+| Create emergency access account | This emergency access account helps you gain access to your Azure AD B2C tenant in circumstances such as the only administrator is unreachable when the credential is needed. [Learn how to create an emergency access account](tenant-management-emergency-access-account.md#create-emergency-access-account) |

+description: Learn how to call the Video Retrieval APIs to vectorize video frames and search terms.

+Azure AI Video Retrieval APIs are part of Azure AI Vision and enable developers to create an index, add documents (videos and images) to it, and search with natural language. Developers can define metadata schemas for each index and ingest metadata to the service to help with retrieval. Developers can also specify what features to extract from the index (vision, speech) and filter their search based on features.

+To use the Video Retrieval APIs in a typical pattern, you would do the following steps:

+The Video Retrieval APIs allows a user to add metadata to video files. Metadata is additional information associated with video files such as "Camera ID," "Timestamp," or "Location" that can be used to organize, filter, and search for specific videos. This example demonstrates how to create an index, add video files with associated metadata, and perform searches using different features.

+ Title: What is Video Analysis?

+description: This document explains the basic concepts and features of Azure Spatial Analysis and Video Retrieval.

+# What is Video Analysis?

+Video Analysis includes video-related features like Spatial Analysis and Video Retrieval.

+## Spatial Analysis

+You can use Azure AI Vision Spatial Analysis to detect the presence and movements of people in video. Ingest video streams from cameras, extract insights, and generate events to be used by other systems. The service can do things like count the number of people entering a space or measure compliance with face mask and social distancing guidelines. By processing video streams from physical spaces, you're able to learn how people use them and maximize the space's value to your organization.

+Video Retrieval is a service that lets you create a search index, add documents (videos and images) to it, and search with natural language. Developers can define metadata schemas for each index and ingest metadata to the service to help with retrieval. Developers can also specify what features to extract from the index (vision, speech) and filter their search based on features.

+> [!div class="nextstepaction"]

+> [Call the Video Retrieval APIs](./how-to/video-retrieval.md)

+#### [Spatial Analysis](#tab/sa)

+#### [Video Retrieval](#tab/vr)

+To learn how to use Spatial Analysis technology responsibly, see the [Transparency note](/legal/cognitive-services/computer-vision/transparency-note-spatial-analysis?context=%2fazure%2fcognitive-services%2fComputer-vision%2fcontext%2fcontext). Microsoft's transparency notes help you understand how our AI technology works and the choices system owners can make that influence system performance and behavior. They focus on the importance of thinking about the whole system including the technology, people, and environment.

+| [Video Analysis](intro-to-spatial-analysis-public-preview.md)| Video Analysis includes video-related features like Spatial Analysis and Video Retrieval. Spatial Analysis analyzes the presence and movement of people on a video feed and produces events that other systems can respond to. Install the [Spatial Analysis container](spatial-analysis-container.md) to get started. [Video Retrieval](/azure/ai-services/computer-vision/how-to/video-retrieval) lets you create an index of videos that you can search with natural language.|

+ Title: Language support for Immersive Reader

+description: Learn more about the human languages that Immersive Reader supports.

+# Language support for Azure AI Immersive Reader

+Immersive Reader supports the following human languages.

+description: Learn how you can use Immersive Reader to help people with learning differences or help new readers and language learners improve reading comprehension.

+[Immersive Reader](https://www.onenote.com/learningtools), part of [Azure AI services](../../ai-services/what-are-ai-services.md), is an inclusively designed tool that implements proven techniques to improve reading comprehension for new readers, language learners, and people with learning differences such as dyslexia. With the Immersive Reader client library, you can leverage the same technology used in Microsoft Word and Microsoft OneNote to improve your web applications.

+* **[Quickstart guides](quickstarts/client-libraries.md)** provide instructions to help you get started making requests to the service.

+## Use Immersive Reader to improve reading accessibility

+Immersive Reader is designed to make reading easier and more accessible for everyone. Take a look at a few of Immersive Reader's core features.

+Immersive Reader isolates content to improve readability.

+Immersive Reader displays pictures for commonly used terms.

+Immersive Reader can help learners understand parts of speech and grammar by highlighting verbs, nouns, pronouns, and more.

+Speech synthesis, or text to speech, is baked into the Immersive Reader service. Readers can select text to be read aloud.

+Immersive Reader can translate text into many languages in real time, which helps to improve comprehension for readers learning a new language.

+With Immersive Reader, you can break words into syllables to improve readability or to sound out new words.

+Immersive Reader is a standalone web application. When it's invoked, the Immersive Reader client library displays on top of your existing web application in an `iframe`. When your web application calls the Immersive Reader service, you specify the content to show the reader. The Immersive Reader client library handles the creation and styling of the `iframe` and communication with the Immersive Reader backend service. The Immersive Reader service processes the content for parts of speech, text to speech, translation, and more.

+## Next step

+The Immersive Reader client library is available in C#, JavaScript, Java (Android), Kotlin (Android), and Swift (iOS). Get started with:

+ Title: "Immersive Reader JavaScript SDK release notes"

+description: Learn about what's new in the Immersive Reader JavaScript SDK.

+# Release notes for Immersive Reader JavaScript SDK

+This release contains new features, security vulnerability fixes, and updates to code samples.

+#### New features

+* Updated code samples to use v1.4.0

+#### New features

+* Updated code samples to use v1.3.0

+* Updated code samples to demonstrate the usage of latest options from v1.2.0

+#### New features

+* Added option to set the theme to light or dark

+* Added option to set the parent node where the iframe/webview container is placed

+* Added option to disable the Grammar experience

+* Added option to disable the Translation experience

+* Added option to disable Language Detection

+* Added title and aria modal attributes to the iframe

+* Updated code samples to use v1.2.0

+* Added React code sample

+* Added Ember code sample

+* Added Azure function code sample

+* Added C# code sample demonstrating how to call the Azure Function for authentication

+* Added Android Kotlin code sample demonstrating how to call the Azure Function for authentication

+* Updated the Swift code sample to be Objective C compliant

+* Updated Advanced C# code sample to demonstrate the usage of new options: parent node, disableGrammar, disableTranslation, and disableLanguageDetection

+* Fixed multiple security vulnerabilities by upgrading TypeScript packages

+* Fixed bug where renderButton rendered a duplicate icon and label in the button

+#### New features

+* Enabled saving and loading user preferences across different browsers and devices

+* Enabled configuring default display options

+* Added option to set the translation language, enable word translation, and enable document translation when launching Immersive Reader

+* Added support for configuring Read Aloud via options

+* Added ability to disable first run experience

+* Added ImmersiveReaderView for UWP

+* Updated the Android code sample HTML to work with the latest SDK

+* Updated launch response to return the number of characters processed

+* Updated code samples to use v1.1.0

+* Doesn't allow launchAsync to be called when already loading

+* Checked for invalid content by ignoring messages where the data isn't a string

+* Wrapped call to window in an if clause to check browser support of Promise

+* Fixed dependabot by removing yarn.lock from gitignore

+* Fixed security vulnerability by upgrading pug to v3.0.0 in quickstart-nodejs code sample

+* Fixed multiple security vulnerabilities by upgrading Jest and TypeScript packages

+* Fixed a security vulnerability by upgrading Microsoft.IdentityModel.Clients.ActiveDirectory to v5.2.0

+#### Breaking changes

+#### New features

+* Added support to enable or disable cookies

+* Added Android Kotlin quick start code sample

+* Added Android Java quick start code sample

+* Added Node quick start code sample

+* Updated Node.js advanced README.md

+* Changed Python code sample from advanced to quick start

+* Moved iOS Swift code sample into js/samples

+* Updated code samples to use v1.0.0

+* Fixed for Node.js advanced code sample

+* Added missing files for advanced-csharp-multiple-resources

+* Removed en-us from hyperlinks

+#### New features

+* Added iOS Swift code sample

+* Added C# advanced code sample demonstrating use of multiple resources

+* Added support to disable the full screen toggle feature

+* Added support to hide the Immersive Reader application exit button

+* Added a callback function that may be used by the host application upon exiting the Immersive Reader

+* Updated code samples to use Azure Active Directory Authentication

+* Updated C# advanced code sample to include Word document

+* Updated code samples to use v0.0.3

+* Upgraded lodash to version 4.17.14 to fix security vulnerability

+* Updated C# MSAL library to fix security vulnerability

+* Upgraded mixin-deep to version 1.3.2 to fix security vulnerability

+* Upgraded jest, webpack and webpack-cli which were using vulnerable versions of set-value and mixin-deep to fix security vulnerability

+#### New features

+* Added Python advanced code sample

+* Added Java quick start code sample

+* Added simple code sample

+* Renamed resourceName to cogSvcsSubdomain

+* Moved secrets out of code and use environment variables

+* Updated code samples to use v0.0.2

+* Fixed Immersive Reader button accessibility bugs

+* Fixed broken scrolling

+* Upgraded handlebars package to version 4.1.2 to fix security vulnerability

+* Fixed bugs in SDK unit tests

+* Fixed JavaScript Internet Explorer 11 compatibility bugs

+* Updated SDK urls

+* Added Immersive Reader JavaScript SDK

+* Added support to specify the UI language

+* Added a timeout to determine when the launchAsync function should fail with a timeout error

+* Added support to specify the z-index of the Immersive Reader iframe

+* Added support to use a webview tag instead of an iframe, for compatibility with Chrome Apps

+* Added SDK unit tests

+* Added Node.js advanced code sample

+* Added C# advanced code sample

+* Added C# quick start code sample

+* Added package configuration, Yarn and other build files

+* Added git configuration files

+* Added README.md files to code samples and SDK

+* Added MIT License

+* Added Contributor instructions

+* Added static icon button SVG assets

+## Related content

+* [Immersive Reader client library reference](./reference.md)

+* [Immersive Reader client library on GitHub](https://github.com/microsoft/immersive-reader-sdk)

+| Region | `gpt-35-turbo (0613)` | `gpt-35-turbo (1106)` | `gpt-4 (0613)` | `gpt-4 (1106)` |

+|--|||||

+| Australia East | ✅ | ✅ | ✅ |✅ |

+| East US 2 | ✅ | ⬜| ✅ |✅ |

+| Sweden Central | ✅ |✅ |✅ |✅|

+Follow these steps to set up a video retrieval system and integrate it with your AI chat model.

+> To use Vision enhancement, you need an Azure AI Vision resource. It must be in the paid (S0) tier and in the same Azure region as your GPT-4 Turbo with Vision resource.

+> [!TIP]

+> If you prefer, you can carry out the below steps using a Jupyter notebook instead: [Video chat completions notebook](https://github.com/Azure-Samples/azureai-samples/blob/main/scenarios/GPT-4V/video/video_chatcompletions_example_restapi.ipynb).

+### Create a video retrieval index

+1. Create an index to store and organize the video files and their metadata. The example command below demonstrates how to create an index named `my-video-index` using the **[Create Index](/azure/ai-services/computer-vision/reference-video-search)** API. Save the index name to a temporary location; you'll need it in later steps.

+ > [!TIP]

+ > For more detailed instructions on creating a video index, see [Do video retrieval using vectorization](/azure/ai-services/computer-vision/how-to/video-retrieval).

+

+ ```bash

+ curl.exe -v -X PUT "https://<YOUR_ENDPOINT_URL>/computervision/retrieval/indexes/my-video-index?api-version=2023-05-01-preview" -H "Ocp-Apim-Subscription-Key: <YOUR_SUBSCRIPTION_KEY>" -H "Content-Type: application/json" --data-ascii "

+ {

+ 'metadataSchema': {

+ 'fields': [

+ {

+ 'name': 'cameraId',

+ 'searchable': false,

+ 'filterable': true,

+ 'type': 'string'

+ },

+ {

+ 'name': 'timestamp',

+ 'searchable': false,

+ 'filterable': true,

+ 'type': 'datetime'

+ }

+ ]

+ },

+ 'features': [

+ {

+ 'name': 'vision',

+ 'domain': 'surveillance'

+ },

+ {

+ 'name': 'speech'

+ }

+ ]

+ }"

+ ```

+1. Add video files to the index with their associated metadata. The example below demonstrates how to add two video files to the index using SAS URLs with the **[Create Ingestion](/azure/ai-services/computer-vision/reference-video-search)** API. Save the SAS URLs and `documentId` values to a temporary location; you'll need them in later steps.

+

+ ```bash

+ curl.exe -v -X PUT "https://<YOUR_ENDPOINT_URL>/computervision/retrieval/indexes/my-video-index/ingestions/my-ingestion?api-version=2023-05-01-preview" -H "Ocp-Apim-Subscription-Key: <YOUR_SUBSCRIPTION_KEY>" -H "Content-Type: application/json" --data-ascii "

+ {

+ 'videos': [

+ {

+ 'mode': 'add',

+ 'documentId': '02a504c9cd28296a8b74394ed7488045',

+ 'documentUrl': 'https://example.blob.core.windows.net/videos/02a504c9cd28296a8b74394ed7488045.mp4?sas_token_here',

+ 'metadata': {

+ 'cameraId': 'camera1',

+ 'timestamp': '2023-06-30 17:40:33'

+ }

+ },

+ {

+ 'mode': 'add',

+ 'documentId': '043ad56daad86cdaa6e493aa11ebdab3',

+ 'documentUrl': '[https://example.blob.core.windows.net/videos/043ad56daad86cdaa6e493aa11ebdab3.mp4?sas_token_here',

+ 'metadata': {

+ 'cameraId': 'camera2'

+ }

+ }

+ ]

+ }"

+ ```

+1. After you add video files to the index, the ingestion process starts. It might take some time depending on the size and number of files. To ensure the ingestion is complete before performing searches, you can use the **[Get Ingestion](/en-us/azure/ai-services/computer-vision/reference-video-search)** API to check the status. Wait for this call to return `"state" = "Completed"` before proceeding to the next step.

+

+ ```bash

+ curl.exe -v -X GET "https://<YOUR_ENDPOINT_URL>/computervision/retrieval/indexes/my-video-index/ingestions?api-version=2023-05-01-preview&$top=20" -H "ocp-apim-subscription-key: <YOUR_SUBSCRIPTION_KEY>"

+ ```

+### Integrate your video index with GPT-4 Turbo with Vision

+In your Python script, call the client's **create** method as in the previous sections, but include the *extra_body* parameter. Here, it contains the `enhancements` and `dataSources` fields. `enhancements` represents the specific Vision enhancement features requested in the chat. It has a `video` field, which has a boolean `enabled` property. Use this to request the video retrieval service.

+^`1` Customers with a resource located in Switzerland North or Switzerland West can ensure that their Text API requests are served within Switzerland. To ensure that requests are handled in Switzerland, create the Translator resource in the `Resource region` `Switzerland North` or `Switzerland West`, then use the resource's custom endpoint in your API requests.

+For example: If you create a Translator resource in Azure portal with `Resource region` as `Switzerland North` and your resource name is `my-swiss-n`, then your custom endpoint is `https&#8203;://my-swiss-n.cognitiveservices.azure.com`. And a sample request to translate is:

+> [!NOTE]

+> In this tutorial, `service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path` is being set to `/healthz`. This means if the response code of the requests to `/healthz` is not `200`, the entire ingress controller will be down. You can modify the value to other URI in your own scenario. You cannot delete this part or unset the value, or the ingress controller will still be down.

+> The package `ingress-nginx` used in this tutorial, which is provided by [Kubernetes official](https://github.com/kubernetes/ingress-nginx), will always return `200` response code if requesting `/healthz`, as it is designed as [default backend](https://kubernetes.github.io/ingress-nginx/user-guide/default-backend/) for users to have a quick start, unless it is being overwritten by ingress rules.

+- Deploy an AKS cluster using the Azure Developer CLI (AZD).

+- Teardown and clean up containers using AZD.

+If your cluster already has the Prometheus addon deployed, then you can simply run an `az aks update` to ensure the cluster updates to start collecting control plane metrics.

+```azurecli

+az aks update -n <cluster-name> -g <resource-group>

+```

+## Preview flag enabled after Managed Prometheus setup

+If the preview flag(`AzureMonitorMetricsControlPlanePreview`) was enabled on an existing Managed Prometheus cluster, it will require forcing an update for the cluster to emit control plane metrics

+You can run an az aks update to ensure the cluster updates to start collecting control plane metrics.

+```azurecli

+az aks update -n <cluster-name> -g <resource-group>

+```

+description: This article describes how to set up rules to control autoscale behavior for an Azure API Management instance.

+An Azure API Management service instance can scale automatically based on a set of rules. This behavior can be enabled and configured through [Azure Monitor autoscale](../azure-monitor/autoscale/autoscale-overview.md#supported-services-for-autoscale) and is currently supported only in the **Basic**, **Standard**, and **Premium** tiers of the Azure API Management service.

+ For example, a scale-out rule could trigger addition of 1 API Management unit, when the average capacity metric over the previous 30 minutes exceeds 70%. The following table provides an example configuration for such a rule. Review the preceding [limitations](#azure-api-management-autoscale-limitations) when defining a scale-out rule in your environment.

+ | Metric name | Capacity | [Capacity metric](api-management-capacity.md) is an API Management metric reflecting usage of resources by an Azure API Management instance. |

+ | Metric threshold | 70% | The threshold for the averaged capacity metric. For considerations on setting this threshold, see [Using capacity for scaling decisions](api-management-capacity.md#use-capacity-for-scaling-decisions). |

+ This time, a scale-in rule needs to be defined. It ensures that resources aren't being wasted, when the usage of APIs decreases.

+ For example, a scale-in rule could trigger a removal of 1 API Management unit when the average capacity metric over the previous 30 minutes is lower than 35%. The following table provides an example configuration for such a rule.

+1. Select **Save**. Your autoscale is configured.

+## Related content

+- [Optimize and save on your cloud spending](../cost-management-billing/costs/quick-acm-cost-analysis.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn)

+ protocol: 'https'

+ "protocol": "https",

+|4XX Errors | (The 4xx error codes indicate that there was an issue with the client's request, and the Application Gateway can't fulfill it.) |

+|5XX Errors | Description |

+### 1.8.2 (February 2023)

+Flux version: [Release v2.1.2](https://github.com/fluxcd/flux2/releases/tag/v2.1.2)

+- source-controller: v1.1.2

+- kustomize-controller: v1.1.1

+- helm-controller: v0.36.2

+- notification-controller: v1.1.0

+- image-automation-controller: v0.36.1

+- image-reflector-controller: v0.30.0

+Changes made for this version:

+- Improve the identity token generation logic to handle token generation failures

+# Use Microsoft Entra ID (preview) for cache authentication

+- [Access keys](cache-configure.md#access-keys)

+- [Microsoft Entra ID (preview)](cache-configure.md#preview-microsoft-entra-authentication)

+Although access key authentication is simple, it comes with a set of challenges around security and password management. For contrast, in this article, you learn how to use a Microsoft Entra token for cache authentication.

+Azure Cache for Redis offers a password-free authentication mechanism by integrating with [Microsoft Entra ID (preview)](/azure/active-directory/fundamentals/active-directory-whatis). This integration also includes [role-based access control](/azure/role-based-access-control/) functionality provided through [access control lists (ACLs)](https://redis.io/docs/management/security/acl/) supported in open source Redis.

+- Microsoft Entra ID-based authentication is supported for SSL connections and TLS 1.2 or higher.

+> Once a connection is established using Microsoft Entra token, client applications must periodically refresh Microsoft Entra token before expiry, and send an `AUTH` command to Redis server to avoid disruption of connections. For more information, see [Configure your Redis client to use Microsoft Entra ID](#configure-your-redis-client-to-use-microsoft-entra-id).

+## Enable Microsoft Entra ID authentication on your cache

+1. Select **Authentication** from the Resource menu.

+1. In the working pane, select **(PREVIEW) Enable Microsoft Entra Authentication**.

+1. Select **Enable Microsoft Entra Authentication**, and enter the name of a valid user. The user you enter is automatically assigned _Data Owner Access Policy_ by default when you select **Save**. You can also enter a managed identity or service principal to connect to your cache instance.

+ :::image type="content" source="media/cache-azure-active-directory-for-authentication/cache-enable-microsoft-entra.png" alt-text="Screenshot showing authentication selected in the resource menu and the enable Microsoft Entra authentication checked.":::

+1. A popup dialog box displays asking if you want to update your configuration, and informing you that it takes several minutes. Select **Yes.**

+ > [!IMPORTANT]

+ > Once the enable operation is complete, the nodes in your cache instance reboots to load the new configuration. We recommend performing this operation during your maintenance window or outside your peak business hours. The operation can take up to 30 minutes.

+## Using data access configuration with your cache

+If you would like to use a custom access policy instead of Redis Data Owner, go to the **Data Access Configuration** on the Resource menu. For more information, see [Configure a custom data access policy for your application](cache-configure-role-based-access-control.md#configure-a-custom-data-access-policy-for-your-application).

+1. In the Azure portal, select the Azure Cache for Redis instance where you'd like to add to the Data Access Configuration.

+1. Select **(PREVIEW) Data Access Configuration** from the Resource menu.

+1. Select **Add** and choose **New Redis User**.

+1. On the **Access Policy** tab, select one the available policies in the table: **Data Owner**, **Data Contributor**, or **Data Reader**. Then, select the **Next:Redis Users**.

+ :::image type="content" source="media/cache-azure-active-directory-for-authentication/cache-new-redis-user.png" alt-text="Screenshot showing the available Access Policies.":::

+1. Choose either the **User or service principal** or **Managed Identity** to determine how to assign access to your Azure Cache for Redis instance. If you select **User or service principal**,and you want to add a _user_, you must first [enable Microsoft Entra Authentication](#enable-microsoft-entra-id-authentication-on-your-cache).

+1. Then, select **Select members** and select **Select**. Then, select **Next : Review + Assign**.

+ :::image type="content" source="media/cache-azure-active-directory-for-authentication/cache-select-members.png" alt-text="Screenshot showing members to add as New Redis Users.":::

+Because most Azure Cache for Redis clients assume that a password and access key are used for authentication, you likely need to update your client workflow to support authentication using Microsoft Entra ID. In this section, you learn how to configure your client applications to connect to Azure Cache for Redis using a Microsoft Entra token.

+<!-- :::image type="content" source="media/cache-azure-active-directory-for-authentication/azure-ad-token.png" alt-text="Architecture diagram showing the flow of a token from Microsoft Entra ID to a customer application to a cache."::: -->

+1. Configure your client application to acquire a Microsoft Entra token for scope, `https://redis.azure.com/.default` or `acca5fbb-b7e4-4009-81f1-37e38fd66d78/.default`, using the [Microsoft Authentication Library (MSAL)](/azure/active-directory/develop/msal-overview).

+1. Update your Redis connection logic to use following `User` and `Password`:

+ - `User` = Object ID of your managed identity or service principal

+ - `User` = Object ID of your managed identity or service principal

+ Permissions string: `+@read ~*`

+1. To add a user to the access policy using Microsoft Entra ID, you must first enable Microsoft Entra ID by selecting **Authentication** from the Resource menu.

+1. Select **(PREVIEW) Enable Microsoft Entra Authentication** as the tab in the working pane.

+1. If not checked already, check the box labeled **(PREVIEW) Enable Microsoft Entra Authentication** and select **OK**. Then, select **Save**.

+ :::image type="content" source="media/cache-azure-active-directory-for-authentication/cache-enable-microsoft-entra.png" alt-text="Screenshot of Microsoft Entra ID access authorization.":::

+1. A popup dialog box displays asking if you want to update your configuration, and informing you that it takes several minutes. Select **Yes.**

+Now that you have configured Redis User and Data access policy for configuring role based access control, you need to update your client workflow to support authenticating using a specific user/password. To learn how to configure your client application to connect to your cache instance as a specific Redis User, see [Configure your Redis client to use Microsoft Entra ID](cache-azure-active-directory-for-authentication.md#configure-your-redis-client-to-use-microsoft-entra-id).

+ - [Authentication](#authentication)

+- [Authentication](#authentication)

+ - [Access keys](#access-keys)

+ - [(Preview) Microsoft Entra Authentication](#preview-microsoft-entra-authentication)

+### Authentication

+You have two options for authentication: access keys and Microsoft Entra Authentication.

+#### Access keys

+#### (Preview) Microsoft Entra Authentication

+Select **(Preview) Microsoft Entra Authentication** to a password-free authentication mechanism by integrating with Microsoft Entra ID. This integration also includes role-based access control functionality provided through access control lists (ACLs) supported in open source Redis.

+The **maxmemory-reserved** setting configures the amount of memory in MB per instance in a cluster that is reserved for noncache operations, such as replication during failover. Setting this value allows you to have a more consistent Redis server experience when your load varies. This value should be set higher for workloads that write large amounts of data. When memory is reserved for such operations, it's unavailable for storage of cached data. The minimum and maximum values on the slider are 10% and 60%, shown in megabytes. You must set the value in that range.

+When choosing a new memory reservation value (**maxmemory-reserved** or **maxfragmentationmemory-reserved**), consider how this change might affect a cache that is already running with large amounts of data in it. For instance, if you have a 53-GB cache with 49 GB of data, then change the reservation value to 8 GB, this change drops the max available memory for the system down to 45 GB. If either your current `used_memory` or your `used_memory_rss` values are higher than the new limit of 45 GB, then the system has to evict data until both `used_memory` and `used_memory_rss` are below 45 GB. Eviction can increase server load and memory fragmentation. For more information on cache metrics such as `used_memory` and `used_memory_rss`, see [Create your own metrics](cache-how-to-monitor.md#create-your-own-metrics).

+The **Schedule updates** section allows you to choose a maintenance window for Redis server updates for your cache.

+**Geo-replication**, on the Resource menu, provides a mechanism for linking two Premium tier Azure Cache for Redis instances. One cache is named as the primary linked cache, and the other as the secondary linked cache. The secondary linked cache becomes read-only, and data written to the primary cache is replicated to the secondary linked cache. This functionality can be used to replicate a cache across Azure regions.

+Importing data is an easy way to create a cache with prepopulated data. During the import process, Azure Cache for Redis loads the RDB files from Azure storage into memory, and then inserts the keys into the cache.

+The **Reboot** item allows you to reboot the nodes of your cache. This reboot capability enables you to test your application for resiliency if there's a failure of a cache node.

+The **Advisor recommendations** displays recommendations for your cache. During normal operations, no recommendations are displayed.

+1. When scaling is complete, the status changes from **Scaling** to **Running**.

+### Can I use all the features of Premium tier after scaling?

+- When clustering is enabled, only database 0 is available. If your client application uses multiple databases and it tries to read or write to a database other than 0, the following exception is thrown: `Unhandled Exception: StackExchange.Redis.RedisConnectionException: ProtocolFailure on GET >` `StackExchange.Redis.RedisCommandException: Multiple databases are not supported on this server; cannot switch to database: 6`

+- If you're using [StackExchange.Redis](https://www.nuget.org/packages/StackExchange.Redis/), you must use 1.0.481 or later. You connect to the cache using the same [endpoints, ports, and keys](cache-configure.md#properties) that you use when connecting to a cache where clustering is disabled. The only difference is that all reads and writes must be done to database 0.

+- If your application uses multiple key operations batched into a single command, all keys must be located in the same shard. To locate keys in the same shard, see [How are keys distributed in a cluster?](#how-are-keys-distributed-in-a-cluster)

+- If you're using Redis ASP.NET Session State provider, you must use 2.0.1 or higher. See [Can I use clustering with the Redis ASP.NET Session State and Output Caching providers?](#can-i-use-clustering-with-the-redis-aspnet-session-state-and-output-caching-providers)

+- Keys with a hash tag - if any part of the key is enclosed in `{` and `}`, only that part of the key is hashed for the purposes of determining the hash slot of a key. For example, the following three keys would be located in the same shard: `{key}1`, `{key}2`, and `{key}3` since only the `key` part of the name is hashed. For a complete list of keys hash tag specifications, see [Keys hash tags](https://redis.io/topics/cluster-spec#keys-hash-tags).

+- Keys without a hash tag - the entire key name is used for hashing, resulting in a statistically even distribution across the shards of the cache.

+You can connect to your cache using the same [endpoints](cache-configure.md#properties), [ports](cache-configure.md#properties), and [keys](cache-configure.md#authentication) that you use when connecting to a cache that doesn't have clustering enabled. Redis manages the clustering on the backend so you don't have to manage it from your client.

+- **Redis Output Cache provider** - no changes required.

+- **Redis Session State provider** - to use clustering, you must use [RedisSessionStateProvider](https://www.nuget.org/packages/Microsoft.Web.RedisSessionStateProvider) 2.0.1 or higher or an exception is thrown, which is a breaking change. For more information, see [v2.0.0 Breaking Change Details](https://github.com/Azure/aspnet-redis-providers/wiki/v2.0.0-Breaking-Change-Details).

+1. Go to your Azure OpenAI resource in the Azure portal.

+ [CosmosDB(

+ containerName: "HttpManagementPayloads",

+ Connection = "CosmosDBConnectionSetting")]out dynamic document)

+ |**Enter new app setting name**| Type `CosmosDbConnectionSetting`.|

+ |**Enter value for "CosmosDbConnectionSetting"**| Paste the connection string of your Azure Cosmos DB account you copied. You can also configure [Microsoft Entra identity](./functions-bindings-cosmosdb-v2-trigger.md#connections) as an alternative.|

+ This creates an application setting named connection `CosmosDbConnectionSetting` in your function app in Azure. Now, you can download this setting to your local.settings.json file.

+dotnet add package Microsoft.Azure.Functions.Worker.Extensions.CosmosDB

+dotnet add package Microsoft.Azure.WebJobs.Extensions.CosmosDB

+Specific attributes specify the name of the container and the name of its parent database. The connection string for your Azure Cosmos DB account is set by the `CosmosDbConnectionSetting`.

+| **Select setting from "local.setting.json"** | `CosmosDbConnectionSetting` | The name of an application setting that contains the connection string for the Azure Cosmos DB account. |

+ "containerName": "my-container",

+ "connection": "CosmosDbConnectionSetting"

+| **Select setting from "local.setting.json"** | `CosmosDbConnectionSetting` | The name of an application setting that contains the connection string for the Azure Cosmos DB account. |

+ "containerName": "my-container",

+ "connection": "CosmosDbConnectionSetting"

+ container_name="my-container", connection="CosmosDbConnectionSetting")

+In this code, `arg_name` identifies the binding parameter referenced in your code, `database_name` and `container_name` are the database and collection names that the binding writes to, and `connection` is the name of an application setting that contains the connection string for the Azure Cosmos DB account, which is in the `CosmosDbConnectionSetting` setting in the *local.settings.json* file.

+ containerName: "my-container",

+ Connection = "CosmosDbConnectionSetting")]IAsyncCollector<dynamic> documentsOut,

+@app.cosmos_db_output(arg_name="outputDocument", database_name="my-database", container_name="my-container", connection="CosmosDbConnectionSetting")

+ CosmosDBConnectionSetting=$COSMOS_DB_CONNECTION_STRING

+ CosmosDBConnectionSetting=%COSMOS_DB_CONNECTION_STRING%

+ displayName: "Set Python version to 3.9"

+ versionSpec: '3.9'

+ displayName: "Set Python version to 3.9"

+ versionSpec: '3.9'

+| January 2024 |**Known Issues**<ul><li>The agent extension code size is beyond the deployment limit set by Arc, thus 1.29.5 won't install on Arc enabled servers. Fix is coming in 1.29.6.</li></ul>**Windows**<ul><li>Added support for Transport Layer Security 1.3</li><li>Reverted a change to enable multiple IIS subscriptions to use same filter. Feature will be redeployed once memory leak is fixed.</li><li>Improved ETW event throughput rate</li></ul>**Linux**<ul><li>Fix Error messages logged intended for mdsd.err went to mdsd.warn instead in 1.29.4 only. Likely error messages: "Exception while uploading to Gig-LA : ...", "Exception while uploading to ODS: ...", "Failed to upload to ODS: ..."</li><li>Syslog time zones incorrect: AMA now uses machine current time when AMA receives an event to populate the TimeGenerated field. The previous behavior parsed the time zone from the Syslog event which caused incorrect times if a device sent an event from a time zone different than the AMA collector machine.</li></ul> | 1.23.0 | 1.29.5 |

+| December 2023 |**Known Issues**<ul><li>The agent extension code size is beyond the deployment limit set by Arc, thus 1.29.4 won't install on Arc enabled servers. Fix is coming in 1.29.6.</li><li>Multiple IIS subscriptions causes a memory leak. feature reverted in 1.23.0.</ul>**Windows** <ul><li>Prevent CPU spikes by not using bookmark when resetting an Event Log subscription</li><li>Added missing fluentbit exe to AMA client setup for Custom Log support</li><li>Updated to latest AzureCredentialsManagementService and DsmsCredentialsManagement package</li><li>Update ME to v2.2023.1027.1417</li></ul>**Linux**<ul><li>Support for TLS V1.3</li><li>Support for nopri in Syslog</li><li>Ability to set disk quota from DCR Agent Settings</li><li>Add ARM64 Ubuntu 22 support</li><li>**Fixes**<ul><li>SysLog</li><ul><li>Parse syslog Palo Alto CEF with multiple space characters following the hostname</li><li>Fix an issue with incorrectly parsing messages containing two '\n' chars in a row</li><li>Improved support for non-RFC compliant devices</li><li>Support infoblox device messages containing both hostname and IP headers</li></ul><li>Fix AMA crash in RHEL 7.2</li><li>Remove dependency on "which" command</li><li>Fix port conflicts due to AMA using 13000 </li><li>Reliability and Performance improvements</li></ul></li></ul>| 1.22.0 | 1.29.4|

+| October 2023| **Windows** <ul><li>Minimize CPU spikes when resetting an Event Log subscription</li><li>Enable multiple IIS subscriptions to use same filter</li><li>Cleanup files and folders for inactive tenants in multitenant mode</li><li>AMA installer won't install unnecessary certs</li><li>AMA emits Telemetry table locally</li><li>Update Metric Extension to v2.2023.721.1630</li><li>Update AzureSecurityPack to v4.29.0.4</li><li>Update AzureWatson to v1.0.99</li></ul>**Linux**<ul><li> Add support for Process metrics counters for Log Analytics upload and Azure Monitor Metrics</li><li>Use rsyslog omfwd TCP for improved syslog reliability</li><li>Support Palo Alto CEF logs where hostname is followed by 2 spaces</li><li>Bug and reliability improvements</li></ul> |1.21.0|1.28.11|

+| September 2023| **Windows** <ul><li>Fix issue with high CPU usage due to excessive Windows Event Logs subscription reset</li><li>Reduce fluentbit resource usage by limiting tracked files older than 3 days and limiting logging to errors only</li><li>Fix race-condition where resource_id is unavailable when agent is restarted</li><li>Fix race-condition when vm-extension provision agent (also known as GuestAgent) is issuing a disable-vm-extension command to AMA.</li><li>Update MetricExtension version to 2.2023.721.1630</li><li>Update Troubleshooter to v1.5.14 </li></ul>|1.20.0| None |

+| June 2023| **Windows** <ul><li>Add new FilePath column to custom logs table. You must manually add the column to your custom table.</li><li>Config setting to disable custom IMDS endpoint in Tenant.json file</li><li>FluentBit binaries signed with Microsoft customer Code Sign cert</li><li>Minimize number of retries on calls to refresh tokens</li><li>Don't overwrite resource ID with empty string</li><li>AzSecPack updated to version 4.27</li><li>AzureProfiler and AzurePerfCollector updated to version 1.0.0.990</li><li>MetricsExtension updated to version 2.2023.513.10</li><li>Troubleshooter updated to version 1.5.0</li></ul>**Linux** <ul><li>Add new column CollectorHostName to syslog table to identify forwarder/collector machine</li><li>Link OpenSSL dynamically</li><li>**Fixes**<ul><li>Allow uploads soon after AMA startup</li><li>Run LocalSink GC on a dedicated thread to avoid thread pool scheduling issues</li><li>Fix upgrade restart of disabled services</li><li>Handle Linux Hardening where sudo on root is blocked</li><li>CEF processing fixes for noncompliant RFC 5424 logs</li><li>ASA tenant can fail to start up due to config-cache directory permissions</li><li>Fix auth proxy in AMA</li><li>Fix to remove null characters in agentlauncher.log after log rotation</li><li>Fix for authenticated proxy(1.27.3)</li><li>Fix regression in VM Insights(1.27.4)</ul></li></ul>|1.17.0 |1.27.4|

+| May 2023 | **Windows** <ul><li>Enable Large Event support for all regions.</li><li>Update to TroubleShooter 1.4.0.</li><li>Fixed issue when Event Log subscription became invalid and wouldn't resubscribe.</li><li>AMA: Fixed issue with Large Event sending too large data. Also affecting Custom Log.</li></ul> **Linux** <ul><li>Support for CIS and SELinux [hardening](./agents-overview.md)</li><li>Include Ubuntu 22.04 (Jammy) in azure-mdsd package publishing</li><li>Move storage SDK patch to build container</li><li>Add system Telegraf counters to AMA</li><li>Drop msgpack and syslog data if not configured in active configuration</li><li>Limit the events sent to Public ingestion pipeline</li><li>**Fixes** <ul><li>Fix mdsd crash in init when in persistent mode </li><li>Remove FdClosers from ProtocolListeners to avoid a race condition</li><li>Fix sed regex special character escaping issue in rpm macro for Centos 7.3.Maipo</li><li>Fix latency and future timestamp issue</li><li>Install AMA syslog configs only if customer is opted in for syslog in DCR</li><li>Fix heartbeat time check</li><li>Skip unnecessary cleanup in fatal signal handler</li><li>Fix case where fast-forwarding may cause intervals to be skipped</li><li>Fix comma separated custom log paths with fluent</li><li>Fix to prevent events folder growing too large and filling the disk</li><li>hot fix (1.26.3) for Syslog</li></ul><</li><ul> | 1.16.0.0 | 1.26.2-1.26.5^Hotfix|

+- **Disk Space**: Required disk space can vary greatly depending upon how an agent is utilized or if the agent is unable to communicate with the destinations where it is instructed to send monitoring data. By default the agent requires 10Gb of disk space to run. The following provides guidance for capacity planning:

+For example, the following setting scrapes pods with annotations only in the namespaces `kube-system` and `my-namespace`:

+* Volume resize operations are nearly instantaneous but not always immediate. There can be a short delay for the volume's updated size to appear in the portal. Verify the size from a host perspective before re-attempting the resize operation.

+ Title: Understand path lengths in Azure NetApp Files

+description: Learn how file path limits and lengths are calculated in Azure NetApp Files.

+# Understand path lengths in Azure NetApp Files

+File and path length refers to the number of Unicode characters in a file path, including directories. This limit is a factor if the individual character lengths, which are determined by the size of the character in bytes. For instance, NFS and SMB allow path components of 255 bytes. The file encoding format of ASCII uses 8-bit encoding, meaning file path components (such as a file or folder name) in ASCII can be up to 255 characters since ASCII characters are 1 byte in size.

+The following table shows the supported component and path lengths in Azure NetApp Files volumes:

+| Component | NFS | SMB |

+| - | - | - |

+| Path component size | 255 bytes | 255 bytes |

+| Path length size | Unlimited | Default: 255 bytes <br /> Maximum in later Windows versions: 32,767 bytes |

+| Maximum path size for transversal | 4,096 bytes | 255 bytes |

+>[!NOTE]

+>Dual-protocol volumes use the lowest maximum value.

+If an SMB share name is `\\SMB-SHARE`, the share name adds 11 Unicode characters to the path length because each character is 1 byte. If the path to a specific file is `\\SMB-SHARE\apps\archive\file`, it's 29 Unicode characters; each character, including the slashes, is 1 byte. For NFS mounts, the same concepts apply. The mount path `/AzureNetAppFiles` is 17 Unicode characters of 1 byte each.

+Azure NetApp Files supports the same path length for SMB shares that modern Windows servers support: [up to 32,767 bytes](/windows/win32/fileio/maximum-file-path-limitation). However, depending on the version of the Windows client, some applications can't [support paths longer than 260 bytes](/windows/win32/fileio/naming-a-file). Individual path components (the values between slashes, such as file or folder names) support up to 255 bytes. For instance, a file name using the Latin capital ΓÇ£AΓÇ¥ (which takes up 1 byte per character) in a file path in Azure NetApp Files can't exceed 255 characters.

+```

+# mkdir 256charsaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

+mkdir: cannot create directory ΓÇÿ256charsaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaΓÇÖ: File name too long

+# mkdir 255charsaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

+# ls | grep 255

+255charsaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

+```

+## Discerning character sizes

+The Linux utility [`uniutils`](https://billposer.org/Software/unidesc.html) can be used to find the byte size of Unicode characters by typing multiple instances of the character instance and viewing the **bytes** field.

+**Example 1:** The Latin capital A increments by 1 byte each time it's used (using a single hex value of 41, which is in the 0-255 range of ASCII characters).

+```

+# printf %b 'AAA' | uniname

+character byte UTF-32 encoded as glyph name

+ 0 0 000041 41 A LATIN CAPITAL LETTER A

+ 1 1 000041 41 A LATIN CAPITAL LETTER A

+ 2 2 000041 41 A LATIN CAPITAL LETTER A

+```

+**Result 1:** The name AAA uses 3 bytes out of 255.

+**Example 2:** The Japanese character σ¡ù increments 3 bytes each instance. This can be also calculated by the 3 separate hex code values (E5, AD, 97) under the **encoded as** field. Each hex value represents 1 byte:

+```

+# printf %b 'σ¡ùσ¡ùσ¡ù' | uniname

+character byte UTF-32 encoded as glyph name

+ 0 0 005B57 E5 AD 97 σ¡ù CJK character Nelson 1281

+ 1 3 005B57 E5 AD 97 σ¡ù CJK character Nelson 1281

+ 2 6 005B57 E5 AD 97 σ¡ù CJK character Nelson 1281

+```

+**Result 2:** A file named σ¡ùσ¡ùσ¡ù uses 9 bytes out of 255.

+**Example 3:** The letter Ä with diaeresis uses 2 bytes per instance (C3 + 84).

+```

+# printf %b 'ÄÄÄ' | uniname

+character byte UTF-32 encoded as glyph name

+ 0 0 0000C4 C3 84 Ä LATIN CAPITAL LETTER A WITH DIAERESIS

+ 1 2 0000C4 C3 84 Ä LATIN CAPITAL LETTER A WITH DIAERESIS

+ 2 4 0000C4 C3 84 Ä LATIN CAPITAL LETTER A WITH DIAERESIS

+```

+**Result 3:** A file named ÄÄÄ uses 6 bytes out of 255.

+**Example 4:** A special character, such as the 😃 emoji, falls into an undefined range that exceeds the 0-3 bytes used for Unicode characters. As a result, it uses a surrogate pair for its character encoding. In this case, each instance of the character uses 4 bytes.

+```

+# printf %b '😃😃😃' | uniname

+character byte UTF-32 encoded as glyph name

+ 0 0 01F603 F0 9F 98 83 😃 Character in undefined range

+ 1 4 01F603 F0 9F 98 83 😃 Character in undefined range

+ 2 8 01F603 F0 9F 98 83 😃 Character in undefined range

+```

+**Result 4:** A file named 😃😃😃 uses 12 bytes out of 255.

+Most emojis fall into the 4-byte range but can go up to 7 bytes. Of the more than one thousand standard emojis, approximately 180 are in the [Basic Multilingual Plane (BMP)](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane), which means they can be displayed as text or emoji in Azure NetApp Files, depending on the clientΓÇÖs support for the language type.

+For more detailed information on the BMP and other Unicode planes, see [Understand volume languages in Azure NetApp Files](understand-volume-languages.md).

+## Character byte impact on path lengths

+Although a path length is thought to be the number of characters in a file or folder name, it's actually the _size_ of the supported bytes in the path. Since each character adds a byte size to a name, different character sets in different languages support different file name lengths.

+Consider the following scenarios:

+- **A file or folder repeats the Latin alphabet character ΓÇ£AΓÇ¥ for its file name.** (for example, AAAAAAAA)

+ Since ΓÇ£AΓÇ¥ uses 1 byte and 255 bytes is the path component size limit, then 255 instances of ΓÇ£AΓÇ¥ would be allowed in a file name.

+- **A file or folder repeats the Japanese character σ¡ù in its name.**

+ Since ΓÇ£σ¡ùΓÇ¥ has a size of 3 bytes, the file name length limit would be 85 instances of σ¡ù (3 byte * 85 = 255 bytes), or a total of 85 characters.

+- **A file or folder repeats the grinning face emoji (😃) in its name.**

+A grinning face emoji (😃) uses 4 bytes, meaning a file name with only that emoji would allow a total of 64 characters (255 bytes/4 bytes).

+- A file or folder uses a combination of different characters (ie, Name字😃).

+When different characters with different byte sizes are used in a file or folder name, each character’s byte size factors in to the file or folder length. A file or folder name of Name字😃 would use 1+1+1+1+3+4 bytes (11 bytes) of the total 255-byte length.

+#### Special emoji concepts

+Special emojis, such as a flag emoji, exist under the BMP classification: the emoji renders as text or image depending on client support. When a client doesn't support the image designation, it instead uses regional text-based designations.

+For instance, the [United States flag](https://emojipedia.org/flag-united-states) use the characters "us" (which resemble the Latin characters U+S, but are actually special characters that use different encodings). Uniname shows the differences between the characters.

+```

+# printf %b 'US' | uniname

+character byte UTF-32 encoded as glyph name

+ 0 0 000055 55 U LATIN CAPITAL LETTER U

+ 1 1 000053 53 S LATIN CAPITAL LETTER S

+# printf %b '🇺🇸' | uniname

+character byte UTF-32 encoded as glyph name

+ 0 0 01F1FA F0 9F 87 BA 🇺 Character in undefined range

+ 1 4 01F1F8 F0 9F 87 B8 🇸 Character in undefined range

+```

+Characters designated for the flag emojis translate to flag images in supported systems, but remain as text values in unsupported systems. These characters use 4 bytes per character for a total of 8 bytes when a flag emoji is used. As such, a total of 31 flag emojis are allowed in a file name (255 bytes/8 bytes).

+## SMB path limits

+By default, Windows servers and clients support path lengths up to 260 bytes, but the actual file path lengths are shorter due to metadata added to Windows paths such as [the `<NUL>` value](/windows/win32/fileio/maximum-file-path-limitation?tabs=registry) and domain information.

+When a path limit is exceeded in Windows, a dialog box appears:

+SMB path lengths can be extended when using Windows 10/Windows Server 2016 version 1607 or later by changing a registry value as covered in [Maximum Path Length Limitation](/windows/win32/fileio/maximum-file-path-limitation?tabs=registry). When this value is changed, path lengths can extend out to up to 32,767 bytes (minus metadata values).

+Once this feature is enabled, you must access the SMB share needs using `\\?\` in the path to allow longer path lengths. This method doesn't support UNC paths, so the SMB share needs to be mapped to a drive letter.

+Using `\\?\Z:` instead allows access and supports longer file paths.

+>[!NOTE]

+>The Windows CMD doesn't currently support the use of `\\?\`.

+### Workaround if the max path length cannot be increased

+If the max path length can't be enabled in the Windows environment or the Windows client versions are too low, there's a workaround. You can mount the SMB share deeper into the directory structure can reduce the queried path length.

+For example, rather than mapping `\\NAS-SHARE\AzureNetAppFiles` to `Z:`, map `\\NAS-SHARE\AzureNetAppFiles\folder1\folder2\folder3\folder4` to `Z:`.

+## NFS path limits

+NFS path limits with Azure NetApp Files volumes have the same 255-byte limit for individual path components. Each component, however, is evaluated one at a time and can process up to 4,096 bytes per request with a near limitless total path length. For instance, if each path component is 255 bytes, an NFS client can evaluate up to 15 components per request (including `/` characters). As such, a `cd` request to a path over the 4,096-byte limit yields a "File name too long" error message.

+In most cases, Unicode characters are 1 byte or less, so the 4,096-byte limit corresponds to 4,096 characters. If a character is larger than 1 byte in size, then the path length is less than 4,096 characters. Characters with a size greater than 1 byte in size count more against the total character count than 1-byte characters.

+The path length max can be queried using the `getconf PATH_MAX /NFSmountpoint` command.

+>[!NOTE]

+>The limit is defined in the `limits.h` file on the NFS client. You shouldn't adjust these limits.

+## Dual-protocol volume considerations

+When using Azure NetApp Files for dual-protocol access, the difference in how path lengths are handled in NFS and SMB protocols can create incompatibilities across file and folders. For instance, Windows SMB supports up to 32,767 characters in a path (provided the long path feature is enabled on the SMB client), but NFS support can exceed that amount. As such, if a path length is created in NFS that exceeds the support of SMB, clients are unable to access the data once the path length maximums have been reached. In those cases, either take care to consider the lower end limits of file path lengths across protocols when creating file and folder names (and folder path depth) or map SMB shares closer to the desired folder path to reduce the path length.

+Instead of mapping the SMB share to the top level of the volume to navigate down to a path of `\\share\folder1\folder2\folder3\folder4`, consider mapping the SMB share to the entire path of `\\share\folder1\folder2\folder3\folder4`. As a result, a drive letter mapping to `Z:` lands in the desired folder and reduces the path length from `Z:\folder1\folder2\folder3\folder4\file` to `Z:\file`.

+### Special character considerations

+Azure NetApp Files volumes use a language type of [C.UTF-8](/cpp/build/reference/utf-8-set-source-and-executable-character-sets-to-utf-8), which covers many countries and languages including German, Cyrillic, Hebrew, and most Chinese/Japanese/Korean (CJK). Most common text characters in Unicode are 3 bytes or less. Special characters--such as emojis, musical symbols, and mathematical symbols--are often larger than 3 bytes. Some use [UTF-16 surrogate pair logic](/windows/win32/intl/surrogates-and-supplementary-characters).

+If you use a character that Azure NetApp Files doesn't support, you might see a warning requesting a different file name.

+Rather than the name being too long, the error actually results from the character byte size being too large for the Azure NetApp Files volume to use over SMB. There's no workaround in Azure NetApp Files for this limitation. For more information on special character handling in Azure NetApp Files, see [Protocol behavior with special character sets](understand-volume-languages.md#protocol-behaviors-with-special-character-sets).

+## Next steps

+* [Understand volume languages](understand-volume-languages.md)

+ Title: Understand volume languages in Azure NetApp Files

+description: Learn about the supported languages and character sets with NFS, SMB, and dual-protocol configurations in Azure NetApp Files.

+# Understand volume languages in Azure NetApp Files

+Volume language (akin to system locales on client operating systems) on an Azure NetApp Files volume controls the supported languages and character sets when using [NFS and SMB protocols](network-attached-storage-protocols.md). Azure NetApp Files uses a default volume language of C.UTF-8, which provides POSIX compliant UTF-8 encoding for character sets. The C.UTF-8 language natively supports characters with a size of 0-3 bytes, which includes a majority of the worldΓÇÖs languages on the [Basic Multilingual Plane (BMP)](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) (including Japanese, German, and most of Hebrew and Cyrillic). For more information about the BMP, see [Unicode](#unicode).

+Characters outside of the BMP sometimes exceed the 3-byte size supported by Azure NetApp Files. They thus need to use [surrogate pair logic](/globalization/encoding/surrogate-pairs), where multiple character byte sets are combined to form new characters. Emoji symbols, for example, fall into this category and are supported in Azure NetApp Files in scenarios where UTF-8 isn't enforced: such as Windows clients that use UTF-16 encoding or NFSv3 that doesn't enforce UTF-8. NFSv4.x does enforce UTF-8, meaning surrogate pair characters don't display properly when using NFSv4.x.

+Nonstandard encoding, such as [Shift-JIS](https://wikipedia.org/wiki/Shift_JIS) and less common [CJK characters](https://en.wikipedia.org/wiki/List_of_CJK_fonts), also don't display properly when UTF-8 is enforced in Azure NetApp Files.

+>[!TIP]

+> You should send and receive text using UTF-8 to avoid situations where characters can't be translated properly, which can cause file creation/rename or copy error scenarios.

+The volume language settings currently can't be modified in Azure NetApp Files. For more information, see [Protocol behaviors with special character sets](#protocol-behaviors-with-special-character-sets).

+For best practices, see [Character set best practices](#character-set-best-practices).

+## Character encoding in Azure NetApp Files NFS and SMB volumes

+In an Azure NetApp Files file sharing environment, file and folder names are represented by a series of characters that end users read and interpret. The way those characters are displayed depends on how the client sends and receives encoding of those characters. For instance, if a client is sending legacy [ASCII (American Standard Code for Information Interchange)](https://www.ascii-code.com/) encoding to the Azure NetApp Files volume when accessing it, then it's limited to displaying only characters that are supported in the ASCII format.

+For instance, the Japanese character for data is 資. Since this character can't be represented in ASCII, a client using ASCII encoding show a “?” instead of 資.

+[ASCII supports only 95 printable characters](https://en.wikipedia.org/wiki/ASCII#Printable_characters), principally those found in the English language. Each of those characters uses 1 byte, which is factored into the [total file path length](understand-path-lengths.md) on an Azure NetApp Files volume. This limits the internationalization of datasets, since file names can have a variety of characters not recognized by ASCII, from Japanese to Cyrillic to emoji. An international standard ([ISO/IEC 8859](https://en.wikipedia.org/wiki/ISO/IEC_8859)) attempted to support more international characters, but also had its limitations. Most modern clients send and receive characters using some form of Unicode.

+### Unicode

+As a result of the limitations of ASCII and ISO/IEC 8859 encodings, the [Unicode](https://home.unicode.org/) standard was established so anyone can view their home region's language from their devices.

+* Unicode supports over one million character sets by increasing both the number of bytes per character allowed (up to 4 bytes) and the total number of bytes allowed in a file path as opposed to older encodings, such as ASCII.

+* Unicode supports backwards compatibility by reserving the first 128 characters for ASCII, while also ensuring the first 256 code points are identical to ISO/IEC 8859 standards.

+* In the Unicode standard, character sets are broken down into planes. A plane is a continuous group of 65,536 code points. In total, there are 17 planes (0-16) in the Unicode standard. The limit is 17 due to the limitations of UTF-16.

+* Plane 0 is the [Basic Multilingual Plane (BMP)](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane). This plane contains the most commonly used characters across multiple languages.

+* Of the 17 planes, only five currently have assigned character sets as of [Unicode version 15.1](https://www.unicode.org/versions/Unicode15.1.0/).

+* Planes 1-17 are known as [Supplementary Multilingual Planes (SMP)](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Supplementary_Multilingual_Plane) and contain less-used character sets, for example ancient writing systems such as cuneiform and hieroglyphs, as well as special Chinese/Japanese/Korean (CJK) characters.

+* For methods to see character lengths and path sizes and to control the encoding sent to a system, see [Converting files to different encodings](#converting-files-to-different-encodings).

+Unicode uses [Unicode Transformation Format](https://unicode.org/faq/utf_bom.html) as its standard, with UTF-8 and UTF-16 being the two main formats.

+#### Unicode planes

+Unicode leverages 17 planes of 65,536 characters (256 code points multiplied by 256 boxes in the plane), with Plane 0 as the [Basic Multilingual Plane (BMP)](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane). This plane contains the most commonly used characters across multiple languages. Because the world's languages and character sets exceed 65536 characters, more planes are needed to support less commonly used character sets.

+For instance, Plane 1 (the [Supplementary Multilingual Planes (SMP)](https://unicodeplus.com/plane/1)) includes historic scripts like cuneiform and Egyptian hieroglyphs as well as some [Osage](https://en.wikipedia.org/wiki/Osage_script), [Warang Citi](https://en.wikipedia.org/wiki/Warang_Citi), [Adlam](https://en.wikipedia.org/wiki/Adlam_script), [Wancho](https://en.wikipedia.org/wiki/Wancho_language#Orthography) and [Toto](https://en.wikipedia.org/wiki/Toto_language#Writing_system). Plane 1 also includes some symbols and [emoticon](https://en.wikipedia.org/wiki/Emoticons_(Unicode_block)) characters.

+Plane 2 ΓÇô the [Supplementary Ideographic Plane (SIP)](https://unicodeplus.com/plane/2) ΓÇô contains Chinese/Japanese/Korean (CJK) Unified Ideographs. Characters in planes 1 and 2 generally are 4 bytes in size.

+For example:

+- The ["grinning face with big eyes" emoticon "😃"](https://www.unicode.org/emoji/charts/full-emoji-list.html#1f603) in plane 1 is 4 bytes in size.

+- The [Egyptian hieroglyph "≡ôÇÇ](https://unicodeplus.com/U+13000)" in plane 1 is 4 bytes in size.

+- The [Osage character "𐒸](https://unicodeplus.com/U+104B8)" in plane 1 is 4 bytes in size.

+- The [CJK character "𫝁"](https://unicodeplus.com/U+2B741) in plane 2 is 4 bytes in size.

+Because these characters are all \>3 bytes in size, they require the use of surrogate pairs to work properly. Azure NetApp Files natively supports surrogate pairs, but the display of the characters varies depending on the protocol in use, the client's locale settings and the settings of the remote client access application.

+#### UTF-8

+UTF-8 uses 8-bit encoding and can have up to 1,112,064 code points (or characters). UTF-8 is the standard encoding across all languages in Linux-based operating systems. Because UTF-8 uses 8-bit encoding, the maximum unsigned integer possible is 255 (2^8 ΓÇô 1), which is also the maximum file name length for that encoding. UTF-8 is used on over 98% of pages on the Internet, making it by far the most adopted encoding standard. The [Web Hypertext Application Technology Working Group (WHATWG)](https://en.wikipedia.org/wiki/WHATWG) considers UTF-8 "the mandatory encoding for all [text]" and that for security reasons browser applications shouldn't use UTF-16.

+Characters in UTF-8 format each use 1 to 4 bytes, but nearly all characters in all languages use between 1 and 3 bytes. For instance:

+- The Latin alphabet letter "A" uses 1 byte. (One of the 128 reserved ASCII characters)

+- A copyright symbol "©" uses 2 bytes.

+- The character "ä" uses 2 bytes. (1 byte for "a" + 1 byte for the umlaut)

+- The Japanese Kanji symbol for data (資) uses 3 bytes.

+- A grinning face emoji (😃) uses 4 bytes.

+Language locales can use either computer standard UTF-8 (C.UTF-8) or a more [region-specific format](https://docs.moodle.org/403/en/Table_of_locales), such as en\_US.UTF-8, ja.UTF-8, etc. You should use UTF-8 encoding for Linux clients when accessing Azure NetApp Files whenever possible. As of OS X, macOS clients also use UTF-8 for its default encoding and shouldn't be adjusted.

+Windows clients use UTF-16. In most cases, this setting should be left as the default for the OS locale, but newer clients offer beta support for UTF-8 characters via a checkbox. Terminal clients in Windows can also be adjusted to use UTF-8 in PowerShell or CMD as needed. For more information, see [Dual protocol behaviors with special character sets](#dual-protocol-behaviors).

+#### UTF-16

+UTF-16 uses 16-bit encoding and is capable of encoding all 1,112,064 code points of Unicode. The encoding for UTF-16 can use one or two 16-bit code units, each 2 bytes in size. All characters in UTF-16 use 2 or 4-byte sizes. Characters in UTF-16 that use 4 bytes leverage [surrogate pairs](/windows/win32/intl/surrogates-and-supplementary-characters), which combine two separate 2-byte characters to create a new character. These supplementary characters fall outside of the standard BMP plane and into one of the other multilingual planes.

+UTF-16 is used in Windows operating systems and APIs, Java, and JavaScript. Since it doesn't support backwards compatibility with ASCII formats, it never gained popularity on the web. UTF-16 only makes up around 0.002% of all pages on the internet. The [Web Hypertext Application Technology Working Group (WHATWG)](https://en.wikipedia.org/wiki/WHATWG) considers UTF-8 "the mandatory encoding for all text" and recommends applications not use UTF-16 for browser security.

+Azure NetApp Files supports most UTF-16 characters, including surrogate pairs. In cases where the character isn't supported, Windows clients report an error of "file name you specified isn't valid or too long."

+## Character set handling over remote clients

+Remote connections to clients that mount Azure NetApp Files volumes (such as SSH connections to Linux clients to access NFS mounts) can be configured to send and receive specific volume language encodings. The language encoding sent to the client via the remote connection utility controls how character sets are created and viewed. As a result, a remote connection that uses a different language encoding than another remote connection (such as two different PuTTY windows) may show different results for characters when listing file and folder names in the Azure NetApp Files volume. In most cases, this won't create discrepancies (such as for Latin/English characters), but in the cases of special characters, such as emojis, results can vary.

+For instance, using an encoding of UTF-8 for the remote connection shows predictable results for characters in Azure NetApp Files volumes since C.UTF-8 is the volume language. The Japanese character for "data" (資) displays differently depending on the encoding being sent by the terminal.

+### Character encoding in PuTTY

+When a [PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) window uses UTF-8 (found in Windows's translation settings), the character is represented properly for an NFSv3 mounted volume in Azure NetApp Files:

+If the PuTTY window uses a different encoding, such as _ISO-8859-1:1998 (Latin-1, West Europe)_, the same character displays differently even though the file name is the same.

+PuTTY, by default, doesn't contain CJK encodings. There are [patches available](https://hp.vector.co.jp/authors/VA024651/PuTTYkj.html) to add those language sets to PuTTY.

+### Character encodings in Bastion

+Microsoft Azure recommends using Bastion for remote connectivity to virtual machines (VMs) in Azure. When using Bastion, the language encoding sent and received isn't exposed in the configuration but leverages standard UTF-8 encoding. As a result, most character sets seen in PuTTY using UTF-8 should also be visible in Bastion, provided the character sets are supported in the protocol being used.

+>[!TIP]

+>Other SSH terminals can be used such as [TeraTerm](https://sourceforge.net/projects/tera-term/). TeraTerm provides a wider range of supported character sets by default, including CJK encodings and nonstandard encodings such as Shift-JIS.

+## Protocol behaviors with special character sets

+Azure NetApp Files volumes use UTF-8 encoding and natively support characters that don't exceed 3 bytes. All characters in the ASCII and UTF-8 set display properly because they fall in the 1 to 3-byte range. For example:

+- The Latin alphabet character "A" uses 1 byte (one of the 128 reserved ASCII characters).

+- A copyright symbol © uses 2 bytes.

+- The character "ä" uses 2 bytes (1 byte for "a" and 1 byte for the umlaut).

+- The Japanese Kanji symbol for data (資) uses 3 bytes.

+Azure NetApp Files also support some characters that exceed 3 bytes via surrogate pair logic (such as emoji), provided the client encoding and protocol version supports them. For more information about protocol behaviors, see:

+- [SMB behaviors](#smb-behaviors)

+- [NFS behaviors](#nfs-behaviors)

+- [Dual-protocol behaviors](#dual-protocol-behaviors)

+## SMB behaviors

+In SMB volumes, Azure NetApp Files creates and maintains two names for files or directories in any directory that has access from an SMB client: the original long name and a name in [8.3 format](/openspecs/windows_protocols/ms-fscc/18e63b13-ba43-4f5f-a5b7-11e871b71f14).

+### File names in SMB with Azure NetApp Files

+When file or directory names exceed the allowed character bytes or use unsupported characters, Azure NetApp Files generates an 8.3-format name as follows:

+- It truncates the original file or directory name.

+- It appends a tilde (~) and a numeral (1-5) to file or directory names that are no longer unique after being truncated.

+ If there are more than five files with nonunique names, Azure NetApp Files creates a unique name with no relation to the original name. For files, Azure NetApp Files truncates the file name extension to three characters.

+

+For example, if an NFS client creates a file named `specifications.html`, Azure NetApp Files creates the file name `specif~1.htm` following the 8.3 format. If this name already exists, Azure NetApp Files uses a different number at the end of the file name. For example, if an NFS client then creates another file named `specifications\_new.html`, the 8.3 format of `specifications\_new.html` is `specif~2.htm`.

+### Special character in SMB with Azure NetApp Files

+When using SMB with Azure NetApp Files volumes, characters that exceed 3 bytes used in file and folder names (including emoticons) are allowed due to surrogate pair support. The following is what Windows Explorer sees for characters outside of the BMP on a folder created from a Windows client when using English with the default UTF-16 encoding.

+>[!NOTE]

+>The default font in Windows Explorer is Segoe UI. Font changes can affect how some characters display on clients.

+How the characters display on the client depends on the system font and the language and locale settings. In general, characters that fall into the BMP are supported across all protocols, regardless if the encoding is UTF-8 or UTF-16.

+When using either CMD or [PowerShell](/powershell/scripting/dev-cross-plat/vscode/understanding-file-encoding), the character set view may depend on the font settings. These utilities have limited font choices by default. CMD uses Consolas as the default font.

+File names might not display as expected depending on the font used as some consoles don't natively support Segoe UI or other fonts that render special characters properly.

+This issue can be addressed on Windows clients by using [PowerShell ISE](/powershell/scripting/windows-powershell/ise/introducing-the-windows-powershell-ise), which provides more robust font support. For instance, setting the PowerShell ISE to Segoe UI displays the file names with supported characters properly.

+However, PowerShell ISE is designed for scripting, rather than managing shares. Newer Windows versions offer [Windows Terminal](https://www.microsoft.com/p/windows-terminal/9n0dx20hk701), which allows for control over the fonts and encoding values.

+>[!NOTE]

+> Use the [`chcp`](/windows-server/administration/windows-commands/chcp) command to view the encoding for the terminal. For a complete list of code pages, see [Code page identifiers](/windows/win32/intl/code-page-identifiers).

+If the volume is enabled for dual-protocol (both NFS and SMB), you might observe different behaviors. For more information, see [Dual-protocol behaviors with special character sets](#dual-protocol-behaviors).

+## NFS behaviors

+How NFS displays special characters depends on the version of NFS used, the client's locale settings, installed fonts, and the settings of the remote connection client in use. For instance, using Bastion to access an Ubuntu client may handle character displays differently than a PuTTY client set to a different locale on the same VM. The ensuing NFS examples rely on these locale settings for the Ubuntu VM:

+```

+~$ locale

+LANG=C.UTF-8

+LANGUAGE=

+LC\_CTYPE="C.UTF-8"

+LC\_NUMERIC="C.UTF-8"

+LC\_TIME="C.UTF-8"

+LC\_COLLATE="C.UTF-8"

+LC\_MONETARY="C.UTF-8"

+LC\_MESSAGES="C.UTF-8"

+LC\_PAPER="C.UTF-8"

+LC\_NAME="C.UTF-8"

+LC\_ADDRESS="C.UTF-8"

+LC\_TELEPHONE="C.UTF-8"

+LC\_MEASUREMENT="C.UTF-8"

+LC\_IDENTIFICATION="C.UTF-8"

+LC\_ALL=

+```

+### NFSv3 behavior

+NFSv3 doesn't enforce UTF encoding on files and folders. In most cases, special character sets should have no issues. However, the connection client being used can affect how characters are sent and received. For instance, using Unicode characters outside of the BMP for a folder name in the Azure connection client Bastion can result in some unexpected behavior due to how the client encoding works.

+In the following screenshot, Bastion is unable to copy and paste the values to the CLI prompt from outside of the browser when naming a directory over NFSv3. When attempting to copy and paste the value of `NFSv3Bastion𓀀𫝁😃𐒸`, the special characters display as quotation marks in the input.

+The copy-paste command is permitted over NFSv3, but the characters are created as their numeric values, affecting their display:

+`NFSv3Bastion'$'\262\270\355\240\214\355\260\200\355\241\255\355\275\201\355\240\275\355\270\203\355\240\201\355`

+This display is due to the encoding used by Bastion for sending text values when copying and pasting.

+When using PuTTY to create a folder with the same characters over NFSv3, the folder name than differently in Bastion than when Bastion was used to create it. The emoticon shows as expected (due to the installed fonts and locale setting), but the other characters (such as the Osage "𐒸") don't.

+From a PuTTY window, the characters display correctly:

+### NFSv4.x behavior

+NFSv4.x enforces UTF-8 encoding in file and folder names per the [RFC-8881 internationalization specs](https://www.rfc-editor.org/rfc/rfc8881.html#internationalization).

+As a result, if a special character is sent with non-UTF-8 encoding, NFSv4.x might not allow the value.

+In some cases, a command may be allowed using a character outside of the [Basic Multilingual Plane (BMP)](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane), but it might not display the value after it's created.

+For instance, issuing `mkdir` with a folder name including the characters "𓀀𫝁😃𐒸" (characters in the [Supplementary Multilingual Planes (SMP)](https://unicodeplus.com/plane/1) and the [Supplementary Ideographic Plane (SIP)](https://unicodeplus.com/plane/2)) seems to succeed in NFSv4.x. The folder won't be visible when running the `ls` command.

+```

+root@ubuntu:/NFSv4/NFS$ mkdir "NFSv4 Putty 𓀀𫝁😃𐒸"

+root@ubuntu:/NFSv4/NFS$ ls -la

+total 8

+drwxrwxr-x 3 nobody 4294967294 4096 Jan 10 17:15 .

+drwxrwxrwx 4 root root 4096 Jan 10 17:15 ..

+root@ubuntu:/NFSv4/NFS$

+```

+The folder exists in the volume. Changing to that hidden directory name works from the PuTTY client, and a file can be created inside of that directory.

+```

+root@ubuntu:/NFSv4/NFS$ cd "NFSv4 Putty 𓀀𫝁😃𐒸"

+root@ubuntu:/NFSv4/NFS/NFSv4 Putty 𓀀𫝁😃𐒸$ sudo touch Unicode.txt

+root@ubuntu:/NFSv4/NFS/NFSv4 Putty 𓀀𫝁😃𐒸$ ls -la

+-rw-r--r-- 1 root root 0 Jan 10 17:31 Unicode.txt

+```

+A stat command from PuTTY also confirms the folder exists:

+```

+root@ubuntu:/NFSv4/NFS$ stat "NFSv4 Putty 𓀀𫝁😃𐒸"

+**File: NFSv4 Putty** **𓀀**** 𫝁 ****😃**** 𐒸**

+Size: 4096 Blocks: 8 IO Block: 262144 **directory**

+Device: 3ch/60d Inode: 101 Links: 2

+Access: (0775/drwxrwxr-x) Uid: ( 0/ root) Gid: ( 0/ root)

+Access: 2024-01-10 17:15:44.860775000 +0000

+Modify: 2024-01-10 17:31:35.049770000 +0000

+Change: 2024-01-10 17:31:35.049770000 +0000

+Birth: -

+```

+Even though the folder is confirmed to exist, wildcard commands don't work, as the client can't officially "see" the folder in the display.

+```

+root@ubuntu:/NFSv4/NFS$ cp \* /NFSv3/

+cp: can't stat '\*': No such file or directory

+```

+NFSv4.1 sends an error to the client when it encounters a character that doesn't rely on UTF-8 encoding.

+For example, when using Bastion to attempt access to the same directory we created using PuTTY over NFSv4.1, this is the result:

+```

+root@ubuntu:/NFSv4/NFS$ cd "NFSv4 Putty 𓀀𫝁😃�"

+-bash: cd: $'NFSv4 Putty \262\270\355\240\214\355\260\200\355\241\255\355\275\201\355\240\275\355\270\203\355\240\201\355': Invalid argument

+The "invalid argument" error message doesn't help diagnose the root cause, but a packet capture shines a light on the problem:

+78 1.704856 y.y.y.y x.x.x.x NFS 346 V4 Call (Reply In 79) LOOKUP DH: 0x44caa451/NFSv4 Putty ��������

+79 1.705058 x.x.x.x y.y.y.y NFS 166 V4 Reply (Call In 25) OPEN Status: NFS4ERR\_INVAL

+```

+[NFS4ERR_INVAL](https://www.rfc-editor.org/rfc/rfc8881.html#name-utf-8-related-errors) is covered in RFC-8881.

+Since the folder can be accessed from PuTTY (due to the encoding being sent and received), it can be copied if the name is specified. After copying that folder from the NFSv4.1 Azure NetApp Files volume to the NFSv3 Azure NetApp Files volume, the folder name displays:

+```

+root@ubuntu:/NFSv4/NFS$ cp -r /NFSv4/NFS/"NFSv4 Putty 𓀀𫝁😃𐒸" /NFSv3/NFSv3/

+root@ubuntu:/NFSv4/NFS$ ls -la /NFSv3/NFSv3 | grep v4

+drwxrwxr-x 2 root root 4096 Jan 10 17:49 NFSv4 Putty 𓀀𫝁😃𐒸

+```

+The same `NFS4ERR\_INVAL` error can be seen if a file conversion (using `[iconv](https://linux.die.net/man/1/iconv)``) to a non-UTF-8 format is attempted, such as Shift-JIS.

+```

+# echo "Test file with SJIS encoded filename" \> "$(echo 'テストファイル.txt' | iconv -t SJIS)"

+ -bash: $(echo 'テストファイル.txt' | iconv -t SJIS): Invalid argument

+```

+For more information, see [Converting files to different encodings](#converting-files-to-different-encodings).

+## Dual protocol behaviors

+Azure NetApp Files allows volumes to be accessed by both NFS and SMB via dual-protocol access. Because of the vast differences in the language encoding used by NFS (UTF-8) and SMB (UTF-16), character sets, file and folder names, and path lengths can have very different behaviors across protocols.

+### Viewing NFS-created files and folders from SMB

+When Azure NetApp Files is used for dual-protocol access (SMB and NFS), a character set unsupported by UTF-16 might be used in a file name created using UTF-8 via NFS. In those scenarios, when SMB accesses a file with unsupported characters, the name is truncated in SMB using the [8.3 short file name convention](/openspecs/windows_protocols/ms-fscc/18e63b13-ba43-4f5f-a5b7-11e871b71f14).

+#### NFSv3-created files and SMB behaviors with character sets

+NFSv3 doesn't enforce UTF-8 encoding. Characters using nonstandard language encodings (such as Shift-JIS) work with Azure NetApp Files when using NFSv3.

+In the following example, a series of folder names using different character sets from various planes in Unicode were created in an Azure NetApp Files volume using NFSv3. When viewed from NFSv3, these show up correctly.

+```

+root@ubuntu:/NFSv3/dual$ ls -la

+drwxrwxr-x 2 root root 4096 Jan 10 19:43 NFSv3-BMP-English

+drwxrwxr-x 2 root root 4096 Jan 10 19:43 NFSv3-BMP-Japanese-German-資ä

+drwxrwxr-x 2 root root 4096 Jan 10 19:43 NFSv3-BMP-copyright-©

+drwxrwxr-x 2 root root 4096 Jan 10 19:44 NFSv3-CJK-plane2-𫝁

+drwxrwxr-x 2 root root 4096 Jan 10 19:44 NFSv3-emoji-plane1-😃

+```

+From Windows SMB, the folders with characters found in the BMP display properly, but characters outside of that plane display with the 8.3 name format due to the UTF-8/UTF-16 conversion being incompatible for those characters.

+#### NFSv4.1-created files and SMB behaviors with character sets

+In the previous examples, a folder named `NFSv4 Putty 𓀀𫝁😃𐒸` was created on an Azure NetApp Files volume over NFSv4.1, but wasn't viewable using NFSv4.1. However, it can be seen using SMB. The name is truncated in SMB to a supported 8.3 format due to the unsupported character sets created from the NFS client and the incompatible UTF-8/UTF-16 conversion for characters in different Unicode planes.

+When a folder name uses standard UTF-8 characters found in the BMP (English or otherwise), then SMB translates the names properly.

+```

+root@ubuntu:/NFSv4/NFS$ mkdir NFS-created-English

+root@ubuntu:/NFSv4/NFS$ mkdir NFS-created-資ä

+root@ubuntu:/NFSv4/NFS$ ls -la

+total 16

+drwxrwxr-x 5 nobody 4294967294 4096 Jan 10 18:26 .

+drwxrwxrwx 4 root root 4096 Jan 10 17:15 ..

+**drwxrwxr-x 2 root root 4096 Jan 10 18:21 NFS-created-English**

+**drwxrwxr-x 2 root root 4096 Jan 10 18:26 NFS-created-**** 資 ****ä**

+```

+#### SMB-created files and folders over NFS

+Windows clients are the primary type of clients that are used to access SMB shares. These clients default to UTF-16 encoding. It's possible to support some UTF-8 encoded characters in Windows by enabling it in region settings:

+When a file or folder is created over an SMB share in Azure NetApp Files, the character set in use encode as UTF-16. As a result, clients using UTF-8 encoding (such as Linux-based NFS clients) may not be able to translate some character sets properly ΓÇô particularly characters that fall outside of the [Basic Multilingual Plane (BMP)](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane).

+##### Unsupported character behavior

+In those scenarios, when an NFS client accesses a file created using SMB with unsupported characters, the name displays as a series of numeric values representing the Unicode values for the character.

+For instance, this folder was created in Windows Explorer using characters outside of the BMP.

+```

+PS Z:\SMB\> dir

+Directory: Z:\SMB

+Mode LastWriteTime Length Name

+- - -

+d-- 1/9/2024 9:53 PM SMB𓀀𫝁😃𐒸

+```

+Over NFSv3, the SMB-created folder shows up:

+```

+$ ls -la

+drwxrwxrwx 2 root daemon 4096 Jan 9 21:53 'SMB'$'\355\240\214\355\260\200\355\241\255\355\275\201\355\240\275\355\270\203\355\240\201\355\262\270'

+```

+Over NFSv4.1, the SMB-created folder shows up as follows:

+```

+$ ls -la

+drwxrwxrwx 2 root daemon 4096 Jan 4 17:09 'SMB'$'\355\240\214\355\260\200\355\241\255\355\275\201\355\240\275\355\270\203\355\240\201\355\262\270'

+```

+##### Supported character behavior

+When the characters are in the BMP, there are no issues between the SMB and NFS protocols and their versions.

+For instance, a folder name created using SMB on an Azure NetApp Files volume with characters found in the BMP across multiple languages (English, German, Cyrillic, Runic) shows up fine across all protocols and versions.

+- [Basic Latin](https://unicodeplus.com/block/0000) "SMB"

+- [Greek](https://unicodeplus.com/block/0370) "ͶΘΩ"

+- [Cyrillic](https://unicodeplus.com/block/0400) "ЁЄЊ"

+- [Runic](https://unicodeplus.com/block/16A0) "ᚠᚱᛯ"

+- [CJK Compatibility Ideographs](https://unicodeplus.com/block/F900) "豈滑虜"

+This is how the name appears in SMB:

+```powershell

+PS Z:\SMB\> mkdir SMBͶΘΩЁЄЊᚠᚱᛯ豈滑虜

+Mode LastWriteTime Length Name

+- - -

+d-- 1/11/2024 8:00 PM SMBͶΘΩЁЄЊᚠᚱᛯ豈滑虜

+```

+This is how the name appears from NFSv3:

+```

+$ ls | grep SMBͶΘΩЁЄЊᚠᚱᛯ豈滑虜

+SMBͶΘΩЁЄЊᚠᚱᛯ豈滑虜

+```

+This is how the name appears from NFSv4.1:

+```

+$ ls /NFSv4/SMB | grep SMBͶΘΩЁЄЊᚠᚱᛯ豈滑虜

+SMBͶΘΩЁЄЊᚠᚱᛯ豈滑虜

+```

+## Converting files to different encodings

+File and folder names aren't the only portions of file system objects that utilize language encodings. File contents (such as special characters inside a text file) also can play a part. For instance, if a file is attempted to be saved with special characters in an incompatible format, then an error message may be seen. In this case, a file with Katagana characters can't be saved in ANSI, as those characters don't exist in that encoding.

+Once that file is saved in that format, the characters get converted to question marks:

+File encodings can be viewed from NAS clients. On Windows clients, you can use an application like Notepad or Notepad++ to view an encoding of a file. If [Windows Subsystem for Linux (WSL)](https://apps.microsoft.com/detail/9P9TQF7MRM4R) or [Git](https://git-scm.com/download/win) are installed on the client, the `file` command can be used.

+These applications also allow you to change the file's encoding by saving as different encoding types. In addition, PowerShell can be used to convert encoding on files with the [`Get-Content`](/powershell/module/microsoft.powershell.management/get-content) and [`Set-Content`](/powershell/module/microsoft.powershell.management/set-content) cmdlets.

+For example, the file `utf8-text.txt` is encoded as UTF-8 and contains characters outside of the BMP. Because UTF-8 is used, the characters are displayed properly.

+If the encoding is converted to UTF-32, the characters don't display properly.

+```powershell

+PS Z:\SMB\> Get-Content .\utf8-text.txt |Set-Content -Encoding UTF32 -Path utf32-text.txt

+```

+`Get-Content` can also be used to display the file contents. By default, PowerShell uses UTF-16 encoding (Code page 437) and the font selections for the console are limited, so the UTF-8 formatted file with special characters can't be displayed properly:

+Linux clients can use the [`file`](https://www.man7.org/linux/man-pages/man1/file.1.html) command to view the encoding of the file. In dual-protocol environments, if a file is created using SMB, the Linux client using NFS can check the file encoding.

+```

+$ file -i utf8-text.txt

+utf8-text.txt: text/plain; charset=utf-8

+$ file -i utf32-text.txt

+utf32-text.txt: text/plain; charset=utf-32le

+```

+File encoding conversion can be performed on Linux clients using the [`iconv`](https://www.man7.org/linux/man-pages/man1/iconv.1.html) command. To see the list of supported encoding formats, use `iconv -l`.

+For instance, the UTF-8 encoded file can be converted to UTF-16.

+```

+$ iconv -t UTF16 utf8-text.txt \> utf16-text.txt

+$ file -i utf8-text.txt

+utf8-text.txt: text/plain; **charset=utf-8**

+$ file -i utf16-text.txt

+utf16-text.txt: text/plain; **charset=utf-16le**

+```

+If the character set on the file's name or in the file's contents aren't supported by the destination encoding, then conversion isn't allowed. For instance, Shift-JIS can't support the characters in the file's contents.

+```

+$ iconv -t SJIS utf8-text.txt SJIS-text.txt

+iconv: illegal input sequence at position 0

+```

+If a file has characters that are supported by the encoding, then conversion will succeed. For instance, if the file contains the Katagana characters テストファイル, then Shift-JIS conversion will succeed over NFS. Since the NFS client being used here doesn't understand Shift-JIS due to locale settings, the encoding shows "unknown-8bit."

+```

+$ cat SJIS.txt

+テストファイル

+$ file -i SJIS.txt

+SJIS.txt: text/plain; charset=utf-8

+$ iconv -t SJIS SJIS.txt \> SJIS2.txt

+$ file -i SJIS.txt

+SJIS.txt: text/plain; **charset=utf-8**

+$ file -i SJIS2.txt

+SJIS2.txt: text/plain; **charset=unknown-8bit**

+```

+Because Azure NetApp Files volumes only support UTF-8 compatible formatting, the Katagana characters are converted to an unreadable format.

+```

+$ cat SJIS2.txt

+ΓûÆeΓûÆXΓûÆgΓûÆtΓûÆ@ΓûÆCΓûÆΓûÆ

+```

+When using NFSv4.x, conversion is allowed when noncompatible characters are present inside of the file's contents, even though NFSv4.x enforces UTF-8 encoding. In this example, a UTF-8 encoded file with Katagana characters located on an Azure NetApp Files volume shows the contents of a file properly.

+```

+$ file -i SJIS.txt

+SJIS.txt: text/plain; charset=utf-8

+S$ cat SJIS.txt

+テストファイル

+```

+But once it's converted, the characters in the file display improperly due to the incompatible encoding.

+```

+$ cat SJIS2.txt

+ΓûÆeΓûÆXΓûÆgΓûÆtΓûÆ@ΓûÆCΓûÆΓûÆ

+```

+If the file's name contains unsupported characters for UTF-8, then conversion succeeds over NFSv3, but fails over NFSv4.x due to the protocol version's UTF-8 enforcement.

+```

+# echo "Test file with SJIS encoded filename" \> "$(echo 'テストファイル.txt' | iconv -t SJIS)"

+-bash: $(echo 'テストファイル.txt' | iconv -t SJIS): Invalid argument

+```

+## Character set best practices

+When using special characters or characters outside of the standard [Basic Multilingual Plane (BMP)](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) on Azure NetApp Files volumes, some best practices should be kept in consideration.

+- Since Azure NetApp Files volumes use UTF-8 volume language, the file encoding for NFS clients should also use UTF-8 encoding for consistent results.

+- Character sets in file names or contained in file contents should be UTF-8 compatible for proper display and functionality.

+- Because SMB uses UTF-16 character encoding, characters outside of the BMP might not display properly over NFS in dual-protocol volumes. As possible, minimize the use of special characters in file contents.

+- Avoid using special characters outside of the BMP in file names, especially when using NFSv4.1 or dual-protocol volumes.

+- For character sets not in the BMP, UTF-8 encoding should allow display of the characters in Azure NetApp Files when using a single file protocol (SMB only or NFS only). However, dual-protocol volumes aren't able to accommodate these character sets in most cases.

+- Nonstandard encoding (such as Shift-JIS) isn't supported on Azure NetApp Files volumes.

+- Surrogate pair characters (such as emoji) are supported on Azure NetApp Files volumes.

+## Next steps

+* [Understand path lengths in Azure NetApp Files](understand-path-lengths.md)

+The following video covers basic concepts of Azure Resource Manager.

+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=d257e6ec-abab-47f4-a209-22049e7a40b4]

+* **Bicep file** - A file for declaratively deploying Azure resources. Bicep is a language that was designed to provide the best authoring experience for infrastructure as code solutions in Azure. See [Bicep overview](../bicep/overview.md).

+ If a resource group's region is temporarily unavailable, you may not be able to update resources in the resource group because the metadata is unavailable. The resources in other regions still function as expected, but you may not be able to update them. This condition may also apply to global resources like Azure DNS, Azure DNS Private Zones, Azure Traffic Manager, and Azure Front Door. You can view which types have their metadata managed by Azure Resource Manager via the [list of types for the Azure Resource Graph resources table](../../governance/resource-graph/reference/supported-tables-resources.md#resources).

+| [VMSA-2023-023](https://www.vmware.com/security/advisories/VMSA-2023-0023.html) VMware vCenter Server Out-of-Bounds Write Vulnerability (CVE-2023-34048) publicized in October 2023 | October 2023 | A risk assessment of CVE-2023-03048 was conducted and it was determined that sufficient controls are in place within Azure VMware Solution to reduce the risk of CVE-2023-03048 from a CVSS Base Score of 9.8 to an adjusted Environmental Score of [6.8](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MAC:L/MPR:H/MUI:R) or lower. Adjustments from the base score were possible due to the network isolation of the Azure VMware Solution vCenter Server (ports 2012, 2014, and 2020 are not exposed via any interactive network path) and multiple levels of authentication and authorization necassary to gain interactive access to the vCenter network segment. Microsoft is working on a plan to roll out security fixes soon to completely remediate the security vulnerability. | October 2023 |

+- Communications are drafted when necassary and published according to the risk rating assigned.

+>Communications are surfaced through [Azure Service Health Portal](/azure/service-health/service-health-portal-update), [Known Issues](/azure/azure-vmware/azure-vmware-solution-known-issues) or Email.

+- Arc-enabled servers

+To recover from failed deployments:

+Repeat the previous steps for one or more virtual machine, network, resource pool, and VM template resources.

+2. Choose a __Connectivity Method__ for the Arc agent.

+3. Provide an Administrator/Root access username and password for the VM.

+From here additional extensions can be installed. See the [VM extensions](/azure/azure-arc/servers/manage-vm-extensions?branch=main) for a list of current extensions.

+### Install extensions

+To add extensions, follow these steps:

+1. Go to **vCenter Server Inventory >** **Virtual Machines** and select the virtual machine to which you need to add an extension.

+2. Locate **Settings >** **Extensions** from the left navigation and select **Add**. Alternatively, in the **Overview** page an **Extensions** click-through is listed under Properties.

+1. Select the extension you want to install. Some extensions require additional information.

+4. When you're done, select **Review + create**.

+**Supported SQL Server versions** | SQL Server 2022 Express, SQL Server 2022, SQL Server 2019, SQL Server 2017 as detailed on the [Search product lifecycle page](https://support.microsoft.com/lifecycle/search?alpha=SQL%20server%202017), SQL Server 2016 and SPs as detailed on the [Search product lifecycle page](https://support.microsoft.com/lifecycle/search?alpha=SQL%20server%202016%20service%20pack), SQL Server 2014, SQL Server 2012, SQL Server 2008 R2, SQL Server 2008 <br/><br/> Enterprise, Standard, Web, Developer, Express.<br><br>Express Local DB versions aren't supported.

+## Step 4: Restart the Azure Chaos Agent service in the VM

+## Step 5: Run your Agent-based experiment using private endpoints

+> - [Argentina](../numbers/phone-number-management-for-argentina.md)

+> - [Brazil](../numbers/phone-number-management-for-brazil.md)

+> - [Chile](../numbers/phone-number-management-for-chile.md)

+> - [Colombia](../numbers/phone-number-management-for-colombia.md)

+> - [Mexico](../numbers/phone-number-management-for-mexico.md)

+## Argentina telephony offers

+### Phone number leasing charges

+|Number type |Monthly fee |

+|--|--|

+|Toll-Free |USD 25.00/mo |

+### Usage charges

+|Number type |To make calls |To receive calls |

+|-||--|

+|Toll-free |N/A |USD 0.2347/min |

+## Brazil telephony offers

+### Phone number leasing charges

+|Number type |Monthly fee |

+|--|--|

+|Toll-Free |USD 35.00/mo |

+### Usage charges

+|Number type |To make calls |To receive calls |

+|-||--|

+|Toll-free |N/A |Starting at USD 0.1888/min |

+## Chile telephony offers

+### Phone number leasing charges

+|Number type |Monthly fee |

+|--|--|

+|Toll-Free |USD 32.00/mo |

+### Usage charges

+|Number type |To make calls |To receive calls |

+|-||--|

+|Toll-free |N/A |USD 0.1621/min |

+## Colombia telephony offers

+### Phone number leasing charges

+|Number type |Monthly fee |

+|--|--|

+|Toll-Free |USD 25.00/mo |

+### Usage charges

+|Number type |To make calls |To receive calls |

+|-||--|

+|Toll-free |N/A |USD 0.1707/min |

+## Mexico telephony offers

+### Phone number leasing charges

+|Number type |Monthly fee |

+|--|--|

+|Toll-Free |USD 30.00/mo |

+### Usage charges

+|Number type |To make calls |To receive calls |

+|-||--|

+|Toll-free |N/A |USD 0.2161/min |

+The Azure confidential ledger, a REST API service, allows users to interact with the ledger through administrative and functional API calls. When data is recorded to the ledger, it is sent to the permissioned blockchain nodes that are secure enclaved backed replicas. The replicas follow a consensus concept. A user can also retrieve receipts for the data that was committed to the ledger.

+Code samples and users can authenticate Azure confidential ledger nodes.

+When initializing, code samples get the node certificate by querying the Identity Service. The code sample retrieves the node certificate before querying the ledger to get a quote, which is then validated using the Host Verify binaries. If the verification succeeds, the code sample proceeds to ledger operations.

+Users can validate the authenticity of Azure confidential ledger nodes to confirm they are indeed interfacing with their ledger's enclave. You can build trust in Azure confidential ledger nodes in a few ways, which can be stacked on one another to increase the overall level of confidence. As such, steps 1 and 2 are important confidence building mechanisms for users of Azure confidential ledger enclave as part of the initial TLS handshake and authentication within functional workflows. Furthermore, a persistent client connection is maintained between the user's client and the confidential ledger.

+1. **Validating a confidential ledger node**: A confidential ledger node is validated by querying the identity service hosted by Microsoft, which provides a service certificate and thus helps verify that the ledger node is presenting a certificate endorsed/signed by the service certificate for that specific instance. A well-known Certificate Authority (CA) or intermediate CA signs a server's certificate using PKI-based HTTPS. In the case of Azure confidential ledger, the CA certificate is returned by the Identity Service in the form of the service certificate. If this node certificate isn't signed by the returned service certificate, the client connection should fail (as implemented in the sample code).

+2. **Validating a confidential ledger enclave**: A confidential ledger runs in an Intel® SGX enclave represented by a remote attestation report (or quote), a data blob generated inside that enclave. It can be used by any other entity to verify that the quote has been produced from an application running with Intel® SGX protections. The quote contains claims that help identify various properties of the enclave and the application that it's running. In particular, it contains the SHA-256 hash of the public key contained in the confidential ledger node's certificate. The quote of a confidential ledger node can be retrieved by calling a functional workflow API. The retrieved quote can then be validated following the steps described [here](https://microsoft.github.io/CCF/main/use_apps/verify_quote.html).

+Microsoft Azure confidential ledger (ACL) is a new and highly secure service for managing sensitive data records. It runs exclusively on hardware-backed secure enclaves, a heavily monitored and isolated runtime environment, which keeps potential attacks at bay. Furthermore, Azure confidential ledger runs on a minimalistic Trusted Computing Base (TCB), which ensures that no oneΓüáΓÇönot even MicrosoftΓüáΓÇöis "above" the ledger.

+The confidential ledger is exposed through REST APIs, which can be integrated into new or existing applications. Administrators can manage the confidential ledger with Administrative APIs (Control Plane). The confidential ledger can also be called directly by application code through Functional APIs (Data Plane). The Administrative APIs support basic operations such as create, update, get and, delete. The Functional APIs allow direct interaction with your instantiated ledger and include operations such as put and get data.

+The data to the ledger is sent through TLS 1.3 connection and the TLS 1.3 connection terminates inside the hardware backed security enclaves (Intel® SGX enclaves), ensuring that no one can intercept the connection between a customer's client and the confidential ledger server nodes.

+Administrators can manage the confidential ledger with Administrative APIs (Control Plane), and the confidential ledger can be called directly by your application code through Functional APIs (Data Plane). The Administrative APIs support basic operations such as create, update, get and, delete.

+| Commit | A confirmation that a transaction was appended to the ledger. |

+| Receipt | Proof that the ledger processed a transaction. |

+Azure confidential ledger is a cloud service that provides a high integrity store for sensitive data logs and records that must be kept intact. In this quickstart, you use the [Azure CLI](/cli/azure/) to create a confidential ledger, view and update its properties, and delete it.

+For more information on Azure confidential ledger and examples of what can be stored in a confidential ledger, see [About Microsoft Azure confidential ledger](overview.md).

+To create a confidential ledger, you need your Microsoft Entra principal ID (also called your object ID). To obtain your principal ID, use the Azure CLI [az ad signed-in-user](/cli/azure/ad/signed-in-user) command, and filter the results by `objectId`:

+Your result is in the format `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`.

+A successful operation returns the properties of the newly created ledger. Take note of the **ledgerUri**. In our example, this URI is "https://myledger.confidential-ledger.azure.com".

+You need this URI to transact with the confidential ledger from the data plane.

+If you again run [az confidentialledger show](/cli/azure/confidentialledger#az-confidentialledger-show), you see that the role is updated.

+In this quickstart, you created a confidential ledger by using the Azure CLI. To learn more about Azure confidential ledger and how to integrate it with your applications, continue on to these articles.

+You also need a running confidential ledger, and a registered user with the `Administrator` privileges. You can create a confidential ledger (and an administrator) using the [Azure portal](quickstart-portal.md), the [Azure CLI](quickstart-cli.md), or [Azure PowerShell](quickstart-powershell.md).

+For this quickstart, you also need to install the Azure SDK client library for Azure Identity:

+The Azure confidential ledger client library for .NET allows you to create an immutable ledger entry in the service. The [Code examples](#code-examples) section shows how to create a write to the ledger and retrieve the transaction ID.

+In this quickstart, logged in user is used to authenticate to Azure confidential ledger, which is preferred method for local development. The name of your confidential ledger is expanded to the key vault URI, in the format "https://\<your-confidential-ledger-name\>.confidential-ledger.azure.com". This example is using ['DefaultAzureCredential()'](/dotnet/api/azure.identity.defaultazurecredential) class from [Azure Identity Library](/dotnet/api/overview/azure/identity-readme), which allows to use the same code across different environments with different options to provide identity.

+Azure confidential ledger is a cloud service that provides a high integrity store for sensitive data logs and records that require data to be kept intact. For more information on Azure confidential ledger and examples of what can be stored in a confidential ledger, see [About Microsoft Azure confidential ledger](overview.md).

+1. You must now add a Microsoft Entra ID-based or certificate-based user to your confidential ledger with a role of "Administrator." In this quickstart, you add a Microsoft Entra ID-based user. Select **+ Add Microsoft Entra ID-Based User**.

+1. Select **Review + Create**. After validation, select **Create**.

+When the deployment is complete, select **Go to resource**.

+Take note of these two properties:

+- **confidential ledger name**: In the example, it is "test-create-ledger-demo." Use this name for other steps.

+Azure confidential ledger is a cloud service that provides a high integrity store for sensitive data logs and records that must be kept intact. In this quickstart, you use [Azure PowerShell](/powershell/azure/) to create a confidential ledger, view and update its properties, and delete it. For more information on Azure confidential ledger and examples of what can be stored in a confidential ledger, see [About Microsoft Azure confidential ledger](overview.md).

+In this quickstart, you create a confidential ledger with [Azure PowerShell](/powershell/azure/). If you choose to install and use PowerShell locally, this tutorial requires Azure PowerShell module version 1.0.0 or later. Type `$PSVersionTable.PSVersion` to find the version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-azure-powershell). If you're running PowerShell locally, you also need to run `Login-AzAccount` to create a connection with Azure.

+To create a confidential ledger, use your Microsoft Entra principal ID (also called your object ID). To obtain your principal ID, use the Azure PowerShell [Get-AzADUser](/powershell/module/az.resources/get-azaduser) cmdlet, with the `-SignedIn` flag:

+Your result is listed under "Id", in the format `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`.

+Use the Azure PowerShell [New-AzConfidentialLedger](/powershell/module/az.confidentialledger/new-azconfidentialledger) command to create a confidential ledger in your new resource group.

+A successful operation returns the properties of the newly created ledger. Take note of the **ledgerUri**. In the example above, this URI is "https://myledger.confidential-ledger.azure.com".

+You need this URI to transact with the confidential ledger from the data plane.

+If you again run [Get-AzConfidentialLedger](/powershell/module/az.confidentialledger/get-azconfidentialledger), you see that the role is updated.

+Get started with the Microsoft Azure confidential ledger client library for Python. Follow the steps in this article to install the package and try out example code for basic tasks.

+Microsoft Azure confidential ledger is a new and highly secure service for managing sensitive data records. Based on a permissioned blockchain model, Azure confidential ledger offers unique data integrity advantages, such as immutability (making the ledger append-only) and tamper proofing (to ensure all records are kept intact).

+- Python versions [supported by the Azure SDK for Python](https://github.com/Azure/azure-sdk-for-python#prerequisites).

+We can now start writing our Python application. First, import the required packages.

+Next, use the [DefaultAzureCredential Class](/python/api/azure-identity/azure.identity.defaultazurecredential) to authenticate the app.

+Finish setup by setting some variables for use in your application: the resource group (myResourceGroup), the name of ledger you want to create, and two urls to be used by the data plane client library.

+The control plane client library (azure.mgmt.confidentialledger) allows operations on ledgers, such as creation, modification, deletion, listing the ledgers associated with a subscription, and getting the details of a specific ledger.

+In the code, first create a control plane client by passing the ConfidentialLedgerAPI the credential variable and your Azure subscription ID (both of which are set above).

+Now that we have a ledger, interact with it using the data plane client library (azure.confidentialledger).

+First, we generate and save a confidential ledger certificate.

+Container Apps checks for a new version of the image whenever a container is started. In Docker or Kubernetes terminology, Container Apps sets each container's image pull policy to `always`.

+1. Create a container app revision with a private image and the user-assigned managed identity.

+### Create a container app with a private image

+If you don't want to start by creating a container app with a public image, you can also do the following.

+1. Create a user-assigned managed identity.

+1. Add the `acrpull` role to the user-assigned managed identity.

+1. Create a container app with a private image and the user-assigned managed identity.

+This method is typical in Infrastructure as Code (IaC) scenarios.

+ Title: Use the Explorer to manage your data

+description: Learn about the Azure Cosmos DB Explorer, a standalone web-based interface that allows you to view and manage the data stored in Azure Cosmos DB.

+# CustomerIntent: As a database developer, I want to access the Explorer so that I can observe my data and make queries against my data.

+# Use the Azure Cosmos DB Explorer to manage your data

+Azure Cosmos DB Explorer is a standalone web-based interface that allows you to view and manage the data stored in Azure Cosmos DB. Azure Cosmos DB Explorer is equivalent to the existing **Data Explorer** section that is available in Azure portal for Azure Cosmos DB accounts.

+The Azure Cosmos DB Explorer has a few key advantages when compared to the Data explorer, including:

+- Full screen real-estate to browse data, run queries, and observe query results

+- Ability to provide users without access to the Azure portal or an Azure subscription read or read-write capabilities over data in containers

+- Ability to share query results with users who don't have an Azure subscription or Azure portal access

+## Prerequisites

+- An existing Azure Cosmos DB account.

+ - If you don't have an Azure subscription, [Try Azure Cosmos DB free](https://cosmos.azure.com/try/).

+## Access the Explorer directly using your Azure subscription

+You can use access the Explorer directly and use your existing credentials to quickly get started with the tool.

+1. Navigate to <https://cosmos.azure.com>.

+1. Select **Sign In**. Sign in using your existing credentials that have access to the Azure Cosmos DB account.

+1. Next, select your Azure subscription and target account from the **Select a Database Account** menu.

+ 

+## Access the Explorer from the Azure portal using your Azure subscription

+If you're already comfortable with the Azure portal, you can navigate directly from the in-portal Data Explorer to the standalone Explorer.

+1. Sign in to [Azure portal](https://portal.azure.com/).

+1. Navigate to your existing Azure Cosmos DB account.

+1. In the resource menu, select **Data Explorer**.

+1. Next, select the **Open Full Screen** menu option.

+ 

+## Grant someone else access to the Explorer using a connection string

+Use either the **read-write** or **read-only** key to give another user access to your Azure Cosmos DB account. This method works even if the user doesn't have access to an Azure subscription or the Azure portal.

+1. Sign in to [Azure portal](https://portal.azure.com/).

+1. Navigate to your existing Azure Cosmos DB account.

+1. In the resource menu, select **Keys**.

+1. On the **keys** page, select either the **Read-write Keys** or **Read-only Keys** option. Then, copy the value of the **Primary Connection String** field. You use this value in a later step.

+ | | Description |

+ | | |

+ | **Read-write key** | Provides access to view and modify the databases, containers, queries, and other resources associated with that specific account |

+ | **Read-only key** | Provides access to view databases, containers, queries, and other resources associated with that specific account |

+ > [!TIP]

+ > If you want to share results of a query with your teammates who don't have access to an Azure Subscription or the Azure portal, you can provide them with the read-only .

+1. Now, have the other user navigate to <https://cosmos.azure.com>.

+1. Select **Connect to your account with connection string**. Then, have the user enter the connection string copied earlier and select **Connect**.

+## Configure request unit threshold

+In the Explorer, you can configure a limit to the request units per second (RU/s) that queries use. Use this functionality to control the cost and performance in request units (RU) of your queries. This functionality can also cancel high-cost queries automatically.

+1. Start in the Explorer for the target Azure Cosmos DB account.

+1. Select the **Settings** menu option.

+ 

+1. In the **Settings** dialog, configure whether you want to **Enable RU threshold** and the actual **RU threshold** value.

+ 

+ > [!TIP]

+ > The RU threshold is enabled automatically with a default value of **5,000** RUs.

+Here are a few currently known issues:

+- Browsing items that contain a UUID isn't supported in Data Explorer. This limitation doesn't affect loading containers, only viewing individual items or queries that include these items. To view and manage these items, users should continue to use the same tooling/SDKs that was originally used to create these items.

+- HTTP 401 errors could occur due to insufficient role-based access control permissions for your Microsoft Entra ID account. This condition can be true particularly if the account has a custom role. Any custom roles must have the `Microsoft.DocumentDB/databaseAccounts/listKeys/*` action included to use the Explorer.

+## Next step

+> [!div class="nextstepaction"]

+> [Getting started with queries](nosql/query/getting-started.md)

+> [!NOTE]

+> If you are experiencing challenges connecting to your Azure Cosmos DB account from the Data Explorer, review the [Data Explorer troubleshooting guide](/troubleshoot/azure/cosmos-db/data-explorer).

+- To learn more about creating the private marketplace, see [Create private Azure Marketplace](/marketplace/create-manage-private-azure-marketplace-new#create-private-azure-marketplace).

+The Azure Dedicated HSM Service provides a physical device for sole customer use with complete administrative control and management responsibility. The device made available is a [Thales Luna 7 HSM model A790](https://cpl.thalesgroup.com/encryption/hardware-security-modules/network-hsms). Microsoft has no administrative access once provisioned by a customer, beyond physical serial port attachment as a monitoring role. As a result, customers are responsible for typical operational activities including comprehensive monitoring and log analysis.

+Customers are fully responsible for applications that use the HSMs and should work with Thales for support or consulting assistance. Due to the extent of customer ownership of operational hygiene, it is not possible for Microsoft to offer any kind of high availability guarantee for this service. It is the customer's responsibility to ensure their applications are correctly configured to achieve high availability. Microsoft monitors and maintains device health and network connectivity.

+The Thales Luna 7 HSM device in use has by default SNMP and serial port as options for monitoring the device. Microsoft has used the serial port connection as a physical means to connect to the device to retrieve basic telemetry on device health, including temperature and component status (such as power supplies and fans).

+To do so, Microsoft uses a nonadministrative "monitor" role set up on the Thales device. This role gives the ability to retrieve the telemetry but does not give any access to the device in terms of administrative task or in any way viewing cryptographic information. Our customers can be assured their device is truly their own to manage, administer, and use for sensitive cryptographic key storage. In case any customer is not satisfied with this minimal access for basic health monitoring, they do have the option to disable the monitoring account. The obvious consequence of this is that Microsoft will have no information and hence no ability to provide any proactive notification of device health issues. In this situation, the customer is responsible for the health of the device.

+Use the [Defender for Endpoint status workbook](https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Workbooks/Defender%20for%20Servers%20Deployment%20Status) to verify installation and deployment status of Defender for Endpoint on a Linux machine.

+You can use the [Defender for Endpoint deployment status workbook](https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Workbooks/Defender%20for%20Servers%20Deployment%20Status) to track the Defender for Endpoint deployment status on your Azure VMs and non-Azure machines that are connected via Azure Arc. The interactive workbook provides an overview of machines in your environment showing their Microsoft Defender for Endpoint extension deployment status.

+**To investigate a security alert**:

+1. Select an alert. A side pane opens and shows a description of the alert and all the affected resources.

+ In this example, the alerts with severity of `Informational` for the resource `ASC-AKS-CLOUD-TALK` are selected.

+1. Use the checkboxes to select the alerts to be processed.

+ In this example, all alerts are selected. The **Change status** button is now available.

+The alerts shown in the current page have their status changed to the selected value.

+1. Review the **Mitigate the threat** section for the manual investigation steps necessary to mitigate the issue.

+1. We encourage you to provide feedback about the alert to Microsoft:

+ :::image type="content" source="./media/managing-and-responding-alerts/alert-feedback.png" alt-text="Screenshot of the provide feedback to Microsoft window that allows you to select the usefulness of an alert.":::

+Also ensure your Log Analytics agent is [properly configured to send data to Defender for Cloud](working-with-log-analytics-agent.md#manual-agent).

+ - When the Monitoring Agent is installed as an extension, the extension configuration allows reporting to only a single workspace. Defender for Cloud doesn't override existing connections to user workspaces. Defender for Cloud will store security data from the VM in the workspace already connected, if the "Security" or "SecurityCenterFree" solution was installed on it. Defender for Cloud might upgrade the extension version to the latest version in this process.

+This table shows the availability details for the components required by the protections offered by [Microsoft Defender for Containers](defender-for-containers-introduction.md).

+| Clouds: | **Defender agent**:<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/no-icon.png"::: Azure Government, Microsoft Azure operated by 21Vianet<br>**Azure Policy for Kubernetes**:<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Azure Government, Microsoft Azure operated by 21Vianet|**Defender agent**:<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/no-icon.png"::: Azure Government, Microsoft Azure operated by 21Vianet<br>**Azure Policy for Kubernetes**:<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/no-icon.png"::: Azure Government, Microsoft Azure operated by 21Vianet|

+description: Learn how to enforce multifactor authentication for your Azure subscriptions using Microsoft Defender for Cloud.

+ ```Kusto

+You can use Azure Policy to enable Microsoft Defender for Cloud on all the Azure subscriptions within the same management group (MG). This is more convenient than accessing them individually from the portal, and works even if the subscriptions belong to different owners.

+1. Select **Remediation**, and select **Create a remediation task** to ensure all existing subscriptions that don't have Defender for Cloud enabled will get onboarded.

+There are various ways you might choose to modify the Azure Policy definition:

+ > When any Microsoft Defender plan is enabled, it's described in a policy definition as being on the 'Standard' setting. When it's disabled, it's 'Free'. To learn about the differences between these plans, see [Microsoft Defender for Cloud's Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads).

+ ```json

+ ```json

+ The supplied definition's `deployment` section has a parameter `pricingTier`. By default, this is set to `free`, but you can modify it.

+## Next steps

+Now that you onboarded an entire management group, enable the enhanced security features.

+Through relying on the 42Crunch [Audit](https://42crunch.com/api-security-audit) and [Scan](https://42crunch.com/api-conformance-scan/) services, developers can proactively test and harden APIs within their CI/CD pipelines through static and dynamic testing of APIs against the top OWASP API risks and OpenAPI specification best practices. The security scan results from 42Crunch are now available within Defender for Cloud, ensuring central security teams have visibility into the health of APIs within the Defender for Cloud recommendation experience, and can take governance steps natively available through Defender for Cloud recommendations.

+This feature requires a GitHub connector in Defender for Cloud. See [how to onboard your GitHub organizations](quickstart-onboard-github.md).

+1. Select **Actions**.

+1. Select **New Workflow**.

+1. Choose **Setup a workflow yourself**.

+1. Rename the workflow from `main.yaml` to `42crunch-audit.yml`.

+ :::image type="content" source="media/onboarding-guide-42crunch/new-action.png" alt-text="Screenshot showing new action running." lightbox="media/onboarding-guide-42crunch/new-action.png":::

+You now verified that the Audit results are showing in GitHub Code Scanning. Next, we verify that these Audit results are available within Defender for Cloud. It might take up to 30 minutes for results to show in Defender for Cloud.

+The selected recommendation shows all 42Crunch Audit findings. You completed the onboarding for the 42Crunch Audit step.

+The scan requires a nonproduction live API endpoint, and the required credentials (API key/access token). [Follow these steps](https://github.com/42Crunch/apisecurity-tutorial) to configure the 42Crunch Scan.

+Yes. 42Crunch includes the ability to enforce compliance using [Security Quality Gates (SQG)](https://docs.42crunch.com/latest/content/concepts/security_quality_gates.htm). SQGs are composed of certain criteria that must be met to successfully pass an Audit or Scan. For example, an SQG can ensure that an Audit or Scan with one or more critical severity issues doesn't pass. In CI/CD, the 42Crunch Audit or Scan can be configured to fail a build if it fails to pass an SQG, thus requiring a developer to resolve the underlying issue before pushing their code.

+A limited free trial version of the 42Crunch security Audit and Conformance scan can be deployed in CI/CD, which generates reports locally without the need for a 42Crunch SaaS connection. In this version, there's no data shared with the 42Crunch platform.

+42Crunch is licensed based on a combination of the number of APIs and the number of developers that are provisioned on the platform. For example pricing bundles, see [this marketplace listing](https://azuremarketplace.microsoft.com/marketplace/apps/42crunch1580391915541.42crunch_developer_first_api_security_platform?tab=overview). Custom pricing is available through private offers on the Azure commercial marketplace. For a custom quote, reach out to <mailto:sales@42crunch.com>.

+For the free version of 42Crunch, the 42Crunch CI/CD plugins work standalone, with no requirement to sign in to the 42Crunch platform. Audit and scanning results are then made available in Microsoft Defender for Cloud, as well as within the CI/CD platform. Audits and scans are limited to up to 25 executions per month each, per repo, with a maximum of three repositories.

+| Registries and images | **Supported**<br> ΓÇó ACR registries <br> ΓÇó [ACR registries protected with Azure Private Link](/azure/container-registry/container-registry-private-link) (Private registries requires access to Trusted Services) <br> ΓÇó Container images in Docker V2 format <br> ΓÇó Images with [Open Container Initiative (OCI)](https://github.com/opencontainers/image-spec/blob/main/spec.md) image format specification <br> **Unsupported**<br> ΓÇó Super-minimalist images such as [Docker scratch](https://hub.docker.com/_/scratch/) images<br> is currently unsupported <br>

+| Registries and images | **Supported**<br> ΓÇó ECR registries <br> ΓÇó Container images in Docker V2 format <br> ΓÇó Images with [Open Container Initiative (OCI)](https://github.com/opencontainers/image-spec/blob/main/spec.md) image format specification <br> **Unsupported**<br> ΓÇó Super-minimalist images such as [Docker scratch](https://hub.docker.com/_/scratch/) images is currently unsupported <br> ΓÇó Public repositories <br> ΓÇó Manifest lists <br>|

+| Registries and images | **Supported**<br> ΓÇó Google Registries (GAR, GCR) <br> ΓÇó Container images in Docker V2 format <br> ΓÇó Images with [Open Container Initiative (OCI)](https://github.com/opencontainers/image-spec/blob/main/spec.md) image format specification <br> **Unsupported**<br> ΓÇó Super-minimalist images such as [Docker scratch](https://hub.docker.com/_/scratch/) images is currently unsupported <br> ΓÇó Public repositories <br> ΓÇó Manifest lists <br>|

+For details on the new API version, see [Microsoft Defender for Cloud REST APIs](/rest/api/defenderforcloud/operation-groups?view=rest-defenderforcloud-2023-09-01-preview).

+|**ABB** | ABB 800xA DCS (IEC61850 MMS including ABB extension)<br> CNCP<br> RNRP<br> ABB IAC<br> ABB Totalflow <br> ABB NetConfig |

+|**DICOM** | Dicom |

+|**FANUC** | FANUC FOCUS |

+|**FieldComm Group**| HART-IP |

+|**Rockwell Automation** | CSP2<br> ENIP<br> EtherNet/IP CIP (including Rockwell extension)<br> EtherNet/IP CIP FW version 27 and above <br>Rockwell AADvance Discover <br> Rockwell AADvance SNCP/IXL |

+|**Schneider Electric** | Modbus/TCP<br> Modbus TCPΓÇôSchneider Unity Extensions<br> OASYS (Schneider Electric Telvant)<br> Schneider TSAA <br> Schneider NetManage |

+ Title: Accelerate OT alert workflows - Microsoft Defender for IoT

+# Accelerate OT alert workflows

+> [!NOTE]

+> Noted features are in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+- **Create suppression rules** from the Azure portal to reduce the alerts triggered by your sensors. If you're working in an air-gapped environment, do this by creating alert exclusion rules on the on-premises management console.

+Before you use the procedures on this page, note the following prerequisites:

+|To ... |You must have ... |

+|||

+|[Create alert suppression rules on the Azure portal](#create-alert-suppression-rules-on-the-azure-portal-public-preview) | A Defender for IoT subscription with at least one cloud-connected OT sensor and access as a [Security Admin](../../role-based-access-control/built-in-roles.md#security-admin), [Contributor](../../role-based-access-control/built-in-roles.md#contributor), or [Owner](../../role-based-access-control/built-in-roles.md#owner). |

+|[Create a DNS allowlist on an OT sensor](#allow-internet-connections-on-an-ot-network) | An OT network sensor installed and access to the sensor as the default *Admin* user. |

+|[Create alert comments on an OT sensor](#create-alert-comments-on-an-ot-sensor) | An OT network sensor installed and access to the sensor as any user with an **Admin** role. |

+|[Create custom alert rules on an OT sensor](#create-custom-alert-rules-on-an-ot-sensor) | An OT network sensor installed and access to the sensor as any user with an **Admin** role. |

+|[Create alert exclusion rules on an on-premises management console](#create-alert-exclusion-rules-on-an-on-premises-management-console) | An on-premises management console installed and access to the on-premises management console as any user with an **Admin** role. |

+For more information, see:

+- [Install OT monitoring software on OT sensors](ot-deploy/install-software-ot-sensor.md)

+- [Azure user roles and permissions for Defender for IoT](roles-azure.md)

+- [On-premises users and roles for OT monitoring with Defender for IoT](roles-on-premises.md)

+## Suppress irrelevant alerts

+Configure your OT sensors to suppress alerts for specific traffic on your network that would otherwise trigger an alert. For example, if all the OT devices monitored by a specific sensor are going through maintenance procedures for two days, you might want to define a rule to suppress all alerts generated by that sensor during the maintenance period.

+- For cloud connected OT sensors, create alert suppression rules on the Azure portal to ignore specified traffic on your network that would otherwise trigger an alert.

+- For locally managed sensors, create alert exclusion rules on the on-premises management console, either using the UI or the API.

+> [!IMPORTANT]

+> Rules configured on the Azure portal override any rules configured for the same sensor on the on-premises management console. If you're currently using alert exclusion rules on your on-premises management console, we recommend that you [migrate them to the Azure portal](#migrate-suppression-rules-from-an-on-premises-management-console-public-preview) as suppression rules before you start.

+>

+### Create alert suppression rules on the Azure portal (Public Preview)

+This section describes how to create an alert suppression rule on the Azure portal, and is supported for cloud-connected sensors only.

+**To create an alert suppression rule**:

+1. In [Defender for IoT](https://ms.portal.azure.com/#view/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/~/Getting_started) on the Azure portal, select **Alerts** > :::image type="icon" source="media/how-to-accelerate-alert-incident-response/suppression-rules.png" border="false"::: **Suppression rules**.

+1. On the **Suppression rules (Preview)** page, select **+ Create**.

+1. In the **Create suppression rule** pane **Details** tab, enter the following details:

+ 1. Select your Azure subscription from the drop-down list.

+ 1. Enter a meaningful name for your rule and an optional description.

+ 1. Toggle on **Enabled** to have the rule start running as configured. You can also leave this option toggled off to start using the rule only later on.

+ 1. In the **Suppress by time range** area, toggle on **Expiration date** to define a specific start and end date and time for your rule. Select **Add range** to add multiple time ranges.

+ 1. In the **Apply on** area, select whether you want to apply the rule to all sensors on your subscription, or only on specific sites or sensors. If you select **Apply on custom selection**, select the sites and/or sensors where you want the rule to run.

+ When you select a specific site, the rule applies to all existing and future sensors associated with the site.

+ 1. Select **Next** and confirm the override message.

+1. In the **Create suppression rule** pane **Conditions** tab:

+ 1. In the **Alert name** dropdown list, select one or more alerts for your rule. Selecting the name of an alert engine instead of a specific rule name applies the rule to all existing and future alerts associated with that engine.

+ 1. Optionally filter your rule further by defining additional conditions, such as for traffic coming from specific sources, to specific destinations, or on specific subnets.

+ 1. When you're finished configuring your rule conditions, select **Next**.

+1. In the **Create suppression rule** pane **Review and create** tab, review the details of the rule you're creating and then select **Create**.

+Your rule is added to the list of suppression rules on the **Suppression rules (Preview)** page. Select a rule to edit or delete it as needed.

+> [!TIP]

+> If you need to export suppression rules, select the **Export** button from the toolbar. All rules configured are exported to a single .CSV file, which you can save locally.

+### Migrate suppression rules from an on-premises management console (Public Preview)

+If you're currently using an on-premises management console with cloud-connected sensors, we recommend that you migrate any exclusion rules to the Azure portal as suppression rules before you start creating new suppression rules. Any suppression rules configured on the Azure portal override alert exclusion rules that exist for the same sensors on the on-premises management console.

+**To export alert exclusion rules and import them to the Azure portal**:

+1. Sign into your on-premises management console and select **Alert Exclusion**.

+1. On the **Alert Exclusion** page, select :::image type="icon" source="media/how-to-accelerate-alert-incident-response/export.png" border="false"::: **Export** to export your rules to a .CSV file.

+1. In [Defender for IoT](https://ms.portal.azure.com/#view/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/~/Getting_started) on the Azure portal, select **Alerts** > **Suppression rules**.

+1. On the **Suppression rules (Preview)** page, select **Migrate local manager rules**, and then browse to and select the .CSV file you'd downloaded from the on-premises management console.

+1. In the **Migrate suppression rules** pane, review the uploaded list of suppression rules you're about to migrate, then select **Approve migration**.

+1. Confirm the override message.

+Your rules are added to the list of suppression rules on the **Suppression rules (Preview)** page. Select a rule to edit or delete it as needed.

+### Create alert exclusion rules on an on-premises management console

+We recommend creating alert exclusion rules on an on-premises management console only for locally managed sensors. For cloud-connected sensors, any suppression rules created on the Azure portal will override exclusion rules created on the on-premises management console for that sensor.

+**To create an alert exclusion rule**:

+1. Sign into your on-premises management console and select **Alert Exclusion** on the left-hand menu.

+1. On the **Alert Exclusion** page, select the **+** button at the top-right to add a new rule.

+1. In the **Create Exclusion Rule** dialog, enter the following details:

+ |Name |Description |

+ |||

+ |**Name** | Enter a meaningful name for your rule. The name can't contain quotes (`"`). |

+ |**By Time Period** | Select a time zone and the specific time period you want the exclusion rule to be active, and then select **ADD**. <br><br>Use this option to create separate rules for different time zones. For example, you might need to apply an exclusion rule between 8:00 AM and 10:00 AM in three different time zones. In this case, create three separate exclusion rules that use the same time period and the relevant time zone. |

+ |**By Device Address** | Select and enter the following values, and then select **ADD**: <br><br>- Select whether the designated device is a source, destination, or both a source and destination device. <br>- Select whether the address is an IP address, MAC address, or subnet <br>- Enter the value of the IP address, MAC address, or subnet. |

+ |**By Alert Title** | Select one or more alerts to add to the exclusion rule and then select **ADD**. To find alert titles, enter all, or part of an alert title and select the one you want from the dropdown list. |

+ |**By Sensor Name** | Select one or more sensors to add to the exclusion rule and then select **ADD**. To find sensor names, enter all or part of the sensor name and select the one you want from the dropdown list. |

+ > [!IMPORTANT]

+ > Alert exclusion rules are `AND` based, which means that alerts are only excluded when all rule conditions are met.

+ > If a rule condition is not defined, all options are included. For example, if you don't include the name of a sensor in the rule, the rule is applied to all sensors.

+ A summary of the rule parameters is shown at the bottom of the dialog.

+1. Check the rule summary shown at the bottom of the **Create Exclusion Rule** dialog and then select **SAVE**

+**To create alert exclusion rules via API**:

+Use the [Defender for IoT API](references-work-with-defender-for-iot-apis.md) to create on-premises management console alert exclusion rules from an external ticketing system or other system that manage network maintenance processes.

+Use the [maintenanceWindow (Create alert exclusions)](api/management-alert-apis.md#maintenancewindow-create-alert-exclusions) API to define the sensors, analytics engines, start time, and end time to apply the rule. Exclusion rules created via API are shown in the on-premises management console as read-only.

+For more information, see [Defender for IoT API reference](references-work-with-defender-for-iot-apis.md).

+## Create alert comments on an OT sensor

+1. Sign into your OT sensor and select **System Settings** > **Network Monitoring** > **Alert Comments**.

+1. In the **Alert comments** pane, in the **Description** field, enter the new comment, and select **Add**. The new comment appears in the **Description** list below the field.

+ For example:

+ :::image type="content" source="media/alerts/create-custom-comment.png" alt-text="Screenshot of the Alert comments pane on the OT sensor.":::

+1. Select **Submit** to add your comment to the list of available comments in each alert on your sensor.

+Custom comments are available in each alert on your sensor for team members to add. For more information, see [Add alert comments](how-to-view-alerts.md#add-alert-comments).

+## Create custom alert rules on an OT sensor

+Add custom alert rules to trigger alerts for specific activity on your network that's not covered by out-of-the-box functionality.

+For example, for an environment running MODBUS, you might add a rule to detect any written commands to a memory register on a specific IP address and ethernet destination.

+**To create a custom alert rule**:

+1. Sign into your OT sensor and select **Custom alert rules** > **+ Create rule**.

+1. In the **Create custom alert rule** pane, define the following fields:

+ |Name |Description |

+ |||

+ |**Alert name** | Enter a meaningful name for the alert. |

+ |**Alert protocol** | Select the protocol you want to detect. <br> In specific cases, select one of the following protocols: <br> <br> - For a database data or structure manipulation event, select **TNS** or **TDS**. <br> - For a file event, select **HTTP**, **DELTAV**, **SMB**, or **FTP**, depending on the file type. <br> - For a package download event, select **HTTP**. <br> - For an open ports (dropped) event, select **TCP** or **UDP**, depending on the port type. <br> <br> To create rules that track specific changes in one of your OT protocols, such as S7 or CIP, use any parameters found on that protocol, such as `tag` or `sub-function`. |

+ |**Message** | Define a message to display when the alert is triggered. Alert messages support alphanumeric characters and any traffic variables detected. <br> <br> For example, you might want to include the detected source and destination addresses. Use curly brackets (**{}**) to add variables to the alert message. |

+ |**Direction** | Enter a source and/or destination IP address where you want to detect traffic. |

+ |**Conditions** | Define one or more conditions that must be met to trigger the alert. <br><br>- Select the **+** sign to create a condition set with multiple conditions that use the **AND** operator. The **+** sign is enabled only after selecting an **Alert protocol** value.<br>- If you select a MAC address or IP address as a variable, you must convert the value from a dotted-decimal address to decimal format. <br><br> You must add at least one condition to create a custom alert rule. |

+ |**Detected** | Define a date and/or time range for the traffic you want to detect. Customize the days and time range to fit with maintenance hours or set working hours. |

+ |**Action** | Define an action you want Defender for IoT to take automatically when the alert is triggered. <br>Have Defender for IoT create either an alert or event, with the specified severity. |

+ |**PCAP included** | If you've selected to create an event, clear the **PCAP included** option as needed. If you've selected to create an alert, the PCAP is always included, and can't be removed. |

+ For example:

+ :::image type="content" source="media/how-to-accelerate-alert-incident-response/create-custom-alert-rule.png" alt-text="Screenshot of the Create custom alert rule pane for creating custom alert rules." lightbox="media/how-to-accelerate-alert-incident-response/create-custom-alert-rule.png":::

+1. Select **Save** when you're done to save the rule.

+### Edit a custom alert rule

+To edit a custom alert rule, select the rule and then select the options (**...**) menu > **Edit**. Modify the alert rule as needed and save your changes.

+Edits made to custom alert rules, such as changing a severity level or protocol, are tracked in the **Event timeline** page on the OT sensor.

+For more information, see [Track sensor activity](how-to-track-sensor-activity.md).

+### Disable, enable, or delete custom alert rules

+Disable custom alert rules to prevent them from running without deleting them altogether.

+In the **Custom alert rules** page, select one or more rules, and then select **Disable**, **Enable**, or **Delete** in the toolbar as needed.

+- **To manage alerts on the Azure portal**, you must have access as a [Security Admin](../../role-based-access-control/built-in-roles.md#security-admin), [Contributor](../../role-based-access-control/built-in-roles.md#contributor), or [Owner](../../role-based-access-control/built-in-roles.md#owner). Alert management activities include modifying their statuses or severities, *Learning* an alert, accessing PCAP data, or using alert suppression rules.

+> [!TIP]

+> If you're seeing more alerts than expected, you might want to create suppression rules to prevent alerts from being triggered for legitimate network activity. For more information, see [Suppress irrelevant alerts](how-to-accelerate-alert-incident-response.md#suppress-irrelevant-alerts).

+ |**L60** | Default storage is 10 GB; limit is 25 GB. |

+> Defender for IoT software versions require a minimum disk size of 100 GB. The L60 hardware profile, which only supports 60 GB of hard disk, has been deprecated.

+> If you have a legacy sensor, such as the L60 hardware profile, you can migrate it to a supported profile can be found by following the [back up and restore a sensor](back-up-restore-sensor.md) process.

+| **OT network sensor** | Dependent on the sensor's storage capacity allocated for PCAP files, which is determined by its [hardware profile](ot-appliance-sizing.md): <br><br>- **C5600**: 130 GB <br>- **E1800**: 130 GB <br>- **E1000** : 78 GB<br>- **E500**: 78 GB <br>- **L500**: 7 GB <br>- **L100**: 2.5 GB<br><br> If a sensor exceeds its maximum storage capacity, the oldest PCAP file is deleted to accommodate the new one. <br><br> For more information, see [Access alert PCAP data](how-to-view-alerts.md#access-alert-pcap-data) and [Pre-configured physical appliances for OT monitoring](ot-pre-configured-appliances.md). |

+| **24.1** | | | |

+| 24.1.0 |02/2024 | Major |01/2025 |

+## Versions 24.1.x

+### Version 24.1.0

+**Release date**: 02/2024

+**Supported until**: 03/2025

+This version includes the following updates and enhancements:

+- [Alert suppression rules from the Azure portal](how-to-accelerate-alert-incident-response.md#suppress-irrelevant-alerts)

+- [Focused alerts in OT/IT environments](alerts.md#focused-alerts-in-otit-environments)

+- [Alert ID (ID field) is now aligned on the Azure portal and sensor console](how-to-manage-cloud-alerts.md#view-alerts-on-the-azure-portal)

+- [Newly supported protocols](concept-supported-protocols.md)

+- [L60 hardware profile is no longer supported](ot-appliance-sizing.md#production-line-monitoring-medium-and-small-deployments)

+**Release date**: 12/2023

+**Supported until**: 11/2024

+For more information about the features listed in this article, see [What's new in Microsoft Defender for IoT](whats-new.md) and [What's new archive for in Microsoft Defender for IoT for organizations](release-notes-archive.md).

+| **[Modify Azure alerts](how-to-manage-cloud-alerts.md) (write access - change status, learn, download PCAP, suppression rules)** <br>Apply per subscription or site| - | Γ£ö |Γ£ö | Γ£ö |

+| **OT networks** | - [Alert suppression rules from the Azure portal (Public preview)](#alert-suppression-rules-from-the-azure-portal-public-preview)<br>- [Focused alerts in OT/IT environments](#focused-alerts-in-otit-environments)<br>- [Alert ID now aligned on the Azure portal and sensor console](#alert-id-now-aligned-on-the-azure-portal-and-sensor-console)<br>- [Newly supported protocols](#newly-supported-protocols)|

+### Alert suppression rules from the Azure portal (Public preview)

+Now you can configure alert suppression rules from the Azure portal to instruct your OT sensors to specified traffic on your network that would otherwise trigger an alert.

+- Configure which alerts to suppress by specifying an alert title, IP/MAC address, hostname, subnet, sensor, or site.

+- Set each suppression rule to be active always, or only during a predefined period, such as for a specific maintenance window.

+> [!TIP]

+> If you're currently using exclusion rules on the on-premises management console, we recommend that you migrate them to suppression rules on the Azure portal.

+For more information, see [Suppress irrelevant alerts](how-to-accelerate-alert-incident-response.md#suppress-irrelevant-alerts).

+### Newly supported protocols

+We now support these protocols:

+- HART-IP

+- FANUC FOCAS

+- Dicom

+- ABB NetConfig

+- Rockwell AADvance Discover

+- Rockwell AADvance SNCP/IXL

+- Schneider NetManage

+[See the updated protocol list](concept-supported-protocols.md).

+### L60 hardware profile is no longer supported

+The L60 hardware profile is no longer supported and is removed from support documentation. Hardware profiles now require a minimum of 100GB (the minimum hardware profile is now [L100](ot-virtual-appliances.md)).

+To migrate from the L60 profile to a supported profile follow the [Back up and restore OT network sensor](back-up-restore-sensor.md) procedure.

+| **OT networks** |**Version 24.1.0**: <br>- [Alert suppression rules from the Azure portal (Public preview)](#alert-suppression-rules-from-the-azure-portal-public-preview)|

+Due to the operating system switch, the software update from your legacy version to version 23.2.0 might be longer and heavier than usual.

+When running a sensor update from the Azure portal, a new progress bar appears in the **Sensor version** column during the update process. As the update progresses the bar shows the percentage of the update completed, showing you that the process is ongoing, isn't stuck or has failed. For example:

+description: How to create an ARM template of a cluster in Azure HDInsight on AKS

+# Export cluster ARM template - Azure portal

+This article describes how to generate an ARM template for your cluster automatically. You can use the ARM template to modify, clone, or recreate a cluster starting from the existing cluster's configurations.

+1. In the Azure portal search bar, type "HDInsight on AKS cluster" and select "Azure HDInsight on AKS clusters" from the drop-down list.

+1. Select your cluster name from the list page.

+1. Navigate to the "Export template" blade of your cluster and click "Download" to export the template.

+ :::image type="content" source="./media/create-cluster-using-arm-template-script/export-template-download-view.png" alt-text="Screenshot showing export template option from the Azure portal." border="true" lightbox="./media/create-cluster-using-arm-template-script/export-template-download-view.png":::

+Now, your cluster ARM template is ready. You can update the properties of the cluster and finally deploy the ARM template to refresh the resources. To redeploy, you can either use the "Deploy" option in your cluster under "Export template" blade by replacing the existing template with the modified template or see [deploy an ARM template using Azure portal](/azure/azure-resource-manager/templates/deploy-portal#deploy-resources-from-custom-template).

+description: Learn how to Create cluster ARM template using Azure CLI

+# Export cluster ARM template - Azure CLI

+This article describes how to generate an ARM template using Azure CLI.

+## Steps to generate ARM template for the cluster

+

+1. Run the following command.

+ ```azurecli-interactive

+ az group export --resource-group "{cluster-rg}" --resource-ids "{resource_id}" --include-parameter-default-value --include-comments

+ # cluster-rg = Resource group of your cluster

+ # resource_id = Cluster resource id. You can get it from "JSON view" in the overview blade of your cluster in the Azure portal.

+ ```

+ :::image type="content" source="./media/create-cluster-using-arm-template/command-execution-output.png" alt-text="Screenshot showing output of the command executed to get the ARM template of the HDInsight on AKS Cluster." border="true" lightbox="./media/create-cluster-using-arm-template/command-execution-output.png":::

+

+ * Set DNS server in container engine settings

+### Set DNS server in container engine settings

+Specify the DNS server for your environment in the container engine settings. The DNS server setting applies to all container modules started by the engine.

+1. In the `/etc/docker` directory on your device, edit the `daemon.json` file. Create the file if it doesn't exists.

+1. Add the **dns** key and set the DNS server address to a publicly accessible DNS service. If your edge device can't access a public DNS server, use an accessible DNS server address in your network. For example:

+ ```json

+ {

+ "dns": ["1.1.1.1"]

+ }

+ ```

+ Title: Back up a secret, key, or certificate stored in Azure Key Vault | Microsoft Docs

+description: Use this document to help back up a secret, key, or certificate stored in Azure Key Vault.

+#Customer intent: As an Azure Key Vault administrator, I want to back up a secret, key, or certificate in my key vault.

+# Azure Key Vault backup and restore

+This document shows you how to back up secrets, keys, and certificates stored in your key vault. A backup is intended to provide you with an offline copy of all your secrets in the unlikely event that you lose access to your key vault.

+## Overview

+Azure Key Vault automatically provides features to help you maintain availability and prevent data loss. Back up secrets only if you have a critical business justification. Backing up secrets in your key vault may introduce operational challenges such as maintaining multiple sets of logs, permissions, and backups when secrets expire or rotate.

+Key Vault maintains availability in disaster scenarios and will automatically fail over requests to a paired region without any intervention from a user. For more information, see [Azure Key Vault availability and redundancy](./disaster-recovery-guidance.md).

+If you want protection against accidental or malicious deletion of your secrets, configure soft-delete and purge protection features on your key vault. For more information, see [Azure Key Vault soft-delete overview](./soft-delete-overview.md).

+## Limitations

+> [!IMPORTANT]

+> Key Vault does not support the ability to backup more than 500 past versions of a key, secret, or certificate object. Attempting to backup a key, secret, or certificate object may result in an error. It is not possible to delete previous versions of a key, secret, or certificate.

+Key Vault doesn't currently provide a way to back up an entire key vault in a single operation and keys, secrets and certitificates must be backup indvidually.

+Also consider the following issues:

+* Backing up secrets that have multiple versions might cause time-out errors.

+* A backup creates a point-in-time snapshot. Secrets might renew during a backup, causing a mismatch of encryption keys.

+* If you exceed key vault service limits for requests per second, your key vault will be throttled, and the backup will fail.

+## Design considerations

+When you back up a key vault object, such as a secret, key, or certificate, the backup operation will download the object as an encrypted blob. This blob can't be decrypted outside of Azure. To get usable data from this blob, you must restore the blob into a key vault within the same Azure subscription and [Azure geography](https://azure.microsoft.com/global-infrastructure/geographies/).

+## Prerequisites

+To back up a key vault object, you must have:

+* Contributor-level or higher permissions on an Azure subscription.

+* A primary key vault that contains the secrets you want to back up.

+* A secondary key vault where secrets will be restored.

+## Back up and restore from the Azure portal

+Follow the steps in this section to back up and restore objects by using the Azure portal.

+### Back up

+1. Go to the Azure portal.

+2. Select your key vault.

+3. Go to the object (secret, key, or certificate) you want to back up.

+ 

+4. Select the object.

+5. Select **Download Backup**.

+ 

+

+6. Select **Download**.

+ 

+

+7. Store the encrypted blob in a secure location.

+### Restore

+1. Go to the Azure portal.

+2. Select your key vault.

+3. Go to the type of object (secret, key, or certificate) you want to restore.

+4. Select **Restore Backup**.

+ 

+

+5. Go to the location where you stored the encrypted blob.

+6. Select **OK**.

+## Back up and restore from the Azure CLI or Azure PowerShell

+# [Azure CLI](#tab/azure-cli)

+```azurecli

+## Log in to Azure

+az login

+## Set your subscription

+az account set --subscription {AZURE SUBSCRIPTION ID}

+## Register Key Vault as a provider

+az provider register -n Microsoft.KeyVault

+## Back up a certificate in Key Vault

+az keyvault certificate backup --file {File Path} --name {Certificate Name} --vault-name {Key Vault Name} --subscription {SUBSCRIPTION ID}

+## Back up a key in Key Vault

+az keyvault key backup --file {File Path} --name {Key Name} --vault-name {Key Vault Name} --subscription {SUBSCRIPTION ID}

+## Back up a secret in Key Vault

+az keyvault secret backup --file {File Path} --name {Secret Name} --vault-name {Key Vault Name} --subscription {SUBSCRIPTION ID}

+## Restore a certificate in Key Vault

+az keyvault certificate restore --file {File Path} --vault-name {Key Vault Name} --subscription {SUBSCRIPTION ID}

+## Restore a key in Key Vault

+az keyvault key restore --file {File Path} --vault-name {Key Vault Name} --subscription {SUBSCRIPTION ID}

+## Restore a secret in Key Vault

+az keyvault secret restore --file {File Path} --vault-name {Key Vault Name} --subscription {SUBSCRIPTION ID}

+```

+# [Azure PowerShell](#tab/powershell)

+```azurepowershell

+## Log in to Azure

+Connect-AzAccount

+## Set your subscription

+Set-AzContext -Subscription '{AZURE SUBSCRIPTION ID}'

+## Back up a certificate in Key Vault

+Backup-AzKeyVaultCertificate -VaultName '{Key Vault Name}' -Name '{Certificate Name}'

+## Back up a key in Key Vault

+Backup-AzKeyVaultKey -VaultName '{Key Vault Name}' -Name '{Key Name}'

+## Back up a secret in Key Vault

+Backup-AzKeyVaultSecret -VaultName '{Key Vault Name}' -Name '{Secret Name}'

+## Restore a certificate in Key Vault

+Restore-AzKeyVaultCertificate -VaultName '{Key Vault Name}' -InputFile '{File Path}'

+## Restore a key in Key Vault

+Restore-AzKeyVaultKey -VaultName '{Key Vault Name}' -InputFile '{File Path}'

+## Restore a secret in Key Vault

+Restore-AzKeyVaultSecret -VaultName '{Key Vault Name}' -InputFile '{File Path}'

+```

+## Next steps

+- [Move an Azure key vault across regions](move-region.md)

+- [Enable Key Vault logging](howto-logging.md) for Key Vault

+Azure Load Balancer rules have a default timeout range of 4 minutes to 100 minutes for Load Balancer rules, Outbound Rules, and Inbound NAT rules. The default setting is 4 minutes. If a period of inactivity is longer than the timeout value, there's no guarantee that the TCP or HTTP session is maintained between the client and your service.

+1. In the load-balancing rule, input your timeout value into **Idle timeout (minutes)**.

+> [Create a cross-region Azure Load Balancer using the Azure portal](tutorial-cross-region-portal.md)

+Instance types are an Azure Machine Learning concept that allows targeting certain types of compute nodes for training and inference workloads. For example, in an Azure virtual machine, an instance type is `STANDARD_D2_V3`. This article teaches you how to create and manage instance types for your computation requirements.

+Creation of custom instance types must meet the following parameters and definition rules, or it fails:

+If you use the `resources` section, a valid resource definition needs to meet the following rules. An invalid resource definition causes the model deployment to fail.

+| `limits:`<br>`cpu:` | Optional <br>(required only when you need GPU) | String values, which can't be zero or empty. <br>You can specify the CPU in millicores; for example, `100m`. You can also specify it in full numbers. For example, `"1"` is equivalent to `1000m`. |

+There are many ways to create a training job with Azure Machine Learning. You can use the CLI (see [Train models (create jobs)](how-to-train-model.md)), the REST API (see [Train models with REST (preview)](how-to-train-with-rest.md)), or you can use the UI to directly create a training job. In this article, you learn how to use your own data and code to train a machine learning model with a guided experience for submitting training jobs in Azure Machine Learning studio.

+* You may enter the job creation UI from the homepage. Select **Create new** and select **Job**.

+In this step, you can select your method of training, complete the rest of the submission form based on your selection, and submit the training job. Below we walk through the form with the steps for running a custom script (command job).

+[](media/how-to-train-with-ui/training-method.png)

+The first step is configuring basic information about your training job. You can proceed next if you're satisfied with the defaults we chose for you, or make changes to your desired preference.

+[](media/how-to-train-with-ui/basic-settings.png)

+|Experiment name| This helps organize the job in Azure Machine Learning studio. Each job's run record is organized under the corresponding experiment in the studio's "Experiment" tab. By default, Azure puts the job in the **Default** experiment.|

+|Timeout| Specify number of hours the entire training job is allowed to run. Once this limit is reached the system cancels the job including any child jobs.|

+[](media/how-to-train-with-ui/training-script-code.png)

+[](media/how-to-train-with-ui/training-script-inputs.png)

+If you're using Azure Machine Learning for the first time, you see an empty list and a link to create a new compute. For more information on creating the various types, see:

+Custom environments are environments you specified yourself. You can specify an environment or reuse an environment that you already created. To learn more, see [Manage software environments in Azure Machine Learning studio (preview)](how-to-manage-environments-in-studio.md#create-an-environment).

+Once you configured the job, choose **Next** to go to the **Review** page. To modify a setting, choose the pencil icon and make the change.

+To launch the job, choose **Submit training job**. Once the job is created, Azure shows you the job details page, where you can monitor and manage your training job.

+In this article, you learn how to troubleshoot common workload errors on the [Kubernetes compute](./how-to-attach-kubernetes-to-workspace.md). Common errors include training jobs and endpoint errors.

+The common Kubernetes endpoint errors on Kubernetes compute are categorized into two scopes: **compute scope** and **cluster scope**. The compute scope errors are related to the compute target, such as the compute target isn't found, or the compute target isn't accessible. The cluster scope errors are related to the underlying Kubernetes cluster, such as the cluster itself isn't reachable, or the cluster isn't found.

+ The following are common error types in **compute scope** that you might encounter when using Kubernetes compute to create online endpoints and online deployments for real-time model inference. You can trouble shoot by following the linked sections for guidelines:

+* Sign in into any of them run `kubectl exec -it -n azureml {scorin_fe_pod_name} bash`.

+When the proxy and workspace are correctly set up with a private link, you should observe an attempt to connect to an internal IP. A response with an HTTP 401 status code is expected in this scenario if a token isn't provided.

+### Kubernetes compute update doesn't take effect

+At this time, the CLI v2 and SDK v2 don't allow updating any configuration of an existing Kubernetes compute. For example, changing the namespace doesn't take effect.

+ Title: 'CLI (v2) MLtable YAML schema'

+# CLI (v2) MLtable YAML schema

+You can find the source JSON schema at https://azuremlschemas.azureedge.net/latest/MLTable.schema.json.

+This article presents information about the `MLTable` YAML schema only. For more information about MLTable, including

+- `MLTable` file authoring

+- MLTable *artifacts* creation

+- consumption in Pandas and Spark

+- end-to-end examples

+visit [Working with tables in Azure Machine Learning](how-to-mltable.md).

+| `$schema` | string | The YAML schema. If you use the Azure Machine Learning Visual Studio Code extension to author the YAML file, you can invoke schema and resource completions if you include `$schema` at the top of your file | | |

+| `type` | const | `mltable` abstracts the schema definition for tabular data. Data consumers can more easily materialize the table into a Pandas/Dask/Spark dataframe | `mltable` | `mltable`|

+| `paths` | array | Paths can be a `file` path, `folder` path, or `pattern` for paths. `pattern` supports *globbing* patterns that specify sets of filenames with wildcard characters (`*`, `?`, `[abc]`, `[a-z]`). Supported URI types: `azureml`, `https`, `wasbs`, `abfss`, and `adl`. Visit [Core yaml syntax](reference-yaml-core-syntax.md) for more information about use of the `azureml://` URI format |`file`<br>`folder`<br>`pattern` | |

+| `transformations`| array | A defined transformation sequence, applied to data loaded from defined paths. Visit [Transformations](#transformations) for more information |`read_delimited`<br>`read_parquet`<br>`read_json_lines`<br>`read_delta_lake`<br>`take`<br>`take_random_sample`<br>`drop_columns`<br>`keep_columns`<br>`convert_column_types`<br>`skip`<br>`filter`<br>`extract_columns_from_partition_format` ||

+|`read_delimited` | Adds a transformation step to read the delimited text file(s) provided in `paths` | `infer_column_types`: Boolean to infer column data types. Defaults to True. Type inference requires that the current compute can access the data source. Currently, type inference only pulls the first 200 rows.<br><br>`encoding`: Specify the file encoding. Supported encodings: `utf8`, `iso88591`, `latin1`, `ascii`, `utf16`, `utf32`, `utf8bom`, and `windows1252`. Default encoding: `utf8`.<br><br>`header`: the user can choose one of these options: `no_header`, `from_first_file`, `all_files_different_headers`, `all_files_same_headers`. Defaults to `all_files_same_headers`.<br><br>`delimiter`: The separator that splits the columns.<br><br>`empty_as_string`: Specifies if empty field values should load as empty strings. The default value (False) reads empty field values as nulls. Passing this setting as *True* reads empty field values as empty strings. For values converted to numeric or datetime data types, this setting has no effect, because empty values are converted to nulls.<br><Br>`include_path_column`: Boolean to keep path information as column in the table. Defaults to False. This setting helps when reading multiple files, and you want to know the originating file for a specific record. Additionally, you can keep useful information in the file path.<br><br>`support_multi_line`: By default (`support_multi_line=False`), all line breaks, including line breaks in quoted field values, are interpreted as a record break. This approach to data reading increases speed, and it offers optimization for parallel execution on multiple CPU cores. However, it might result in silent production of more records with misaligned field values. Set this value to `True` when the delimited files are known to contain quoted line breaks |

+| `read_parquet` | Adds a transformation step to read the Parquet formatted file(s) provided in `paths` | `include_path_column`: Boolean to keep the path information as a table column. Defaults to False. This setting helps when you read multiple files, and you want to know the originating file for a specific record. Additionally, you can keep useful information in the file path.<br><br>**NOTE:** MLTable only supports reads of parquet files that have columns consisting of primitive types. Columns containing arrays are **not** supported |

+| `read_delta_lake` | Adds a transformation step to read a Delta Lake folder provided in `paths`. You can read the data at a particular timestamp or version | `timestamp_as_of`: String. Timestamp to be specified for time-travel on the specific Delta Lake data. To read data at a specific point in time, the datetime string should have an [RFC-3339/ISO-8601 format](https://wikipedia.org/wiki/ISO_8601) (for example: "2022-10-01T00:00:00Z", "2022-10-01T00:00:00+08:00", "2022-10-01T01:30:00-08:00").<br><br>`version_as_of`: Integer. Version to be specified for time-travel on the specific Delta Lake data.<br><br>**You must provide one value of `timestamp_as_of` or `version_as_of`**

+| `read_json_lines` | Adds a transformation step to read the json file(s) provided in `paths` | `include_path_column`: Boolean to keep path information as an MLTable column. Defaults to False. This setting helps when you read multiple files, and you want to know the originating file for a specific record. Additionally, you can keep useful information in the file path<br><br>`invalid_lines`: Determines how to handle lines that have invalid JSON. Supported values: `error` and `drop`. Defaults to `error`<br><br>`encoding`: Specify the file encoding. Supported encodings: `utf8`, `iso88591`, `latin1`, `ascii`, `utf16`, `utf32`, `utf8bom`, and `windows1252`. Defaults to `utf8`

+|`convert_column_types` | Adds a transformation step to convert the specified columns into their respective specified new types | `columns`<br>An array of column names to convert<br><br>`column_type`<br>The type into which you want to convert (`int`, `float`, `string`, `boolean`, `datetime`) | <code>- convert_column_types:<br>&emsp; &emsp;- columns: [Age]<br>&emsp; &emsp;&emsp; column_type: int</code><br> Convert the Age column to integer.<br><br><code>- convert_column_types:<br>&emsp; &emsp;- columns: date<br>&emsp; &emsp; &emsp;column_type:<br>&emsp; &emsp;&emsp; &emsp;&emsp; &emsp;datetime:<br>&emsp; &emsp;&emsp; &emsp;&emsp; &emsp;&emsp; &emsp;formats:<br>&emsp; &emsp;&emsp; &emsp;&emsp; &emsp;&emsp; &emsp;- "%d/%m/%Y"</code><br>Convert the date column to the format `dd/mm/yyyy`. Read [`to_datetime`](/python/api/mltable/mltable.datatype#mltable-datatype-to-datetime) for more information about datetime conversion.<br><br><code>- convert_column_types:<br>&emsp; &emsp;- columns: [is_weekday]<br>&emsp; &emsp; &emsp;column_type:<br>&emsp; &emsp;&emsp; &emsp;&emsp; &emsp;boolean:<br>&emsp; &emsp;&emsp; &emsp;&emsp; &emsp;&emsp; &emsp;true_values:['yes', 'true', '1']<br>&emsp; &emsp;&emsp; &emsp;&emsp; &emsp;&emsp; &emsp;false_values:['no', 'false', '0']</code><br> Convert the is_weekday column to a boolean; yes/true/1 values in the column map to `True`, and no/false/0 values in the column map to `False`. Read [`to_bool`](/python/api/mltable/mltable.datatype#mltable-datatype-to-bool) for more information about boolean conversion

+|`drop_columns` | Adds a transformation step to remove specific columns from the dataset | An array of column names to drop | `- drop_columns: ["col1", "col2"]`

+| `keep_columns` | Adds a transformation step to keep the specified columns, and remove all others from the dataset | An array of column names to preserve | `- keep_columns: ["col1", "col2"]` |

+|`extract_columns_from_partition_format` | Adds a transformation step to use the partition information of each path, and then extract them into columns based on the specified partition format.| partition format to use |`- extract_columns_from_partition_format: {column_name:yyyy/MM/dd/HH/mm/ss}` creates a datetime column, where 'yyyy', 'MM', 'dd', 'HH', 'mm' and 'ss' are used to extract year, month, day, hour, minute, and second values for the datetime type |

+|`filter` | Filter the data, leaving only the records that match the specified expression. | An expression as a string | `- filter: 'col("temperature") > 32 and col("location") == "UK"'` <br>Only leave rows where the temperature exceeds 32, and UK is the location |

+|`take_random_sample` | Adds a transformation step to randomly select each row of this MLTable, with probability chance. | `probability`<br>The probability of selecting an individual row. Must be in the range [0,1].<br><br>`seed`<br>Optional random seed | <code>- take_random_sample:<br>&emsp; &emsp;probability: 0.10<br>&emsp; &emsp;seed:123</code><br> Take a 10 percent random sample of rows using a random seed of 123

+Examples of MLTable use. Find more examples at:

+- the [examples GitHub repository](https://github.com/Azure/azureml-examples/tree/main/sdk/python/assets/data)

+This quickstart reads the famous iris dataset from a public https server. To proceed, you must place the `MLTable` files in a folder. First, create the folder and `MLTable` file with:

+Next, place this content in the `MLTable` file:

+You can then materialize into Pandas with:

+> You must have the `mltable` Python SDK installed. Install this SDK with:

+>

+Ensure that the data includes a new column named `Path`. This column contains the `https://azuremlexamples.blob.core.windows.net/datasets/iris.csv` data path.

+The CLI can create a data asset:

+The folder containing the `MLTable` automatically uploads to cloud storage (the default Azure Machine Learning datastore).

+> An Azure Machine Learning data asset is similar to web browser bookmarks (favorites). Instead of remembering long URIs (storage paths) that point to your most frequently-used data, you can create a data asset, and then access that asset with a friendly name.

+- [Working with tables in Azure Machine Learning](how-to-mltable.md)

+ Title: Use VPN with Azure Managed Instance for Apache Cassandra

+description: Discover how to secure your cluster with vpn when you use Azure Managed Instance for Apache Cassandra.

+ms.devlang: azurecli

+# Use VPN with Azure Managed Instance for Apache Cassandra

+Azure Managed Instance for Apache Cassandra nodes requires access to many other Azure services when injected into your VNet. Normally this is enabled by ensuring your VNet has outbound access to the internet. If your security policy prohibits outbound access, you can also configure firewall rules or UDRs for the appropriate access, for more information, see [here](network-rules.md).

+However, if you have internal security concerns around data exfiltration, your security policy might also even prohibit direct access to these services from your VNet. By using a VPN with your Azure Managed Instance for Apache Cassandra, you can ensure that data nodes in the VNet communicate only to a single secure VPN endpoint, with no direct access to any other services.

+> [!IMPORTANT]

+> Using VPN with Azure Managed Instance for Apache Cassandra is in public preview.

+> This feature is provided without a service level agreement, and it's not recommended for production workloads.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+## How to use VPN with Azure Managed Instance for Apache Cassandra

+1. Create a cluster of Cassandra Managed Instance using "VPN" as the value for the `--azure-connection-method` option:

+ ```bash

+ az managed-cassandra cluster create \

+ --cluster-name "vpn-test-cluster" \

+ --resource-group "vpn-test-rg" \

+ --location "eastus2" \

+ --azure-connection-method "VPN" \

+ --initial-cassandra-admin-password "password"

+ ```

+1. Use the following command to see the cluster properties. From the output, make a copy of the `privateLinkResourceId` ID:

+ ```bash

+ az managed-cassandra cluster show \

+ --resource-group "vpn-test-rg" \

+ --cluster-name "vpn-test-cluster"

+ ```

+1. On the portal, [create a private endpoint](../cosmos-db/how-to-configure-private-endpoints.md)

+ 1. On the Resource tab, select "Connect to an Azure resource by resource ID or alias." as the connection method and `Microsoft.Network/privateLinkServices` as the resource type. Enter the `privateLinkResourceId` from step (2).

+ 1. On the Virtual Network tab, select your virtual network's subnet and make sure to select the option for "Statically allocate IP address."

+ 1. Validate and create.

+ > [!NOTE]

+ > At the moment, the connection between our management service and your private endpoint requires the Azure Managed Instance for Apache Cassandra team cassandra-preview@microsoft.com to approve it.

+

+1. Get the IP address of your private endpoint NIC.

+1. Create a new data center using the IP address from (5) as the `--private-endpoint-ip-address` parameter.

+## Next steps

+- Learn about [hybrid cluster configuration](configure-hybrid-cluster.md) in Azure Managed Instance for Apache Cassandra.

+**Java web application** | The tool currently supports: <br/><br/> - Applications running on Tomcat 8 or Tomcat 9.<br/> - Application servers on Ubuntu Linux 16.04/18.04/20.04, Debian 7/8, CentOS 6/7, Red Hat Enterprise Linux 5/6/7. <br/> - Applications using Java 7 or Java 8. <br/> If you have version outside of this, find an image that supports your required versions and modify the dockerfile to replace image <br/><br/> The tool currently doesn't support: <br/><br/> - Application servers running multiple Tomcat instances <br/>

+description: Use this tutorial to learn how to migrate outbound access in your virtual network to an Azure NAT gateway.

+# Customer intent: As a network engineer, I want to learn how to migrate my outbound access to a NAT gateway.

+In this tutorial, you learn how to migrate your outbound connectivity from [default outbound access](../virtual-network/ip-services/default-outbound-access.md) to a NAT gateway. You learn how to change your outbound connectivity from load balancer outbound rules to a NAT gateway. You reuse the IP address from the outbound rule configuration for the NAT gateway.

+Azure NAT Gateway is the recommended method for outbound connectivity. A NAT gateway is a fully managed and highly resilient Network Address Translation (NAT) service. A NAT gateway doesn't have the same limitations of Source Network Address Translation (SNAT) port exhaustion as default outbound access. A NAT gateway replaces the need for outbound rules in a load balancer for outbound connectivity.

+For more information about Azure NAT Gateway, see [What is Azure NAT Gateway?](nat-overview.md)

+* A standard public load balancer in your subscription. The load balancer must have a separate frontend IP address and outbound rules configured. For more information on creating an Azure Load Balancer, see [Quickstart: Create a public load balancer to load balance VMs using the Azure portal](../load-balancer/quickstart-load-balancer-standard-public-portal.md).

+

+In this section, you learn how to change your outbound connectivity method from default outbound access to a NAT gateway.

+1. In the search box at the top of the portal, enter **NAT gateway**. Select **NAT gateways**.

+1. In **NAT gateways**, select **+ Create**.

+1. In **Create network address translation (NAT) gateway**, enter or select the following information in the **Basics** tab.

+1. Select the **Outbound IP** tab, or select **Next: Outbound IP** at the bottom of the page.

+1. In **Public IP addresses** in the **Outbound IP** tab, select **Create a new public IP address**.

+1. In **Add a public IP address**, enter **myNATgatewayIP** in **Name**. Select **OK**.

+1. Select the **Subnet** tab, or select **Next: Subnet** at the bottom of the page.

+1. In the pull-down box for **Virtual network**, select your virtual network.

+1. In **Subnet name**, select the checkbox next to your subnet.

+1. Select the **Review + create** tab, or select **Review + create** at the bottom of the page.

+1. Select **Create**.

+In this section, you learn how to change your outbound connectivity method from outbound rules to a NAT gateway. You keep the same frontend IP address used for the outbound rules. You remove the outbound ruleΓÇÖs frontend IP configuration then create a NAT gateway with the same frontend IP address. A public load balancer is used throughout this section.

+1. In the search box at the top of the portal, enter **Load balancer**. Select **Load balancers** in the search results.

+1. Select **myLoadBalancer** or your load balancer.

+1. In **myLoadBalancer**, select **Frontend IP configuration** in **Settings**.

+1. Note the **IP address** in **Frontend IP configuration** that you wish to migrate to a **NAT gateway**. You'll need this information in the next section. In this example, it's **myFrontendIP-outbound**.

+1. Select **Delete** next to the IP configuration you wish to remove. In this example, it's **myFrontendIP-outbound**.

+1. Select **Delete**.

+1. In **Delete myFrontendIP-outbound**, select the check box next to **I have read and understood that this frontend IP configuration as well as the associated resources listed above will be deleted**.

+1. Select **Delete**. This procedure deletes the frontend IP configuration and the outbound rule associated with the frontend.

+In this section, you create a NAT gateway with the IP address previously used for outbound rule and assign it to your precreated subnet within your virtual network. The subnet name for this example is **myBackendSubnet**.

+1. In **NAT gateways**, select **+ Create**.

+1. In **Create network address translation (NAT) gateway**, enter or select the following information in the **Basics** tab.

+1. Select the **Outbound IP** tab, or select **Next: Outbound IP** at the bottom of the page.

+1. In **Public IP addresses** in the **Outbound IP** tab, select the IP address you noted from the previous section. In this example, it's **myPublicIP-outbound**.

+1. Select the **Subnet** tab, or select **Next: Subnet** at the bottom of the page.

+1. In the pull-down box for **Virtual network**, select your virtual network.

+1. In **Subnet name**, select the checkbox for your subnet. In this example, it's **myBackendSubnet**.

+1. Select the **Review + create** tab, or select **Review + create** at the bottom of the page.

+1. Select **Create**.

+1. Select the **myResourceGroup** resource group.

+1. Select **Delete resource group**.

+1. Enter **myResourceGroup** and select **Delete**.

+## Next step

+- The latest version of [Azure PowerShell](/powershell/azure/install-azure-powershell).

+- An existing instance of Network Watcher. If you don't already have one, [create an instance of Network Watcher](network-watcher-create.md).

+- An existing virtual machine in the same region as Network Watcher with the [Windows extension](../virtual-machines/extensions/network-watcher-windows.md) or [Linux virtual machine extension](../virtual-machines/extensions/network-watcher-linux.md).

+In this example, a virtual machine (VM) has more outgoing traffic than usual and you want to be alerted. Similarly, you can create alerts for any condition.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the search box at the top of the portal, enter *function app*. Select **Function App** from the search results

+ :::image type="content" source="./media/network-watcher-alert-triggered-packet-capture/function-app-portal-search.png" alt-text="Screenshot shows how to search for the function app in Azure portal." lightbox="./media/network-watcher-alert-triggered-packet-capture/function-app-portal-search.png":::

+1. Select **+ Create**.

+1. In the **Basics** tab of **Create Function App**, enter or select values for the following settings:

+ - Under **Project Details**, select the **Subscription** for which you want to create the Function app and the **Resource Group** to contain the app.

+ - Under **Instance details**, do the following:

+ - Enter the name of the Function app. This name will be appended by *.azurewebsites.net*.

+ - In **Publish**, select the mode of publishing, either *Code* or *Docker Container*.

+ - Select a **Runtime stack**.

+ - Select the version of the Runtime stack in **Version**.

+ - Select the **Region** in which you want to create the function app.

+ - Select **OK** to create the app.

+ - Under **Operating System**, select the type of Operating system that you're currently using. Azure recommends the type of Operating system based on your runtime stack selection.

+ - Under **Plan**, select the type of plan that you want to use for the function app. Choose from the following options:

+ :::image type="content" source="./media/network-watcher-alert-triggered-packet-capture/create-function-app-basics.png" alt-text="Screenshot of the Create function app page in the Azure portal." lightbox="./media/network-watcher-alert-triggered-packet-capture/create-function-app-basics.png":::

+1. Select **Review + create** to create the app.

+4. In the **Template details** section:

+ - Enter the name of the function in the **New function** field.

+ - Select **Function** as the **Authorization level** and select **Create**.

+#CustomerIntent: As an Azure administrator, I want to log my virtual network IP traffic using Network Watcher VNet flow logs so that I can analyze it later.

+To download VNet flow logs from your storage account, use the [az storage blob download](/cli/azure/storage/blob#az-storage-blob-download) command.

+VNet flow log files are saved to the storage account at the following path:

+> [!NOTE]

+> You can also access and download VNet flow logs files from the storage account container using the Azure Storage Explorer. Storage Explorer is a standalone app that you can conveniently use to access and work with Azure Storage data. For more information, see [Get started with Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md).

+#CustomerIntent: As an Azure administrator, I want to log my virtual network IP traffic using Network Watcher VNet flow logs so that I can analyze it later.

+To download VNet flow logs from your storage account, use [Get-AzStorageBlobContent](/powershell/module/az.storage/get-azstorageblobcontent) cmdlet.

+VNet flow log files are saved to the storage account at the following path:

+> [!NOTE]

+> You can also access and download VNet flow logs files from the storage account container using the Azure Storage Explorer. Storage Explorer is a standalone app that you can conveniently use to access and work with Azure Storage data. For more information, see [Get started with Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md).

+## Related content

+<li>Add or remove additional worker nodes as required.

+## Monitor Azure Virtual Machine Scale Sets by using the New Relic agent

+You can install New Relic agent on Azure Virtual Machine Scale Sets as an extension.

+1. Select **Virtual Machine Scale Sets** under **New Relic account config** in the Resource menu.

+1. In the working pane, you see a list of all virtual machine scale sets in the subscription.

+Virtual Machine Scale Sets is an Azure Compute resource that can be used to deploy and manage a set of identical VMs. For more information, see [Virtual Machine Scale Sets](../../virtual-machine-scale-sets/overview.md).

+For more information on the orchestration modes available [orchestration modes](../../virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes.md).

+Use native integration to install an agent on both the uniform and flexible scale-sets. The new instances (VMs) of a scale set, in any mode, receive the agent extension during scale-up. Virtual Machine Scale Sets resources in a uniform orchestration mode support _Automatic_, _Rolling_, and _Manual_ upgrade policy. Resources in Flexible orchestration mode only support manual upgrade.

+If a manual upgrade policy is set for a resource, upgrade the instances manually by installing the agent extension for the already scaled up instances. For more information on autoscaling and instance orchestration, see [autoscaling-and-instance-orchestration](../../virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes.md#autoscaling-and-instance-orchestration).

+> In manual upgrade policy, pre-existing VM instances don't receive the extension automatically. The agent status shows as **Partially Installed**. Upgrade the VM instances by manually installing the extension on them from the VM extensions Resource menu, or go to specific Virtual Machine Scale Sets and select **Instances** from the Resource menu.

+> The agent installation dashboard supports the automatic and rolling upgrade policy for Flex orchestration mode in the next release when similar support is available from Virtual Machine Scale Sets Flex resources.

+ | **App Service plan** | The plan configured for the app service.|

+Azure Payment HSM supports several SKUs; for a list, see [Azure Payment HSM overview: supported SKUs](support-guide.md#supported-skus). The SKU you specify during the creation process initially determines the performance license level of your payment HSM.

+You can change performance level of an existing payment HSM by changing its SKU. There is no interruption in your production payment HSMs while performance level is being updated.

+You can update the SKU of your payment HSM using the [Azure Resource Manager client tool](https://github.com/projectkudu/ARMClient), which is a simple command line tool that calls the Azure Resource Manager API. Installation instructions are at <https://github.com/projectkudu/ARMClient>.

+ A Thales Customer ID is created, so you can submit payShield 10K support issues as well as download documentation, software, and firmware from Thales portal. The customer team can use the Thales Customer ID to create individual account access to Thales support portal.

+5. Contact Microsoft support to get your subscription approved and receive feature registration, to access the Azure payment HSM service. See [Register the Azure Payment HSM resource providers](register-payment-hsm-resource-providers.md?tabs=azure-cli). There is no charge at this step.

+6. To create payment HSMs, follow the [Tutorials](create-payment-hsm.md) and [How-To Guides](register-payment-hsm-resource-providers.md). Customer billing starts when the HSM resource is created.

+9. Monitor your payShield 10K using standard SNMP V3 tools. payShield Monitor is another product available to provide continuous monitoring of HSMs. Contact Thales Sales rep for licensing information.

+To create a subnet, you must know the name, resource group, and address space of the existing virtual network. To find them, use the Azure CLI [az network vnet list](/cli/azure/network/vnet#az-network-vnet-list) command. The output is easier to read if you format it as a table using the -o flag:

+Make note of the subnet's ID, as it is needed for the next step. The ID of the subnet ends with the name of the subnet:

+To create a subnet, you must know the name, resource group, and address space of the existing virtual network. To find them, use the Azure PowerShell [Get-AzVirtualNetwork](/powershell/module/az.network/get-azvirtualnetwork) cmdlet.

+Make note of the subnet's ID, as it is needed for the next step. The ID of the subnet ends with the name of the subnet:

+Now that the subnet is added to your existing virtual network, you can create a payment HSM by following the steps in [Create a payment HSM](create-payment-hsm.md#create-a-payment-hsm). You need the resource group; name and address space of the virtual network; and name, address space, and ID of the subnet.

+- Customers must download and review the "Hosted HSM End User Guide," which is available through the Thales CPL Customer Support Portal. The Hosted HSM End User Guide provides more details on the changes to payShield to this service.

+- If a customer is using payShield on premises today with custom firmware, they must conduct a porting exercise to update the firmware to a version compatible with the Azure deployment. To request a quote, contact a Thales account manager.

+The HSM base firmware installed is Thales payShield10K base software version 1.4a 1.8.3. Versions less than 1.4a 1.8.3. are not supported. Customers must ensure that they only upgrade to a firmware version that meets their compliance requirements.

+- From the Azure portal homepage, select the "Support + troubleshooting" icon (a question mark in a circle).

+- On the "New support request" screen, select "Technical" as your issue type, and then "Payment HSM" as the service type.

+All Azure Payment HSM customers have an Enhanced Support Plan with Thales. The [Thales Welcome Pack for Authentication and Encryption Products](https://supportportal.thalesgroup.com/csm?sys_kb_id=1d2bac074f13f340102400818110c7d9&id=kb_article_view&sysparm_rank=1&sysparm_tsqueryId=e7f1843d87f3c9107b0664e80cbb352e&sysparm_article=KB0019882) is an important reference for customers, as it explains the Thales support plan, scope, and responsiveness. Download the [Thales Welcome Pack PDF](https://supportportal.thalesgroup.com/sys_attachment.do?sys_id=52681fca1b1e0110e2af520f6e4bcb96).

+> [!NOTE]

+> Several extensions listed as not applicable (N/A) for Postgres 16 are expected to be accessible in all regions by March 31, 2024.

+|Azure Health Insights|[Reliability in Azure Health Insights](reliability-health-insights.md)|[Reliability in Azure Health Insights](reliability-health-insights.md)|

+ Title: Reliability in Azure AI Health Insights

+description: This article describes Reliability in Azure AI Health Insights service.

+# Reliability in Azure AI Health Insights

+This article describes reliability support in Azure AI Health Insights, and covers both regional reliability with availability zones and cross-region resiliency with disaster recovery . For a more detailed overview of reliability in Azure, see [Azure reliability](/azure/architecture/framework/resiliency/overview).

+When you create a Health Insights resource in the Azure portal, you specify a region. From then on, your resource and all of its operations stay associated with that particular Azure region. It's rare, but not impossible, to encounter a network issue that hits an entire region.

+If your solution needs to always be available, then you should design it to either fail-over into another region or split the workload between two or more regions.

+## Availability zone support

+Azure availability zones are at least three physically separate groups of datacenters within each Azure region. Datacenters within each zone are equipped with independent power, cooling, and networking infrastructure. In the case of a local zone failure, availability zones are designed so that if the one zone is affected, regional services, capacity, and high availability are supported by the remaining two zones.

+Failures can range from software and hardware failures to events such as earthquakes, floods, and fires. Tolerance to failures is achieved with redundancy and logical isolation of Azure services. For more detailed information on availability zones in Azure, see Regions and availability zones.

+Azure availability zones-enabled services are designed to provide the right level of reliability and flexibility. Azure AI Health Insights support 'zonal' configuration, which means instances are pinned to a specific zone.

+## Zone down experience

+During a zone-wide outage, the customer should expect a brief degradation of performance, until the service's self-healing rebalances underlying capacity to adjust to healthy zones. This isn't dependent on zone restoration; it's expected that the Microsoft-managed service self-healing state compensates for a lost zone, using capacity from other zones.

+## Cross-region disaster recovery in multi-region geography

+Disaster recovery (DR) is about recovering from high-impact events, such as natural disasters or failed deployments that result in downtime. Regardless of the cause, the best remedy for a disaster is a well-defined and tested DR plan and an application design that actively supports DR.

+When it comes to DR, Microsoft uses the [shared responsibility model](/azure/reliability/business-continuity-management-program#shared-responsibility-model). In a shared responsibility model, Microsoft ensures that the baseline infrastructure and platform services are available. For those services, you are responsible for setting up a disaster recovery plan that works for your workload.

+For Azure AI Health Insights, the service does not store data for a long period, rather only when processing of the data. If a region failure occurs, all data associated to the requests that are in progress will be lost.

+If your solution needs to always be available, then you should design it to either fail-over into another region or split the workload between two or more regions. When you plan to deploy your application for DR, it's helpful to understand Azure regions and geographies. For more information, see [Azure cross-region replication](/azure/reliability/cross-region-replication-azure).

+## Next steps

+> [!div class="nextstepaction"]

+> [Reliability in Azure](/azure/availability-zones/overview)

+- `{resourceGroupName}` is the name of the containing resource group.

+- [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation)

+ $PasswordProfile = @{ Password = "<Password>" }

+1. Create a new user for your domain using the [New-MgUser](/powershell/module/microsoft.graph.users/new-mguser) command.

+ New-MgUser -DisplayName "RBAC Tutorial User" -PasswordProfile $PasswordProfile `

+ -UserPrincipalName "rbacuser@example.com" -AccountEnabled:$true -MailNickName "rbacuser"

+ ```output

+ DisplayName Id Mail UserPrincipalName

+ -- -- - --

+ RBAC Tutorial User 11111111-1111-1111-1111-111111111111 rbacuser@example.com

+1. Delete the user using the [Remove-MgUser](/powershell/module/microsoft.graph.users/remove-mguser) command.

+ $User = Get-MgUser -Filter "DisplayName eq 'RBAC Tutorial User'"

+ Remove-MgUser -UserId $User.Id

+1. **[A]** Enable the SBD services.

+2. **[A]** Make sure that the attached disk is available.

+3. **[A]** Retrieve the IDs of the attached disks.

+4. **[1]** Create the SBD device.

+5. **[A]** Adapt the SBD configuration.

+6. Create the `softdog` configuration file.

+7. Load the module.

+Because Azure AI Search is a text and vector search solution, the purpose of AI enrichment is to improve the utility of your content in search-related scenarios. Source content must be textual (you can't enrich vectors), but the content created by an enrichment pipeline can be vectorized and indexed in a vector store using skills like [Text Split skill](cognitive-search-skill-textsplit.md) for chunking and [AzureOpenAiEmbedding skill](cognitive-search-skill-azure-openai-embedding.md) for encoding.

+AI enrichment is based on [*skills*](cognitive-search-working-with-skillsets.md).

+Built-in skills tap Azure AI services. They apply the following transformations and processing to raw content:

+Custom skills run your external code. Custom skills can be used for any custom processing that you want to include in the pipeline.

+|stemmer|StemmerTokenFilter|Language-specific stemming filter.<br><br> **Options**<br><br> language (type: string) - Allowed values include: <br> - [`arabic`](https://lucene.apache.org/core/6_6_1/analyzers-common/org/apache/lucene/analysis/ar/ArabicStemmer.html)<br>- [`armenian`](https://snowballstem.org/algorithms/armenian/stemmer.html)<br>- [`basque`](https://snowballstem.org/algorithms/basque/stemmer.html)<br>- [`brazilian`](https://lucene.apache.org/core/6_6_1/analyzers-common/org/apache/lucene/analysis/br/BrazilianStemmer.html)<br>- `bulgarian`<br>- [`catalan`](https://snowballstem.org/algorithms/catalan/stemmer.html)<br>- [`czech`](https://portal.acm.org/citation.cfm?id=1598600)<br>- [`danish`](https://snowballstem.org/algorithms/danish/stemmer.html)<br>- [`dutch`](https://snowballstem.org/algorithms/dutch/stemmer.html)<br>- [`dutchKp`](https://snowballstem.org/algorithms/kraaij_pohlmann/stemmer.html)<br>- [`english`](https://snowballstem.org/algorithms/porter/stemmer.html)<br>- [`lightEnglish`](https://ciir.cs.umass.edu/pubfiles/ir-35.pdf)<br>- [`minimalEnglish`](https://www.researchgate.net/publication/220433848_How_effective_is_suffixing)<br>- [`possessiveEnglish`](https://lucene.apache.org/core/6_6_1/analyzers-common/org/apache/lucene/analysis/en/EnglishPossessiveFilter.html)<br>- [`porter2`](https://snowballstem.org/algorithms/english/stemmer.html)<br>- [`lovins`](https://snowballstem.org/algorithms/lovins/stemmer.html)<br>- [`finnish`](https://snowballstem.org/algorithms/finnish/stemmer.html)<br>- `lightFinnish`<br>- [`french`](https://snowballstem.org/algorithms/french/stemmer.html)<br>- [`lightFrench`](https://dl.acm.org/citation.cfm?id=1141523)<br>- [`minimalFrench`](https://dl.acm.org/citation.cfm?id=318984)<br>- `galician`<br>- `minimalGalician`<br>- [`german`](https://snowballstem.org/algorithms/german/stemmer.html)<br>- [`german2`](https://snowballstem.org/algorithms/german2/stemmer.html)<br>- [`lightGerman`](https://dl.acm.org/citation.cfm?id=1141523)<br>- `minimalGerman`<br>- [`greek`](https://sais.se/mthprize/2007/ntais2007.pdf)<br>- `hindi`<br>- [`hungarian`](https://snowballstem.org/algorithms/hungarian/stemmer.html)<br>- [`lightHungarian`](https://dl.acm.org/citation.cfm?id=1141523&dl=ACM&coll=DL&CFID=179095584&CFTOKEN=80067181)<br>- [`indonesian`](https://eprints.illc.uva.nl/741/2/MoL-2003-03.text.pdf)<br>- [`irish`](https://snowballstem.org/algorithms/irish/stemmer.html)<br>- [`italian`](https://snowballstem.org/algorithms/italian/stemmer.html)<br>- [`lightItalian`](https://www.ercim.eu/publication/ws-proceedings/CLEF2/savoy.pdf)<br>- [`sorani`](https://lucene.apache.org/core/6_6_1/analyzers-common/org/apache/lucene/analysis/ckb/SoraniStemmer.html)<br>- [`latvian`](https://lucene.apache.org/core/6_6_1/analyzers-common/org/apache/lucene/analysis/lv/LatvianStemmer.html)<br>- [`norwegian`](https://snowballstem.org/algorithms/norwegian/stemmer.html)<br>- [`lightNorwegian`](https://lucene.apache.org/core/6_6_1/analyzers-common/org/apache/lucene/analysis/no/NorwegianLightStemmer.html)<br>- [`minimalNorwegian`](https://lucene.apache.org/core/6_6_1/analyzers-common/org/apache/lucene/analysis/no/NorwegianMinimalStemmer.html)<br>- [`lightNynorsk`](https://lucene.apache.org/core/6_6_1/analyzers-common/org/apache/lucene/analysis/no/NorwegianLightStemmer.html)<br>- [`minimalNynorsk`](https://lucene.apache.org/core/6_6_1/analyzers-common/org/apache/lucene/analysis/no/NorwegianMinimalStemmer.html)<br>- [`portuguese`](https://snowballstem.org/algorithms/portuguese/stemmer.html)<br>- [`lightPortuguese`](https://dl.acm.org/citation.cfm?id=1141523&dl=ACM&coll=DL&CFID=179095584&CFTOKEN=80067181)<br>- [`minimalPortuguese`](https://web.archive.org/web/20230425141918/https://www.inf.ufrgs.br/~buriol/papers/Orengo_CLEF07.pdf)<br>- [`portugueseRslp`](https://web.archive.org/web/20230422082818/https://www.inf.ufrgs.br/~viviane/rslp/index.htm)<br>- [`romanian`](https://snowballstem.org/otherapps/romanian/)<br>- [`russian`](https://snowballstem.org/algorithms/russian/stemmer.html)<br>- [`lightRussian`](https://doc.rero.ch/lm.php?url=1000%2C43%2C4%2C20091209094227-CA%2FDolamic_Ljiljana_-_Indexing_and_Searching_Strategies_for_the_Russian_20091209.pdf)<br>- [`spanish`](https://snowballstem.org/algorithms/spanish/stemmer.html)<br>- [`lightSpanish`](https://www.ercim.eu/publication/ws-proceedings/CLEF2/savoy.pdf)<br>- [`swedish`](https://snowballstem.org/algorithms/swedish/stemmer.html)<br>- `lightSwedish`<br>- [`turkish`](https://snowballstem.org/algorithms/turkish/stemmer.html)|

+> [!IMPORTANT]

+> These benchmarks in no way guarantee a certain level of performance from your service, however, they can serve as a useful guide for estimating potential performance under similar configurations.

+>

+Azure AI Search's performance depends on a [variety of factors](search-performance-tips.md) including the size of your search service and the types of queries you're sending. To help estimate the size of search service needed for your workload, we've run several benchmarks to document the performance for different search services and configurations.

+ Title: Search index overview

+# Search indexes in Azure AI Search

+Search subscribers, or the person who created the search service, can manage the search service in the Azure portal. An Azure subscription requires Contributor or above permissions to create or delete services. You can [sign in to the Azure portal](https://portal.azure.com) for a direct connection to your search service.

+For other clients, we recommend reviewing the quickstarts for connection steps:

+You can set a [**vector filter modes on a vector query**](vector-search-how-to-query.md) to specify whether you want filtering before or after query execution.

+Filters determine the scope of a vector query. Filters are set on and iterate over nonvector string and numeric fields attributed as `filterable` in the index, but the purpose of a filter determines *what* the vector query executes over: the entire searchable space, or the contents of a search result.

+Indexes had an identical construction: one key field, one vector field, one text field, and one numeric filterable field. The following index is defined using the 2023-07-01-preview syntax.

+ {"name": "content_vector", "type": "Collection(Edm.Single)", "dimensions": dimensions,

+ "sortable": False, "facetable": False},

+ "retrievable": True, "sortable": True, "facetable": True}

+## Update a vector store

+To update a vector store, modify the schema and if necessary, reload documents to populate new fields. APIs for schema updates include [Create or Update Index (REST)](/rest/api/searchservice/indexes/create-or-update), [CreateOrUpdateIndex](/dotnet/api/azure.search.documents.indexes.searchindexclient.createorupdateindexasync) in the Azure SDK for .NET, [create_or_update_index](/python/api/azure-search-documents/azure.search.documents.indexes.searchindexclient?view=azure-python#azure-search-documents-indexes-searchindexclient-create-or-update-index&preserve-view=true) in the Azure SDK for Python, and similar methods in other Azure SDKs.

+The standard guidance for updating an index is covered in [Drop and rebuild an index](search-howto-reindex.md).

+Key points include:

+ + Add new fields to a fields collection.

+ + Add new vector configurations, assigned to new fields but not existing fields that have already been vectorized.

+ + Change "retrievable" (values are true or false) on an existing field. Vector fields must be searchable and retrievable, but if you want to disable access to a vector field in situations where drop and rebuild isn't feasible, you can set retrievable to false.

+## How to determine service creation date

+Find out whether your search service was created before July 1, 2023. If it's an older service, consider creating a new search service to benefit from the higher limits. Newer services at the same tier offer at least twice as much vector storage.

+1. In Azure portal, open the resource group.

+1. On the left nav pane, under **Settings**, select **Deployments**.

+1. Locate your search service deployment. If there are many deployments, use the filter to look for "search".

+1. Select the deployment. If you have more than one, click through to see if it resolves to your search service.

+ :::image type="content" source="media/vector-search-index-size/resource-group-deployments.png" alt-text="Screenshot of a filtered deployments list.":::

+1. Expand deployment details. You should see *Created* and the creation date.

+ :::image type="content" source="media/vector-search-index-size/deployment-details.png" alt-text="Screenshot of the deployment details showing creation date.":::

+1. Now that you know the age of your search service, review the vector quota limits based on service creation:

+ + [Before July 1, 2023](search-limits-quotas-capacity.md#services-created-before-july-1-2023)

+ + [After July 1, 2023](search-limits-quotas-capacity.md#services-created-after-july-1-2023-in-supported-regions)

+A request for vector metrics is a data plane operation. You can use the Azure portal, REST APIs, or Azure SDKs to get vector usage at the service level through service statistics and for individual indexes.

+### [**Portal**](#tab/portal-vector-quota)

+Usage information can be found on the **Overview** page's **Usage** tab. Portal pages refresh every few minutes so if you recently updated an index, wait a bit before checking results.

+The following screenshot is for a newer Standard 1 (S1) tier, configured for one partition and one replica. Vector index quota, measured in megabytes, refers to the internal vector indexes created for each vector field. Overall, indexes consume almost 460 megabytes of available storage, but the vector index component takes up just 93 megabytes of the 460 used on this search service.

+The tile on the Usage tab tracks vector index consumption at the search service level. If you increase or decrease search service capacity, the tile reflects the changes accordingly.

+### [**REST**](#tab/rest-vector-quota)

+Use the following data plane REST APIs (version 2023-11-01 or later) for vector usage statistics:

+Azure AI Search provides vector storage and configurations for [vector search](vector-search-overview.md) and [hybrid search](hybrid-search-overview.md). Support is implemented at the field level, which means you can combine vector and nonvector fields in the same search corpus.

+## Schema of a vector store

+The following examples highlight the differences in field composition for solutions build for generative AI or classic search.

+An index schema for a vector store requires a name, a key field (string), one or more vector fields, and a vector configuration. Nonvector fields are recommended for hybrid queries, or for returning verbatim human readable content that doesn't have to go through a language model. For instructions about vector configuration, see [Create a vector store](vector-search-how-to-create-index.md).

+A vector field, such as `"content_vector"` in the following example, is of type `Collection(Edm.Single)`. It must be searchable and retrievable. It can't be filterable, facetable, or sortable, and it can't have analyzers, normalizers, or synonym map assignments. It must have dimensions set to the number of embeddings generated by the embedding model. For instance, if you're using text-embedding-ada-002, it generates 1,536 embeddings. A vector search profile is specified in a separate vector search configuration and assigned to a vector field using a profile name.

+```json

+{

+ "name": "content_vector",

+ "type": "Collection(Edm.Single)",

+ "searchable": true,

+ "retrievable": true,

+ "dimensions": 1536,

+ "vectorSearchProfile": "my-vector-profile"

+}

+```

+### Fields collection for basic vector workloads

+Here's an example showing a vector field in context, with other fields in a collection.

+The key field (required) is `"id"` in this example. The `"content"` field is the human readable equivalent of the `"content_vector"` field. Although if you're using language models exclusively for response formulation, you can skip nonvector content fields. Metadata fields are useful for filters, especially if metadata includes origin information about the source document. You can't filter on a vector field directly, but you can set prefilter or postfilter modes to filter before or after vector query execution.

+"name": "example-basic-vector-idx",

+ { "name": "content_vector", "type": "Collection(Edm.Single)", "searchable": true, "retrievable": true, "dimensions": 1536, "vectorSearchProfile": null },

+The bias of this schema is that search documents are built around data chunks. If a language model formulates the response, as is typical for RAG apps, you want a schema designed around data chunks.

+### Schema for RAG and chat-style apps

+If you're designing storage for generative search, you can create separate indexes for the static content that you indexed and vectorized, and a second index for conversations that can be used in prompt flows. The following indexes are created from the [**chat-with-your-data-solution-accelerator**](https://github.com/Azure-Samples/azure-search-openai-solution-accelerator) accelerator.

+Fields from the chat index that support generative search experience:

+```json

+"name": "example-index-from-accelerator",

+"fields": [

+ { "name": "id", "type": "Edm.String", "searchable": false, "filterable": true, "retrievable": true },

+ { "name": "content", "type": "Edm.String", "searchable": true, "filterable": false, "retrievable": true },

+ { "name": "content_vector", "type": "Collection(Edm.Single)", "searchable": true, "retrievable": true, "dimensions": 1536, "vectorSearchProfile": "my-vector-profile"},

+ { "name": "metadata", "type": "Edm.String", "searchable": true, "filterable": false, "retrievable": true },

+ { "name": "title", "type": "Edm.String", "searchable": true, "filterable": true, "retrievable": true, "facetable": true },

+ { "name": "source", "type": "Edm.String", "searchable": true, "filterable": true, "retrievable": true },

+ { "name": "chunk", "type": "Edm.Int32", "searchable": false, "filterable": true, "retrievable": true },

+ { "name": "offset", "type": "Edm.Int32", "searchable": false, "filterable": true, "retrievable": true }

+]

+```

+Here's a screenshot showing [Search explorer](search-explorer.md) search results for the conversations index. The search score is 1.00 because the search was unqualified. Notice the fields that exist to support orchestration and prompt flows. A conversation ID identifies a specific chat. `"type"` indicates whether the content is from the user or the assistant. Dates are used to age out chats from the history.

+## Physical structure and size

+In Azure AI Search, the physical structure of an index is largely an internal implementation. You can access its schema, load and query its content, monitor its size, and manage capacity, but the clusters themselves (indexes, [shards](search-capacity-planning.md#concepts-search-units-replicas-partitions-shards), and other files and folders) are managed internally by Microsoft.

+The size and substance of an index is determined by:

+Vector store index limits and estimations are covered in [another article](vector-search-index-size.md), but it's highlighted here to emphasize that maximum storage varies by service tier, and also by when the search service was created. Newer same-tier services have significantly more capacity for vector indexes.

+In terms of usage metrics, a vector index is an internal data structure created for each vector field. As such, a vector storage is always a fraction of the overall index size. Other nonvector fields and data structures consume the remainder of the quota for index size and consumed storage at the service level.

+## Basic operations and interaction

+This section introduces vector run time operations, including connecting to and securing a single index.

+> [!NOTE]

+> When managing an index, be aware that there is no portal or API support for moving or copying an index. Instead, customers typically point their application deployment solution at a different search service (if using the same index name), or revise the name to create a copy on the current search service, and then build it.

+### Continuously available

+An index is immediately available for queries as soon as the first document is indexed, but won't be fully operational until all documents are indexed. Internally, an index is [distributed across partitions and executes on replicas](search-capacity-planning.md#concepts-search-units-replicas-partitions-shards). The physical index is managed internally. The logical index is managed by you.

+An index is continuously available, with no ability to pause or take it offline. Because it's designed for continuous operation, any updates to its content, or additions to the index itself, happen in real time. As a result, queries might temporarily return incomplete results if a request coincides with a document update.

+Notice that query continuity exists for document operations (refreshing or deleting) and for modifications that don't affect the existing structure and integrity of the current index (such as adding new fields). If you need to make structural updates (changing existing fields), those are typically managed using a drop-and-rebuild workflow in a development environment, or by creating a new version of the index on production service.

+To avoid an [index rebuild](search-howto-reindex.md), some customers who are making small changes choose to "version" a field by creating a new one that coexists alongside a previous version. Over time, this leads to orphaned content in the form of obsolete fields or obsolete custom analyzer definitions, especially in a production index that is expensive to replicate. You can address these issues on planned updates to the index as part of index lifecycle management.

+### Secure access to vector data

+<!-- Azure AI Search supports comprehensive security. Authentication and authorization -->

+### Manage vector stores

+Azure provides a monitoring platform that includes diagnostic logging and alerting.

+## Secure confidential input

+Whatever authentication is used by your CCP data connector, take these steps to ensure confidential information is kept secure. The goal is to pass along credentials from the ARM template to the CCP without leaving readable confidential objects in your deployments history.

+### Create label

+The data connector definition creates a UI element to prompt for security credentials. For example, if your data connector authenticates to a log source with OAuth, your data connector definition section includes the `OAuthForm` type in the instructions. This sets up the ARM template to prompt for the credentials.

+```json

+"instructions": [

+ {

+ "type": "OAuthForm",

+ "parameters": {

+ "UsernameLabel": "Username",

+ "PasswordLabel": "Password",

+ "connectButtonLabel": "Connect",

+ "disconnectButtonLabel": "Disconnect"

+ }

+ }

+],

+```

+### Store confidential input

+A section of the ARM deployment template provides a place for the administrator deploying the data connector to enter the password. Use `securestring` to keep the confidential information secured in an object that isn't readable after deployment. For more information, see [Security recommendations for parameters](../azure-resource-manager/templates/best-practices.md#security-recommendations-for-parameters).

+```json

+"mainTemplate": {

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "[variables('dataConnectorCCPVersion')]",

+ "parameters": {

+ "Username": {

+ "type": "securestring",

+ "minLength": 1,

+ "metadata": {

+ "description": "Enter the username to connect to your data source."

+ },

+ "Password": {

+ "type": "securestring",

+ "minLength": 1,

+ "metadata": {

+ "description": "Enter the API key, client secret or password required to connect."

+ }

+ },

+ // more deployment template information

+ }

+}

+```

+### Use the securestring objects

+Finally, the CCP utilizes the credential objects in the data connector section.

+```json

+"auth": {

+ "type": "OAuth2",

+ "ClientSecret": "[[parameters('Password')]",

+ "ClientId": "[[parameters('Username')]",

+ "GrantType": "client_credentials",

+ "TokenEndpoint": "https://api.contoso.com/oauth/token",

+ "TokenEndpointHeaders": {

+ "Content-Type": "application/x-www-form-urlencoded"

+ },

+ "TokenEndpointQueryParameters": {

+ "grant_type": "client_credentials"

+ }

+},

+```

+>[!Note]

+> The strange syntax for the credential object, `"ClientSecret": "[[parameters('Password')]",` isn't a typo!

+> In order to create the deployment template which also uses parameters, you need to escape the parameters in that section with an extra starting`[`. This allows the parameters to assign a value based on the user interaction with the connector.

+>

+> For more information, see [Template expressions escape characters](../azure-resource-manager/templates/template-expressions.md#escape-characters).

+

+In addition to the example template, published solutions available in the Microsoft Sentinel content hub use the CCP for their data connector. Review the following solutions as more examples of how to stitch the components together into an ARM template.

+- [Ermes Browser Security](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ermes%20Browser%20Security/Package/mainTemplate.json)

+- [Palo Alto Prisma Cloud CWPP](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ermes%20Browser%20Security/Package/mainTemplate.json)

+For more information, see [Parameters in ARM templates](../azure-resource-manager/templates/parameters.md).

+>[!Warning]

+> Use `securestring` for all passwords and secrets in objects readable after resource deployment.

+> For more information, see [Secure confidential input](#secure-confidential-input) and [Security recommendations for parameters](../azure-resource-manager/templates/best-practices.md#security-recommendations-for-parameters).

+ // "defaultValue": "",

+https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/dataConnectors/{{dataConnectorId}}?api-version={{apiVersion}}

+For more information about the latest API version, see [Data Connectors - Create or Update URI Parameters](/rest/api/securityinsights/data-connectors/create-or-update#uri-parameters).

+As a best practice, use parameters in the auth section instead of hard-coding credentials. For more information, see [Secure confidential input](create-codeless-connector.md#secure-confidential-input).

+In order to create the deployment template which also uses parameters, you need to escape the parameters in this section with an extra starting `[`. This allows the parameters to assign a value based on the user interaction with the connector. For more information, see [Template expressions escape characters](../azure-resource-manager/templates/template-expressions.md#escape-characters).

+To enable the credentials to be entered from the UI, the `connectorUIConfig` section requires `instructions` with the desired parameters. For more information, see [Data connector definitions reference for the Codeless Connector Platform](data-connector-ui-definitions-reference.md#instructions).

+| **ApiKey** | True | string | user secret key | |

+| **AuthorizationCode** | True when grantType = `authorization_code` | String | If grant type is `authorization_code` this field value will be the authorization code returned from the auth serve. |

+| **RedirectUri** | True when grantType = `authorization_code` | String | URL for redirect, must be `https://portal.azure.com/TokenAuthorize` |

+ "redirectUri": "https://portal.azure.com/TokenAuthorize",

+ "pagingType" : "PersistentLinkHeader",

+https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/dataConnectorDefinitions/{{dataConnectorDefinitionName}}?api-version={{apiVersion}}

+For more information about the latest API version, see [Data Connector Definitions - Create or Update URI Parameters](/rest/api/securityinsights/data-connector-definitions/create-or-update#uri-parameters)

+| **dataConnectorDefinitionName** | The data connector definition must be a unique name and is the same as the `name` parameter in the [request body](#request-body).|

+|Array Property | Required | Type |Description |

+||||--|

+| **title** | | String | Defines a title for your instructions. |

+| **description** | | String | Defines a meaningful description for your instructions. |

+| **innerSteps** | | Array | Defines an array of inner instruction steps. |

+| **instructions** | True | Array of [instructions](#instructions) | Defines an array of instructions of a specific parameter type. |

+| Array Value | Required | Type |Description |

+|**fillWith** | | ENUM | Array of environment variables used to populate a placeholder. Separate multiple placeholders with commas. For example: `{0},{1}` <br><br>Supported values: `workspaceId`, `workspaceName`, `primaryKey`, `MicrosoftAwsAccount`, `subscriptionId` |

+|**label** | True | String | Defines the text for the label above a text box. |

+|**value** | True | String | Defines the value to present in the text box, supports placeholders. |

+|**rows** | | Rows | Defines the rows in the user interface area. By default, set to **1**. |

+|**wideLabel** | | Boolean | Determines a wide label for long strings. By default, set to `false`. |

+|Array Value | Required | Type |Description |

+|||||

+|**title** | True | String | Defines the title for the instruction step. |

+|**description** | | String | Optional descriptive text. |

+|**canCollapseAllSections** | | Boolean | Determines whether the section is a collapsible accordion or not. |

+|**noFxPadding** | | Boolean | If `true`, reduces the height padding to save space. |

+|**expanded** | | Boolean | If `true`, shows as expanded by default. |

+|Array Values | Required |Type |Description |

+|||||

+|**linkType** | True | ENUM | Determines the link type, as one of the following values: <br><br>`InstallAgentOnWindowsVirtualMachine`<br>`InstallAgentOnWindowsNonAzure`<br> `InstallAgentOnLinuxVirtualMachine`<br> `InstallAgentOnLinuxNonAzure`<br>`OpenSyslogSettings`<br>`OpenCustomLogsSettings`<br>`OpenWaf`<br> `OpenAzureFirewall` `OpenMicrosoftAzureMonitoring` <br> `OpenFrontDoors` <br>`OpenCdnProfile` <br>`AutomaticDeploymentCEF` <br> `OpenAzureInformationProtection` <br> `OpenAzureActivityLog` <br> `OpenIotPricingModel` <br> `OpenPolicyAssignment` <br> `OpenAllAssignmentsBlade` <br> `OpenCreateDataCollectionRule` |

+|**policyDefinitionGuid** | True when using `OpenPolicyAssignment` linkType. | String | For policy-based connectors, defines the GUID of the built-in policy definition. |

+|**assignMode** | | ENUM | For policy-based connectors, defines the assign mode, as one of the following values: `Initiative`, `Policy` |

+|**dataCollectionRuleType** | | ENUM | For DCR-based connectors, defines the type of data collection rule type as either `SecurityEvent`, or `ForwardEvent`. |

+- You can create [Data Collection Rules/Endpoints](../../azure-monitor/essentials/data-collection-rule-overview.md) with the permissions:

+To collect the managed identity application ID from Microsoft Entra ID:

+1. Create a new entry in the table:

+### Enable auditing on the relevant Dynamics 365 Finance and Operations data tables

+The analytics rules provided with this solution monitor and detect threats based on logs generated in the System Database Log.

+If you're planning to use the analytics rules provided in this solution, enable auditing for the following tables:

+|Category |Table |

+|||

+|System | `UserInfo` |

+|Bank | `BankAccountTable` |

+|Not specified | `SysAADClientTable` |

+Enable auditing on tables using the **Database log setup** wizard in the Finance and Operations portal.

+- In the **Tables and fields** page, you might want to select the **Show table names** checkbox to make it easier to find your tables.

+- To enable auditing of all fields in the selected tables, in the **Types of change** page, select all four check boxes for any relevant table names with empty field labels. Sort the table list by the **Field label** column in ascending order (A-Z).

+- Select **Yes** for all warning messages.

+For more information, see [Set up database logging](/dynamics365/fin-ops-core/dev-itpro/sysadmin/configure-manage-database-log#set-up-database-logging).

+To verify that log ingestion is working:

+ Find packaged solutions for end-to-end products or standalone content from the content hub in Microsoft Sentinel. To install and manage content from the content hub, assign the **Microsoft Sentinel Contributor** role at the resource group level.

+To enable built-in Azure Monitor alerts for Azure Site Recovery, for a particular subscription, navigate to **Preview Features** in the [Azure portal](https://ms.portal.azure.com) and register the feature flag **EnableAzureSiteRecoveryAlertsToAzureMonitor** for the selected subscription.

+* Python: [Install the Python agent](https://docs.newrelic.com/install/python/)

+ Title: Monitoring data reference for Azure Blob Storage

+description: This article contains important reference material you need when you monitor Azure Blob Storage.

+<!--

+IMPORTANT

+To make this template easier to use, first:

+1. Search and replace Azure Blob Storage with the official name of your service.

+2. Search and replace blob-storage with the service name to use in GitHub filenames.-->

+<!-- VERSION 3.0 2024_01_01

+For background about this template, see https://review.learn.microsoft.com/en-us/help/contribute/contribute-monitoring?branch=main -->

+<!-- Most services can use the following sections unchanged. All headings are required unless otherwise noted.

+The sections use #included text you don't have to maintain, which changes when Azure Monitor functionality changes. Add info into the designated service-specific places if necessary. Remove #includes or template content that aren't relevant to your service.

+At a minimum your service should have the following two articles:

+1. The primary monitoring article (based on the template monitor-service-template.md)

+ - Title: "Monitor Azure Blob Storage"

+ - TOC Title: "Monitor"

+ - Filename: "monitor-blob-storage.md"

+2. A reference article that lists all the metrics and logs for your service (based on this template).

+ - Title: "Azure Blob Storage monitoring data reference"

+ - TOC Title: "Monitoring data reference"

+ - Filename: "monitor-blob-storage-reference.md".

+-->

+# Azure Blob Storage monitoring data reference

+<!-- Intro -->

+See [Monitor Azure Blob Storage](monitor-blob-storage.md) for details on the data you can collect for Azure Blob Storage and how to use it.

+<!-- ## Metrics. Required section. -->

+<a name="metrics-dimensions"></a>

+### Supported metrics for Microsoft.Storage/storageAccounts

+The following table lists the metrics available for the Microsoft.Storage/storageAccounts resource type.

+### Supported metrics for Microsoft.Storage/storageAccounts/blobServices

+The following table lists the metrics available for the Microsoft.Storage/storageAccounts/blobServices resource type.

+<!-- ## Metric dimensions. Required section. -->

+<!-- ## Resource logs. Required section. -->

+<a name="resource-logs-preview"></a>

+### Supported resource logs for Microsoft.Storage/storageAccounts/blobServices

+<!-- ## Azure Monitor Logs tables. Required section. -->

+- [AzureActivity](/azure/azure-monitor/reference/tables/azureactivity)

+- [AzureMetrics](/azure/azure-monitor/reference/tables/azuremetrics)

+- [StorageBlobLogs](/azure/azure-monitor/reference/tables/storagebloblogs)

+The following sections describe the properties for Azure Storage resource logs when they're collected in Azure Monitor Logs or Azure Storage. The properties describe the operation, the service, and the type of authorization that was used to perform the operation.

+<!-- ## Activity log. Required section. -->

+- [Microsoft.Storage resource provider operations](/azure/role-based-access-control/resource-provider-operations#microsoftstorage)

+<!-- ## Other schemas. Optional section. Please keep heading in this order. If your service uses other schemas, add the following include and information.

+<!-- List other schemas and their usage here. These can be resource logs, alerts, event hub formats, etc. depending on what you think is important. You can put JSON messages, API responses not listed in the REST API docs, and other similar types of info here. -->

+## Related content

+- See [Monitor Azure Blob Storage](monitor-blob-storage.md) for a description of monitoring Azure Blob Storage.

+- See [Monitor Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource) for details on monitoring Azure resources.

+ Title: Monitor Azure Blob Storage

+description: Start here to learn how to monitor Azure Blob Storage.

+<!--

+IMPORTANT

+To make this template easier to use, first:

+1. Search and replace Azure Blob Storage with the official name of your service.

+2. Search and replace blob-storage with the service name to use in GitHub filenames.-->

+<!-- VERSION 3.0 2024_01_07

+For background about this template, see https://review.learn.microsoft.com/en-us/help/contribute/contribute-monitoring?branch=main -->

+<!-- Most services can use the following sections unchanged. The sections use #included text you don't have to maintain, which changes when Azure Monitor functionality changes. Add info into the designated service-specific places if necessary. Remove #includes or template content that aren't relevant to your service.

+At a minimum your service should have the following two articles:

+1. The primary monitoring article (based on this template)

+ - Title: "Monitor Azure Blob Storage"

+ - TOC Title: "Monitor"

+ - Filename: "monitor-blob-storage.md"

+2. A reference article that lists all the metrics and logs for your service (based on the template data-reference-template.md).

+ - Title: "Azure Blob Storage monitoring data reference"

+ - TOC Title: "Monitoring data reference"

+ - Filename: "monitor-blob-storage-reference.md".

+-->

+# Monitor Azure Blob Storage

+<!-- Intro -->

+>[!IMPORTANT]

+>Metrics and logs in Azure Monitor support only Azure Resource Manager storage accounts. Azure Monitor doesn't support classic storage accounts. If you want to use metrics or logs on a classic storage account, you need to migrate to an Azure Resource Manager storage account. For more information, see [Migrate to Azure Resource Manager](/azure/virtual-machines/migration-classic-resource-manager-overview).

+<!-- ## Insights. Optional section. If your service has insights, add the following include and information. -->

+<!-- Insights service-specific information. Add brief information about what your Azure Monitor insights provide here. You can refer to another article that gives details or add a screenshot. -->

+Azure Storage insights offer a unified view of storage performance, capacity, and availability. See [Monitor storage with Azure Monitor Storage insights](../common/storage-insights-overview.md).

+<!-- ## Resource types. Required section. -->

+<!-- ## Data storage. Required section. Optionally, add service-specific information about storing your monitoring data after the include. -->

+<!-- Add service-specific information about storing monitoring data here, if applicable. For example, SQL Server stores other monitoring data in its own databases. -->

+<!-- METRICS SECTION START ->

+<!-- ## Platform metrics. Required section.

+ - If your service doesn't collect platform metrics, use the following include: [!INCLUDE [horz-monitor-no-platform-metrics](~/articles/reusable-content/ce-skilling/azure/includes/azure-monitor/horizontals/horz-monitor-no-platform-metrics.md)]

+ - If your service collects platform metrics, add the following include, statement, and service-specific information as appropriate. -->

+For a list of available metrics for Azure Blob Storage, see [Azure Blob Storage monitoring data reference](monitor-blob-storage-reference.md#metrics).

+<!-- Platform metrics service-specific information. Add service-specific information about your platform metrics here.-->

+<!-- ## Prometheus/container metrics. Optional. If your service uses containers/Prometheus metrics, add the following include and information.

+<!-- Add service-specific information about your container/Prometheus metrics here.-->

+<!-- ## System metrics. Optional. If your service uses system-imported metrics, add the following include and information.

+<!-- Add service-specific information about your system-imported metrics here.-->

+<!-- ## Custom metrics. Optional. If your service uses custom imported metrics, add the following include and information.

+<!-- Custom imported service-specific information. Add service-specific information about your custom imported metrics here.-->

+<!-- ## Non-Azure Monitor metrics. Optional. If your service uses any non-Azure Monitor based metrics, add the following include and information.

+<!-- Non-Monitor metrics service-specific information. Add service-specific information about your non-Azure Monitor metrics here.-->

+<!-- METRICS SECTION END ->

+<!-- LOGS SECTION START -->

+<a name="collection-and-routing"></a>

+<!-- ## Resource logs. Required section.

+ - If your service doesn't collect resource logs, use the following include [!INCLUDE [horz-monitor-no-resource-logs](~/articles/reusable-content/ce-skilling/azure/includes/azure-monitor/horizontals/horz-monitor-no-resource-logs.md)]

+ - If your service collects resource logs, add the following include, statement, and service-specific information as appropriate. -->

+For the available resource log categories, their associated Log Analytics tables, and the logs schemas for Azure Blob Storage, see [Azure Blob Storage monitoring data reference](monitor-blob-storage-reference.md#resource-logs).

+<!-- Resource logs service-specific information. Add service-specific information about your resource logs here.

+NOTE: Azure Monitor already has general information on how to configure and route resource logs. See https://learn.microsoft.com/azure/azure-monitor/platform/diagnostic-settings. Ideally, don't repeat that information here. You can provide a single screenshot of the diagnostic settings portal experience if you want. -->

+> [!NOTE]

+> Data Lake Storage Gen2 doesn't appear as a storage type because Data Lake Storage Gen2 is a set of capabilities available to Blob storage.

+#### Destination limitations

+For general destination limitations, see [Destination limitations](/azure/azure-monitor/essentials/diagnostic-settings#destination-limitations). The following limitations apply only to monitoring Azure Storage accounts.

+- You can't send logs to the same storage account that you're monitoring with this setting.

+ This would lead to recursive logs in which a log entry describes the writing of another log entry. You must create an account or use another existing account to store log information.

+- You can't set a retention policy.

+ If you archive logs to a storage account, you can manage the retention policy of a log container by defining a lifecycle management policy. To learn how, see [Optimize costs by automating Azure Blob Storage access tiers](lifecycle-management-overview.md).

+ If you send logs to Log Analytics, you can manage the data retention period of Log Analytics at the workspace level or even specify different retention settings by data type. To learn how, see [Change the data retention period](/azure/azure-monitor/logs/data-retention-archive).

+<!-- ## Activity log. Required section. Optionally, add service-specific information about your activity log after the include. -->

+<!-- Activity log service-specific information. Add service-specific information about your activity log here. -->

+<!-- ## Imported logs. Optional section. If your service uses imported logs, add the following include and information.

+<!-- Add service-specific information about your imported logs here. -->

+<!-- ## Other logs. Optional section.

+If your service has other logs that aren't resource logs or in the activity log, add information that states what they are and what they cover here. You can describe how to route them in a later section. -->

+<!-- LOGS SECTION END ->

+<!-- ANALYSIS SECTION START -->

+<!-- ## Analyze data. Required section. -->

+<a name="analyzing-logs"></a>

+<!-- ### External tools. Required section. -->

+### Analyze metrics for Azure Blob Storage

+Metrics for Azure Blob Storage are in these namespaces:

+- Microsoft.Storage/storageAccounts

+- Microsoft.Storage/storageAccounts/blobServices

+For a complete list of the dimensions that Azure Storage supports, see [Metrics dimensions](monitor-blob-storage-reference.md#metrics-dimensions).

+You can analyze metrics for Azure Storage with metrics from other Azure services by using Metrics Explorer. Open Metrics Explorer by choosing **Metrics** from the **Azure Monitor** menu. For details on using this tool, see [Analyze metrics with Azure Monitor metrics explorer](/azure/azure-monitor/essentials/analyze-metrics).

+#### Read metric values

+#### Read metric values with dimensions

+#### Read metric values with dimensions

+#### Read account-level metric values

+#### Read multidimensional metric values

+### Analyze logs for Azure Blob Storage

+You can access resource logs either as a blob in a storage account, as event data, or through Log Analytics queries. For information about how to find those logs, see [Azure resource logs](/azure/azure-monitor/essentials/resource-logs).

+#### Log authenticated requests

+> Azure Monitor currently filters out logs that describe activity in the "insights-logs-" container.

+#### Log anonymous requests

+<!-- ### Sample Kusto queries. Required section. If you have sample Kusto queries for your service, add them after the include. -->

+<!-- Add sample Kusto queries for your service here. -->

+<!-- ### Azure Blob Storage service-specific analytics. Optional section.

+Add short information or links to specific articles that outline how to analyze data for your service. -->

+<!-- ANALYSIS SECTION END ->

+<!-- ALERTS SECTION START -->

+<!-- ## Alerts. Required section. -->

+<!-- ### Azure Blob Storage alert rules. Required section.

+**MUST HAVE** service-specific alert rules. Include useful alerts on metrics, logs, log conditions, or activity log.

+Fill in the following table with metric and log alerts that would be valuable for your service. Change the format as necessary for readability. You can instead link to an article that discusses your common alerts in detail.

+Ask your PMs if you don't know. This information is the BIGGEST request we get in Azure Monitor, so don't avoid it long term. People don't know what to monitor for best results. Be prescriptive. -->

+### Azure Blob Storage alert rules

+The following table lists common and recommended alert rules for Azure Blob Storage and the proper metric to use for the alert:

+| Alert type | Condition | Description |

+|-|-|-|

+| Metric | Blob Storage service is throttled. | Transactions<br>Dimension name: Response type |

+| Metric | Blob Storage requests are successful 99% of the time. | Availability<br>Dimension names: Geo type, API name, Authentication |

+| Metric | Blob Storage egress has exceeded 500 GiB in one day. | Egress<br>Dimension names: Geo type, API name, Authentication |

+<!-- ### Advisor recommendations -->

+<!-- ALERTS SECTION END -->

+<!-- Note from v-thepet: I don't think the following section is relevant but maybe it's required in Blob docs?

+## Feature support

+-->

+## Related content

+<!-- You can change the wording and add more links if useful. -->

+Other Blob Storage monitoring content:

+- [Azure Blob Storage monitoring data reference](monitor-blob-storage-reference.md). A reference of the logs and metrics created by Azure Blob Storage.

+- [Best practices for monitoring Azure Blob Storage](blob-storage-monitoring-scenarios.md). Guidance for common monitoring and troubleshooting scenarios.

+- [Metrics and logs FAQ](storage-blob-faq.yml#metrics-and-logs).

+Overall Azure Storage monitoring content:

+- [Monitor storage with Azure Monitor Storage insights](../common/storage-insights-overview.md). Get a unified view of storage performance, capacity, and availability.

+- [Transition to metrics in Azure Monitor](../common/storage-metrics-migration.md). Move from Storage Analytics metrics to metrics in Azure Monitor.

+- [Troubleshoot performance issues](../common/troubleshoot-storage-performance.md?toc=/azure/storage/blobs/toc.json). See common performance issues and guidance about how to troubleshoot them.

+- [Troubleshoot availability issues](../common/troubleshoot-storage-availability.md?toc=/azure/storage/blobs/toc.json). See common availability issues and guidance about how to troubleshoot them.

+- [Troubleshoot client application errors](../common/troubleshoot-storage-client-application-errors.md?toc=/azure/storage/blobs/toc.json). See common issues with connecting clients and how to troubleshoot them.

+Azure Monitor content:

+- [Monitor Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource). General details on monitoring Azure resources.

+- [Azure Monitor Metrics overview](/azure/azure-monitor/essentials/data-platform-metrics). The basics of metrics and metric dimensions.

+- [Azure Monitor Logs overview](/azure/azure-monitor/logs/data-platform-logs). The basics of logs and how to collect and analyze them.

+- [Analyze metrics with Azure Monitor metrics explorer](/azure/azure-monitor/essentials/analyze-metrics). A tour of Metrics Explorer.

+- [Overview of Log Analytics in Azure Monitor](/azure/azure-monitor/logs/log-analytics-overview). A tour of Log Analytics.

+Training modules:

+- [Gather metrics from your Azure Blob Storage containers](/training/modules/gather-metrics-blob-storage/). Create charts that show metrics, with step-by-step guidance.

+- [Monitor, diagnose, and troubleshoot your Azure Storage](/training/modules/monitor-diagnose-and-troubleshoot-azure-storage/). Troubleshoot storage account issues, with step-by-step guidance.

+Create an Azure resource group with the [az group create](/cli/azure/group#az-group-create) command. A resource group is a logical container into which Azure resources are deployed and managed.

+Create a general-purpose storage account with the [az storage account create](/cli/azure/storage/account#az-storage-account-create) command. The general-purpose storage account can be used for all four

+Blobs are always uploaded into a container. You can organize groups of blobs in containers similar to the way you organize your files on your computer in folders. Create a container for storing blobs with the [az storage container create](/cli/azure/storage/container#az-storage-container-create) command.

+In this example, you upload a blob to the container you created in the last step using the [az storage blob upload](/cli/azure/storage/blob#az-storage-blob-upload) command. It's not necessary to specify a file path since the file was created at the root directory. Remember to replace placeholder values in angle brackets with your own values:

+To upload multiple files at the same time, you can use the [az storage blob upload-batch](/cli/azure/storage/blob#az-storage-blob-upload-batch) command.

+List the blobs in the container with the [az storage blob list](/cli/azure/storage/blob#az-storage-blob-list) command. Remember to replace placeholder values in angle brackets with your own values:

+Use the [az storage blob download](/cli/azure/storage/blob#az-storage-blob-download) command to download the blob you uploaded earlier. Remember to replace placeholder values in angle brackets with your own values:

+If you want to delete the resources you created as part of this quickstart, including the storage account, delete the resource group by using the [az group delete](/cli/azure/group#az-group-delete) command. Remember to replace placeholder values in angle brackets with your own values:

+* **[Azure Elastic SAN](../elastic-san/elastic-san-introduction.md)**: Azure Elastic SAN is a good fit for general purpose databases, streaming and messaging services, CD/CI environments, and other tier 1/tier 2 workloads. Storage is provisioned on demand per created volume and volume snapshot. Multiple clusters can access a single SAN concurrently, however persistent volumes can only be attached by one consumer at a time.

+ Title: Monitoring data reference for Azure Queue Storage

+description: This article contains important reference material you need when you monitor Azure Queue Storage.

+<!-- Intro -->

+See [Monitor Azure Queue Storage](monitor-queue-storage.md) for details on the data you can collect for Azure Queue Storage and how to use it.

+<!-- ## Metrics. Required section. -->

+### Supported metrics for Microsoft.Storage/storageAccounts

+The following table lists the metrics available for the Microsoft.Storage/storageAccounts resource type.

+### Supported metrics for Microsoft.Storage/storageAccounts/queueServices

+The following table lists the metrics available for the Microsoft.Storage/storageAccounts/queueServices resource type.

+### Supported resource logs for Microsoft.Storage/storageAccounts/queueServices

+<!-- ## Azure Monitor Logs tables. Required section. -->

+- [AzureActivity](/azure/azure-monitor/reference/tables/azureactivity)

+- [AzureMetrics](/azure/azure-monitor/reference/tables/azuremetrics)

+- [StorageQueueLogs](/azure/azure-monitor/reference/tables/storagequeuelogs)

+The following tables list the properties for Azure Storage resource logs when they're collected in Azure Monitor Logs or Azure Storage. The properties describe the operation, the service, and the type of authorization that was used to perform the operation.

+<!-- ## Activity log. Required section. -->

+- [Microsoft.Storage resource provider operations](/azure/role-based-access-control/resource-provider-operations#microsoftstorage)

+## Related content

+- See [Monitor Azure Queue Storage](monitor-queue-storage.md) for a description of monitoring Azure Queue Storage.

+- See [Monitor Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource) for details on monitoring Azure resources.

+ Title: Monitor Azure Queue Storage

+description: Start here to learn how to monitor Azure Queue Storage.

+<!--

+IMPORTANT

+To make this template easier to use, first:

+1. Search and replace Azure Queue Storage with the official name of your service.

+2. Search and replace queue-storage with the service name to use in GitHub filenames.-->

+<!-- VERSION 3.0 2024_01_07

+For background about this template, see https://review.learn.microsoft.com/en-us/help/contribute/contribute-monitoring?branch=main -->

+<!-- Most services can use the following sections unchanged. The sections use #included text you don't have to maintain, which changes when Azure Monitor functionality changes. Add info into the designated service-specific places if necessary. Remove #includes or template content that aren't relevant to your service.

+At a minimum your service should have the following two articles:

+1. The primary monitoring article (based on this template)

+ - Title: "Monitor Azure Queue Storage"

+ - TOC Title: "Monitor"

+ - Filename: "monitor-queue-storage.md"

+2. A reference article that lists all the metrics and logs for your service (based on the template data-reference-template.md).

+ - Title: "Azure Queue Storage monitoring data reference"

+ - TOC Title: "Monitoring data reference"

+ - Filename: "monitor-queue-storage-reference.md".

+-->

+# Monitor Azure Queue Storage

+<!-- Intro -->

+> [!IMPORTANT]

+> Metrics and logs in Azure Monitor support only Azure Resource Manager storage accounts. Azure Monitor doesn't support classic storage accounts. If you want to use metrics or logs on a classic storage account, you need to migrate to an Azure Resource Manager storage account. For more information, see [Migrate to Azure Resource Manager](/azure/virtual-machines/migration-classic-resource-manager-overview).

+<!-- ## Insights. Optional section. If your service has insights, add the following include and information. -->

+<!-- Insights service-specific information. Add brief information about what your Azure Monitor insights provide here. You can refer to another article that gives details or add a screenshot. -->

+Azure Storage insights offer a unified view of storage performance, capacity, and availability. See [Monitor storage with Azure Monitor Storage insights](../common/storage-insights-overview.md).

+<!-- ## Resource types. Required section. -->

+<!-- ## Data storage. Required section. Optionally, add service-specific information about storing your monitoring data after the include. -->

+<!-- Add service-specific information about storing monitoring data here, if applicable. For example, SQL Server stores other monitoring data in its own databases. -->

+<!-- METRICS SECTION START ->

+<!-- ## Platform metrics. Required section.

+ - If your service doesn't collect platform metrics, use the following include: [!INCLUDE [horz-monitor-no-platform-metrics](~/articles/reusable-content/ce-skilling/azure/includes/azure-monitor/horizontals/horz-monitor-no-platform-metrics.md)]

+ - If your service collects platform metrics, add the following include, statement, and service-specific information as appropriate. -->

+For a list of available metrics for Azure Queue Storage, see [Azure Queue Storage monitoring data reference](monitor-queue-storage-reference.md#metrics).

+> [!IMPORTANT]

+> On **January 9, 2024** Storage Analytics metrics, also referred to as *classic metrics*, retired. If you used classic metrics, see [Move from Storage Analytics metrics to Azure Monitor metrics](../common/storage-metrics-migration.md) to transition to metrics in Azure Monitor.

+> [!NOTE]

+> Azure Compute, not Azure Storage, supports metrics for managed disks or unmanaged disks. For more information, see [Per disk metrics for Managed and Unmanaged Disks](https://azure.microsoft.com/blog/per-disk-metrics-managed-disks/).

+<!-- Platform metrics service-specific information. Add service-specific information about your platform metrics here.-->

+<!-- ## Prometheus/container metrics. Optional. If your service uses containers/Prometheus metrics, add the following include and information.

+<!-- Add service-specific information about your container/Prometheus metrics here.-->

+<!-- ## System metrics. Optional. If your service uses system-imported metrics, add the following include and information.

+<!-- Add service-specific information about your system-imported metrics here.-->

+<!-- ## Custom metrics. Optional. If your service uses custom imported metrics, add the following include and information.

+<!-- Custom imported service-specific information. Add service-specific information about your custom imported metrics here.-->

+<!-- ## Non-Azure Monitor metrics. Optional. If your service uses any non-Azure Monitor based metrics, add the following include and information.

+<!-- Non-Monitor metrics service-specific information. Add service-specific information about your non-Azure Monitor metrics here.-->

+<!-- METRICS SECTION END ->

+<!-- LOGS SECTION START -->

+<!-- ## Resource logs. Required section.

+ - If your service doesn't collect resource logs, use the following include [!INCLUDE [horz-monitor-no-resource-logs](~/articles/reusable-content/ce-skilling/azure/includes/azure-monitor/horizontals/horz-monitor-no-resource-logs.md)]

+ - If your service collects resource logs, add the following include, statement, and service-specific information as appropriate. -->

+For the available resource log categories, their associated Log Analytics tables, and the logs schemas for Azure Queue Storage, see [Azure Queue Storage monitoring data reference](monitor-queue-storage-reference.md#resource-logs).

+<!-- Resource logs service-specific information. Add service-specific information about your resource logs here.

+NOTE: Azure Monitor already has general information on how to configure and route resource logs. See https://learn.microsoft.com/azure/azure-monitor/platform/diagnostic-settings. Ideally, don't repeat that information here. You can provide a single screenshot of the diagnostic settings portal experience if you want. -->

+<a name="collection-and-routing"></a>

+### Azure Queue Storage diagnostic settings

+When you create the diagnostic setting, choose **queue** as the type of storage that you want to enable logs for. Then, specify one of the following categories of operations for which you want to collect logs.

+| StorageRead | Read operations on objects. |

+| StorageWrite | Write operations on objects. |

+| StorageDelete | Delete operations on objects. |

+The **audit** resource log category group allows you to collect the baseline of resource logs that Microsoft deems necessary for auditing your resource. What's collected is dynamic, and Microsoft may change it over time as new resource log categories become available. If you choose the **audit** category group, you can't specify any other resource categories, because the system will decide which logs to collect. For more information, see [Diagnostic settings in Azure Monitor: Resource logs](/azure/azure-monitor/essentials/diagnostic-settings#resource-logs).

+#### Destination limitations

+For general destination limitations, see [Destination limitations](/azure/azure-monitor/essentials/diagnostic-settings#destination-limitations). The following limitations apply only to monitoring Azure Storage accounts.

+- You can't send logs to the same storage account that you're monitoring with this setting. This situation would lead to recursive logs in which a log entry describes the writing of another log entry. You must create an account or use another existing account to store log information.

+- You can't set a retention policy.

+ If you archive logs to a storage account, you can manage the retention policy of a log container by defining a lifecycle management policy. To learn how, see [Optimize costs by automatically managing the data lifecycle](../blobs/lifecycle-management-overview.md).

+ If you send logs to Log Analytics, you can manage the data retention period of Log Analytics at the workspace level or even specify different retention settings by data type. To learn how, see [Change the data retention period](/azure/azure-monitor/logs/data-retention-archive).

+<!-- ## Activity log. Required section. Optionally, add service-specific information about your activity log after the include. -->

+<!-- Activity log service-specific information. Add service-specific information about your activity log here. -->

+<!-- ## Imported logs. Optional section. If your service uses imported logs, add the following include and information.

+<!-- Add service-specific information about your imported logs here. -->

+<!-- ## Other logs. Optional section.

+If your service has other logs that aren't resource logs or in the activity log, add information that states what they are and what they cover here. You can describe how to route them in a later section. -->

+<!-- LOGS SECTION END ->

+<!-- ANALYSIS SECTION START -->

+<!-- ## Analyze data. Required section. -->

+<!-- ### External tools. Required section. -->

+### Analyze metrics for Azure Queue Storage

+Metrics for Azure Queue Storage are in these namespaces:

+- Microsoft.Storage/storageAccounts

+- Microsoft.Storage/storageAccounts/queueServices

+For a list of all Azure Monitor supported metrics, which includes Azure Queue Storage, see [Azure Monitor supported metrics](/azure/azure-monitor/essentials/metrics-supported).

+You can analyze metrics for Azure Storage with metrics from other Azure services by using Metrics Explorer. Open Metrics Explorer by choosing **Metrics** from the **Azure Monitor** menu. For details on using this tool, see [Analyze metrics with Azure Monitor metrics explorer](/azure/azure-monitor/essentials/analyze-metrics).

+#### Read metric values

+#### Read metric values with dimensions

+#### Read metric values with dimensions

+#### List the account-level metric definition

+#### Read account-level metric values

+#### Read multidimensional metric values

+<a name="analyzing-logs"></a>

+### Analyze logs for Azure Queue Storage

+You can access resource logs either as a blob in a storage account, as event data, or through Log Analytics queries. For information about how to find those logs, see [Azure resource logs](/azure/azure-monitor/essentials/resource-logs).

+When you view a storage account in the Azure portal, the operations called by the portal are also logged. For this reason, you may see operations logged in a storage account even though you haven't written any data to the account.

+#### Log authenticated requests

+ The following types of authenticated requests are logged:

+- Failed requests, including time-out, throttling, network, authorization, and other errors

+#### Log anonymous requests

+ The following types of anonymous requests are logged:

+- Failed GET requests with the error code 304 (`Not Modified`)

+<!-- ### Sample Kusto queries. Required section. If you have sample Kusto queries for your service, add them after the include. -->

+<!-- Add sample Kusto queries for your service here. -->

+Here are some queries that you can enter in the **Log search** bar to help you monitor your Queue Storage. These queries work with the [new language](../../azure-monitor/logs/log-query-overview.md). For more information, see [Log Analytics tutorial](/azure/azure-monitor/logs/log-analytics-tutorial).

+<!-- ### Azure Queue Storage service-specific analytics. Optional section.

+Add short information or links to specific articles that outline how to analyze data for your service. -->

+<!-- ANALYSIS SECTION END ->

+<!-- ALERTS SECTION START -->

+<!-- ## Alerts. Required section. -->

+<!-- ### Azure Queue Storage alert rules. Required section.

+**MUST HAVE** service-specific alert rules. Include useful alerts on metrics, logs, log conditions, or activity log.

+Fill in the following table with metric and log alerts that would be valuable for your service. Change the format as necessary for readability. You can instead link to an article that discusses your common alerts in detail.

+Ask your PMs if you don't know. This information is the BIGGEST request we get in Azure Monitor, so don't avoid it long term. People don't know what to monitor for best results. Be prescriptive. -->

+### Azure Queue Storage alert rules

+The following table lists common and recommended alert rules for Azure Queue Storage and the proper metric to use for the alert:

+| Alert type | Condition | Description |

+|-|-|-|

+| Metric | Queue Storage service is throttled. | Transactions<br>Dimension name: Response type |

+| Metric | Queue Storage requests are successful 99% of the time. | Availability<br>Dimension names: Geo type, API name, Authentication |

+| Metric | Queue Storage egress has exceeded 500 GiB in one day. | Egress<br>Dimension names: Geo type, API name, Authentication |

+<!-- ### Advisor recommendations -->

+<!-- ALERTS SECTION END -->

+## Related content

+<!-- You can change the wording and add more links if useful. -->

+Other Queue Storage monitoring content:

+- [Azure Queue Storage monitoring data reference](monitor-queue-storage-reference.md). A reference of the logs and metrics created by Azure Queue Storage.

+- [Performance and scalability checklist for Queue Storage](storage-performance-checklist.md)

+Overall Azure Storage monitoring content:

+- [Monitor storage with Azure Monitor Storage insights](../common/storage-insights-overview.md). Get a unified view of storage performance, capacity, and availability.

+- [Transition to metrics in Azure Monitor](../common/storage-metrics-migration.md). Move from Storage Analytics metrics to metrics in Azure Monitor.

+- [Troubleshoot performance issues](../common/troubleshoot-storage-performance.md?toc=/azure/storage/blobs/toc.json). See common performance issues and guidance about how to troubleshoot them.

+- [Troubleshoot availability issues](../common/troubleshoot-storage-availability.md?toc=/azure/storage/blobs/toc.json). See common availability issues and guidance about how to troubleshoot them.

+- [Troubleshoot client application errors](../common/troubleshoot-storage-client-application-errors.md?toc=/azure/storage/blobs/toc.json). See common issues with connecting clients and how to troubleshoot them.

+- [Monitor, diagnose, and troubleshoot your Azure Storage (training module)](/training/modules/monitor-diagnose-and-troubleshoot-azure-storage/). Troubleshoot storage account issues, with step-by-step guidance.

+Azure Monitor content:

+- [Monitor Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource). General details on monitoring Azure resources.

+- [Azure Monitor Metrics overview](/azure/azure-monitor/essentials/data-platform-metrics). The basics of metrics and metric dimensions.

+- [Azure Monitor Logs overview](/azure/azure-monitor/logs/data-platform-logs). The basics of logs and how to collect and analyze them.

+- [Analyze metrics with Azure Monitor metrics explorer](/azure/azure-monitor/essentials/analyze-metrics). A tour of Metrics Explorer.

+- [Overview of Log Analytics in Azure Monitor](/azure/azure-monitor/logs/log-analytics-overview). A tour of Log Analytics.

+ Title: Monitoring data reference for Azure Table Storage

+description: This article contains important reference material you need when you monitor Azure Table Storage.

+# Azure Table Storage monitoring data reference

+<!-- Intro -->

+See [Monitor Azure Table Storage](monitor-table-storage.md) for details on the data you can collect for Azure Table Storage and how to use it.

+<!-- ## Metrics. Required section. -->

+### Supported metrics for Microsoft.Storage/storageAccounts

+The following table lists the metrics available for the Microsoft.Storage/storageAccounts resource type.

+### Supported metrics for Microsoft.Storage/storageAccounts/tableServices

+The following table lists the metrics available for the Microsoft.Storage/storageAccounts/tableServices resource type.

+### Supported resource logs for Microsoft.Storage/storageAccounts/tableServices

+<!-- ## Azure Monitor Logs tables. Required section. -->

+- [AzureActivity](/azure/azure-monitor/reference/tables/azureactivity)

+- [AzureMetrics](/azure/azure-monitor/reference/tables/azuremetrics)

+- [StorageTableLogs](/azure/azure-monitor/reference/tables/storagetablelogs)

+The following tables list the properties for Azure Storage resource logs when they're collected in Azure Monitor Logs or Azure Storage. The properties describe the operation, the service, and the type of authorization that was used to perform the operation.

+<!-- ## Activity log. Required section. -->

+- [Microsoft.Storage resource provider operations](/azure/role-based-access-control/resource-provider-operations#microsoftstorage)

+## Related content

+- See [Monitor Azure Table Storage](monitor-table-storage.md) for a description of monitoring Azure Table Storage.

+- See [Monitor Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource) for details on monitoring Azure resources.

+ Title: Monitor Azure Table Storage

+description: Start here to learn how to monitor Azure Table Storage.

+# ms.devlang: csharp, powershell, azurecli

+<!--

+IMPORTANT

+To make this template easier to use, first:

+1. Search and replace Azure Table Storage with the official name of your service.

+2. Search and replace table-storage with the service name to use in GitHub filenames.-->

+<!-- VERSION 3.0 2024_01_07

+For background about this template, see https://review.learn.microsoft.com/en-us/help/contribute/contribute-monitoring?branch=main -->

+<!-- Most services can use the following sections unchanged. The sections use #included text you don't have to maintain, which changes when Azure Monitor functionality changes. Add info into the designated service-specific places if necessary. Remove #includes or template content that aren't relevant to your service.

+At a minimum your service should have the following two articles:

+1. The primary monitoring article (based on this template)

+ - Title: "Monitor Azure Table Storage"

+ - TOC Title: "Monitor"

+ - Filename: "monitor-table-storage.md"

+2. A reference article that lists all the metrics and logs for your service (based on the template data-reference-template.md).

+ - Title: "Azure Table Storage monitoring data reference"

+ - TOC Title: "Monitoring data reference"

+ - Filename: "monitor-table-storage-reference.md".

+-->

+# Monitor Azure Table Storage

+<!-- Intro -->

+> [!IMPORTANT]

+> Metrics and logs in Azure Monitor support only Azure Resource Manager storage accounts. Azure Monitor doesn't support classic storage accounts. If you want to use metrics or logs on a classic storage account, you need to migrate to an Azure Resource Manager storage account. For more information, see [Migrate to Azure Resource Manager](/azure/virtual-machines/migration-classic-resource-manager-overview).

+<!-- ## Insights. Optional section. If your service has insights, add the following include and information. -->

+<!-- Insights service-specific information. Add brief information about what your Azure Monitor insights provide here. You can refer to another article that gives details or add a screenshot. -->

+Azure Storage insights offer a unified view of storage performance, capacity, and availability. See [Monitor storage with Azure Monitor Storage insights](../common/storage-insights-overview.md).

+<!-- ## Resource types. Required section. -->

+<!-- ## Data storage. Required section. Optionally, add service-specific information about storing your monitoring data after the include. -->

+<!-- Add service-specific information about storing monitoring data here, if applicable. For example, SQL Server stores other monitoring data in its own databases. -->

+<!-- METRICS SECTION START ->

+<!-- ## Platform metrics. Required section.

+ - If your service doesn't collect platform metrics, use the following include: [!INCLUDE [horz-monitor-no-platform-metrics](~/articles/reusable-content/ce-skilling/azure/includes/azure-monitor/horizontals/horz-monitor-no-platform-metrics.md)]

+ - If your service collects platform metrics, add the following include, statement, and service-specific information as appropriate. -->

+For a list of available metrics for Azure Table Storage, see [Azure Table Storage monitoring data reference](monitor-table-storage-reference.md#metrics).

+> [!IMPORTANT]

+> On **January 9, 2024** Storage Analytics metrics, also referred to as *classic metrics*, retired. If you used classic metrics, see [Move from Storage Analytics metrics to Azure Monitor metrics](../common/storage-metrics-migration.md) to transition to metrics in Azure Monitor. You can continue using classic logs if you want to. However, we recommend that you transition to using Azure Storage logs in Azure Monitor instead of Storage Analytics logs.

+> [!NOTE]

+> Azure Compute, not Azure Storage, supports metrics for managed disks or unmanaged disks. For more information, see [Per disk metrics for Managed and Unmanaged Disks](https://azure.microsoft.com/blog/per-disk-metrics-managed-disks/).

+<!-- Platform metrics service-specific information. Add service-specific information about your platform metrics here.-->

+<!-- ## Prometheus/container metrics. Optional. If your service uses containers/Prometheus metrics, add the following include and information.

+<!-- Add service-specific information about your container/Prometheus metrics here.-->

+<!-- ## System metrics. Optional. If your service uses system-imported metrics, add the following include and information.

+<!-- Add service-specific information about your system-imported metrics here.-->

+<!-- ## Custom metrics. Optional. If your service uses custom imported metrics, add the following include and information.

+<!-- Custom imported service-specific information. Add service-specific information about your custom imported metrics here.-->

+<!-- ## Non-Azure Monitor metrics. Optional. If your service uses any non-Azure Monitor based metrics, add the following include and information.

+<!-- Non-Monitor metrics service-specific information. Add service-specific information about your non-Azure Monitor metrics here.-->

+<!-- METRICS SECTION END ->

+<!-- LOGS SECTION START -->

+<!-- ## Resource logs. Required section.

+ - If your service doesn't collect resource logs, use the following include [!INCLUDE [horz-monitor-no-resource-logs](~/articles/reusable-content/ce-skilling/azure/includes/azure-monitor/horizontals/horz-monitor-no-resource-logs.md)]

+ - If your service collects resource logs, add the following include, statement, and service-specific information as appropriate. -->

+For the available resource log categories, their associated Log Analytics tables, and the logs schemas for Azure Table Storage, see [Azure Table Storage monitoring data reference](monitor-table-storage-reference.md#resource-logs).

+<!-- Resource logs service-specific information. Add service-specific information about your resource logs here.

+NOTE: Azure Monitor already has general information on how to configure and route resource logs. See https://learn.microsoft.com/azure/azure-monitor/platform/diagnostic-settings. Ideally, don't repeat that information here. You can provide a single screenshot of the diagnostic settings portal experience if you want. -->

+<a name="collection-and-routing"></a>

+### Azure Table Storage diagnostic settings

+When you create the diagnostic setting, choose **table** as the type of storage that you want to enable logs for. Then, specify one of the following categories of operations for which you want to collect logs.

+The **audit** resource log category group allows you to collect the baseline of resource logs that Microsoft deems necessary for auditing your resource. What's collected is dynamic, and Microsoft may change it over time as new resource log categories become available. If you choose the **audit** category group, you can't specify any other resource categories, because the system will decide which logs to collect. For more information, see [Diagnostic settings in Azure Monitor: Resource logs](/azure/azure-monitor/essentials/diagnostic-settings#resource-logs).

+#### Destination limitations

+For general destination limitations, see [Destination limitations](/azure/azure-monitor/essentials/diagnostic-settings#destination-limitations). The following limitations apply only to monitoring Azure Storage accounts.

+- You can't send logs to the same storage account that you're monitoring with this setting. This situation would lead to recursive logs in which a log entry describes the writing of another log entry. You must create an account or use another existing account to store log information.

+- You can't set a retention policy.

+ If you archive logs to a storage account, you can manage the retention policy of a log container by defining a lifecycle management policy. To learn how, see [Optimize costs by automatically managing the data lifecycle](../blobs/lifecycle-management-overview.md).

+ If you send logs to Log Analytics, you can manage the data retention period of Log Analytics at the workspace level or even specify different retention settings by data type. To learn how, see [Change the data retention period](/azure/azure-monitor/logs/data-retention-archive).

+<!-- ## Activity log. Required section. Optionally, add service-specific information about your activity log after the include. -->

+<!-- Activity log service-specific information. Add service-specific information about your activity log here. -->

+<!-- ## Imported logs. Optional section. If your service uses imported logs, add the following include and information.

+<!-- Add service-specific information about your imported logs here. -->

+<!-- ## Other logs. Optional section.

+If your service has other logs that aren't resource logs or in the activity log, add information that states what they are and what they cover here. You can describe how to route them in a later section. -->

+<!-- LOGS SECTION END ->

+<!-- ANALYSIS SECTION START -->

+<!-- ## Analyze data. Required section. -->

+<!-- ### External tools. Required section. -->

+### Analyze metrics for Azure Table Storage

+Metrics for Azure Table Storage are in these namespaces:

+- Microsoft.Storage/storageAccounts

+- Microsoft.Storage/storageAccounts/tableServices

+For a list of all Azure Monitor supported metrics, which includes Azure Table Storage, see [Azure Monitor supported metrics](/azure/azure-monitor/essentials/metrics-supported).

+You can analyze metrics for Azure Storage with metrics from other Azure services by using Metrics Explorer. Open Metrics Explorer by choosing **Metrics** from the **Azure Monitor** menu. For details on using this tool, see [Analyze metrics with Azure Monitor metrics explorer](/azure/azure-monitor/essentials/analyze-metrics).

+You can list the metric definition of your storage account or the Table Storage service. Use the [Get-AzMetricDefinition](/powershell/module/az.monitor/get-azmetricdefinition) cmdlet.

+In this example, replace the `<resource-ID>` placeholder with the resource ID of the entire storage account or the resource ID of the Table Storage service. You can find these resource IDs on the **Properties** pages of your storage account in the Azure portal.

+#### Read metric values

+You can read account-level metric values of your storage account or the Table Storage service. Use the [Get-AzMetric](/powershell/module/az.monitor/get-azmetric) cmdlet.

+#### Read metric values with dimensions

+You can list the metric definition of your storage account or the Table Storage service. Use the [az monitor metrics list-definitions](/cli/azure/monitor/metrics#az-monitor-metrics-list-definitions) command.

+In this example, replace the `<resource-ID>` placeholder with the resource ID of the entire storage account or the resource ID of the Table Storage service. You can find these resource IDs on the **Properties** pages of your storage account in the Azure portal.

+You can read the metric values of your storage account or the Table Storage service. Use the [az monitor metrics list](/cli/azure/monitor/metrics#az-monitor-metrics-list) command.

+#### Read metric values with dimensions

+Azure Monitor provides the [.NET SDK](https://www.nuget.org/packages/microsoft.azure.management.monitor/) to read metric definition and values. The [sample code](https://azure.microsoft.com/resources/samples/monitor-dotnet-metrics-api/) shows how to use the SDK with different parameters. You need to use `0.18.0-preview` or a later version for storage metrics.

+In these examples, replace the `<resource-ID>` placeholder with the resource ID of the entire storage account or the Table Storage service. You can find these resource IDs on the **Properties** pages of your storage account in the Azure portal.

+Replace the `<subscription-ID>` variable with the ID of your subscription. For guidance on how to obtain values for `<tenant-ID>`, `<application-ID>`, and `<AccessKey>`, see [Use the portal to create a Microsoft Entra application and service principal that can access resources](/azure/active-directory/develop/howto-create-service-principal-portal).

+#### Read account-level metric values

+#### Read multidimensional metric values

+<a name="analyzing-logs"></a>

+### Analyze logs for Azure Table Storage

+You can access resource logs either as a blob in a storage account, as event data, or through Log Analytics queries. For information about how to find those logs, see [Azure resource logs](/azure/azure-monitor/essentials/resource-logs).

+Log entries are created only if there are requests made against the service endpoint. For example, if a storage account has activity in its table endpoint but not in its queue or blob endpoints, only logs that pertain to Table Storage are created. Azure Storage logs contain detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis.

+When you view a storage account in the Azure portal, the operations called by the portal are also logged. For this reason, you may see operations logged in a storage account even though you haven't written any data to the account.

+#### Log authenticated requests

+Requests made by the Table Storage service itself, such as log creation or deletion, aren't logged. For a full list of the logged data, see [Storage logged operations and status messages](/rest/api/storageservices/storage-analytics-logged-operations-and-status-messages) and [Storage log format](monitor-table-storage-reference.md).

+#### Log anonymous requests

+- Failed GET requests with the error code 304 (`Not Modified`)

+<!-- ### Sample Kusto queries. Required section. If you have sample Kusto queries for your service, add them after the include. -->

+<!-- Add sample Kusto queries for your service here. -->

+Here are some queries that you can enter in the **Log search** bar to help you monitor your Table Storage. These queries work with the [new language](../../azure-monitor/logs/log-query-overview.md). For more information, see [Log Analytics tutorial](/azure/azure-monitor/logs/log-analytics-tutorial).

+<!-- ### Azure Table Storage service-specific analytics. Optional section.

+Add short information or links to specific articles that outline how to analyze data for your service. -->

+<!-- ANALYSIS SECTION END ->

+<!-- ALERTS SECTION START -->

+<!-- ## Alerts. Required section. -->

+<!-- ### Azure Table Storage alert rules. Required section.

+**MUST HAVE** service-specific alert rules. Include useful alerts on metrics, logs, log conditions, or activity log.

+Fill in the following table with metric and log alerts that would be valuable for your service. Change the format as necessary for readability. You can instead link to an article that discusses your common alerts in detail.

+Ask your PMs if you don't know. This information is the BIGGEST request we get in Azure Monitor, so don't avoid it long term. People don't know what to monitor for best results. Be prescriptive. -->

+### Azure Table Storage alert rules

+The following table lists common and recommended alert rules for Azure Table Storage and the proper metric to use for the alert:

+| Alert type | Condition | Description |

+|-|-|-|

+| Metric | Table Storage service is throttled. | Transactions<br>Dimension name: Response type |

+| Metric | Table Storage requests are successful 99% of the time. | Availability<br>Dimension names: Geo type, API name, Authentication |

+| Metric | Table Storage egress has exceeded 500 GiB in one day. | Egress<br>Dimension names: Geo type, API name, Authentication |

+<!-- ### Advisor recommendations -->

+<!-- ALERTS SECTION END -->

+## Related content

+<!-- You can change the wording and add more links if useful. -->

+Other Table Storage monitoring content:

+- [Azure Table Storage monitoring data reference](monitor-table-storage-reference.md). A reference of the logs and metrics created by Azure Table Storage.

+- [Performance and scalability checklist for Table Storage](storage-performance-checklist.md)

+Overall Azure Storage monitoring content:

+- [Monitor storage with Azure Monitor Storage insights](../common/storage-insights-overview.md). Get a unified view of storage performance, capacity, and availability.

+- [Transition to metrics in Azure Monitor](../common/storage-metrics-migration.md). Move from Storage Analytics metrics to metrics in Azure Monitor.

+- [Troubleshoot performance issues](../common/troubleshoot-storage-performance.md?toc=/azure/storage/blobs/toc.json). See common performance issues and guidance about how to troubleshoot them.

+- [Troubleshoot availability issues](../common/troubleshoot-storage-availability.md?toc=/azure/storage/blobs/toc.json). See common availability issues and guidance about how to troubleshoot them.

+- [Troubleshoot client application errors](../common/troubleshoot-storage-client-application-errors.md?toc=/azure/storage/blobs/toc.json). See common issues with connecting clients and how to troubleshoot them.

+- [Monitor, diagnose, and troubleshoot your Azure Storage (training module)](/training/modules/monitor-diagnose-and-troubleshoot-azure-storage/). Troubleshoot storage account issues, with step-by-step guidance.

+Azure Monitor content:

+- [Monitor Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource). General details on monitoring Azure resources.

+- [Azure Monitor Metrics overview](/azure/azure-monitor/essentials/data-platform-metrics). The basics of metrics and metric dimensions.

+- [Azure Monitor Logs overview](/azure/azure-monitor/logs/data-platform-logs). The basics of logs and how to collect and analyze them.

+- [Analyze metrics with Azure Monitor metrics explorer](/azure/azure-monitor/essentials/analyze-metrics). A tour of Metrics Explorer.

+- [Overview of Log Analytics in Azure Monitor](/azure/azure-monitor/logs/log-analytics-overview). A tour of Log Analytics.

+This tutorial shows you how to analyze phone call data using Azure Stream Analytics. The phone call data, generated by a client application, contains fraudulent calls, which are detected by the Stream Analytics job. You can use techniques from this tutorial for other types of fraud detection, such as credit card fraud or identity theft.

+In this tutorial, you perform the following tasks:

+ :::image type="content" source="media/stream-analytics-real-time-fraud-detection/sample-output-passthrough.png" alt-text="Sample output from test query.":::

+ The exact number of records you see depends on how many records were captured in the sample.

+For this transformation, you want a sequence of temporal windows that don't overlapΓÇöeach window has a discrete set of data that you can group and aggregate. This type of window is referred to as a *Tumbling window*. Within the Tumbling window, you can get a count of the incoming calls grouped by `SwitchNum`, which represents the country/region where the call originated.

+ To specify that you want to use a Tumbling window, you use the [TUMBLINGWINDOW](/stream-analytics-query/tumbling-window-azure-stream-analytics) function in the `GROUP BY` clause. In the function, you specify a time unit (anywhere from a microsecond to a day) and a window size (how many units). In this example, the Tumbling window consists of 5-second intervals, so you get a count by country/region for every 5 seconds' worth of calls.

+7. Your dashboard should look like the following example once both tiles are added. Notice that, if your event hub sender application and Streaming Analytics application are running, your Power BI dashboard periodically updates as new data arrives.

+ 

+For this part of the tutorial, you use a sample [ASP.NET](https://asp.net/) web application created by the Power BI team to embed your dashboard. For more information about embedding dashboards, see [embedding with Power BI](/power-bi/developer/embedding) article.

+Once you have the application running in your browser, follow these steps to embed the dashboard you created earlier into the web page:

+ Download and run the PowerShell script [`MigrationPrerequisiteScript`](https://github.com/azureautomation/Preqrequisite-for-Migration-from-Azure-Automation-Update-Management-to-Azure-Update-Manager/blob/main/MigrationPrerequisites.ps1) locally. This script takes AutomationAccountResourceId of the Automation account to be migrated as the input.

+1. Import [migration runbook](https://github.com/azureautomation/Migrate-from-Azure-Automation-Update-Management-to-Azure-Update-Manager/blob/main/Migration.ps1) from the runbooks gallery and publish. Search for **azure automation update** from browse gallery, and import the migration runbook named **Migrate from Azure Automation Update Management to Azure Update Manager** and publish the runbook.

+This sample configuration XML won't install OneDrive in per-user mode. To learn more, see [Install OneDrive in per-machine mode](#install-onedrive-in-per-machine-mode).

+1. First, create a location to stage the OneDrive installer. A local disk folder or UNC path is fine.

+## Microsoft Teams

+To learn how to install Microsoft Teams, see [Use Microsoft Teams on Azure Virtual desktop](./teams-on-avd.md). Azure Virtual Desktop doesn't support Skype for Business.

+| Insider | 1.2.5248 | [Windows 64-bit](https://go.microsoft.com/fwlink/?linkid=2139233) *(most common)*<br />[Windows 32-bit](https://go.microsoft.com/fwlink/?linkid=2139144)<br />[Windows ARM64](https://go.microsoft.com/fwlink/?linkid=2139368) |

+## Updates for version 1.2.5248 (Insider)

+*Date published: February 13, 2024*

+Download: [Windows 64-bit](https://go.microsoft.com/fwlink/?linkid=2139233), [Windows 32-bit](https://go.microsoft.com/fwlink/?linkid=2139144), [Windows ARM64](https://go.microsoft.com/fwlink/?linkid=2139368)

+In this release, we've made the following changes:

+- Fixed an issue that caused artifacts to appear on the screen during RemoteApp sessions.

+- Fixed an issue where resizing the Teams video call window caused the client to temporarily stop responding.

+- Fixed an issue that made Teams calls echo after expanding a two-person call to meeting call.

+- Improved client logging, diagnostics, and error classification to help admins troubleshoot connection and feed issues.

+## Updates for version 1.2.5126

+*Published: January 24, 2024*

+- Properly escaping characters will help ensure that strings are parsed correctly. For example, you always need two backslashes to escape a single literal backslash when dealing with file paths. Sample: `{"commandToExecute": "C:\\Windows\\System32\\systeminfo.exe >> D:\\test.txt"}`

+>Make sure your subscription is registered for the `Microsoft.ContainerInstance` provider and there are no policies blocking deployment of Azure Container Instances resources. Also ensure that quota is available for Azure Container Instances resources.

+You might observe a few new resources temporarily appear in the staging resource group (for example, Azure Container Instance, Virtual Network, Network Security Group, and Private Endpoint) while some other resource may no longer appear (for example, Public IP Address). As earlier, these temporary resources exist only during the build and will be deleted by Image Builder thereafter.

+> Image Builder is in the process of rolling this change out to all locations and customers. Some of these details (especially around deployment of new Networking related resources) might change as the process is fine-tuned based on service telemetry and feedback. Please refer to the [troubleshooting guide](./linux/image-builder-troubleshoot.md#troubleshoot-build-failures) for more information.

+>

+> After successfully registering your subscription, make sure there are no Azure Policies in your subscription that deny deployment of required resources. Policies allowing only a restricted set of resource types not including Azure Container Instance would block deployment.

+>

+> Ensure that your subscription also has a sufficient [quota of resources](../container-instances/container-instances-resource-and-quota-limits.md) required for deployment of Azure Container Instance resources.

+>

+> [!IMPORTANT]

+> Image Builder may need to deploy temporary networking related resources in the staging resource group in your subscription. Ensure that no Azure Policies deny the deployment of such resources (Virtual Network with Subnets, Network Security Group, Private endpoint) in the resource group.

+>

+> If you have Azure Policies applying DDoS protection plans to any newly created Virtual Network, either relax the Policy for the resource group or ensure that the Template Managed Identity has permissions to join the plan.

+* If your virtual hub is configured with more than 15 routing infrastructure units, please scale in your virtual hub to 2 routing infrastructure units before attempting to upgrade. You can scale back out your hub to more than 15 routing infrastructure units after upgrading your hub.