insights/network-performance-monitor.md) |

-| Network - [Azure Application Gateway solution](insights/azure-networking-analytics.md#azure-application-gateway-analytics) | .

-| [Office 365 solution](insights/solution-office-365.md) | Monitor your Office 365 environment. Updated version with improved onboarding available through Microsoft Sentinel. |

-| [SQL Analytics solution](insights/azure-sql.md) | Use SQL Insights instead. |

-| [Surface Hub solution](insights/surface-hubs.md) | |

-## Third-party integration

-| Integration | Description |

-|:|:|

-| [ITSM](alerts/itsmc-overview.md) | The IT Service Management (ITSM) Connector allows you to connect Azure and a supported ITSM product/service. |

-| [Azure Monitor Partners](./partners.md) | A list of partners that integrate with Azure Monitor in some form. |

-| [Azure Monitor Partner integrations](../partner-solutions/overview.md)| Specialized integrations between Azure Monitor and other non-Microsoft monitoring platforms if you've already built on them. Examples include Datadog and Elastic.|

-## Resources outside of Azure

-Azure Monitor can collect data from resources outside of Azure by using the methods listed in the following table.

-| Resource | Method |

-|:|:|

-| Applications | Monitor web applications outside of Azure by using Application Insights. See [What is Application Insights?](./app/app-insights-overview.md). |

-| Virtual machines | Use agents to collect data from the guest operating system of virtual machines in other cloud environments or on-premises. See [Overview of Azure Monitor agents](agents/agents-overview.md). |

-| REST API Client | Separate APIs are available to write data to Azure Monitor Logs and Metrics from any REST API client. See [Send log data to Azure Monitor with the HTTP Data Collector API](logs/data-collector-api.md) for Logs. See [Send custom metrics for an Azure resource to the Azure Monitor metric store by using a REST API](essentials/metrics-store-custom-rest-api.md) for Metrics. |

-## Next steps

-description: Describes the

-# Observability data in Azure Monitor

-Enabling observability across today's complex computing environments running distributed applications that rely on both cloud and on-premises services, requires collection of operational data from every layer and every component of the distributed system. You need to be able to perform deep insights on this data and consolidate it into a single pane of glass with different perspectives to support the multitude of stakeholders in your organization.

-[Azure Monitor](overview.md) collects and aggregates data from various sources into a common data platform where it can be used for analysis, visualization, and alerting. It provides a consistent experience on top of data from multiple sources, which gives you deep insights across all your monitored resources and even with data from other services that store their data in Azure Monitor.

-## Pillars of observability

-Metrics, logs, distributed traces, and changes are commonly referred to as the pillars of observability. These are the different kinds of data that a monitoring tool must collect and analyze to provide sufficient observability of a monitored system. Observability can be achieved by correlating data from multiple pillars and aggregating data across the entire set of resources being monitored. Because Azure Monitor stores data from multiple sources together, the data can be correlated and analyzed using a common set of tools. It also correlates data across multiple Azure subscriptions and tenants, in addition to hosting data for other services.

-Azure resources generate a significant amount of monitoring data. Azure Monitor consolidates this data along with monitoring data from other sources into either a Metrics or Logs platform. Each is optimized for particular monitoring scenarios, and each supports different features in Azure Monitor. Features such as data analysis, visualizations, or alerting require you to understand the differences so that you can implement your required scenario in the most efficient and cost effective manner. Insights in Azure Monitor such as [Application Insights](app/app-insights-overview.md) or [VM insights](vm/vminsights-overview.md) have analysis tools that allow you to focus on the particular monitoring scenario without having to understand the differences between the two types of data.

-## Metrics

-[Metrics](essentials/data-platform-metrics.md) are numerical values that describe some aspect of a system at a particular point in time. They are collected at regular intervals and are identified with a timestamp, a name, a value, and one or more defining labels. Metrics can be aggregated using a variety of algorithms, compared to other metrics, and analyzed for trends over time.

-Metrics in Azure Monitor are stored in a time-series database which is optimized for analyzing time-stamped data. This makes metrics ideal for alerting and fast detection of issues. They can tell you how your system is performing but typically need to be combined with logs to identify the root cause of issues.

-Metrics are available for interactive analysis in the Azure portal with [Azure Metrics Explorer](essentials/metrics-getting-started.md). They can be added to an [Azure dashboard](app/tutorial-app-dashboards.md) for visualization in combination with other data and used for near-real time [alerting](alerts/alerts-metric.md).

-Read more about Azure Monitor Metrics including their sources of data in [Metrics in Azure Monitor](essentials/data-platform-metrics.md).

-## Logs

-[Logs](logs/data-platform-logs.md) are events that occurred within the system. They can contain different kinds of data and may be structured or free-form text with a timestamp. They may be created sporadically as events in the environment generate log entries, and a system under heavy load will typically generate more log volume.

-Logs in Azure Monitor are stored in a Log Analytics workspace that's based on [Azure Data Explorer](/azure/data-explorer/) which provides a powerful analysis engine and [rich query language](/azure/kusto/query/). Logs typically provide enough information to provide complete context of the issue being identified and are valuable for identifying root case of issues.

-> [!NOTE]

-> It's important to distinguish between Azure Monitor Logs and sources of log data in Azure. For example, subscription level events in Azure are written to an [activity log](essentials/platform-logs-overview.md) that you can view from the Azure Monitor menu. Most resources will write operational information to a [resource log](essentials/platform-logs-overview.md) that you can forward to different locations. Azure Monitor Logs is a log data platform that collects activity logs and resource logs along with other monitoring data to provide deep analysis across your entire set of resources.

-You can work with [log queries](logs/log-query-overview.md) interactively with [Log Analytics](logs/log-query-overview.md) in the Azure portal or add the results to an [Azure dashboard](app/tutorial-app-dashboards.md) for visualization in combination with other data. You can also create [log alerts](alerts/alerts-log.md) which will trigger an alert based on the results of a schedule query.

-Read more about Azure Monitor Logs including their sources of data in [Logs in Azure Monitor](logs/data-platform-logs.md).

-## Distributed traces

-Traces are series of related events that follow a user request through a distributed system. They can be used to determine behavior of application code and the performance of different transactions. While logs will often be created by individual components of a distributed system, a trace measures the operation and performance of your application across the entire set of components.

-Distributed tracing in Azure Monitor is enabled with the [Application Insights SDK](app/distributed-tracing.md), and trace data is stored with other application log data collected by Application Insights. This makes it available to the same analysis tools as other log data including log queries, dashboards, and alerts.

-Read more about distributed tracing at [What is Distributed Tracing?](app/distributed-tracing.md).

-## Changes

-Change Analysis alerts you to live site issues, outages, component failures, or other change data. It also provides insights into those application changes, increases observability, and reduces the mean time to repair. You automatically register the `Microsoft.ChangeAnalysis` resource provider with an Azure Resource Manager subscription by going to Change Analysis via the Azure portal. For web app in-guest changes, you can enable the [Change Analysis tool via the Change Analysis portal](./change/change-analysis-enable.md#enable-azure-functions-and-web-app-in-guest-change-collection-via-the-change-analysis-portal).

-Change Analysis builds on [Azure Resource Graph](../governance/resource-graph/overview.md) to provide a historical record of how your Azure resources have changed over time. It detects managed identities, platform operating system upgrades, and hostname changes. Change Analysis securely queries IP configuration rules, TLS settings, and extension versions to provide more detailed change data.

-Read more about Change Analysis at [Use Change Analysis in Azure Monitor](./change/change-analysis.md). [Try Change Analysis for observability into your Azure subscriptions](https://aka.ms/cahome).

-## Next steps

-Azure Monitor helps you maximize the availability and performance of your applications and services. It delivers a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. This information helps you understand how your applications are performing and proactively identify issues that affect them and the resources they depend on.

-A few examples of what you can do with Azure Monitor include:

-## Overview

-The following diagram gives a high-level view of Azure Monitor.

-## Observability and the Azure Monitor data platform

-Metrics, logs, and distributed traces are commonly referred to as the three pillars of observability. Observability can be achieved by aggregating and correlating these different types of data across the entire system being monitored.

-Natively, Azure Monitor stores data as metrics, logs, or changes. Traces are stored in the Logs store. Each storage platform is optimized for particular monitoring scenarios, and each supports different features in Azure Monitor. It's important for you to understand the differences between features such as data analysis, visualizations, or alerting, so that you can implement your required scenario in the most efficient and cost effective manner.

-| Pillar | Description |

-|:|:|

-| Metrics | Metrics are numerical values that describe some aspect of a system at a particular point in time. Metrics are collected at regular intervals and are identified with a timestamp, a name, a value, and one or more defining labels. Metrics can be aggregated using various algorithms, compared to other metrics, and analyzed for trends over time.<br><br>Metrics in Azure Monitor are stored in a time-series database, which is optimized for analyzing time-stamped data. For more information, see [Azure Monitor Metrics](essentials/data-platform-metrics.md). |

-| Logs | [Logs](logs/data-platform-logs.md) are events that occurred within the system. They can contain different kinds of data and may be structured or free-form text with a timestamp. They may be created sporadically as events in the environment generate log entries, and a system under heavy load will typically generate more log volume.<br><br>Azure Monitor stores logs in the Azure Monitor Logs store. The store allows you to segregate logs into separate "Log Analytics workspaces". There you can analyze them using the Log Analytics tool. Log Analytics workspaces are based on [Azure Data Explorer](/azure/data-explorer/), which provides a powerful analysis engine and the [Kusto rich query language](/azure/kusto/query/). For more information, see [Azure Monitor Logs](logs/data-platform-logs.md). |

-| Distributed traces | Traces are series of related events that follow a user request through a distributed system. They can be used to determine behavior of application code and the performance of different transactions. While logs will often be created by individual components of a distributed system, a trace measures the operation and performance of your application across the entire set of components.<br><br>Distributed tracing in Azure Monitor is enabled with the [Application Insights SDK](app/distributed-tracing.md). Trace data is stored with other application log data collected by Application Insights and stored in Azure Monitor Logs. For more information, see [What is Distributed Tracing?](app/distributed-tracing.md). |

-| Changes | Changes are tracked using [Change Analysis](change/change-analysis.md). Changes are a series of events that occur in your Azure application and resources. Change Analysis is a subscription-level observability tool that's built on the power of Azure Resource Graph. <br><br> Once Change Analysis is enabled, the `Microsoft.ChangeAnalysis` resource provider is registered with an Azure Resource Manager subscription. Change Analysis' integrations with Monitoring and Diagnostics tools provide data to help users understand what changes might have caused the issues. Read more about Change Analysis in [Use Change Analysis in Azure Monitor](./change/change-analysis.md). |

-Azure Monitor aggregates and correlates data across multiple Azure subscriptions and tenants, in addition to hosting data for other services. Because this data is stored together, it can be correlated and analyzed using a common set of tools.

-> [!NOTE]

-> It's important to distinguish between Azure Monitor Logs and sources of log data in Azure. For example, subscription level events in Azure are written to an [activity log](essentials/platform-logs-overview.md) that you can view from the Azure Monitor menu. Most resources will write operational information to a [resource log](essentials/platform-logs-overview.md) that you can forward to different locations. Azure Monitor Logs is a log data platform that collects activity logs and resource logs along with other monitoring data to provide deep analysis across your entire set of resources.

-For many Azure resources, you'll see data collected by Azure Monitor right in their overview page in the Azure portal. Look at any virtual machine (VM), for example, and you'll see several charts that display performance metrics. Select any of the graphs to open the data in [Metrics Explorer](essentials/metrics-charts.md) in the Azure portal. With Metrics Explorer, you can chart the values of multiple metrics over time. You can view the charts interactively or pin them to a dashboard to view them with other visualizations.

-

-Log data collected by Azure Monitor can be analyzed with [queries](logs/log-query-overview.md) to quickly retrieve, consolidate, and analyze collected data. You can create and test queries by using the [Log Analytics](./logs/log-query-overview.md) user interface in the Azure portal. You can then either directly analyze the data by using different tools or save queries for use with [visualizations](best-practices-analysis.md) or [alert rules](alerts/alerts-overview.md).

-Azure Monitor Logs uses a version of the [Kusto Query Language](/azure/kusto/query/) that's suitable for simple log queries but also includes advanced functionality such as aggregations, joins, and smart analytics. You can quickly learn the query language by using [multiple lessons](logs/get-started-queries.md). Particular guidance is provided to users who are already familiar with [SQL](/azure/data-explorer/kusto/query/sqlcheatsheet) and [Splunk](/azure/data-explorer/kusto/query/splunk-cheat-sheet).

-

-Change Analysis alerts you to live site issues, outages, component failures, or other change data. It also provides insights into those application changes, increases observability, and reduces the mean time to repair. You automatically register the `Microsoft.ChangeAnalysis` resource provider with an Azure Resource Manager subscription by going to Change Analysis via the Azure portal. For web app in-guest changes, you can enable Change Analysis by using the [Diagnose and solve problems tool](./change/change-analysis-enable.md#enable-azure-functions-and-web-app-in-guest-change-collection-via-the-change-analysis-portal).

-Change Analysis builds on [Azure Resource Graph](../governance/resource-graph/overview.md) to provide a historical record of how your Azure resources have changed over time. It detects managed identities, platform operating system upgrades, and hostname changes. Change Analysis securely queries IP configuration rules, TLS settings, and extension versions to provide more detailed change data.

-## What data can Azure Monitor collect?

-Azure Monitor can collect data from [sources](monitor-reference.md) that range from your application to any operating system and services it relies on, down to the platform itself. Azure Monitor collects data from each of the following tiers:

-As soon as you create an Azure subscription and add resources such as VMs and web apps, Azure Monitor starts collecting data. [Activity logs](essentials/platform-logs-overview.md) record when resources are created or modified. [Metrics](essentials/data-platform-metrics.md) tell you how the resource is performing and the resources that it's consuming.

-[Enable diagnostics](essentials/platform-logs-overview.md) to extend the data you're collecting into the internal operation of the resources. [Add an agent](agents/agents-overview.md) to compute resources to collect telemetry from their guest operating systems.

-Enable monitoring for your application with [Application Insights](app/app-insights-overview.md) to collect detailed information including page views, application requests, and exceptions. Further verify the availability of your application by configuring an [availability test](app/monitor-web-app-availability.md) to simulate user traffic.

-### Custom sources

-Azure Monitor can collect log data from any REST client by using the [Data Collector API](logs/data-collector-api.md). You can create custom monitoring scenarios and extend monitoring to resources that don't expose telemetry through other sources.

-## Insights and curated visualizations

-Monitoring data is only useful if it can increase your visibility into the operation of your computing environment. Some Azure resource providers have a "curated visualization," which gives you a customized monitoring experience for that particular service or set of services. They generally require minimal configuration. Larger, scalable, curated visualizations are known as "insights" and marked with that name in the documentation and the Azure portal.

-For more information, see [List of insights and curated visualizations using Azure Monitor](insights/insights-overview.md). Some of the larger insights are described here.

-### Application Insights

-[Application Insights](app/app-insights-overview.md) monitors the availability, performance, and usage of your web applications whether they're hosted in the cloud or on-premises. It takes advantage of the powerful data analysis platform in Azure Monitor to provide you with deep insights into your application's operations. You can use it to diagnose errors without waiting for a user to report them. Application Insights includes connection points to various development tools and integrates with Visual Studio to support your DevOps processes.

-

-### Container insights

-[Container insights](containers/container-insights-overview.md) monitors the performance of container workloads that are deployed to managed Kubernetes clusters hosted on Azure Kubernetes Service. It gives you performance visibility by collecting metrics from controllers, nodes, and containers that are available in Kubernetes through the Metrics API. Container logs are also collected. After you enable monitoring from Kubernetes clusters, these metrics and logs are automatically collected for you through a containerized version of the Log Analytics agent for Linux.

-

-### VM insights

-[VM insights](vm/vminsights-overview.md) monitors your Azure VMs at scale. It analyzes the performance and health of your Windows and Linux VMs and identifies their different processes and interconnected dependencies on external processes. The solution includes support for monitoring performance and application dependencies for VMs hosted on-premises or another cloud provider.

-

-## Respond to critical situations

-In addition to allowing you to interactively analyze monitoring data, an effective monitoring solution must be able to proactively respond to critical conditions identified in the data that it collects. The response could be sending a text or email to an administrator responsible for investigating an issue. Or you could launch an automated process that attempts to correct an error condition.

-### Alerts

-[Alerts in Azure Monitor](alerts/alerts-overview.md) proactively notify you of critical conditions and potentially attempt to take corrective action. Alert rules based on metrics provide near-real-time alerts based on numeric values. Rules based on logs allow for complex logic across data from multiple sources.

-Alert rules in Azure Monitor use [action groups](alerts/action-groups.md), which contain unique sets of recipients and actions that can be shared across multiple rules. Based on your requirements, action groups can perform such actions as using webhooks to have alerts start external actions or to integrate with your IT service management tools.

-

-### Autoscale

-Autoscale allows you to have the right amount of resources running to handle the load on your application. Create rules that use metrics collected by Azure Monitor to determine when to automatically add resources when load increases. Save money by removing resources that are sitting idle. You specify a minimum and maximum number of instances and the logic for when to increase or decrease resources.

-

-## Visualize monitoring data

-[Visualizations](best-practices-analysis.md) such as charts and tables are effective tools for summarizing monitoring data and presenting it to different audiences. Azure Monitor has its own features for visualizing monitoring data and uses other Azure services for publishing it to different audiences.

-### Dashboards

-[Azure dashboards](../azure-portal/azure-portal-dashboards.md) allow you to combine different kinds of data into a single pane in the [Azure portal](https://portal.azure.com). You can optionally share the dashboard with other Azure users. Add the output of any log query or metrics chart to an Azure dashboard. For example, you could create a dashboard that combines tiles that show a graph of metrics, a table of Activity logs, a usage chart from Application Insights, and the output of a log query.

-

-### Workbooks

-[Workbooks](visualize/workbooks-overview.md) provide a flexible canvas for data analysis and the creation of rich visual reports in the Azure portal. You can use them to tap into multiple data sources from across Azure and combine them into unified interactive experiences. Use workbooks provided with Insights or create your own from predefined templates.

-

-### Power BI

-[Power BI](https://powerbi.microsoft.com) is a business analytics service that provides interactive visualizations across various data sources. It's an effective means of making data available to others within and outside your organization. You can configure Power BI to [automatically import log data from Azure Monitor](./logs/log-powerbi.md) to take advantage of these visualizations.

-

-## Integrate and export data

-You'll often have the requirement to integrate Azure Monitor with other systems and to build custom solutions that use your monitoring data. Other Azure services work with Azure Monitor to provide this integration.

-### Event Hubs

-[Azure Event Hubs](../event-hubs/index.yml) is a streaming platform and event ingestion service. It can transform and store data by using any real-time analytics provider or batching/storage adapters. Use Event Hubs to [stream Azure Monitor data](essentials/stream-monitoring-data-event-hubs.md) to partner SIEM and monitoring tools.

-### Logic Apps

-[Azure Logic Apps](https://azure.microsoft.com/services/logic-apps) is a service you can use to automate tasks and business processes by using workflows that integrate with different systems and services. Activities are available that read and write metrics and logs in Azure Monitor.

-### API

-Multiple APIs are available to read and write metrics and logs to and from Azure Monitor in addition to accessing generated alerts. You can also configure and retrieve alerts. With APIs, you have unlimited possibilities to build custom solutions that integrate with Azure Monitor.

-Learn more about:

-* [Metrics and logs](./data-platform.md#metrics) for the data collected by Azure Monitor.

-* [Data sources](data-sources.md) for how the different components of your application send telemetry.

-* [Log queries](logs/log-query-overview.md) for analyzing collected data.

-* [Best practices](/azure/architecture/best-practices/monitoring) for monitoring cloud applications and services.

-Log Analytics dashboards can visualize all of your saved log queries, giving you the ability to find, correlate, and share IT operational data in the organization. This tutorial covers creating a log query that will be used to support a shared dashboard that will be accessed by your IT operations support team. You learn how to:

-> * Create a shared dashboard in the Azure portal

-> * Visualize a performance log query

-> * Add a log query to a shared dashboard

-> * Customize a tile in a shared dashboard

-To complete the example in this tutorial, you must have an existing virtual machine [connected to the Log Analytics workspace](../vm/monitor-virtual-machine.md).

-

-## Sign in to Azure portal

-Sign in to the Azure portal at [https://portal.azure.com](https://portal.azure.com).

-Select **Dashboard** to open your default [dashboard](../../azure-portal/azure-portal-dashboards.md). Your dashboard will look different than the example below.

-

-Here you can bring together operational data that is most important to IT across all your Azure resources, including telemetry from Azure Log Analytics. Before we step into visualizing a log query, let's first create a dashboard and share it. We can then focus on our example performance log query, which will render as a line chart, and add it to the dashboard.

-> The following chart types are supported in Azure dashboards using log queries:

-> - areachart

-> - columnchart

-> - piechart (will render in dashboard as donut)

-> - scatterchart

-> - timechart

-To create a dashboard, select the **New dashboard** button next to the current dashboard's name.

-

-This action creates a new, empty, private dashboard and puts you into customization mode where you can name your dashboard and add or rearrange tiles. Edit the name of the dashboard and specify *Sample Dashboard* for this tutorial, and then select **Done customizing**.<br><br> 

-When you create a dashboard, it is private by default, which means you are the only person who can see it. To make it visible to others, use the **Share** button that appears alongside the other dashboard commands.

-

-You are asked to choose a subscription and resource group for your dashboard to be published to. For convenience, the portal's publishing experience guides you towards a pattern where you place dashboards in a resource group called **dashboards**. Verify the subscription selected and then click **Publish**. Access to the information displayed in the dashboard is controlled with [Azure role-based access control (Azure RBAC)](../../role-based-access-control/role-assignments-portal.md).

-[Log Analytics](../logs/log-analytics-tutorial.md) is a dedicated portal used to work with log queries and their results. Features include the ability to edit a query on multiple lines, selectively execute code, context sensitive Intellisense, and Smart Analytics. In this tutorial, you will use Log Analytics to create a performance view in graphical form, save it for a future query, and pin it to the shared dashboard created earlier.

-Open Log Analytics by selecting **Logs** in the Azure Monitor menu. It starts with a new blank query.

-

-Enter the following query to return processor utilization records for both Windows and Linux computers, grouped by Computer and TimeGenerated, and displayed in a visual chart. Click **Run** to run the query and view the resulting chart.

-Save the query by selecting the **Save** button from the top of the page.

-In the **Save Query** control panel, provide a name such as *Azure VMs - Processor Utilization* and a category such as *Dashboards* and then click **Save**. This way you can create a library of common queries that you can use and modify. Finally, pin this to the shared dashboard created earlier by selecting the **Pin to dashboard** button from the top right corner of the page and then selecting the dashboard name.

-Now that we have a query pinned to the dashboard, you will notice it has a generic title and comment below it.

- We should rename it to something meaningful that can be easily understood by those viewing it. Click the edit button to customize the title and subtitle for the tile, and then click **Update**. A banner will appear asking you to publish changes or discard. Click **Save a copy**.

-In this tutorial, you learned how to create a dashboard in the Azure portal and add a log query to it. Follow this link to see pre-built Log Analytics script samples.

-description: A filter in an Azure Monitor view allows users to filter the data in the view by the value of a particular property without modifying the view itself. This article describes how to use a filter and add one to a custom view.

-> Views in Azure Monitor [are being retired](https://azure.microsoft.com/updates/view-designer-in-azure-monitor-is-retiring-on-31-august-2023/) and transitioned to [workbooks](workbooks-overview.md) which provide additional functionality. See [Azure Monitor view designer to workbooks transition guide](view-designer-conversion-overview.md) for details on converting your existing views to workbooks.

-A **filter** in an [Azure Monitor view](view-designer.md) allows users to filter the data in the view by the value of a particular property without modifying the view itself. For example, you could allow users of your view to filter the view for data only from a particular computer or set of computers. You can create multiple filters on a single view to allow users to filter by multiple properties. This article describes how to use a filter and add one to a custom view.

-## Using a filter

-Click the date time range at the top of a view to open the drop down where you can change the date time range for the view.

-

-Click the **+** to add a filter using custom filters that are defined for the view. Either select a value for the filter from the dropdown or type in a value. Continue to add filters by clicking the **+**.

-

-If you remove all of the values for a filter, then that filter will no longer be applied.

-## Creating a filter

-Create a filter from the **Filters** tab when [editing a view](view-designer.md). The filter is global for the view and applies to all parts in the view.

-

-| Field Name | Name of the field used for filtering. This field must match the summarize field in **Query for Values**. |

-| Query for Values | Query to run to populate filter dropdown for the user. This query must use either [summarize](/azure/kusto/query/summarizeoperator) or [distinct](/azure/kusto/query/distinctoperator) to provide unique values for a particular field, and it must match the **Field Name**. You can use [sort](/azure/kusto/query/sortoperator) to sort the values that are displayed to the user. |

-The following table includes a few examples of common filters.

-| Field Name | Query for Values | Tag |

-For a filter to have any effect, you must modify any queries in the view to filter on the selected values. If you don't modify any queries in the view, then any values the user selects will have no effect.

-The syntax for using a filter value in a query is:

-For example, if your view has a query that returns events and uses a filter called _Computers_, you could use the following query.

-If you added another filter called Severity, you could use the following query to use both filters.

-* Learn more about the [Visualization Parts](view-designer-parts.md) you can add to your custom view.

-# Troubleshooting the Log Analytics VM extension in Azure Monitor

-This article provides help troubleshooting errors you might experience with the Log Analytics VM extension for Windows and Linux virtual machines running on Microsoft Azure, and suggests possible solutions to resolve them.

-To verify the status of the extension, perform the following steps from the Azure portal.

-1. Sign into the [Azure portal](https://portal.azure.com).

-2. In the Azure portal, click **All services**. In the list of resources, type **virtual machines**. As you begin typing, the list filters based on your input. Select **Virtual machines**.

-3. In your list of virtual machines, find and select it.

-3. On the virtual machine, click **Extensions**.

-4. From the list, check to see if the Log Analytics extension is enabled or not. For Linux, the agent is listed as **OMSAgentforLinux** and for Windows, the agent is listed as **MicrosoftMonitoringAgent**.

- 

-4. Click on the extension to view details.

- 

-## Troubleshooting Azure Windows VM extension

-If the *Microsoft Monitoring Agent* VM extension is not installing or reporting, you can perform the following steps to troubleshoot the issue.

-1. Check if the Azure VM agent is installed and working correctly by using the steps in [KB 2965986](https://support.microsoft.com/kb/2965986#mt1).

- * You can also review the VM agent log file `C:\WindowsAzure\logs\WaAppAgent.log`

- * If the log does not exist, the VM agent is not installed.

- * [Install the Azure VM Agent](../../virtual-machines/extensions/agent-windows.md#install-the-vm-agent)

-2. Review the Microsoft Monitoring Agent VM extension log files in `C:\Packages\Plugins\Microsoft.EnterpriseCloud.Monitoring.MicrosoftMonitoringAgent`

-3. Ensure the virtual machine can run PowerShell scripts

-4. Ensure permissions on C:\Windows\temp havenΓÇÖt been changed

-5. View the status of the Microsoft Monitoring Agent by typing the following in an elevated PowerShell window on the virtual machine `(New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg').GetCloudWorkspaces() | Format-List`

-6. Review the Microsoft Monitoring Agent setup log files in `C:\WindowsAzure\Logs\Plugins\Microsoft.EnterpriseCloud.Monitoring.MicrosoftMonitoringAgent\1.0.18053.0\`. Note that this path will change based on the version number of the agent.

-For more information, see [troubleshooting Windows extensions](../../virtual-machines/extensions/oms-windows.md).

-## Troubleshooting Linux VM extension

-If the *Log Analytics agent for Linux* VM extension is not installing or reporting, you can perform the following steps to troubleshoot the issue.

-1. If the extension status is *Unknown* check if the Azure VM agent is installed and working correctly by reviewing the VM agent log file `/var/log/waagent.log`

- * If the log does not exist, the VM agent is not installed.

- * [Install the Azure VM Agent on Linux VMs](../../virtual-machines/extensions/agent-linux.md#installation)

-2. For other unhealthy statuses, review the Log Analytics agent for Linux VM extension logs files in `/var/log/azure/Microsoft.EnterpriseCloud.Monitoring.OmsAgentForLinux/*/extension.log` and `/var/log/azure/Microsoft.EnterpriseCloud.Monitoring.OmsAgentForLinux/*/CommandExecution.log`

-3. If the extension status is healthy, but data is not being uploaded review the Log Analytics agent for Linux log files in `/var/opt/microsoft/omsagent/log/omsagent.log`

-For additional troubleshooting guidance related to the Log Analytics agent for Linux, see [Troubleshoot Azure Log Analytics Linux Agent](../agents/agent-linux-troubleshoot.md).

-Azure Monitor focuses on operational data like Activity logs, Metrics, and Log Analytics supported sources, including Windows Events (excluding security events), performance counters, logs, and Syslog. Security monitoring in Azure is performed by [Microsoft Defender for Cloud](/azure/defender-for-cloud/) and [Microsoft Sentinel](/azure/sentinel/). Configuration of these services is not included in this guide.

-[Deploy the Azure Monitor agent to your virtual machines](monitor-virtual-machine-agent.md)

-Azure NetApp Files only supports file and directory names that are encoded with the UTF-8 Unicode Character Encoding format for both NFS and SMB volumes.

-If you try to create files or directories with names that use supplementary characters or surrogate pairs such as non-regular characters and emoji that are not supported by UTF-8, the operation will fail. In this case, an error from a Windows client might read ΓÇ£The file name you specified is not valid or too long. Specify a different file name.ΓÇ¥

-To reduce confusion in your template, delete any dependsOn entries which are not necessary. Bicep automatically infers most resource dependencies as long as template expressions reference other resources via symbolic names rather than strings with hard-coded IDs or names.

-resource appServicePlan 'Microsoft.Web/serverfarms@2020-12-01' = {

- location: resourceGroup().location

-resource webApplication 'Microsoft.Web/sites@2018-11-01' = {

- location: resourceGroup().location

-resource appServicePlan 'Microsoft.Web/serverfarms@2020-12-01' = {

- location: resourceGroup().location

-resource webApplication 'Microsoft.Web/sites@2018-11-01' = {

- location: resourceGroup().location

-To fix it, you will need to remove the secret data from the output. The recommended practice is to output the resourceId of the resource containing the secret and retrieve the secret when the resource needing the information is created or updated. Secrets may also be stored in KeyVault for more complex deployment scenarios.

-Sometimes this rule will alert on template outputs that do not actually contain secrets. For instance, not all [`list*`](./bicep-functions-resource.md#list) functions actually return sensitive data. In these cases, you can disable the warning for this line by adding `#disable-next-line outputs-should-not-contain-secrets` before the line with the warning.

-#disable-next-line outputs-should-not-contain-secrets // Does not contain a password

-It is good practice to add a comment explaining why the rule does not apply to this line.

-Use string interpolation instead of the concat function.

-The following example fails this test because the concat function is used.

-You can fix it by replacing concat with string interpolation. The following example passes this test.

-resource AutomationAccount 'Microsoft.Automation/automationAccounts@2020-01-13-preview' = {

-resource AutomationAccount 'Microsoft.Automation/automationAccounts@2020-01-13-preview' = {

-Some of the following default limits and quotas can be increased. To request a change, create a [change request](/azure/communications-gateway/request-changes.md) stating the limit you want to change.

-* [Naming rules and restrictions for Azure resources](resource-name-rules.md)

-Batch pools in the Virtual Machine configuration support almost all [VM sizes](../virtual-machines/sizes.md). The supported VM sizes in a region can be obtained via [Batch Management APIs](batch-apis-tools.md#batch-management-apis), as well as the [command line tools](batch-apis-tools.md#batch-command-line-tools) (PowerShell cmdlets and Azure CLI). For example, the [Azure Batch CLI command](/cli/azure/batch/location#az-batch-location-list-skus) to list supported VM sizes in a region is:

-az batch location list-skus --location

- [--filter]

- [--maxresults]

- [--subscription]

-For each VM series, the following table also lists whether the VM series and VM sizes are supported by Batch.

-| VM series | Supported sizes |

-|||

-| Basic A | All sizes *except* Basic_A0 (A0) |

-| A | All sizes *except* Standard_A0, Standard_A8, Standard_A9, Standard_A10, Standard_A11 |

-| Av2 | All sizes |

-| B | Not supported |

-| DCsv2 | All sizes |

-| Dv2, DSv2 | All sizes |

-| Dv3, Dsv3 | All sizes |

-| Dav4, Dasv4 | All sizes |

-| Ddv4, Ddsv4 | All sizes |

-| Dv4, Dsv4 | Not supported |

-| Ev3, Esv3 | All sizes, except for E64is_v3 |

-| Eav4, Easv4 | All sizes |

-| Edv4, Edsv4 | All sizes |

-| Ev4, Esv4 | Not supported |

-| F, Fs | All sizes |

-| Fsv2 | All sizes |

-| FX¹ | All sizes |

-| G, Gs | All sizes |

-| H | All sizes |

-| HB | All sizes |

-| HBv2 | All sizes |

-| HBv3 | All sizes |

-| HC | All sizes |

-| Ls | All sizes |

-| Lsv2 | All sizes |

-| M | All sizes |

-| Mv2¹ | All sizes |

-| NC | All sizes |

-| NCv2 | All sizes |

-| NCv3 | All sizes |

-| NCasT4_v3 | All sizes |

-| NC_A100_v4 | All sizes |

-| ND | All sizes |

-| NDv4 | All sizes |

-| NDv2 | None - not yet available |

-| NP | All sizes |

-| NV | All sizes |

-| NVv3 | All sizes |

-| NVv4 | All sizes |

-| SAP HANA | Not supported |

-¹ These VM series can only be used with generation 2 VM Images.

-Some VM series, such as [Mv2](../virtual-machines/mv2-series.md), can only be used with [generation 2 VM images](../virtual-machines/generation-2.md). Generation 2 VM images are specified like any VM image, using the 'sku' property of the ['imageReference'](/rest/api/batchservice/pool/add#imagereference) configuration; the 'sku' strings have a suffix such as "-g2" or "-gen2". To get a list of VM images supported by Batch, including generation 2 images, use the ['list supported images'](/rest/api/batchservice/account/listsupportedimages) API, [PowerShell](/powershell/module/az.batch/get-azbatchsupportedimage), or [Azure CLI](/cli/azure/batch/pool/supported-images).

-It is strongly recommended to avoid images with impending Batch support end of life (EOL) dates. These dates can be discovered via the [`ListSupportedImages` API](/rest/api/batchservice/account/listsupportedimages), [PowerShell](/powershell/module/az.batch/get-azbatchsupportedimage), or [Azure CLI](/cli/azure/batch/pool/supported-images). Please see the [Batch best practices guide](best-practices.md) for more information regarding Batch pool VM image selection.

-> Besides the Speech service, you can also use the [Translator service](/azure/cognitive-services/translator/translator-overview). To execute text translation between supported source and target languages in real time see [Text translation](/azure/cognitive-services/translator/text-translation-overview).

-* [Speech translation quickstart](get-started-speech-translation.md)

-Azure Cognitive Services are cloud-based artificial intelligence (AI) services that help developers build cognitive intelligence into applications without having direct AI or data science skills or knowledge. They are available through REST APIs and client library SDKs in popular development languages. Azure Cognitive Services enables developers to easily add cognitive features into their applications with cognitive solutions that can see, hear, speak, and analyze.

-* **Vision** - Computer Vision, Custom Vision, Face

-

-1. Select the following links to create a Speech resource:

-1. If you want to delete only the Cognitive Service resource, select the resource group to see all the resources within it. On the next page, select the resource that you want to delete, select the ellipsis menu for that row, and select **Delete**.

-Azure Traffic Manager routes requests among the selected regions. The SRMR currently supports [Priority](/azure/traffic-manager/traffic-manager-routing-methods#priority-traffic-routing-method), [Performance](/azure/traffic-manager/traffic-manager-routing-methods#performance-traffic-routing-method) and [Weighted](/azure/traffic-manager/traffic-manager-routing-methods#weighted-traffic-routing-method) profiles and is currently available for the following

-* [Computer Vision](/azure/cognitive-services/computer-vision/overview)

-* [Immersive Reader](/azure/applied-ai-services/immersive-reader/overview)

-* [Univariate Anomaly Detector](/azure/cognitive-services/anomaly-detector/overview)

-If you use Priority or Weighted traffic manager profiles, your configuration will behave according to the [Traffic Manager documentation](/azure/traffic-manager/traffic-manager-routing-methods).

-|Count of utterances per project | 1 | 25,000|

-|Count of intents per project | 1 | 500|

-|Count of entities per project | 1 | 500|

-|Count of list synonyms per entity| 0 | 20,000 |

-|Count of prebuilt components per entity| 0 | 7 |

-|Count of regular expressions per project| 0 | 20 |

-|Count of trained models per project| 0 | 10 |

-|Count of deployments per project| 0 | 10 |

- "prompt":"Text example"

- , "n": 3

- , "stream": false

- "prompt":"Text example"

- , "n": 3

- , "stream": false

- "prompt":"Text example"

- , "n": 3

- , "stream": true

- "prompt":"Text example"

- , "n": 3

- , "stream": true

- "prompt":"Text example"

- , "n": 1

- , "stream": false

-Customization performs better with high-quality examples and the more you have, generally the better the model will perform. We recommend that you provide at least a few hundred high-quality examples to achieve a model that will perform better than using well-designed prompts with a base model. From there, performance tends to linearly increase with every doubling of the number of examples. Increasing the number of examples is usually the best and most reliable way of improving performance.

-Fine-tuning can solve a variety of problems, and the optimal way to use it may depend on your specific use case. Below, we've listed the most common use cases for fine-tuning and corresponding guidelines.

-For this use case we fine-tuned an ada model since it will be faster and cheaper, and the performance will be comparable to larger models because it's a classification task.

-Let's say you'd like to categorize incoming email into one of a large number of predefined categories. For classification into a large number of categories, we recommend you convert those categories into numbers, which will work well up to ~500 categories. We've observed that adding a space before the number sometimes slightly helps the performance, due to tokenization. You may want to structure your training data as follows:

-{"prompt":"Subject: <email_subject>\nFrom:<customer_name>\nDate:<date>\nContent:<email_body>\n\n###\n\n", "completion":" <numerical_category>"}

-{"prompt":"Subject: Update my address\nFrom:Joe Doe\nTo:support@ourcompany.com\nDate:2021-06-03\nContent:Hi,\nI would like to update my billing address to match my delivery address.\n\nPlease let me know once done.\n\nThanks,\nJoe\n\n###\n\n", "completion":" 4"}

-{"prompt":"<Product Name>\n<Wikipedia description>\n\n###\n\n", "completion":" <engaging ad> END"}

-{"prompt":"Samsung Galaxy Feel\nThe Samsung Galaxy Feel is an Android smartphone developed by Samsung Electronics exclusively for the Japanese market. The phone was released in June 2017 and was sold by NTT Docomo. It runs on Android 7.0 (Nougat), has a 4.7 inch display, and a 3000 mAh battery.\nSoftware\nSamsung Galaxy Feel runs on Android 7.0 (Nougat), but can be later updated to Android 8.0 (Oreo).\nHardware\nSamsung Galaxy Feel has a 4.7 inch Super AMOLED HD display, 16 MP back facing and 5 MP front facing cameras. It has a 3000 mAh battery, a 1.6 GHz Octa-Core ARM Cortex-A53 CPU, and an ARM Mali-T830 MP1 700 MHz GPU. It comes with 32GB of internal storage, expandable to 256GB via microSD. Aside from its software and hardware specifications, Samsung also introduced a unique a hole in the phone's shell to accommodate the Japanese perceived penchant for personalizing their mobile phones. The Galaxy Feel's battery was also touted as a major selling point since the market favors handsets with longer battery life. The device is also waterproof and supports 1seg digital broadcasts using an antenna that is sold separately.\n\n###\n\n", "completion":"Looking for a smartphone that can do it all? Look no further than Samsung Galaxy Feel! With a slim and sleek design, our latest smartphone features high-quality picture and video capabilities, as well as an award winning battery life. END"}

-This is similar to a language transformation task. To improve the performance, it's best to either sort different extracted entities alphabetically or in the same order as they appear in the original text. This will help the model to keep track of all the entities which need to be generated in order. The dataset could look as follows:

-{"prompt":"<any text, for example news article>\n\n###\n\n", "completion":" <list of entities, separated by a newline> END"}

-{"prompt":"Portugal will be removed from the UK's green travel list from Tuesday, amid rising coronavirus cases and concern over a \"Nepal mutation of the so-called Indian variant\". It will join the amber list, meaning holidaymakers should not visit and returnees must isolate for 10 days...\n\n###\n\n", "completion":" Portugal\nUK\nNepal mutation\nIndian variant END"}

-A chatbot will normally contain relevant context about the conversation (order details), summary of the conversation so far as well as most recent messages. For this use case the same past conversation can generate multiple rows in the dataset, each time with a slightly different context, for every agent generation as a completion. This use case will require a few thousand examples, as it will likely deal with different types of requests, and customer issues. To ensure the performance is of high quality we recommend vetting the conversation samples to ensure the quality of agent messages. The summary can be generated with a separate text transformation fine tuned model. The dataset could look as follows:

-{"prompt":"Item=handbag, Color=army_green, price=$99, size=S->", "completion":" This stylish small green handbag will add a unique touch to your look, without costing you a

-fortune."}

-{"prompt":"Item is a handbag. Colour is army green. Price is midrange. Size is small.->", "completion":" This stylish small green handbag will add a unique touch to your look, without costing you a fortune."}

-Many companies will have a large amount of high quality content generated in a specific voice. Ideally all generations from our API should follow that voice for the different use cases. Here we can use the trick of leaving the prompt empty, and feeding in all the documents which are good examples of the company voice. A fine-tuned model can be used to solve a number of different use cases with similar prompts to the ones used for base models, but the outputs are going to follow the company voice much more closely than previously.

-Generative tasks have a potential to leak training data when requesting completions from the model, so additional care needs to be taken that this is addressed appropriately. For example personal or sensitive company information should be replaced by generic information or not be included into fine-tuning in the first place.

-| Requests per second per deployment | 20 requests per second for: text-davinci-003, text-davinci-002, text-davinci-fine-tune-002, code-cushman-002, code-davinci-002, code-davinci-fine-tune-002 <br ><br> 50 requests per second for all other text models.

- |

-| Max fine-tuned model deployments | 2 |

-| Max training job size (tokens in training file * # of epochs) | **Ada**: 40-M tokens <br> **Babbage**: 40-M tokens <br> **Curie**: 40-M tokens <br> **Cushman**: 40-M tokens <br> **Davinci**: 10-M |

-### Request an increase to a limit on transactions-per-second or number of fine-tuned models deployed

-The limit of concurrent requests defines how high the service can scale before it starts to throttle your requests.

-#### Have the required information ready

-

-How to get this information:

-1. Go to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

-1. Select the Azure OpenAI resource for which you would like to increase the request limit.

-1. From the **Resource Management** group, select **Properties**.

-1. Copy and save the values of the following fields:

- - **Resource ID**

- - **Location** (your endpoint region)

-1. From the **Resource Management** group, select **Deployments**.

- - Copy and save the name of the Deployment you're requesting a limit increase

-## Create and submit a support request

-Initiate the increase of the limit for concurrent requests for your resource, or if necessary check the current limit, by submitting a support request. Here's how:

-1. Ensure you have the required information listed in the previous section.

-1. Go to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

-1. Select the OpenAI service resource for which you would like to increase (or to check) the concurrency request limit.

-1. In the **Support + troubleshooting** group, select **New support request**. A new window will appear, with auto-populated information about your Azure subscription and Azure resource.

-1. In **Summary**, describe what you want (for example, "Increase OpenAI request limit").

-1. In **Problem type**, select **Quota or Subscription issues**.

-1. In **Problem subtype**, select **Increasing limits or access to specific functionality**

-1. Select **Next: Solutions**. Proceed further with the request creation.

-1. On the **Details** tab, in the **Description** field, enter the following:

- - Include details on which limit you're requesting an increase for.

- - The Azure resource information you [collected previously](#have-the-required-information-ready).

- - Any other required information.

-1. On the **Review + create** tab, select **Create**.

-1. Note the support request number in Azure portal notifications. You'll be contacted shortly about your request.

-"training_file": "file-XGinujblHPwGLSztz8cPS8XY" ,ΓÇï

-"hyperparams": { ΓÇï

- "batch_size": 4,ΓÇï

- "learning_rate_multiplier": 0.1,ΓÇï

- "n_epochs": 4,ΓÇï

- "prompt_loss_weight": 0.1, ΓÇï

- }ΓÇï

-"training_file": "file-XGinujblHPwGLSztz8cPS8XY" ,ΓÇï

-"batch_size": 4,ΓÇï

-ΓÇ£learning_rate_multiplier": 0.1,ΓÇï

-"n_epochs": 4,ΓÇï

-"prompt_loss_weight": 0.1, ΓÇï

-Azure AD user with [Teams administrator role](/azure/active-directory/roles/permissions-reference#teams-administrator) can run PowerShell cmdlet with MicrosoftTeams module to enable the Communication Services resource in the tenant. First, open the PowerShell and validate the existence of the Teams module with the following command:

-Microsoft will indicate to you via the Azure Communication Services API that recording or transcription has commenced. You must communicate this fact in real time to your users within your application's user interface. You agree to indemnify Microsoft for all costs and damages incurred due to your failure to comply with this obligation.

-Azure Active Directory provides a range of security features for Microsoft Teams to help handle common security threats and provide a secure collaboration environment. Azure AD helps to secure user authentication and authorization, allowing administrators to manage user access to Teams and other applications through a single, centralized platform. Azure AD also integrates with Teams to provide multi-factor authentication and conditional access policies, which can be used to enforce security policies and control access to sensitive information. The security framework for Azure Active Directory is based on the Microsoft Security Development Lifecycle (SDL), a comprehensive and standardized approach to software security that covers all stages of development. Azure AD undergoes regular security assessments and audits to ensure that the platform meets industry standards for security and privacy. Additionally, Azure AD integrates with other Azure security services, such as Azure Information Protection, to provide customers with a comprehensive security solution. You can learn here more about [Azure identity management security](/azure/security/fundamentals/identity-management-overview).

-Learn more about [throttle limits](/azure/communication-services/concepts/service-limits#chat).

-Try the [chat bot demo app](https://github.com/Azure/communication-preview/tree/master/samples/AzureBotService-Sample-App) for a 1:1 chat between a chat user and a bot via the BotFramework WebChat UI component.

-This article describes the monitoring data generated by Azure Communications Gateway. Azure Communications Gateway uses [Azure Monitor](/azure/azure-monitor/overview). If you're unfamiliar with the features of Azure Monitor common to all Azure services that use it, read [Monitoring Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource).

- For clarification on the different types of metrics available in Azure Monitor, see [Monitoring data from Azure resources](/azure/azure-monitor/essentials/monitor-azure-resource#monitoring-data-from-Azure-resources).

-1. Create a Key Vault. Follow the steps in [Create a Vault](/azure/key-vault/general/quick-create-portal).

-To configure MAPS, follow the instructions in [Azure Internet peering for Communications Services walkthrough](/azure/internet-peering/walkthrough-communications-services-partner).

-> [Prepare to deploy an Azure Communications Gateway resource](prepare-to-deploy.md)

-Azure Communications Gateway doesn't support [Customer Lockbox for Microsoft Azure](/azure/security/fundamentals/customer-lockbox-overview). However Microsoft engineers can only access data on a just-in-time basis, and only for diagnostic purposes.

-[acr-authentication]: /azure/container-registry/container-registry-authentication?tabs=azure-cli

-[az-acr-create]: /azure/container-registry/container-registry-get-started-azure-cli

-[azure-cli-install]: /cli/azure/install-azure-cli

-[acr-authentication]: /azure/container-registry/container-registry-authentication?tabs=azure-cli

-[az-acr-create]: /azure/container-registry/container-registry-get-started-azure-cli

-[azure-cli-install]: /cli/azure/install-azure-cli

-Follow the [Prerequisites](/azure/container-registry/container-registry-tutorial-quick-task#prerequisites) to build the source code context and then create a scheduled task with context.

-[azure-cli-install]: /cli/azure/install-azure-cli

-If the payment authorization is approved by the bank, it will immediately be reversed. You won't receive a notification. However, if the payment authorization is declined, you'll receive an email, text message, and Azure portal notification asking you to update your payment method before your account is disabled.

-Billing starts 14 days after a device is marked as **Shipped** and ends when you initiate return of your device.

-> Protecting a public IP resource attached to a Public Load Balancer is not supported for DDoS IP Proteciton SKU.

-|**Cacls** | Change access control list, Microsoft Windows native command-line utility often used for modifying the security permission on folders and files.| [access-control-lists](/windows/win32/secauthz/access-control-lists) |

-**Regulatory Compliance** | Regulatory compliance refers to the discipline and process of ensuring that a company follows the laws enforced by governing bodies in their geography or rules required | [Regulatory Compliance Overview](/azure/cloud-adoption-framework/govern/policy-compliance/regulatory-compliance) |

-To ensure your code is scanned for secrets, make sure you've [onboarded your repositories](/azure/defender-for-cloud/quickstart-onboard-devops?branch=main) to Defender for Cloud.

-In addition to onboarding resources, you must have the [Microsoft Security DevOps (MSDO) Azure DevOps extension](/azure/defender-for-cloud/azure-devops-extension?branch=main) configured for your pipelines. The extension runs secret scan along with other scanners.

-description: This article provides a reference of all alerts that are generated by Microsoft Defender for IoT network sensors.

-# Microsoft Defender for IoT alert types and descriptions

-This article provides a reference of the [alerts](how-to-manage-cloud-alerts.md) that are generated by Microsoft Defender for IoT network sensors. You might use this reference to [map alerts into playbooks](iot-advanced-threat-monitoring.md#automate-response-to-defender-for-iot-alerts), [define forwarding rules](how-to-forward-alert-information-to-partners.md) on an OT network sensor, or other custom activity.

- - To view settings that others have defined, sign in with a [Security Reader](../../role-based-access-control/built-in-roles.md#security-reader), [Security admin](/azure/role-based-access-control/built-in-roles#security-admin), [Contributor](/azure/role-based-access-control/built-in-roles#contributor), or [Owner](/azure/role-based-access-control/built-in-roles#owner) role for the subscription.

- - To define or update settings, sign in with [Security admin](/azure/role-based-access-control/built-in-roles#security-admin), [Contributor](/azure/role-based-access-control/built-in-roles#contributor), or [Owner](/azure/role-based-access-control/built-in-roles#owner) role.

-> [Manage OT sensors from the sensor console](how-to-manage-individual-sensors.md)

-For more information, see [Export troubleshooting logs](how-to-troubleshoot-the-sensor-and-on-premises-management-console.md)

-# Tutorial: Integrate ServiceNow with Microsoft Defender for IoT (legacy)

-[Playbooks](/azure/sentinel/tutorial-respond-threats-playbook) are collections of automated remediation actions that can be run from Microsoft Sentinel as a routine. A playbook can help automate and orchestrate your threat response; it can be run manually or set to run automatically in response to specific alerts or incidents, when triggered by an analytics rule or an automation rule, respectively.

-Start by enabling the [Defender for IoT data connector](/azure/sentinel/data-connectors-reference.md#microsoft-defender-for-iot) to stream all your Defender for IoT events into Microsoft Sentinel.

-> [Install the **Microsoft Defender for IoT** solution](iot-advanced-threat-monitoring.md)

-> If you're integrating with Microsoft Sentinel, make sure to manage your alert status only from the [incident](/azure/sentinel/investigate-incidents) in Microsoft Sentinel. Alerts statuses are not synchronized from Defender for IoT to Microsoft Sentinel.

-> [Enhance security posture with security recommendations](recommendations.md)

-# Tutorial: Integrate ClearPass with Microsoft Defender for IoT

-# Tutorial: Integrate CyberArk with Microsoft Defender for IoT

-# Tutorial: Integrate Forescout with Microsoft Defender for IoT

-# Tutorial: Integrate Fortinet with Microsoft Defender for IoT

-# Tutorial: Integrate Palo-Alto with Microsoft Defender for IoT

-# Tutorial: Integrate Splunk with Microsoft Defender for IoT

-The **Alerts** page in the Azure portal is now out for General Availability. Microsoft Defender for IoT alerts enhance your network security and operations with real-time details about events detected in your network. Alerts are triggered when OT or Enterprise IoT network sensors, or the [Defender for IoT micro agent](/azure/defender-for-iot/device-builders/), detect changes or suspicious activity in network traffic that need your attention.

-[Getting started with Defender for IoT](getting-started.md)

-1. Assign the following role. For detailed steps, see [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal).

-> [Create a dev box](./quickstart-create-dev-box.md)

-| West US 3 | | Central India |

- |azure-api.net | azure-api.us | azure-api.cn

-description: This article provides a walkthrough of creating a Java application that sends/receives events to/from Azure Event Hubs using the latest azure-messaging-eventhubs package.

-# Use Java to send events to or receive events from Azure Event Hubs (azure-messaging-eventhubs)

-First, create a new **Maven** project for a console/shell application in your favorite Java development environment. Update the `pom.xml` file with the following dependency. The Java client library for Event Hubs is available in the [Maven Central Repository](https://search.maven.org/search?q=a:azure-messaging-eventhubs).

-3. [Get the connection string to the storage account](../storage/common/storage-configure-connection-string.md)

- Note down the **connection string** and the **container name**. You'll use them in the receive code.

-[Azure Database for PostgreSQL](../postgresql/overview.md) is a relational database service based on the community version of open-source PostgreSQL database engine, and is available in two deployment options: Single Server and Hyperscale (Citus). [Follow these instructions](../postgresql/quickstart-create-server-database-portal.md) to create an Azure Database for PostgreSQL server using the Azure portal.

-* If you receive events with different partition IDs, this result is expected. Partitions are a data organization mechanism that relates to the downstream parallelism required in consuming applications. The number of partitions in an event hub directly relates to the number of concurrent readers you expect to have. For more information, see [Learn more about partitions](/azure/event-hubs/event-hubs-features#partitions).

-For all the samples (both synchronous and asynchronous) on GitHub, go to [Azure Event Hubs client library for Python samples](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/eventhub/azure-eventhub/samples).

-| Added to inventory | The date than an asset was added to inventory, whether automatically to the ΓÇ£Approved InventoryΓÇ¥ state or in another state (e.g. ΓÇ£CandidateΓÇ¥). | All |

-| Last updated | The date that the asset was last updated, whether by new data discovered in a scan or manual user actions (e.g. a state change). | All |

-> In addition, Azure Virtual Network NAT integration is not currently supported in secured virtual hub network architectures. You must deploy using a hub virtual network architecture. For detailed guidance on integrating NAT gateway with Azure Firewall in a hub and spoke network architecture refer to the [NAT gateway and Azure Firewall integration tutorial](/azure/virtual-network/nat-gateway/tutorial-hub-spoke-nat-firewall). For more information about Azure Firewall architecture options, see [What are the Azure Firewall Manager architecture options?](../firewall-manager/vhubs-and-vnets.md).

-For more information about endpoints in Front Door, please read [Endpoints in Azure Front Door](/azure/frontdoor/endpoint).

-For more information about origins, origin groups and health probes, please read [Origins and origin groups in Azure Front Door](/azure/frontdoor/origin)

-To learn more about routes in Azure Front Door, please read [Traffic routing methods to origin](/azure/frontdoor/routing-methods).

-To learn more about WAF policy settings for Front Door, please read [Policy settings for Web Application Firewall on Azure Front Door](/azure/web-application-firewall/afds/waf-front-door-policy-settings).

-To learn more about managed rules in Front Door, please read [Web Application Firewall DRS rule groups and rules](/azure/web-application-firewall/afds/waf-front-door-drs).

-> [Add a custom domain](standard-premium/how-to-add-custom-domain.md)

-> To learn how to save a custom query in Log Analytics, see [Save a query in Azure Monitor Log Analytics](/azure/azure-monitor/logs/save-query)

-> To learn how to save a query in Log Analytics, see [Save a query in Azure Monitor Log Analytics](/azure/azure-monitor/logs/save-query)

-> [Frequently asked questions about the MedTech service](frequently-asked-questions.md)

-The device message event hub uses the MedTech service's [system-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types) and [Azure resource-based access control (Azure RBAC)](/azure/role-based-access-control/overview) for secure access to the device message event hub.

-The FHIR service uses the MedTech service's [system-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types) and [Azure resource-based access control (Azure RBAC)](/azure/role-based-access-control/overview) for secure access to the FHIR service.

-FHIR&#174; is a registered trademark of Health Level Seven International, registered in the U.S. Trademark Office and is used with their permission.

-If the command succeeds, you see output that looks like the following:

-For highly available device connectivity, an IoT Central application always have at least two IoT hubs. For exceptions to to this rule, see [Limitations](#limitations). The number of hubs can grow or shrink as IoT Central scales the application in response to changes in the load profile.

- :::image type="content" source="media/howto-manage-devices-individually/device-list.png" alt-text="Screenshot showing the device list." lightbox="media/howto-manage-devices-individually/device-list.png":::

-1. If the device status is **Waiting for Approval**, it means the **Auto approve** option is disabled. An operator must explicitly approve a device before it starts sending data. Devices not registered manually on the **Devices** page, but connected with valid credentials will have the device status **Waiting for Approval**. Operators can approve these devices from the **Devices** page using the **Approve** button.

-description: Azure IoT Central is an IoT application platform that simplifies the creation of IoT solutions. This guide describes how IoT devices connect to your IoT Central application. After a device connects, it uses telemetry to send streaming data and properties to report device state. Iot Central can set device state using writable properties and call commands on a device.

-description: This tutorial shows you how to deploy and use the continuous patient monitoring application template for IoT Central.

-# Tutorial: Deploy and walkthrough the continuous patient monitoring application template

-In the healthcare IoT space, continuous patient monitoring is one of the key enablers of reducing the risk of readmissions, managing chronic diseases more effectively, and improving patient outcomes. Continuous patient monitoring can be split into two major categories:

-1. **In-patient monitoring**: Using medical wearables and other devices in the hospital, care teams can monitor patient vital signs and medical conditions without having to send a nurse to check up on a patient multiple times a day. Care teams can understand the moment that a patient needs critical attention through notifications and prioritizes their time effectively.

-1. **Remote patient monitoring**: By using medical wearables and patient reported outcomes (PROs) to monitor patients outside of the hospital, the risk of readmission can be lowered. Data from chronic disease patients and rehabilitation patients can be collected to ensure that patients are adhering to care plans and that alerts of patient deterioration can be surfaced to care teams before they become critical.

-Many medical wearables used in healthcare IoT solutions are BLE devices. These devices can't communicate directly to the cloud and need to use a gateway to exchange data with your cloud solution. This architecture uses a mobile phone application as the gateway.

-The mobile phone application's primary function is to collect BLE data from medical devices and communicate it to IoT Central. The app also guides patients through device setup and lets them view their personal health data. Other solutions could use a tablet gateway or a static gateway in a hospital room. An open-source sample mobile application is available for Android and iOS to use as a starting point for your application development. To learn more, see the [Continuous patient monitoring sample mobile app on GitHub](https://github.com/iot-for-all/iotc-cpm-sample).

-Azure IoT Central is HIPAA-compliant and HITRUST&reg; certified. You can also send patient health data to other services using the [Azure API for FHIR](../../healthcare-apis/fhir/overview.md). Azure API for FHIR is a standards-based API for clinical health data. The [Azure IoT connector for FHIR](../../healthcare-apis/fhir/iot-fhir-portal-quickstart.md) lets you use the Azure API for FHIR as a continuous data export destination from IoT Central.

-Use the Azure API for FHIR data to build a patient insights dashboard or integrate it directly into an electronic medical record used by care teams. Care teams can use the dashboard to assist patients and identify early warning signs of deterioration. To learn more, see the [Build a Power BI provider dashboard](tutorial-health-data-triage.md) tutorial.

-After deploying the application template, you'll first land on the **Lamna in-patient monitoring dashboard**. Lamna Healthcare is a fictitious hospital system that contains two hospitals: Woodgrove Hospital and Burkville Hospital. On the Woodgrove Hospital operator dashboard, you can:

-You can also select **Go to remote patient dashboard** to see the Burkville Hospital operator dashboard. This dashboard contains a similar set of actions, telemetry, and information. You can also see multiple devices in use and choose to **update the firmware** on each.

-If you select **Device templates**, you see the two device types in the template:

-If you select the device groups tab, you see a default device group for each device template in the application. There are also created two additional sample device groups called **Provision devices** and **Devices with outdated firmware**. You can use these sample device groups as inputs to run some of the [Jobs](#jobs) in the application.

-If you select **Rules**, you see the three rules in the template:

-Jobs let you run bulk operations on a set of devices, using [device groups](#device-groups) as the input. The application template has two sample jobs that an operator can run:

-* **Re-provision devices**: You have a set of devices that have recently been returned to the hospital. This job finds devices in the device group **Provision devices** and runs a command to re-provision them for the next set of patients.

-Select the **Devices** tab and then select an instance of the **Smart Knee Brace**. There are three views to explore information about the particular device that you've selected. These views are created and published when you build the device template for your device. therefore, these views are consistent across all the devices that you connect or simulate.

-Advance to the next article to learn how to create a provider dashboard that connects to your IoT Central application.

-> [Build a provider dashboard](tutorial-health-data-triage.md)

-description: Tutorial - Learn to build a health data triage dashboard using Azure IoT Central application templates.

-# Tutorial: Build a Power BI provider dashboard

-When building your continuous patient monitoring solution, you can also create a dashboard for a hospital care team to visualize patient data. In this tutorial, you will learn how to create a Power BI real-time streaming dashboard from your IoT Central continuous patient monitoring application template.

-The basic architecture will follow this structure:

-In this tutorial, you learn how to:

-## Prerequisites

-* An Azure subscription. If you don't have an Azure subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/).

-* An Azure IoT Central continuous patient monitoring application template. If you don't have one already, you can follow steps to [Deploy an application template](overview-iot-central-healthcare.md).

-* An Azure [Event Hubs namespace and Event Hub](../../event-hubs/event-hubs-create.md).

-* The Logic App that you want to access your Event Hub. To start your Logic App with an Azure Event Hubs trigger, you need a [blank Logic App](../../logic-apps/quickstart-create-first-logic-app-workflow.md).

-* A Power BI service account. If you don't have one already, you can [create a free trial account for Power BI service](https://app.powerbi.com/). If you haven't used Power BI before, it might be helpful to go through [Get started with Power BI](/power-bi/service-get-started).

-## Set up a continuous data export to Azure Event Hubs

-You will first need to set up a continuous data export from your Azure IoT Central application template to the Azure Event Hub in your subscription. You can do so by following the steps in this Azure IoT Central tutorial for [Exporting to Event Hubs](../core/howto-export-data.md). You will only need to export for the telemetry for the purposes of this tutorial.

-## Create a Power BI streaming dataset

-1. Sign in to your Power BI account.

-1. In your preferred Workspace, create a new streaming dataset by selecting the **+ Create** button in the upper-right corner of the toolbar. You will need to create a separate dataset for each patient that you would like to have on your dashboard.

- :::image type="content" source="media/create-streaming-dataset.png" alt-text="Create streaming dataset":::

-1. Choose **API** for the source of your dataset.

-1. Enter a **name** (for example, a patient's name) for your dataset and then fill out the values from your stream. You can see an example below based on values coming from the simulated devices in the continuous patient monitoring application template. The example has two patients:

- * Teddy Silvers, who has data from the Smart Knee Brace.

- * Yesenia Sanford, who has data from the Smart Vitals Patch.

- :::image type="content" source="media/enter-dataset-values.png" alt-text="Enter dataset values":::

-To learn more about streaming datasets in Power BI, you can read this document on [real-time streaming in Power BI](/power-bi/service-real-time-streaming).

-## Connect your Logic App to Azure Event Hubs

-To connect your Logic App to Azure Event Hubs, you can follow the instructions outlined in this document on [Sending events with Azure Event Hubs and Azure Logic Apps](../../connectors/connectors-create-api-azure-event-hubs.md#add-event-hubs-action). Here are some suggested parameters:

-|Parameter|Value|

-|||

-|Content type|application/json|

-|Interval|3|

-|Frequency|Second|

-At the end of this step, your Logic App Designer should look like this:

->[!div class="mx-imgBorder"]

->

-## Stream data to Power BI from your Logic App

-The next step will be to parse the data coming from your Event Hub to stream it into the Power BI datasets that you have previously created.

-Before you can do this, you will need to understand the JSON payload that is being sent from your device to your Event Hub. You can do so by looking at this [sample schema](../core/howto-export-data.md#telemetry-format) and modifying it to match your schema or using [Service Bus explorer](https://github.com/paolosalvatori/ServiceBusExplorer) to inspect the messages. If you are using the continuous patient monitoring applications, your messages will look like this:

-**Smart Vitals Patch telemetry**

-```json

-{

- "HeartRate": 80,

- "RespiratoryRate": 12,

- "HeartRateVariability": 64,

- "BodyTemperature": 99.08839032397609,

- "BloodPressure": {

- "Systolic": 23,

- "Diastolic": 34

- },

- "Activity": "walking"

-}

-```

-**Smart Knee Brace telemetry**

-```json

-{

- "Acceleration": {

- "x": 72.73510947763711,

- "y": 72.73510947763711,

- "z": 72.73510947763711

- },

- "RangeOfMotion": 123,

- "KneeBend": 3

-}

-```

-**Properties**

-```json

-{

- "iothub-connection-device-id": "1qsi9p8t5l2",

- "iothub-connection-auth-method": "{\"scope\":\"device\",\"type\":\"sas\", \"issuer\":\"iothub\",\"acceptingIpFilterRule\":null}",

- "iothub-connection-auth-generation-id": "637063718586331040",

- "iothub-enqueuedtime": 1571681440990,

- "iothub-message-source": "Telemetry",

- "iothub-interface-name": "Patient_health_data_3bk",

- "x-opt-sequence-number": 7,

- "x-opt-offset": "3672",

- "x-opt-enqueued-time": 1571681441317

-}

-```

-1. Now that you have inspected your JSON payloads, go back to your Logic App Designer and select **+ New Step**. Search and add **Initialize variable** as your next step and enter the following parameters:

- |Parameter|Value|

- |||

- |Name|Interface Name|

- |Type|String|

- Select **Save**.

-1. Add another variable called **Body** with Type as **String**. Your Logic App will have these actions added:

- :::image type="content" source="media/initialize-string-variables.png" alt-text="Initialize variables":::

-

-1. Select **+ New Step** and add a **Parse JSON** action. Rename this to **Parse Properties**. For the Content, choose **Properties** coming from the Event Hub. Select **Use sample payload to generate schema** at the bottom, and paste the sample payload from the Properties section above.

-1. Next, choose the **Set variable** action and update your **Interface Name** variable with the **iothub-interface-name** from the parsed JSON properties.

-1. Add a **Split** Control as your next action and choose the **Interface Name** variable as the On parameter. You will use this to funnel the data to the correct dataset.

-1. In your Azure IoT Central application, find the Interface Name for the Smart Vitals Patch health data and the Smart Knee Brace health data from the **Device Templates** view. Create two different cases for the **Switch** Control for each Interface Name and rename the control appropriately. You can set the Default case to use the **Terminate** Control and choose what status you would like to show.

- :::image type="content" source="media/split-by-interface.png" alt-text="Split control":::

-1. For the **Smart Vitals Patch** case, add a **Parse JSON** action. For the Content, choose **Content** coming from the Event Hub. Copy and paste the sample payloads for the Smart Vitals Patch above to generate the schema.

-1. Add a **Set variable** action and update the **Body** variable with the **Body** from the parsed JSON in Step 7.

-1. Add a **Condition** Control as your next action and set the condition to **Body**, **contains**, **HeartRate**. This will make sure that you have the right set of data coming from the Smart Vitals Patch before populating the Power BI dataset. Steps 7-9 will look like this:

- :::image type="content" source="media/smart-vitals-pbi.png" alt-text="Smart Vitals add condition":::

-1. For the **True** case of the Condition, add an action that calls the **Add rows to a dataset** Power BI functionality. You will have to sign into Power BI for this. Your **False** case can again use the **Terminate** control.

-1. Choose the appropriate **Workspace**, **Dataset**, and **Table**. Select **Add new parameter** > **Payload**. Map the parameters that you specified when creating your streaming dataset in Power BI to the parsed JSON values that are coming from your Event Hub. Then, enter valid JSON contents into the Payload field. Your filled-out actions should look like this:

- 

-1. For the **Smart Knee Brace** switch case, add a **Parse JSON** action to parse the content, similar to Step 7. Then **Add rows to a dataset** to update your Teddy Silvers dataset in Power BI.

- :::image type="content" source="media/knee-brace-pbi.png" alt-text="Screenshot that shows how to add rows to a datasets":::

-1. Press **Save** and then run your Logic App.

-## Build a real-time dashboard for patient vitals

-Now go back to Power BI and select **+ Create** to create a new **Dashboard**. Give your dashboard a name and hit **Create**.

-Select the three dots in the top navigation bar and then select **+ Add tile**.

-Choose the type of tile you would like to add and customize your app however you'd like.

-## Clean up resources

-If you're not going to continue to use this application, delete your resources with the following steps:

-1. From the Azure portal, you can delete the Event Hub and Logic Apps resources that you created.

-1. For your IoT Central application, go to the **Application > Management** tab and select **Delete**.

-# Tutorial: Deploy and walk through the micro-fulfillment center application template

-The IoT Central _micro-fulfillment center_ application template enables you to monitor and manage all aspects of your fully automated fulfillment centers. The template includes a set of simulated condition monitoring sensors and robotic carriers to accelerate the solution development process. These sensor devices capture meaningful signals that can be converted into business insights allowing retailers to reduce their operating costs and create experiences for their customers.

-A micro-fulfillment center solution will likely have a large set of robotic carriers generating different kinds of telemetry signals. These signals can be ingested by a gateway device, aggregated, and then sent to IoT Central as reflected by the left side of the architecture diagram.

-An IoT solution starts with a set of sensors capturing meaningful signals from within your fulfillment center. It's reflected by different kinds of sensors on the far left of the architecture diagram above.

-Azure IoT Central also provides a tailored experience to the store operator enabling them to remotely monitor and manage the infrastructure devices.

-The Azure IoT Central application within a solution can be configured to export raw or aggregated insights to a set of Azure PaaS (Platform-as-a-Service) services that can perform data manipulation and enrich these insights before landing them in a business application.

-After successfully deploying the application template, you see the **Northwind Traders micro-fulfillment center dashboard**. Northwind Traders is a fictitious retailer that has a micro-fulfillment center being managed in this Azure IoT Central application. On this dashboard, you see information and telemetry about the devices in this template, along with a set of commands, jobs, and actions that you can take. The dashboard is logically split into two sections. On the left, you can monitor the environmental conditions within the fulfillment structure, and on the right, you can monitor the health of a robotic carrier within the facility.

-* See device telemetry, such as the number of picks, the number of orders processed, and properties, such as the structure system status.

-* **Robotic Carrier**: This device template represents the definition for a functioning robotic carrier that has been deployed in the fulfillment structure, and is performing appropriate storage and retrieval operations. If you select the template, you see that the robot is sending device data, such as temperature and axis position, and properties like the robotic carrier status.

-* **Structure Condition Monitoring**: This device template represents a device collection that allows you to monitor environment condition, as well as the gateway device hosting various edge workloads to power your fulfillment center. The device sends telemetry data, such as the temperature, the number of picks, and the number of orders. It also sends information about the state and health of the compute workloads running in your environment.

-* For 500-series server errors, retry your [connection](/azure/iot-dps/concepts-deploy-at-scale#iot-hub-connectivity-considerations) using cached credentials or a [Device Registration Status Lookup API](/rest/api/iot-dps/device/runtime-registration/device-registration-status-lookup#deviceregistrationresult) call.

-For related best practices, such as retrying operations, see [Best practices for large-scale IoT device deployments](/azure/iot-dps/concepts-deploy-at-scale).

-To learn more, see the [STRIDE model](/azure/security/develop/threat-modeling-tool-threats#stride-model).

-Read about IoT Hub security in [Control access to IoT Hub](../iot-hub/iot-hub-devguide-security.md) in the IoT Hub developer guide.

-Get more details about [How to choose the right IoT Hub tier](iot-hub-scaling.md).

-If you are creating or running an application which runs on Azure Key Vault, [Azure Monitor Application Insights](../../azure-monitor/overview.md#application-insights) may offer additional types of alerts.

-> When assigning roles, be sure to review the [actions](../../role-based-access-control/role-definitions.md) specified for each role. In some cases, even though roles with [`DataActions`](../../role-based-access-control/role-definitions.md#dataactions) permission are not supported, the actions included in a role may allow access to data, where data is exposed through access keys and not accessed via the user's identity. For example, the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles) role includes the `Microsoft.Storage/storageAccounts/listKeys/action` action, which returns storage account access keys that could be used to retrieve certain customer data.

-12. Select the **Review + create** tab select **Review + create**.

-If you're creating or running an application, which run on Load Balancer [Azure Monitor Application Insights](../azure-monitor/overview.md#application-insights) may offer other types of alerts.

- In Azure, [availability zones](../reliability/availability-zones-overview.md#availability-zones) provide resiliency, distributed availability, and active-active-active zone scalability. To increase availability for your logic app workloads, you can [enable availability zone support](/azure/logic-apps/set-up-zone-redundancy-availability-zones), but only when you create your logic app. You'll need at least three separate availability zones in any Azure region that supports and enables zone redundancy. The Azure Logic Apps platform distributes these zones and logic app workloads across these zones. This capability is a key requirement for enabling resilient architectures and providing high availability if datacenter failures happen in a region. For more information, see [Build solutions for high availability using availability zones](/azure/architecture/high-availability/building-solutions-for-high-availability).

-> [Migration approaches for BizTalk Server to Azure Integration Services](biztalk-server-azure-integration-services-migration-approaches.md)

- > Azure service tags are only supported by some Azure services. For a list of service tags supported with network security groups and Azure Firewall, see the [Virtual network service tags](/azure/virtual-network/service-tags-overview) article.

-> A network security group (NSG) is created by default for this traffic. For more information, see [Default security rules](/azure/virtual-network/network-security-groups-overview#inbound).

- > * __Azure Virtual Network NAT with a public IP__: For more information on using Virtual Network Nat, see the [Virtual Network NAT](/azure/virtual-network/nat-gateway/nat-overview) documentation.

-| Scenario | Inference HTTP Server | Local endpoint |

-Here we describe logs of the AzureML Inference HTTP Server. You can get the log when you run the `azureml-inference-server-http` locally, or [get container logs](how-to-troubleshoot-online-endpoints.md#get-container-logs) if you're using online endpoints.

-> [Azure AD Conditional Access](/azure/active-directory/conditional-access/overview) is __not__ supported with Azure Machine Learning.

-Learn how to engage a data labeling vendor company to help you label your data. You can learn more about these companies and the labeling services they provide in their listing pages in [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/consulting-services?page=1&search=AzureMLVend).

-Once the contract with the vendor labeling company is in place:

-1. Create the labeling project in [Azure Machine Learning studio](https://ml.azure.com). For more details on creating a project, see how to create an [image labeling project](how-to-create-image-labeling-projects.md) or [text labeling project](how-to-create-text-labeling-projects.md).

-1. You're not limited to using a data labeling provider from Azure Marketplace. But if you do use a provider from Azure Marketplace:

- > The vendor labeling company name cannot be changed after you create the labeling project.

-1. For any provider, whether found through Azure Marketplace or elsewhere, enable access (`labeler` role, `techlead` role) to the vendor labeling company using Azure Role Based Access (RBAC). These roles will allow the company to access resources to annotate your data.

-Microsoft has identified some labeling service providers with knowledge and experience who may be able to meet your needs. You can learn about the labeling service providers and choose a provider, taking into account the needs and requirements of your project(s) in their listing pages in [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/consulting-services?page=1&search=AzureMLVend).

-> You can learn more about these companies and the labeling services they provide in their listing pages in Azure Marketplace. You are responsible for any decision to use a labeling company that offers services through Azure Marketplace, and you should independently assess whether a labeling company and its experience, services, staffing, terms, etc. will meet your project requirements. You may contact a labeling company that offers services through Azure Marketplace using the **Contact me** option in Azure Marketplace, and you can expect to hear from a contacted company within three business days. You will contract with and make payment to the labeling company directly.

-* If a provider is removed, it won't affect any existing projects, or that company's access to those projects.

-## Enter into a contract

-After you have selected the labeling company you want to work with, you need to enter into a contract directly with the labeling company setting forth the terms of your engagement. Microsoft is not a party to this agreement and plays no role in determining or negotiating its terms. Amounts payable under this agreement will be paid directly to the labeling company.

-If you enable ML Assisted labeling in a labeling project, Microsoft will charge you separately for the compute resources consumed in connection with this service. All other charges associated with your use of Azure Machine Learning (such as storage of data used in your Azure Machine Learning workspace) are governed by the terms of your agreement with Microsoft.

-In order for the vendor labeling company to have access into your projects, you'll next [add them as labelers to your project](how-to-add-users.md). If you are planning to use multiple vendor labeling companies for different labeling projects, we recommend you create separate workspaces for each company.

-> You, and not Microsoft, are responsible for all aspects of your engagement with a labeling company, including but not limited to issues relating to scope, quality, schedule, and pricing.

- - [Azure's outbound connectivity methods](/azure/load-balancer/load-balancer-outbound-connections#scenarios).

- For more information on service tags that can be used with Azure Firewall, see the [Virtual network service tags](/azure/virtual-network/service-tags-overview) article.

-* [Use a firewall](how-to-access-azureml-behind-firewall.md)

-> [Azure AD Conditional Access](/azure/active-directory/conditional-access/overview) is __not__ supported with Azure Machine Learning.

-Data access error codes are hierarchical. Error codes are delimited by the full stop character `.` and are more specific the more segments there are.

-The database or server defined in the datastore couldn't be found or no longer exists. Check if the database still exists in Azure portal or linked to from the Azure Machine Learning studio datastore details page. If it doesn't exist, recreating it with the same name will enable the existing datastore to be used. If a new server name or database is used, the datastore will have to be deleted, and recreated to use the new name.

-The authentication failed while trying to connect to the database. The authentication method is stored inside the datastore and supports SQL authentication, service principal, or no stored credential (identity based access). Enabling workspace MSI makes the authentication use the workspace MSI when previewing data in Azure Machine Learning studio. A SQL server user needs to be created for the service principal and workspace MSI (if applicable) and granted classic database permissions. More info can be found [here](/azure/azure-sql/database/authentication-aad-service-principal-tutorial#create-the-service-principal-user-in-azure-sql-database).

- - The server under the subscription and resource group couldn't be found. Check that the subscription ID and resource group defined in the datastore matches that of the server and update the values if needed.

- > Use the subscription ID and resource group of the server and not of the workspace. If the datastore is cross subscription or cross resource group server, these will be different.

- - The identity doesn't have permission to read firewall settings of the target server. Contact your data admin to the Reader role to the workspace MSI.

-The executed SQL query took too long and timed out. The timeout can be specified at time of data asset creation. If a new timeout is needed, a new asset must be created, or a new version of the current asset must be created. In Azure Machine Learning studio SQL preview, there will have a fixed query timeout, but the defined value will always be honored for jobs.

-The authentication failed while trying to connect to the storage account. The authentication method is stored inside the datastore and depending on the datastore type, can support account key, SAS token, service principal or no stored credential (identity based access). Enabling workspace MSI makes the authentication use the workspace MSI when previewing data in Azure Machine Learning studio.

- - The target storage account is using a virtual network but the logged in session isn't connecting to the workspace via a private endpoint. Add a private endpoint to the workspace and ensure that the virtual network or subnet of the private endpoint is allowed by the storage virtual network settings. Add the logged in session's public IP to the storage firewall allowlist.

- - The target storage account's firewall settings don't permit this data access. Check that your logged in session is within compatible network settings with the storage account. If Workspace MSI is used, check that it has Reader access to the storage account and to the private endpoints associated with the storage account.

- - The storage account under the subscription and resource group couldn't be found. Check that the subscription ID and resource group defined in the datastore matches that of the storage account and update the values if needed.

- > Use the subscription ID and resource group of the server and not of the workspace. If the datastore is cross subscription or cross resource group server, these will be different.

-The specified file or folder path doesn't exist. Check that the provided path exists in Azure portal or if using a datastore, that the right datastore is used (including the datastore's account and container). If the storage account is an HNS enabled Blob storage, otherwise known as ADLS Gen2, or an `abfs[s]` URI, that storage ACLs may restrict particular folders or paths. This error will appear as a "NotFound" error instead of an "Authentication" error.

-* URIs (`uri_folder`, `uri_file`) - a Uniform Resource Identifier that is a reference to a storage location on your local computer or in the cloud that makes it easy to access data in your jobs.

-* MLTable - a method to abstract the schema definition for tabular data so that it's easier for consumers of the data to materialize the table into a Pandas/Dask/Spark dataframe.

-This article gives a comparison of data scenario(s) in SDK v1 and SDK v2.

- For more information on Azure RBAC with networking, see the [Networking built-in roles](/azure/role-based-access-control/built-in-roles.md#networking)

- * If your workspace associated resources, such as storage, are in a different virtual network than the cluster, set up global virtual network peering between the networks. For more information, see [Virtual network peering](/azure/virtual-network/virtual-network-peering-overview).

- - [Azure's outbound connectivity methods](/azure/load-balancer/load-balancer-outbound-connections#scenarios).

- > To learn how the NSGs filter your network traffic, see [How network security groups filter network traffic](/azure/virtual-network/network-security-group-how-it-works).

- > These resources are limited by the subscription's [resource quotas](/azure/azure-resource-manager/management/azure-subscription-service-limits). If the virtual network resource group is locked then deletion of compute cluster/instance will fail. Load balancer cannot be deleted until the compute cluster/instance is deleted. Also please ensure there is no Azure Policy assignment which prohibits creation of network security groups.

-> [Azure AD Conditional Access](/azure/active-directory/conditional-access/overview) is __not__ supported with Azure Machine Learning.

-> Offers will be billed to customers in the customersΓÇÖ agreement currency, using the local market price that was published at the time the offer was created. The amount that customers pay, and that ISVs are paid, depends on the Foreign Exchange rates at the time the customer transacts the offer. Learn more on ["How we convert currency?"](/azure/marketplace/marketplace-geo-availability-currencies#how-we-convert-currency).

-> Offers will be billed to customers in the customersΓÇÖ agreement currency, using the local market price that was published at the time the offer was created. The amount that customers pay, and that ISVs are paid, depends on the Foreign Exchange rates at the time the customer transacts the offer. Learn more on ["How we convert currency?"](/azure/marketplace/marketplace-geo-availability-currencies).

- > Customers can find their billing account ID in 2 ways. 1) In the [Azure portal](https://aka.ms/PrivateOfferAzurePortal) under **Cost Management + Billing** > **Properties** > **ID**. A user in the customer organization should have access to the billing account to see the ID in Azure Portal. 2) If the customer knows the subscription they plan to use for the purchase, click on **Subscriptions**, click on the relevant subscription > **Properties** (or Billing Properties) > **Billing Account ID**. See [Billing account scopes in the Azure portal](/azure/cost-management-billing/manage/view-all-accounts).

-**vCenter Server permissions** | A read-only account for vCenter Server.

-### Build your WordPress docker image

-Download the [latest WordPress](https://wordpress.org/download/) version. Create new directory ```my-wordpress-app``` for your project and use this simple folder structure

-```wordpress

-ΓööΓöÇΓöÇΓöÇmy-wordpress-app

- ΓööΓöÇΓöÇΓöÇpublic

- Γö£ΓöÇΓöÇΓöÇwp-admin

- Γöé Γö£ΓöÇΓöÇΓöÇcss

- . . . . . . .

- Γö£ΓöÇΓöÇΓöÇwp-content

- Γöé Γö£ΓöÇΓöÇΓöÇplugins

- . . . . . . .

- ΓööΓöÇΓöÇΓöÇwp-includes

- . . . . . . .

- Γö£ΓöÇΓöÇΓöÇwp-config-sample.php

- Γö£ΓöÇΓöÇΓöÇindex.php

- . . . . . . .

- ΓööΓöÇΓöÇΓöÇ Dockerfile

-```

-Rename ```wp-config-sample.php``` to ```wp-config.php``` and replace lines from beginingin of ```// ** MySQL settings - You can get this info from your web host ** //``` until the line ```define( 'DB_COLLATE', '' );``` with the code snippet below. The code below is reading the database host, username and password from the Kubernetes manifest file.

-```php

-//Using environment variables for DB connection information

-// ** MySQL settings - You can get this info from your web host ** //

-/** The name of the database for WordPress */

-$connectstr_dbhost = getenv('DATABASE_HOST');

-$connectstr_dbusername = getenv('DATABASE_USERNAME');

-$connectstr_dbpassword = getenv('DATABASE_PASSWORD');

-$connectst_dbname = getenv('DATABASE_NAME');

-/** MySQL database name */

-define('DB_NAME', $connectst_dbname);

-/** MySQL database username */

-define('DB_USER', $connectstr_dbusername);

-/** MySQL database password */

-define('DB_PASSWORD',$connectstr_dbpassword);

-/** MySQL hostname */

-define('DB_HOST', $connectstr_dbhost);

-/** Database Charset to use in creating database tables. */

-define('DB_CHARSET', 'utf8');

-/** The Database Collate type. Don't change this if in doubt. */

-define('DB_COLLATE', '');

-/** SSL*/

-define('MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL);

-```

-### Create a Dockerfile

-Create a new Dockerfile and copy this code snippet. This Dockerfile in setting up Apache web server with PHP and enabling mysqli extension.

-```docker

-FROM php:7.2-apache

-COPY public/ /var/www/html/

-RUN docker-php-ext-install mysqli

-RUN docker-php-ext-enable mysqli

-```

-### Build your docker image

-Make sure you're in the directory ```my-wordpress-app``` in a terminal using the ```cd``` command. Run the following command to build the image:

-``` bash

-docker build --tag myblog:latest .

-```

-Deploy your image to [Docker hub](https://docs.docker.com/get-started/part3/#create-a-docker-hub-repository-and-push-your-image) or [Azure Container registry](../../container-registry/container-registry-get-started-azure-cli.md).

-> - Replace ```[DOCKER-HUB-USER/ACR ACCOUNT]/[YOUR-IMAGE-NAME]:[TAG]``` with your actual WordPress docker image name and tag, for example ```docker-hub-user/myblog:latest```.

- name: wordpress-blog

- app: wordpress-blog

- app: wordpress-blog

- - name: wordpress-blog

- image: [DOCKER-HUB-USER-OR-ACR-ACCOUNT]/[YOUR-IMAGE-NAME]:[TAG]

- - name: DATABASE_HOST

- value: "SERVERNAME.mysql.database.azure.com" #Update here

- - name: DATABASE_USERNAME

- value: "YOUR-DATABASE-USERNAME" #Update here

- - name: DATABASE_PASSWORD

- value: "YOUR-DATABASE-PASSWORD" #Update here

- - name: DATABASE_NAME

- value: "flexibleserverdb"

- - wordpress-blog

- name: php-svc

- app: wordpress-blog

- Use a different subscription. Or, check if your EA subscription is enabled for Marketplace purchase. For more information, see [Enable Marketplace purchases](/azure/cost-management-billing/manage/ea-azure-marketplace#enabling-azure-marketplace-purchases). If those options don't solve the problem, contact [Datadog support](https://www.datadoghq.com/support).

- - **Send Azure Active Directory logs** ΓÇô Azure Active Directory logs allow you to route the audit, sign-in, and provisioning logs to Dynatrace. The details are listed in [Azure AD activity logs in Azure Monitor](/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor). The global administrator or security administrator for your Azure Active Directory (AAD) tenant can enable AAD logs.

-1. To send Azure resource logs to Dynatrace, select **Send Azure resource logs for all defined resources**. The types of Azure resource logs are listed in [Azure Monitor Resource Log categories](/azure/azure-monitor/essentials/resource-logs-categories).

- | **Resource group** |Specify whether you want to create a new resource group or use an existing one. A [resource group](/azure/azure-resource-manager/management/overview) is a container that holds related resources for an Azure solution.|

- These logs provide insight into the operations on your resources at the [control plane](/azure/azure-resource-manager/management/control-plane-and-data-plane). These logs also include updates on service-health events.

-1. To send Azure resource logs to New Relic, select **Azure resource logs** for all supported resource types. The types of Azure resource logs are listed in [Azure Monitor Resource Log categories](/azure/azure-monitor/essentials/resource-logs-categories).

- These logs provide insight into operations that were taken on an Azure resource at the [data plane](/azure/azure-resource-manager/management/control-plane-and-data-plane). For example, getting a secret from a key vault is a data plane operation. Making a request to a database is also a data plane operation. The content of resource logs varies by the Azure service and resource type.

-To set up New Relic on Azure, you must have owner access on the Azure subscription. [Confirm that you have the appropriate access](/azure/role-based-access-control/check-access) before you start the setup.

-A purchase can fail because a valid credit card isn't connected to the Azure subscription, or because a payment method isn't associated with the subscription. To solve this problem, use a different Azure subscription. Or, add or update the credit card or payment method for the subscription. For more information, see [Add, update, or delete a payment method](/azure/cost-management-billing/manage/change-credit-card).

-A purchase can also fail because an Enterprise Agreement (EA) subscription doesn't allow Azure Marketplace purchases. Try to use a different subscription. Or, check if your EA subscription is enabled for Azure Marketplace purchases. For more information, see [Enabling Azure Marketplace purchases](/azure/cost-management-billing/manage/ea-azure-marketplace#enabling-azure-marketplace-purchases).

-To find the New Relic offering on Azure and set up the service, you must first register the `NewRelic.Observability` resource provider in your Azure subscription. To register the resource provider by using the Azure portal, follow the guidance in [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types).

-Only resource types in [supported categories](/azure/azure-monitor/essentials/resource-logs-categories) send logs to New Relic through the integration. To check whether the resource is set up to send logs to New Relic, go to the [Azure diagnostic settings](/azure/azure-monitor/platform/diagnostic-settings) for that resource. Then, verify that there's a New Relic diagnostic setting.

-If your Azure subscription is suspended or deleted because of payment-related issues, resource monitoring in New Relic automatically stops. Use a different Azure subscription. Or, add or update the credit card or payment method for the subscription. For more information, see [Add, update, or delete a payment method](/azure/cost-management-billing/manage/change-credit-card).

-1. Create a [delegated subnet](/azure/virtual-network/subnet-delegation-overview) to the Qumulo service:

- |**Resource group** | Specify whether you want to create a new resource group or use an existing one. A resource group is a container that holds related resources for an Azure solution. For more information, seeΓÇ»[Azure resource group overview](/azure/azure-resource-manager/management/overview). |

-1. Select **Review + Create** to create the resource.

-Try using a different Azure subscription. Or, add or update the credit card or payment method for the subscription. For more information, see [Update the credit and payment method](/azure/cost-management-billing/manage/change-credit-card).

-Try using a different subscription, or [enable your subscription for Azure Marketplace purchases](/azure/cost-management-billing/manage/ea-azure-marketplace#enabling-azure-marketplace-purchases).