-description: Learn how to enable custom domains in your redirect URLs for Azure Active Directory B2C.

-# Enable custom domains for Azure Active Directory B2C

-This guide will show you how to get started with the sample Face enrollment application. The app demonstrates best practices for obtaining meaningful consent to add users into a face recognition service and acquire high-accuracy face data. An integrated system could use an app like this to provide touchless access control, identification, attendance tracking, or personalization kiosk, based on their face data.

-When launched, the application shows users a detailed consent screen. If the user gives consent, the app prompts for a username and password and then captures a high-quality face image using the device's camera.

-The sample app is written using JavaScript and the React Native framework. It can currently be deployed on Android and iOS devices; more deployment options are coming in the future.

-### Important Security Considerations

-* For local development and initial limited testing, it is acceptable (although not best practice) to use environment variables to hold the API key and endpoint. For pilot and final deployments, the API key should be stored securely - which likely involves using an intermediate service to validate a user token generated during login.

-* Never store the API key or endpoint in code or commit them to a version control system (e.g. Git). If that happens by mistake, you should immediately generate a new API key/endpoint and revoke the previous ones.

-* As a best practice, consider having separate API keys for development and production.

-Now that you have set up the sample app, you can tailor it to your own needs.

- * Occlusion (partially hidden or obstructed faces) including accessories like hats or thick-rimmed glasses)

- using Azure.AI.Vision.Common;

- // Submit the image to the Azure AI Vision API

- var serviceOptions = new VisionServiceOptions(

- Environment.GetEnvironmentVariable(ConfigurationManager.AppSettings["VisionEndpoint"]),

- var analysisOptions = new ImageAnalysisOptions()

- {

- Features = ImageAnalysisFeature.Caption | ImageAnalysisFeature.Tags,

- Language = "en",

- GenderNeutralCaption = true

- };

- using var imageSource = VisionSource.FromUrl(

- new Uri(photo.Uri.ToString()));

- using var analyzer = new ImageAnalyzer(serviceOptions, imageSource, analysisOptions);

- var result = analyzer.Analyze();

- photo.Metadata.Add("Caption", result.Caption.ContentCaption.Content);

- for (int i = 0; i < result.Tags.ContentTags.Count; i++)

- photo.Metadata.Add(key, result.Tags.ContentTags[i]);

- Observe that the **Index** method now accepts a parameter _id_ that contains the value the user typed into the search box. An empty or missing _id_ parameter indicates that all the photos should be displayed.

-## Input data

-This article explains the concept of Face recognition, its related operations, and the underlying data structures. Broadly, face recognition is the act of verifying or identifying individuals by their faces. Face recognition is important in implementing the identification scenario, which enterprises and apps can use to verify that a (remote) user is who they claim to be.

-## Input data

-### Shelf Image Composition

-### Shelf Product Recognition (pretrained model)

-### Shelf Product Recognition - Custom (customized model)

-### Shelf Planogram Compliance (preview)

-In order to use the Azure AI Face API for face verification or identification, you need to enroll faces into a **LargePersonGroup** or similar data structure. This deep-dive demonstrates best practices for gathering meaningful consent from users and example logic to create high-quality enrollments that will optimize recognition accuracy.

-> [!NOTE]

-|Recommended enrollment features | Include a log-on step with multi-factor authentication. </br></br>Link user information like an alias or identification number with their face template ID from the Face API (known as person ID). This mapping is necessary to retrieve and manage a user's enrollment. Note: person ID should be treated as a secret in the application.</br></br>Set up an automated process to delete all enrollment data, including the face templates and enrollment photos of people who are no longer users of facial recognition technology, such as former employees. </br></br>Avoid auto-enrollment, as it does not give the user the awareness, understanding, freedom of choice, or control that is recommended for obtaining consent. </br></br>Ask users for permission to save the images used for enrollment. This is useful when there is a model update since new enrollment photos will be required to re-enroll in the new model about every 10 months. If the original images aren't saved, users will need to go through the enrollment process from the beginning.</br></br>Allow users to opt out of storing photos in the system. To make the choice clearer, you can add a second consent request screen for saving the enrollment photos. </br></br>If photos are saved, create an automated process to re-enroll all users when there is a model update. Users who saved their enrollment photos will not have to enroll themselves again. </br></br>Create an app feature that allows designated administrators to override certain quality filters if a user has trouble enrolling. |

-This guide demonstrates how to add a large number of persons and faces to a PersonGroup object. The same strategy also applies to LargePersonGroup, FaceList, and LargeFaceList objects. This sample is written in C# by using the Azure AI Face .NET client library.

-## Step 1: Initialization

-The following code declares several variables and implements a helper function to schedule the face add requests:

-## Step 2: Authorize the API call

-## Step 3: Create the PersonGroup

-A PersonGroup named "MyPersonGroup" is created to save the persons.

-The request time is enqueued to `_timeStampQueue` to ensure the overall validation.

-## Step 4: Create the persons for the PersonGroup

-Persons are created concurrently, and `await WaitCallLimitPerSecondAsync()` is also applied to avoid exceeding the call limit.

-## Step 5: Add faces to the persons

-Faces added to different persons are processed concurrently. Faces added for one specific person are processed sequentially.

-Again, `await WaitCallLimitPerSecondAsync()` is invoked to ensure that the request frequency is within the scope of limitation.

-The following features were explained and demonstrated:

-In this guide, you learned how to add face data to a **PersonGroup**. Next, learn how to use the enhanced data structure **PersonDirectory** to do more with your face data.

-This guide demonstrates how to use the face detection API to extract attributes like age, emotion, or head pose from a given image. You'll learn the different ways to configure the behavior of this API to meet your needs.

-# Shelf Product Recognition - Custom Model (preview)

-When your custom model is trained and ready (you've completed the steps in the [Model customization guide](./model-customization.md)), you can use it through the Shelf Analyze operation. Set the _PRODUCT_CLASSIFIER_MODEL_ URL parameter to the name of your custom model (the _ModelName_ value you used in the creation step).

-curl.exe -H "Ocp-Apim-Subscription-Key: <subscriptionKey>" -H "Content-Type: application/json" "https://<endpoint>/computervision/productrecognition/ms-pretrained-product-detection/runs/<your_run_name>?api-version=2023-04-01-preview" -d "{

- 2. Replace the `<your_run_name>` with your unique test run name for the task queue. It is an async API task queue name for you to be able retrieve the API response later. For example, `.../runs/test1?api-version...`

-# Shelf Planogram Compliance (preview)

-### Planogram API Model

-### Product API Model

-### Fixture API Model

-### Position API Model

-### Planogram Matching Position API Model

-|**detection_01** |**detection_02** |**detection_03**

-||||

-|Default choice for all face detection operations. | Released in May 2019 and available optionally in all face detection operations. | Released in February 2021 and available optionally in all face detection operations.

-|Not optimized for small, side-view, or blurry faces. | Improved accuracy on small, side-view, and blurry faces. | Further improved accuracy, including on smaller faces (64x64 pixels) and rotated face orientations.

-|Returns main face attributes (head pose, age, emotion, and so on) if they're specified in the detect call. | Does not return face attributes. | Returns mask and head pose attributes if they're specified in the detect call.

-|Returns face landmarks if they're specified in the detect call. | Does not return face landmarks. | Returns face landmarks if they're specified in the detect call.

-See the [Azure AI Face WPF](https://github.com/Azure-Samples/cognitive-services-dotnet-sdk-samples/tree/master/app-samples/Cognitive-Services-Face-WPF) app on GitHub for a working example of rotated face rectangles. Or, see the [Face HeadPose Sample](https://github.com/Azure-Samples/cognitive-services-dotnet-sdk-samples/tree/master/app-samples) app, which tracks the HeadPose attribute in real time to detect head movements.

-This guide shows you how to scale up from existing PersonGroup and FaceList objects to LargePersonGroup and LargeFaceList objects, respectively. PersonGroups can hold up to 1000 persons in the free tier and 10,000 in the paid tier, while LargePersonGroups can hold up to one million persons in the paid tier.

-This guide demonstrates the migration process. It assumes a basic familiarity with PersonGroup and FaceList objects, the [Train](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/599ae2d16ac60f11b48b5aa4) operation, and the face recognition functions. To learn more about these subjects, see the [face recognition](../concept-face-recognition.md) conceptual guide.

-LargePersonGroup and LargeFaceList are collectively referred to as large-scale operations. LargePersonGroup can contain up to 1 million persons, each with a maximum of 248 faces. LargeFaceList can contain up to 1 million faces. The large-scale operations are similar to the conventional PersonGroup and FaceList but have some differences because of the new architecture.

-> To enable Face search performance for Identification and FindSimilar in large scale, introduce a Train operation to preprocess the LargeFaceList and LargePersonGroup. The training time varies from seconds to about half an hour based on the actual capacity. During the training period, it's possible to perform Identification and FindSimilar if a successful training operating was done before. The drawback is that the new added persons and faces don't appear in the result until a new post migration to large-scale training is completed.

-This section focuses on how to migrate PersonGroup or FaceList implementation to LargePersonGroup or LargeFaceList. Although LargePersonGroup or LargeFaceList differs from PersonGroup or FaceList in design and internal implementation, the API interfaces are similar for backward compatibility.

-Data migration isn't supported. You re-create the LargePersonGroup or LargeFaceList instead.

-Migration from a PersonGroup to a LargePersonGroup is simple. They share exactly the same group-level operations.

-For PersonGroup- or person-related implementation, it's necessary to change only the API paths or SDK class/module to LargePersonGroup and LargePersonGroup Person.

-Add all of the faces and persons from the PersonGroup to the new LargePersonGroup. For more information, see [Add faces](add-faces.md).

-| FaceList APIs | LargeFaceList APIs |

-The preceding table is a comparison of list-level operations between FaceList and LargeFaceList. As is shown, LargeFaceList comes with new operations, Train and Get Training Status, when compared with FaceList. Training the LargeFaceList is a precondition of the

-[FindSimilar](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395237) operation. Training isn't required for FaceList. The following snippet is a helper function to wait for the training of a LargeFaceList:

-Previously, a typical use of FaceList with added faces and FindSimilar looked like the following:

-When migrating it to LargeFaceList, it becomes the following:

-As previously shown, the data management and the FindSimilar part are almost the same. The only exception is that a fresh preprocessing Train operation must complete in the LargeFaceList before FindSimilar works.

-Although the Train operation speeds up [FindSimilar](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395237)

-and [Identification](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395239), the training time suffers, especially when coming to large scale. The estimated training time in different scales is listed in the following table.

-As is shown in `TrainLargeFaceList()`, there's a time interval in milliseconds to delay the infinite training status checking process. For LargeFaceList with more faces, using a larger interval reduces the call counts and cost. Customize the time interval according to the expected capacity of the LargeFaceList.

-The same strategy also applies to LargePersonGroup. For example, when you train a LargePersonGroup with 1 million persons, `timeIntervalInMilliseconds` might be 60,000, which is a 1-minute interval.

-Persons or faces in a LargePersonGroup or a LargeFaceList are searchable only after being trained. In a dynamic scenario, new persons or faces are constantly added and must be immediately searchable, yet training might take longer than desired.

-To mitigate this problem, use an extra small-scale LargePersonGroup or LargeFaceList as a buffer only for the newly added entries. This buffer takes a shorter time to train because of the smaller size. The immediate search capability on this temporary buffer should work. Use this buffer in combination with training on the master LargePersonGroup or LargeFaceList by running the master training on a sparser interval. Examples are in the middle of the night and daily.

-1. Create a master LargePersonGroup or LargeFaceList, which is the master collection. Create a buffer LargePersonGroup or LargeFaceList, which is the buffer collection. The buffer collection is only for newly added persons or faces.

-1. Call Identification or FindSimilar against both the master collection and the buffer collection. Merge the results.

-1. When the buffer collection size increases to a threshold or at a system idle time, create a new buffer collection. Trigger the Train operation on the master collection.

-1. Delete the old buffer collection after the Train operation finishes on the master collection.

-If a relatively long latency is acceptable, it isn't necessary to trigger the Train operation right after you add new data. Instead, the Train operation can be split from the main logic and triggered regularly. This strategy is suitable for dynamic scenarios with acceptable latency. It can be applied to static scenarios to further reduce the Train frequency.

-Suppose there's a `TrainLargePersonGroup` function similar to `TrainLargeFaceList`. A typical implementation of the standalone training on a LargePersonGroup by invoking the [`Timer`](/dotnet/api/system.timers.timer) class in `System.Timers` is:

-In this guide, you learned how to migrate the existing PersonGroup or FaceList code, not data, to the LargePersonGroup or LargeFaceList:

-Follow a how-to guide to learn how to add faces to a PersonGroup or write a script to do the Identify operation on a PersonGroup.

-#

-In this guide, you'll learn how to improve the quality of your Custom Vision Service model. The quality of your [classifier](./getting-started-build-a-classifier.md) or [object detector](./get-started-build-detector.md) depends on the amount, quality, and variety of the labeled data you provide it and how balanced the overall dataset is. A good model has a balanced training dataset that is representative of what will be submitted to it. The process of building such a model is iterative; it's common to take a few rounds of training to reach expected results.

-> The Custom Vision Service supports some automatic negative image handling. For example, if you are building a grape vs. banana classifier and submit an image of a shoe for prediction, the classifier should score that image as close to 0% for both grape and banana.

-2. Hover over an image to see the tags that were predicted by the model. Images are sorted so that the ones that can bring the most improvements to the model are listed the top. To use a different sorting method, make a selection in the __Sort__ section.

-3. Then use the __Train__ button to retrain the model.

-After you've trained your model, you can test images programmatically by submitting them to the prediction API endpoint. In this guide, you'll learn how to call the prediction API to score an image. You'll learn the different ways you can configure the behavior of this API to meet your needs.

-> For extracting text from external images like labels, street signs, and posters, use the [Azure AI Vision v4.0 preview Read](../../ai-services/Computer-vision/concept-ocr.md) feature optimized for general, non-document images with a performance-enhanced synchronous API that makes it easier to embed OCR in your user experience scenarios.

-description: This article shows you how to create a new Immersive Reader resource with a custom subdomain and then configure Microsoft Entra ID in your Azure tenant.

-In this article, we provide a script that creates an Immersive Reader resource and configure Microsoft Entra authentication. Each time an Immersive Reader resource is created, whether with this script or in the portal, it must also be configured with Microsoft Entra permissions.

-The script is designed to create and configure all the necessary Immersive Reader and Microsoft Entra resources for you all in one step. However, you can also just configure Microsoft Entra authentication for an existing Immersive Reader resource, if for instance, you happen to have already created one in the Azure portal.

-For some customers, it may be necessary to create multiple Immersive Reader resources, for development vs. production, or perhaps for multiple different regions your service is deployed in. For those cases, you can come back and use the script multiple times to create different Immersive Reader resources and get them configured with the Microsoft Entra permissions.

-The script is designed to be flexible. It first looks for existing Immersive Reader and Microsoft Entra resources in your subscription, and creates them only as necessary if they don't already exist. If it's your first time creating an Immersive Reader resource, the script does everything you need. If you want to use it just to configure Microsoft Entra ID for an existing Immersive Reader resource that was created in the portal, it does that too.

-It can also be used to create and configure multiple Immersive Reader resources.

- :::image type="content" source="media/contributor-role.png" alt-text="Screenshot of contributor built-in role description.":::

- :::image type="content" source="media/application-developer-role.png" alt-text="{alt-text}":::

-For more information, _see_ [Microsoft Entra built-in roles](../../active-directory/roles/permissions-reference.md#application-developer)

-## Set up PowerShell environment

-1. Start by opening the [Azure Cloud Shell](../../cloud-shell/overview.md). Ensure that Cloud Shell is set to PowerShell in the upper-left hand dropdown or by typing `pwsh`.

- # Create an Azure Active Directory app if it doesn't already exist

- Write-Host "Creating new Azure Active Directory app"

- throw "Error: Failed to create Azure Active Directory application"

- Write-Host "Azure Active Directory application created successfully."

- throw "Error: Failed to create Azure Active Directory application client secret"

- Write-Host "Azure Active Directory application client secret created successfully."

- Write-Host "NOTE: To manage your Active Directory application client secrets after this Immersive Reader Resource has been created please visit https://portal.azure.com and go to Home -> Azure Active Directory -> App Registrations -> (your app) '$AADAppDisplayName' -> Certificates and Secrets blade -> Client Secrets section" -ForegroundColor Yellow

- # Grab the tenant ID, which is needed when obtaining an Azure AD token

- # Collect the information needed to obtain an Azure AD token into one object

- Write-Host "This function has created a client secret (password) for you. This secret is used when calling Azure Active Directory to fetch access tokens."

- Write-Host "This is the only time you will ever see the client secret for your Azure Active Directory application, so save it now." -ForegroundColor Yellow

- Write-Host "You will need to retrieve the ClientSecret from your original run of this function that created it. If you don't have it, you will need to go create a new client secret for your Azure Active Directory application. Please visit https://portal.azure.com and go to Home -> Azure Active Directory -> App Registrations -> (your app) '$AADAppDisplayName' -> Certificates and Secrets blade -> Client Secrets section." -ForegroundColor Yellow

- Create-ImmersiveReaderResource -SubscriptionName '<SUBSCRIPTION_NAME>' -ResourceName '<RESOURCE_NAME>' -ResourceSubdomain '<RESOURCE_SUBDOMAIN>' -ResourceSKU '<RESOURCE_SKU>' -ResourceLocation '<RESOURCE_LOCATION>' -ResourceGroupName '<RESOURCE_GROUP_NAME>' -ResourceGroupLocation '<RESOURCE_GROUP_LOCATION>' -AADAppDisplayName '<AAD_APP_DISPLAY_NAME>' -AADAppIdentifierUri '<AAD_APP_IDENTIFIER_URI>' -AADAppClientSecretExpiration '<AAD_APP_CLIENT_SECRET_EXPIRATION>'

- The full command looks something like the following. Here we have put each parameter on its own line for clarity, so you can see the whole command. __Do not copy or use this command as-is.__ Copy and use the command with your own values. This example has dummy values for the '<PARAMETER_VALUES>'. Yours may be different, as you come up with your own names for these values.

- | ResourceName | Must be alphanumeric, and may contain '-', as long as the '-' isn't the first or last character. Length may not exceed 63 characters.|

- | ResourceSubdomain |A custom subdomain is needed for your Immersive Reader resource. The subdomain is used by the SDK when calling the Immersive Reader service to launch the Reader. The subdomain must be globally unique. The subdomain must be alphanumeric, and may contain '-', as long as the '-' isn't the first or last character. Length may not exceed 63 characters. This parameter is optional if the resource already exists. |

- | ResourceSKU |Options: `S0` (Standard tier) or `S1` (Education/Nonprofit organizations). Visit our [Azure AI services pricing page](https://azure.microsoft.com/pricing/details/cognitive-services/immersive-reader/) to learn more about each available SKU. This parameter is optional if the resource already exists. |

- | AADAppClientSecretExpiration |The date or datetime after which your Microsoft Entra Application Client Secret (password) will expire (for example, '2020-12-31T11:59:59+00:00' or '2020-12-31'). This function creates a client secret for you. To manage Microsoft Entra application client secrets after you've created this resource, visit https://portal.azure.com and go to Home -> Microsoft Entra ID -> App Registrations -> (your app) `[AADAppDisplayName]` -> Certificates and Secrets section -> Client Secrets section (as shown in the "Manage your Microsoft Entra application secrets" screenshot).|

- Manage your Microsoft Entra application secrets

- 

-## Next steps

-* View the [Node.js quickstart](./quickstarts/client-libraries.md?pivots=programming-language-nodejs) to see what else you can do with the Immersive Reader SDK using Node.js

-* View the [Android tutorial](./how-to-launch-immersive-reader.md) to see what else you can do with the Immersive Reader SDK using Java or Kotlin for Android

-* View the [iOS tutorial](./how-to-launch-immersive-reader.md) to see what else you can do with the Immersive Reader SDK using Swift for iOS

-* View the [Python tutorial](./how-to-launch-immersive-reader.md) to see what else you can do with the Immersive Reader SDK using Python

-* Explore the [Immersive Reader SDK](https://github.com/microsoft/immersive-reader-sdk) and the [Immersive Reader SDK Reference](./reference.md)

-A native document refers to the file format used to create the original document such as Microsoft Word (docx) or a portable document file (pdf). Native document support eliminates the need for text preprocessing prior to using Azure AI Language resource capabilities. Currently, native document support is available for the following capabilities:

- Applications use native file formats to create, save, or open native documents. Currently **PII** and **Document summarization** capabilities supports the following native document formats:

- > Windows: `curl.exe -V`.

-* An active [**Azure account**](https://azure.microsoft.com/free/cognitive-services/). If you don't have one, you can [**create a free account**](https://azure.microsoft.com/free/).

-* [**Managed identity role-based access control (RBAC)**](managed-identities.md). Managed identities for Azure resources are service principals that create a Microsoft Entra identity and specific permissions for Azure managed resources

- "location": "{your-source-container-with-SAS-URL}"

- "excludePiiCategoriesredac" : ["PersonType", "Category2", "Category3"],

- "redactionPolicy": "UseEntityTypeName"

- "location":"{your-source-container-SAS-URL}"

-GET https://YOUR_RESOURCE_NAME.openai.azure.com/openai/threads{thread_id}?api-version=2024-02-15-preview

-| `metadata` | map | Set of 16 key-value pairs that can be attached to an object. This can be useful for storing additional information about the object in a structured format. Keys can be a maximum of 64 characters long and values can be a maximum of 512 characters long. |

-description: Learn about the options for how to use prompt engineering with GPT-3, GPT-35-Turbo, and GPT-4 models

-The **Completion API** supports the older GPT-3 models and has much more flexible input requirements in that it takes a string of text with no specific format rules. Technically the GPT-35-Turbo models can be used with either APIs, but we strongly recommend using the Chat Completion API for these models. To learn more, please consult our [in-depth guide on using these APIs](../how-to/chatgpt.md).

-> To use Vision enhancement, you need a Computer Vision resource. It must be in the paid (S0) tier and in the same Azure region as your GPT-4 Turbo with Vision resource.

-> In order to use the video prompt enhancement, you need both an Azure AI Vision resource and an Azure Video Indexer resource, in the paid (S0) tier, in addition to your Azure OpenAI resource.

-#### Azure Government regions

-The following GPT-3 models are available with [Azure Government](/azure/azure-government/documentation-government-welcome):

-|Model ID | Model Availability |

-|--|--|

-|`gpt-35-turbo` (1106) |US Gov Virginia<br>US Gov Arizona |

-> To use Vision enhancement, you need a Computer Vision resource. It must be in the paid (S0) tier and in the same Azure region as your GPT-4 Turbo with Vision resource.

-> To use Vision enhancement, you need an Azure AI Vision resource. It must be in the paid (S0) tier and in the same Azure region as your GPT-4 Turbo with Vision resource.

-description: Learn how to use the Codex models on Azure OpenAI to handle a variety of coding tasks

-If you want Codex to create a webpage, placing the first line of code in an HTML document (`<!DOCTYPE html>`) after your comment tells Codex what it should do next. The same method works for creating a function from a comment (following the comment with a new line starting with func or def).

-Setting the API temperature to 0, or close to zero (such as 0.1 or 0.2) tends to give better results in most cases. Unlike GPT-3 models, where a higher temperature can provide useful creative and random results, higher temperatures with Codex models may give you really random or erratic responses.

-# ms.devlang: cpp, csharp

-# ms.devlang: cpp, csharp, golang, java, javascript, objective-c, python

-# ms.devlang: cpp, csharp, java, javascript, python

-> LUIS will be retired on October 1st 2025 and starting April 1st 2023 you will not be able to create new LUIS resources. We recommend [migrating your LUIS applications](../language-service/conversational-language-understanding/how-to/migrate-from-luis.md) to [conversational language understanding](../language-service/conversational-language-understanding/overview.md) to benefit from continued product support and multilingual capabilities.

-# ms.devlang: cpp, csharp, javascript

-> LUIS will be retired on October 1st 2025 and starting April 1st 2023 you will not be able to create new LUIS resources. We recommend [migrating your LUIS applications](../language-service/conversational-language-understanding/how-to/migrate-from-luis.md) to [conversational language understanding](../language-service/conversational-language-understanding/overview.md) to benefit from continued product support and multilingual capabilities.

-| 4.5.0 | `mcr.microsoft.com/azure-cognitive-services/speechservices/custom-speech-to-text:4.5.0-amd64` |

-| [Speech to text](speech-container-stt.md) | Transcribes continuous real-time speech or batch audio recordings with intermediate results. | Latest: 4.5.0<br/><br/>For all supported versions and locales, see the [Microsoft Container Registry (MCR)](https://mcr.microsoft.com/product/azure-cognitive-services/speechservices/speech-to-text/tags) and [JSON tags](https://mcr.microsoft.com/v2/azure-cognitive-services/speechservices/speech-to-text/tags/list).|

-| [Custom speech to text](speech-container-cstt.md) | Using a custom model from the [custom speech portal](https://speech.microsoft.com/customspeech), transcribes continuous real-time speech or batch audio recordings into text with intermediate results. | Latest: 4.5.0<br/><br/>For all supported versions and locales, see the [Microsoft Container Registry (MCR)](https://mcr.microsoft.com/product/azure-cognitive-services/speechservices/custom-speech-to-text/tags) and [JSON tags](https://mcr.microsoft.com/v2/azure-cognitive-services/speechservices/speech-to-text/tags/list). |

-| 4.5.0 | `mcr.microsoft.com/azure-cognitive-services/speechservices/speech-to-text:4.5.0-amd64-mr-in` |

-**Translation - Cloud:** Cloud translation is available in all languages for the Translate operation of Text Translation and for Document Translation.

-**Dictionary:** Use the [Dictionary Lookup](reference/v3-0-dictionary-lookup.md) or [Dictionary Examples](reference/v3-0-dictionary-examples.md) operations from the Text Translation feature to display alternative translations from or to English and examples of words in context.

-|Afrikaans|af|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Albanian|sq|Γ£ö|Γ£ö| |Γ£ö| |

-|Amharic|am|Γ£ö|Γ£ö| |Γ£ö| |

-|Arabic|ar|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Armenian|hy|Γ£ö|Γ£ö| |Γ£ö| |

-|Assamese|as|Γ£ö|Γ£ö|Γ£ö|Γ£ö| |

-|Azerbaijani (Latin)|az|Γ£ö|Γ£ö| |Γ£ö| |

-|Bangla|bn|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Bashkir|ba|Γ£ö|Γ£ö| |Γ£ö| |

-|Basque|eu|Γ£ö|Γ£ö| |Γ£ö| |

-|Bhojpuri|bho|Γ£ö|Γ£ö | | | |

-|Bosnian (Latin)|bs|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Bulgarian|bg|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Cantonese (Traditional)|yue|Γ£ö|Γ£ö| |Γ£ö| |

-|Catalan|ca|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Chinese (Literary)|lzh|Γ£ö|Γ£ö| | | |

-|Chinese Simplified|zh-Hans|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Chinese Traditional|zh-Hant|Γ£ö|Γ£ö|Γ£ö|Γ£ö| |

-|chiShona|sn|Γ£ö|Γ£ö| | | |

-|Croatian|hr|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Czech|cs|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Danish|da|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Dari|prs|Γ£ö|Γ£ö| |Γ£ö| |

-|Divehi|dv|Γ£ö|Γ£ö| |Γ£ö| |

-|Dogri|doi|Γ£ö| | | | |

-|Dutch|nl|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|English|en|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Estonian|et|Γ£ö|Γ£ö|Γ£ö|Γ£ö| |

-|Faroese|fo|Γ£ö|Γ£ö| |Γ£ö| |

-|Fijian|fj|Γ£ö|Γ£ö|Γ£ö|Γ£ö| |

-|Filipino|fil|Γ£ö|Γ£ö|Γ£ö| | |

-|Finnish|fi|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|French|fr|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|French (Canada)|fr-ca|Γ£ö|Γ£ö| | | |

-|Galician|gl|Γ£ö|Γ£ö| |Γ£ö| |

-|Georgian|ka|Γ£ö|Γ£ö| |Γ£ö| |

-|German|de|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Greek|el|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Gujarati|gu|Γ£ö|Γ£ö|Γ£ö|Γ£ö| |

-|Haitian Creole|ht|Γ£ö|Γ£ö| |Γ£ö|Γ£ö|

-|Hausa|ha|Γ£ö|Γ£ö| |Γ£ö| |

-|Hebrew|he|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Hindi|hi|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Hmong Daw (Latin)|mww|Γ£ö|Γ£ö| |Γ£ö|Γ£ö|

-|Hungarian|hu|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Icelandic|is|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Igbo|ig|Γ£ö|Γ£ö| |Γ£ö| |

-|Indonesian|id|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Inuinnaqtun|ikt|Γ£ö|Γ£ö| | | |

-|Inuktitut|iu|Γ£ö|Γ£ö|Γ£ö|Γ£ö| |

-|Inuktitut (Latin)|iu-Latn|Γ£ö|Γ£ö| |Γ£ö| |

-|Irish|ga|Γ£ö|Γ£ö|Γ£ö|Γ£ö| |

-|Italian|it|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Japanese|ja|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Kannada|kn|Γ£ö|Γ£ö|Γ£ö|Γ£ö| |

-|Kashmiri|ks|Γ£ö|Γ£ö | | | |

-|Kazakh|kk|Γ£ö|Γ£ö| |Γ£ö| |

-|Khmer|km|Γ£ö|Γ£ö| |Γ£ö| |

-|Kinyarwanda|rw|Γ£ö|Γ£ö| |Γ£ö| |

-|Klingon|tlh-Latn|Γ£ö| | |Γ£ö|Γ£ö|

-|Klingon (plqaD)|tlh-Piqd|Γ£ö| | |Γ£ö| |

-|Konkani|gom|Γ£ö|Γ£ö| | | |

-|Korean|ko|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Kurdish (Central)|ku|Γ£ö|Γ£ö| |Γ£ö| |

-|Kurdish (Northern)|kmr|Γ£ö|Γ£ö| | | |

-|Kyrgyz (Cyrillic)|ky|Γ£ö|Γ£ö| |Γ£ö| |

-|Lao|lo|Γ£ö|Γ£ö| |Γ£ö| |

-|Latvian|lv|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Lithuanian|lt|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Lingala|ln|Γ£ö|Γ£ö| | | |

-|Lower Sorbian|dsb|Γ£ö| | | | |

-|Luganda|lug|Γ£ö|Γ£ö| | | |

-|Macedonian|mk|Γ£ö|Γ£ö| |Γ£ö| |

-|Maithili|mai|Γ£ö|Γ£ö| | | |

-|Malagasy|mg|Γ£ö|Γ£ö|Γ£ö|Γ£ö| |

-|Malay (Latin)|ms|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Malayalam|ml|Γ£ö|Γ£ö|Γ£ö|Γ£ö| |

-|Maltese|mt|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Maori|mi|Γ£ö|Γ£ö|Γ£ö|Γ£ö| |

-|Marathi|mr|Γ£ö|Γ£ö|Γ£ö|Γ£ö| |

-|Mongolian (Cyrillic)|mn-Cyrl|Γ£ö|Γ£ö| |Γ£ö| |

-|Mongolian (Traditional)|mn-Mong|Γ£ö|Γ£ö| | | |

-|Myanmar|my|Γ£ö|Γ£ö| |Γ£ö| |

-|Nepali|ne|Γ£ö|Γ£ö| |Γ£ö| |

-|Norwegian|nb|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Nyanja|nya|Γ£ö|Γ£ö| | | |

-|Odia|or|Γ£ö|Γ£ö|Γ£ö|Γ£ö| |

-|Pashto|ps|Γ£ö|Γ£ö| |Γ£ö| |

-|Persian|fa|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Polish|pl|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Portuguese (Brazil)|pt|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Portuguese (Portugal)|pt-pt|Γ£ö|Γ£ö| | | |

-|Punjabi|pa|Γ£ö|Γ£ö|Γ£ö|Γ£ö| |

-|Queretaro Otomi|otq|Γ£ö|Γ£ö| |Γ£ö| |

-|Romanian|ro|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Rundi|run|Γ£ö|Γ£ö| | | |

-|Russian|ru|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Samoan (Latin)|sm|Γ£ö|Γ£ö|Γ£ö|Γ£ö| |

-|Serbian (Cyrillic)|sr-Cyrl|Γ£ö|Γ£ö| |Γ£ö| |

-|Serbian (Latin)|sr-Latn|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Sesotho|st|Γ£ö|Γ£ö| | | |

-|Sesotho sa Leboa|nso|Γ£ö|Γ£ö| | | |

-|Setswana|tn|Γ£ö|Γ£ö| | | |

-|Sindhi|sd|Γ£ö|Γ£ö| |Γ£ö| |

-|Sinhala|si|Γ£ö|Γ£ö| |Γ£ö| |

-|Slovak|sk|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Slovenian|sl|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Somali (Arabic)|so|Γ£ö|Γ£ö| |Γ£ö| |

-|Spanish|es|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Swahili (Latin)|sw|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Swedish|sv|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Tahitian|ty|Γ£ö|Γ£ö|Γ£ö|Γ£ö| |

-|Tamil|ta|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Tatar (Latin)|tt|Γ£ö|Γ£ö| |Γ£ö| |

-|Telugu|te|Γ£ö|Γ£ö|Γ£ö|Γ£ö| |

-|Thai|th|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Tibetan|bo|Γ£ö|Γ£ö| |Γ£ö| |

-|Tigrinya|ti|Γ£ö|Γ£ö| |Γ£ö| |

-|Tongan|to|Γ£ö|Γ£ö|Γ£ö|Γ£ö| |

-|Turkish|tr|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Turkmen (Latin)|tk|Γ£ö|Γ£ö| |Γ£ö| |

-|Ukrainian|uk|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Upper Sorbian|hsb|Γ£ö|Γ£ö| |Γ£ö| |

-|Urdu|ur|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Uyghur (Arabic)|ug|Γ£ö|Γ£ö| |Γ£ö| |

-|Uzbek (Latin)|uz|Γ£ö|Γ£ö| |Γ£ö| |

-|Vietnamese|vi|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Welsh|cy|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

-|Xhosa|xh|Γ£ö|Γ£ö| |Γ£ö| |

-|Yoruba|yo|Γ£ö|Γ£ö| |Γ£ö| |

-|Yucatec Maya|yua|Γ£ö|Γ£ö| |Γ£ö| |

-|Zulu|zu|Γ£ö|Γ£ö| |Γ£ö| |

-|Amharic|`am`|No|No|

-|Armenian|`hy`|No|No|

-|Assamese|`as`|No|No|

-|Bangla|`bn`|No|No|

-|Bashkir|`ba`|No|Yes|

-|Cantonese (Traditional)|`yue`|No|Yes|

-|Chinese (Literary)|`lzh`|No|Yes|

-|Dari|`prs`|No|No|

-|Divehi|`dv`|No|No|

-|Georgian|`ka`|No|No|

-|Greek|`el`|No|No|

-|Gujarati|`gu`|No|No|

-|Hebrew|`he`|No|No|

-|Inuinnaqtun|`ikt`|No|Yes|

-|Inuktitut|`iu`|No|No|

-|Kannada|`kn`|No|Yes|

-|Khmer|`km`|No|No|

-|Klingon|`tlh-Latn`|No|No|

-|Klingon (plqaD)|`tlh-Piqd`|No|No|

-|Kurdish (Arabic) (Central)|`ku-arab`,`ku`|No|No|

-|Lao|`lo`|No|No|

-|Latvian|`lv`|No|Yes|

-|Macedonian|`mk`|No|Yes|

-|Malagasy|`mg`|No|Yes|

-|Malayalam|`ml`|No|Yes|

-|Mongolian (Traditional)|`mn-Mong`|No|No|

-|Myanmar (Burmese)|`my`|No|No|

-|Odia|`or`|No|No|

-|Pashto|`ps`|No|No|

-|Persian|`fa`|No|No|

-|Punjabi|`pa`|No|Yes|

-|Queretaro Otomi|`otq`|No|Yes|

-|Serbian (Cyrillic)|`sr-Cyrl`|No|Yes|

-|Somali|`so`|No|Yes|

-|Tahitian|`ty`|No|Yes|

-|Tamil|`ta`|No|Yes|

-|Telugu|`te`|No|Yes|

-|Thai|`th`|No|No|

-|Tibetan|`bo`|No|No|

-|Tigrinya|`ti`|No|No|

-|Ukrainian|`uk`|No|Yes|

-|Urdu|`ur`|No|No|

-|Uyghur (Arabic)|`ug`|No|No|

-|Vietnamese|`vi`|No|Yes|

-Use this article to learn how to develop Azure AI services applications securely by using [Azure Key Vault](../key-vault/general/overview.md).

-Key Vault reduces the chances that secrets may be accidentally leaked, because you won't store security information in your application.

-Only the Owner and Contributor roles allow you to make an Azure AI hub resource. At this time, custom roles won't grant you permission to make Azure AI hub resources.

-When a user gets access to a project, two more roles are automatically assigned to the project user. The first role is Reader on the Azure AI hub resource. The second role is the Inference Deployment Operator role, which allows the user to create deployments on the resource group that the project is in. This role is composed of these two permissions: ```"Microsoft.Authorization/*/read"``` and ```"Microsoft.Resources/deployments/*"```.

-Below is an example of how to set up role-based access control for your Azure AI Studio for an enterprise.

-| Managers | Contributor or Azure AI Developer on the Azure AI hub resource | Managers can create projects for their team and create shared resources (ex: compute and connections) for their group at the Azure AI hub resource level. |

-| Managers | Owner of the Azure AI Project | When managers create a project, they become the project owner. This allows them to add their team/developers to the project. Their team/developers can be added as Contributors or Azure AI Developers to allow them to develop in the project. |

-The Llama 2 family of large language models (LLMs) is a collection of pretrained and fine-tuned generative text models ranging in scale from 7 billion to 70 billion parameters. The model family also includes fine-tuned versions optimized for dialogue use cases with Reinforcement Learning from Human Feedback (RLHF), called Llama-2-chat.

-Llama 2 can be deployed as a service with pay-as-you-go billing or with hosted infrastructure in real-time endpoints.

-Llama 2 models deployed as a service with pay-as-you-go are offered by Meta AI through the Azure Marketplace and they might add more terms of use and pricing.

-> [!NOTE]

-> Pay-as-you-go offering is only available in projects created in East US 2 and West US 3 regions.

-### Offerings

-The following models are available for Llama 2 when deployed as a service with pay-as-you-go:

-### Create a new deployment

-To create a deployment:

-1. Choose a model you want to deploy from the Azure AI Studio [model catalog](../how-to/model-catalog.md). Alternatively, you can initiate deployment by selecting **+ Create** from the **Deployments** options in the **Build** tab of your project.

-1. On the detail page, select **Deploy** and then **Pay-as-you-go**.

- :::image type="content" source="../media/deploy-monitor/llama/deploy-pay-as-you-go.png" alt-text="A screenshot showing how to deploy a model with the pay-as-you-go option." lightbox="../media/deploy-monitor/llama/deploy-pay-as-you-go.png":::

-1. Select the project where you want to create a deployment.

-1. On the deployment wizard, you see the option to explore the more terms and conditions applied to the selected model and its pricing. Select **Azure Marketplace Terms** to learn about it.

- :::image type="content" source="../media/deploy-monitor/llama/deploy-marketplace-terms.png" alt-text="A screenshot showing the terms and conditions of a given model." lightbox="../media/deploy-monitor/llama/deploy-marketplace-terms.png":::

-1. If this is the first time you deployed the model in the project, you have to sign up your project for the particular offering from the Azure Marketplace. Each project has its own connection to the marketplace's offering, which, allows you to control and monitor spending per project. Select **Subscribe and Deploy**.

- > [!NOTE]

- > Subscribing a project to a particular offering from the Azure Marketplace requires **Contributor** or **Owner** access at the subscription level where the project is created.

-1. Once you sign up the project for the offering, subsequent deployments don't require signing up (neither subscription-level permissions). If this is your case, select **Continue to deploy**.

- :::image type="content" source="../media/deploy-monitor/llama/deploy-pay-as-you-go-project.png" alt-text="A screenshot showing a project that is already subscribed to the offering." lightbox="../media/deploy-monitor/llama/deploy-pay-as-you-go-project.png":::

-1. Give the deployment a name. Such name is part of the deployment API URL, which requires to be unique on each Azure region.

- :::image type="content" source="../media/deploy-monitor/llama/deployment-name.png" alt-text="A screenshot showing how to indicate the name of the deployment you want to create." lightbox="../media/deploy-monitor/llama/deployment-name.png":::

-1. Select **Deploy**.

-1. Once the deployment is ready, you're redirected to the deployments page.

-1. Once your deployment is ready, you can select **Open in playground** to start interacting with the model.

-1. You can also take note of the **Endpoint** URL and the **Secret** to call the deployment and generate completions.

-1. Additionally, you can find the deployment details, URL, and access keys navigating to the tab **Build** > **Components** > **Deployments**.

-Models deployed as a service can be consumed using either the chat or the completions API, depending on the type of model you have deployed.

-1. Select **View code** and copy the **Endpoint** URL and the **Key** token values.

-1. Make an API request depending on the type of model you deployed. For completions models such as `Llama-2-7b` use the [`/v1/completions`](#completions-api) API, for chat models such as `Llama-2-7b-chat` use the [`/v1/chat/completions`](#chat-api) API. See the [reference](#reference-for-llama-2-models-deployed-as-a-service) section for more details with examples.

-| `prompt` | `string` | No default. This must be specified. | The prompt to send to the model. |

-| `top_p` | `float` | `1` | An alternative to sampling with temperature, called nucleus sampling, where the model considers the results of the tokens with `top_p` probability mass. So 0.1 means only the tokens comprising the top 10% probability mass are considered. We generally recommend altering it or `temperature` but not both. |

-| `temperature` | `float` | `1` | The sampling temperature to use, between 0 and 2. Higher values mean the model samples more broadly the distribution of tokens. Zero means greedy sampling. It's recommend altering this or `top_p` but not both. |

-| `n` | `integer` | `1` | How many completions to generate for each prompt. Note: Because this parameter generates many completions, it can quickly consume your token quota. |

-| `best_of` | `integer` | `1` | Generates best_of completions server-side and returns the "best" (the one with the lowest log probability per token). Results can't be streamed. When used with n, best_of controls the number of candidate completions and n specifies how many to return ΓÇô best_of must be greater than n. Note: Because this parameter generates many completions, it can quickly consume your token quota.|

-| `logprobs` | `integer` | `null` | A number indicating to include the log probabilities on the logprobs most likely tokens, as well the chosen tokens. For example, if logprobs is 10, the API returns a list of the 10 most likely tokens. the API always returns the logprob of the sampled token, so there might be up to logprobs+1 elements in the response. |

-| `use_beam_search` | `boolean` | `False` | Whether to use beam search instead of sampling. In such case, `best_of must > 1` and `temperature` must be `0`. |

-| `stop_token_ids` | `array` | `null` | List of tokens' ID that stops the generation when they're generated. The returned output contains the stop tokens unless the stop tokens are special tokens. |

-| `object` | `string` | The object type, which is always "text_completion". |

-> In the streaming mode, for each chunk of response, `finish_reason` is always `null`, except from the last one which is terminated by a payload `[DONE]`.

-The `choice` object is a dictionary with the following fields.

-| `index` | `integer` | Choice index. When best_of > 1, the index in this array might not be in order and might not be 0 to n-1. |

-| `finish_reason` | `string` | The reason the model stopped generating tokens: `stop`, model hit a natural stop point, or a provided stop sequence; `length`, if max number of tokens have been reached; `content_filter`, When RAI moderates and CMP forces moderation; `content_filter_error`, an error during moderation and wasn't able to make decision on the response; `null`, API response still in progress or incomplete. |

-

-| `token_logprobs` | `array` of `float` | Selected logprobs from dictionary in top_logprobs array |

-| `tokens` | `array` of `string` | Selected tokens |

-| `messages` | `string` | No default. This must be specified. | The message or history of messages to prompt the model with. |

-| `top_p` | `float` | `1` | An alternative to sampling with temperature, called nucleus sampling, where the model considers the results of the tokens with `top_p` probability mass. So 0.1 means only the tokens comprising the top 10% probability mass are considered. We generally recommend altering it or `temperature` but not both. |

-| `temperature` | `float` | `1` | The sampling temperature to use, between 0 and 2. Higher values mean the model samples more broadly the distribution of tokens. Zero means greedy sampling. It's recommend altering this or `top_p` but not both. |

-| `n` | `integer` | `1` | How many completions to generate for each prompt. Note: Because this parameter generates many completions, it can quickly consume your token quota. |

-| `best_of` | `integer` | `1` | Generates best_of completions server-side and returns the "best" (the one with the lowest log probability per token). Results can't be streamed. When used with n, best_of controls the number of candidate completions and n specifies how many to return ΓÇô best_of must be greater than n. Note: Because this parameter generates many completions, it can quickly consume your token quota.|

-| `logprobs` | `integer` | `null` | A number indicating to include the log probabilities on the logprobs most likely tokens, as well the chosen tokens. For example, if logprobs is 10, the API returns a list of the 10 most likely tokens. the API will always return the logprob of the sampled token, so there might be up to logprobs+1 elements in the response. |

-| `use_beam_search` | `boolean` | `False` | Whether to use beam search instead of sampling. In such case, `best_of must > 1` and `temperature` must be `0`. |

-| `stop_token_ids` | `array` | `null` | List of token IDs that stop the generation when they are generated. The returned output contains the stop tokens unless the stop tokens are special tokens. |

-The `message` object has the following fields:

-| `object` | `string` | The object type, which is always "chat.completion". |

-> In the streaming mode, for each chunk of response, `finish_reason` is always `null`, except from the last one which is terminated by a payload `[DONE]`. In each `choice` object, the key for `message` is changed by `delta`.

-The `choice` object is a dictionary with the following fields.

-| `index` | `integer` | Choice index. When best_of > 1, the index in this array might not be in order and might not be 0 to n-1. |

-| `message` or `delta` | `string` | Chat completion result in `message` object. When streaming mode is used, `delta` key is used. |

-| `finish_reason` | `string` | The reason the model stopped generating tokens: `stop`, model hit a natural stop point, or a provided stop sequence; `length`, if max number of tokens have been reached; `content_filter`, When RAI moderates and CMP forces moderation; `content_filter_error`, an error during moderation and wasn't able to make decision on the response; `null`, API response still in progress or incomplete. |

-

-| `token_logprobs` | `array` of `float` | Selected logprobs from dictionary in top_logprobs array |

-| `tokens` | `array` of `string` | Selected tokens |

-Llama 2 models can be deployed to real-time endpoints in AI Studio. When deployed to real-time endpoints, you can select all the details about on the infrastructure running the model including the virtual machines used to run it and the number of instances to handle the load you're expecting. Models deployed in this modality consume quota from your subscription. All the models in the Llama family can be deployed to real-time endpoints.

-Follow the steps below to deploy a model such as `Llama-2-7b-chat` to a real-time endpoint in [Azure AI Studio](https://ai.azure.com).

-1. Choose a model you want to deploy from AI Studio [model catalog](./model-catalog.md). Alternatively, you can initiate deployment by selecting **Create** from `your project`>`deployments`

-1. On the detail page, select **Deploy** and then **Real-time endpoint**.

-1. Select if you want to enable **Azure AI Content Safety (preview)**.

- > [!TIP]

- > Deploying Llama 2 models with Azure AI Content Safety (preview) is currently only supported using the Python SDK.

-1. Select **Proceed**.

-

-1. Select the project where you want to create a deployment.

- > If you don't have enough quota available in the selected project, you can use the option **I want to use shared quota and I acknowledge that this endpoint will be deleted in 168 hours**.

-1. Select the **Virtual machine** and the instance count you want to assign to the deployment.

-1. Select if you want to create this deployment as part of a new endpoint or an existing one. Endpoints can host multiple deployments while keeping resources configuration exclusive for each of them. Deployments under the same endpoint share the endpoint URI and its access keys.

-1. Select **Deploy**.

-1. You land on the deployment details page. Select **Consume** to obtain code samples that can be used to consume the deployed model in your application.

-You can use the Azure AI Generative SDK to deploy an open model. In this example, you deploy a `Llama-2-7b-chat` model.

-```python

-# Import the libraries

-from azure.ai.resources.client import AIClient

-from azure.ai.resources.entities.deployment import Deployment

-from azure.ai.resources.entities.models import PromptflowModel

-from azure.identity import DefaultAzureCredential

-```

-Credential info can be found under your project settings on Azure AI Studio. You can go to Settings by selecting the gear icon on the bottom of the left navigation UI.

-```python

-credential = DefaultAzureCredential()

-client = AIClient(

- credential=credential,

- subscription_id="<xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx>",

- resource_group_name="<YOUR_RESOURCE_GROUP_NAME>",

- project_name="<YOUR_PROJECT_NAME>",

-)

-```

-Define the model and the deployment. `The model_id` can be found on the model card in the Azure AI Studio [model catalog](../how-to/model-catalog.md).

-```python

-model_id = "azureml://registries/azureml/models/Llama-2-7b-chat/versions/12"

-deployment_name = "my-llam27bchat-deployment"

-deployment = Deployment(

- name=deployment_name,

- model=model_id,

-)

-```

-Deploy the model.

-```python

-client.deployments.create_or_update(deployment)

-```

-### Consuming Llama 2 models deployed to real-time endpoints

-For reference about how to invoke Llama 2 models deployed to real-time endpoints, see the model card in the Azure AI Studio [model catalog](../how-to/model-catalog.md).

-Each time a project subscribes to a given offer from the Azure Marketplace, a new resource is created to track the costs associated with its consumption. The same resource is used to track costs associated with inference and fine tuning, However, multiple meters are available to track each scenario independently.

-See [monitor costs for models offered throughout the Azure Marketplace](./costs-plan-manage.md#monitor-costs-for-models-offered-through-the-azure-marketplace) to learn more about how to track costs.

-Quota is managed per deployment. Each deployment has a rate limit of 200,000 tokens per minute and 1,000 API requests per minute. However, we currently limit one deployment per model per project. Contact Microsoft Azure Support if the current rate limits don't suffice your scenarios.

-Deploying Llama models and inferencing with real-time endpoints can be done by consuming Virtual Machine (VM) core quota that is assigned to your subscription a per-region basis. When you sign up for Azure AI Studio, you receive a default VM quota for several VM families available in the region. You can continue to create deployments until you reach your quota limit. Once that happens, you can request for quota increase.

-Models deployed as a service with pay-as-you-go are protected by Azure AI Content Safety. When deployed to real-time endpoints, you can opt out for this capability. Both the prompt and completion are run through an ensemble of classification models aimed at detecting and preventing the output of harmful content. The content filtering system detects and takes action on specific categories of potentially harmful content in both input prompts and output completions. Learn more about [Azure AI Content Safety](../concepts/content-filtering.md).

-# Managed nginx Ingress with the application routing add-on

-One way to route Hypertext Transfer Protocol (HTTP) and secure (HTTPS) traffic to applications running on an Azure Kubernetes Service (AKS) cluster is to use the [Kubernetes Ingress object][kubernetes-ingress-object-overview]. When you create an Ingress object that uses the application routing add-on nginx Ingress classes, the add-on creates, configures, and manages one or more Ingress controllers in your AKS cluster.

-## Application routing add-on with nginx features

-The application routing add-on with nginx delivers the following:

-* Easy configuration of managed nginx Ingress controllers based on [Kubernetes nginx Ingress controller][kubernetes-nginx-ingress].

-* **open-service-mesh**: If you require encrypted intra cluster traffic (recommended) between the nginx Ingress and your services, the Open Service Mesh add-on is required which provides mutual TLS (mTLS).

-### Create the Ingress

-### Create the Ingress

-* This article assumes you have an existing AKS cluster. If you need an AKS cluster, you can create one using [Azure CLI][aks-quickstart-cli], [Azure PowerShell][aks-quickstart-powershell], or [Azure portal][aks-quickstart-portal].

- > [!IMPORTANT]

- > Your AKS cluster must be [in a region that supports Azure HPC Cache][hpc-cache-regions].

-* You need Azure CLI version 2.7 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli]. For more information on using HPC Cache with Azure CLI, see the [HPC Cache CLI prerequisites][hpc-cache-cli-prerequisites].

-* Install the `hpc-cache` Azure CLI extension using the [`az extension add --upgrade -n hpc-cache][az-extension-add]` command.

-* Review the [HPC Cache prerequisites][hpc-cache-prereqs]. You need to satisfy these prerequisites before you can run an HPC Cache. Important prerequisites include the following:

-2. Create the dedicated HPC Cache subnet using the [`az network vnet subnet create`][az-network-vnet-subnet-create] command.

-3. Register the *Microsoft.StorageCache* resource provider using the [`az provider register`][az-provider-register] command.

- ```azurecli

- az provider register --namespace Microsoft.StorageCache --wait

- > [!NOTE]

- > The resource provider registration can take some time to complete.

-4. Create an HPC Cache in the same node resource group and region using the [`az hpc-cache create`][az-hpc-cache-create].

- > [!NOTE]

- > The HPC Cache takes approximately 20 minutes to be created.

- ```azurecli

- RESOURCE_GROUP=MC_myResourceGroup_myAKSCluster_eastus

- VNET_NAME=$(az network vnet list --resource-group $RESOURCE_GROUP --query [].name -o tsv)

- VNET_ID=$(az network vnet show --resource-group $RESOURCE_GROUP --name $VNET_NAME --query "id" -o tsv)

- SUBNET_NAME=MyHpcCacheSubnet

- SUBNET_ID=$(az network vnet subnet show --resource-group $RESOURCE_GROUP --vnet-name $VNET_NAME --name $SUBNET_NAME --query "id" -o tsv)

-> [!IMPORTANT]

-> You need to select a unique storage account name. Replace `uniquestorageaccount` with something unique for you. Storage account names must be *between 3 and 24 characters in length* and *can contain only numbers and lowercase letters*.

-1. Create a storage account using the [`az storage account create`][az-storage-account-create] command.

- ```azurecli

- RESOURCE_GROUP=MC_myResourceGroup_myAKSCluster_eastus

- STORAGE_ACCOUNT_NAME=uniquestorageaccount

- -n $STORAGE_ACCOUNT_NAME \

- -g $RESOURCE_GROUP \

- -l eastus \

-2. Assign the "Storage Blob Data Contributor Role" on your subscription using the [`az role assignment create`][az-role-assignment-create] command.

- ```azurecli

- STORAGE_ACCOUNT_NAME=uniquestorageaccount

- CONTAINER_NAME=mystoragecontainer

-3. Create the Blob container within the storage account using the [`az storage container create`][az-storage-container-create] command.

-4. Provide permissions to the Azure HPC Cache service account to access your storage account and Blob container using the following [`az role assignment`][az-role-assignment-create] commands.

-5. Add the blob container to your HPC Cache as a storage target using the [`az hpc-cache blob-storage-target add`][az-hpc-cache-blob-storage-target-add] command.

- ```azurecli

- CONTAINER_NAME=mystoragecontainer

-1. Create an Azure Private DNS Zone for the client-facing IP addresses using the [`az network private-dns zone create`][az-network-private-dns-zone-create] command.

- -g $RESOURCE_GROUP \

- -n $PRIVATE_DNS_ZONE

-2. Create a DNS link between the Azure Private DNS Zone and the VNet using the [`az network private-dns link vnet create`][az-network-private-dns-link-vnet-create] command.

- ```azurecli

- -g $RESOURCE_GROUP \

- -n MyDNSLink \

- -z $PRIVATE_DNS_ZONE \

- -v $VNET_NAME \

- -e true

-3. Create the round-robin DNS name for the client-facing IP addresses using the [`az network private-dns record-set a create`][az-network-private-dns-record-set-a-create] command.

-1. Create a `pv-nfs.yaml` file to define a [persistent volume][persistent-volume].

-2. Get the credentials for your Kubernetes cluster using the [`az aks get-credentials`][az-aks-get-credentials] command.

-3. Update the *server* and *path* to the values of your NFS (Network File System) volume you created in the previous step.

-4. Create the persistent volume using the [`kubectl apply`][kubectl-apply] command.

- ```console

-5. Verify the status of the persistent volume is **Available** using the [`kubectl describe`][kubectl-describe] command.

- ```console

-1. Create a `pvc-nfs.yaml` to define a [persistent volume claim][persistent-volume-claim].

- ```console

- ```console

-1. Create a `nginx-nfs.yaml` file to define a pod that uses the persistent volume claim.

- ```console

- ```console

-4. Verify your volume is mounted in the pod using the [`kubectl exec`][kubectl-exec] command to connect to the pod, then `df -h` to check if the volume is mounted.

- ```console

- / # df -h

-## Frequently asked questions (FAQ)

-### Running applications as non-root

-If you need to run an application as a non-root user, you may need to disable root squashing to chown a directory to another user. The non-root user needs to own a directory to access the file system. For the user to own a directory, the root user must chown a directory to that user, but if the HPC Cache is squashing root, this operation is denied because the root user (UID 0) is being mapped to the anonymous user. For more information about root squashing and client access policies, see [HPC Cache access policies][hpc-cache-access-policies].

-[aks-quickstart-cli]: ./learn/quick-kubernetes-deploy-cli.md

-[aks-quickstart-portal]: ./learn/quick-kubernetes-deploy-portal.md

-[aks-quickstart-powershell]: ./learn/quick-kubernetes-deploy-powershell.md

-[hpc-cache-regions]: https://azure.microsoft.com/global-infrastructure/services/?products=hpc-cache&regions=all

-[kubectl-apply]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply

-[kubectl-describe]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#describe

-[kubectl-exec]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#exec

-[az-network-private-dns-record-set-a-create]: /cli/azure/network/private-dns/record-set/a#az_network_private_dns_record_set_a_create

- * For Linux node pools, the length must be between 1-11 characters.

-[az-extension-add]: /cli/azure/extension#az_extension_add

-[az-extension-update]: /cli/azure/extension#az_extension_update

-[az-feature-list]: /cli/azure/feature#az_feature_list

-[az-feature-register]: /cli/azure/feature#az_feature_register

-[az-aks-install-cli]: /cli/azure/aks#az_aks_install_cli

-[az-aks-create]: /cli/azure/aks#az_aks_create

-[az-aks-show]: /cli/azure/aks#az_aks_show

-[az-role-assignment-create]: /cli/azure/role/assignment#az_role_assignment_create

-[az-provider-register]: /cli/azure/provider#az_provider_register

-[az-group-create]: /cli/azure/group#az_group_create

-[az-aks-update]: /cli/azure/aks#az_aks_update

-[az-role-definition-create]: /cli/azure/role/definition#az_role_definition_create

-[az-aks-get-credentials]: /cli/azure/aks#az_aks_get-credentials

-[aks-aad]: azure-ad-integration-cli.md

-[managed-identities]: ../active-directory/managed-identities-azure-resources/overview.md

-| 1.24 | Apr 2022 | May 2022 | Jul 2022 | Jul 2023 | Until 1.28 GA |

-| 1.26 | Azure policy 1.0.1<br>Metrics-Server 0.6.3<br>KEDA 2.9.3<br>Open Service Mesh 1.2.3<br>Core DNS V1.9.4<br>Overlay VPA 0.11.0<br>Azure-Keyvault-SecretsProvider 1.4.1<br>Application Gateway Ingress Controller (AGIC) 1.5.3<br>Image Cleaner v1.1.1<br>Azure Workload identity v1.0.0<br>MDC Defender 1.0.56<br>Azure Active Directory Pod Identity 1.8.13.6<br>GitOps 1.7.0<br>KMS 0.5.0| Cilium 1.12.8<br>CNI 1.4.44<br> Cluster Autoscaler 1.8.5.3<br> | OS Image Ubuntu 22.04 Cgroups V2 <br>ContainerD 1.7<br>Azure Linux 2.0<br>Cgroups V1<br>ContainerD 1.6<br>|No breaking changes |None

-| 1.27 | Azure policy 1.1.0<br>Metrics-Server 0.6.3<br>KEDA 2.10.0<br>Open Service Mesh 1.2.3<br>Core DNS V1.9.4<br>Overlay VPA 0.11.0<br>Azure-Keyvault-SecretsProvider 1.4.1<br>Application Gateway Ingress Controller (AGIC) 1.7.2<br>Image Cleaner v1.1.1<br>Azure Workload identity v1.0.0<br>MDC Defender 1.0.56<br>Azure Active Directory Pod Identity 1.8.13.6<br>GitOps 1.7.0<br>KMS 0.5.0|Cilium 1.12.8<br>CNI 1.4.44<br> Cluster Autoscaler 1.8.5.3<br> | OS Image Ubuntu 22.04 Cgroups V2 <br>ContainerD 1.7 for Linux and 1.6 for Windows<br>Azure Linux 2.0<br>Cgroups V1<br>ContainerD 1.6<br>|Keda 2.10.0 |Because of Ubuntu 22.04 FIPS certification status, we'll switch AKS FIPS nodes from 18.04 to 20.04 from 1.27 onwards.

-| 1.28 | Azure policy 1.2.1<br>Metrics-Server 0.6.3<br>KEDA 2.11.2<br>Open Service Mesh 1.2.7<br>Core DNS V1.9.4<br>Overlay VPA 0.13.0<br>Azure-Keyvault-SecretsProvider 1.4.1<br>Application Gateway Ingress Controller (AGIC) 1.7.2<br>Image Cleaner v1.2.2<br>Azure Workload identity v1.2.0<br>MDC Defender Security Publisher 1.0.68<br>MDC Defender Old File Cleaner 1.3.68<br>MDC Defender Pod Collector 1.0.78<br>MDC Defender Low Level Collector 1.3.81<br>Azure Active Directory Pod Identity 1.8.13.6<br>GitOps 1.8.1|Cilium 1.13.5<br>CNI v1.4.43.1 (Default)/v1.5.11 (Azure CNI Overlay)<br> Cluster Autoscaler 1.27.3<br> | OS Image Ubuntu 22.04 Cgroups V2 <br>ContainerD 1.7.5 for Linux and 1.7.1 for Windows<br>Azure Linux 2.0<br>Cgroups V1<br>ContainerD 1.6<br>|No breaking changes|None

-* (Developer and Premium tiers) API Management service is moved to a different subnet.

-tags: azure-resource-manager

-| renewal-period | The length in seconds of the fixed window after which the quota resets. The start of each period is calculated relative to `first-period-start`. When `renewal-period` is set to `0`, the period is set to infinite. Policy expressions aren't allowed. | Yes | N/A |

-Use the `set-backend-service` policy to redirect an incoming request to a different backend than the one specified in the API settings for that operation. This policy changes the backend service base URL of the incoming request to the one specified in the policy.

-|backend-id|Identifier (name) of the backend to route primary or secondary replica of a partition. Policy expressions are allowed. |One of `base-url` or `backend-id` must be present.|N/A|

-The following sections describe the DNS considerations and configuration that apply inbound to and outbound from your App Service Environment. The examples use the domain suffix `appserviceenvironment.net` from Azure Public Cloud. If you're using other clouds like Azure Government, you need to use their respective domain suffix. Note that for App Service Environment domains, the site name will be truncated at 40 characters because of DNS limits. If you have a slot, the slot name will be truncated at 19 characters.

-The apps in your App Service Environment uses the DNS that your virtual network is configured with. If you want some apps to use a different DNS server, you can manually set it on a per app basis, with the app settings `WEBSITE_DNS_SERVER` and `WEBSITE_DNS_ALT_SERVER`. `WEBSITE_DNS_ALT_SERVER` configures the secondary DNS server. The secondary DNS server is only used when there's no response from the primary DNS server.

-tags: azure-resource-manager

-tags: azure-resource-manager

-tags: azure-resource-manager

-tags: azure-resource-manager

-To access the .NET feature manager, your app must have references to the `Microsoft.FeatureManagement.AspNetCore` NuGet package.

-## February 12, 2024

-**Image tag**:`v1.27.0_2023-02-13`

-For complete release version information, review [Version log](version-log.md#february-12-2024).

-## February 12, 2024

-|Container images tag |`v1.27.0_2023-02-13`|

-This section describes additional networking requirements specific to deploying Azure Arc resource bridge in your enterprise. These requirements also apply to Azure Arc-enabled VMware vSphere (preview) and Azure Arc-enabled System Center Virtual Machine Manager (preview).

-For more information, see [Overview of Arc-enabled System Center Virtual Machine Manager (preview)](system-center-virtual-machine-manager/overview.md).

-## Additional network requirements

-In addition, Arc resource bridge requires connectivity to the [Arc-enabled Kubernetes endpoints](../network-requirements-consolidated.md?tabs=azure-cloud).

-Download for [Windows](https://download.microsoft.com/download/e/#installing-a-specific-version-of-the-agent)

-tags: azure-service-management

-tags: azure-service-management

-description: Article that shows you how to perform certain virtual networking tasks for Azure Functions.

-# How to configure Azure Functions with a virtual network

-This article shows you how to perform tasks related to configuring your function app to connect to and run on a virtual network. For an in-depth tutorial on how to secure your storage account, refer to the [Connect to a Virtual Network tutorial](functions-create-vnet.md). To learn more about Azure Functions and networking, see [Azure Functions networking options](functions-networking-options.md).

-When you create a function app, you either create a new storage account or link to an existing storage account. During function app creation, you can secure a new storage account behind a virtual network and integrate the function app with this network. At this time, you can't secure an existing storage account being used by your function app in the same way.

-### During function app creation

-You can create a new function app along with a new storage account secured behind a virtual network. The following links show you how to create these resources by using either the Azure portal or by using deployment templates:

-# [Azure portal](#tab/portal)

-# [Deployment templates](#tab/templates)

-### Existing function app

-When you have an existing function app, you can't directly secure the storage account currently being used by the app. You must instead swap-out the existing storage account for a new, secured storage account.

-To secure the storage for an existing function app:

-1. Create or configure a second storage account. This is going to be the secured storage account that your function app uses instead.

-1. [Create a file share](../storage/files/storage-how-to-create-file-share.md#create-a-file-share) in the new storage account.

- * [Create a private endpoint](../storage/common/storage-private-endpoints.md#creating-a-private-endpoint). When using private endpoint connections, the storage account must have private endpoints for the `file` and `blob` subresources. For Durable Functions, you must also make `queue` and `table` subresources accessible through private endpoints.

- * [Enable a service endpoint from the virtual network](../storage/common/storage-network-security.md#grant-access-from-a-virtual-network). When using service endpoints, enable the subnet dedicated to your function apps for storage accounts on the firewall.

-1. Copy the file and blob content from the current storage account used by the function app to the newly secured storage account and file share.

-1. Copy the connection string for this storage account.

-1. Update the **Application Settings** under **Configuration** for the function app to the following:

- | `AzureWebJobsStorage`| Storage connection string | This is the connection string for a secured storage account. |

- | `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` | Storage connection string | This is the connection string for a secured storage account. This setting is required for Consumption and Elastic Premium plan apps on both Windows and Linux. It's not required for Dedicated plan apps, which aren't dynamically scaled by Functions. |

- | `WEBSITE_CONTENTSHARE` | File share | The name of the file share created in the secured storage account where the project deployment files reside. This setting is required for Consumption and Elastic Premium plan apps on both Windows and Linux. It's not required for Dedicated plan apps, which aren't dynamically scaled by Functions. |

- | `WEBSITE_CONTENTOVERVNET` | 1 | A value of 1 enables your function app to scale when you have your storage account restricted to a virtual network. You should enable this setting when restricting your storage account to a virtual network. |

-Constructor injection is used to make your dependencies available in a function. The use of constructor injection requires that you do not use static classes for injected services or for your function classes.

-The host injects `ILogger<T>` and `ILoggerFactory` services into constructors. However, by default these new logging filters are filtered out of the function logs. You need to modify the `host.json` file to opt-in to additional filters and categories.

-You can extract values from the `IConfiguration` instance into a custom type. Copying the app settings values to a custom type makes it easy test your services by making these values injectable. Settings read into the configuration instance must be simple key/value pairs. Please note that, the functions running on Elastic Premium SKU has this constraint "App setting names can only contain letters, numbers (0-9), periods ("."), colons (":") and underscores ("_")"

-Refer to [Options pattern in ASP.NET Core](/aspnet/core/fundamentals/configuration/options) for more details regarding working with options.

-When developing locally, ASP.NET Core provides a [Secret Manager tool](/aspnet/core/security/app-secrets#secret-manager) that allows you to store secret information outside the project root. It makes it less likely that secrets are accidentally committed to source control. Azure Functions Core Tools (version 3.0.3233 or later) automatically reads secrets created by the ASP.NET Core Secret Manager.

-To specify additional configuration sources, override the `ConfigureAppConfiguration` method in your function app's `StartUp` class.

-The following sample adds configuration values from a base and an optional environment-specific app settings files.

-By default, configuration files such as *appsettings.json* are not automatically copied to the function app's output folder. Update your *.csproj* file to match the following sample to ensure the files are copied.

-You can create your function app in a deployment where one or more of the resources have been secured by integrating with virtual networks. Virtual network integration for your function app is defined by a `Microsoft.Web/sites/networkConfig` resource. This integration depends on both the referenced function app and virtual network resources. You function app might also depend on other private networking resources, such as private endpoints and routes. For more information, see [Azure Functions networking options](functions-networking-options.md).

-### Container image unavailable

-When the container image can't be found, you'll see a `manifest unknown` error in the Docker logs. In this case, you can use the Azure CLI commands documented at [How to target Azure Functions runtime versions](set-runtime-version.md?tabs=azurecli#manual-version-updates-on-linux) to change the container image being referenced. If you've deployed a [custom container image](./functions-how-to-custom-container.md), you need to fix the image and redeploy the updated version to the referenced registry.

-### App container has conflicting ports

-Changing any _read-only_ [App Service application settings](../app-service/reference-app-settings.md#app-environment) can put your function app into an unreachable state.

-# Customer intent: As an IT manager, I want to understand the capabilities of Azure Monitor Agent to determine whether I can use the agent to collect the data I need from the operating systems of my virtual machines.

-Here's a short **introduction to Azure Monitor agent video**, which includes a quick demo of how to set up the agent from the Azure portal: [ITOps Talk: Azure Monitor Agent](https://www.youtube.com/watch?v=f8bIrFU8tCs)

-Using Azure Monitor agent, you get immediate benefits as shown below:

- - Allows filtering rules and data transformations to reduce the overall data volume being uploaded, thus lowering ingestion and storage costs significantly.

- - Centralized agent configuration "in the cloud" for enterprise scale throughout the data collection lifecycle, from onboarding to deployment to updates and changes over time.

-

-The following tables list the operating systems that Azure Monitor Agent and the legacy agents support. All operating systems are assumed to be x64. x86 isn't supported for any operating system.

-| Operating system | Azure Monitor agent | Log Analytics agent (legacy) | Diagnostics extension |

-| Windows 10 Enterprise<br>(including multi-session) and Pro<br>(Server scenarios only) | Γ£ô | Γ£ô | Γ£ô |

-Use the steps described in [Create a new log alert](../alerts/alerts-metric.md) to be notified when data collection stops. Use the following settings for the alert rule:

-

-

-Specify an existing or new [action group](../alerts/action-groups.md) so that when the log alert matches criteria, you're notified if you have a heartbeat missing for more than 15 minutes.

-

-Review the list of [Azure Monitor Agent extensions currently available in preview](#supported-services-and-features). These extensions are the same solutions and services now available by using the new Azure Monitor Agent instead.

-You might see more extensions getting installed for the solution or service to collect extra data or perform transformation or processing as required for the solution or service. Then use Azure Monitor Agent to route the final data to Azure Monitor.

-

-

-| Nov-Dec 2022 | <ul><li>Support for air-gapped clouds added for [Windows MSI installer for clients](./azure-monitor-agent-windows-client.md) </li><li>Reliability improvements for using AMA with Custom Metrics destination</li><li>Performance and internal logging improvements</li></ul> | 1.11.0 | None |

-| Oct 2022 | **Windows** <ul><li>Increased reliability of data uploads</li><li>Data quality improvements</li></ul> **Linux** <ul><li>Support for `http_proxy` and `https_proxy` environment variables for [network proxy configurations](./azure-monitor-agent-data-collection-endpoint.md#proxy-configuration) for the agent</li><li>[Text logs](./data-collection-text-log.md) <ul><li>Network proxy support enabled</li><li>Fixed missing `_ResourceId`</li><li>Increased maximum line size support to 1 MB</li></ul></li><li>Support ingestion of syslog events whose timestamp is in the future</li><li>Performance improvements</li><li>Fixed `diskio` metrics instance name dimension to use the disk mount path(s) instead of the device name(s)</li><li>Fixed world writable file issue to lock down write access to certain agent logs and configuration files stored locally on the machine</li></ul> | 1.10.0.0 | 1.24.2 |

-| Sep 2022 | Reliability improvements | 1.9.0 | None |

-> - **Check the [prerequisites](./azure-monitor-agent-manage.md#prerequisites) for installing Azure Monitor Agent.**<br>To monitor non-Azure and on-premises servers, you must [install the Azure Arc agent](../../azure-arc/servers/agent-overview.md). You won't incur an additional cost for installing the Azure Arc agent and you don't necessarily need to use Azure Arc to manage your non-Azure virtual machines.

-On the machine to be diagnosed, run the Agent Troubleshooter.

-sudo sh ama_troubleshooter.sh -L

-sudo sh ama_troubleshooter.sh -A

-

-The common alert schema standardizes the consumption of Azure Monitor alert notifications. Historically, activity log, metric, and log alerts each had their own email templates and webhook schemas. The common alert schema provides one standardized schema for all alert notifications.

-| alertTargetIDs | The list of the Azure Resource Manager IDs that are affected targets of an alert. For a log alert defined on a Log Analytics workspace or Application Insights instance, it's the respective workspace or application. |

-| configurationItems |The list of affected resources of an alert.<br>In some cases, the configuration items can be different from the alert targets. For example, in metric-for-log or log alerts defined on a Log Analytics workspace, the configuration items are the actual resources sending the data, and not the workspace.<br><ul><li>In the log alerts API (Scheduled Query Rules) v2021-08-01, the `configurationItem` values are taken from explicitly defined dimensions in this priority: `_ResourceId`, `ResourceId`, `Resource`, `Computer`.</li><li>In earlier versions of the log alerts API, the `configurationItem` values are taken implicitly from the results in this priority: `_ResourceId`, `ResourceId`, `Resource`, `Computer`.</li></ul>In ITSM systems, the `configurationItems` field is used to correlate alerts to resources in a configuration management database. |

-## Alert context fields for Log alerts

-> When you enable the common schema, the fields in the payload are reset to the common schema fields. Therefore, log alerts have these limitations regarding the common schema:

-> - The common schema is not supported for log alerts using webhooks with a custom email subject and/or JSON payload, since the common schema overwrites the custom configurations.

-> - Alerts using the common schema have an upper size limit of 256 KB per alert. If the log alerts payload includes search results that cause the alert to exceed the maximum size, the search results aren't embedded in the log alerts payload. You can check if the payload includes the search results with the `IncludedSearchResults` flag. Use `LinkToFilteredSearchResultsAPI` or `LinkToSearchResultsAPI` to access query results with the [Log Analytics API](/rest/api/loganalytics/dataaccess/query/get) if the search results are not included.

-### Sample log alert when the monitoringService = Log Analytics

-### Sample log alert when the monitoringService = Application Insights

-### Sample log alert when the monitoringService = Log Alerts V2

-> Log alert rules from API version 2020-05-01 use this payload type, which only supports common schema. Search results aren't embedded in the log alerts payload when you use this version. Use [dimensions](./alerts-unified-log.md#split-by-alert-dimensions) to provide context to fired alerts. You can also use `LinkToFilteredSearchResultsAPI` or `LinkToSearchResultsAPI` to access query results with the [Log Analytics API](/rest/api/loganalytics/dataaccess/query/get). If you must embed the results, use a logic app with the provided links to generate a custom payload.

-description: This article shows you how to create a new log alert rule.

-# Create or edit a log alert rule

-This article shows you how to create a new log alert rule or edit an existing log alert rule. To learn more about alerts, see the [alerts overview](alerts-overview.md).

- > Log alert rule queries do not support the 'bag_unpack()', 'pivot()' and 'narrow()' plugins.

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-log-rule-query-pane.png" alt-text="Screenshot that shows the Query pane when creating a new log alert rule.":::

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-logs-conditions-tab.png" alt-text="Screenshot that shows the Condition tab when creating a new log alert rule.":::

- For sample log alert queries that query ARG or ADX, see [log alert query samples](./alerts-log-alert-query-samples.md)

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-log-measurements.png" alt-text="Screenshot that shows the Measurement tab when creating a new log alert rule.":::

- |Measure|Log alerts can measure two different things, which can be used for different monitoring scenarios:<br> **Table rows**: The number of rows returned can be used to work with events such as Windows event logs, Syslog, and application exceptions. <br>**Calculation of a numeric column**: Calculations based on any numeric column can be used to include any number of resources. An example is CPU percentage. |

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-create-log-rule-dimensions.png" alt-text="Screenshot that shows the splitting by dimensions section of a new log alert rule.":::

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-create-log-rule-logic.png" alt-text="Screenshot that shows the Alert logic section of a new log alert rule.":::

- For sample log alert queries that query ARG or ADX, see [log alert query samples](./alerts-log-alert-query-samples.md)

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-rule-preview-advanced-options.png" alt-text="Screenshot that shows the Advanced options section of a new log alert rule.":::

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-log-rule-details-tab.png" alt-text="Screenshot that shows the Details tab when creating a new log alert rule.":::

- 1. <a name="managed-id"></a>In the **Identity** section, select which identity is used by the log alert rule to send the log query. This identity is used for authentication when the alert rule executes the log query.

- - If the query is accessing a Log Analytics workspace, the identity must be assigned a **Reader role** for all workspaces accessed by the query. If you're creating resource-centric log alerts, the alert rule may access multiple workspaces, and the identity must have a reader role on all of them.

- |Automatically resolve alerts (preview) |Select to make the alert stateful. When an alert is stateful, the alert is resolved when the condition is no longer met for a specific time range. The time range differs based on the frequency of the alert:<br>**1 minute**: The alert condition isn't met for 10 minutes.<br>**5-15 minutes**: The alert condition isn't met for three frequency periods.<br>**15 minutes - 11 hours**: The alert condition isn't met for two frequency periods.<br>**11 to 12 hours**: The alert condition isn't met for one frequency period. <br><br>Note that stateful log alerts have these limitations:<br> - they can trigger up to 300 alerts per evaluation.<br> - you can have a maximum of 5000 alerts with the `fired` alert condition.|

- - To create a log alert rule, use the [az monitor scheduled-query create](/cli/azure/monitor/scheduled-query) command.

- - For log alerts: `Microsoft.Insights/scheduledQueryRules`

- - For log alerts: [Resource Manager template samples for log alert rules](resource-manager-alerts-log.md)

-description: See examples of Azure monitor log alert rule queries.

-# Sample log alert queries that include ADX and ARG

-A log alert rule monitors a resource by using a Log Analytics query to evaluate logs at a set frequency. You can include data from Azure Data Explorer and Azure Resource Graph in your log alert rule queries.

-This article provides examples of log alert rule queries that use Azure Data Explorer and Azure Resource Graph. For more information about creating a log alert rule, see [Create a log alert rule](./alerts-create-log-alert-rule.md).

-description: Learn how to switch to the log alerts management to ScheduledQueryRules API

-# Upgrade to the Log Alerts API from the legacy Log Analytics alerts API

-> As [announced](https://azure.microsoft.com/updates/switch-api-preference-log-alerts/), the Log Analytics alert API will be retired on October 1, 2025. You must transition to using the Scheduled Query Rules API for log alerts by that date.

-> Log Analytics workspaces created after June 1, 2019 use the [scheduledQueryRules API](/rest/api/monitor/scheduledqueryrule-2021-08-01/scheduled-query-rules) to manage alert rules. [Switch to the current API](./alerts-log-api-switch.md) in older workspaces to take advantage of Azure Monitor scheduledQueryRules [benefits](./alerts-log-api-switch.md#benefits).

-In the past, users used the [legacy Log Analytics Alert API](/azure/azure-monitor/alerts/api-alerts) to manage log alert rules. Currently workspaces use [ScheduledQueryRules API](/rest/api/monitor/scheduledqueryrule-2021-08-01/scheduled-query-rules) for new rules. This article describes the benefits and the process of switching legacy log alert rules management from the legacy API to the current API.

-You can also use [Azure CLI](/cli/azure/reference-index#az-rest) tool:

-You can also use [ARMClient](https://github.com/projectkudu/ARMClient) tool:

-You can also use [Azure CLI](/cli/azure/reference-index#az-rest) tool:

-# Optimize log alert queries

-This article describes how to write and convert [Log alerts](alerts-types.md#log-alerts) to achieve optimal performance. Optimized queries reduce latency and load of alerts, which run frequently.

-Queries for log alert rules should always start with a table to define a clear scope, which improves query performance and the relevance of the results. Queries in alert rules run frequently. Using `search` and `union` can result in excessive overhead that adds latency to the alert because it requires scanning across multiple tables. These operators also reduce the ability of the alerting service to optimize the query.

-We don't support creating or modifying log alert rules that use `search` or `union` operators, except for cross-resource queries.

-Log alert rules using [cross-resource queries](../logs/cross-workspace-query.md) aren't affected by this change because cross-resource queries use a type of `union`, which limits the query scope to specific resources. The following example would be a valid log alert query:

-> [Cross-resource queries](../logs/cross-workspace-query.md) are supported in the new [scheduledQueryRules API](/rest/api/monitor/scheduledqueryrule-2021-08-01/scheduled-query-rules). If you still use the [legacy Log Analytics Alert API](./api-alerts.md) for creating log alerts, see [Upgrade legacy rules management to the current Azure Monitor Log Alerts API](./alerts-log-api-switch.md) to learn about switching.

-You want to create a log alert rule by using the following query that retrieves performance information using `search`:

-You want to create a log alert rule by using the following query that retrieves performance information using `search`:

-You want to create a log alert rule by using the following query that uses both `search` and `union` to retrieve performance information:

-You want to create a log alert rule by using the following query that joins the results of two `search` queries:

-description: This article describes how to configure log alert rules with webhook actions and available customizations.

-# Sample payloads for log alerts using webhook actions

-You can use webhook actions in a log alert rule to invoke a single HTTP POST request. In this article, we describe the properties that are available when you [configure action groups to use webhooks](./action-groups.md). The service that's called must support webhooks and know how to use the payload it receives.

-For log alert rules that have a custom JSON payload defined, enabling the common alert schema reverts the payload schema to the one described in [Common alert schema](../alerts/alerts-common-schema.md#alert-context-fields-for-log-alerts). If you want to have a custom JSON payload defined, the webhook can't use the common alert schema.

-## Log alert for all resources logs (from API version `2021-08-01`)

-The following sample payload is for a standard webhook when it's used for log alerts based on resources logs:

-## Log alert for Log Analytics (up to API version `2018-04-16`)

-## Log alert for Application Insights (up to API version `2018-04-16`)

-The following sample payload is for a standard webhook when it's used for log alerts based on Application Insights resources:

-## Log alert with a custom JSON payload (up to API version `2018-04-16`)

-| `Severity` |#severity |Severity set for the fired log alert. |

-| `Search Interval StartTime` |#searchintervalstarttimeutc |Start time for the query in UTC, with the format mm/dd/yyyy HH:mm:ss AM/PM.

-| `Alert Type`| #alerttype | The type of log alert rule configured as [Metric measurement or Number of results](./alerts-unified-log.md#measure).|

-The following sample payload is for a custom webhook action for any log alert:

- - Log alert rules

- - **Condition**. Learn more about conditions for [metric alert rules](./alerts-create-new-alert-rule.md?tabs=metric#tabpanel_1_metric), [log alert rules](./alerts-create-new-alert-rule.md?tabs=log#tabpanel_1_log), and [activity log alert rules](./alerts-create-new-alert-rule.md?tabs=activity-log#tabpanel_1_activity-log)

-> This section describes how to manage alert rules created in the latest UI or using an API version later than `2018-04-16`. See [View and manage log alert rules created in previous versions](alerts-manage-alerts-previous-version.md) for information about how to view and manage log alert rules created in the previous UI.

-## Manage log alert rules using the CLI

-This section describes how to manage log alerts using the cross-platform [Azure CLI](/cli/azure/get-started-with-azure-cli). The following examples use [Azure Cloud Shell](../../cloud-shell/overview.md).

-### Manage log alert rules using the Azure Resource Manager CLI with [templates](./alerts-log-create-templates.md)

-## Manage log alert rules with PowerShell

-Log alert rules have this dedicated PowerShell cmdlet:

-description: Use the Azure Monitor portal to manage log alert rules created in earlier versions.

-This article describes the process of managing alert rules created in the previous UI or by using API version `2018-04-16` or earlier. Alert rules created in the latest UI are viewed and managed in the new UI, as described in [Create, view, and manage log alerts by using Azure Monitor](alerts-log.md).

-## Changes to the log alert rule creation experience

- - **Alert logic**: Log alerts can be based on two types of [measures](./alerts-unified-log.md#measure):

- For metric measurements alert logic, you can specify how to [split the alerts by dimensions](./alerts-unified-log.md#split-by-alert-dimensions) by using the **Aggregate on** option. The row grouping expression must be unique and sorted.

- - **Period**: Choose the time range over which to assess the specified condition by using the [Period](./alerts-unified-log.md#query-time-range) option.

-1. Use the preview data to set the [Operator, Threshold value](./alerts-unified-log.md#threshold-and-operator), and [Frequency](./alerts-unified-log.md#frequency).

-1. Set the [number of violations to trigger an alert](./alerts-unified-log.md#number-of-violations-to-trigger-alert) by using **Total** or **Consecutive breaches**.

-1. Use the [Suppress Alerts](./alerts-unified-log.md#state-and-resolving-alerts) option if you want to suppress rule actions for a specified time after an alert is fired. The rule will still run and create alerts, but actions won't be triggered to prevent noise. The **Mute actions** value must be greater than the frequency of the alert to be effective.

-1. (Optional) Customize actions in log alert rules:

- - **Include custom Json payload for webhook**: Overrides the webhook JSON used by action groups, assuming that the action group contains a webhook action. Learn more about [webhook actions for log alerts](./alerts-log-webhook.md).

- :::image type="content" source="media/alerts-log/AlertsPreviewOverrideLog.png" lightbox="media/alerts-log/AlertsPreviewOverrideLog.png" alt-text="Screenshot that shows Action overrides for log alerts." border="false":::

-## Manage log alerts using PowerShell

-> The `ScheduledQueryRules` PowerShell cmdlets can only manage rules created in [this version of the Scheduled Query Rules API](/rest/api/monitor/scheduledqueryrule-2018-04-16/scheduled-query-rules). Log alert rules created by using the legacy [Log Analytics Alert API](./api-alerts.md) can only be managed by using PowerShell after you [switch to the Scheduled Query Rules API](./alerts-log-api-switch.md).

-Example steps for creating a log alert rule by using PowerShell:

-Example steps for creating a log alert rule by using PowerShell with cross-resource queries:

-You can also create the log alert by using [a template and parameters](./alerts-log-create-templates.md) files using PowerShell:

-* Learn about [log alerts](./alerts-unified-log.md).

-* Create log alerts by using [Azure Resource Manager templates](./alerts-log-create-templates.md).

-* Understand [webhook actions for log alerts](./alerts-log-webhook.md).

-There are many benefits for using **Metric Alerts for Logs** over query based [Log Alerts](./alerts-log.md) in Azure; some of them are listed below:

-The noncommon alert schema were historically used to customize alert email templates and webhook schemas for metric, log, and activity log alert rules. We recommend using the [common schema](./alerts-common-schema.md) for all alert types and integrations.

-## Log alerts

-See sample values for log alerts.

-|[Log alerts](alerts-types.md#log-alerts)|Log alerts allow users to use a Log Analytics query to evaluate resource logs at a predefined frequency.|

-Stateful log alerts have limitations - details [here](/azure/azure-monitor/service-limits#alerts).

-|Log alerts| The alert condition isn't met for a specific time range. The time range differs based on the frequency of the alert:<ul> <li>**1 minute**: The alert condition isn't met for 10 minutes.</li> <li>**5 to 15 minutes**: The alert condition isn't met for three frequency periods.</li> <li>**15 minutes to 11 hours**: The alert condition isn't met for two frequency periods.</li> <li>**11 to 12 hours**: The alert condition isn't met for one frequency period.</li></ul>|

-### Log alerts

-Use [log alert rules](alerts-create-log-alert-rule.md) to monitor all resources that send data to the Log Analytics workspace. These resources can be from any subscription or region. Use data collection rules when setting up your Log Analytics workspace to collect the required data for your log alerts rule.

-Log alert rules that use splitting by dimensions are charged based on the number of time series created by the dimensions resulting from your query. If the data is already collected to a Log Analytics workspace, there is no additional cost.

-The common alert schema standardizes the consumption experience for alert notifications in Azure. Historically, activity log, metric, and log alerts each had their own email templates and webhook schemas. The common alert schema provides one standardized schema for all alert notifications.

-## Sample log alerts

-> When you enable the common schema, the fields in the payload are reset to the common schema fields. Therefore, log alerts have these limitations regarding the common schema:

-> - The common schema is not supported for log alerts using webhooks with a custom email subject and/or JSON payload, since the common schema overwrites the custom configurations.

-> - Alerts using the common schema have an upper size limit of 256 KB per alert. If the log alerts payload includes search results that cause the alert to exceed the maximum size, the search results aren't embedded in the log alerts payload. You can check if the payload includes the search results with the `IncludedSearchResults` flag. Use `LinkToFilteredSearchResultsAPI` or `LinkToSearchResultsAPI` to access query results with the [Log Analytics API](/rest/api/loganalytics/dataaccess/query/get) if the search results are not included.

-### Log alert with monitoringService = Platform

-### Log alert with monitoringService = Application Insights

-### Log alert with monitoringService = Log Alerts V2

-> Log alert rules from API version 2020-05-01 use this payload type, which only supports common schema. Search results aren't embedded in the log alerts payload when you use this version. Use [dimensions](./alerts-unified-log.md#split-by-alert-dimensions) to provide context to fired alerts. You can also use `LinkToFilteredSearchResultsAPI` or `LinkToSearchResultsAPI` to access query results with the [Log Analytics API](/rest/api/loganalytics/dataaccess/query/get). If you must embed the results, use a logic app with the provided links to generate a custom payload.

-### Sample test action log alerts

-#### Test action log alert V1 ΓÇô Metric

-#### Test action log alert V1 - Numresults

-#### Test action log alert V2

-> Log alerts rules from API version 2020-05-01 use this payload type, which only supports common schema. Search results aren't embedded in the log alerts payload when you use this version. Use [dimensions](./alerts-unified-log.md#split-by-alert-dimensions) to provide context to fired alerts.

-> Resource-centric log query alert rules currently in public preview allow you to use all resources in a subscription or resource group as a target for a log query alert.

-Learn about fixing other problems with [alert notifications](alerts-troubleshoot.md), [metric alerts](alerts-troubleshoot-metric.md), and [log alerts](alerts-troubleshoot-log.md).

-description: Common issues, errors, and resolutions for log alert rules in Azure.

-# Troubleshoot log alerts in Azure Monitor

-This article describes how to resolve common issues with log alerts in Azure Monitor. It also provides solutions to common problems with the functionality and configuration of log alerts.

-You can use log alerts to evaluate resources logs every set frequency by using a [Log Analytics](../logs/log-analytics-tutorial.md) query, and fire an alert that's based on the results. Rules can trigger one or more actions using [Action Groups](./action-groups.md). To learn more about functionality and terminology of log alerts, see [Log alerts in Azure Monitor](alerts-unified-log.md).

-## Log alert didn't fire

-Log alerts provide an option to mute fired alert actions for a set amount of time using **Mute actions** and to only fire once per condition being met using **Automatically resolve alerts**.

-When you author an alert rule, Log Analytics creates a permission snapshot for your user ID. This snapshot is saved in the rule and contains the rule scope resource, Azure Resource Manager ID. If the rule scope resource moves, gets renamed, or is deleted, all log alert rules that refer to that resource will break. To work correctly, alert rules need to be recreated using the new Azure Resource Manager ID.

-When you create a log alert rule with system-assigned managed identity, the identity is created without any permissions. After you create the rule, you need to assign the appropriate roles to the ruleΓÇÖs identity so that it can access the data you want to query. For example, you might need to give it a Reader role for the relevant Log Analytics workspaces, or a Reader role and a Database Viewer role for the relevant ADX cluster. See [managed identities](/azure/azure-monitor/alerts/alerts-create-log-alert-rule#configure-the-alert-rule-details) for more information about using managed identities in log alerts.

-[Metric measurement](alerts-unified-log.md#calculation-of-a-value) is a type of log alert that's based on summarized time series results. You can use these rules to group by columns to [split alerts](alerts-unified-log.md#split-by-alert-dimensions). If you're using the legacy Log Analytics API, splitting doesn't work as expected because it doesn't support grouping.

-You can use the current ScheduledQueryRules API to set **Aggregate On** in [Metric measurement](alerts-unified-log.md#calculation-of-a-value) rules, which work as expected. To learn more about switching to the current ScheduledQueryRules API, see [Upgrade to the current Log Alerts API from legacy Log Analytics Alert API](./alerts-log-api-switch.md).

-## Log alert fired unnecessarily

-A configured [log alert rule in Azure Monitor](./alerts-log.md) might be triggered unexpectedly. The following sections describe some common reasons.

-Log alerts work best when you try to detect data in the logs. It works less well when you try to detect lack of data in the logs, like alerting on virtual machine heartbeat.

-## Log alert was disabled

-The following sections list some reasons why Azure Monitor might disable a log alert rule. After those sections, there's an [example of the activity log that is sent when a rule is disabled](#activity-log-example-when-rule-is-disabled).

-If a log alert fails continuously for a week, Azure Monitor disables it.

-### Query used in a log alert isn't valid

-When a log alert rule is created, the query is validated for correct syntax. But sometimes, the query provided in the log alert rule can start to fail. Some common reasons are:

-[Azure Advisor](../../advisor/advisor-overview.md) warns you about this behavior. It adds a recommendation about the affected log alert rule. The category used is 'High Availability' with medium impact and a description of 'Repair your log alert rule to ensure monitoring'.

-1. Use [splitting of alerts by dimensions](alerts-unified-log.md#split-by-alert-dimensions) to reduce rules count. These rules can monitor many resources and detection cases.

-### To check the current usage of new log alert rules

-If query fails for seven days continuously, Azure Monitor disables the log alert and stops the billing of the rule. You can see the exact time when Azure Monitor disabled the log alert in the [Azure activity log](../../azure-monitor/essentials/activity-log.md).

-Currently, monitoring a guest metric for multiple virtual machines with a single alert rule isn't supported by metric alerts. But you can use a [log alert rule](./alerts-unified-log.md). To do so, make sure the guest metrics are collected to a Log Analytics workspace and create a log alert rule on the workspace.

-Refer to these articles for troubleshooting information about metric or log alerts that are not behaving as expected:

-

-|Log alert|You can use log alerts to perform advanced logic operations on your data. If the data you want to monitor is available in logs, or requires advanced logic, you can use the robust features of Kusto Query Language (KQL) for data manipulation by using log alerts.|Each log alert rule is billed based on the interval at which the log query is evaluated. More frequent query evaluation results in a higher cost. For log alerts configured for at-scale monitoring using splitting by dimensions, the cost also depends on the number of time series created by the dimensions resulting from your query. |

-## Log alerts

-A log alert rule monitors a resource by using a Log Analytics query to evaluate resource logs at a set frequency. If the conditions are met, an alert is fired. Because you can use Log Analytics queries, you can perform advanced logic operations on your data and use the robust KQL features to manipulate log data.

-The target of the log alert rule can be:

-Log alerts can measure two different things, which can be used for different monitoring scenarios:

-You can configure if log alerts are [stateful or stateless](alerts-overview.md#alerts-and-state). This feature is currently in preview.

-Note that stateful log alerts have these limitations:

-> Log alerts work best when you're trying to detect specific data in the logs, as opposed to when you're trying to detect a lack of data in the logs. Because logs are semi-structured data, they're inherently more latent than metric data on information like a VM heartbeat. To avoid misfires when you're trying to detect a lack of data in the logs, consider using [metric alerts](#metric-alerts). You can send data to the metric store from logs by using [metric alerts for logs](alerts-metric-logs.md).

-You can use dimensions when you create log alert rules to monitor the values of multiple instances of a resource with one rule. For example, you can monitor CPU usage on multiple instances running your website or app. Each instance is monitored individually. Notifications are sent for each instance.

-### Use the API for log alert rules

-> Log alerts for Log Analytics used to be managed by using the legacy [Log Analytics Alert API](api-alerts.md). Learn more about [switching to the current ScheduledQueryRules API](alerts-log-api-switch.md).

-### Log alerts on your Azure bill

-Log alerts are listed under resource provider `microsoft.insights/scheduledqueryrules` with:

-> Activity log alerts (including Service health alerts) and Log alerts are not impacted by the migration. The migration only applies to classic alert rules described [here](./monitoring-classic-retirement.md#retirement-of-classic-monitoring-and-alerting-platform).

-# Legacy Log Analytics alerts REST API

-> As [announced](https://azure.microsoft.com/updates/switch-api-preference-log-alerts/), the Log Analytics alert API will be retired on October 1, 2025. You must transition to using the Scheduled Query Rules API for log alerts by that date.

-The `Suppress` property of a Log Analytics alert rule is specified by using the `Throttling` value. The suppression period is specified by using the `DurationInMinutes` value.

-By default, the webhook sent via an action group for Log Analytics has a fixed structure. But you can customize the JSON payload by using specific variables supported to meet requirements of the webhook endpoint. For more information, see [Webhook action for log alert rules](./alerts-log-webhook.md).

-* Learn about [log alerts in Azure Monitor](./alerts-unified-log.md).

-* Learn how to [create, edit, or manage log alert rules in Azure Monitor](./alerts-log.md).

-Secure Webhook is an updated version of [IT Service Management Connector (ITSMC)](./itsmc-overview.md). Both versions allow you to create work items in an ITSM tool when Azure Monitor sends alerts. The functionality includes metric, log, and activity log alerts.

-Action groups provide a modular and reusable way of triggering actions for Azure alerts. You can use action groups with metric alerts, activity log alerts, and Log Analytics alerts in the Azure portal.

-For Log Search Alerts (V1 only), the structure is:

-After you create your ITSM connection, use the ITSM action in action groups to create work items in your ITSM tool based on Azure alerts. Action groups provide a modular and reusable way to trigger actions for your Azure alerts. You can use action groups with metric alerts, activity log alerts, and Log Analytics alerts in the Azure portal.

-1. In the last section of the interface for creating an ITSM action group, if the alert is a log alert, you can define how many work items will be created for each alert. For all other alert types, one work item is created per alert.

-Azure Monitor provides a bidirectional connection between Azure and ITSM tools to help you resolve issues faster. You can create work items in your ITSM tool based on your Azure metric alerts, activity log alerts, and Log Analytics alerts.

-* The alert isn't a log alert. Configuration items are only supported by log alerts.

-* Check if the alert is a log alert. If it isn't a log alert, configuration items are not supported.

-|Unknown|This log search alert rule is currently disabled or in an unknown state.|[Log alert was disabled](alerts-troubleshoot-log.md#log-alert-was-disabled).|

-description: Sample Azure Resource Manager templates to deploy Azure Monitor log query alerts.

-# Resource Manager template samples for log alert rules in Azure Monitor

-This article includes samples of [Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md) to create and configure log query alerts in Azure Monitor. Each sample includes a template file and a parameters file with sample values to provide to the template.

-The following sample creates a [number of results alert rule](../alerts/alerts-unified-log.md#result-count).

-The following sample creates a [metric measurement alert rule](../alerts/alerts-unified-log.md#calculation-of-a-value).

-description: Tutorial to create a log query alert for an Azure resource.

-# Tutorial: Create a log query alert for an Azure resource

-Azure Monitor alerts proactively notify you when important conditions are found in your monitoring data. Log query alert rules create an alert when a log query returns a particular result. For example, receive an alert when a particular event is created on a virtual machine, or send a warning when excessive anonymous requests are made to a storage account.

-> * Create a log query alert rule

-To complete this tutorial you need the following:

-

- ## Select a log query and verify results

-Data is retrieved from a Log Analytics workspace using a log query written in Kusto Query Language (KQL). Insights and solutions in Azure Monitor will provide log queries to retrieve data for a particular service, but you can work directly with log queries and their results in the Azure portal with Log Analytics.

-Select **Logs** from your resource's menu. Log Analytics opens with the **Queries** window that includes prebuilt queries for your **Resource type**. Select **Alerts** to view queries specifically designed for alert rules.

-Select a query and click **Run** to load it in the query editor and return results. You may want to modify the query and run it again. For example, the **Show anonymous requests** query for storage accounts is shown below. You may want to modify the **AuthenticationType** or filter on a different column.

-Once you verify your query, you can create the alert rule. Select **New alert rule** to create a new alert rule based on the current log query. The **Scope** will already be set to the current resource. You don't need to change this value.

-On the **Condition** tab, the **Log query** will already be filled in. The **Measurement** section defines how the records from the log query will be measured. If the query doesn't perform a summary, then the only option will be to **Count** the number of **Table rows**. If the query includes one or more summarized columns, then you'll have the option to use number of **Table rows** or a calculation based on any of the summarized columns. **Aggregation granularity** defines the time interval over which the collected values are aggregated. For example, if the aggregation granularity is set to 5 minutes, the alert rule will evaluate the data aggregated over the last 5 minutes. If the aggregation granularity is set to 15 minutes, the alert rule will evaluate the data aggregated over the last 15 minutes. It is important to choose the right aggregation granularity for your alert rule, as it can affect the accuracy of the alert.

-If you need a certain dimension(s) included in the alert notification email, you can specify a dimension (e.g. "Computer"), the alert notification email will include the computer name that triggered the alert. The alerting engine uses the alert query to determine the available dimensions. If you do not see the dimension you want in the drop-down list for the "Dimension name", it is because the alert query does not expose that column in the results. You can easily add the dimensions you want by adding a Project line to your query that includes the columns you want to use. You can also use the Summarize line to add additional columns to the query results.

-For example, if the measurement is **Table rows**, the alert logic may be **Greater than 0** indicating that at least one record was returned. If the measurement is a columns value, then the logic may need to be greater than or less than a particular threshold value. In the example below, the log query is looking for anonymous requests to a storage account. If an anonymous request has been made, then we should trigger an alert. In this case, a single row returned would trigger the alert, so the alert logic should be **Greater than 0**.

-Now that you've learned how to create a log query alert for an Azure resource, have a look at workbooks for creating interactive visualizations of monitoring data.

-Yes, calls to the old API for creating Application Insights resources continue to work as before. The old API version doesn't include a reference to the Log Analytics resource. However, when you trigger a legacy API call, it automatically creates a resource and the required association between Application Insights and Log Analytics.

-### What is the migration process for Application Insights resources?

-The migration of Application Insights resources to the new format isn't instantaneous on the day of deprecation. Instead, it occurs over time. We'll gradually migrate all Application Insights resources, ensuring a smooth transition with minimal disruption to your services.

-| [Scheduled query rules - 2023-03-15 (preview)](/rest/api/monitor/scheduled-query-rules?view=rest-monitor-2023-03-15-preview&preserve-view=true) | Manages and lists [log alert rules](./alerts/alerts-types.md#log-alerts). |

-| [Scheduled query rules - 2018-04-16](/rest/api/monitor/scheduled-query-rules?view=rest-monitor-2018-04-16&preserve-view=true) | Manages and lists [log alert rules](./alerts/alerts-types.md#log-alerts). |

-| [Scheduled query rules - 2021-08-01](/rest/api/monitor/scheduled-query-rules?view=rest-monitor-2021-08-01&preserve-view=true) | Manages and lists [log alert rules](./alerts/alerts-types.md#log-alerts). |

-|[Log Analytics](logs/log-analytics-overview.md)|With Log Analytics, you can create log queries to interactively work with log data and create log query alerts.| Some training is required for you to become familiar with the query language, although you can use prebuilt queries for common requirements. You can also add [query packs](logs/query-packs.md) with queries that are unique to your organization. Then if you're familiar with the query language, you can build queries for others in your organization. |

-The [Microsoft Entra logs](../active-directory/reports-monitoring/overview-reports.md) for your tenant and the [activity log](essentials/platform-logs-overview.md) for your subscription are collected automatically. When you send them to a Log Analytics workspace, you can analyze these events with other log data by using log queries in Log Analytics. You can also create log query alerts, which are the only way to alert on Microsoft Entra logs and provide more complex logic than activity log alerts.

-description: This article describes how to create custom log alerts for memory and CPU utilization from Container insights.

-# Create log alerts from Container insights

-To alert for high CPU or memory utilization, or low free disk space on cluster nodes, use the queries that are provided to create a metric alert or a metric measurement alert. Metric alerts have lower latency than log alerts, but log alerts provide advanced querying and greater sophistication. Log alert queries compare a datetime to the present by using the `now` operator and going back one hour. (Container insights stores all dates in Coordinated Universal Time [UTC] format.)

-If you aren't familiar with Azure Monitor alerts, see [Overview of alerts in Microsoft Azure](../alerts/alerts-overview.md) before you start. To learn more about alerts that use log queries, see [Log alerts in Azure Monitor](../alerts/alerts-unified-log.md). For more about metric alerts, see [Metric alerts in Azure Monitor](../alerts/alerts-metric-overview.md).

-[Log alerts](../alerts/alerts-unified-log.md) can measure two different things, which can be used to monitor virtual machines in different scenarios:

-## Create a log query alert rule

-To create a log query alert rule by using the portal, see [this example of a log query alert](../alerts/tutorial-log-alert.md), which provides a complete walkthrough. You can use these same processes to create alert rules for AKS clusters by using queries similar to the ones in this article.

-To create a query alert rule by using an Azure Resource Manager (ARM) template, see [Resource Manager template samples for log alert rules in Azure Monitor](../alerts/resource-manager-alerts-log.md). You can use these same processes to create ARM templates for the log queries in this article.

-> The recommended alert rules in the Azure portal also include a log alert rule called *Daily Data Cap Breach*. This rule alerts when the total data ingestion to your Log Analytics workspace exceeds the [designated quota](../logs/daily-cap.md). This alert rule isn't included with the Prometheus alert rules.

-> You can create this rule on your own by creating a [log alert rule](../alerts/alerts-types.md#log-alerts) that uses the query `_LogOperation | where Operation == "Data collection Status" | where Detail contains "OverQuota"`.

-This article describes how to send Prometheus metrics from your Kubernetes cluster monitored by Container insights to a Log Analytics workspace. Before you perform this configuration, you should first ensure that you're [scraping Prometheus metrics from your cluster using Azure Monitor managed service for Prometheus](/azure/azure-monitor/containers/prometheus-metrics-scrape-configuration), which is the recommended method for monitoring your clusters. Use the configuration described in this article only if you also want to send this same data to a Log Analytics workspace where you can analyze it using [log queries](../logs/log-query-overview.md) and [log alerts](../alerts/alerts-log-query.md).

-| Log alert rules | Use log alert rules to generate an alert from the results of a log query. For more information, see [How to create log alerts from Container Insights](container-insights-log-alerts.md) and [How to query logs from Container Insights](container-insights-log-query.md). |

-| Log Signals Monitored | Number of [log alert rules](alerts/alerts-types.md#log-alerts) and their frequency. |

-| Alerts | Alerts are charged based on the type and number of [signals](alerts/alerts-overview.md) used by the alert rule, its frequency, and the type of [notification](alerts/action-groups.md) used in response. For [log alerts](alerts/alerts-unified-log.md) configured for [at scale monitoring](alerts/alerts-unified-log.md#split-by-alert-dimensions), the cost will also depend on the number of time series created by the dimensions resulting from your query. |

- You can work with [log queries](logs/log-query-overview.md) interactively with [Log Analytics](logs/log-query-overview.md) in the Azure portal. You can also add the results to an [Azure dashboard](app/overview-dashboard.md#create-custom-kpi-dashboards-using-application-insights) for visualization in combination with other data. You can create [log alerts](alerts/alerts-log.md), which will trigger an alert based on the results of a schedule query.

-To learn how to create alert rules and view alerts, see [Create a metric alert for an Azure resource](../alerts/tutorial-metric-alert.md) or [Create a log query alert for an Azure resource](../alerts/tutorial-log-alert.md).

-| Log Analytics workspace | Analyze the logs of all your Azure resources together and take advantage of all the features available to [Azure Monitor Logs](../logs/data-platform-logs.md) including [log queries](../logs/log-query-overview.md) and [log alerts](../alerts/alerts-log.md). Pin the results of a log query to an Azure dashboard or include it in a workbook as part of an interactive report. |

-Now that you're collecting resource logs, create a log query alert to be proactively notified when interesting data is identified in your log data.

-> [Create a log query alert for an Azure resource](../alerts/tutorial-log-alert.md)

-The following example is a [log alert rule](../alerts/alerts-unified-log.md) that sends an alert if the billable data volume ingested in the last 24 hours was greater than 50 GB. Modify the **Alert Logic** setting to use a different threshold based on expected usage in your environment. You can also increase the frequency to check usage multiple times every day, but this option will result in a higher charge for the alert rule.

-* Cross-resource queries in log alerts are only supported in the current [scheduledQueryRules API](/rest/api/monitor/scheduledqueryrule-2018-04-16/scheduled-query-rules). If you're using the legacy Log Analytics Alerts API, you'll need to [switch to the current API](../alerts/alerts-log-api-switch.md).

-> This method can't be used with log alerts because the access validation of the alert rule resources, including workspaces and applications, is performed at alert creation time. Adding new resources to the function after the alert creation isn't supported. If you prefer to use a function for resource scoping in log alerts, you must edit the alert rule in the portal or with an Azure Resource Manager template to update the scoped resources. Alternatively, you can include the list of resources in the log alert query.

-## Customer-managed key for saved queries and log alerts

-The query language used in Log Analytics is expressive and can contain sensitive information in comments, or in the query syntax. Some organizations require that such information is kept protected under Customer-managed key policy and you need save your queries encrypted with your key. Azure Monitor enables you to store saved queries and log alerts encrypted with your key in your own Storage Account when linked to your workspace.

-With the considerations mentioned for [Customer-managed key for saved queries and log alerts](#customer-managed-key-for-saved-queries-and-log-alerts), Azure Monitor enables you to store Workbook queries encrypted with your key in your own Storage Account, when selecting **Save content to an Azure Storage Account** in Workbook 'Save' operation.

-When linking your Storage Account for saved queries, the service stores saved-queries and log alerts queries in your Storage Account. Having control on your Storage Account [encryption-at-rest policy](../../storage/common/customer-managed-keys-overview.md), you can protect saved queries and log alerts with Customer-managed key. You will, however, be responsible for the costs associated with that Storage Account.

-* You can link a single Storage Account to a workspace for both saved queries and log alerts queries.

-* Log alerts are saved in blob storage and Customer-managed key encryption can be configured at Storage Account creation, or later.

-* Fired log alerts won't contain search results or alert query. You can use [alert dimensions](../alerts/alerts-unified-log.md#split-by-alert-dimensions) to get context in the fired alerts.

-**Configure BYOS for log alerts queries**

-Link a Storage Account for *Alerts* to keep *log alerts* queries in your Storage Account.

-To receive an alert when the daily cap is reached, create a [log alert rule](../alerts/alerts-unified-log.md) with the following details.

-The following query can be used to track the data volumes that are subject to the daily cap for a Log Analytics workspace between daily cap resets. This accounts for the security data types that aren't included in the daily cap. In this example, the workspace's reset hour is 14:00. Change this value for your workspace.

-| where DataType !in ("SecurityAlert", "SecurityBaseline", "SecurityBaselineSummary", "SecurityDetection", "SecurityEvent", "WindowsFirewall", "MaliciousIPCommunication", "LinuxAuditLog", "SysmonEvent", "ProtectionStatus", "WindowsEvent")

-| Alert | Configure a [log alert rule](../alerts/alerts-log.md) that sends a notification or takes [automated action](../alerts/action-groups.md) when the results of the query match a particular result. |

-Log Analytics is a tool in the Azure portal. Use it to edit and run log queries and interactively analyze their results. You can then use those queries to support other features in Azure Monitor, such as log query alerts and workbooks. Access Log Analytics from the **Logs** option on the Azure Monitor menu or from most other services in the Azure portal.

-Whether you work with the results of your queries interactively or use them with other Azure Monitor features, such as log query alerts or workbooks, Log Analytics is the tool that you'll use to write and test them.

-| New alert rule button | Open the Create an alert rule page. Use this page to [create an alert rule](../alerts/alerts-create-new-alert-rule.md?tabs=log) with an alert type of [log alert](../alerts/alerts-types.md#log-alerts). The page opens with the [Conditions tab](../alerts/alerts-create-new-alert-rule.md?tabs=log#set-the-alert-rule-conditions) selected, and your query is added to the **Search query** field. |

-Use [log query alerts](../alerts/alerts-log-query.md) in Azure Monitor to be proactively notified when an issue is detected in your Log Analytics workspace. Use a strategy that allows you to respond in a timely manner to issues while minimizing your costs. Your subscription will be charged for each alert rule as listed in [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/#platform-logs).

-Use the process in [Create, view, and manage log alerts by using Azure Monitor](../alerts/alerts-log.md) to create the log alert rules. The following sections describe the details for each rule.

-> - Log alerts are saved in blob storage where configuration of Customer-managed key encryption can be at Storage Account creation, or later.

-|Draft-Monitor|[Log alert creation in the Azure portal.](../alerts/alerts-create-new-alert-rule.md?tabs=log)|

-Azure Monitor alerts proactively notify you when important conditions are found in your monitoring data. They allow you to identify and address issues in your system before your customers notice them. You can set alerts on [metrics](./alerts/alerts-metric-overview.md), [logs](./alerts/alerts-unified-log.md), and the [activity log](./alerts/activity-log-alerts.md). Different types of alerts have benefits and drawbacks.

- - [Log alert rules](alerts/resource-manager-alerts-log.md): Configure alerts from log queries and Azure Activity Log.

-| Microsoft.Insights/ScheduledQueryRules/[Read, Write, Delete] |Read, write, or delete log alerts in Azure Monitor. |

-The most common types of alert rules in Azure Monitor are [metric alerts](../alerts/alerts-metric.md) and [log query alerts](../alerts/alerts-log-query.md). The type of alert rule that you create for a particular scenario depends on where the data that you're alerting on is located.

-### Log alerts

-Common uses for log alerts:

-Data sources for log alerts:

-### Log alert rules

-If you set the target resource of a log alert rule to a specific machine, queries are limited to data associated with that machine, which gives you individual alerts for it. This arrangement requires a separate alert rule for each machine.

-If you set the target resource of a log alert rule to a Log Analytics workspace, you have access to all data in that workspace. For this reason, you can alert on data from all machines in the workgroup with a single rule. This arrangement gives you the option of creating a single alert for all machines. You can then use dimensions to create a separate alert for each machine.

-Another benefit of using log alert rules is the ability to include complex logic in the query for determining the threshold value. You can hardcode the threshold, apply it to all resources, or calculate it dynamically based on some field or calculated value. The threshold is applied to resources only according to specific conditions. For example, you might create an alert based on available memory but only for machines with a particular amount of total memory.

-The following section lists common alert rules for virtual machines in Azure Monitor. Details for metric alerts and log alerts are provided for each. For guidance on which type of alert to use, see [Alert types](#alert-types). If you're unfamiliar with the process for creating alert rules in Azure Monitor, see the [instructions to create a new alert rule](../alerts/alerts-create-new-alert-rule.md).

-> The details for log alerts provided here are using data collected by using [VM Insights](vminsights-overview.md), which provides a set of common performance counters for the client operating system. This name is independent of the operating system type.

-#### Log alert rules

-Log query alerts use the [Heartbeat table](/azure/azure-monitor/reference/tables/heartbeat), which should have a heartbeat record every minute from each machine.

-#### Log alert rules

-#### Log alert rules

-#### Log query alert rules

-#### Log query alert rules

-This article provides guidance on collecting the most common types of telemetry from virtual machines. The exact configuration that you choose depends on the workloads that you run on your machines. Included in each section are sample log query alerts that you can use with that data.

-| Logs | Performance data stored in Azure Monitor Logs can be stored for extended periods. The data can be analyzed along with your event data by using [log queries](../logs/log-query-overview.md) with [Log Analytics](../logs/log-analytics-overview.md) or [log query alerts](../alerts/alerts-create-new-alert-rule.md?tabs=log). You can also correlate data by using complex logic across multiple machines, regions, and subscriptions.<br><br>Performance data is sent to the following tables:<br>- VM insights: [InsightsMetrics](/azure/azure-monitor/reference/tables/insightsmetrics)<br>- Other performance data: [Perf](/azure/azure-monitor/reference/tables/perf) |

-When you enable Change Tracking and Inventory, two new tables are created in your Log Analytics workspace. Use these tables for logs queries and log query alert rules.

-If you're using VM insights with **Processes and dependencies collection** enabled, you can use [VMConnection](/azure/azure-monitor/reference/tables/vmconnection) and [VMBoundPort](/azure/azure-monitor/reference/tables/vmboundport) to analyze connections and ports on the machine. The `VMBoundPort` table is updated every minute with each process running on the computer and the port it's listening on. You can create a log query alert similar to the missing heartbeat alert to find processes that have stopped or to alert when the machine isn't listening on a particular port.

-The runbook can access any resources on the local machine to gather required data. It can't send data directly to Azure Monitor or create an alert. To create an alert, have the runbook write an entry to a custom log. Then configure that log to be collected by Azure Monitor. Create a log query alert rule that fires on that log entry.

-For a tutorial on using Log Analytics to analyze log data, see [Log Analytics tutorial](../logs/log-analytics-tutorial.md). For a tutorial on creating alert rules from log data, see [Tutorial: Create a log query alert for an Azure resource](../alerts/tutorial-log-alert.md).

-> Azure Monitor Agent has several advantages over the legacy Log Analytics agent, which will be deprecated by August 2024. After this date, Microsoft will no longer provide any support for the Log Analytics agent. [Migrate to Azure Monitor agent](../agents/azure-monitor-agent-migration.md) before August 2024 to continue ingesting data.

-## Data collection rule

-If you associate a data collection rule with the Map feature enabled to a machine on which Dependency Agent isn't installed, the Map view won't be available. To enable the Map view, set `enableAMA property = true` in the Dependency Agent extension when you install Dependency Agent. We recommend following the procedure described in [Enable VM Insights for Azure Monitor Agent](vminsights-enable-portal.md#enable-vm-insights-for-azure-monitor-agent).

-

-

-Alerts|[Create or edit a log alert rule](alerts/alerts-create-log-alert-rule.md)|Added limitations to log search alert queries.|

-Alerts|[Create or edit a log alert rule](alerts/alerts-create-log-alert-rule.md)|We've added samples of log search alert rule queries that use Azure Data Explorer and Azure Resource Graph.|

-Alerts|[Upgrade to the Log Alerts API from the legacy Log Analytics alerts API](alerts/alerts-log-api-switch.md)|Changes to the log alert rule creation experience|

-|[Upgrade legacy rules management to the current Log Alerts API from legacy Log Analytics Alert API](./alerts/alerts-log-api-switch.md)|The process of moving legacy log alert rules management from the legacy API to the current API is now supported by the government cloud.|

-| [Resource Manager template samples for log query alerts](alerts/resource-manager-alerts-log.md) | Added Bicep samples for alerting to the Resource Manager template samples articles. |

-* <a name="Ultra"></a>Ultra storage:

- The Ultra service level provides up to 128 MiB/s of throughput per 1 TiB of capacity provisioned.

-* <a name="Premium"></a>Premium storage:

- The Premium service level provides up to 64 MiB/s of throughput per 1 TiB of capacity provisioned.

-* Automatic Managed System Identity (MSI) certificate renewal isn't currently supported. It's recommended you create an Azure monitor alert to notify you when the MSI certificate is set to expire.

-* The MSI certificate has a lifetime of 90 days. It becomes eligible for renewal after 46 days. **After 90 days, the certificate is no longer be valid and the customer-managed key volumes under the NetApp account will go offline.**

- * To renew, you need to call the NetApp account operation `renewCredentials` if eligible for renewal. If it's not eligible, an error message communicates the date of eligibility.

- * Version 2.42 or later of the Azure CLI supports running the `renewCredentials` operation with the [az netappfiles account command](/cli/azure/netappfiles/account#az-netappfiles-account-renew-credentials). For example:

- `az netappfiles account renew-credentials ΓÇô-account-name myaccount -ΓÇôresource-group myresourcegroup`

- * If the account isn't eligible for MSI certificate renewal, an error message communicates the date and time when the account is eligible. It's recommended you run this operation periodically (for example, daily) to prevent the certificate from expiring and from the customer-managed key volume going offline.

-To [publish](bicep-cli.md#publish) modules to a private module registry or to [restore](bicep-cli.md#restore) external modules to the local cache, the account must have the correct permissions to access the registry. You can configure the profile and the credential precedence for authenticating to the registry. By default, Bicep uses the `AzureCloud` profile and the credentials from the user authenticated in Azure CLI or Azure PowerShell. You can customize `currentProfile` and `credentialPrecedence` in the config file.

-You can customize these profiles, or add new profiles for your on-premises environments.

-| Microsoft.ElasticSan | [Elastic SAN Preview](../../storage/elastic-san/index.yml) |

-Instead of maintaining your linked templates at an accessible endpoint, you can create a [template spec](template-specs.md) that packages the main template and its linked templates into a single entity you can deploy. The template spec is a resource in your Azure subscription. It makes it easy to securely share the template with users in your organization. You use Azure role-based access control (Azure RBAC) to grant access to the template spec. This feature is currently in preview.

-| [VMSA-2023-023](https://www.vmware.com/security/advisories/VMSA-2023-0023.html) VMware vCenter Server Out-of-Bounds Write Vulnerability (CVE-2023-34048) publicized in October 2023 | October 2023 | A risk assessment of CVE-2023-03048 was conducted and it was determined that sufficient controls are in place within Azure VMware Solution to reduce the risk of CVE-2023-03048 from a CVSS Base Score of 9.8 to an adjusted Environmental Score of [6.8](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MAC:L/MPR:H/MUI:R) or lower. Adjustments from the base score were possible due to the network isolation of the Azure VMware Solution vCenter Server (ports 2012, 2014, and 2020 are not exposed via any interactive network path) and multiple levels of authentication and authorization necassary to gain interactive access to the vCenter network segment. Microsoft is working on a plan to roll out security fixes soon to completely remediate the security vulnerability. | October 2023 |

-| VMware HCX version 4.8.0 Network Extension (NE) Appliance VMs running in High Availability (HA) mode may experience intermittent Standby to Active failover. For more information, see [HCX - NE appliances in HA mode experience intermittent failover (96352)](https://kb.vmware.com/s/article/96352) | Jan 2024 | Avoid upgrading to VMware HCX 4.8.0 if you are using NE appliances in a HA configuration. | N/A |

-Customers can start their onboarding with Azure Arc-enabled VMware vSphere, install agents at-scale, and enable Azure management, observability, and security solutions, while benefitting from the existing lifecycle management capabilities. Azure Arc-enabled VMware vSphere VMs now show up alongside other Azure Arc-enabled servers under ΓÇÿMachinesΓÇÖ view in the Azure portal. [Learn more](https://aka.ms/vSphereGAblog)

-description: Learn how to use Elastic SAN Preview with Azure VMware Solution

-This article explains how to use Azure Elastic SAN Preview as backing storage for Azure VMware Solution. [Azure VMware Solution](introduction.md) supports attaching iSCSI datastores as a persistent storage option. You can create Virtual Machine File System (VMFS) datastores with Azure Elastic SAN volumes and attach them to clusters of your choice. By using VMFS datastores backed by Azure Elastic SAN, you can expand your storage instead of scaling the clusters.

-Azure Elastic storage area network (SAN) addresses the problem of workload optimization and integration between your large scale databases and performance-intensive mission-critical applications. For more information on Azure Elastic SAN, see [What is Azure Elastic SAN? Preview](../storage/elastic-san/elastic-san-introduction.md).

-# Deploy Arc-enabled Azure VMware Solution

-In this article, learn how to deploy Arc for Azure VMware Solution. Once you set up the components needed, you're ready to execute operations in Azure VMware Solution vCenter Server from the Azure portal. Arc-enabled Azure VMware Solution allows you to do the actions:

-Running software in Azure VMware Solution, as a private cloud in Azure, offers some benefits not realized by operating your environment outside of Azure. For software running in a VM, such as SQL Server and Windows Server, running in Azure VMware Solution provides additional value such as free Extended Security Updates (ESUs).

-To take advantage of these benefits if you are running in an Azure VMware Solution it is important to enable Arc through this document to fully integrate the experience with the AVS private cloud. Alternatively, Arc-enabling VMs through the following mechanisms will not create the necessary attributes to register the VM and software as part of Azure VMware Solution and therefore result in billing for SQL Server ESUs for:

-2. Run the [az connectedvmware vm create ](/cli/azure/connectedvmware/vm#az-connectedvmware-vm-create)Azure CLI command on the VM in Azure VMware Solution to update the machine type. 

-## Registration to Arc for Azure VMware Solution feature set

-The following **Register features** are for provider registration using Azure CLI.

-```azurecli

-az provider register --namespace Microsoft.ConnectedVMwarevSphere

-az provider register --namespace Microsoft.ExtendedLocation

-az provider register --namespace Microsoft.KubernetesConfiguration

-az provider register --namespace Microsoft.ResourceConnector

-az provider register --namespace Microsoft.AVS

-```

-Alternately, users can sign in to their Subscription, navigate to the **Resource providers** tab, and register themselves on the resource providers mentioned previously.

-1. Sign in to the jumpbox VM and extract the contents from the compressed file from the following [location](https://github.com/Azure/ArcOnAVS/releases/latest). The extracted file contains the scripts to install the preview software.

- - `k8sNodeIPPoolStart`, `k8sNodeIPPoolEnd`, `gatewayIPAddress` ,`applianceControlPlaneIpAddress` are optional. You can choose to skip all the optional fields or provide values for all. If you choose not to provide the optional fields, then you must use /28 address space for `networkCIDRForApplianceVM`

-If you choose to enable the guest management as a separate step or have issues with the VM extension install steps please review the prerequisites and steps discussed in the section below.

-Before you install an extension, you need to enable guest management on the VMware VM.

-From here additional extensions can be installed. See the [VM extensions](/azure/azure-arc/servers/manage-vm-extensions?branch=main) for a list of current extensions.

-### Install extensions

-To add extensions, follow these steps:

-1. Go to **vCenter Server Inventory >** **Virtual Machines** and select the virtual machine to which you need to add an extension.

-2. Locate **Settings >** **Extensions** from the left navigation and select **Add**. Alternatively, in the **Overview** page an **Extensions** click-through is listed under Properties.

-1. Select the extension you want to install. Some extensions require additional information.

-4. When you're done, select **Review + create**.

-Arc resource bridges, on a supported [private cloud provider](/azure/azure-arc/resource-bridge/upgrade#private-cloud-providers) with an appliance version 1.0.15 or higher, are automatically opted in to [cloud-managed upgrade](/azure/azure-arc/resource-bridge/upgrade#cloud-managed-upgrade). 

-`az rest --method delete`

-> [!CAUTION]

-> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

-| Prerequisites | **Linux**: The **stress-ng** utility needs to be installed. This happens automatically as part of agent installation, using the default package manager, on Debian-based systems (including Ubuntu), Red Hat Enterprise Linux, CentOS, and OpenSUSE. For other distributions, you must install **stress-ng** manually. |

-| Prerequisites | **Linux**: The **stress-ng** utility needs to be installed. This happens automatically as part of agent installation, using the default package manager, on Debian-based systems (including Ubuntu), Red Hat Enterprise Linux, CentOS, and OpenSUSE. For other distributions, you must install **stress-ng** manually. |

-| Prerequisites | The **stress-ng** utility needs to be installed. This happens automatically as part of agent installation, using the default package manager, on Debian-based systems (including Ubuntu), Red Hat Enterprise Linux, CentOS, and OpenSUSE. For other distributions, you must install **stress-ng** manually. |

-| Prerequisites | The **stress-ng** utility needs to be installed. This happens automatically as part of agent installation, using the default package manager, on Debian-based systems (including Ubuntu), Red Hat Enterprise Linux, CentOS, and OpenSUSE. For other distributions, you must install **stress-ng** manually. |

-| Microsoft.Cache/Redis (service-direct) | Microsoft-AzureCacheForRedis | Redis Cache Contributor |

-| Microsoft.ClassicCompute/domainNames (service-direct) | Microsoft-DomainNames | Classic Virtual Machine Contributor |

-| Microsoft.Compute/virtualMachines (agent-based) | Microsoft-Agent | Reader |

-| Microsoft.Compute/virtualMachineScaleSets (agent-based) | Microsoft-Agent | Reader |

-| Microsoft.Compute/virtualMachines (service-direct) | Microsoft-VirtualMachine | Virtual Machine Contributor |

-| Microsoft.Compute/virtualMachineScaleSets (service-direct) | Microsoft-VirtualMachineScaleSet | Virtual Machine Contributor |

-| Microsoft.ContainerService/managedClusters (service-direct) | Microsoft-AzureKubernetesServiceChaosMesh | Azure Kubernetes Service Cluster Admin Role |

-| Microsoft.DocumentDb/databaseAccounts (CosmosDB, service-direct) | Microsoft-CosmosDB | Azure Cosmos DB Operator |

-| Microsoft.Insights/autoscalesettings (service-direct) | Microsoft-AutoScaleSettings | Web Plan Contributor |

-| Microsoft.KeyVault/vaults (service-direct) | Microsoft-KeyVault | Azure Key Vault Contributor |

-| Microsoft.Network/networkSecurityGroups (service-direct) | Microsoft-NetworkSecurityGroup | Network Contributor |

-| Microsoft.Web/sites (service-direct) | Microsoft-AppService | Website Contributor |

-Azure Cloud Shell is a browser-based shell experience to manage and develop Azure resources.

-Cloud Shell offers a browser-accessible, preconfigured shell experience for managing Azure

-resources without the overhead of installing, versioning, and maintaining a machine yourself.

-Cloud Shell allocates machines on a per-request basis and as a result machine state doesn't

-persist across sessions. Since Cloud Shell is built for interactive sessions, shells automatically

-terminate after 20 minutes of shell inactivity.

-edge products and services. Microsoft internally compiles all the packages included in the **Azure

-Linux** repository to help guard against supply chain attacks.

-### Secure automatic authentication

-Cloud Shell securely and automatically authenticates account access for the Azure CLI and Azure

-PowerShell.

-To persist files across sessions, Cloud Shell walks you through attaching an Azure file share on

-first launch. Once completed, Cloud Shell will automatically attach your storage (mounted as

-`$HOME\clouddrive`) for all future sessions. Additionally, your `$HOME` directory is persisted as an

-.img in your Azure File share. Files outside of `$HOME` and machine state aren't persisted across

-sessions. Learn more about [Persisting files in Cloud Shell][09].

-store and retrieve your keys. For more information, see [Manage Key Vault using the Azure CLI][02].

-filesystem navigation. You can continue to use the familiar [Azure PowerShell cmdlets][14] to manage

-these resources regardless of the drive you are in. Any changes made to the Azure resources, either

-made directly in Azure portal or through Azure PowerShell cmdlets, are reflected in the Azure drive.

-You can run `dir -Force` to refresh your resources.

-![Screenshot of an Azure Cloud Shell being initialized and a list of directory resources.][06]

-### Manage Exchange Online

-PowerShell in Cloud Shell contains the ExchangeOnlineManagement module. Run the following command to

-get a list of Exchange cmdlets.

-```powershell

-Get-Command -Module ExchangeOnlineManagement

-```

-For more information about using the ExchangeOnlineManagement module, see

-[Exchange Online PowerShell][15].

-### Preinstalled tools

-The most commonly used tools are preinstalled in Cloud Shell.

-#### Azure tools

-| Tool | Version | Command |

-| - | -- | |

-| [Azure CLI][13] | 2.55.0 | `az --version` |

-| [Azure PowerShell][14] | 11.1.0 | `Get-Module Az -ListAvailable` |

-| [AzCopy][04] | 10.15.0 | `azcopy --version` |

-| [Azure Functions CLI][01] | 4.0.5390 | `func --version` |

-| [Service Fabric CLI][03] | 11.2.0 | `sfctl --version` |

-| [Batch Shipyard][18] | 3.9.1 | `shipyard --version` |

-| [blobxfer][19] | 1.11.0 | `blobxfer --version` |

-You can verify the version of the language using the command listed in the table.

-Use the `Get-PackageVersion` to see a more complete list of tools and versions.

-#### Linux tools

-#### Text editors

-#### Source control

-#### Build tools

-#### Containers

-#### Databases

-#### Other

-### Preinstalled developer languages

-Cloud Shell comes with the following languages preinstalled:

-| Language | Version | Command |

-| - | - | |

-| .NET Core | [7.0.400][25] | `dotnet --version` |

-| Go | 1.19.11 | `go version` |

-| Java | 17.0.8 | `java --version` |

-| Node.js | 16.20.1 | `node --version` |

-| PowerShell | [7.4.0][16] | `pwsh -Version` |

-| Python | 3.9.14 | `python --version` |

-| Ruby | 3.1.4p223 | `ruby --version` |

-You can verify the version of the language using the command listed in the table.

-[01]: ../azure-functions/functions-run-local.md

-[02]: ../key-vault/general/manage-with-cli2.md#prerequisites

-[03]: ../service-fabric/service-fabric-cli.md

-[04]: ../storage/common/storage-use-azcopy-v10.md

-[05]: ./get-started.md

-[06]: ./media/features/azure-drive.png

-[09]: ./persisting-shell-storage.md

-[10]: /azure/developer/ansible/dynamic-inventory-configure

-[11]: /azure/developer/ansible/getting-started-cloud-shell

-[12]: /azure/developer/terraform/quickstart-configure

-[13]: /cli/azure/

-[14]: /powershell/azure

-[15]: /powershell/exchange/exchange-online-powershell

-[16]: /powershell/scripting/whats-new/what-s-new-in-powershell-74

-[17]: /sql/tools/sqlcmd-utility

-[18]: https://batch-shipyard.readthedocs.io/en/latest/

-[19]: https://blobxfer.readthedocs.io/en/latest/

-[20]: https://developer.hashicorp.com/packer/docs

-[21]: https://docs.chef.io/

-[22]: https://docs.cloudfoundry.org/cf-cli/

-[23]: https://docs.d2iq.com/dkp/2.6/azure-infrastructure

-[24]: https://docs.docker.com/desktop/

-[25]: https://dotnet.microsoft.com/download/dotnet/7.0

-[27]: https://github.com/microsoft/mssql-scripter/blob/dev/doc/usage_guide.md

-[28]: https://helm.sh/docs/

-[29]: https://kubernetes.io/docs/reference/kubectl/

-[30]: https://pnp.github.io/office365-cli/

-[31]: https://puppet.com/docs/bolt/latest/bolt.html

-[32]: https://www.ansible.com/microsoft-azure

-[33]: https://www.terraform.io/docs/providers/azurerm/

-| | Blind Transfer* a participant from group call to another endpoint | ✔️ | ✔️ | ✔️ | ✔️ |

-The Video Constraints API is a powerful tool that enables developers to control the video quality from within their video calls. With this API, developers can set maximum video resolutions, frame rate, and bitrate used so that the call is optimized for the user's device and network conditions. The Azure Communication Services video engine is optimized to allow the video quality to change dynamically based on devices ability and network quality. But there might be certain scenarios where you would want to have tighter control of the video quality that end users experience. For instance, there may be situations where the highest video quality is not a priority, or you may want to limit the video bandwidth usage in the application. To support those use cases, you can use the Video Constraints API to have tighter control over video quality.

-Another benefit of the Video Constraints API is that it enables developers to optimize the video call for different devices. For example, if a user is using an older device with limited processing power, developers can set constraints on the video resolution to ensure that the video call runs smoothly on that device

-Azure Communication Services Web Calling SDK supports setting the maximum video resolution, framerate, or bitrate that a client sends. The sender video constraints are supported on Desktop browsers (Chrome, Edge, Firefox) and when using iOS Safari mobile browser or Android Chrome mobile browser.

-The native Calling SDK (Android, iOS, Windows) supports setting the maximum values of video resolution and framerate for outgoing video streams and setting the maximum resolution for incoming video streams. These constraints can be set at the start of the call and during the call.

-| Web | Outgoing video: resolution, framerate, bitrate |

-| Android | Incoming video: resolution<br />Outgoing video: resolution, framerate |

-| iOS | Incoming video: resolution<br />Outgoing video: resolution, framerate |

-| Windows | Incoming video: resolution<br />Outgoing video: resolution, framerate |

-[Call recording](../../concepts/voice-video-calling/call-recording.md), lets your users record their calls made with Azure Communication Services. Here we learn how to manage recording on the client side. Before this can work, you'll need to set up [server side](../../quickstarts/voice-video-calling/call-recording-sample.md) recording.

-### Compliance Recording

-Compliance recording is Teams policy based recording that could be enabled using this tutorial: [Introduction to Teams policy-based recording for callings](/microsoftteams/teams-recording-policy).<br>

-Policy based recording will be started automatically when user with this policy will join a call. To get notification from Azure Communication Service about recording - we can use Cloud Recording section from this article.

-Compliance recording could be implemented by using custom recording bot [GitHub Example](https://github.com/microsoftgraph/microsoft-graph-comms-samples/tree/a3943bafd73ce0df780c0e1ac3428e3de13a101f/Samples/BetaSamples/LocalMediaSamples/ComplianceRecordingBot).<br>

-Only use this step if you are creating a new application.

-creates an easy to run TypeScript application powered by React. This command creates a simple react application using TypeScript.

-Then you need to update the dependency array in the `package.json` to include some packages from Azure Communication Services for the widget experience we are going to build to work:

-"@azure/communication-calling": "1.19.1-beta.2",

-"@azure/communication-chat": "1.4.0-beta.1",

-"@azure/communication-react": "1.10.0-beta.1",

-import './App.css';

-import { CommunicationIdentifier, MicrosoftTeamsAppIdentifier } from '@azure/communication-common';

-import { Spinner, Stack, initializeIcons, registerIcons, Text } from '@fluentui/react';

-import { CallAdd20Regular, Dismiss20Regular } from '@fluentui/react-icons';

-import logo from './logo.svg';

-import { CallingWidgetComponent } from './components/CallingWidgetComponent';

- const token = "<Enter your Azure Communication Services token here>";

- communicationUserId: "<Enter your Azure Communication Services ID here>",

- teamsAppId: '<Enter your teams voice app ID here>', cloud: 'public'

- }

- <Stack verticalAlign='center' style={{ height: '100%', width: '100%' }}>

- <Spinner label={'Getting user credentials from server'} ariaLive="assertive" labelPosition="top" />;

- )

- <Stack tokens={{ childrenGap: '1rem' }} style={{ margin: "auto" }}>

- Welcome to a Calling Widget sample for the Azure Communication Services UI

- Library. Sample has the ability to connect you through Teams voice apps to a agent to help you.

- <Stack horizontal tokens={{ childrenGap: '1.5rem' }} style={{ overflow: 'hidden', margin: 'auto' }}>

- style={{ height: '4rem', width: '4rem', margin: 'auto' }}

-In this snippet we register two new icons `<Dismiss20Regular/>` and `<CallAdd20Regular>`. These new icons are used inside the widget component that we are creating in the next section.

-Lets create a folder called `src/components`. In this folder make a new file called `CallingWidgetComponent.tsx`. This file should look like the following snippet:

-import { IconButton, PrimaryButton, Stack, TextField, useTheme, Checkbox, Icon } from '@fluentui/react';

-import React, { useState } from 'react';

- callingWidgetSetupContainerStyles,

- checkboxStyles,

- startCallButtonStyles,

- callingWidgetContainerStyles,

- callIconStyles,

- logoContainerStyles,

- collapseButtonStyles,

- callingWidgetInCallContainerStyles

-} from '../styles/CallingWidgetComponent.styles';

-import { AzureCommunicationTokenCredential, CommunicationIdentifier, MicrosoftTeamsAppIdentifier } from '@azure/communication-common';

- CallAdapter,

- CallComposite,

- useAzureCommunicationCallAdapter,

- AzureCommunicationCallAdapterArgs

-} from '@azure/communication-react';

-import { useCallback, useMemo } from 'react';

- token: string;

- userId: CommunicationIdentifier;

- teamsAppIdentifier: MicrosoftTeamsAppIdentifier;

- /**

- * arguments for creating an AzureCommunicationCallAdapter for your Calling experience

- */

- widgetAdapterArgs: WidgetAdapterArgs;

- /**

- * Custom render function for displaying logo.

- * @returns

- */

- onRenderLogo?: () => JSX.Element;

- props: CallingWidgetComponentProps

- const { onRenderLogo, widgetAdapterArgs } = props;

- const [widgetState, setWidgetState] = useState<'new' | 'setup' | 'inCall'>('new');

- const [displayName, setDisplayName] = useState<string>();

- const [consentToData, setConsentToData] = useState<boolean>(false);

- const [useLocalVideo, setUseLocalVideo] = useState<boolean>(false);

- const theme = useTheme();

- const credential = useMemo(() => {

- try {

- return new AzureCommunicationTokenCredential(widgetAdapterArgs.token);

- } catch {

- console.error('Failed to construct token credential');

- return undefined;

- }, [widgetAdapterArgs.token]);

- const callAdapterArgs = useMemo(() => {

- return {

- userId: widgetAdapterArgs.userId,

- credential: credential,

- locator: {participantIds: [`28:orgid:${widgetAdapterArgs.teamsAppIdentifier.teamsAppId}`]},

- displayName: displayName

- }, [widgetAdapterArgs.userId, widgetAdapterArgs.teamsAppIdentifier.teamsAppId, credential, displayName]);

- const afterCreate = useCallback(async (adapter: CallAdapter): Promise<CallAdapter> => {

- adapter.on('callEnded', () => {

- setDisplayName(undefined);

- setWidgetState('new');

- });

- return adapter;

- }, [])

- const adapter = useAzureCommunicationCallAdapter(callAdapterArgs as AzureCommunicationCallAdapterArgs, afterCreate);

- // Widget template for when widget is open, put any fields here for user information desired

- if (widgetState === 'setup' ) {

- return (

- <Stack styles={callingWidgetSetupContainerStyles(theme)} tokens={{ childrenGap: '1rem' }}>

- <IconButton

- styles={collapseButtonStyles}

- iconProps={{ iconName: 'Dismiss' }}

- onClick={() => setWidgetState('new')} />

- <Stack tokens={{ childrenGap: '1rem' }} styles={logoContainerStyles}>

- <Stack style={{ transform: 'scale(1.8)' }}>{onRenderLogo && onRenderLogo()}</Stack>

- </Stack>

- <TextField

- label={'Name'}

- required={true}

- placeholder={'Enter your name'}

- onChange={(_, newValue) => {

- setDisplayName(newValue);

- }} />

- <Checkbox

- styles={checkboxStyles(theme)}

- label={'Use video - Checking this box will enable camera controls and screen sharing'}

- onChange={(_, checked?: boolean | undefined) => {

- setUseLocalVideo(true);

- }}

- ></Checkbox>

- <Checkbox

- required={true}

- styles={checkboxStyles(theme)}

- label={'By checking this box, you are consenting that we will collect data from the call for customer support reasons'}

- onChange={(_, checked?: boolean | undefined) => {

- setConsentToData(!!checked);

- }}

- ></Checkbox>

- <PrimaryButton

- styles={startCallButtonStyles(theme)}

- onClick={() => {

- if (displayName && consentToData && adapter && widgetAdapterArgs.teamsAppIdentifier) {

- setWidgetState('inCall');

- adapter.startCall([widgetAdapterArgs.teamsAppIdentifier]);

- }

- }}

- >

- StartCall

- </PrimaryButton>

- </Stack>

- );

- }

- if (widgetState === 'inCall' && adapter) {

- return (

- <Stack styles={callingWidgetInCallContainerStyles(theme)}>

- <CallComposite

- adapter={adapter}

- options={{

- callControls: {

- cameraButton: useLocalVideo,

- screenShareButton: useLocalVideo,

- moreButton: false,

- peopleButton: false,

- displayType: 'compact'

- },

- localVideoTile: !useLocalVideo ? false : { position: 'floating' }

- }}/>

- </Stack>

- )

- <Stack

- horizontalAlign="center"

- verticalAlign="center"

- styles={callingWidgetContainerStyles(theme)}

- setWidgetState('setup');

- >

- <Stack

- horizontalAlign="center"

- verticalAlign="center"

- style={{ height: '4rem', width: '4rem', borderRadius: '50%', background: theme.palette.themePrimary }}

- >

- <Icon iconName="callAdd" styles={callIconStyles(theme)} />

- </Stack>

-We need to write some styles to make sure the widget looks appropriate and can hold our call composite. These styles should already be used in the widget if copying the snippet above.

-lets make a new folder called `src/styles` in this folder create a file called `CallingWidgetComponent.styles.ts`. The file should look like the following snippet:

-import { IButtonStyles, ICheckboxStyles, IIconStyles, IStackStyles, Theme } from '@fluentui/react';

-export const callingWidgetSetupContainerStyles = (theme: Theme): IStackStyles => {

- background: theme.palette.white

-export const callingWidgetInCallContainerStyles = (theme: Theme): IStackStyles => {

- width: '35rem',

- height: '25rem',

- padding: '0.5rem',

- right: '1rem',

- position: 'absolute',

- overflow: 'hidden',

- cursor: 'pointer',

- background: theme.semanticColors.bodyBackground

- }

- }

-}

-after you fill out your name click start call and the call should begin. The widget should look like so after starting a call:

-If you haven't had the chance, check out our documentation on Teams auto attendants and Teams call queues.

-### Disk encryption

-For example, a Standard workflow can use both managed connectors and built-in connectors for Azure Blob Storage, Azure Cosmos DB, Azure Event Hubs, Azure Service Bus, DB2, FTP, MQ, SFTP, and SQL Server. A Consumption workflow doesn't have the built-in versions. A Consumption workflow can use built-in connectors for Azure API Management, Azure App Services, and Batch, while a Standard workflow doesn't have these built-in connectors.

-| Azure API Management<br>Azure App Services <br>Azure Functions <br>Azure Logic Apps <br>Batch <br>Control <br>Data Operations <br>Date Time <br>Flat File <br>HTTP <br>Inline Code <br>Integration Account <br>Liquid <br>Request <br>Schedule <br>Variables <br>XML | AS2 (v2) <br>Azure Automation* <br>Azure Blob Storage* <br>Azure Cosmos DB* <br>Azure File Storage* <br>Azure Functions <br>Azure Queue Storage* <br>Azure Table Storage* <br>Control <br>Data Operations <br>Date Time <br>DB2* <br>Event Grid Publisher* <br>Event Hubs* <br>File System* <br>Flat File <br>FTP* <br>HTTP <br>IBM Host File* <br>Inline Code <br>JDBC* <br>Key Vault* <br>Liquid operations <br>MQ* <br>Request <br>SAP* <br>Schedule <br>Service Bus* <br>SFTP* <br>SMTP* <br>SQL Server* <br>Variables <br>Workflow operations <br>XML operations |

- [**Batch**][batch-doc]<br>(*Consumption workflow only*)

- [**Azure Logic Apps**][nested-logic-app-doc]<br>(*Consumption workflow*) <br><br>-or-<br><br>**Workflow operations**<br>(*Standard workflow*)

- :::column:::

- :::column-end:::

- [**Execute JavaScript Code**][inline-code-doc]: Add and run your own inline JavaScript *code snippets* within your workflow.

- [**Name**][scope-doc]

-<a name="integration-account-built-in"></a>

-## Integration account built-in connectors

-Integration account operations support business-to-business (B2B) communication scenarios in Azure Logic Apps. After you create an integration account and define your B2B artifacts, such as trading partners, agreements, and others, you can use integration account built-in actions to encode and decode messages, transform content, and more.

- Before you use any integration account operations in a workflow, [link your logic app resource to your integration account](../logic-apps/logic-apps-enterprise-integration-create-integration-account.md).

- While most integration account operations don't require that you link your logic app resource to your integration account, linking lets you share artifacts across multiple Standard workflows and their child workflows. Based on the integration account operation that you want to use, complete one of the following steps before you use the operation:

- [![AS2 Decode v2 icon][as2-v2-icon]][as2-doc]

- [**AS2 Decode (v2)**][as2-doc]<br>(*Standard workflow only*)

- Decode messages received using the AS2 protocol.

- [![AS2 Encode (v2) icon][as2-v2-icon]][as2-doc]

- [**AS2 Encode (v2)**][as2-doc]<br>(*Standard workflow only*)

- Encode messages sent using the AS2 protocol.

- [![Flat file decoding icon][flat-file-decode-icon]][flat-file-decode-doc]

- [**Flat file decoding**][flat-file-decode-doc]

- Encode XML before sending the content to a trading partner.

- [![Flat file encoding icon][flat-file-encode-icon]][flat-file-encode-doc]

- [**Flat file encoding**][flat-file-encode-doc]

- Decode XML after receiving the content from a trading partner.

- [![Integration account icon][integration-account-icon]][integration-account-doc]

- [**Integration Account Artifact Lookup**][integration-account-doc]<br>(*Consumption workflow only*)

- Get custom metadata for artifacts, such as trading partners, agreements, schemas, and so on, in your integration account.

- [![Liquid operations icon][liquid-icon]][json-liquid-transform-doc]

- [**Liquid operations**][json-liquid-transform-doc]

- Convert the following formats by using Liquid templates: <br><br>- JSON to JSON <br>- JSON to TEXT <br>- XML to JSON <br>- XML to TEXT

- [**XML validation**][xml-validate-doc]

-[azure-queue-storage-icon]: ./media/apis-list/azure-queues.png

-<!--Built-in integration account connector icons -->

-[flat-file-encode-icon]: ./media/apis-list/flat-file-encoding.png

-[flat-file-decode-icon]: ./media/apis-list/flat-file-decoding.png

-[event-grid-publisher-doc]: /azure/logic-apps/connectors/built-in/reference/eventgridpublisher/ "Connect to Azure Event Grid for event-based programming using pub-sub semantics"

-<!--Built-in integration account doc links-->

-[flat-file-decode-doc]:../logic-apps/logic-apps-enterprise-integration-flatfile.md "Decode XML content with a flat file schema"

-[flat-file-encode-doc]:../logic-apps/logic-apps-enterprise-integration-flatfile.md "Encode XML content with a flat file schema"

-[json-liquid-transform-doc]: ../logic-apps/logic-apps-enterprise-integration-liquid-transform.md "Transform JSON or XML content with Liquid templates"

-tags: connectors

-tags: connectors

-tags: connectors

-tags: connectors

-tags: connectors

-tags: connectors

-tags: connectors

-tags: connectors

-tags: connectors

-tags: connectors

-tags: connectors

-tags: connectors

-tags: connectors

-tags: connectors

-tags: connectors

-tags: connectors

-tags: connectors

-tags: connectors

-tags: connectors

-tags: connectors

-tags: connectors

-tags: connectors

-tags: connectors

-tags: connectors

-For a smaller number of services, systems and protocols, Azure Logic Apps provides a built-in version alongside the managed version. The number and range of built-in connectors vary based on whether you create a Consumption logic app workflow that runs in multi-tenant Azure Logic Apps or a Standard logic app workflow that runs in single-tenant Azure Logic Apps. In most cases, the built-in version provides better performance, capabilities, pricing, and so on. In a few cases, some built-in connectors are available only in one logic app workflow type, and not the other.

-For example, a Standard workflow can use both managed connectors and built-in connectors for Azure Blob, Azure Cosmos DB, Azure Event Hubs, Azure Service Bus, DB2, FTP, MQ, SFTP, and SQL Server, while a Consumption workflow doesn't have the built-in versions. A Consumption workflow can use built-in connectors for Azure API Management, Azure App Services, and Batch, while a Standard workflow doesn't have these built-in connectors. For more information, review [Built-in connectors in Azure Logic Apps](built-in.md) and [Single-tenant versus multi-tenant and integration service environment (ISE)](../logic-apps/single-tenant-overview-compare.md).

-In an integration service environment (ISE), these managed connectors also have [ISE versions](introduction.md#ise-and-connectors), which have different capabilities than their multi-tenant versions:

-[azure-queues-icon]: ./media/apis-list/azure-queues.png

-With an HTTP scaling rule, you have control over the threshold of concurrent HTTP requests that determines how your container app revision scales. [Container Apps jobs](jobs.md) don't support HTTP scaling rules.

-With a TCP scaling rule, you have control over the threshold of concurrent TCP connections that determines how your app scales. [Container Apps jobs](jobs.md) don't support TCP scaling rules.

-1. Locate the **Update method** section and change the selections to only allow **delete** and **update** operations. Also, specify the **Key columns** as a **List of columns** using the field `_{rid}` as the unique identifier.

-zoneName="privatelink.mongocluster.azure.com"

-| Authentication | API key provisioned in the Enterprise Agreement (EA) portal | Microsoft Entra authentication using user tokens or service principals. Service principals take the place of API keys. |

-The Billing account overview page might show costs that differ from costs shown in the EA portal.

-The EA portal doesn't show the Total charges column. The Power BI template app includes Adjustments, Service Overage, Charges billed separately, and Azure Marketplace service charges as Total charges.

-

-The Prepayment Usage shown in the EA portal isn't available in the Template app as part of the total charges.

-description: This article walks you though assigning permission to Cost Management data for various access scopes.

-For users with Azure Enterprise agreements, a combination of permissions granted in the Azure portal and the Enterprise (EA) portal define a user's level of access to Cost Management data. For users with other Azure account types, defining a user's level of access to Cost Management data is simpler by using Azure role-based access control (Azure RBAC). This article walks you through assigning access to Cost Management data. After the combination of permissions is assigned, the user views data in Cost Management based on their access scope and on the scope that they select in the Azure portal.

-The scope that a user selects is used throughout Cost Management to provide data consolidation and to control access to cost information. When using scopes, users don't multi-select them. Instead, they select a larger scope that child scopes roll up to and then they filter-down to what they want to view. Data consolidation is important to understand because some people shouldn't access a parent scope that child scopes roll up to.

-Cost management supports a variety of Azure account types. To view the full list of supported account types, see [Understand Cost Management data](understand-cost-mgt-data.md). The type of account determines available scopes.

-| Billing account┬╣ | [https://ea.azure.com](https://ea.azure.com/) | ΓÇó Enterprise Admin<br> ΓÇó Enrollment reader (Enterprise admin read-only) | None | All subscriptions from the enterprise agreement |

-| Department | [https://ea.azure.com](https://ea.azure.com/) | Department Admin | **DA view charges** enabled | All subscriptions belonging to an enrollment account that is linked to the department |

-| Enrollment account┬▓ | [https://ea.azure.com](https://ea.azure.com/) | Account Owner | **AO view charges** enabled | All subscriptions from the enrollment account |

-Direct enterprise administrators can assign the billing account, department, and enrollment account scope the in the [Azure portal](https://portal.azure.com/). For more information, see [Azure portal administration for direct Enterprise Agreements](../manage/direct-ea-administration.md).

-Various scopes are available after partners onboard customers to a Microsoft Customer Agreement. CSP customers can then use Cost Management features when enabled by their CSP partner. For more information, see [Get started with Cost Management for partners](get-started-partners.md).

-The department scope requires the **Department admins can view charges** (DA view charges) option set to **On**. Configure the option in either the Azure portal or the EA portal. All other scopes require the **Account owners can view charges** (AO view charges) option set to **On**.

-## Enable access to costs in the EA portal

-> [!NOTE]

-> The information in the section applies only to users that have an Enterprise Agreement with a Microsoft partner (indirect EA).

-The department scope requires the **DA view charges** option **Enabled** in the EA portal. Configure the option in either the Azure portal or the EA portal. All other scopes require the **AO view charges** option **Enabled** in the EA portal.

-To enable an option in the EA portal:

-1. Sign in to the EA portal at [https://ea.azure.com](https://ea.azure.com) with an enterprise administrator account.

-2. Select **Manage** in the left pane.

-3. For the cost management scopes that you want to provide access to, enable the charge option to **DA view charges** and/or **AO view charges**.

- 

-After the view charge options are enabled, most scopes also require Azure role-based access control (Azure RBAC) permission configuration in the Azure portal.

-Access to the billing account scope requires enterprise administrator permission in the EA portal. The enterprise administrator can view costs across the entire EA enrollment or multiple enrollments. No action is required in the Azure portal for the billing account scope.

-1. Sign in to the EA portal at [https://ea.azure.com](https://ea.azure.com) with an enterprise administrator account.

-2. Select **Manage** in the left pane.

-3. On the **Enrollment** tab, select the enrollment that you want to manage.

- 

-4. Select **+ Add Administrator**.

-5. In the Add Administrator box, select the authentication type and type the user's email address.

-6. If the user should have read-only access to cost and usage data, under **Read-only**, select **Yes**. Otherwise, select **No**.

-7. Select **Add** to create the account.

- 

-It may take up to 30 minutes before the new user can access data in Cost Management.

-Access to the department scope requires department administrator (DA view charges) access in the EA portal. The department administrator can view costs and usage data associated with a department or to multiple departments. Data for the department includes all subscriptions belonging to an enrollment account that are linked to the department. No action is required in the Azure portal.

-1. Sign in to the EA portal at [https://ea.azure.com](https://ea.azure.com) with an enterprise administrator account.

-2. Select **Manage** in the left pane.

-3. On the **Enrollment** tab, select the enrollment that you want to manage.

-4. Select the **Department** tab and then select **Add Administrator**.

-5. In the Add Department Administrator box, select the authentication type and then type the user's email address.

-6. If the user should have read-only access to cost and usage data, under **Read-only**, select **Yes**. Otherwise, select **No**.

-7. Select the departments that you want to grant department administrative permission to.

-8. Select **Add** to create the account.

- 

-

-Direct enterprise administrators can assign department administrator access in the Azure portal. For more information, see [Add a department administrator in the Azure portal](../manage/direct-ea-administration.md#add-a-department-administrator).

-Access to the enrollment account scope requires account owner (AO view charges) access in the EA portal. The account owner can view costs and usage data associated with the subscriptions created from that enrollment account. No action is required in the Azure portal.

-1. Sign in to the EA portal at [https://ea.azure.com](https://ea.azure.com) with an enterprise administrator account.

-2. Select **Manage** in the left pane.

-3. On the **Enrollment** tab, select the enrollment that you want to manage.

-4. Select the **Account** tab and then select **Add Account**.

-5. In the Add Account box, select the **Department** to associate the account to, or leave it as unassigned.

-6. Select the authentication type and type the account name.

-7. Type the user's email address and then optionally type the cost center.

-8. Select on **Add** to create the account.

- 

-After completing the steps above, the user account becomes an enrollment account in the Enterprise portal and can create subscriptions. The user can access cost and usage data for subscriptions that they create.

-Direct enterprise administrators can assign account owner access in the Azure portal. For more information, see [Add an account owner in the Azure portal](../manage/direct-ea-administration.md#add-an-account-and-account-owner).

-Access to view the management group scope requires at least the Cost Management Reader (or Reader) permission. You can configure permissions for a management group in the Azure portal. You must have at least the User Access Administrator (or Owner) permission for the management group to enable access for others. And for Azure EA accounts, you must also have enabled the **AO view charges** setting in the EA portal.

- For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

-Access to a subscription requires at least the Cost Management Reader (or Reader) permission. You can configure permissions to a subscription in the Azure portal. You must have at least the User Access Administrator (or Owner) permission for the subscription to enable access for others. And for Azure EA accounts, you must also have enabled the **AO view charges** setting in the EA portal.

- For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

-Access to a resource group requires at least the Cost Management Reader (or Reader) permission. You can configure permissions to a resource group in the Azure portal. You must have at least the User Access Administrator (or Owner) permission for the resource group to enable access for others. And for Azure EA accounts, you must also have enabled the **AO view charges** setting in the EA portal.

- For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

-Currently, Cost Management has limited support for cross-tenant authentication. In some circumstances when you try to authenticate across tenants, you may receive an **Access denied** error in cost analysis. This issue might occur if you configure Azure role-based access control (Azure RBAC) to another tenant's subscription and then try to view cost data.

-*To work around the problem*: After you configure cross-tenant Azure RBAC, wait an hour. Then, try to view costs in cost analysis or grant Cost Management access to users in both tenants.

-Department spending quota alerts notify you when department spending reaches a fixed threshold of the quota. Spending quotas are configured in the EA portal. Whenever a threshold is met it generates an email to department owners and is shown in cost alerts. For example, 50% or 75% of the quota.

-| **Azure Government** | Azure Government Enterprise | EnterpriseAgreement_2014-09-01 | MS-AZR-USGOV-0017P | May 2014┬╣ |

-| **Enterprise Agreement (EA)** | Enterprise Dev/Test | MSDNDevTest_2014-09-01 | MS-AZR-0148P | May 2014┬╣ |

-| **Enterprise Agreement (EA)** | Microsoft Azure Enterprise | EnterpriseAgreement_2014-09-01 | MS-AZR-0017P | May 2014┬╣ |

-| **Microsoft Customer Agreement** | Microsoft Azure Plan | EnterpriseAgreement_2014-09-01 | N/A | March 2019┬▓ |

-| **Microsoft Customer Agreement** | Microsoft Azure Plan for Dev/Test | MSDNDevTest_2014-09-01 | N/A | March 2019┬▓ |

-| **Microsoft Customer Agreement supported by partners** | Microsoft Azure Plan | CSP_2015-05-01, CSP_MG_2017-12-01, and CSPDEVTEST_2018-05-01⁴ | N/A | October 2019 |

-| **Microsoft Developer Network (MSDN)** | MSDN Platforms┬│ | MSDN_2014-09-01 | MS-AZR-0062P | October 2, 2018 |

-| **Pay-as-you-go** | Microsoft Cloud Partner Program | MPN_2014-09-01 | MS-AZR-0025P | October 2, 2018 |

-| **Pay-as-you-go** | Free Trial┬│ | FreeTrial_2014-09-01 | MS-AZR-0044P | October 2, 2018 |

-| **Pay-as-you-go** | Azure in Open┬│ | AzureInOpen_2014-09-01 | MS-AZR-0111P | October 2, 2018 |

-| **Pay-as-you-go** | Azure Pass┬│ | AzurePass_2014-09-01 | MS-AZR-0120P, MS-AZR-0122P - MS-AZR-0125P, MS-AZR-0128P - MS-AZR-0130P | October 2, 2018 |

-| **Visual Studio** | Visual Studio Enterprise ΓÇô MPN┬│ | MPN_2014-09-01 | MS-AZR-0029P | October 2, 2018 |

-| **Visual Studio** | Visual Studio Professional┬│ | MSDN_2014-09-01 | MS-AZR-0059P | October 2, 2018 |

-| **Visual Studio** | Visual Studio Test Professional┬│ | MSDNDevTest_2014-09-01 | MS-AZR-0060P | October 2, 2018 |

-| **Visual Studio** | Visual Studio Enterprise┬│ | MSDN_2014-09-01 | MS-AZR-0063P | October 2, 2018 |

-_┬╣ For data before May 2014, visit the [Azure Enterprise portal](https://ea.azure.com)._

-_┬▓ Microsoft Customer Agreements started in March 2019 and don't have any historical data before this point._

-_┬│ Historical data for credit-based and pay-in-advance subscriptions might not match your invoice. See the following [Historical data might not match invoice](#historical-data-might-not-match-invoice) section._

-_⁴ Quota IDs are the same across Microsoft Customer Agreement and classic subscription offers. Classic CSP subscriptions aren't supported._

-| **Pay-as-you-go** | Azure for Students┬│ | AzureForStudents_2018-01-01 | MS-AZR-0170P |

-| Azure service usage (including deleted resources)⁵ | Unbilled services (for example, free tier resources) |

-| Marketplace offering usage⁶ | Support charges - For more information, see [Invoice terms explained](../understand/understand-invoice.md). |

-| Marketplace purchases⁶ | Taxes - For more information, see [Invoice terms explained](../understand/understand-invoice.md). |

-| Reservation purchases⁷ | Credits - For more information, see [Invoice terms explained](../understand/understand-invoice.md). |

-| Amortization of reservation purchases⁷ | |

-| New Commerce non-Azure products (Microsoft 365 and Dynamics 365) ⁸ | |

-_⁵ Azure service usage is based on reservation and negotiated prices._

-_⁶ Marketplace purchases aren't available for MSDN and Visual Studio offers at this time._

-_⁷ Reservation purchases are only available for Enterprise Agreement (EA) and Microsoft Customer Agreement accounts at this time._

-_⁸ Only available for specific offers._

-You can manage your Enterprise Agreement (EA) enrollment in the [Azure Enterprise portal](https://ea.azure.com/). Direct Enterprise customer can now manage Enterprise Agreement (EA) enrollment in [Azure portal](https://portal.azure.com/).

-You can create different roles to manage your organization, view costs, and create subscriptions. This article helps you automate some of those tasks by using Azure PowerShell and REST APIs with Microsoft Entra ID service principals.

- The billing account name is the same parameter that you used in the API parameters. It's the enrollment ID that you see in the EA portal and Azure portal.

- The billing account name is the same parameter that you used in the API parameters. It's the enrollment ID that you see in the EA portal and Azure portal.

- The billing account name is the same parameter that you used in the API parameters. It's the enrollment ID that you see in the EA portal and the Azure portal.

-Service princnipal role assignments are not visible in the Azure portal. You can view enrollment account role assignments, including the subscription creator role, with the [Billing Role Assignments - List By Enrollment Account - REST API (Azure Billing)](/rest/api/billing/2019-10-01-preview/billing-role-assignments/list-by-enrollment-account) API. Use the API to verify that the role assignment was successful.

-Learn more about [Azure EA portal administration](ea-portal-administration.md).

-If you're an Enterprise Agreement (EA) customer, your enterprise administrator can transfer billing ownership of your subscriptions between accounts. For more information, [Change Azure subscription or account ownership](ea-portal-administration.md#change-azure-subscription-or-account-ownership).

-This article explains the common tasks that an Enterprise Agreement (EA) administrator accomplishes in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_GTM/ModernBillingMenuBlade/AllBillingScopes). A direct enterprise agreement is signed between Microsoft and an enterprise agreement customer. Conversely, an indirect EA is one where a customer signs an agreement with a Microsoft partner. This article is applicable for both direct and indirect EA customers.

-> On November 15, 2023, the Azure Enterprise portal is retiring for EA enrollments in the Commercial cloud and is becoming read-only for EA enrollments in the Azure Government cloud.

-> Customers and Partners should use Cost Management + Billing in the Azure portal to manage their enrollments. For more information about enrollment management in the Azure portal, see [Get started with EA billing in the Azure portal](ea-direct-portal-get-started.md).

->

-> Since August 14, 2023, EA customers is not be able to manage their Azure Government EA enrollments from the [Azure portal](https://portal.azure.com). Instead, they can manage it from the Azure Government portal at [https://portal.azure.us](https://portal.azure.us). The functionality mentioned in this article is same as the Azure Government portal.

-> - Any new EA administrator account created using the CICR process is assigned read-only permissions to the enrollment in the EA portal and Azure portal. To elevate access, create an [Azure support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest).

-> [!NOTE]

->On February 15, 2024, the Azure Enterprise portal is retiring for EA enrollments in the Azure Government cloud. The Azure Enterprise portal is already retired for EA enrollments in the commercial cloud. Customers and Partners should use Cost Management + Billing in the Azure portal to manage their enrollments. For more information about enrollment management in the Azure portal, see [Get started with EA billing in the Azure portal](ea-direct-portal-get-started.md).

->

-If you're an Azure customer with a direct Enterprise Agreement (EA customer), you can download your organization's invoices using the information at [Download or view your Azure billing invoice](direct-ea-azure-usage-charges-invoices.md#download-or-view-your-azure-billing-invoice). For indirect EA customers, see [Azure Enterprise enrollment invoices](ea-portal-enrollment-invoices.md).

-description: Describes how EA customers can use Azure Marketplace

-For direct customers, Azure Marketplace charges are visible on the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_GTM/ModernBillingMenuBlade/BillingAccounts). Azure Marketplace purchases and consumption are billed outside of Azure Prepayment on a quarterly or monthly cadence and in arrears. See [Manage Azure Marketplace on Azure portal](direct-ea-administration.md#enable-azure-marketplace-purchases).

-Indirect customers can find their Azure Marketplace subscriptions on the **Manage Subscriptions** page of the Azure Enterprise portal, but pricing will be hidden. Customers should contact their Licensing Solutions Provider (LSP) for information on Azure Marketplace charges.

-New monthly or annually recurring Azure Marketplace purchases are billed in full during the period when Azure Marketplace items are purchased. These items will autorenew in the following period on the same day of the original purchase.

-Existing, monthly recurring charges will continue to renew on the first of each calendar month. Annual charges will renew on the anniversary of the purchase date.

-### Partners

-> [!NOTE]

-> The Azure Marketplace price list feature in the EA portal is retired. Currently, EA customers can't get a Marketplace price sheet.

-Enterprise administrators can disable or enable Azure Marketplace purchases for all Azure subscriptions under their enrollment. If the enterprise administrator disables purchases, and there are Azure subscriptions that already have Azure Marketplace subscriptions, those Azure Marketplace subscriptions won't be canceled or affected.

-Although customers can convert their direct Azure subscriptions to Azure EA by associating them to their enrollment in the Azure Enterprise portal, this action doesn't automatically convert the child subscriptions.

-To enable Azure Marketplace purchases on Azure Enterprise Portal:

-1. Sign in to the Azure Enterprise portal as an enterprise administrator.

-1. Go to **Manage**.

-1. Under **Enrollment Detail**, select the pencil icon next to the **Azure Marketplace** line item.

-1. Toggle **Enabled/Disabled** or Free **BYOL SKUs Only** as appropriate.

-1. Select **Save**.

-Direct customer can enable Azure Marketplace purchase in Azure portal:

-The following services are billed hourly under an Enterprise Agreement instead of the monthly rate in MOSP:

-> [!NOTE]

-> The Azure Enterprise portal (EA portal) is getting deprecated. We recommend that EA customers and partners use Cost Management + Billing in the Azure portal to manage their enrollment and billing instead of using the EA portal. For more information about enrollment management in the Azure portal or Azure Government portal, see [Get started with EA billing in the Azure portal](ea-direct-portal-get-started.md).

->

-> - The EA portal is retiring on November 15, 2023, for EA enrollments in the Azure commercial cloud.

-> - Starting November 15, 2023, indirect EA customers and partners wonΓÇÖt be able to manage their Azure Government EA enrollment in the EA portal. Instead, they must use the Azure Government portal.

-> - The Azure Government portal is accessed only with Azure Government credentials. For more information, see [Access your EA billing account in the Azure Government portal](../../azure-government/documentation-government-how-to-access-enterprise-agreement-billing-account.md).

-For explanations about the common tasks that a partner EA administrator accomplishes in the Azure EA portal, see [Azure EA portal administration for partners](ea-partner-portal-administration.md).

-description: Describes portal administration topics pertaining to Partners

-# Azure EA portal administration for partners

-This article explains the common tasks that a partner EA administrator accomplishes in the Azure EA portal (https://ea.azure.com).

-## Manage partner administrators

-Each partner administrator within the Azure EA Portal has the ability to add or remove other partner administrators. Partner administrators are associated to the partner organizations of indirect enrollments and aren't associated directly to the enrollments.

-### Add a partner administrator

-To view a list of all enrollments that are associated to the same partner organization as the current user, select the **Enrollment** tab and select a desired enrollment box.

-1. Sign in as a partner administrator.

-1. Select **Manage** on the left navigation.

-1. Select the **Partner** tab.

-1. Select **+ Add Administrator** and fill in the email address, notification contact, and notification details.

-1. Select **Add**.

-### Remove a partner administrator

-To view a list of all enrollments that are associated to the same partner organization as the current user, select the **Enrollment** tab and select a desired enrollment box.

-1. Sign in as a partner administrator.

-1. Select **Manage** on the left navigation.

-1. Select the **Partner** tab.

-1. Under the Administrator section, select the appropriate row for the administrator you wish to remove.

-1. Select the X symbol on the right.

-1. Confirm that you want to delete.

-## Manage partner notifications

-Partner Administrators can manage the frequency that they receive usage notifications for their enrollments. They automatically receive weekly notifications of their unbilled balance. They can change the frequency of individual notifications to monthly, weekly, daily, or turn them off completely.

-If a notification isn't received by a user, verify that the user's notification settings are correct with the following steps.

-1. Sign in to the Azure EA portal as a Partner Administrator.

-2. Select **Manage** and then select the **Partner** tab.

-3. View the list of administrators under the Administrator section.

-4. To edit notification preferences, hover over the appropriate administrator and select the pencil symbol.

-5. Increase the notification frequency and lifecycle notifications as needed.

-6. Add a contact if needed and select **Add**.

-7. Select **Save**.

-

-## View enrollments for partner administrators

-Partner administrators can see a list view of all their direct and indirect enrollments in the Azure EA Portal. Boxes containing an overview of every enrollment will be displayed with the enrollment number, enrollment name, balance, and overage amounts.

-### View a List of Enrollments

-1. Sign in as a partner administrator.

-1. Select **Manage** on the navigation on the left side of the page.

-1. Select the **Enrollment** tab.

-1. Select the box for the enrollment.

-A view of all enrollments remains at the top of the page, with boxes for each enrollment. Additionally, you can navigate between enrollments by selecting the current enrollment number on the navigation on the left side of the page. A pop out will appear allowing you to search enrollments or select a different enrollment by selecting the appropriate box.

-## Next steps

-description: This article explains the common tasks that an administrator accomplishes in the Azure EA portal.

-# Azure EA portal administration

-This article explains the common tasks that an administrator accomplishes in the Azure EA portal (https://ea.azure.com). The Azure EA portal is an online management portal that helps customers manage the cost of their Azure EA services. For introductory information about the Azure EA portal, see the [Get started with the Azure EA portal](ea-portal-get-started.md) article.

-> [!NOTE]

-> On February 15, 2024, the Azure Enterprise portal is retiring for EA enrollments in the Azure Government cloud. The Azure Enterprise portal is already retired for EA enrollments in the commercial cloud.

-> Customers and Partners should use Cost Management + Billing in the Azure portal to manage their enrollments. For more information about enrollment management in the Azure portal, see [Get started with EA billing in the Azure portal](ea-direct-portal-get-started.md).

-## Activate your enrollment

-To activate your enrollment, the initial enterprise administrator signs in to the [Azure Enterprise portal](https://ea.azure.com) using their work, school, or Microsoft account.

-If you've been set up as the enterprise administrator, you don't need to receive the activation email. Go to [Azure Enterprise portal](https://ea.azure.com) and sign in with your work, school, or Microsoft account email address and password.

-If you have more than one enrollment, choose one to activate. By default, only active enrollments are shown. To view enrollment history, clear the **Active** option in the top right of the Azure Enterprise portal.

-Under **Enrollment**, the status shows **Active**.

-

-Only existing Azure enterprise administrators can create other enterprise administrators.

-### Create another enterprise administrator

-Use one of the following options, based on your situation.

-#### If you're already an enterprise administrator

-1. Sign in to the [Azure Enterprise portal](https://ea.azure.com).

-1. Go to **Manage** > **Enrollment Detail**.

-1. Select **+ Add Administrator** at the top right.

-Make sure that you have the user's email address and preferred authentication method, such as a work, school, or Microsoft account.

-#### If you're not an enterprise administrator

-If you're not an enterprise administrator, contact an enterprise administrator to request that they add you to an enrollment. The enterprise administrator uses the preceding steps to add you as an enterprise administrator. After you're added to an enrollment, you receive an activation email. After the account is registered, it's activated in about 5 to 10 minutes.

-#### If your enterprise administrator can't help you

-If your enterprise administrator can't assist you, create an [Azure support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest). Provide the following information:

->[!NOTE]

-> - We recommend that you have at least one active Enterprise Administrator at all times. If no active Enterprise Administrator is available, contact your partner to change the contact information on the Volume License agreement. Your partner can make changes to the customer contact information by using the Contact Information Change Request (CICR) process available in the eAgreements (VLCM) tool.

-> - Any new EA administrator account created using the CICR process is assigned read-only permissions to the enrollment in the EA portal and Azure portal. To elevate access, create an [Azure support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest).

-## Create an Azure Enterprise department

-Enterprise administrators and department administrators use departments to organize and report on enterprise Azure services and usage by department and cost center. The enterprise administrator can:

-A department administrator can add new accounts to their departments. They can remove accounts from their departments, but not from the enrollment.

-To add a department:

-1. Sign in to the Azure Enterprise portal.

-1. In the left pane, select **Manage**.

-1. Select the **Department** tab, then select **+ Add Department**.

-1. Enter the information.

- The department name is the only required field. It must be at least three characters.

-1. When complete, select **Add**.

-## Add a department administrator

-After a department is created, the enterprise administrator can add department administrators and associate each one to a department. Department administrators can perform the following actions for their departments:

-> ┬╣ An enterprise administrator must grant these permissions. If you were given permission to view department monthly usage and charges, but can't see them, contact your partner.

-### To add a department administrator

-As an enterprise administrator:

-1. Sign in to the Azure Enterprise portal.

-1. In the left pane, select **Manage**.

-1. Select the **Department** tab and then select the department.

-1. Select **+ Add Administrator** and add the required information.

-1. For read-only access, set the **Read-Only** option to **Yes** and then select **Add**.

-

-### To set read-only access

-You can grant read-only access to department administrators.

- 1. Select a department, and then select the pencil symbol next to the **Department Administrator** that you want to edit.

- 1. Set the read-only open to **Yes**, and then select **Save**.

-Enterprise administrators automatically get department administrator permissions.

-## Add an account

-The structure of accounts and subscriptions impact how they're administered and how they appear on your invoices and reports. Examples of typical organizational structures include business divisions, functional teams, and geographic locations.

-To add an account:

-1. In the Azure Enterprise portal, select **Manage** in the left navigation area and then select an enrollment.

-1. Select the **Account** tab. On the **Account** page, select **+Add Account**.

-1. Select a department, or leave it as unassigned, and then select the desired authentication type.

-1. Enter a friendly name to identify the account in reporting.

-1. Enter the **Account Owner Email** address to associate with the new account.

-1. Confirm the email address and then select **Add**.

-

-To add another account, select **Add Another Account**, or select **Add** at the bottom-right corner of the left toolbar.

-To confirm account ownership:

-1. Sign in to the Azure Enterprise portal.

-1. View the status.

- The status changes from **Pending** to **Active**. When Active, dates shown under the **Start/End Date** column are the start and end dates of the agreement.

-1. When the **Warning** message pops up, the account owner needs to select **Continue** to activate the account the first time they sign in to the Azure Enterprise portal.

-<a name='add-an-account-from-another-azure-ad-tenant'></a>

-## Add an account from another Microsoft Entra tenant

-By default, an enrollment is associated with a specific Microsoft Entra tenant. Only accounts from that tenant are allowed to be used to establish an Azure enrollment account. However, you change the behavior to allow an account to get linked from any Microsoft Entra tenant.

-To add an account from any tenant:

-1. In the Azure Enterprise portal, select **Manage** in the left navigation area.

-1. Select the appropriate enrollment. Note the current setting for **Auth level**, if you want to restore the setting later.

-1. If not already configured, change the Auth level to **Work and School Account Cross Tenant**.

-1. Add the account using the Microsoft Entra sign-in information, as described in the previous section.

-1. Return the **Auth level** to its previous setting, or set it as **Work and School Account**.

-1. Sign in to the EA portal to verify that you can view the appropriate subscription offers so that you can then add subscriptions in the Azure portal.

-## Change Azure subscription or account ownership

-This section only applies when a subscription owner is being changed. Changing a subscription ownership doesn't require an Azure support ticket. Enterprise administrators can use the Azure Enterprise portal to transfer account ownership of selected or all subscriptions in an enrollment. They also have the option to change the subscription directory (tenant).

-However, an EA admin can't transfer an account from one enrollment to another enrollment. To transfer an account from one enrollment to another, a support request is required. For information about transferring an account from one enrollment to another enrollment, see [Transfer an enterprise account to a new enrollment](ea-transfers.md#transfer-an-enterprise-account-to-a-new-enrollment).

-Pay-as-you-go subscription administrators can also transfer account ownership of their subscriptions to an EA enrollment using this same process.

-When you complete a subscription or account ownership transfer, Microsoft updates the account owner.

-Before performing the ownership transfer, understand these Azure role-based access control (Azure RBAC) policies:

- :::image type="content" source="./media/ea-portal-administration/unselected-checkbox-move-subscriptions-to-recipients-tenant.png" alt-text="Image showing unselected checkbox for moving subscriptions to Microsoft Entra tenant" lightbox="./media/ea-portal-administration/unselected-checkbox-move-subscriptions-to-recipients-tenant.png" :::

-Before changing an account owner:

-1. In the Azure Enterprise portal, view the **Account** tab and identify the source account. The source account must be active.

-1. Identify the destination account and make sure it's active.

-To transfer account ownership for all subscriptions:

-1. Sign in to the Azure Enterprise portal.

-1. In the left navigation area, select **Manage**.

-1. Select the **Account** tab and hover over an account.

-1. Select the change account owner icon on the right. The icon resembles a person.

- 

-1. Choose the destination account to transfer to and then select **Next**.

-1. If you want to transfer the account ownership across Microsoft Entra tenants, select the **Move the subscriptions to the recipient's Microsoft Entra tenant** checkbox.

- :::image type="content" source="./media/ea-portal-administration/selected-checkbox-move-subscriptions-to-recipients-tenant.png" alt-text="Image showing selected checkbox for moving subscriptions to Microsoft Entra tenant" lightbox="./media/ea-portal-administration/selected-checkbox-move-subscriptions-to-recipients-tenant.png" :::

-1. Confirm the transfer and select **Submit**.

-To transfer account ownership for a single subscription:

-1. Sign in to the Azure Enterprise portal.

-1. In the left navigation area, select **Manage**.

-1. Select the **Account** tab and hover over an account.

-1. Select the transfer subscriptions icon on the right. The icon resembles a page.

- 

-1. Choose the destination account to transfer the subscription and then select **Next**.

-1. If you want to transfer the subscription ownership across Microsoft Entra tenants, select the **Move the subscriptions to the recipient's Microsoft Entra tenant** checkbox.

- :::image type="content" source="./media/ea-portal-administration/selected-checkbox-move-subscriptions-to-recipients-tenant.png" alt-text="Image showing selected checkbox for moving subscriptions to Microsoft Entra tenant" lightbox="./media/ea-portal-administration/selected-checkbox-move-subscriptions-to-recipients-tenant.png" :::

-1. Confirm the transfer and then select **Submit**.

-## Associate an account to a department

-Enterprise Administrators can associate existing accounts to Departments under the enrollment.

-### To associate an account to a department

-1. Sign in to the Azure EA Portal as an enterprise administrator.

-1. Select **Manage** on the left navigation.

-1. Select **Account**.

-1. Hover over the row with the account and select the pencil icon on the right.

-1. Select the department from the drop-down menu.

-1. Select **Save**.

-## Associate an existing account with your Pay-As-You-Go subscription

-If you already have an existing Microsoft Azure account on the Azure portal, enter the associated school, work, or Microsoft account in order to associate it with your Enterprise Agreement enrollment.

-### Associate an existing account

-1. In the Azure Enterprise portal, select **Manage**.

-1. Select the **Account** tab.

-1. Select **+Add an account**.

-1. Enter the work, school, or Microsoft account associated with the existing Azure account.

-1. Confirm the account associated with the existing Azure account.

-1. Provide a name you would like to use to identify this account in reporting.

-1. Select **Add**.

-1. To add an additional account, you can select the **+Add an Account** option again or return to the homepage by selecting the **Admin** button.

-1. If you view the **Account** page, the newly added account will appear in a **Pending** status.

-### Confirm account ownership

-1. Sign into the email account associated with the work, school, or Microsoft account you provided.

-1. Open the email notification titled _"Invitation to Activate your Account on the Microsoft Azure Service from Microsoft Volume Licensing"_.

-1. Select the **Log into the Microsoft Azure Enterprise Portal** link in the invitation.

-1. Select **Sign in**.

-1. Enter your work, school, or Microsoft account and password to sign in and confirm account ownership.

-### Azure Marketplace

-Although most subscriptions can convert from the Pay-as-You-Go environment to Azure Enterprise Agreement, Azure Marketplace services do not. In order to have a single view of all subscriptions and charges, we recommend you add the Azure Marketplace services to the Azure Enterprise portal.

-1. Sign in to the Azure Enterprise portal.

-1. Select **Manage** on the left navigation.

-1. Select the **EnrollmentTab**.

-1. View the **Enrollment Detail** section.

-1. To the right of the Azure Marketplace field, select the pencil icon to enable it. Select **Save**.

-The account owner can now purchase any Azure Marketplace services that were previously owned in the Pay-As-You-Go subscription.

-After the new Azure Marketplace subscriptions are activated under your Azure EA enrollment, cancel the Azure Marketplace services that were created in the Pay-As-You-Go environment. This step is critical so that your Azure Marketplace subscriptions do not fall into a bad state when your Pay-As-You-Go payment instrument expires.

-### MSDN

-MSDN subscriptions are automatically converted to MSDN Dev/Test and the Azure EA offer will lose any existing monetary credit.

-### Azure in Open

-If you associate an Azure in Open subscription with an Enterprise Agreement, you forfeit any unconsumed Azure in Open credits. Thus, we recommended that you consume all credit on an Azure in Open subscription before you add the account to your Enterprise Agreement.

-### Accounts with support subscriptions

-If your Enterprise Agreement doesn't have a support subscription and you add an existing account with a support subscription to the Azure Enterprise portal, your MOSA support subscription won't automatically transfer. You'll need to repurchase a support subscription in Azure EA during the grace period - by the end of the subsequent month.

-## Department spending quotas

-EA customers can set or change spending quotas for each department under an enrollment. The spending quota amount is set for the current Prepayment term. At the end of the current Prepayment term, the system will extend the existing spending quota to the next Prepayment term unless the values are updated.

-The department administrator can view the spending quota but only the enterprise administrator can update the quota amount. The enterprise administrator and the department administrator and will receive notifications once quota has reached 50%, 75%, 90%, and 100%.

-### Enterprise administrator to set the quota:

- 1. Open the Azure EA Portal.

- 1. Select **Manage** on the left navigation.

- 1. Select the **Department** Tab.

- 1. Select the Department.

- 1. Select the pencil symbol on the Department Details section, or select the **+ Add Department** symbol to add a spending quota along with a new department.

- 1. Under Department Details, enter a spending quota amount in the enrollment's currency in the Spending Quota $ box (must be greater than 0).

- - The Department Name and Cost Center can also be edited at this time.

- 1. Select **Save**.

-The department spending quota will now be visible in the Department List view under the Department tab. At the end of the current Prepayment, the Azure EA Portal will maintain the spending quotas for the next Prepayment term.

-The department quota amount is independent of the current Azure Prepayment, and the quota amount and alerts apply only to first party usage. The department spending quota is for informational purposes only and doesn't enforce spending limits.

-### Department administrator to view the quota:

-1. Open the Azure EA Portal.

-1. Select **Manage** on the left navigation.

-1. Select the **Department** tab and view the Department List view with spending quotas.

-If you're an indirect customer, cost features must be enabled by your channel partner.

-## Enterprise user roles

-The Azure EA portal helps you to administer your Azure EA costs and usage. There are three main roles in the Azure EA portal:

-Each role has a different level of access and authority.

-For more information about user roles, see [Enterprise user roles](./understand-ea-roles.md#enterprise-user-roles).

-## Add an Azure EA account

-The Azure EA account is an organizational unit in the Azure EA portal. It's used to administer subscriptions and it's also used for reporting. To access and use Azure services, you need to create an account or have one created for you.

-For more information about Azure accounts, see [Add an account](#add-an-account).

-## Enterprise Dev/Test Offer

-As an Azure enterprise administrator, you can enable account owners in your organization to create subscriptions based on the EA Dev/Test offer. To do so, select the Dev/Test box for the account owner in the Azure EA Portal.

-Once you've checked the Dev/Test box, let the account owner know so that they can set up the EA Dev/Test subscriptions needed for their teams of Dev/Test subscribers.

-The offer enables active Visual Studio subscribers to run development and testing workloads on Azure at special Dev/Test rates. It provides access to the full gallery of Dev/Test images including Windows 8.1 and Windows 10.

-### To set up the Enterprise Dev/Test offer:

-1. Sign in as the enterprise administrator.

-1. Select **Manage** on the left navigation.

-1. Select the **Account** tab.

-1. Select the row for the account where you would like to enable Dev/Test access.

-1. Select the pencil symbol to the right of the row.

-1. Select the Dev/Test checkbox.

-1. Select **Save**.

-When a user is added as an account owner through the Azure EA Portal, any Azure subscriptions associated with the account owner that are based on either the PAYG Dev/Test offer or the monthly credit offers for Visual Studio subscribers will be converted to the EA Dev/Test offer. Subscriptions based on other offer types, such as PAYG, associated with the Account Owner will be converted to Microsoft Azure Enterprise offers.

-The Dev/Test Offer isn't applicable to Azure Gov customers at this time.

-## Create a subscription

-Account owners can view and manage subscriptions. You can use subscriptions to give teams in your organization access to development environments and projects. For example: test, production, development, and staging.

-When you create different subscriptions for each application environment, you help secure each environment.

-### Add a subscription

-Use the following information to add a subscription.

-The first time you add a subscription to your account, you're asked to accept the Microsoft Online Subscription Agreement (MOSA) and a rate plan. Although they aren't applicable to Enterprise Agreement customers, the MOSA and the rate plan are required to create your subscription. Your Microsoft Azure Enterprise Agreement Enrollment Amendment supersedes the above items and your contractual relationship doesn't change. When prompted, select the box that indicates you accept the terms.

-_Microsoft Azure Enterprise_ is the default name when a subscription is created. You can change the name to differentiate it from the other subscriptions in your enrollment, and to ensure that it's recognizable in reports at the enterprise level.

-To add a subscription:

-1. In the Azure Enterprise portal, sign in to the account.

-1. Select the **Admin** tab and then select **Subscription** at the top of the page.

-1. Verify that you're signed in as the account owner of the account.

-1. Select **+Add Subscription** and then select **Purchase**.

- The first time you add a subscription to an account, you must provide your contact information. When you add additional subscriptions, your contact information is added for you.

-1. Select **Subscriptions** and then select the subscription you created.

-1. Select **Edit Subscription Details**.

-1. Edit the **Subscription Name** and the **Service Administrator** and then select the check mark.

- The subscription name appears on reports. It's the name of the project associated with the subscription in the development portal.

-New subscriptions can take up to 24 hours to appear in the subscriptions list. After you've created a subscription, you can:

-## Delete subscription

-To delete a subscription where you're the account owner:

-1. Sign in to the Azure portal with the credentials associated to your account.

-1. On the Hub menu, select **Subscriptions**.

-1. In the subscriptions tab in the upper left corner of the page, select the subscription you want to cancel and select **Cancel Sub** to launch the cancel tab.

-1. Enter the subscription name and choose a cancellation reason and select the **Cancel Sub** button.

-Only account administrators can cancel subscriptions.

-For more information, see [What happens after I cancel my subscription?](cancel-azure-subscription.md#what-happens-after-subscription-cancellation).

-## Delete an account

-Account removal can only be completed for active accounts with no active subscriptions.

-1. In the Enterprise portal, select **Manage** on the left navigation.

-1. Select the **Account** tab.

-1. From the Accounts table, select the Account you would like to delete.

-1. Select the X symbol at the right of the Account row.

-1. Once there are no active subscriptions under the account, select **Yes** under the Account row to confirm the Account removal.

-## Update notification settings

-Enterprise Administrators are automatically enrolled to receive usage notifications associated to their enrollment. Each Enterprise Administrator can change the interval of the individual notifications or can turn them off completely.

-Notification contacts are shown in the Azure EA portal in the **Notification Contact** section. Managing your notification contacts makes sure that the right people in your organization get Azure EA notifications.

-To View current notifications settings:

-1. In the Azure EA portal, navigate to **Manage** > **Notification Contact**.

-2. Email Address ΓÇô The email address associated with the Enterprise Administrator's Microsoft Account, Work, or School Account that receives the notifications.

-3. Unbilled Balance Notification Frequency ΓÇô The frequency that notifications are set to send to each individual Enterprise Administrator.

-To add a contact:

-1. Select **+Add Contact**.

-2. Enter the email address and then confirm it.

-3. Select **Save**.

-The new notification contact is displayed in the **Notification Contact** section. To change the notification frequency, select the notification contact and select the pencil symbol to the right of the selected row. Set the frequency to **daily**, **weekly**, **monthly**, or **none**.

-You can suppress _approaching coverage period end date_ and _disable and de-provision date approaching_ lifecycle notifications. Disabling lifecycle notifications suppresses notifications about the coverage period and agreement end date.

-## Azure sponsorship offer

-The Azure sponsorship offer is a limited sponsored Microsoft Azure account. It's available by e-mail invitation only to limited customers selected by Microsoft. If you're entitled to the Microsoft Azure sponsorship offer, you'll receive an e-mail invitation to your account ID.

-If you need assistance, create aΓÇ»[support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview) in the Azure portal.

-## Conversion to work or school account authentication

-Azure Enterprise users can convert from a Microsoft Account (MSA or Live ID) to a Work or School Account (which uses Microsoft Entra ID) authentication type.

-To begin:

-1. Add the work or school account to the Azure EA Portal in the role(s) needed.

-1. If you get errors, the account may not be valid in Microsoft Entra ID. Azure uses User Principal Name (UPN), which isn't always identical to the email address.

-1. Authenticate to the Azure EA portal using the work or school account.

-### To convert subscriptions from Microsoft accounts to work or school accounts:

-1. Sign in to the management portal using the Microsoft account that owns the subscriptions.

-1. Use account ownership transfer to move to the new account.

-1. Now the Microsoft account should be free from any active subscriptions and can be deleted.

-1. Any deleted account will remain in view in the portal in an inactive status for historic billing reasons. You can filter it out of the view by selecting a check box to show only active accounts.

-## Azure EA term glossary

-### Enrollment statuses

- Before the Azure EA enrollment reaches the Enterprise Agreement end date, the enrollment administrator should decide which of the following options to take:

- - Renew the enrollment by adding additional Azure Prepayment.

- - Transfer to a new enrollment.

- - Migrate to the Microsoft Online Subscription Program (MOSP).

- - Confirm disablement of all services associated with the enrollment.

- >[!NOTE]

- > Enrollments don't automatically transfer if a new enrollment number is generated at renewal. You must include your prior enrollment number in your renewal paperwork to facilitate an automatic transfer.

-## Next steps

-description: This article explains how Azure EA agreements and amendments affect your Azure EA portal use.

-You can add price markup in the Azure Enterprise portal with the following steps:

-#### First step - Add price markup

-1. In the Enterprise Portal, select **Reports** in the left navigation menu.

-1. Under _Usage Summary_, select the blue **Markup** link.

-1. Enter the markup percentage (between 0 to 100) and select **Preview**.

-#### Second step - Review and validate

-Review the markup price in the _Usage Summary_ for the Prepayment term in the customer view. The Microsoft price is still available in the partner view. The views can be toggled using the partner markup **People** toggle at the top right.

-1. Review the prices in the price sheet.

-1. Changes can be made before publishing by selecting **Edit** on _View Usage Summary > Customer View_ tab.

-Both the service prices and the Prepayment balances get marked up by the same percentages. If you have different percentages for monetary balance and meter rates, or different percentages for different services, then don't use this feature.

-#### Third step - Publish

-After pricing is reviewed and validated, select **Publish**.

-Pricing with markup is available to enterprise administrators immediately after selecting publish. Edits can't be made to markup. You must disable markup and begin from the first step.

-To check markup status of an enrollment on Azure portal, follow the below steps:

-### How can I as partner apply markup to existing EA customer(s) that was earlier with another partner?

-Partners can use the markup feature (on Azure EA portal or Azure portal) after a Change of Channel Partner is processed; there's no need to wait for the next anniversary term.

-Enterprise Administrators can assign Account Owners to prepare previously purchased Plan SKUs in the Enterprise portal by following these steps:

-### View the price sheet to check included quantity

-1. Sign in as an Enterprise Administrator.

-1. Select **Reports** on the left navigation.

-1. Select the **Price Sheet** tab.

-1. Select the **Download** symbol in the top-right corner of the page.

-1. Find the corresponding Plan SKU part numbers with filter on column **Included Quantity** and select values greater than 0 (zero).

-EA customer can view price sheet in Azure portal. See [view price sheet in Azure portal](ea-pricing.md#download-pricing-for-an-enterprise-agreement).

-### Existing/New account owners to create new subscriptions

-**Step One: Sign in to account**

-1. From the Azure EA Portal, select the **Manage** tab and navigate to **Subscription** on the top menu.

-1. Verify that you're logged in as the account owner of this account.

-1. Select **+Add Subscription**.

-1. Select **Purchase**.

-The first time you add a subscription to an account, you need to provide your contact information. When you add more subscriptions later, your contact information is populated for you.

-The first time you add a subscription to your account, you're asked to accept the MOSA agreement and a Rate Plan. These sections aren't Applicable to Enterprise Agreement Customers, but are currently necessary to create your subscription. Your Microsoft Azure Enterprise Agreement Enrollment Amendment supersedes the above items and your contractual relationship doesn't change. Select the box indicating you accept the terms.

-**Step Two: Update subscription name**

-All new subscriptions are added with the default *Microsoft Azure Enterprise* subscription name. It's important to update the subscription name to differentiate it from the other subscriptions within your Enterprise Enrollment and ensure that it's recognizable on reports at the enterprise level.

-Select **Subscriptions**, select the subscription you created, and then select **Edit Subscription Details.**

-Update the subscription name and service administrator and select the checkmark. The subscription name appears on reports and it's also the name of the project associated with the subscription on the development portal.

-New subscriptions might take up to 24 hours to propagate in the subscriptions list.

-Only account owners can view and manage subscriptions.

-Direct customer can create and edit subscription in Azure portal. See [manage subscription in Azure portal](direct-ea-administration.md#create-a-subscription).

-### Troubleshooting

-**Account owner showing in pending status**

-When new Account Owners (AO) are added to the enrollment for the first time, they always have `pending` under status. When you receive the activation welcome email, the AO can sign in to activate their account. This activation updates their account status from `pending` to `active`.

-**Usages being charged after Plan SKUs are purchased**

-This scenario occurs when the customer deployed services under the wrong enrollment number or selected the wrong services.

-To validate if you're deploying under the right enrollment, you can check your included units information via the price sheet. Sign in as an Enterprise Administrator and select **Reports** on the left navigation and select **Price Sheet** tab. Select the Download symbol in the top-right corner and find the corresponding Plan SKU part numbers with filter on column **Included Quantity** and select values greater than "0."

-Ensure that your OMS plan is showing on the price sheet under included units. If there are no included units for OMS plan on your enrollment, your OMS plan might be under another enrollment. Contact Azure Enterprise Portal Support at [https://aka.ms/AzureEntSupport](https://aka.ms/AzureEntSupport).

-If the included units for the services on the price sheet don't match with what you deployed, you may have deployed services that aren't covered by the plan. For example, Operational Insights Premium Data Analyzed vs. Operational Insights Standard Data Analyzed. In this example, contact Azure Enterprise Portal Support at [https://aka.ms/AzureEntSupport](https://aka.ms/AzureEntSupport) so we can assist you further.

-**Provisioned Plan SKU services on wrong enrollment**

-If you have multiple enrollments and you deployed services under the wrong enrollment number, which doesn't have an OMS plan, contact Azure Enterprise Portal Support at [https://aka.ms/AzureEntSupport](https://aka.ms/AzureEntSupport).

-description: This article explains how to manage and act on your Azure Enterprise invoice.

-# Azure Enterprise enrollment invoices

-This article explains how to manage and act on your Azure Enterprise Agreement (Azure EA) invoice. Your invoice is a representation of your bill. Review it for accuracy. You should also get familiar with other tasks that might be needed to manage your invoice.

-> [!NOTE]

-> We recommend that both direct and indirect EA Azure customers use Cost Management + Billing in the Azure portal to manage their enrollment and billing instead of using the EA portal. For more information about enrollment management in the Azure portal, see [Get started with EA billing in the Azure portal](ea-direct-portal-get-started.md).

->

-> As of February 20, 2023 indirect EA customers wonΓÇÖt be able to manage their billing account in the EA portal. Instead, they must use the Azure portal.

->

-> This change doesnΓÇÖt affect Azure Government EA enrollments. They continue using the EA portal to manage their enrollment.

-## View usage summary and download reports

-Enterprise administrators can view a summary of their usage data, Azure Prepayment consumed, and charges associated with additional usage in the Azure Enterprise portal. Charges are presented at the summary level across all accounts and subscriptions.

-To view detailed usage for specific accounts, download the usage detail report:

-1. Sign in to the Azure Enterprise portal.

-1. Select **Reports**.

-1. Select the **Download Usage** tab.

-1. In the list of reports, select **Download** for the monthly report that want to get.

- > [!NOTE]

- > The usage detail report doesn't include any applicable taxes.

- >

- > There may be a latency of up to eight hours from the time usage was incurred to when it's reflected on the report.

-To view the usage summary reports and graphs:

-1. Sign in to the Azure Enterprise portal.

-1. Select a Prepayment term.

- To change the date range for **Usage Summary**, you can toggle from **M** (Monthly) to **C** (Custom) on the top right of the page and then enter custom start and end dates.

- 

-1. To view additional details, you can select a period or month on the graph.

- - The graph shows month-over-month usage with a breakdown of utilized usage, service overage, charges billed separately, and Azure Marketplace charges.

- - For the selected month, you can use the fields below the graph to filter by departments, accounts, and subscriptions.

- - You can toggle between **Charge by Services** and **Charge by Hierarchy**.

- - View details from **Azure Service**, **Charges Billed Separately**, and **Azure Marketplace** by expanding the relevant sections.

-View this video to see how to view usage:

-> [!VIDEO https://www.youtube.com/embed/Cv2IZ9QCn9E]

-### Download CSV reports

-Enterprise administrators use the Monthly Report Download page to download the following reports as CSV files:

-To download reports:

-1. In the Azure Enterprise portal, select **Reports**.

-2. Select **Download Usage** at the top of the page.

-3. Select **Download** next to the month's report.

- > [!NOTE]

- > There may be a latency of up to 72 hours between the incurred usage date and when usage is shown in the reports.

- >

- > Users downloading CSV files with Safari to Excel may experience formatting errors. To avoid errors, open the file using a text editor.

-

-View this video to see how to download usage information:

-> [!VIDEO https://www.youtube.com/embed/eY797htT1qg]

-### Advanced report download

-You can use the advance report download to get reports that cover specific date ranges or accounts. The output file is in the CSV format to accommodate large record sets.

-1. In the Azure Enterprise portal, select **Advanced Report Download**.

-1. Select an appropriate date range and the appropriate accounts.

-1. Select **Request Usage Data**.

-1. Select the **Refresh** button until the report status updates to **Download**.

-1. Download the report.

-### Download usage reports and billing information for a prior enrollment

-You can download usage reports and billing information for a prior enrollment after an enrollment transfer has taken place. Historical reporting is available in both the Azure Enterprise portal and cost management.

-The Azure Enterprise portal filters inactive enrollments out of view. You'll need to uncheck the **Active** box to view inactive transferred enrollments.

-

-## PO number management

-PO number management functionality in the EA portal is getting deprecated. It is currently read-only in the EA portal. Instead, an EA administrator can use the Azure portal to manage PO numbers. For more information, see [Update a PO number](direct-ea-azure-usage-charges-invoices.md#update-a-po-number-for-an-upcoming-overage-invoice).

-## Azure enterprise billing frequency

-Microsoft bills annually at the enrollment effective date for any Prepayment purchases of the Microsoft Azure services. For any usage exceeding the Prepayment amounts, Microsoft bills in arrears.

-### Billing intervals

-You billing interval depends on how you choose to make your Prepayment purchases. Your annual Prepayment is coterminous with either:

-The date you receive your overage invoice depends on your enrollment start date and set-up:

- - If you're on a direct Enterprise Agreement (EA), you're on an annual billing cycle for Azure services, excluding Azure Marketplace services. Your billing cycle is based on the anniversary date: the date when your agreement became effective.

- - If you surpass 150% of your Azure EA Prepayment threshold, you'll automatically be converted to a quarterly billing cycle that is based on your anniversary date. You'll also receive an Azure service overage invoice.

- - If you don't surpass 150% of your Azure Prepayment threshold, your enrollment will remain on an annual billing cycle. The overage invoice will be received at the end of the Prepayment year.

- - Your Azure consumption and charges billed separately invoices are on a monthly billing cycle.

- - Any charges not covered by your Azure Prepayment are due as an overage payment.

- If you're an indirect Enterprise Agreement (EA) customer with a start date before May 1, 2018, you're set up on a quarterly billing cycle. The channel partner (CP) invoices you directly.

- You're on a monthly billing cycle.

-### Increase your Azure Prepayment

-You can increase your Prepayment at any time. You'll be billed for the number of months remaining in that year's Prepayment period. For example, if you sign up for a one-year Amendment Subscription and then increase your Prepayment during month six, you'll be invoiced for the remaining six months of that term. Your Prepayment quantities will then be updated for the last six months of your Prepayment term. These new quantities will be used for determining any overage charges.

-### Overage

-For overage, you're billed for the usage or reservations that exceed your Prepayment during the billing period. To view a breakdown of how the overage quantities for individual items were calculated, refer to the usage summary report or contact your channel partner.

-For each item on the invoice, you'll see:

-Applicable taxes are computed only on the net amount that exceeds your Prepayment.

-Overage invoicing is automated. The timing of notifications and invoices depends on your billing period end date.

-### Azure Marketplace

-Effective from the April 2019 billing cycle, customers started to receive a single Azure invoice that combines all Azure and Azure Marketplace charges into a single invoice instead of two separate invoices. This change doesn't affect customers in Australia, Japan, or Singapore.

-During the transition to a combined invoice, you'll receive a partial Azure Marketplace invoice. This final separate invoice will show Azure Marketplace charges incurred before the date of your billing update. Azure Marketplace charges incurred after that date will appear on your Azure invoice. After the transition period, you'll see all Azure and Azure Marketplace charges on the combined invoice.

-### Adjust billing frequency

-A customer's billing frequency is annual, quarterly, or monthly. The billing cycle is determined when a customer signs their agreement. Monthly billing is smallest billing interval.

-The change becomes effective at the end of the current billing quarter.

-### Request an invoice copy

-If you're an indirect enterprise agreement customer, contact your partner to request a copy of your invoice.

-## Credits and adjustments

-You can view all credits or adjustments applied to your enrollment in the **Reports** section of [the Azure Enterprise portal](https://ea.azure.com).

-To view credits:

-1. In [the Azure Enterprise portal](https://ea.azure.com), select the **Reports** section.

-1. Select **Usage Summary**.

-1. In the top-right corner, change the **M** to **C** view.

-1. Extend the adjustment field in the Azure service Prepayment table.

-1. You'll see credits applied to your enrollment and a short explanation. For example: Service Level Agreement Credit.

-## Pay your overage with your Azure Prepayment

-To apply your Azure Prepayment to overages, you must meet the following criteria:

-To complete an overage offset, you or the account team can open a support request. An emailed approval from your enterprise administrator or Bill to Contact is required.

-## Move charges to another enrollment

-Usage data is only moved when a transfer is backdated. There are two options to move usage data from one enrollment to another:

-For either option, you must submit a [support request](https://support.microsoft.com/supportrequestform/cf791efa-485b-95a3-6fad-3daf9cd4027c) to the EA Support Team for assistance. ΓÇï

-## Enterprise Agreement usage calculations

-Refer to [Azure services](https://azure.microsoft.com/services/) and [Azure pricing](https://azure.microsoft.com/pricing/) for basic public pricing information, units of measure, FAQs, and usage reporting guidelines for each individual service. You can find more information about EA calculations in the following sections.

-### Enterprise Agreement units of measure

-The units of measure for Enterprise Agreements are often different than seen in our other programs such as the Microsoft Online Services Agreement program (MOSA). This disparity means that, for a number of services, the unit of measure is aggregated to provide the normalized pricing. The unit of measure shown in the Azure Enterprise portal's Usage Summary view is always the Enterprise measure. A full list of current units of measure and conversions for each service is provided by submitting a [support request](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade).

-### Conversion between usage detail report and the usage summary page

-In the download usage data report, you can see raw resource usage up to six decimal places. However, usage data shown in the Azure Enterprise portal is rounded to four decimal places for Prepayment units and truncated to zero decimals for overage units. Raw usage data is first rounded to four digits before conversion to units used in the Azure Enterprise portal. Then, the converted Enterprise units are rounded again to four digits. You can only see the actual consumed hours before conversion in the download usage report and not within the Azure Enterprise portal.

-For example: If 694.533404 actual SQL Server hours are reported in the usage detail report. These units are converted to 6.94533404 of 100 compute hours, and then rounded to 6.9453 and displayed in the Azure Enterprise portal.

-### Graduated pricing

-Enterprise Agreement pricing doesn't currently include graduated pricing where the charges per unit decreases as usage increases. When you move from a MOSA program with graduated pricing to an Enterprise Agreement, your prices are set commensurate with the service's base tier minus any applicable adjustments for Enterprise Agreement discounts.

-### Partial hour billing

-All billed usage is based on minutes converted to partial hours and not on whole hour increments. The listed hourly Enterprise rates are applied to total hours plus partial hours.

-### Average daily consumption

-Some services are priced on a monthly basis, but usage is reported on daily basis. In these cases, the usage is evaluated once per day, divided by 31, and summed across the number of days in that billing month. So, rates are never higher than expected for any month and are slightly lower for those months with less than 31 days.

-### Compute hours conversion

-Before January 28, 2016, usage for A0, A2, A3, and A4 Standard and Basic Virtual Machines and Cloud Services was emitted as A1 Virtual Machine meter minutes. A0 VMs counted as fractions of A1 VM minutes while A2s, A3s, and A4s were converted to multiples. Because this policy caused some confusion for our customers, we implemented a change to assign per-minute usage to dedicated A0, A2, A3, and A4 meters.

-The new metering took effect between January 27 and January 28, 2016. On the CSV download that shows usage during this transition period, you can see both:

-| **Deployment size** | **Usage emitted as multiple of A1 through January 26, 2016** | **Usage emitted on dedicated meter starting January 27, 2016** |

-| | | |

-| A0 | 0.25 of A1 hour | 1 of A0 hour |

-| A2 | 2 of A1 hour | 1 of A2 hour |

-| A3 | 4 of A1 hour | 1 of A3 hour |

-| A4 | 8 of A1 hour | 1 of A4 hour |

-### Regions

-For those services where zone and region affect pricing, see the following table for a map of geographies and regions:

-| Geo | Data Transfer Regions | CDN Regions |

-| | | |

-| Zone 1 | Europe North <br> Europe West <br> US West <br> US East <br> US North Central <br> US South Central <br> US East 2 <br> US Central | North America <br> Europe |

-| Zone 2 | Asia Pacific East <br> Asia Pacific Southeast <br> Japan East <br> Japan West <br> Australia East <br> Australia Southeast | Asia Pacific <br> Japan <br> Latin America <br> Middle East / Africa <br> Australia East <br> Australia Southeast |

-| Zone 3 | Brazil South | |

-There are no charges for data egress between services housed within the same data center. For example, Microsoft 365 and Azure.

-### Azure Prepayment and unbilled usage

-Azure Prepayment is an amount paid up front for Azure services. The Azure Prepayment is consumed as services are used. First-party Azure services are billed against the Azure Prepayment. However, some charges are billed separately, and Azure Marketplace services don't consume Azure Prepayment.

-### Charges billed separately

-Some products and services provided from third-party sources don't consume Azure Prepayment. Instead, these items are billed separately as part of the standard billing cycle's overage invoice.

-We've combined all Azure and Azure Marketplace charges into a single invoice that aligns with the enrollment's billing cycle. The combined invoice doesn't apply to customers in Australia, Japan, or Singapore.

-The combined invoice shows Azure usage first, followed by any Azure Marketplace charges. Customers in Australia, Japan, or Singapore see their Azure Marketplace charges on a separate invoice.

-If there's no overage usage at the end of the standard billing cycle, charges billed separately are invoiced separately. This process applies to customers in Australia, Japan, and Singapore.

-The following services are examples of charges billed separately. You can get a full list of the services where charges are billed separately by submitting a [support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview).

-## What to expect after change of channel partner

-If the change of channel partner (COCP) happens in the middle of the month, a customer will receive an invoice for usage under the previous associated partner and another invoice for the usage under new partner.

-The invoices will be released following the month after the billing period ends. If the billing cadence is monthly, then September's invoice will be released in October for both partners. If the billing cycle is quarterly or annually, the customer can expect an invoice for the previous associated partner for the usage under their period and rest will be to the new partner based on the billing cadence.

-## Next steps

-description: This article explains how Azure Enterprise Agreement (Azure EA) customers use the Azure Enterprise portal.

-# Get started with the Azure Enterprise portal

-This article helps direct and indirect Azure Enterprise Agreement (Azure EA) customers start to use the [Azure Enterprise portal](https://ea.azure.com). Get basic information about:

-> [!NOTE]

-> We recommend that both direct and indirect EA Azure customers use Cost Management + Billing in the Azure portal to manage their enrollment and billing instead of using the EA portal. For more information about enrollment management in the Azure portal, see [Get started with EA billing in the Azure portal](ea-direct-portal-get-started.md).

->

-> As of February 20, 2023 indirect EA customers wonΓÇÖt be able to manage their billing account in the EA portal. Instead, they must use the Azure portal.

->

-> This change doesnΓÇÖt affect Azure Government EA enrollments. They continue using the EA portal to manage their enrollment.

-## Get started with EA onboarding

-For an Azure EA onboarding guide, see [Azure EA Onboarding Guide (PDF)](https://ea.azure.com/api/v3Help/v2AzureEAOnboardingGuide).

-View this video to watch a full Azure Enterprise portal onboarding session:

-> [!VIDEO https://www.youtube.com/embed/OiZ1GdBpo-I]

-## Understanding EA user roles and introduction to user hierarchy

-To help manage your organization's usage and spend, Azure customers with an Enterprise Agreement (EA) can assign five distinct administrative roles:

-Each role has a varying degree of user limits and permissions. For more information, see [Organization structure and permissions by role](./understand-ea-roles.md#organization-structure-and-permissions-by-role).

-## Activate your enrollment, create a subscription, and other administrative tasks

-For more information regarding activating your enrollment, creating a department or subscription, adding administrators and account owners, and other administrative tasks, see [Azure EA portal administration](./ea-portal-administration.md).

-If youΓÇÖd like to know more about transferring an Enterprise subscription to a Pay-As-You-Go subscription, see [Azure Enterprise transfers](./ea-transfers.md).

-## View usage summary and download reports

-You can manage and act on your Azure EA invoice. Your invoice is a representation of your bill and should be reviewed for accuracy.

-To view usage summary, download reports, and manage enrollment invoices, see [Azure Enterprise enrollment invoices](./ea-portal-enrollment-invoices.md).

-## Now that you're familiar with the basics, here are some additional links to help you get onboarded

-[Azure EA pricing](./ea-pricing-overview.md) provides details on how usage is calculated and goes over charges for various Azure services in the Enterprise Agreement where the calculations are more complex.

-If you'd like to know about how Azure reservations for VM reserved instances can help you save money with your enterprise enrollment, see [Azure EA VM reserved instances](./ea-portal-vm-reservations.md).

-For information on which REST APIs to use with your Azure enterprise enrollment and an explanation for how to resolve common issues with REST APIs, see [Azure Enterprise REST APIs](./enterprise-rest-apis.md).

-[Azure EA agreements and amendments](./ea-portal-agreements.md) describes how Azure EA agreements and amendments might affect your access, use, and payments for Azure services.

-[Azure Marketplace](./ea-azure-marketplace.md) explains how EA customers and partners can view marketplace charges and enable Azure Marketplace purchases.

-For explanations regarding the common tasks that a partner EA administrator accomplishes in the Azure EA portal, see [Azure EA portal administration for partners](./ea-partner-portal-administration.md).

-## Next steps

-1. The refund amount is reflected on the purchase month. In the EA portal, navigate to **Usage Summary** > **Adjustments/Charge by services**.

-2. The refund is shown in the EA portal as a negative adjustment in the purchase month and a positive adjustment in the current month. It appears similar to a reservations exchange.

-To return a partial refund with an overage:

-1. View the refund amount displayed in the purchase month. In the EA portal, navigate to **Usage Summary** > **Charge by services**.

-2. The credit memo references the original invoice number. To reconcile the initial purchase with the credit memo, refer to the original invoice number.

-Direct Enterprise customers can view the refund details in the Azure portal. To view refunds:

-1. Navigate to **Cost Management + Billing** > select a billing scope > in the left menu under **Billing**, select **Reservation transactions** menu.

-Any reservation discounts that your organization might have negotiated aren't shown in the EA portal price sheet. Previously, the discounted rates were available in the EA portal, however that functionality was removed. If youΓÇÖve negotiated reduced reservation prices, currently the only way to view the discounted prices is in the purchase reservation purchase experience.

-To purchase an Azure reserved virtual machine instance, an Enterprise Azure enrollment admin must enable the _Reserve Instance_ purchase option. The option is in the _Enrollment Detail_ section on the _Enrollment_ tab in the [Azure EA Portal](https://ea.azure.com/).

-You can view your reserved instance purchase details via the _Reservations_ menu on the left side of the [Azure portal](https://aka.ms/reservations) or from the [Azure EA portal](https://ea.azure.com/). Select **Reports** from the left-side menu and scroll down to the _Charges by Services_ section on the _Usage Summary_ Tab. Scroll to the bottom of the section and your reserved instance purchases and usage will list at the end as indicated by the `1 year` or `3 years` designation next to the service name, for example: `Standard_DS1_v2 eastus 1 year` or `Standard_D2s_v3 eastus2 3 years`.

-You can view your reserved instance usage detail in the [Azure portal](https://aka.ms/reservations) or in the [Azure EA portal](https://ea.azure.com/) (for EA customers who have access to view billing information) under _Reports_ > _Usage Summary_ > _Charges by Services_. Your reserved instances can be identified as service names containing 'Reservation', for example: `Reservation-Base VM or Virtual Machines Reservation-Windows Svr (1 Core)`.

-Customer and channel partners can view their current pricing for an enrollment by logging into the [Azure Enterprise portal](https://ea.azure.com/). Then view the price sheet page for that enrollment. Direct EA customers can now view and download **price sheet** in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_GTM/ModernBillingMenuBlade/BillingAccounts). See [view price sheet](ea-pricing.md#download-pricing-for-an-enterprise-agreement).

- - If you have only UPN (User Principal Name) entities configured as full EA administrators without access to e-mail, you must **either** create a temporary full EA administrator account in the EA portal **or** provide EA portal screenshot evidence of a user account associated with the UPN account.

- - You may have to repurchase the canceled monthly reservations from the source enrollment using the new enrollment in the local or new currency. If you repurchase a reservation, the purchase term (one or three years) is reset. The repurchase doesn't continue under the previous term.

-You might see that an enrollment has the **Transferred** state, even if you haven't submitted a support ticket to request an enrollment transfer. The **Transferred** state results from the auto enrollment transfer process. In order for the auto enrollment transfer to occur during the renewal phrase, there are a few items that must be included in the new agreement:

-If there's no missing usage data in the EA portal between the prior enrollment and the new enrollment, then you don't have to create a transfer support ticket.

-## Transfer an Enterprise subscription to a Pay-As-You-Go subscription

-To transfer an Enterprise subscription to an individual subscription with Pay-As-You-Go rates, you must create a new support request in the Azure Enterprise portal. To create a support request, select **+ New support request** in the **Help and Support** area.

-The Azure EA portal can transfer subscriptions from one account owner to another. For more information, see [Change Azure subscription or account ownership](ea-portal-administration.md#change-azure-subscription-or-account-ownership).

-2. select **All resources** on the Hub menu.

-4. select **Settings** to view and update existing secrets on the resource page.

-* **Generate or retrieve the API key** - Sign in to the Enterprise portal, and navigate to Reports > Download Usage > API Access Key to generate or retrieve the API key.

-Microsoft Enterprise Azure customers can get usage and billing information through REST APIs. The role owner (Enterprise Administrator, Department Administrator, Account Owner) must enable access to the API by generating a key from the Azure EA portal. Then, anyone provided with the enrollment number and key can access the data through the API.

-> 3. If you are Account owner only, then you can generate the keys at Acount level only.

-The article applies to customers with Microsoft Online Service program accounts. If you're an Azure customer with an Enterprise Agreement (EA) and are the Enterprise Administrator, you can give permissions to the Department Administrators and Account Owners in the Enterprise portal. For more information, see [Understand Azure Enterprise Agreement administrative roles in Azure](understand-ea-roles.md). If you're a Microsoft Customer Agreement customer, see, [Understand Microsoft Customer Agreement administrative roles in Azure](understand-mca-roles.md).

-> If you're an EA customer, an Account Owner can assign the above role to other users of their team. But for these users to view billing information, the Enterprise Administrator must enable AO view charges in the Enterprise portal.

-> If you're an EA customer, an Account Owner or Department Administrator can assign the Billing Reader role to team members. But for that Billing Reader to view billing information for the department or account, the Enterprise Administrator must enable **AO view charges** or **DA view charges** policies in the Enterprise portal.

-If your direct Enterprise Agreement enrollment has expired or about to expire, you can sign a Microsoft Customer Agreement to renew your enrollment. This article describes the changes to your existing billing after the setup and walks you through the setup of your new billing account. Currently, expiring indirect Enterprise Agreements can't get renewed with a Microsoft Customer Agreement.

-2. Set up the new billing account that's created for the new Microsoft Customer Agreement.

-When you convert an EA enrollment to MCA, you canΓÇÖt use the Cost Management Power BI template app any longer because the app doesnΓÇÖt support MCA. However, the [Azure Cost Management connector for Power BI Desktop](/power-bi/connect-data/desktop-connect-azure-cost-management) supports MCA accounts.

-Charges and credits balance prior to transition can be viewed in your Enterprise Agreement enrollment through the Azure portal.

-Complete the setup of your billing account before your Enterprise Agreement enrollment expires. If your enrollment expires, services in your Azure subscriptions continue to run without disruption. However, you are charged pay-as-you-go rates for the services.

-Azure subscriptions that are created for the Enterprise Agreement enrollment after the transition can be manually moved to the new billing account. For more information, see [get billing ownership of Azure subscriptions from other users](mca-request-billing-ownership.md). To move Azure reservations or savings plans that are purchased after the transition, [contact Azure Support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade). You can also provide users access to the billing account after the transition. For more information, see [manage billing roles in the Azure portal](understand-mca-roles.md#manage-billing-roles-in-the-azure-portal)

-4. You can monitor the status of the transition on the **Transition status** page. Canceled savings plans are shown in the Transition details.

-Azure subscriptions that are transitioned from your Enterprise Agreement enrollment to the new billing account are displayed on the Azure subscriptions page. If you believe any subscription is missing, transition the billing of the subscription manually in the Azure portal. For more information, see [get billing ownership of Azure subscriptions from other users](mca-request-billing-ownership.md)

-3. Select the billing profile created for your enrollment. Depending on your access, you may need to select a billing account. From the billing account, select Billing profiles and then the billing profile.

-3. Select an invoice section. Invoice sections have the same name as their respective departments in Enterprise Agreement enrollments. Depending on your access, you may need to select a billing account. From the billing account, select **Billing profiles** and then select **Invoice sections**. From the invoice sections list, select an invoice section.

-EAs have an authentication level set that determines which types of users can be added as EA account owners for the enrollment. There are four authentication levels available, as described at [Authentication level types](ea-portal-troubleshoot.md#authentication-level-types).

-> When set correctly, changing the authentication level doesn't impact the transfer process. For more information, see [Authentication level types](ea-portal-troubleshoot.md#authentication-level-types).

-* The Enterprise Administrator of your enrollment can [make you an Account Owner](https://ea.azure.com/helpdocs/addNewAccount) (sign in required) which makes you an Owner of the Enrollment Account.

-* The Enterprise Administrator of your enrollment can [make you an Account Owner](https://ea.azure.com/helpdocs/addNewAccount) and sign in required which makes you an Owner of the Enrollment Account.

-| `offerType` | Yes | String | The offer of the subscription. The two options for EA are [MS-AZR-0017P](https://azure.microsoft.com/pricing/enterprise-agreement/) (production use) and [MS-AZR-0148P](https://azure.microsoft.com/offers/ms-azr-0148p/) (dev/test, needs to be [turned on using the EA portal](https://ea.azure.com/helpdocs/DevOrTestOffer)). |

-| `OfferType` | Yes | String | The subscription offer. The two options for EA are [MS-AZR-0017P](https://azure.microsoft.com/pricing/enterprise-agreement/) (production use) and [MS-AZR-0148P](https://azure.microsoft.com/offers/ms-azr-0148p/) (dev/test, needs to be [turned on using the EA portal](https://ea.azure.com/helpdocs/DevOrTestOffer)). |

-| `offer-type` | Yes | String | The offer of the subscription. The two options for EA are [MS-AZR-0017P](https://azure.microsoft.com/pricing/enterprise-agreement/) (production use) and [MS-AZR-0148P](https://azure.microsoft.com/offers/ms-azr-0148p/) (dev/test, needs to be [turned on using the EA portal](https://ea.azure.com/helpdocs/DevOrTestOffer)). |

-If you're an Enterprise Agreement (EA) customer, your enterprise administrators can transfer billing ownership of your products between accounts in the EA portal. For more information, see [Change Azure subscription or account ownership](ea-portal-administration.md#change-azure-subscription-or-account-ownership).

-| EA | EA | ΓÇó Transferring between EA enrollments requires a [billing support ticket](https://azure.microsoft.com/support/create-ticket/).<br><br> ΓÇó Reservations and savings plans automatically get transferred during EA to EA transfers, except in transfers with a currency change.<br><br> ΓÇó Transfer within the same enrollment is the same action as changing the account owner. For details, see [Change EA subscription or account ownership](ea-portal-administration.md#change-azure-subscription-or-account-ownership). |

-* If you have a pay-as-you-go subscription (Azure offer ID MS-AZR-0003P) or an Azure plan with pay-as-you-go rates (Azure offer ID MS-AZR-0017G) and you want to migrate to an EA enrollment, have your Enrollment Admin add your account into the EA. Follow instructions in the invitation email to have your subscriptions moved under the EA enrollment. For more information, see [Change Azure subscription or account ownership](ea-portal-administration.md#change-azure-subscription-or-account-ownership).

-┬╣ The Bill-To contact of the EA contract will be under this role.

-┬▓ The Bill-To contact cannot be added or changed in the Azure EA Portal and will be added to the EA enrollment based on the user who is set up as the Bill-To contact on agreement level. To change the Bill-To contact, a request needs to be made through a partner/software advisor to the Regional Operations Center (ROC).

-The first enrollment administrator that is set up during the enrollment provisioning determines the authentication type of the Bill-to contact account. When the bill-to contact gets added to the EA Portal as a read-only administrator, they are given Microsoft account authentication.

-For example, if the initial authentication type is set to Mixed, the EA will be added as a Microsoft account and the Bill-to contact will have read-only EA admin privileges. If the EA admin doesnΓÇÖt approve Microsoft account authorization for an existing Bill-to contact, the EA admin may delete the user in question and ask the customer to add the user back as a read-only administrator with a Work or School account Only set at enrollment level in the EA portal.

-> [!NOTE]

-> We recommend that both direct and indirect EA Azure customers use Cost Management + Billing in the Azure portal to manage their enrollment and billing instead of using the EA portal. For more information about enrollment management in the Azure portal, see [Get started with EA billing in the Azure portal](ea-direct-portal-get-started.md).

->

-> As of February 20, 2023 indirect EA customers wonΓÇÖt be able to manage their billing account in the EA portal. Instead, they must use the Azure portal.

->

-> This change doesnΓÇÖt affect Azure Government EA enrollments. They continue using the EA portal to manage their enrollment.

-Use the Azure portal's Cost Management blade the [Azure portal](https://portal.azure.com) to manage Azure Enterprise Agreement roles.

-User roles are associated with a user account. To validate user authenticity, each user must have a valid work, school, or Microsoft account. Ensure that each account is associated with an email address that's actively monitored. Enrollment notifications are sent to the email address.

-> [!NOTE]

-You can have multiple enterprise administrators in an enterprise enrollment. You can grant read-only access to enterprise administrators.

-The EA administrator role automatically inherits all access and privilege of the department administrator role. So thereΓÇÖs no need to manually give an EA administrator the department administrator role.

-Users with this role have permissions to purchase Azure services, but are not allowed to manage accounts. They can:

-Each account requires a unique work, school, or Microsoft account. For more information about Azure Enterprise portal administrative roles, see [Understand Azure Enterprise Agreement administrative roles in Azure](understand-ea-roles.md).

-| EA purchaser assigned to an SPN | Unlimited |

-Enterprise administrators have the most privileges when managing an Azure EA enrollment. The initial Azure EA admin was created when the EA agreement was set up. However, you can add or remove new admins at any time. New admins are only added by existing admins. For more information about adding additional enterprise admins, see [Create another enterprise admin](ea-portal-administration.md#create-another-enterprise-administrator). Direct EA customers can use the Azure portal to add EA admins, see [Create another enterprise admin on Azure portal](direct-ea-administration.md#add-another-enterprise-administrator). For more information about billing profile roles and tasks, see [Billing profile roles and tasks](understand-mca-roles.md#billing-profile-roles-and-tasks).

-When new Account Owners (AO) are added to an Azure EA enrollment for the first time, their status appears as _pending_. When a new account owner receives the activation welcome email, they can sign in to activate their account.

-> If the Account Owner is a service account and doesn't have an email, use an In-Private session to sign in to the Azure portal and navigate to Cost Management to be prompted to accept the activation welcome email.

-Once they activate their account, the account status is updated from _pending_ to _active_. The account owner needs to read the 'Warning' message and select **Continue**. New users might get prompted to enter their first and last name to create a Commerce Account. If so, they must add the required information to continue and then the account is activated.

-You may see different pricing in the Azure portal depending on your administrative role and how the view charges policies are set by the Enterprise Administrator. Enabling Department Administrator and Account Owner Roles to see the charges can be restricted by restricting access to billing information.

-The following table shows the relationship between the Enterprise Agreement admin roles, the view charges policy, the Azure role in the Azure portal, and the pricing that you see in the Azure portal. The Enterprise Administrator always sees usage details based on the organization's EA pricing. However, the Department Administrator and Account Owner see different pricing views based on the view charge policy and their Azure role. The Department Admin role listed in the following table refers to both Department Admin and Department Admin (read only) roles.

-You set the Enterprise admin role and view charges policies in the Enterprise portal. The Azure role can be updated in the Azure portal. For more information, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

-Make sure that you complete any outstanding payments for your older [pay-as-you-go](../understand/download-azure-invoice.md) or [EA](../manage/ea-portal-enrollment-invoices.md) contract subscription invoices. For more information, see [Understand your Microsoft Customer Agreement Invoice in Azure](../understand/mca-understand-your-invoice.md#billing-period).

-If you're an EA admin, you can download the CSV file that contains new usage data from Azure portal. This data isn't available from the EA portal (ea.azure.com), you must download the usage file from Azure portal (portal.azure.com) to see the new data.

-Enterprise Agreement (EA) customers can limit purchases to EA admins by disabling the **Add Reserved Instances** option in the EA Portal. Direct EA customers can now disable Reserved Instance setting in [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_GTM/ModernBillingMenuBlade/BillingAccounts). Navigate to Policies menu to change settings.

-If you're an EA admin, you can download the CSV file that contains new usage data from Azure portal. This data isn't available from the EA portal (ea.azure.com), you must download the usage file from Azure portal (portal.azure.com) to see the new data.

-If you're an EA admin, you can download the CSV file that contains new usage data from Azure portal. This data isn't available from the EA portal (ea.azure.com), you must download the usage file from Azure portal (portal.azure.com) to see the new data.

-The complete list of savings plan eligible products is found in your price sheet, which can be downloaded from the [Azure portal](https://portal.azure.com). The EA portal price sheet doesn't include savings plan pricing. After you download the file, filter `Price Type` by `Savings Plan` to see the one-year and three-year prices.

-If you're an EA admin, you can download the CSV file that contains new cost data from the Azure portal. This data isn't available from the [EA portal](https://ea.azure.com/), you must download the cost file from Azure portal (portal.azure.com) to see the new data.

-| Enterprise Agreement | _Enterprise Administrator_<p> If you're an Enterprise admin with read-only access, you need your organization to give you **full** access to assign licenses using centrally managed Azure Hybrid Benefit. <p>If you're not an Enterprise admin, you must get assigned that role by your organization (with full access). For more information about how to become a member of the role, see [Add another enterprise administrator](../manage/ea-portal-administration.md#create-another-enterprise-administrator). | - MS-AZR-0017P (Microsoft Azure Enterprise)<br>- MS-AZR-USGOV-0017P (Azure Government Enterprise) |

- For more information about how to become a member of the role, see [Add another enterprise administrator](../manage/ea-portal-administration.md#create-another-enterprise-administrator).

-description: This article describes some common issues that can occur with an Azure Enterprise Agreement (EA) in the Azure EA portal.

-# Troubleshoot Azure EA portal access

-This article describes some common issues that can occur with an Azure Enterprise Agreement (EA). The Azure EA portal is used to manage enterprise agreement users and costs. You might come across these issues when you're configuring or updating Azure EA portal access.

-> [!NOTE]

-> We recommend that both direct and indirect EA Azure customers use Cost Management + Billing in the Azure portal to manage their enrollment and billing instead of using the EA portal. For more information about enrollment management in the Azure portal, see [Get started with EA billing in the Azure portal](../manage/ea-direct-portal-get-started.md).

->

-> As of February 20, 2023 indirect EA customers wonΓÇÖt be able to manage their billing account in the EA portal. Instead, they must use the Azure portal.

->

-> This change doesnΓÇÖt affect Azure Government EA enrollments. They continue using the EA portal to manage their enrollment.

-## Issues adding a user to an enrollment

-There are different types of authentication levels for enterprise enrollments. When authentication levels are applied incorrectly, you might have issues when you try to sign in to the Azure EA portal.

-You use the Azure EA portal to grant access to users with different authentication levels. An enterprise administrator can update the authentication level to meet security requirements of their organization.

-### Authentication level types

-The first work or school account added to the enrollment determines the _default_ domain. To add a work or school account with another tenant, you must change the authentication level under the enrollment to cross-tenant authentication.

-To update the Authentication Level:

-1. Sign in to the Azure [EA portal](https://ea.azure.com/) as an Enterprise Administrator.

-2. Select **Manage** on the left navigation panel.

-3. Select the **Enrollment** tab.

-4. Under **Enrollment Details**, select **Auth Level**.

-5. Select the pencil symbol.

-6. Select **Save**.

-

-Microsoft accounts must have an associated ID created at [https://signup.live.com](https://signup.live.com/).

-Work or school accounts are available to organizations that have set up Microsoft Entra ID with federation and where all accounts are on a single tenant. Users can be added with work or school federated user authentication if the company's internal Microsoft Entra ID is federated.

-If your organization doesn't use Microsoft Entra ID federation, you can't use your work or school email address. Instead, register or create a new email address and register it as a Microsoft account.

-## Unable to access the Azure EA portal

-If you get an error message when you try to sign in to the Azure EA portal, use the following the troubleshooting steps:

- - If you're using your work account, enter your work email and work password. Your work password is provided by your organization. You can check with your IT department about how to reset the password if you have issues with it.

- - If you're using a Microsoft account, enter your Microsoft account email address and password. If you've forgotten your Microsoft account password, you can reset it at [https://account.live.com/password/reset](https://account.live.com/password/reset).

-Or, if you get an _Invalid User_ error, it might be because the wrong account type was used when the user was added to the enrollment. For example, a work or school account instead of a Microsoft account. In this example, you have another EA admin add the correct account or you need to contact [support](https://support.microsoft.com/supportforbusiness/productselection?sapId=cf791efa-485b-95a3-6fad-3daf9cd4027c).

- - If you need to check the primary alias, go to [https://account.live.com](https://account.live.com). Then, select **Your Info** and then select **Manage how to sign in to Microsoft**. Follow the prompts to verify an alternate email address and obtain a code to access sensitive information. Enter the security code. Select **Set it up later** if you don't want to set up two-factor authentication.

- - You see the **Manage how to sign in to Microsoft** page where you can view your account aliases. Check that the primary alias is the one that you're using to sign in to the Azure EA portal. If it isn't, you can make it your primary alias. Or, you can use the primary alias for Azure EA portal instead.

-## Next steps

-description: Learn how to resolve any issues you might have with organizational cost views within the Azure portal.

-# Troubleshoot enterprise cost views

-Within enterprise enrollments, there are several settings that could cause users within the enrollment to not see costs. These settings are managed by the enrollment administrator. Or, if the enrollment isn't bought directly through Microsoft, the settings are managed by the partner. This article helps you understand what the settings are and how they impact the enrollment. These settings are independent of the Azure roles.

-> [!NOTE]

-> We recommend that both direct and indirect EA Azure customers use Cost Management + Billing in the Azure portal to manage their enrollment and billing instead of using the EA portal. For more information about enrollment management in the Azure portal, see [Get started with EA billing in the Azure portal](../manage/ea-direct-portal-get-started.md).

->

-> As of February 20, 2023 indirect EA customers wonΓÇÖt be able to manage their billing account in the EA portal. Instead, they must use the Azure portal.

->

-> This change doesnΓÇÖt affect Azure Government EA enrollments. They continue using the EA portal to manage their enrollment.

-## Enable access to costs

-Are you seeing a message Unauthorized, or *"Cost views are disabled in your enrollment."* when looking for cost information?

-

-It might be for one of the following reasons:

-1. YouΓÇÖve bought Azure through an enterprise partner, and the partner didn't release pricing yet. Contact your partner to update the pricing setting within the [Enterprise portal](https://ea.azure.com).

-2. If youΓÇÖre an EA Direct customer, there are a couple of possibilities:

- * You're an Account Owner and your Enrollment Administrator disabled the **AO view charges** setting.

- * You're a Department Administrator and your Enrollment Administrator disabled the **DA view charges** setting.

- * Contact your Enrollment Administrator to get access. The Enrollment Admin can now update the settings in [Azure portal](https://portal.azure.com/). Navigate to **Policies** menu to change settings.

- * The Enrollment Admin can update the settings in the [Enterprise portal](https://ea.azure.com/manage/enrollment).

- 

-

-

-## Asset is unavailable

-If you get an error message stating **This asset is unavailable** when trying to access a subscription or management group, then you don't have the correct role to view this item.

-

-Ask your Azure subscription or management group administrator for access. For more information, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

-## Next steps

-To create a support request for an Enterprise Agreement, you must be an Enterprise Administrator or Partner Administrator associated with an enterprise enrollment.

-1. Type a summary of your issue and then select **Issue type**.

-1. In the **Issue type** list, select **Enrollment administration** for EA portal related issues.

-1. For **Enrollment number**, select the enrollment number.

-description: Resolving an issue when trying to sign up for a new account in the Microsoft Azure portal.

-You might experience an issue when you try to sign up for a new account in the Microsoft Azure portal. This short guide walks you through the sign-up process and discusses some common issues at each step.

-> [!NOTE]

-> We recommend that both direct and indirect EA Azure customers use Cost Management + Billing in the Azure portal to manage their enrollment and billing instead of using the EA portal. For more information about enrollment management in the Azure portal, see [Get started with EA billing in the Azure portal](../manage/ea-direct-portal-get-started.md).

->

-> As of February 20, 2023 indirect EA customers wonΓÇÖt be able to manage their billing account in the EA portal. Instead, they must use the Azure portal.

->

-> This change doesnΓÇÖt affect Azure Government EA enrollments. They continue using the EA portal to manage their enrollment.

-If you're an Azure customer with an Enterprise Agreement (EA customer), only an EA administrator can download and view your organization's invoice. Direct EA administrators can [Download or view their Azure billing invoice](../manage/direct-ea-azure-usage-charges-invoices.md#download-or-view-your-azure-billing-invoice). Indirect EA administrators can use the information at [Azure Enterprise enrollment invoices](../manage/ea-portal-enrollment-invoices.md) to download their invoice.

-### EA, CSP, and Sponsorship customers

-| Enterprise Agreement (EA) | [EA portal](https://ea.azure.com/), [help docs](https://ea.azure.com/helpdocs), and [Power BI report](https://powerbi.microsoft.com/documentation/powerbi-content-pack-azure-enterprise/) |

-> - To learn how to generate the API key for your enrollment, see the API Reports help file on the [Enterprise portal](https://ea.azure.com/?WT.mc_id=azurebg_email_Trans_33675_1378_Service_Notice_EA_Customer_Power_BI_EA_Content_Pack_Apr26).

-1. In **Authentication Key Box**, enter the API key.

- You can get the API key in the Azure Enterprise portal under the **Download Usage** tab. Select **API Access Key**, and then paste the key into the **Account Key** box.

-EA customers can see external service spending and download reports in the EA portal. See [Azure Marketplace for EA Customers](https://ea.azure.com/helpdocs/azureMarketplace) to get started.

-Direct EA customers can see external service spending in the [Azure portal](https://portal.azure.com). Navigate to the Usage + charges menu to view and download Azure Marketplace charges.

-Enabling direct onboarding is an opt-in setting at the tenant level. It affects both existing and new servers onboarded to Defender for Endpoint in the same Microsoft Entra tenant. Shortly after enabling this setting, your server devices will show under the designated subscription. Alerts, software inventory, and vulnerability data are integrated with Defender for Cloud, in a similar way to how it works with Azure VMs.

-1. Select the subscription you would like to use for servers onboarded directly with Defender for Endpoint

-You've now successfully enabled direct onboarding on your tenant. After you enable it for the first time, it might take up to 24 hours to see your non-Azure servers in your designated subscription.

- The following are deployment use cases currently with this limitation when used with direct onboarding of your tenant:

- | Location | Deployment use case |

- | | |

- | All | <u>Windows 2012, 2016:</u> <br />Azure VMs or Azure Arc machines already onboarded and billed by Defender for Servers via an Azure subscription or Log Analytics workspace, running the Defender for Endpoint modern unified agent without the MDE.Windows Azure extension. For such machines, you can enable Defender for Cloud integration with Defender for Endpoint to deploy the extension. |

- | On-premises (not running Azure Arc) | <u>Windows Server 2012, 2016</u>: <br />Servers running the Defender for Endpoint modern unified agent, and already billed by Defender for Servers P2 via the Log Analytics workspace |

- | AWS, GCP (not running Azure Arc) | <u>Windows Server 2012, 2016</u>: <br />AWS or GCP VMs using the modern unified Defender for Endpoint solution, already onboarded and billed by Defender for Servers via multicloud connectors, Log Analytics workspace, or both. |

- Note: For Windows 2019 and above and Linux, agent version updates have been already released to support simultaneous onboarding without limitations. For Windows - use agent version 10.8555.X and above, For Linux - use agent version 30.101.23052.009 and above.

-description: Learn about the threat protections available from Microsoft Defender for Cloud

-Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. The Application Gateway WAF is based on Core Rule Set 3.2 or higher from the Open Web Application Security Project. The WAF is updated automatically to protect against new vulnerabilities.

-If you have created [WAF Security solution](partner-integration.md#add-data-sources), your WAF alerts are streamed to Defender for Cloud with no other configurations. For more information on the alerts generated by WAF, see [Web application firewall CRS rule groups and rules](../web-application-firewall/ag/application-gateway-crs-rulegroups-rules.md?tabs=owasp31#crs911-31).

-To deploy Azure's Application Gateway WAF, do the following:

- :::image type="content" source="media/other-threat-protections/deploy-azure-waf.png" alt-text="Screenshot showing where to select add to deploy WAF." lightbox="media/other-threat-protections/deploy-azure-waf.png":::

-[Microsoft Entra Permissions Management](../active-directory/cloud-infrastructure-entitlement-management/index.yml) is a cloud infrastructure entitlement management (CIEM) solution. Microsoft Entra Permission Management provides comprehensive visibility and control over permissions for any identity and any resource in Azure, AWS, and GCP.

-

-description: Learn about cloud security posture in Microsoft Defender for Cloud

-# Review cloud security posture

-Microsoft Defender for Cloud provides a unified view into the security posture of hybrid cloud workloads with the

-interactive **Overview** dashboard. Select any element on the dashboard to get more information.

-| Foundational CSPM | ΓÇó There are no charges when you use foundational CSPM with no plans enabled.<br /><br />ΓÇó AWS/GCP machines don't need to be set up with Azure Arc for foundational CSPM. On-premises machines do.<br /><br />ΓÇó Some foundational recommendations rely only agents: Antimalware / endpoint protection (Log Analytics agent or Azure Monitor agent) \| OS baselines recommendations (Log Analytics agent or Azure Monitor agent and Guest Configuration extension) \|

-|[Security Operations (SecOps)](/azure/cloud-adoption-framework/organize/cloud-security-operations-center) | Reducing organizational risk by reducing the time in which bad actors have access to corporate resources. Reactive detection, analysis, response and remediation of attacks. Proactive threat hunting.

-|[Incident preparation](/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation)|Building tools, processes, and expertise to respond to security incidents.

-tags: azure-synapse

-If you are new to Azure Event Hubs, see [Event Hubs overview](event-hubs-about.md) before you do this quickstart.

-### Install the npm package(s) to send events

- * `EVENT HUBS RESOURCE NAME`

- const eventHubsResourceName = "EVENT HUBS RESOURCE NAME";

-Congratulations! You have now sent events to an event hub.

-[Get the connection string to the storage account](../storage/common/storage-configure-connection-string.md)

- - `EVENT HUBS RESOURCE NAME`

- const eventHubsResourceName = "EVENT HUBS RESOURCE NAME";

-Congratulations! You have now received events from your event hub. The receiver program will receive events from all the partitions of the default consumer group in the event hub.

-description: This article provides an overview of Azure Event Hubs Premium, which offers multi-tenant deployments of Event Hubs for high-end streaming needs.

-The Event Hubs Premium (premium tier) is designed for high-end streaming scenarios that require elastic, superior performance with predictable latency. The performance is achieved by providing reserved compute, memory, and storage resources, which minimize cross-tenant interference in a managed multi-tenant PaaS environment.

-You can purchase 1, 2, 4, 8 and 16 processing units for each namespace. As the premium tier is a capacity-based offering, the achievable throughput isn't set by a throttle as it is in the standard tier, but depends on the work you ask Event Hubs to do, similar to the dedicated tier. The effective ingest and stream throughput per PU will depend on various factors, including:

-The premium tier offers an isolated compute and memory capacity to achieve more predictable latency and far reduced *noisy neighbor* impact risk in a multi-tenant deployment.

-As the premium tier is a multitenant offering, it can dynamically scale more flexibly and very quickly. Capacity is allocated in processing units (PUs) that allocate isolated pods of CPU/memory inside the cluster. The number of those pods can be scaled up/down per namespace. Therefore, the premium tier is a low-cost option for messaging scenarios with the overall throughput range that is less than 120 MB/s but higher than what you can achieve with the standard SKU.

-Azure Event Hubs provides encryption of data at rest with Azure Storage Service Encryption (Azure SSE). The Event Hubs service uses Azure Storage to store the data. All the data that's stored with Azure Storage is encrypted using Microsoft-managed keys. If you use your own key (also referred to as Bring Your Own Key (BYOK) or customer-managed key), the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. This feature enables you to create, rotate, disable, and revoke access to customer-managed keys that are used for encrypting Microsoft-managed keys. Enabling the BYOK feature is a one time setup process on your namespace. For more information, see [Configure customer-managed keys for encrypting Azure Event Hubs data at rest](configure-customer-managed-key.md).

-For more quotas and limits, see [Event Hubs quotas and limits](event-hubs-quotas.md)

-| **Madrid** | [Interxion MAD1](https://www.interxion.com/es/donde-estamos/europa/madrid) | 1 | West Europe | Supported | DE-CIX<br/>InterCloud<br/>Interxion<br/>Megaport<br/>Telefonica |

-| **[Equinix](https://www.equinix.com/partners/microsoft-azure/)** | Supported | Supported | Amsterdam<br/>Amsterdam2<br/>Atlanta<br/>Berlin<br/>Canberra2<br/>Chicago<br/>Dallas<br/>Dubai2<br/>Dublin<br/>Frankfurt<br/>Frankfurt2<br/>Geneva<br/>Hong Kong<br/>Hong Kong2<br/>London<br/>London2<br/>Los Angeles*<br/>Los Angeles2<br/>Melbourne<br/>Miami<br/>Milan<br/>New York<br/>Osaka<br/>Paris<br/>Paris2<br/>Perth<br/>Quebec City<br/>Rio de Janeiro<br/>Sao Paulo<br/>Seattle<br/>Seoul<br/>Silicon Valley<br/>Singapore<br/>Singapore2<br/>Stockholm<br/>Sydney<br/>Tokyo<br/>Tokyo2<br/>Toronto<br/>Washington DC<br/>Warsaw<br/>Zurich</br>Zurich2</br></br> **New ExpressRoute circuits are no longer supported with Equinix in Los Angeles. Create new circuits in Los Angeles2.* |

-## Public Preview

-The following scenario is in public preview:

-ExpressRoute Direct and ExpressRoute circuit(s) in a different subscription or Microsoft Entra tenants. You'll create an authorization for your ExpressRoute Direct resource, and redeem the authorization to create an ExpressRoute circuit in a different subscription or Microsoft Entra tenant.

-Azure Firewall Policy is replicated to a paired Azure region. For example, if one Azure region goes down, Azure Firewall policy becomes active in the paired Azure region. The paired region is automatically selected based on the region where the policy is created. For more information, see [Cross-region replication in Azure: Business continuity and disaster recovery](../reliability/cross-region-replication-azure.md#azure-paired-regions).

-The rule processing is in the following order: DNATRC1, DNATRC3, ChDNATRC3, NetworkRC1, NetworkRC2, ChNetRC1, ChNetRC2, AppRC2, ChAppRC1, ChAppRC2.

-Azure Front Door supports three versions of the TLS protocol: TLS versions 1.0, 1.1, and 1.2. All Azure Front Door profiles created after September 2019 use TLS 1.2 as the default minimum, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility.

-Although Azure Front Door supports TLS 1.2, which introduced client/mutual authentication in RFC 5246, currently, Azure Front Door doesn't support client/mutual authentication.

-You can configure the minimum TLS version in Azure Front Door in the custom domain HTTPS settings using the Azure portal or theΓÇ»[Azure REST API](/rest/api/frontdoorservice/frontdoor/frontdoors/createorupdate#minimumtlsversion). Currently, you can choose between 1.0 and 1.2. As such, specifying TLS 1.2 as the minimum version controls the minimum acceptable TLS version Azure Front Door will accept from a client. When Azure Front Door initiates TLS traffic to the origin, it will attempt to negotiate the best TLS version that the origin can reliably and consistently accept.

-For TLS 1.2 the following cipher suites are supported:

-description: In this quickstart, you use Azure PowerShell to create an Azure Policy assignment to identify non-compliant resources.

-The first step in understanding compliance in Azure is to identify the status of your resources. In

-this quickstart, you create a policy assignment to identify virtual machines that aren't using

-managed disks. When complete, you'll identify virtual machines that are _non-compliant_.

-The Azure PowerShell module is used to manage Azure resources from the command line or in scripts.

-This guide explains how to use Az module to create a policy assignment.

- account before you begin.

- [Install Azure PowerShell module](/powershell/azure/install-azure-powershell) for detailed information.

- resource provider makes sure that your subscription works with it. To register a resource

- provider, you must have permission to the register resource provider operation. This operation is

- included in the Contributor and Owner roles. Run the following command to register the resource

- provider:

- ```azurepowershell-interactive

- # Register the resource provider if it's not already registered

- Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'

- ```

- For more information about registering and viewing resource providers, see

- [Resource Providers and Types](../../azure-resource-manager/management/resource-providers-and-types.md).

-## Create a policy assignment

-In this quickstart, you create a policy assignment for the _Audit VMs without managed disks_

-definition. This policy definition identifies virtual machines not using managed disks.

-Run the following commands to create a new policy assignment:

-```azurepowershell-interactive

-# Get a reference to the resource group that is the scope of the assignment

-# Get a reference to the built-in policy definition to assign

-$definition = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq 'Audit VMs that do not use managed disks' }

-# Create the policy assignment with the built-in definition against your resource group

-New-AzPolicyAssignment -Name 'audit-vm-manageddisks' -DisplayName 'Audit VMs without managed disks Assignment' -Scope $rg.ResourceId -PolicyDefinition $definition

-The preceding commands use the following information:

- without managed disks Assignment_.

- this case, it's the ID of policy definition _Audit VMs that do not use managed disks_.

- enforced on. It could range from a subscription to resource groups. Be sure to replace

- &lt;scope&gt; with the name of your resource group.

-You're now ready to identify non-compliant resources to understand the compliance state of your

-environment.

-Use the following information to identify resources that aren't compliant with the policy assignment

-you created. Run the following commands:

-```azurepowershell-interactive

-# Get the resources in your resource group that are non-compliant to the policy assignment

-Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName -PolicyAssignmentName 'audit-vm-manageddisks' -Filter 'IsCompliant eq false'

-For more information about getting policy state, see

-[Get-AzPolicyState](/powershell/module/az.policyinsights/Get-AzPolicyState).

-Your results resemble the following example:

-Timestamp : 3/9/19 9:21:29 PM

-ResourceId : /subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmId}

-PolicyAssignmentId : /subscriptions/{subscriptionId}/providers/microsoft.authorization/policyassignments/audit-vm-manageddisks

-PolicyDefinitionId : /providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d

-IsCompliant : False

-SubscriptionId : {subscriptionId}

-ResourceType : /Microsoft.Compute/virtualMachines

-ResourceTags : tbd

-PolicyAssignmentName : audit-vm-manageddisks

-PolicyAssignmentOwner : tbd

-PolicyAssignmentScope : /subscriptions/{subscriptionId}

-PolicyDefinitionName : 06a78e20-9358-41c9-923c-fb736d382a4d

-PolicyDefinitionAction : audit

-PolicyDefinitionCategory : Compute

-ManagementGroupIds : {managementGroupId}

-The results match what you see in the **Resource compliance** tab of a policy assignment in the

-Azure portal view.

-To remove the assignment created, use the following command:

-```azurepowershell-interactive

-# Removes the policy assignment

-Remove-AzPolicyAssignment -Name 'audit-vm-manageddisks' -Scope '/subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>'

-To learn more about assigning policies to validate that new resources are compliant, continue to the

-tutorial for:

-> [Creating and managing policies](./tutorials/create-and-manage.md)

-Parameters can't be removed from a policy definition because there may be an assignment that sets the parameter value, and that reference would become broken. Instead of removing, you can classify the parameter as deprecated in the parameter metadata.

-> If you assign this policy definition to your root management group scope, Azure portal is unable to detect exemptions at lower level scopes. Resources disallowed by the policy assignment will show as disabled from the **All Services** list and the **Create** option is unavailable.

-HDInsight service has two main components: a Resource provider and open-source software (OSS) componentscomponents that are deployed on a cluster.

-### Release date: January 10, 2024

-This hotfix release applies to HDInsight 4.x and 5.x versions. HDInsight release will be available to all regions over several days. This release is applicable for image number **2401030422**. [How to check the image number?](./view-hindsight-cluster-image-version.md)

-HDInsight uses safe deployment practices, which involve gradual region deployment. it might take up to 10 business days for a new release or a new version to be available in all regions.