+# Customer intent: I'm a developer, and I need to understand how to build a global identity solution using a funnel-based approach, so I can implement it in my organization's Azure AD B2C environment.

+# Customer intent: As a developer, I want to understand how to build a global identity solution using a funnel-based approach, so I can implement it in my organization's Azure AD B2C environment.

+# Customer intent: I'm a developer implementing Azure Active Directory B2C, and I want to configure region-based sign-up, sign-in, and password reset journeys. My goal is for users to be directed to the correct region and their data managed accordingly.

+# Customer intent: I'm a developer implementing a global identity solution. I need to understand the different scenarios and workflows for region-based design approach in Azure AD B2C. My goal is to design and implement the authentication and sign-up processes effectively for users from different regions.

+# Customer intent: I'm a developer building a customer-facing application. I need to understand the different approaches to implement an identity platform using Azure AD B2C tenants for a globally operating business model. I want to make an informed decision about the architecture that best suits my application's requirements.

+# Customer intent: I'm a developers working with Azure Active Directory B2C. I need videos that provide a deep-dive into the architecture and features of the service. My goal is to gain a better understanding of how to implement and utilize Azure AD B2C in my applications.

+# Customer intent: I'm a developer integrating Azure AD B2C, and I want to configure an identity verification and proofing provider. I need to combat identity fraud and create a trusted user experience for account registration.

+# Customer intent: I'm an IT admin, and I want to configure Azure Active Directory B2C with Akamai Enterprise Application Access for SSO and secure hybrid access. I want to enable Azure AD B2C authentication for end users accessing private applications secured by Akamai Enterprise Application Access.

+# Customer intent: I'm a developer integrating Azure Active Directory B2C with the Arkose Labs platform. I need to configure the integration, so I can protect against bot attacks, account takeover, and fraudulent account openings.

+# Customer intent: I'm a developer integrating Asignio with Azure AD B2C for multifactor authentication. I want to configure an application with Asignio and set it up as an identity provider (IdP) in Azure AD B2C, so I can provide a passwordless, soft biometric, and multifactor authentication experience to customers.

+# Customer intent: I'm a developer integrating Azure Active Directory B2C with Transmit Security BindID. I need instructions to configure integration, so I can enable passwordless authentication using FIDO2 biometrics for my application.

+# Customer intent: I'm a developer integrating Azure AD B2C authentication with BioCatch technology. I need to configure the custom UI, policies, and user journey. My goal is to enhance the security of my Customer Identity and Access Management (CIAM) system by analyzing user physical and cognitive behaviors.

+# Customer intent: I'm a developer integrating Azure Active Directory B2C with BlokSec for passwordless authentication. I need to configure integration, so I can simplify user sign-in and protect against identity-related attacks.

+# Customer intent: I'm a developer configuring Azure AD B2C with Cloudflare WAF. I need to enable and configure the Web Application Firewall, so I can protect my application from malicious attacks such as SQL Injection and cross-site scripting (XSS).

+# Customer intent: I'm a developer, and I want to integrate Azure Active Directory B2C with Datawiza Access Proxy (DAP). My goal is to enable single sign-on (SSO) and granular access control for on-premises legacy applications, without rewriting them.

+# Customer intent: As an Azure AD B2C administrator, I want to integrate Deduce with Azure AD B2C authentication. I want to combat identity fraud and create a trusted user experience for my organization.

+# Customer intent: I'm a developer, and I want to integrate Microsoft Dynamics 365 Fraud Protection with Azure Active Directory B2C. I need to assess risk during attempts to create fraudulent accounts and sign-ins, and then block or challenge suspicious attempts.

+# Customer intent: I'm an Azure AD B2C administrator, and I want to configure eID-Me as an identity provider (IdP). My goal is to enable users to verify their identity and sign in using eID-Me.

+# Customer intent: I'm an Azure AD B2C administrator, and I want to integrate Experian CrossCore with Azure AD B2C. I need to verify user identification and perform risk analysis based on user attributes during sign-up.

+# Customer intent: As an IT admin responsible for securing applications, I want to integrate Azure Active Directory B2C with F5 BIG-IP Access Policy Manager. I want to expose legacy applications securely to the internet with preauthentication, Conditional Access, and single sign-on (SSO) capabilities.

+# Customer intent: I'm an application developer using header-based authentication, and I want to migrate my legacy application to Azure Active Directory B2C with Grit app proxy. I need to enable modern authentication experiences, enhance security, and save on licensing costs.

+# Customer intent: As an application developer using header-based authentication, I want to migrate my legacy application to Azure Active Directory B2C with Grit app proxy. I want to enable modern authentication experiences, enhance security, and save on licensing costs.

+# Customer intent: I'm an Azure AD B2C administrator, and I want to use the Visual IEF Editor tool to create, modify, and deploy Azure AD B2C policies, without writing code.

+# Customer intent: I'm a developer, and I want to integrate Azure Active Directory B2C authentication with the Grit IAM B2B2C solution. I need to provide secure and user-friendly identity and access management for my customers.

+# Customer intent: I'm a developer integrating Haventec Authenticate with Azure AD B2C. I need instructions to configure integration, so I can enable single-step, multi-factor passwordless authentication for my web and mobile applications.

+# Customer intent: I'm a developer integrating HYPR with Azure AD B2C. I want a tutorial to configure the Azure AD B2C policy to enable passwordless authentication using HYPR for my customer applications.

+# Customer intent: I'm an Azure AD B2C administrator, and I want to configure IDEMIA Mobile ID integration with Azure AD B2C. I want users to authenticate using biometric authentication services and benefit from a trusted, government-issued digital ID.

+# Customer intent: I'm an Azure AD B2C administrator, and I want to integrate Jumio with Azure AD B2C. I need to enable real-time automated ID verification for user accounts and protect customer data.

+# Customer intent: I'm a developer integrating Azure AD B2C with Keyless for passwordless authentication. I need to configure Keyless with Azure AD B2C, so I can provide a secure and convenient passwordless authentication experience for my customer applications.

+# Customer intent: I'm a developer integrating Azure Active Directory B2C with LexisNexis ThreatMetrix. I want to configure the API and UI components, so I can verify user identities and perform risk analysis based on user attributes and device profiling information.

+# Customer intent: As an administrator managing customer accounts in Azure AD B2C, I want to configure TheAccessHub Admin Tool with Azure AD B2C. My goal is to migrate customer accounts, administer CSR requests, synchronize data, and customize notifications.

+# Customer intent: I'm a developer, and I want to configure Nevis with Azure Active Directory B2C for passwordless authentication. I need to enable customer authentication and comply with Payment Services Directive 2 (PSD2) transaction requirements.

+# Customer intent: I'm a developer integrating Azure Active Directory B2C with a third-party authentication provider. I want to learn how to configure Nok Nok Passport as an identity provider (IdP) in Azure AD B2C. My goal is to enable passwordless FIDO authentication for my users.

+# Customer intent: I'm a developer integrating Azure Active Directory B2C with Onfido. I need to configure the Onfido service to verify identity in the sign-up or sign-in flow. My goal is to meet Know Your Customer and identity requirements and provide a reliable onboarding experience, while reducing fraud.

+# Customer intent: I'm a developer, and I want to learn how to configure Ping Identity with Azure Active Directory B2C for secure hybrid access (SHA). I need to extend the capabilities of Azure AD B2C and enable secure hybrid access using PingAccess and PingFederate.

+# Customer intent: As a security manager, I want to integrate Azure Active Directory B2C with Saviynt. I need visibility, security, and governance over user life-cycle management and access control.

+# Customer intent: As an IT admin, I want to integrate Azure Active Directory B2C with StrataMaverics Identity Orchestrator. I need to protect on-premises applications and enable customer single sign-on (SSO) to hybrid apps.

+# Customer intent: I'm a developer integrating Azure AD B2C authentication with Trusona Authentication Cloud. I want to configure Trusona Authentication Cloud as an identity provider (IdP) in Azure AD B2C, so I can enable passwordless authentication and provide a better user experience for my web application users.

+# Customer intent: I'm an Azure AD B2C administrator, and I want to integrate TypingDNA with Azure AD B2C. I need to comply with Payment Services Directive 2 (PSD2) transaction requirements through keystroke dynamics and strong customer authentication.

+# Customer intent: I'm a developer configuring Azure Active Directory B2C with Azure Web Application Firewall. I want to enable the WAF service for my B2C tenant with a custom domain, so I can protect my web applications from common exploits and vulnerabilities.

+# Customer intent: I'm a developer integrating WhoIAM Rampart with Azure AD B2C. I need to configure and integrate Rampart with Azure AD B2C using custom policies. My goal is to enable an integrated helpdesk and invitation-gated user registration experience for my application.

+# Customer intent: I'm a developer integrating Azure Active Directory B2C with a third-party identity management system. I need a tutorial to configure WhoIAM Branded Identity Management System (BRIMS) with Azure AD B2C. My goal is to enable user verification with voice, SMS, and email in my application.

+# Customer intent: As an Azure AD B2C administrator, I want to configure xID as an identity provider, so users can sign in using xID and authenticate with their digital identity on their device.

+# Customer intent: As an IT admin, I want to integrate Azure Active Directory B2C authentication with Zscaler Private Access. I need to provide secure access to private applications and assets without the need for a virtual private network (VPN).

+- Access to the Azure AI Vision Face Client SDK for mobile (IOS and Android). To get started, you need to apply for the [Face Recognition Limited Access features](https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR7en2Ais5pxKtso_Pz4b1_xUQjA5SkYzNDM4TkcwQzNEOE1NVEdKUUlRRCQlQCN0PWcu) to get access to the SDK. For more information, see the [Face Limited Access](/legal/cognitive-services/computer-vision/limited-access-identity?context=%2Fazure%2Fcognitive-services%2Fcomputer-vision%2Fcontext%2Fcontext) page.

+ curl --location '<insert-api-endpoint>/face/v1.1-preview.1/detectlivenesswithverify/singlemodal/sessions/3847ffd3-4657-4e6c-870c-8e20de52f567' \

+Vector embeddings are a way of representing content&mdash;text or images&mdash;as vectors of real numbers in a high-dimensional space. Vector embeddings are often learned from large amounts of textual and visual data using machine learning algorithms, such as neural networks.

+Each dimension of the vector corresponds to a different feature or attribute of the content, such as its semantic meaning, syntactic role, or context in which it commonly appears. In Azure AI Vision, image and text vector embeddings have 1024 dimensions.

+## Input requirements

+**Image input**

+- The file size of the image must be less than 20 megabytes (MB)

+- The dimensions of the image must be greater than 10 x 10 pixels and less than 16,000 x 16,000 pixels

+**Text input**

+- The text string must be between (inclusive) one word and 70 words.

+> [!TIP]

+> Input requirements for multi-modal embeddings are different and are listed in [Multi-modal embeddings](/azure/ai-services/computer-vision/concept-image-retrieval#input-requirements)

+## December 2023

+* [Text Analytics for health](./text-analytics-for-health/overview.md) new model 2023-12-01 is now available.

+* New Relation Type: `BodySiteOfExamination`

+ * Quality enhancements to support radiology documents

+ * Significant latency improvements

+ * Various bug fixes: Improvements across NER, Entity Linking, Relations and Assertion Detection

+| Medium, high | Yes | Yes | Default setting. Content detected at severity level low isn't filtered, content at medium and high is filtered.|

+^\* Only customers who have been approved for modified content filtering have full content filtering control and can turn content filters partially or fully off. Content filtering control doesn't apply to content filters for DALL-E (preview) or GPT-4 Turbo with Vision (preview). Apply for modified content filters using this form: [Azure OpenAI Limited Access Review: Modified Content Filtering (microsoft.com)](https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR7en2Ais5pxKtso_Pz4b1_xUMlBQNkZMR0lFRldORTdVQzQ0TEI5Q1ExOSQlQCN0PWcu).

+## Content streaming

+This section describes the Azure OpenAI content streaming experience and options. With approval, you have the option to receive content from the API as it's generated, instead of waiting for chunks of content that have been verified to pass your content filters.

+The content filtering system is integrated and enabled by default for all customers. In the default streaming scenario, completion content is buffered, the content filtering system runs on the buffered content, and ΓÇô depending on the content filtering configuration ΓÇô content is either returned to the user if it doesn't violate the content filtering policy (Microsoft's default or a custom user configuration), or itΓÇÖs immediately blocked and returns a content filtering error, without returning the harmful completion content. This process is repeated until the end of the stream. Content is fully vetted according to the content filtering policy before it's returned to the user. Content isn't returned token-by-token in this case, but in ΓÇ£content chunksΓÇ¥ of the respective buffer size.

+Customers who have been approved for modified content filters can choose the asynchronous modified filter as an additional option, providing a new streaming experience. In this case, content filters are run asynchronously, and completion content is returned immediately with a smooth token-by-token streaming experience. No content is buffered, which allows for zero latency.

+Customers must be aware that while the feature improves latency, it's a trade-off against the safety and real-time vetting of smaller sections of model output. Because content filters are run asynchronously, content moderation messages and policy violation signals are delayed, which means some sections of harmful content that would otherwise have been filtered immediately could be displayed to the user.

+**Annotations**: Annotations and content moderation messages are continuously returned during the stream. We strongly recommend you consume annotations in your app and implement additional AI content safety mechanisms, such as redacting content or returning additional safety information to the user.

+**Content filtering signal**: The content filtering error signal is delayed. In case of a policy violation, itΓÇÖs returned as soon as itΓÇÖs available, and the stream is stopped. The content filtering signal is guaranteed within a ~1,000-character window of the policy-violating content.

+Approval for modified content filtering is required for access to the asynchronous modified filter. The application can be found [here](https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR7en2Ais5pxKtso_Pz4b1_xURE01NDY1OUhBRzQ3MkQxMUhZSE1ZUlJKTiQlQCN0PWcu). To enable it in Azure OpenAI Studio, follow the [Content filter how-to guide](/azure/ai-services/openai/how-to/content-filters) to create a new content filtering configuration, and select **Asynchronous Modified Filter** in the Streaming section.

+### Comparison of content filtering modes

+| | Streaming - Default | Streaming - Asynchronous Modified Filter |

+| Eligibility |All customers |Customers approved for modified content filtering |

+| How to enable | Enabled by default, no action needed |Customers approved for modified content filtering can configure it directly in Azure OpenAI Studio (as part of a content filtering configuration, applied at the deployment level) |

+|Modality and availability |Text; all GPT models |Text; all GPT models except gpt-4-vision |

+|Content filtering signal |Immediate filtering signal |Delayed filtering signal (in up to ~1,000-character increments) |

+|Content filtering configurations |Supports default and any customer-defined filter setting (including optional models) |Supports default and any customer-defined filter setting (including optional models) |

+### Annotations and sample responses

+The text field will always be an empty string, indicating no new tokens. Annotations will only be relevant to already-sent tokens. There may be multiple annotation messages referring to the same tokens.

+`"start_offset"` and `"end_offset"` are low-granularity offsets in text (with 0 at beginning of prompt) to mark which text the annotation is relevant to.

+`"check_offset"` represents how much text has been fully moderated. It's an exclusive lower bound on the `"end_offset"` values of future annotations. It's non-decreasing.

+#### Sample response stream (passes filters)

+Below is a real chat completion response using asynchronous modified filter. Note how the prompt annotations aren't changed, completion tokens are sent without annotations, and new annotation messages are sent without tokens&mdash;they are instead associated with certain content filter offsets.

+#### Sample response stream (blocked by filters)

+# Customer intent: As a user who implements audio transcription, I want create transcriptions in bulk so that I don't have to submit audio content repeatedly.

+ az aks nodepool show --resource-group myResourceGroup --cluster-name myAKSCluster --name myNodePool --query artifactStreamingProfile

+ Title: Use a customer-managed key to encrypt Azure managed disks in Azure Kubernetes Service (AKS)

+description: Bring your own keys (BYOK) to encrypt managed OS and data disks in AKS.

+# Bring your own keys (BYOK) with Azure managed disks in Azure Kubernetes Service (AKS)

+Azure encrypts all data in a managed disk at rest. By default, data is encrypted with Microsoft-managed keys. For more control over encryption keys, you can supply customer-managed keys to use for encryption at rest for both the OS and data disks for your AKS clusters.

+* Encryption of an OS disk with customer-managed keys can only be enabled when creating an AKS cluster.

+* When encrypting an ephemeral OS disk-enabled node pool with customer-managed keys, if you want to rotate the key in Azure Key Vault, you need to:

+ * *control plane*

+ * *nodes*

+ * *node pools*

+* Workload resources:

+ * *pods*

+ * *deployments*

+ * *sets*

+- [AKS access and identity][aks-concepts-identity]

+- [AKS security][aks-concepts-security]

+- [AKS virtual networks][aks-concepts-network]

+- [AKS storage][aks-concepts-storage]

+- [AKS scale][aks-concepts-scale]

+> You can also execute this guidance from the [Azure Cloud Shell](/azure/cloud-shell/quickstart). This approach has all the prerequisite tools pre-installed, with the exception of Docker.

+>

+> [](https://shell.azure.com)

+

+ Create environment variables in your shell for the resource group names for the cluster and the database.

+ ### [Bash](#tab/in-bash)

+ ```bash

+ export RESOURCE_GROUP_NAME=<your-resource-group-name>

+ export DB_RESOURCE_GROUP_NAME=<your-resource-group-name>

+ ```

+ ### [PowerShell](#tab/in-powershell)

+ ```powershell

+ $Env:RESOURCE_GROUP_NAME="<your-resource-group-name>"

+ $Env:DB_RESOURCE_GROUP_NAME="<your-resource-group-name>"

+ ```

+

+1. Select **Next**, enter the **AKS** pane. This pane allows you to select an existing AKS cluster and Azure Container Registry (ACR), instead of causing the deployment to create a new one, if desired. This capability enables you to use the sidecar pattern, as shown in the [Azure architecture center](/azure/architecture/patterns/sidecar). You can also adjust the settings for the size and number of the virtual machines in the AKS node pool. The remaining values do not need to be changed from their default values.

+ 1. You can customize the **virtual network** and **subnet** into which the deployment will place the resources. The remaining values do not need to be changed from their default values.

+az group delete --name $DB_RESOURCE_GROUP_NAME --yes --no-wait

+az group delete --name $Env:DB_RESOURCE_GROUP_NAME --yes --no-wait

+ Title: Long-term support for Azure Kubernetes Service (AKS)

+description: Learn about Azure Kubernetes Service (AKS) long-term support for Kubernetes

+#Customer intent: As a cluster operator or developer, I want to understand how long-term support for Kubernetes on AKS works.

+# Long-term support

+The Kubernetes community releases a new minor version approximately every four months, with a support window for each version for one year. In Azure Kubernetes Service (AKS), this support window is called "Community support."

+AKS supports versions of Kubernetes that are within this Community support window, to push bug fixes and security updates from community releases.

+While innovation delivered with this release cadence provides huge benefits to you, it challenges you to keep up to date with Kubernetes releases, which can be made more difficult based on the number of AKS clusters you have to maintain.

+After approximately one year, the Kubernetes version exits Community support and your AKS clusters are now at risk as bug fixes and security updates become unavailable.

+AKS provides one year Community support and one year of long-term support (LTS) to back port security fixes from the community upstream in our public repository. Our upstream LTS working group contributes efforts back to the community to provide our customers with a longer support window.

+| | Community support |Long-term support |

+## Enable long-term support

+Enabling and disabling long-term support is a combination of moving your cluster to the Premium tier and explicitly selecting the LTS support plan.

+> While it's possible to enable LTS when the cluster is in Community support, you'll be charged once you enable the Premium tier.

+```azurecli

+> Enabling and disabling LTS is a combination of moving your cluster to the Premium tier, as well as enabling long-term support. Both must either be turned on or off.

+```azurecli

+```azurecli

+The AKS team currently tracks add-on versions where Kubernetes Community support exists. Once a version leaves Community support, we rely on open source projects for managed add-ons to continue that support. Due to various external factors, some add-ons and features may not support Kubernetes versions outside these upstream Community support windows.

+| Calico | Requires Calico Enterprise agreement past Community support |

+| Cillium | Requires Cillium Enterprise agreement past Community support |

+>You can't move your cluster to long-term support if any of these add-ons or features are enabled.

+>Whilst these AKS managed add-ons aren't supported by Microsoft, you're able to install the Open Source versions of these on your cluster if you wish to use it past Community support.

+```azurecli

+```azurecli

+The upstream Kubernetes community supports a two-minor-version upgrade path. The process migrates the objects in your Kubernetes cluster as part of the upgrade process, and provides a tested, and accredited migration path.

+```azurecli

+> Kubernetes 1.30.2 is used as an example version in this article. Check the [AKS release tracker](release-tracker.md) for available Kubernetes releases.

+- This feature is currently available in the following regions: West US 2, East Asia, UK South, East US, Australia Central, Australia East, Brazil South, Canada Central, Central India, East US 2, France Central, and Germany West Central, Israel Central, Italy North, Japan East, JioIndia West, Korea Central, Malaysia South, Mexico Central, North Central.

+ service:

+ service:

+2. Create an Azure Container Registry with a unique name by calling the [az acr create][az-acr-create] command. The following example creates an ACR named *myhelmacr* with the *Basic* SKU.

+2. Create an Azure Container Registry with a unique name by calling the [New-AzContainerRegistry][new-azcontainerregistry] cmdlet. The following example creates an ACR named *myhelmacr* with the *Basic* SKU.

+ New-AzContainerRegistry -ResourceGroupName myResourceGroup -Name myhelmacr -Sku Basic -Location eastus

+Backup is a long-running operation that may take several minutes to complete. During this time the API gateway continues to handle requests, but the state of the service is Updating.

+Backup is a long-running operation that may take several minutes to complete. If the request succeeded and the backup process began, you receive a `202 Accepted` response status code with a `Location` header. Make `GET` requests to the URL in the `Location` header to find out the status of the operation. While the backup is in progress, you continue to receive a `202 Accepted` status code. During this time the API gateway continues to handle requests, but the state of the service is Updating. A Response code of `200 OK` indicates successful completion of the backup operation.

+## IP addresses of Consumption, Basic v2, and Standard v2 tier API Management service

+If your API Management instance is created in a service tier that runs on a shared infrastructure, it doesn't have a dedicated IP address. Currently, instances in the following service tiers run on a shared infrastructure and without a deterministic IP address: Consumption, Basic v2 (preview), Standard v2 (preview).

+If you need to add the outbound IP addresses used by your Consumption, Basic v2, or Standard v2 tier instance to an allowlist, you can add the instance's data center (Azure region) to an allowlist. You can [download a JSON file that lists IP addresses for all Azure data centers](https://www.microsoft.com/download/details.aspx?id=56519). Then find the JSON fragment that applies to the region that your instance runs in.

+# Customer intent: As an Azure service administrator, I want to move my service resources to another Azure region.

+> When included in a request header or query parameter, the subscription key by default is passed to the backend and may be exposed in backend monitoring logs or other systems. If this is considered sensitive data, you can configure a policy at the end of the `inbound` section to remove the subscription key header ([`set-header`](set-header-policy.md)) or query parameter ([`set-query-parameter`](set-query-parameter-policy.md)).

+The following table summarizes the compute platforms currently used in the **Consumption**, **Developer**, **Basic**, **Standard**, and **Premium** tiers of API Management. This table doesn't apply to the [v2 pricing tiers (preview)](#what-about-the-v2-pricing-tiers).

+We're going to see how API Management can be used in a simplified scenario with Azure Functions and Azure AD B2C. You'll create a JavaScript (JS) app calling an API that signs in users with Azure AD B2C. Then you'll use API Management's validate-jwt, CORS, and Rate Limit By Key policy features to protect the Backend API.

+1. Configure the Function API to enable EasyAuth with the new Azure AD B2C Client IDs and Keys and lock down to APIM VIP

+1. Configure the Sample JS Client App with the new Azure AD B2C Client IDs and keys

+ > If you're using the API Management Consumption, Basic v2, and Standard v2 tiers then [there isn't a dedicated Azure API Management Virtual IP](./api-management-howto-ip-addresses.md#ip-addresses-of-consumption-basic-v2-and-standard-v2-tier-api-management-service) to allow-list with the functions access-restrictions. In the Azure API Management dedicated tiers [the VIP is single tenant and for the lifetime of the resource](./api-management-howto-ip-addresses.md#changes-to-the-ip-addresses). For the tiers that run on shared infrastructure, you can lock down your API calls via the shared secret function key in the portion of the URI you copied above. Also, for these tiers - steps 12-17 below do not apply.

+1. The following API settings are filled automatically based on information from the SOAP API: **Display name**, **Name**, **Description**. Operations are filled automatically with **Display name**, **URL**, and **Description**, and receive a system-generated **Name**.

+1. The following fields are filled automatically with information from the SOAP API: **Display name**, **Name**, **Description**. Operations are filled automatically with **Display name**, **URL**, and **Description**, and receive a system-generated **Name**.

+> [Transform and protect a published API](transform-api.md)

+ CONNECTED_CLUSTER_ID=$(az connectedk8s show --resource-group $GROUP_NAME --name $CLUSTER_NAME --query id --output tsv)

+For Diagnostic Settings restrictions, refer to the [official Diagnostic Settings documentation regarding destination limits](../azure-monitor/essentials/diagnostic-settings.md#destination-limitations).

+After Application Gateway is configured to use Key Vault certificates, its instances retrieve the certificate from Key Vault and install them locally for TLS termination. The instances poll Key Vault at four-hour intervals to retrieve a renewed version of the certificate, if it exists. If an updated certificate is found, the TLS/SSL certificate that's associated with the HTTPS listener is automatically rotated.

+> Any change to Application Gateway forces a check against Key Vault to see if any new versions of certificates are available. This includes, but not limited to, changes to Frontend IP Configurations, Listeners, Rules, Backend Pools, Resource Tags, and more. If an updated certificate is found, the new certificate is immediately presented.

+Application Gateway uses a secret identifier in Key Vault to reference the certificates. For Azure PowerShell, the Azure CLI, or Azure Resource Manager, we strongly recommend that you use a secret identifier that doesn't specify a version. This way, Application Gateway automatically rotates the certificate if a newer version is available in your Key Vault. An example of a secret URI without a version is `https://myvault.vault.azure.net/secrets/mysecret/`. You may refer to the PowerShell steps provided in the [following section](#key-vault-azure-role-based-access-control-permission-model).

+2. Select the Key Vault that contains your certificate.

+3. If you're using the permission model **Vault access policy**: Select **Access Policies**, select **+ Add Access Policy**, select **Get** for **Secret permissions**, and choose your user-assigned managed identity for **Select principal**. Then select **Save**.

+> [!NOTE]

+> If you have Key Vaults for your HTTPS listener that use different identities, creating or updating the listener requires checking the certificates associated with each identity. In order for the operation to be successful, you must [grant permission](../key-vault/general/rbac-guide.md) to all identities.

+> If using Private Endpoints to access Key Vault, you must link the privatelink.vaultcore.azure.net private DNS zone, containing the corresponding record to the referenced Key Vault, to the virtual network containing Application Gateway. Custom DNS servers may continue to be used on the virtual network instead of the Azure DNS provided resolvers, however the private DNS zone needs to remain linked to the virtual network as well.

+2. On the **Firewalls and virtual networks** tab, select **Selected networks**.

+3. For **Virtual networks**, select **+ Add existing virtual networks**, and then add the virtual network and subnet for your Application Gateway instance. If prompted, ensure the _Do not configure 'Microsoft.KeyVault' service endpoint(s) at this time_ checkbox is unchecked to ensure the `Microsoft.KeyVault` service endpoint is enabled on the subnet.

+4. Select **Yes** to allow trusted services to bypass the Key Vault's firewall.

+$secretId = $secret.Id.Replace($secret.Version, "") # Remove the secret version so Application Gateway uses the latest version in future syncs

+> It is important to consider any impact on your application gateway resource when making changes or revoking access to your Key Vault resource. If your application gateway is unable to access the associated key vault or locate the certificate object in it, the application gateway automatically sets the listener to a disabled state.

+> You can identify this user-driven event by viewing the Resource Health for your application gateway. [Learn more](../application-gateway/disabled-listeners.md).

+2. Select Advisor

+3. Select Operational Excellence category from the left menu.

+4. You find a recommendation titled **Resolve Azure Key Vault issue for your Application Gateway**, if your gateway is experiencing this issue. Ensure the correct subscription is selected from the drop-down options above.

+5. Select it to view the error details, the associated key vault resource and the [troubleshooting guide](../application-gateway/application-gateway-key-vault-common-errors.md) to fix your exact issue.

+For Advisor alert, use "Resolve Azure Key Vault issue for your Application Gateway" in the recommendation type shown:</br>

+You can configure the Resource health alert as illustrated:</br>

+| JavaScript/Node.js | App Configuration [provider](https://github.com/Azure/AppConfiguration-JavaScriptProvider) for JavaScript | Javascript/Node.js [quickstart](./quickstart-javascript-provider.md)|

+| Python | App Configuration [provider](https://pypi.org/project/azure-appconfiguration-provider/) for Python | Python [quickstart](./quickstart-python-provider.md)) |

+### Resource bridge configurations cannot be updated

+### Appliance Network Unavailable

+If Arc resource bridge is experiencing a network communication problem, you may see an "Appliance Network Unavailable" error when trying to perform an action that interacts with the resource bridge or an extension operating on top of the bridge. This error can also surface as "Error while dialing dial tcp xx.xx.xxx.xx:55000: connect: no route to host" and this is typically a network communication problem. The problem could be that communication from the host to the Arc resource bridge VM needs to be opened with the help of your network administrator. It could be that there was a temporary network issue not allowing the host to reach the Arc resource bridge VM and once the network issue is resolved, you can retry the operation.

+- There must be sufficient space on the management machine (~3.5 GB) and appliance VM (35 GB) to download required images.

+

+- For Arc-enabled VMware, upgrading the resource bridge requires 200GB of free space on the datastore. A new template is also created.

+> [!IMPORTANT]

+> Adding these tags to your license will NOT make the license free or reduce the number of license cores that are chargeable. These tags allow you to link your Azure machines to existing licenses that are already configured with payable cores without needing to create any new licenses or add additional cores to your free machines.

+ Install-Package Microsoft.Azure.Functions.Worker.Extensions.Storage.Queues

+> Running your containerized function apps on Kubernetes, either by using KEDA or by direct deployment, is an open-source effort that you can use free of cost. Best-effort support is provided by contributors and from the community by using [GitHub issues in the Azure Functions repository](https://github.com/Azure/Azure-Functions/issues). Please use these issues to report bugs and raise feature requests. Containerized function app deployments to Azure Container Apps, which runs on managed Kubernetes clusters in Azure, is currently in preview. For more information, see [Azure Container Apps hosting of Azure Functions](functions-container-apps-hosting.md).

+# Customer intent: As an IT manager, I want to understand the capabilities of Azure Monitor Agent to determine whether I can use the agent to collect the data I need from the operating systems of my virtual machines.

+# Customer intent: As a deployment engineer, I can scope the resources required to scale my gateway data colletors the use the Azure Monitor Agent.

+# Customer intent: When AMA is experiencing issues, I want to investigate the issues and determine if I can resolve the issue on my own.

+# Customer intent: When AMA is experiencing issues, I want to investigate the issues and determine if I can resolve the issue on my own.

+Stateful log alerts have limitations - details [here](https://learn.microsoft.com/azure/azure-monitor/service-limits#alerts).

+ This config map can be used to provide Prometheus scrape config for addon DaemonSet that runs on every **Linux** node in the cluster, and any node level targets on each node can be scraped by providing scrape jobs in this configmap. When you use this configmap, you can use `$NODE_IP` variable in your scrape config, which gets substituted by corresponding node's ip address in DaemonSet pod running on each node. This way you get access to scrape anything that runs on that node from the metrics addon DaemonSet. **Please be careful when you use discoveries in scrape config in this node level config map, as every node in the cluster will setup & discover the target(s) and will collect redundant metrics**.

+ This config map can be used to provide Prometheus scrape config for addon DaemonSet that runs on every **Windows** node in the cluster, and node level targets on each node can be scraped by providing scrape jobs in this configmap. When you use this configmap, you can use `$NODE_IP` variable in your scrape config, which will be substituted by corresponding node's ip address in DaemonSet pod running on each node. This way you get access to scrape anything that runs on that node from the metrics addon DaemonSet. **Please be careful when you use discoveries in scrape config in this node level config map, as every node in the cluster will setup & discover the target(s) and will collect redundant metrics**.

+### TLS based scraping

+If you have a Prometheus instance served with TLS and you want to scrape metrics from it, you need to set scheme to `https` and set the TLS settings in your configmap or respective CRD. You can use the `tls_config` configuration property inside a custom scrape job to configure the TLS settings either using a CRD or a configmap. You need to provide a CA certificate to validate API server certificate with. The CA certificate is used to verify the authenticity of the server's certificate when Prometheus connects to the target over TLS. It helps ensure that the server's certificate is signed by a trusted authority.

+The secret should be created in kube-system namespace and then the configmap/CRD should be created in kube-system namespace. The order of secret creation matters. When there's no secret but a valid CRD/config map, you will find errors in collector log -> `no file found for cert....`

+Below are the details about how to provide the TLS config settings through a configmap or CRD.

+- To provide the TLS config setting in a configmap, please create the self-signed certificate and key inside /etc/prometheus/certs directory inside your mtls enabled app.

+ An example tlsConfig inside the config map should look like this:

+```yaml

+tls_config:

+ ca_file: /etc/prometheus/certs/client-cert.pem

+ cert_file: /etc/prometheus/certs/client-cert.pem

+ key_file: /etc/prometheus/certs/client-key.pem

+ insecure_skip_verify: false

+```

+- To provide the TLS config setting in a CRD, please create the self-signed certificate and key inside /etc/prometheus/certs directory inside your mtls enabled app.

+ An example tlsConfig inside a Podmonitor should look like this:

+```yaml

+tlsConfig:

+ ca:

+ secret:

+ key: "client-cert.pem" # since it is self-signed

+ name: "ama-metrics-mtls-secret"

+ cert:

+ secret:

+ key: "client-cert.pem"

+ name: "ama-metrics-mtls-secret"

+ keySecret:

+ key: "client-key.pem"

+ name: "ama-metrics-mtls-secret"

+ insecureSkipVerify: false

+```

+> [!NOTE]

+> Make sure that the certificate file name and key name inside the mtls app is in the following format in case of a CRD based scraping.

+ For example: secret_kube-system_ama-metrics-mtls-secret_cert-name.pem and secret_kube-system_ama-metrics-mtls-secret_key-name.pem.

+> The CRD needs to be created in kube-system namespace.

+> The secret name should exactly be ama-metrics-mtls-secret in kube-system namespace. An example command for creating secret: kubectl create secret generic ama-metrics-mtls-secret --from-file=secret_kube-system_ama-metrics-mtls-secret_client-cert.pem=secret_kube-system_ama-metrics-mtls-secret_client-cert.pem --from-file=secret_kube-system_ama-metrics-mtls-secret_client-key.pem=secret_kube-system_ama-metrics-mtls-secret_client-key.pem -n kube-system

+To read more on TLS authentication, the following documents might be helpful.

+- Generating TLS certificates -> https://o11y.eu/blog/prometheus-server-tls/

+- Configurations -> https://prometheus.io/docs/alerting/latest/configuration/#tls_config

+# Customer intent: As an IT manager, I want to understand how I can use activity log insights to monitor changes to resources and resource groups in an Azure subscription.

+- **Virtual machine agents**: Metrics are collected from the guest operating system of a virtual machine. You can enable guest OS metrics for Windows virtual machines by using the [Azure Monitor Agent](/azure/azure-monitor/agents/agents-overview). Azure Monitor Agent replaces the legacy agents - [Windows diagnostic extension](../agents/diagnostics-extension-overview.md) and the [InfluxData Telegraf agent](https://www.influxdata.com/time-series-platform/telegraf/) for Linux virtual machines.

+# Customer intent: As a customer, I want to understand how to migrate from the metrics API to the getBatch API

+|[Azure VM Insights](/azure/azure-monitor/insights/vminsights-overview) |General Availability (GA) | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/virtualMachines) |Monitors your Azure VMs and Virtual Machine Scale Sets at scale. It analyzes the performance and health of your Windows and Linux VMs and monitors their processes and dependencies on other resources and external processes. |

+|[Azure Container Insights](/azure/azure-monitor/insights/container-insights-overview) |GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/containerInsights) |Monitors the performance of container workloads that are deployed to managed Kubernetes clusters hosted on Azure Kubernetes Service. It gives you performance visibility by collecting metrics from controllers, nodes, and containers that are available in Kubernetes through the Metrics API. Container logs are also collected. After you enable monitoring from Kubernetes clusters, these metrics and logs are automatically collected for you through a containerized version of the Log Analytics agent for Linux. |

+|[Azure Network Insights](../../network-watcher/network-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/networkInsights) | Provides a comprehensive view of health and metrics for all your network resources. The advanced search capability helps you identify resource dependencies, enabling scenarios like identifying resources that are hosting your website, by searching for your website name. |

+| [Azure Storage Insights](/azure/azure-monitor/insights/storage-insights-overview) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/storageInsights) | Provides comprehensive monitoring of your Azure Storage accounts by delivering a unified view of your Azure Storage services performance, capacity, and availability. |

+| [Azure Monitor Log Analytics Workspace](../logs/log-analytics-workspace-insights-overview.md) | Preview | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/lawsInsights) | Log Analytics Workspace Insights (preview) provides comprehensive monitoring of your workspaces through a unified view of your workspace usage, performance, health, agent, queries, and change log. This article will help you understand how to onboard and use Log Analytics Workspace Insights (preview). |

+| [Azure Key Vault Insights](../../key-vault/key-vault-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/keyvaultsInsights) | Provides comprehensive monitoring of your key vaults by delivering a unified view of your Key Vault requests, performance, failures, and latency. |

+| [Azure Monitor Application Insights](../app/app-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/applicationsInsights) | Extensible application performance management service that monitors the availability, performance, and usage of your web applications whether they're hosted in the cloud or on-premises. It uses the powerful data analysis platform in Azure Monitor to provide you with deep insights into your application's operations. It enables you to diagnose errors without waiting for a user to report them. Application Insights includes connection points to various development tools and integrates with Visual Studio to support your DevOps processes. |

+| [Azure activity Log Insights](../essentials/activity-log-insights.md) | Preview | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_DataProtection/BackupCenterMenuBlade/backupReportsConfigure/menuId/backupReportsConfigure) | Provides built-in monitoring and alerting capabilities in a Recovery Services vault. |

+|[Azure IoT Edge](../../iot-edge/how-to-explore-curated-visualizations.md) | GA | No | Visualize and explore metrics collected from the IoT Edge device right in the Azure portal by using Azure Monitor Workbooks-based public templates. The curated workbooks use built-in metrics from the IoT Edge runtime. These views don't need any metrics instrumentation from the workload modules. |

+| [Azure Stack HCI Insights](/azure-stack/hci/manage/azure-stack-hci-insights) | GA| [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/azureStackHCIInsights) | Based on Azure Monitor Workbooks. Provides health, performance, and usage insights about registered Azure Stack HCI version 21H2 clusters that are connected to Azure and enrolled in monitoring. It stores its data in a Log Analytics workspace, which allows it to deliver powerful aggregation and filtering and analyze data trends over time. |

+| [Azure Monitor Workbooks for Microsoft Entra ID](../../active-directory/reports-monitoring/howto-use-azure-monitor-workbooks.md) |GA| [Yes](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Workbooks) | Microsoft Entra ID provides workbooks to understand the effect of your Conditional Access policies, troubleshoot sign-in failures, and identify legacy authentications. |

+# Customer intent: As a DevOps manager or data scientist, I want to understand which AIOps features Azure Monitor offers and how to implement a machine learning pipeline on data in Azure Monitor Logs so that I can use artifical intelligence to improve service quality and reliability of my IT environment.

+# Customer intent: As an IT manager, I want to understand the data and service resilience benefits Azure Monitor availability zones provide to ensure my data and services are sufficiently protected in the event of datacenter failure.

+| Bare Metal Machines | [NCBMSecurityDefenderLogs](/azure/azure-monitor/reference/tables/ncbmsecuritydefenderlogs)<br>[NCBMSystemLogs](/azure/azure-monitor/reference/tables/NCBMSystemLogs)<br>[NCBMSecurityLogs](/azure/azure-monitor/reference/tables/NCBMSecurityLogs) |

+# Customer intent: As a DevOps engineer, I want to ingest data from an event hub into a Log Analytics workspace so that I can monitor logs that I send to Azure Event Hubs.

+# Customer intent: As an IT manager, I want to understand the steps required to migrate my Splunk deployment to Azure Monitor Logs so that I can decide whether to migrate and plan and execute my migration.

+# Customer intent: As a data scientist or workspace administrator, I want an efficient way to search through large volumes of data in a table, including archived and basic logs.

+ :::image type="content" source="./media/access-smb-volume-from-windows-client/api-permissions.png" alt-text="Screenshot to register API permissions." lightbox="./media/access-smb-volume-from-windows-client/api-permissions.png":::

+ :::image type="content" source="./media/access-smb-volume-from-windows-client/grant-admin-consent.png" alt-text="Screenshot to grant API permissions." lightbox="./media/access-smb-volume-from-windows-client/grant-admin-consent.png ":::

+ :::image type="content" source="./media/access-smb-volume-from-windows-client/authentication-registration.png" alt-text="Screenshot of app registrations." lightbox="./media/access-smb-volume-from-windows-client/authentication-registration.png":::

+ :::image type="content" source="./media/access-smb-volume-from-windows-client/define-host-name-to-kerberos.png" alt-text="Screenshot to define how-name-to-Kerberos real mappings." lightbox="./media/access-smb-volume-from-windows-client/define-host-name-to-kerberos.png":::

+ :::image type="content" source="./media/access-smb-volume-from-windows-client/klist-output.png" alt-text="Screenshot of CLI output." lightbox="./media/access-smb-volume-from-windows-client/klist-output.png":::

+ [  ](./media/application-volume-group-add-hosts/application-multiple-hosts-sap-hana.png#lightbox)

+ [  ](./media/application-volume-group-add-hosts/application-multiple-hosts-volumes.png#lightbox)

+ [  ](./media/application-volume-group-add-hosts/application-multiple-review-create.png#lightbox)

+ [  ](./media/application-volume-group-add-hosts/application-multiple-create-groups.png#lightbox)

+ 

+ [  ](./media/application-volume-group-add-volume-secondary/application-secondary-sap-hana.png#lightbox)

+ [  ](./media/application-volume-group-add-volume-secondary/application-secondary-volume-group-tags.png#lightbox)

+ [  ](./media/application-volume-group-add-volume-secondary/application-secondary-volumes-tags.png#lightbox)

+ [  ](./media/application-volume-group-add-volume-secondary/application-secondary-volumes-tag-details.png#lightbox)

+ [ ](./media/application-volume-group-delete/application-volume-group-list.png#lightbox)

+ [](./media/application-volume-group-delete/application-volume-group-delete.png#lightbox)

+ [  ](./media/application-volume-group-deploy-first-host/application-volume-group-add-group.png#lightbox)

+ [  ](./media/application-volume-group-deploy-first-host/application-volume-group-create-group.png#lightbox)

+ [  ](./media/application-volume-group-deploy-first-host/application-sap-hana-tag.png#lightbox)

+ [  ](./media/application-volume-group-deploy-first-host/application-volume-group-tag.png#lightbox)

+ [  ](./media/application-volume-group-deploy-first-host/application-add-tags.png#lightbox)

+ [  ](./media/application-volume-group-deploy-first-host/application-protocols-tag.png#lightbox)

+ [  ](./media/application-volume-group-deploy-first-host/application-volume-list.png#lightbox)

+ [  ](./media/application-volume-group-deploy-first-host/application-create-volume-basics-tab.png#lightbox)

+ [  ](./media/application-volume-group-deploy-first-host/application-create-volume-protocol-tab.png#lightbox)

+ [  ](./media/application-volume-group-deploy-first-host/application-volume-details.png#lightbox)

+ [  ](./media/application-volume-group-deploy-first-host/application-volume-remove.png#lightbox)

+ [  ](./media/application-volume-group-deploy-first-host/application-review-create.png#lightbox)

+ [  ](./media/application-volume-group-deploy-first-host/application-deployment-in-progress.png#lightbox)

+ [  ](./media/application-volume-group-deploy-first-host/application-new-volume-group.png#lightbox)

+ 

+ [  ](./media/application-volume-group-disaster-recovery/application-cross-region-create-volume.png#lightbox)

+ [  ](./media/application-volume-group-disaster-recovery/application-cross-region-multiple-disabled.png#lightbox)

+ [  ](./media/application-volume-group-disaster-recovery/application-cross-region-volume-types.png#lightbox)

+ [  ](./media/application-volume-group-disaster-recovery/application-cross-region-replication-tab.png#lightbox)

+[  ](./media/application-volume-group-disaster-recovery/replicate-only-primary-database-volumes.png#lightbox)

+[  ](./media/application-volume-group-disaster-recovery/replicate-both-primary-secondary-database-volumes.png#lightbox)

+ [](./media/application-volume-group-manage-volumes/application-volume-group-overview.png#lightbox)

+ 

+ 

+ 

+

+ 

+ 

+ 

+ :::image type="content" source="./media/azure-netapp-files-configure-nfsv41-domain/nfsv4-id-domain.png" alt-text="Screenshot with field to set NFSv4 domain." lightbox="./media/azure-netapp-files-configure-nfsv41-domain/nfsv4-id-domain.png":::

+

+

+

+[  ](./media/azure-netapp-files-cost-model/cost-model-example-one-capacity.png#lightbox)

+[  ](./media/azure-netapp-files-cost-model/cost-model-example-one-pricing.png#lightbox)

+[  ](./media/azure-netapp-files-cost-model/cost-model-example-two-capacity.png#lightbox)

+[  ](./media/azure-netapp-files-cost-model/cost-model-example-two-pricing.png#lightbox)

+ 

+ 

+ 

+ 

+ :::image type="content" source="./media/azure-netapp-files-create-volumes-smb/azure-netapp-files-protocol-smb.png" alt-text="Screenshot showing the Protocol tab of creating an SMB volume." lightbox="./media/azure-netapp-files-create-volumes-smb/azure-netapp-files-protocol-smb.png":::

+

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ :::image type="content" source="./media/azure-netapp-files-metrics/metrics-select-pool-volume.png" alt-text="Screenshot that shows how to access Azure NetApp Files metrics for capacity pools or volumes." lightbox="./media/azure-netapp-files-metrics/metrics-select-pool-volume.png":::

+ :::image type="content" source="./media/azure-netapp-files-metrics/metrics-navigate-volume.png" alt-text="Snapshot that shows how to navigate to the Metric pull-down." lightbox="./media/azure-netapp-files-metrics/metrics-navigate-volume.png":::

+ :::image type="content" source="./media/azure-netapp-files-metrics/throughput-limit-reached.png" alt-text="Screenshot that shows Azure NetApp Files metrics a line graph demonstrating throughput limit reached." lightbox="./media/azure-netapp-files-metrics/throughput-limit-reached.png":::

+ :::image type="content" source="./media/azure-netapp-files-mount-unmount-volumes-for-virtual-machines/azure-netapp-files-mount-instructions-nfs.png" alt-text="Screenshot of Mount instructions." lightbox="./media/azure-netapp-files-mount-unmount-volumes-for-virtual-machines/azure-netapp-files-mount-instructions-nfs.png":::

+

+

+

+ 

+ 

+ 

+ 

+ 

+ :::image type="content" source="./media/shared/azure-netapp-files-new-capacity-pool.png" alt-text="Screenshot of new capacity pool options.":::

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+

+

+ 

+ :::image type="content" source="./media/shared/azure-netapp-files-new-capacity-pool.png" alt-text="Screenshot showing the New Capacity Pool window.":::

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+ <!-- :::image type="content" source="./media/backup-configure-policy-based/backup-navigate.png" alt-text="Screenshot that shows how to navigate to Backups option." lightbox="./media/backup-configure-policy-based/backup-navigate.png"::: -->

+ :::image type="content" source="./media/backup-configure-policy-based/backup-policy-window-daily.png" alt-text="Screenshot that shows the Backup Policy window." lightbox="./media/backup-configure-policy-based/backup-policy-window-daily.png":::

+ :::image type="content" source="./media/shared/backup-configure-enabled.png" alt-text="Screenshot showing Configure Backups window." lightbox="./media/shared/backup-configure-enabled.png":::

+ 

+ 

+ :::image type="content" source="./media/backup-manage-policies/backup-policies-edit.png" alt-text="Screenshot that shows context sensitive menu of Backup Policies." lightbox="./media/backup-manage-policies/backup-policies-edit.png":::

+ :::image type="content" source="./media/backup-manage-policies/backup-modify-policy.png" alt-text="Screenshot showing the Modify Backup Policy window." lightbox="./media/backup-manage-policies/backup-modify-policy.png":::

+ 

+ 

+ :::image type="content" source="./media/backup-restore-new-volume/backup-restore-new-volume.png" alt-text="Screenshot of selecting restore backup to new volume." lightbox="./media/backup-restore-new-volume/backup-restore-new-volume.png":::

+ 

+ :::image type="content" source="./media/backup-search/backup-search-vault.png" alt-text="Screenshot that shows a list of backups in a vault." lightbox="./media/backup-search/backup-search-vault.png":::

+ :::image type="content" source="./media/backup-search/backup-search-volume-level.png" alt-text="Screenshot that shows a list of backup for a volume." lightbox="./media/backup-search/backup-search-volume-level.png":::

+ :::image type="content" source="./media/backup-vault-manage/backup-vault-create.png" alt-text="Screenshot of backup vault creation." lightbox="./media/backup-vault-manage/backup-vault-create.png":::

+ :::image type="content" source="./media/backup-vault-manage/backup-vault-assign.png" alt-text="Screenshot of backup vault assignment." lightbox="./media/backup-vault-manage/backup-vault-assign.png":::

+ :::image type="content" source="./media/backup-vault-manage/backup-vault-delete.png" alt-text="Screenshot of deleting a backup vault." lightbox="./media/backup-vault-manage/backup-vault-delete.png":::

+ :::image type="content" source="./media/configure-customer-managed-keys/encryption-menu.png" alt-text="Screenshot of the encryption menu." lightbox="./media/configure-customer-managed-keys/encryption-menu.png":::

+ :::image type="content" source="./media/configure-customer-managed-keys/select-key.png" alt-text="Screenshot of the select a key interface." lightbox="./media/configure-customer-managed-keys/select-key.png":::

+ :::image type="content" source="./media/configure-customer-managed-keys/key-enter-uri.png" alt-text="Screenshot of the encryption menu showing key URI field." lightbox="./media/configure-customer-managed-keys/key-enter-uri.png":::

+ :::image type="content" source="./media/configure-customer-managed-keys/encryption-system-assigned.png" alt-text="Screenshot of the encryption menu with system-assigned options." lightbox="./media/configure-customer-managed-keys/encryption-system-assigned.png":::

+ :::image type="content" source="./media/configure-customer-managed-keys/encryption-user-assigned.png" alt-text="Screenshot of user-assigned submenu." lightbox="./media/configure-customer-managed-keys/encryption-user-assigned.png":::

+ :::image type="content" source="./media/configure-customer-managed-keys/rbac-permission.png" alt-text="Screenshot of access configuration menu." lightbox="./media/configure-customer-managed-keys/rbac-permission.png":::

+ :::image type="content" source="./media/configure-customer-managed-keys/rbac-review-assign.png" alt-text="Screenshot of RBAC review and assign menu." lightbox="./media/configure-customer-managed-keys/rbac-review-assign.png":::

+ :::image type="content" source="./media/configure-customer-managed-keys/keys-create-volume.png" alt-text="Screenshot of create volume menu." lightbox="./media/configure-customer-managed-keys/keys-create-volume.png":::

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ [ ](./media/configure-network-features/network-features-volume-list.png#lightbox)

+ :::image type="content" source="./media/configure-network-features/edit-network-features.png" alt-text="Screenshot showing the Edit Network Features window." lightbox="./media/configure-network-features/edit-network-features.png":::

+ :::image type="content" source="./media/configure-network-features/terraform-lifecycle.png" alt-text="Screenshot of the lifecycle configuration." lightbox="./media/configure-network-features/terraform-lifecycle.png":::

+ :::image type="content" source="./media/configure-network-features/change-network-features-standard.png" alt-text="Screenshot of confirm change of network features." lightbox="./media/configure-network-features/change-network-features-standard.png":::

+ :::image type="content" source="./media/configure-network-features/terraform-plan-output.png" alt-text="Screenshot of terraform plan command output." lightbox="./media/configure-network-features/terraform-plan-output.png":::

+ :::image type="content" source="./media/configure-network-features/updated-terraform-module.png" alt-text="Screenshot of updated Terraform module." lightbox="./media/configure-network-features/updated-terraform-module.png":::

+ :::image type="content" source="./media/configure-network-features/terraform-network-features-standard.png" alt-text="Screenshot of Terraform module with Standard network features." lightbox="./media/configure-network-features/terraform-network-features-standard.png":::

+ 

+ 

+ 

+ :::image type="content" source="./media/configure-virtual-wan/virtual-hub-route-table.png" alt-text="Screenshot of virtual hub route table.":::

+ :::image type="content" source="./media/configure-virtual-wan/route-table-edit.png" alt-text="Screenshot of route table edits.":::

+ 

+ 

+ 

+ :::image type="content" source="./media/create-active-directory-connections/azure-netapp-files-join-active-directory.png" alt-text="Screenshot of the Join Active Directory input fields.":::

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ :::image type="content" source="./media/create-cross-zone-replication/create-volume-availability-zone.png" alt-text="Screenshot of the 'Create a Zone' menu requires you to select an availability zone." lightbox="./media/create-cross-zone-replication/create-volume-availability-zone.png":::

+ :::image type="content" source="./media/create-cross-zone-replication/zone-replication-review-create.png" alt-text="Screenshot showing the need to confirm selection of correct availability zone in the Review and Create page." lightbox="./media/create-cross-zone-replication/zone-replication-review-create.png":::

+ :::image type="content" source="./media/create-cross-zone-replication/zone-replication-volume-overview.png" alt-text="The selected availability zone will display when you create the volume." lightbox="./media/create-cross-zone-replication/zone-replication-volume-overview.png":::

+ :::image type="content" source="./media/create-cross-zone-replication/zone-replication-create-new-volume.png" alt-text="Select an availability zone for the cross-zone replication volume." lightbox="./media/create-cross-zone-replication/zone-replication-create-new-volume.png":::

+ 

+ 

+ 

+ 

+ 

+

+

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ :::image type="content" source="./media/default-individual-user-group-quotas-introduction/user-quota-administrator-view.png" alt-text="Screenshot showing administrator view of user quota and consumption.":::

+ :::image type="content" source="./media/default-individual-user-group-quotas-introduction/user-quota-user-view.png" alt-text="Screenshot showing user view of user quota and consumption.":::

+ :::image type="content" source="./media/disable-showmount/disable-showmount.png" alt-text="Screenshot of the Azure interface depicting the disable showmount option." lightbox="./media/disable-showmount/disable-showmount.png":::

+ 

+ 

+ 

+

+ [  ](./media/manage-availability-zone-volume-placement/availability-zone-menu-drop-down.png#lightbox)

+ [  ](./media/manage-availability-zone-volume-placement/availability-zone-display-down.png#lightbox)

+ :::image type="content" source="./media/manage-availability-zone-volume-placement/availability-zone-volume-overview.png" alt-text="Screenshot of volume properties interface." lightbox="./media/manage-availability-zone-volume-placement/availability-zone-volume-overview.png":::

+ > :::image type="content" source="./media/manage-availability-zone-volume-placement/populate-availability-zone.png" alt-text="Screenshot of the Populate Availability Zone window." lightbox="./media/manage-availability-zone-volume-placement/populate-availability-zone.png":::

+ :::image type="content" source="./media/manage-availability-zone-volume-placement/populate-availability-zone.png" alt-text="Screenshot of the Populate Availability Zone menu." lightbox="./media/manage-availability-zone-volume-placement/populate-availability-zone.png":::

+ 

+ [  ](./media/manage-billing-tags/cost-analysis.png#lightbox)

+ [  ](./media/manage-billing-tags/azure-cost-invoices.png#lightbox)

+ 

+ [  ](./media/manage-billing-tags/spreadsheet-download.png#lightbox)

+ :::image type="content" source="./media/manage-cool-access/cool-access-new-capacity-pool.png" alt-text="Screenshot that shows the New Capacity Pool window with the Enable Cool Access option selected." lightbox="./media/manage-cool-access/cool-access-new-capacity-pool.png":::

+ :::image type="content" source="./media/manage-cool-access/cool-access-existing-pool.png" alt-text="Screenshot that shows the right-click menu on an existing capacity pool. The menu enables you to select the Enable Cool Access option." lightbox="./media/manage-cool-access/cool-access-existing-pool.png":::

+ :::image type="content" source="./media/manage-cool-access/cool-access-new-volume.png" alt-text="Screenshot that shows the Create a Volume page. Under the basics tab, the Enable Cool Access checkbox is selected. The options for the cool access retrieval policy are displayed. " lightbox="./media/manage-cool-access/cool-access-new-volume.png":::

+ :::image type="content" source="./media/manage-cool-access/cool-access-existing-volume.png" alt-text="Screenshot that shows the Enable Cool Access window with the Enable Cool Access field selected. " lightbox="./media/manage-cool-access/cool-access-existing-volume.png":::

+ 

+ 

+ 

+ 

+

+ 

+ :::image type="content" source="./media/manage-smb-share-access-control-lists/security-advanced-tab.png" alt-text="Screenshot of security tab." lightbox="./media/manage-smb-share-access-control-lists/security-advanced-tab.png":::

+ :::image type="content" source="./media/manage-smb-share-access-control-lists/view-permissions.png" alt-text="Screenshot of the permissions tab." lightbox="./media/manage-smb-share-access-control-lists/view-permissions.png":::

+ :::image type="content" source="./media/manage-smb-share-access-control-lists/view-shares.png" alt-text="Screenshot of the share tab." lightbox="./media/manage-smb-share-access-control-lists/view-shares.png":::

+ :::image type="content" source="./media/manage-smb-share-access-control-lists/computer-management-local.png" alt-text="Screenshot of the computer management window." lightbox="./media/manage-smb-share-access-control-lists/computer-management-local.png":::

+ :::image type="content" source="./media/manage-smb-share-access-control-lists/share-folder.png" alt-text="Screenshot of the share folder." lightbox="./media/manage-smb-share-access-control-lists/share-folder.png":::

+ :::image type="content" source="./media/manage-smb-share-access-control-lists/add-share.png" alt-text="Screenshot showing how to add a share." lightbox="./media/manage-smb-share-access-control-lists/add-share.png":::

+ [  ](./media/monitor-volume-capacity/monitor-explorer-drive-properties.png#lightbox)

+ 

+

+ :::image type="content" source="./media/mount-volumes-vms-smb/azure-netapp-files-mount-instructions-smb.png" alt-text="Screenshot of Mount instructions." lightbox="./media/mount-volumes-vms-smb/azure-netapp-files-mount-instructions-smb.png":::

+

+

+

+

+

+

+

+

+

+

+ :::image type="content" alt-text="Screenshot of output of ip a command." source="./media/performance-oracle-multiple-volumes/ip-a-command-output.png":::

+ :::image type="content" alt-text="Screenshot of output of settings for eth1." source="./media/performance-oracle-multiple-volumes/ethtool-output.png":::

+ :::image type="content" alt-text="Screenshot of a table showing top cells by percentage CPU." source="./media/performance-oracle-multiple-volumes/exadata-top-cells.png":::

+

+

+

+

+

+

+

+

+

+

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ [](./media/snapshots-introduction/single-file-snapshot-restore-one.png#lightbox)

+ [](./media/snapshots-introduction/single-file-snapshot-restore-two.png#lightbox)

+ [](./media/snapshots-introduction/single-file-snapshot-restore-three.png#lightbox)

+ [  ](./media/snapshots-introduction/single-file-snapshot-restore-four.png#lightbox)

+[ ](./media/snapshots-introduction/snapshots-used-space-over-time.png#lightbox)

+[ ](./media/snapshots-introduction/snapshot-traffic-cross-region-replication.png#lightbox)

+[  ](./media/snapshots-introduction/snapshot-data-transfer-backup-storage.png#lightbox)

+[

+](./media/snapshots-introduction/snapshot-restore-clone-new-volume.png#lightbox)

+[](./media/snapshots-introduction/snapshot-restore-clone-target-volume.png#lightbox)

+[

+](./media/snapshots-introduction/snapshot-volume-revert.png#lightbox)

+[](./media/snapshots-introduction/snapshot-file-directory-access.png#lightbox)

+[](./media/snapshots-introduction/snapshot-access-cross-region-replication.png#lightbox)

+ [](./media/snapshots-introduction/single-file-snapshot-restore-five.png#lightbox)

+[](./media/snapshots-introduction/snapshot-restore-vaulted-new-volume.png#lightbox)

+[](./media/snapshots-introduction/snapshot-delete-storage-consumption.png#lightbox)

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ [  ](./media/snapshots-restore-file-single/snapshot-restore-files-menu.png#lightbox)

+ 

+ 

+ :::image type="content" source="./media/snapshots-restore-new-volume/snapshot-restore-new-volume.png" alt-text="Screenshot showing the Create a Volume window for restoring a volume from a snapshot.":::

+ 

+

+

+

+ 

+ 

+

+[  ](./media/solutions-benefits-azure-netapp-files-sql-server/solution-sql-server-cost-1-tib.png#lightbox)

+[  ](./media/solutions-benefits-azure-netapp-files-sql-server/solution-sql-server-cost-50-tib.png#lightbox)

+

+

+

+

+

+ :::image type="content" source="./media/troubleshoot-diagnose-solve-problems/troubleshoot-issue-types.png" alt-text="Screenshot that shows an example of issue types in diagnose and solve problems page." lightbox="./media/troubleshoot-diagnose-solve-problems/troubleshoot-issue-types.png":::

+ :::image type="content" source="./media/troubleshoot-diagnose-solve-problems/troubleshoot-diagnose-pull-down.png" alt-text="Screenshot that shows the pull-down menu for problem subtype selection." lightbox="./media/troubleshoot-diagnose-solve-problems/troubleshoot-diagnose-pull-down.png":::

+ :::image type="content" source="./media/troubleshoot-diagnose-solve-problems/troubleshoot-problem-subtype.png" alt-text="Screenshot that shows the capacity pool troubleshoot page." lightbox="./media/troubleshoot-diagnose-solve-problems/troubleshoot-problem-subtype.png":::

+ :::image type="content" source="./media/troubleshoot-file-locks/break-file-locks.png" alt-text="Screenshot of break file locks portal." lightbox="./media/troubleshoot-file-locks/break-file-locks.png":::

+ :::image type="content" source="./media/troubleshoot-user-access-ldap/troubleshoot-ldap-user-id.png" alt-text="Screenshot of the LDAP group ID list portal." lightbox="./media/troubleshoot-user-access-ldap/troubleshoot-ldap-user-id.png":::

+| Azure NetApp Files |  |  |  |

+

+

+

+

+

+

+

+

+ 

+

+

+

+

+

+

+

+ 

+ 

+ 

+ 

+[  ](./media/volume-hard-quota-guidelines/hard-quota-update-cloud-shell-link.png#lightbox)

+[  ](./media/volume-hard-quota-guidelines/hard-quota-update-cloud-shell-window.png#lightbox)

+[  ](./media/volume-hard-quota-guidelines/hard-quota-update-powershell-volume-show.png#lightbox)

+[  ](./media/volume-hard-quota-guidelines/hard-quota-update-powershell-volume-update.png#lightbox)

+[  ](./media/volume-hard-quota-guidelines/hard-quota-update-powershell-pool-show.png#lightbox)

+[  ](./media/volume-hard-quota-guidelines/hard-quota-update-powershell-pool-update.png#lightbox)

+ 

+1. In the **Support method** section, select the **Support plan**, the **Severity** level, depending on the business impact. The [maximum available severity level and time to respond](https://azure.microsoft.com/support/plans/response/) depends on your [support plan](https://azure.microsoft.com/support/plans) and the country/region in which you're located, including the timing of business hours in that country/region.

+ > [!TIP]

+ > To add a support plan that requires an **Access ID** and **Contract ID**, select **Help + Support** > **Support plans** > **Link support benefits**. When a limited support plan expires or has no support incidents remaining, it won't be available to select.

+If your environment doesn't have nuget.org configured as a package feed, depending on how `nuget.config` is configured, you might need to run the following command:

+```powershell

+dotnet nuget add source https://api.nuget.org/v3/index.json -n nuget.org

+```

+In certain environments, using a single package feed helps prevent problems arising from packages with the same ID and version containing different contents in different feeds. For Azure Artifacts users, this can be done using the [upstream sources feature](/azure/devops/artifacts/concepts/upstream-sources).

+The latest NuGet package versions match the latest [Bicep CLI](./bicep-cli.md) version.

+ When included in project file's `PackageReference` property, the `Azure.Bicep.MSBuild` package imports the Bicep task used for invoking the Bicep CLI.

+ The `Azure.Bicep.CommandLine.*` packages are available for Windows, Linux, and macOS. The following example references the package for Windows.

+ or

+- **Cross Region Restore for MARS**: If your Recovery Services vault uses GRS resiliency and has the [Cross Region Restore setting turned on](backup-create-recovery-services-vault.md#set-cross-region-restore), you can restore the backup data from the secondary region.

+## Cross Region Restore

+- [Cross Region Restore for MARS (Preview)](about-restore-microsoft-azure-recovery-services.md#cross-region-restore)

+## Cross Region Restore support for PostgreSQL using Azure Backup

+Learn [how to perform Cross Region Restore](create-manage-backup-vault.md#perform-cross-region-restore-using-azure-portal).

+>- Backup vaults enabled with Cross Region Restore are automatically charged at [RA-GRS rates](https://azure.microsoft.com/pricing/details/backup/) for the PostgreSQL backups stored in the vault.

+- [Create and manage Backup vault](create-manage-backup-vault.md#perform-cross-region-restore-using-azure-portal).

+**Recommendation**: Ensure that only one Backup vault is selected for every move operation.

+## Perform Cross Region Restore using Azure portal

+The Cross Region Restore option allows you to restore data in a secondary Azure paired region. To configure Cross Region Restore for the backup vault: 

+1. [Create a new Backup vault](create-manage-backup-vault.md#create-backup-vault) or choose an existing Backup vault, and then enable Cross Region Restore by going to **Properties** > **Cross Region Restore**, and choose **Enable**.

+ The recovery points available in the secondary region are now listed.

+1. Select **Restore to secondary region**.

+> [!NOTE]

+> Cross Region Restore is currently only available for PostGreSQL servers.

+- [Configure backup on Azure PostgreSQL databases](backup-azure-database-postgresql.md#configure-backup-on-azure-postgresql-databases)

+ Title: Quickstart - Restore a PostgreSQL database across regions using Azure Backup

+description: Learn how to restore a PostgreSQL database across regions by using Azure Backup.

+# Quickstart: Restore a PostgreSQL database across regions by using Azure Backup

+This quickstart describes how to enable Cross Region Restore on your Backup vault to restore the data to an alternate region when the primary region is down.

+The Cross Region Restore option allows you to restore data in a secondaryΓÇ»[Azure paired region](/azure/availability-zones/cross-region-replication-azure) even when no outage occurs in the primary region; thus, enabling you to perform drills when there's an audit or compliance requirement.

+> [!NOTE]

+>- Currently, Geo-redundant Storage (GRS) vaults with Cross Region Restore enabled can't be changed to Zone-redundant Storage (ZRS) or Locally redundant Storage (LRS) after the protection starts for the first time.

+>- Cross Regional Restore (CRR) with Cross Subscription Restore (CSR) is currently not supported.

+## Prerequisites

+To begin with the Cross Region Restore, ensure that:

+- A Backup vault with Cross Region Restore configured. [Create one](./create-manage-backup-vault.md#create-a-backup-vault) in case you donΓÇÖt a Backup vault.

+- PostgreSQL database is protected by using Azure Backup, and one full backup is run. To protect and back up a database, see [Back up Azure Database for PostgreSQL server](backup-azure-database-postgresql.md).

+## Restore the database using Azure portal

+To restore the database to the secondary region using the Azure portal, follow these steps:

+1. Sign in to [Azure portal](https://portal.azure.com/).

+1. To check the available recovery point in the secondary region, go to theΓÇ»**Backup center**ΓÇ»>ΓÇ»**Backup Instances**.

+1. Filter to **Azure Database for PostgreSQL servers**, then filter **Instance Region** as *Secondary Region*.

+1. Select the required Backup instance.

+ The recovery points available in the secondary region are now listed.

+1. Select **Restore to secondary region** to review the target region selected, and then select the appropriate recovery point and restore parameters.

+ You can also trigger restores from the respective backup instance.

+ :::image type="content" source="./media/create-manage-backup-vault/restore-to-secondary-region.png" alt-text="Screenshot showing how to restore to secondary region." lightbox="./media/create-manage-backup-vault/restore-to-secondary-region.png":::

+

+1. Once the restore starts, you can monitor the completion of the restore operation under **Backup Jobs** of the Backup vault by filtering **Datasource type** to *Azure Database for PostgreSQL servers*  and **Instance Region** to *Secondary Region*.

+

+## Next steps

+- [Learn about the Cross Region Restore](./tutorial-cross-region-restore.md) feature.

+ Title: Quickstart - Cross region restore for PostgreSQL database with PowerShell by using Azure Backup

+description: In this Quickstart, learn how to restore PostgreSQL database across region with the Azure PowerShell module.

+ms.devlang: azurecli

+# Quickstart: Restore Azure Database for PostgreSQL server across regions with PowerShell by using Azure Backup

+This quickstart describes how to configure and perform cross-region restore for Azure Database for PostgreSQL server with Azure PowerShell.

+[Azure Backup](backup-overview.md) allows you to back up and restore the Azure Database for PostgreSQL server. The [Azure PowerShell AZ](/powershell/azure/new-azureps-module-az) module allows you to create and manage Azure resources from the command line or in scripts. If you want to restore the PostgreSQL database across regions by using the Azure portal, see [this Quickstart](quick-cross-region-restore.md).

+## Enable Cross Region Restore for Backup vault

+To enable the Cross Region Restore feature on the Backup vault that has Geo-redundant Storage enabled, run the following cmdlet:

+```azurepowershell

+Update-AzDataProtectionBackupVault -SubscriptionId $subscriptionId -ResourceGroupName $resourceGroupName -CrossRegionRestoreState $CrossRegionRestoreState

+```

+>[!Note]

+>You can't disable Cross Region Restore once protection has started with this feature enabled.

+## Configure restore for the PostgreSQL database to a secondary region

+To restore the database to a secondary region after enabling Cross Region Restore, run the following cmdlets:

+1. Fetch the backup instances from secondary region.

+ ```azurepowershell

+ Search-AzDataProtectionBackupInstanceInAzGraph -Subscription $subscriptionId -ResourceGroup $resourceGroupName -Vault $vaultName -DatasourceType AzureDatabaseForPostgreSQL

+ ```

+2. Once you identify the backed-up instance, fetch the relevant recovery point by using the `Get-AzDataProtectionRecoveryPoint` cmdlet.

+ ```azurepowershell

+ $recoveryPointsCrr = Get-AzDataProtectionRecoveryPoint -BackupInstanceName $instance.Name -ResourceGroupName $resourceGroupName -ResourceGroupName $resourceGroupName e -SubscriptionId $subscriptionId -UseSecondaryRegion

+ ```

+

+3. Prepare the restore request.

+ To restore the database, follow one of the following methods:

+ **Restore as database**

+ Follow these steps:

+ 1. Create the Azure Resource Manager ID for the new PostgreSQL database. You need to create this with the [target PostgreSQL server to which permissions are assigned](/azure/backup/restore-postgresql-database-ps#set-up-permissions). Additionally, create the required *PostgreSQL database name*.

+

+ For example, you can name a PostgreSQL database as `emprestored21` under a target PostgreSQL server `targetossserver` in a resource group `targetrg` with a different subscription.

+ ```azurepowershell

+ $targetResourceId = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx/resourceGroups/targetrg/providers/providers/Microsoft.DBforPostgreSQL/servers/targetossserver/databases/emprestored21"

+ ```

+ 2. Use the `Intialize-AzDataProtectionRestoreRequest` cmdlet to prepare the restore request with relevant details.

+ ```azurepowershell

+ $OssRestoreReq = Initialize-AzDataProtectionRestoreRequest -DatasourceType AzureDatabaseForPostgreSQL -SourceDataStore VaultStore -RestoreLocation $vault.ReplicatedRegion[0] -RestoreType AlternateLocation -RecoveryPoint $recoveryPointsCrr[0].Property.RecoveryPointId -TargetResourceId $targetResourceId -SecretStoreURI $secretURI -SecretStoreType AzureKeyVault

+ ```

+

+ **Restore as files**

+ Follow these steps:

+ 1. Fetch the *Uniform Resource Identifier (URI)* of the container, in the [storage account to which permissions are assigned](/azure/backup/restore-postgresql-database-ps#set-up-permissions).

+

+ For example, a container named `testcontainerrestore` under a storage account `testossstorageaccount` with a different subscription.

+ ```azurepowershell

+ $contURI = https://testossstorageaccount.blob.core.windows.net/testcontainerrestore

+ ```

+

+ 2. Use the `Intialize-AzDataProtectionRestoreRequest` cmdlet to prepare the restore request with relevant details.

+ ```azurepowershell

+ $OssRestoreReq = Initialize-AzDataProtectionRestoreRequest -DatasourceType AzureDatabaseForPostgreSQL -SourceDataStore VaultStore -RestoreLocation $vault.ReplicatedRegion[0] -RestoreType RestoreAsFiles -RecoveryPoint $recoveryPointsCrr[0].Property.RecoveryPointId -TargetContainerURI $targetContainerURI -FileNamePrefix $fileNamePrefix

+ ```

+## Validate the PostgreSQL database restore configuration

+To validate the probabilities of success for the restore operation, run the following cmdlet:

+```azurepowershell

+$validate = Test-AzDataProtectionBackupInstanceRestore -ResourceGroupName $ResourceGroupName -Name $instance[0].Name -VaultName $VaultName -RestoreRequest $OssRestoreReq -SubscriptionId $SubscriptionId -RestoreToSecondaryRegion #-Debug

+```

+## Trigger the restore operation

+To trigger the restore operation, run the following cmdlet:

+```azurepowershell

+$restoreJob = Start-AzDataProtectionBackupInstanceRestore -BackupInstanceName $instance.Name -ResourceGroupName $ResourceGroupName -VaultName $vaultName -SubscriptionId $SubscriptionId -Parameter $OssRestoreReq -RestoreToSecondaryRegion # -Debug

+```

+## Track the restore job

+To monitor the restore job progress, choose one of the methods:

+- To get the complete list of Cross Region Restore jobs from the secondary region, run the following cmdlet:

+ ```azurepowershell

+ $job = Get-AzDataProtectionJob -ResourceGroupName $resourceGroupName -SubscriptionId $subscriptionId -VaultName $vaultName -UseSecondaryRegion

+ ```

+- To get a single job detail, run the following cmdlet:

+ ```azurepowershell

+ $restoreJob = Start-AzDataProtectionBackupInstanceRestore -BackupInstanceName $instance.Name -ResourceGroupName $ResourceGroupName -VaultName $vaultName -SubscriptionId $SubscriptionId -Parameter $OssRestoreReq -RestoreToSecondaryRegion # -Debug

+ ```

+## Next steps

+- Learn how to [configure and run Cross Region Restore for Azure database for PostgreSQL](tutorial-cross-region-restore.md).

+ :::image type="content" source="./media/restore-azure-database-postgresql/select-application-type-for-id-inline.png" alt-text="Screenshot showing the process to get the Application ID of the vault MSI." lightbox="./media/restore-azure-database-postgresql/select-application-type-for-id-expanded.png":::

+ :::image type="content" source="./media/restore-azure-database-postgresql/copy-vault-id-inline.png" alt-text="Screenshot showing the process to copy the Application ID of the vault." lightbox="./media/restore-azure-database-postgresql/copy-vault-id-expanded.png":::

+## Restore databases across regions

+As one of the restore options, Cross Region Restore (CRR) allows you to restore Azure Database for PostgreSQL servers in a secondary region, which is an Azure-paired region.

+### Considerations

+- To begin using the feature, read the [Before you start](create-manage-backup-vault.md#before-you-start) section.

+- To check if Cross Region Restore is enabled, see the [Configure Cross Region Restore](create-manage-backup-vault.md#perform-cross-region-restore-using-azure-portal) section.

+### View backup instances in secondary region

+If CRR is enabled, you can view the backup instances in the secondary region.

+1. From the [Azure portal](https://portal.azure.com/), go to **Backup Vault** > **Backup Instances**.

+1. Select the filter as **Instance Region == Secondary Region**.

+ :::image type="content" source="./media/create-manage-backup-vault/select-secondary-region-as-instance-region.png" alt-text="Screenshot showing the selection of the secondary region as the instance region." lightbox="./media/create-manage-backup-vault/select-secondary-region-as-instance-region.png":::

+ >[!Note]

+ > Only Backup Management Types supporting the CRR feature are listed. Currently, the restoration of primary region data to a secondary region for PostgreSQL servers is only supported.

+### Restore in secondary region

+The secondary region restore experience is similar to the primary region restore.

+When configuring details in the **Restore Configuration** pane to configure your restore, youΓÇÖre prompted to provide only secondary region parameters. So, a vault should already exist in the secondary region and the PostgreSQL server should be registered to the vault in the secondary region.ΓÇ»

+Follow these steps:

+1. Select **Backup Instance name** to view details.

+2. Select **Restore to secondary region**.

+ :::image type="content" source="./media/create-manage-backup-vault/restore-to-secondary-region.png" alt-text="Screenshot showing how to restore to secondary region." lightbox="./media/create-manage-backup-vault/restore-to-secondary-region.png":::

+1. Select the restore point, the region, and the resource group.

+1. Select **Restore**.

+ >[!Note]

+ > - After the restore is triggered in the data transfer phase, the restore job can't be canceled.

+ > - The role/access level required to perform restore operation in cross-regions are *Backup Operator* role in the subscription and *Contributor (write)* access on the source and target virtual machines. To view backup jobs, *Backup reader* is the minimum permission required in the subscription.

+ > - The RPO for the backup data to be available in secondary region is 12 hours. Therefore, when you turn on CRR, the RPO for the secondary region is 12 hours + log frequency duration (that can be set to a minimum of 15 minutes).

+### Monitoring secondary region restore jobs

+1. In the Azure portal, go to **Monitoring + Reporting** > **Backup Jobs**.

+2. Filter Instance Region for **Secondary Region** to view the jobs in the secondary region.

+ :::image type="content" source="./media/create-manage-backup-vault/view-jobs-in-secondary-region.png" alt-text="Screenshot showing how to view jobs in secondary region." lightbox="./media/create-manage-backup-vault/view-jobs-in-secondary-region.png":::

+ Title: Tutorial - Configure and run Cross Region Restore for Azure database for PostgreSQL

+description: Learn how to configure and run Cross Region Restore for Azure database for PostgreSQL using Azure Backup.

+# Tutorial: Configure and run Cross Region Restore for Azure database for PostgreSQL by using Azure Backup

+This tutorial describes how you can enable and run Cross Region Restore to restore SQL databases hosted on Azure VMs in a secondary region.

+The Cross Region Restore option allows you to restore data in a secondaryΓÇ»[Azure paired region](/azure/availability-zones/cross-region-replication-azure) even when no outage occurs in the primary region; thus, enabling you to perform drills to assess regional resiliency.ΓÇ»

+> [!NOTE]

+>- Currently, Geo-redundant Storage (GRS) vault with Cross Region Restore enabled can't be changed to Zone-redundant Storage (ZRS) or Locally-redundant Storage (LRS) after the protection starts for the first time.ΓÇ»

+>- Secondary region Recovery Point Objective (RPO) is currently *36 hours*. This is because the RPO in the primary region is 24 hours and can take up to 12 hours to replicate the backup data from the primary to the secondary region.

+## Considerations

+Before you begin Cross Region Restore for PostgreSQL server, see the following information:

+- Cross Region Restore is supported only for a Backup vault that uses Storage Redundancy = Geo-redundant.

+- PostgreSQL databases hosted on Azure VMs are supported. You can restore databases or their files.ΓÇ»

+- Review the [support matrix](./backup-support-matrix.md) for a list of supported managed types and regions.

+- Cross Region Restore option incurs additional charges. [Learn more about pricing](https://azure.microsoft.com/pricing/details/backup/).

+- Once you enable Cross Region Restore, it might take up to 48 hours for the backup items to be available in secondary regions.

+- Review theΓÇ»[permissions required to use Cross Region Restore](backup-rbac-rs-vault.md#minimum-role-requirements-for-azure-vm-backup).ΓÇ»

+A vault created with GRS redundancy includes the option to configure the Cross Region Restore feature. Every GRS vault has a banner that links to the documentation.ΓÇ»

+## Enable Cross Region Restore on a Backup vault

+The Cross Region Restore option allows you to restore data in a secondary Azure paired region.

+To configure Cross Region Restore for the backup vault, follow these steps:ΓÇ»

+1. Sign in to [Azure portal](https://portal.azure.com/).

+1. [Create a new Backup vault](create-manage-backup-vault.md#create-backup-vault) or choose an existing Backup vault.

+1. Enable Cross Region Restore:

+ 1. Select **Properties** (under Manage). 

+ 1. Under **Vault Settings**, select **Update** for Cross Region Restore.

+ 1. UnderΓÇ»**Cross Region Restore**, selectΓÇ»**Enable**.

+ :::image type="content" source="./media/tutorial-cross-region-restore/update-for-cross-region-restore.png" alt-text="Screenshot showing the selection of update for cross region restore.":::

+ :::image type="content" source="./media/tutorial-cross-region-restore/enable-cross-region-restore.png" alt-text="Screenshot shows the Enable cross region restore option.":::

+## View backup instances in secondary region

+If CRR is enabled, you can view the backup instances in the secondary region.

+Follow these steps:

+1. From the [Azure portal](https://portal.azure.com/), go to your Backup vault.

+1. Select **Backup instances** under **Manage**.

+1. Select **Instance Region** == *Secondary Region* on the filters.

+ :::image type="content" source="./media/tutorial-cross-region-restore/backup-instances-secondary-region.png" alt-text="Screenshot showing the secondary region filter." lightbox="./media/tutorial-cross-region-restore/backup-instances-secondary-region.png":::

+## Restore the database to the secondary region

+To restore the database to the secondary region, follow these steps:

+1. Go to the Backup vaultΓÇÖs **Overview** pane, and then configure a backup for PostgreSQL database.

+ > [!Note]

+ > Once the backup is complete in the primary region, it can take up to 12 hours for the recovery point in the primary region to get replicated to the secondary region.

+1. To check the availability of recovery point in the secondary region, go to theΓÇ»**Backup center** >ΓÇ»**Backup Instances**.

+1. Filter to **Azure Database for PostgreSQL servers**, then filter Instance region as **Secondary Region**, and then select the required Backup Instance.

+ :::image type="content" source="./media/create-manage-backup-vault/view-jobs-in-secondary-region.png" alt-text="Screenshot showing how to view jobs in secondary region." lightbox="./media/create-manage-backup-vault/view-jobs-in-secondary-region.png":::

+ The recovery points available in the secondary region are now listed.

+1. SelectΓÇ»**Restore to secondary region**.

+ You can also trigger restores from the respective backup instance.

+1. Select Restore to secondary region to review the target region selected, and then select the appropriate recovery point and restore parameters.

+1. Once the restore starts, you can monitor the completion of the restore operation under Backup Jobs of the Backup vault by filtering Jobs workload type to Azure Database for PostgreSQL servers and Instance Region to Secondary Region.

+## Next steps

+For more information about backup and restore with Cross Region Restore, see:

+- [Cross Region Restore for PostGreSQL Servers](create-manage-backup-vault.md#perform-cross-region-restore-using-azure-portal).

+- [Restore Azure Database for PostgreSQL backups](./restore-azure-database-postgresql.md).

+- January 2024

+ - [Cross Region Restore support for PostgreSQL by using Azure Backup is now generally available](#cross-region-restore-support-for-postgresql-by-using-azure-backup-is-now-generally-available)

+## Cross Region Restore support for PostgreSQL by using Azure Backup is now generally available

+Azure Backup allows you to replicate your backups to an additional Azure paired region by using Geo-redundant Storage (GRS) to protect your backups from regional outages. When you enable the backups with GRS, the backups in the secondary region become accessible only when Microsoft declares an outage in the primary region. However, Cross Region Restore enables you to access and perform restores from the secondary region recovery points even when no outage occurs in the primary region; thus, enables you to perform drills to assess regional resiliency.

+For more information, see [Cross Region Restore support for PostgreSQL using Azure Backup](backup-vault-overview.md#cross-region-restore-support-for-postgresql-using-azure-backup).

+For more information, see [Cross Region Restore for MARS (preview)](about-restore-microsoft-azure-recovery-services.md#cross-region-restore).

+For more information, see [Cross Region Restore support for PostgreSQL using Azure Backup](backup-vault-overview.md#cross-region-restore-support-for-postgresql-using-azure-backup).

+|Geographic |USD 3.00/mo |

+### Install the Azure Communication Services Calling SDK

+#### 1:1 Call

+#### Rooms Call

+#### Group Call

+#### Teams call

+## Adding and removing participants to a call

+## Video calling

+## Starting and stopping video

+### Twilio

+### Azure Communication Services

+```javascript

+videoTrack.addProcessor(processor, { inputFrameBufferType: 'video', outputFrameBufferContextType: 'webgl2' });

+```

+Use the npm install command to install the [Azure Communication Services Effects SDK](../quickstarts/voice-video-calling/get-started-video-effects.md?pivots=platform-web) for JavaScript.

+### Twilio

+# Customer intent: As a developer, I want to understand the differences between built-in and Azure connectors in Azure Logic Apps (Standard).

+# Customer intent: As a developer, I want to get telemetry from an Application Insights resource to use with my workflow in Azure Logic Apps.

+# Customer intent: As a developer, I want to get log data from my Log Analytics workspace or telemetry from my Application Insights resource to use with my workflow in Azure Logic Apps.

+# Customer intent: As a developer, I want to learn how connectors help me access data, events, and resources in other apps, services, systems, and platforms from my workflow in Azure Logic Apps.

+If you created your container apps environment with a custom service CIDR, make sure your container app's subnet (or any peered subnet) doesn't conflict with your custom service CIDR range.

+ | **Virtual network** | Select the virtual network for your container app. |

+ | **Subnet** | Select the subnet your for container app. |

+# Customer intent: As a developer, I want artifact streaming capabilities so that I can efficiently deliver and serve containerized applications to end-users in real-time.

+```

+> [!WARNING]

+> Account keys are not automatically rotated or revoked after management RBAC changes. These keys give access to data plane operations. When removing access to the keys from an user, it is recommended to rotate the keys as well. For RBAC Data Plane, the Cosmos DB backend will reject requests once the roles/claims no longer match. If an user requires temporary access to data plane operations, it's recommended to use [Azure Cosmos DB RBAC](how-to-setup-rbac.md) Data Plane.

+ Title: Migrate from EA Marketplace Store Charge API

+description: This article has information to help you migrate from the EA Marketplace Store Charge API.

+# Migrate from EA Marketplace Store Charge API

+EA customers who were previously using the Enterprise Reporting consumption.azure.com API to [get their marketplace store charges](/rest/api/billing/enterprise/billing-enterprise-api-marketplace-storecharge) need to migrate to a replacement Azure Resource Manager API. This article helps you migrate by using the following instructions. It also explains the contract differences between the old API and the new API.

+Endpoints to migrate off:

+|Endpoint|API Comments|

+|||

+| `/v3/enrollments/{enrollmentNumber}/marketplacecharges` | ΓÇó API method: GET <br><br> ΓÇó Synchronous (non polling) <br><br> ΓÇó Data format: JSON |

+| `/v3/enrollments/{enrollmentNumber}/billingPeriods/{billingPeriod}/marketplacecharges` | ΓÇó API method: GET <br><br> ΓÇó Synchronous (non polling) <br><br> ΓÇó Data format: JSON |

+| `/v3/enrollments/{enrollmentNumber}/marketplacechargesbycustomdate?startTime=2017-01-01&endTime=2017-01-10` | ΓÇó API method: GET <br><br> ΓÇó Synchronous (non polling) <br><br> ΓÇó Data format: JSON |

+## Assign permissions to an SPN to call the API

+Before calling the API, you need to configure a service principal with the correct permission. You use the service principal to call the API. For more information, see [Assign permissions to ACM APIs](cost-management-api-permissions.md).

+### Call the Marketplaces API

+Use the following request URIs when calling the new Marketplaces API. All Azure and Marketplace charges are merged into a single file that is available through the new solutions. You can identify which charges are *Azure* versus *Marketplace* charges by using the `PublisherType` field that is available in the new dataset.

+Your enrollment number should be used as the `billingAccountId`.

+#### Supported requests

+You can call the API using the following scopes:

+- Department: `/providers/Microsoft.Billing/departments/{departmentId}`

+- Enrollment: `/providers/Microsoft.Billing/billingAccounts/{billingAccountId}`

+- EnrollmentAccount: `/providers/Microsoft.Billing/enrollmentAccounts/{enrollmentAccountId}`

+- Management Group: `/providers/Microsoft.Management/managementGroups/{managementGroupId}`

+- Subscription: `/subscriptions/{subscriptionId}/`

+For subscription, billing account, department, enrollment account, and management group scopes you can also add a billing period to the scope using `/providers/Microsoft.Billing/billingPeriods/{billingPeriodName}`. For example, to specify a billing period at the department scope, use `/providers/Microsoft.Billing/departments/{departmentId}/providers/Microsoft.Billing/billingPeriods/{billingPeriodName}`.

+[List Marketplaces](/rest/api/consumption/marketplaces/list#marketplaceslistresult)

+```http

+GET https://management.azure.com/{scope}/providers/Microsoft.Consumption/marketplaces

+```

+With optional parameters:

+```http

+https://management.azure.com/{scope}/providers/Microsoft.Consumption/marketplaces?$filter={$filter}&$top={$top}&$skiptoken={$skiptoken}

+```

+#### Response body changes

+Old response:

+```json

+[

+ {

+ "id": "id",

+ "subscriptionGuid": "00000000-0000-0000-0000-000000000000",

+ "subscriptionName": "subName",

+ "meterId": "2core",

+ "usageStartDate": "2015-09-17T00:00:00Z",

+ "usageEndDate": "2015-09-17T23:59:59Z",

+ "offerName": "Virtual LoadMaster&trade; (VLM) for Azure",

+ "resourceGroup": "Res group",

+ "instanceId": "id",

+ "additionalInfo": "{\"ImageType\":null,\"ServiceType\":\"Medium\"}",

+ "tags": "",

+ "orderNumber": "order",

+ "unitOfMeasure": "",

+ "costCenter": "100",

+ "accountId": 100,

+ "accountName": "Account Name",

+ "accountOwnerId": "account@live.com",

+ "departmentId": 101,

+ "departmentName": "Department 1",

+ "publisherName": "Publisher 1",

+ "planName": "Plan name",

+ "consumedQuantity": 1.15,

+ "resourceRate": 0.1,

+ "extendedCost": 1.11,

+ "isRecurringCharge": "False"

+ },

+ ...

+ ]

+```

+New response:

+```json

+ {

+ "id": "/subscriptions/subid/providers/Microsoft.Billing/billingPeriods/201702/providers/Microsoft.Consumption/marketPlaces/marketplacesId1",

+ "name": "marketplacesId1",

+ "type": "Microsoft.Consumption/marketPlaces",

+ "tags": {

+ "env": "newcrp",

+ "dev": "tools"

+ },

+ "properties": {

+ "accountName": "Account1",

+ "additionalProperties": "additionalProperties",

+ "costCenter": "Center1",

+ "departmentName": "Department1",

+ "billingPeriodId": "/subscriptions/subid/providers/Microsoft.Billing/billingPeriods/201702",

+ "usageStart": "2017-02-13T00:00:00Z",

+ "usageEnd": "2017-02-13T23:59:59Z",

+ "instanceName": "shared1",

+ "instanceId": "/subscriptions/subid/resourceGroups/Default-Web-eastasia/providers/Microsoft.Web/sites/shared1",

+ "currency": "USD",

+ "consumedQuantity": 0.00328,

+ "pretaxCost": 0.67,

+ "isEstimated": false,

+ "meterId": "00000000-0000-0000-0000-000000000000",

+ "offerName": "offer1",

+ "resourceGroup": "TEST",

+ "orderNumber": "00000000-0000-0000-0000-000000000000",

+ "publisherName": "xyz",

+ "planName": "plan2",

+ "resourceRate": 0.24,

+ "subscriptionGuid": "00000000-0000-0000-0000-000000000000",

+ "subscriptionName": "azure subscription",

+ "unitOfMeasure": "10 Hours",

+ "isRecurringCharge": false

+ }

+ }

+```

+## Next steps

+- Read the [Migrate from Azure Enterprise Reporting to Microsoft Cost Management APIs overview](migrate-ea-reporting-arm-apis-overview.md) article.

+ Title: Tutorial - Improved exports experience - Preview

+description: This tutorial helps you create automatic exports for your actual and amortized costs in the Cost and Usage Specification standard (FOCUS) format.

+# Tutorial: Improved exports experience - Preview

+This tutorial helps you create automatic exports using the improved exports experience that can be enabled from [Cost Management labs](enable-preview-features-cost-management-labs.md#exports-preview) by selecting **Exports (preview)** button. The improved Exports experience is designed to streamline your FinOps practice by automating the export of other cost-impacting datasets. The updated exports are optimized to handle large datasets while enhancing the user experience.

+Review [Azure updates](https://azure.microsoft.com/updates/) to see when the feature becomes available generally available.

+## Improved functionality

+The improved Exports feature supports new datasets including price sheets, reservation recommendations, reservation details, and reservation transactions. Also, you can download cost and usage details using the open-source FinOps Open Cost and Usage Specification [FOCUS](https://focus.finops.org/) format. It combines actual and amortized costs and reduces data processing times and storage and compute costs.

+FinOps datasets are often large and challenging to manage. Exports improve file manageability, reduce download latency, and help save on storage and network charges with the following functionality:

+- File partitioning, which breaks the file into manageable smaller chunks.

+- File overwrite, which replaces the previous day's file with an updated file each day in daily export.

+The Exports feature has an updated user interface, which helps you to easily create multiple exports for various cost management datasets to Azure storage using a single, simplified create experience. Exports let you choose the latest or any of the earlier dataset schema versions when you create a new export. Supporting multiple versions ensures that the data processing layers that you built on for existing datasets are reused while you adopt the latest API functionality. You can selectively export historical data by rerunning an existing Export job for a historical period. So you don't have to create a new one-time export for a specific date range. You can enhance security and compliance by configuring exports to storage accounts behind a firewall. The Azure Storage firewall provides access control for the public endpoint of the storage account.

+## Prerequisites

+Data export is available for various Azure account types, including [Enterprise Agreement (EA)](https://azure.microsoft.com/pricing/enterprise-agreement/) and [Microsoft Customer Agreement (MCA)](get-started-partners.md) customers. To view the full list of supported account types, see [Understand Cost Management data](understand-cost-mgt-data.md). The following Azure permissions, or scopes, are supported per subscription for data export by user and group. For more information about scopes, see [Understand and work with scopes](understand-work-scopes.md).

+- Owner - Can create, modify, or delete scheduled exports for a subscription.

+- Contributor - Can create, modify, or delete their own scheduled exports. Can modify the name of scheduled exports created by others.

+- Reader - Can schedule exports that they have permission to.

+ - **For more information about scopes, including access needed to configure exports for Enterprise Agreement and Microsoft Customer agreement scopes, see [Understand and work with scopes](understand-work-scopes.md)**.

+For Azure Storage accounts:

+- Write permissions are required to change the configured storage account, independent of permissions on the export.

+- Your Azure storage account must be configured for blob or file storage.

+- Don't configure exports to a storage container that is configured as a destination in an [object replication rule](../../storage/blobs/object-replication-overview.md#object-replication-policies-and-rules).

+- To export to storage accounts with configured firewalls, you need other privileges on the storage account. The other privileges are only required during export creation or modification. They are:

+ - Owner role on the storage account.

+ Or

+ - Any custom role with `Microsoft.Authorization/roleAssignments/write` and `Microsoft.Authorization/permissions/read` permissions.

+ Additionally, ensure that you enable [Allow trusted Azure service access](../../storage/common/storage-network-security.md#grant-access-to-trusted-azure-services) to the storage account when you configure the firewall.

+- The storage account configuration must have the **Permitted scope for copy operations (preview)** option set to **From any storage account**.

+ :::image type="content" source="./media/tutorial-export-acm-data/permitted-scope-copy-operations.png" alt-text="Screenshot showing From any storage account option set." lightbox="./media/tutorial-export-acm-data/permitted-scope-copy-operations.png" :::

+If you have a new subscription, you can't immediately use Cost Management features. It might take up to 48 hours before you can use all Cost Management features.

+Enable the new Exports experience from Cost Management labs by selecting **Exports (preview)**. For more information about how to enable Exports (preview), see [Explore preview features](enable-preview-features-cost-management-labs.md#explore-preview-features). The preview feature is being deployed progressively.

+## Create exports

+You can create multiple exports of various data types using the following steps.

+### Choose a scope and navigate to Exports

+1. Sign in to the Azure portal at [https://portal.azure.com](https://portal.azure.com/).

+2. Search for **Cost Management**.

+3. Select a billing scope.

+4. In the left navigation menu, select **Exports**.

+ - **For Partners**: Sign in as a partner at the billing account scope or on a customer's tenant. Then you can export data to an Azure Storage account that is linked to your partner storage account. However, you must have an active subscription in your CSP tenant.

+5. Set the schedule frequency.

+### Create new exports

+On the Exports page, at the top of the page, select **+ Create**.

+### Fill in export details

+1. On the Add export page, select the **Type of data**, the **Dataset version**, and enter an **Export name**. Optionally, enter an **Export description**.

+2. For **Type of data**, when you select **Reservation recommendations**, select values for the other fields that appear:

+ - Reservation scope

+ - Resource type

+ - Look back period

+3. Depending on the **Type of data** and **Frequency** that you select, you might need to specify more fields to define the date range in UTC format.

+4. Select **Add** to see the export listed on the Basic tab.

+### Optionally add more exports

+You can create up to 10 exports when you select **+ Add new exports**.

+Select **Next** when you're ready to define the destination.

+### Define the export destination

+1. On the Destination tab, select the **Storage type**. The default is Azure blob storage.

+2. Specify your Azure storage account subscription. Choose an existing resource group or create a new one.

+3. Select the Storage account name or create a new one.

+4. If you create a new storage account, choose an Azure region.

+5. Specify the storage container and directory path for the export file.

+6. File partitioning is enabled by default. It splits large files into smaller ones.

+7. **Overwrite data** is enabled by default. For daily exports, it replaces the previous day's file with an updated file.

+8. Select **Next** to move to the **Review + create** tab.

+### Review and create

+Review your export configuration and make any necessary changes. When done, select **Review + create** to complete the process.

+## Manage exports

+You can view and manage your exports by navigating to the Exports page where a summary of details for each export appears, including:

+- Type of data

+- Schedule status

+- Data version

+- Last run time

+- Frequency

+- Storage account

+- Estimated next run date and time

+You can perform the following actions by selecting the ellipsis (**…**) on the right side of the page or by selecting the individual export.

+- Run now - Queues an unplanned export to run at the next available moment, regardless of the scheduled run time.

+- Export selected dates - Reruns an export for a historical date range instead of creating a new one-time export. You can extract up to 13 months of historical data in three-month chunks. This option isn't available for price sheets.

+- Disable - Temporarily suspends the export job.

+- Delete - Permanently removes the export.

+- Refresh - Updates the Run history.

+### Schedule frequency

+All types of data support various schedule frequency options, as described in the following table.

+| **Type of data** | **Frequency options** |

+| | |

+| Price sheet | ΓÇó One-time export <br> ΓÇó Current month <br>ΓÇó Daily export of the current month |

+| Reservation details | ΓÇó One-time export <br> ΓÇó Daily export of month-to-date costs <br> ΓÇó Monthly export of last month's costs |

+| Reservation recommendations | ΓÇó One-time export <br> ΓÇó Daily export |

+| Reservation transactions | ΓÇó One-time export <br> ΓÇó Daily export <br> ΓÇó Monthly export of last month's data|

+| Cost and usage details (actual)<br> Cost and usage details (amortized) <br> Cost and usage details (FOCUS)<br> Cost and usage details (usage only) | ΓÇó One-time export <br>ΓÇó Daily export of month-to-date costs<br>ΓÇó Monthly export of last month's costs <br>ΓÇó Monthly export of last billing month's costs |

+## Understand data types

+- Cost and usage details (actual) - Select this option to export standard usage and purchase charges.

+- Cost and usage details (amortized) - Select this option to export amortized costs for purchases like Azure reservations and Azure savings plan for compute.

+- Cost and usage details (FOCUS) - Select this option to export cost and usage details using the open-source FinOps Open Cost and Usage Specification ([FOCUS](https://focus.finops.org/)) format. It combines actual and amortized costs. This format reduces data processing time and storage and compute charges for exports. The management group scope isn't supported for Cost and usage details (FOCUS) exports.

+- Cost and usage details (usage only) - Select this option to export standard usage charges without purchase information. Although you can't use this option when creating new exports, existing exports using this option are still supported.

+- Price sheet ΓÇô Select this option to export your download your organization's Azure pricing.

+- Reservation details ΓÇô Select this option to export the current list of all available reservations.

+- Reservation recommendations ΓÇô Select this option to export the list of reservation recommendations, which help with rate optimization.

+- Reservation transactions ΓÇô Select this option to export the list of all reservation purchases, exchanges, and refunds.

+Agreement types, scopes, and required roles are explained at [Understand and work with scopes](understand-work-scopes.md).

+| **Data types** | **Supported agreement** | **Supported scopes** |

+| | | |

+| Cost and usage (actual) | ΓÇó EA<br> ΓÇó MCA that you bought through the Azure website <br> ΓÇó MCA enterprise<br> ΓÇó MCA that you buy through a Microsoft partner <br> ΓÇó Microsoft Online Service Program (MOSP), also known as pay-as-you-go (PAYG) <br> ΓÇó Azure internal | ΓÇó EA - Enrollment, department, account, management group, subscription, and resource group <br> ΓÇó MCA - Billing account, billing profile, Invoice section, subscription, and resource group <br> ΓÇó Microsoft Partner Agreement (MPA) - Customer, subscription, and resource group |

+| Cost and usage (amortized) | ΓÇó EA <br> ΓÇó MCA that you bought through the Azure website <br> ΓÇó MCA enterprise <br> ΓÇó MCA that you buy through a Microsoft partner <br> ΓÇó Microsoft Online Service Program (MOSP), also known as pay-as-you-go (PAYG) <br> ΓÇó Azure internal | ΓÇó EA - Enrollment, department, account, management group, subscription, and resource group <br> ΓÇó MCA - Billing account, billing profile, Invoice section, subscription, and resource group <br> ΓÇó MPA - Customer, subscription, and resource group |

+| Cost and usage (FOCUS) | ΓÇó EA <br> ΓÇó MCA that you bought through the Azure website <br> ΓÇó MCA enterprise <br> ΓÇó MCA that you buy through a Microsoft partner| ΓÇó EA - Enrollment, department, account, subscription, and resource group <br> ΓÇó MCA - Billing account, billing profile, invoice section, subscription, and resource group <br> ΓÇó MPA - Customer, subscription, resource group. **NOTE**: The management group scope isn't supported for Cost and usage details (FOCUS) exports. |

+| All available prices | ΓÇó EA <br> ΓÇó MCA that you bought through the Azure website <br> ΓÇó MCA enterprise <br> ΓÇó MCA that you buy through a Microsoft partner | ΓÇó EA - Billing account <br> ΓÇó All other supported agreements - Billing profile |

+| Reservation recommendations | ΓÇó EA <br> ΓÇó MCA that you bought through the Azure website <br> ΓÇó MCA enterprise <br> ΓÇó MCA that you buy through a Microsoft partner | ΓÇó EA - Billing account <br> ΓÇó All other supported agreements - Billing profile |

+| Reservation transactions | ΓÇó EA <br> ΓÇó MCA that you bought through the Azure website <br> ΓÇó MCA enterprise <br> ΓÇó MCA that you buy through a Microsoft partner | ΓÇó EA - Billing account <br> ΓÇó All other supported agreements - Billing profile |

+| Reservation details | ΓÇó EA <br> ΓÇó MCA that you bought through the Azure website <br> ΓÇó MCA enterprise <br> ΓÇó MCA that you buy through a Microsoft partner | ΓÇó EA - Billing account <br> ΓÇó All other supported agreements - Billing profile |

+## Limitations

+The improved exports experience currently has the following limitations.

+- The new Exports experience doesn't fully support the management group scope and it has feature limitations.

+- Azure internal and MOSP billing scopes and subscriptions donΓÇÖt support FOCUS datasets.

+- Shared access service (SAS) key-based cross tenant export is only supported for Microsoft partners at the billing account scope. It isn't supported for other partner scenarios like any other scope, EA indirect contract or Azure Lighthouse.

+## Next steps

+- Learn more about exports at [Tutorial: Create and manage exported data](tutorial-export-acm-data.md).

+

+To use Fabric Lakehouse file-based connector in inline dataset type, you need to choose the right Inline dataset type for your data. You can use DelimitedText, Avro, JSON, ORC, or Parquet depending on your data format.

+For Fabric Lakehouse table-based connector in inline dataset type, you only need to use Delta as dataset type. This will allow you to read and write data from Fabric Lakehouse tables.

+In every subscription where this capability is enabled, all images stored in ACR that meet the criteria for scan triggers are scanned for vulnerabilities without any extra configuration of users or registries. Recommendations with vulnerability reports are provided for all images in ACR as well as images that are currently running in AKS that were pulled from an ACR registry or any other Defender for Cloud supported registry (ECR, GCR, or GAR). Images are scanned shortly after being added to a registry, and rescanned for new vulnerabilities once every 24 hours.

+- If a subscription is enabled with Defender CSPM and in parallel you scanned the same resources with Purview, Purview's scan result is ignored and defaults to displaying the Microsoft Defender for Cloud's scanning results for the supported resource type.

+ Title: Configure Defender for Servers features

+# Configure Defender for Servers features

+> [!NOTE]

+> The Log Analytics agent (also known as MMA) is set to retire in [August 2024](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/). All Defender for Servers features that depend on the AMA, including those described on the [Enable Defender for Endpoint (Log Analytics)](endpoint-protection-recommendations-technical.md) page, will be available through either [Microsoft Defender for Endpoint integration](integration-defender-for-endpoint.md) or [agentless scanning](concept-agentless-data-collection.md), before the retirement date. For more information about the roadmap for each of the features that are currently rely on Log Analytics Agent, see [this announcement](upcoming-changes.md#defender-for-cloud-plan-and-strategy-for-the-log-analytics-agent-deprecation).

+ Title: Set up continuous export of alerts and recommendations

+description: Learn how to set up continuous export of Microsoft Defender for Cloud security alerts and recommendations to Log Analytics in Azure Monitor or to Azure Event Hubs.

+Microsoft Defender for Cloud generates detailed security alerts and recommendations. To analyze the information that's in these alerts and recommendations, you can export them to Log Analytics in Azure Monitor, to Azure Event Hubs, or to another Security Information and Event Management (SIEM), Security Orchestration Automated Response (SOAR), or IT classic [deployment model solution](export-to-siem.md). You can stream the alerts and recommendations as they're generated or define a schedule to send periodic snapshots of all new data.

+When you set up continuous export, you can fully customize what information to export and where the information goes. For example, you can configure it so that:

+- All high-severity alerts are sent to an Azure event hub.

+- All medium or higher-severity findings from vulnerability assessment scans of your computers running SQL Server are sent to a specific Log Analytics workspace.

+- Specific recommendations are delivered to an event hub or Log Analytics workspace whenever they're generated.

+- The secure score for a subscription is sent to a Log Analytics workspace whenever the score for a control changes by 0.01 or more.

+This article describes how to set up continuous export to a Log Analytics workspace or to an event hub in Azure.

+> Defender for Cloud also offers the option to do a onetime, manual export to a comma-separated values (CSV) file. Learn more in [Manually export alerts and recommendations](#manually-export-alerts-and-recommendations).

+|Release status:|General availability (GA)|

+|Required roles and permissions:|<ul><li>Security Admin or Owner for the resource group.</li><li>Write permissions for the target resource.</li><li>If you use the [Azure Policy DeployIfNotExist policies](#set-up-continuous-export-at-scale-by-using-provided-policies), you must have permissions that let you assign policies.</li><li>To export data to Event Hubs, you must have Write permissions on the Event Hubs policy.</li><li>To export to a Log Analytics workspace:<ul><li>If it *has the SecurityCenterFree solution*, you must have a minimum of Read permissions for the workspace solution: `Microsoft.OperationsManagement/solutions/read`.</li><li>If it *doesn't have the SecurityCenterFree solution*, you must have write permissions for the workspace solution: `Microsoft.OperationsManagement/solutions/action`.</li><li>Learn more about [Azure Monitor and Log Analytics workspace solutions](/previous-versions/azure/azure-monitor/insights/solutions).</li></ul></li></ul>|

+You can use continuous export to export the following data types whenever they change:

+- Security findings.

+ Findings can be thought of as "sub" recommendations and belong to a "parent" recommendation. For example:

+ - The recommendations [System updates should be installed on your machines (powered by Update Center)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e1145ab1-eb4f-43d8-911b-36ddf771d13f) and [System updates should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27) each has one sub recommendation per outstanding system update.

+ - The recommendation [Machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/1195afff-c881-495e-9bc5-1486211ae03f) has a sub recommendation for every vulnerability that the vulnerability scanner identifies.

+ > If youΓÇÖre configuring continuous export by using the REST API, always include the parent with the findings.

+<a name="set-up-a-continuous-export"></a>

+## Set up continuous export

+You can set up continuous export on the Microsoft Defender for Cloud pages in the Azure portal, by using the REST API, or at scale by using provided Azure Policy templates.

+### [Azure portal](#tab/azure-portal)

+<a name="configure-continuous-export-from-the-defender-for-cloud-pages-in-azure-portal"></a>

+### Set up continuous export on the Defender for Cloud pages in the Azure portal

+To set up a continuous export to Log Analytics or Azure Event Hubs by using the Azure portal:

+1. On the Defender for Cloud resource menu, select **Environment settings**.

+1. Select the subscription that you want to configure data export for.

+1. In the resource menu under **Settings**, select **Continuous export**.

+ :::image type="content" source="./media/continuous-export/continuous-export-options-page.png" alt-text="Screenshot that shows the export options in Microsoft Defender for Cloud." lightbox="./media/continuous-export/continuous-export-options-page.png":::

+ The export options appear. There's a tab for each available export target, either event hub or Log Analytics workspace.

+1. Select the data type you'd like to export, and choose from the filters on each type (for example, export only high-severity alerts).

+ - **Streaming**. Assessments are sent when a resourceΓÇÖs health state is updated (if no updates occur, no data is sent).

+ - **Snapshots**. A snapshot of the current state of the selected data types that are sent once a week per subscription. To identify snapshot data, look for the field **IsSnapshot**.

+ If your selection includes one of these recommendations, you can include the vulnerability assessment findings with them:

+ To include the findings with these recommendations, set **Include security findings** to **Yes**.

+ :::image type="content" source="./media/continuous-export/include-security-findings-toggle.png" alt-text="Screenshot that shows the Include security findings toggle in a continuous export configuration." :::

+1. Under **Export target**, choose where you'd like the data saved. Data can be saved in a target of a different subscription (for example, in a central Event Hubs instance or in a central Log Analytics workspace).

+ You can also send the data to an [event hub or Log Analytics workspace in a different tenant](#export-data-to-an-event-hub-or-log-analytics-workspace-in-another-tenant).

+> Log Analytics supports only records that are up to 32 KB in size. When the data limit is reached, an alert displays the message **Data limit has been exceeded**.

+### [REST API](#tab/rest-api)

+### Set up continuous export by using the REST API

+You can set up and manage continuous export by using the Microsoft Defender for Cloud [automations API](/rest/api/defenderforcloud/automations). Use this API to create or update rules for exporting to any of the following destinations:

+You also can send the data to an [event hub or Log Analytics workspace in a different tenant](#export-data-to-an-event-hub-or-log-analytics-workspace-in-another-tenant).

+Here are some examples of options that you can use only in the API:

+- **Greater volume**: You can create multiple export configurations on a single subscription by using the API. The **Continuous Export** page in the Azure portal supports only one export configuration per subscription.

+- **Additional features**: The API offers parameters that aren't shown in the Azure portal. For example, you can add tags to your automation resource and define your export based on a wider set of alert and recommendation properties than the ones that are offered on the **Continuous export** page in the Azure portal.

+- **Focused scope**: The API offers you a more granular level for the scope of your export configurations. When you define an export by using the API, you can define it at the resource group level. If you're using the **Continuous export** page in the Azure portal, you must define it at the subscription level.

+ > These API-only options are not shown in the Azure portal. If you use them, a banner informs you that other configurations exist.

+### [Azure Policy](#tab/azure-policy)

+<a name="configure-continuous-export-at-scale-using-the-supplied-policies"></a>

+### Set up continuous export at scale by using provided policies

+Automating your organization's monitoring and incident response processes can help you reduce the time it takes to investigate and mitigate security incidents.

+To deploy your continuous export configurations across your organization, use the provided Azure Policy `DeployIfNotExist` policies to create and configure continuous export procedures.

+To implement these policies:

+1. In the following table, choose a policy to apply:

+ > You can also find the policies by searching Azure Policy:

+ >

+ > :::image type="content" source="./media/continuous-export/opening-azure-policy.png" alt-text="Screenshot that shows accessing Azure Policy.":::

+ >

+ > 1. On the Azure Policy menu, select **Definitions** and search for the policies by name.

+1. On the relevant page in Azure Policy, select **Assign**.

+ :::image type="content" source="./media/continuous-export/export-policy-assign.png" alt-text="Screenshot that shows assigning the Azure Policy.":::

+1. Select each tab and set the parameters to meet your requirements:

+ 1. On the **Basics** tab, set the scope for the policy. To use centralized management, assign the policy to the management group that contains the subscriptions that use the continuous export configuration.

+ 1. On the **Parameters** tab, set the resource group and data type details.

+ > Each parameter has a tooltip that explains the options that are available.

+ >

+ > The Azure Policy **Parameters** tab (1) provides access to configuration options that are similar to options that you can access on the Defender for Cloud **Continuous export** page (2).

+ > :::image type="content" source="./media/continuous-export/azure-policy-next-to-continuous-export.png" alt-text="Screenshot that shows comparing the parameters in continuous export with Azure Policy." lightbox="./media/continuous-export/azure-policy-next-to-continuous-export.png":::

+ >

+ 1. Optionally, to apply this assignment to existing subscriptions, select the **Remediation** tab, and then select the option to create a remediation task.

+1. Review the summary page, and then select **Create**.

+## Export to a Log Analytics workspace

+Security alerts and recommendations are stored in the **SecurityAlert** and **SecurityRecommendation** tables respectively.

+The name of the Log Analytics solution that contains these tables depends on whether you enabled the enhanced security features: Security (the Security and Audit solution) or SecurityCenterFree.

+> To see the data on the destination workspace, you must enable one of these solutions: Security and Audit or SecurityCenterFree.

+

+To view the event schemas of the exported data types, see [Log Analytics table schemas](https://aka.ms/ASCAutomationSchemas).

+## Export data to an event hub or Log Analytics workspace in another tenant

+You *can't* configure data to be exported to a Log Analytics workspace in another tenant if you use Azure Policy to assign the configuration. This process works only when you use the REST API to assign the configuration, and the configuration is unsupported in the Azure portal (because it requires a multitenant context). Azure Lighthouse *doesn't* resolve this issue with Azure Policy, although you can use Azure Lighthouse as the authentication method.

+When you collect data in a tenant, you can analyze the data from one, central location.

+To export data to an event hub or Log Analytics workspace in a different tenant:

+1. In the tenant that has the event hub or Log Analytics workspace, [invite a user](../active-directory/external-identities/what-is-b2b.md#easily-invite-guest-users-from-the-azure-portal) from the tenant that hosts the continuous export configuration, or you can configure Azure Lighthouse for the source and destination tenant.

+1. If you use business-to-business (B2B) guest user access in Microsoft Entra ID, ensure that the user accepts the invitation to access the tenant as a guest.

+1. If you use a Log Analytics workspace, assign the user in the workspace tenant one of these roles: Owner, Contributor, Log Analytics Contributor, Sentinel Contributor, or Monitoring Contributor.

+1. Create and submit the request to the Azure REST API to configure the required resources. You must manage the bearer tokens in both the context of the local (workspace) tenant and the remote (continuous export) tenant.

+You can enable continuous export as a trusted service so that you can send data to an event hub that has Azure Firewall enabled.

+To grant access to continuous export as a trusted service:

+1. Go to **Microsoft Defender for Cloud** > **Environmental settings**.

+You must add the relevant role assignment to the destination event hub.

+To add the relevant role assignment to the destination event hub:

+1. Go to the selected event hub.

+1. In the resource menu, select **Access control (IAM)** > **Add role assignment**.

+ :::image type="content" source="media/continuous-export/add-role-assignment.png" alt-text="Screenshot that shows the Add role assignment button." lightbox="media/continuous-export/add-role-assignment.png":::

+1. Choose **+ Select members**.

+1. Search for and then select **Windows Azure Security Resource Provider**.

+You might also choose to view exported security alerts or recommendations in [Azure Monitor](../azure-monitor/alerts/alerts-overview.md).

+Azure Monitor provides a unified alerting experience for various Azure alerts, including a diagnostic log, metric alerts, and custom alerts that are based on Log Analytics workspace queries.

+To view alerts and recommendations from Defender for Cloud in Azure Monitor, configure an alert rule that's based on Log Analytics queries (a log alert rule):

+1. On the Azure Monitor **Alerts** page, select **New alert rule**.

+ 

+1. On the **Create rule** pane, set up your new rule the same way you'd configure a [log alert rule in Azure Monitor](../azure-monitor/alerts/alerts-unified-log.md):

+ - For **Condition**, select **Custom log search**. In the page that appears, configure the query, lookback period, and frequency period. In the search query, you can enter **SecurityAlert** or **SecurityRecommendation** to query the data types that Defender for Cloud continuously exports to as you enable the continuous export to Log Analytics feature.

+ - Optionally, create an [action group](../azure-monitor/alerts/action-groups.md) to trigger. Action groups can automate sending an email, creating an ITSM ticket, running a webhook, and more, based on an event in your environment.

+ 

+The Defender for Cloud alerts or recommendations appear (depending on your configured continuous export rules and the condition that you defined in your Azure Monitor alert rule) in Azure Monitor alerts, with automatic triggering of an action group (if provided).

+<a name="manual-one-time-export-of-alerts-and-recommendations"></a>

+## Manually export alerts and recommendations

+To download a CSV file that lists alerts or recommendations, go to the **Security alerts** page or the **Recommendations** page, and then select the **Download CSV report** button.

+> Due to Azure Resource Graph limitations, the reports are limited to a file size of 13,000 rows. If you see errors related to too much data being exported, try limiting the output by selecting a smaller set of subscriptions to be exported.

+## Related content

+To see related content:

+- See the [Azure Event Hubs documentation](../event-hubs/index.yml).

+- Learn more about [Microsoft Sentinel](../sentinel/index.yml).

+- Review the [Azure Monitor documentation](../azure-monitor/index.yml).

+- Learn how to [export data types schemas](https://aka.ms/ASCAutomationSchemas).

+ Title: Use Azure Monitor gallery workbooks with Defender for Cloud data

+description: Learn how to create rich, interactive reports for your Microsoft Defender for Cloud data by using workbooks from the integrated Azure Monitor workbooks gallery.

+# Create rich, interactive reports of Defender for Cloud data by using workbooks

+[Azure workbooks](../azure-monitor/visualize/workbooks-overview.md) are flexible canvas that you can use to analyze data and create rich, visual reports in the Azure portal. In workbooks, you can access multiple data sources across Azure. Combine workbooks into unified, interactive experiences.

+Workbooks provide a rich set of capabilities for visualizing your Azure data. For detailed information about each visualization type, see the [visualizations examples and documentation](../azure-monitor/visualize/workbooks-text-visualizations.md).

+In Microsoft Defender for Cloud, you can access built-in workbooks to track your organizationΓÇÖs security posture. You can also build custom workbooks to view a wide range of data from Defender for Cloud or other supported data sources.

+For pricing, see the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).

+**Required roles and permissions**: To save a workbook, you must have at least [Workbook Contributor](../role-based-access-control/built-in-roles.md#workbook-contributor) permissions for the relevant resource group.

+<a name="workbooks-gallery-in-microsoft-defender-for-cloud"></a>

+## Use Defender for Cloud gallery workbooks

+In Defender for Cloud, you can use integrated Azure workbooks functionality to build custom, interactive workbooks that display your security data. Defender for Cloud includes a workbooks gallery that has the following workbooks ready for you to customize:

+- [Coverage workbook](#coverage-workbook): Track the coverage of Defender for Cloud plans and extensions across your environments and subscriptions.

+- [Secure Score Over Time workbook](#secure-score-over-time-workbook): Track your subscription scores and changes to recommendations for your resources.

+- [System Updates workbook](#system-updates-workbook): View missing system updates by resource, OS, severity, and more.

+- [Vulnerability Assessment Findings workbook](#vulnerability-assessment-findings-workbook): View the findings of vulnerability scans of your Azure resources.

+- [Compliance Over Time workbook](#compliance-over-time-workbook): View the status of a subscription's compliance with regulatory standards or industry standards that you select.

+- [Active Alerts workbook](#active-alerts-workbook): View active alerts by severity, type, tag, MITRE ATT&CK tactics, and location.

+- Price Estimation workbook: View monthly, consolidated price estimations for Defender for Cloud plans based on the resource telemetry in your environment. The numbers are estimates that are based on retail prices and don't represent actual billing or invoice data.

+- Governance workbook: Use the governance report in the governance rules settings to track progress of the rules that affect your organization.

+- [DevOps Security (preview) workbook](#devops-security-workbook): View a customizable foundation that helps you visualize the state of your DevOps posture for the connectors that you set up.

+Along with built-in workbooks, you can find useful workbooks in the **Community** category. These workbooks are provided as-is and have no SLA or support. You can choose one of the provided workbooks or create your own workbook.

+> To customize any of the workbooks, select the **Edit** button. When you're done editing, select **Save**. The changes are saved in a new workbook.

+>

+> :::image type="content" source="media/custom-dashboards-azure-workbooks/editing-supplied-workbooks.png" alt-text="Screenshot that shows how to edit a supplied workbook to customize it for your needs.":::

+<a name="use-the-coverage-workbook"></a>

+### Coverage workbook

+If you enable Defender for Cloud across multiple subscriptions and environments (Azure, Amazon Web Services, and Google Cloud Platform), you might find it challenging to keep track of which plans are active. It's especially true if you have multiple subscriptions and environments.

+The Coverage workbook helps you keep track of which Defender for Cloud plans are active in which parts of your environments. This workbook can help you ensure that your environments and subscriptions are fully protected. By having access to detailed coverage information, you can identify areas that might need more protection so that you can take action to address those areas.

+In this workbook, you can select a subscription (or all subscriptions), and then view the following tabs:

+- **Relative coverage**: Shows the percentage of subscriptions or connectors that have a specific Defender for Cloud plan enabled.

+- **Detailed coverage**: Shows additional settings that can be enabled or that must need to be enabled on relevant plans to get each plan's full value.

+You also can select the Azure, Amazon Web Services, or Google Cloud Platform environment in each or all subscriptions to see which plans and extensions are enabled for the environments.

+<a name="use-the-secure-score-over-time-workbook"></a>

+### Secure Score Over Time workbook

+The Secure Score Over Time workbook uses secure score data from your Log Analytics workspace. The data must be exported by using the continuous export tool as described in [Set up continuous export for Defender for Cloud in the Azure portal](continuous-export.md?tabs=azure-portal).

+When you set up continuous export, under **Export frequency**, select both **Streaming updates** and **Snapshots (Preview)**.

+> Snapshots are exported weekly. There's a delay of at least one week after the first snapshot is exported before you can view data in the workbook.

+> To configure continuous export across your organization, use the provided `DeployIfNotExist` policies in Azure Policy that are described in [Set up continuous export at scale](continuous-export.md?tabs=azure-policy).

+The Secure Score Over Time workbook has five graphs for the subscriptions that report to the selected workspaces:

+|**Score trends for the last week and month**<br>Use this section to monitor the current score and general trends of the scores for your subscriptions.|:::image type="content" source="media/custom-dashboards-azure-workbooks/secure-score-over-time-table-1.png" alt-text="Screenshot that shows trends for secure score on the built-in workbook.":::|

+|**Aggregated score for all selected subscriptions**<br>Hover your mouse over any point in the trend line to see the aggregated score at any date in the selected time range.|:::image type="content" source="media/custom-dashboards-azure-workbooks/secure-score-over-time-table-2.png" alt-text="Screenshot that shows an aggregated score for all selected subscriptions.":::|

+|**Recommendations with the most unhealthy resources**<br>This table helps you triage the recommendations that had the most resources that changed to an unhealthy status in the selected period.|:::image type="content" source="media/custom-dashboards-azure-workbooks/secure-score-over-time-table-3.png" alt-text="Screenshot that shows recommendations that have the most unhealthy resources.":::|

+|**Scores for specific security controls**<br>The security controls in Defender for Cloud are logical groupings of recommendations. This chart shows you at a glance the weekly scores for all your controls.|:::image type="content" source="media/custom-dashboards-azure-workbooks/secure-score-over-time-table-4.png" alt-text="Screenshot that shows scores for your security controls over the selected time period.":::|

+|**Resources changes**<br>Recommendations that have the most resources that changed state (healthy, unhealthy, or not applicable) during the selected period are listed here. Select any recommendation in the list to open a new table that lists the specific resources.|:::image type="content" source="media/custom-dashboards-azure-workbooks/secure-score-over-time-table-5.png" alt-text="Screenshot that shows recommendations that have the most resources that changed health state during the selected period.":::|

+### System Updates workbook

+The System Updates workbook is based on the security recommendation that system updates should be installed on your machines. The workbook helps you identify machines that have updates to apply.

+You can view the update status for selected subscriptions by:

+- A list of resources that have outstanding updates to apply.

+- A list of updates that are missing from your resources.

+### Vulnerability Assessment Findings workbook

+Defender for Cloud includes vulnerability scanners for your machines, containers in container registries, and computers running SQL Server.

+The Vulnerability Assessment Findings workbook gathers these findings and organizes them by severity, resource type, and category.

+### Compliance Over Time workbook

+Microsoft Defender for Cloud continually compares the configuration of your resources with requirements in industry standards, regulations, and benchmarks. Built-in standards include NIST SP 800-53, SWIFT CSP CSCF v2020, Canada Federal PBMM, HIPAA HITRUST, and more. You can select standards that are relevant to your organization by using the regulatory compliance dashboard. Learn more in [Customize the set of standards in your regulatory compliance dashboard](update-regulatory-compliance-packages.md).

+The Compliance Over Time workbook tracks your compliance status over time by using the various standards that you add to your dashboard.

+When you select a standard from the overview area of the report, the lower pane displays a more detailed breakdown:

+To view the resources that passed or failed each control, you can keep drilling down, all the way to the recommendation level.

+> For each panel of the report, you can export the data to Excel by using the **Export to Excel** option.

+> :::image type="content" source="media/custom-dashboards-azure-workbooks/export-workbook-data.png" alt-text="Screenshot that shows how to export a compliance workbook data to Excel.":::

+<a name="use-the-active-alerts-workbook"></a>

+### Active Alerts workbook

+The Active Alerts workbook displays the active security alerts for your subscriptions on one dashboard. Security alerts are the notifications that Defender for Cloud generates when it detects threats against your resources. Defender for Cloud prioritizes and lists the alerts with the information that you need to quickly investigate and remediate.

+This workbook benefits you by helping you be aware of and prioritize the active threats in your environment.

+> Most workbooks use Azure Resource Graph to query data. For example, to display a map view, data is queried in a Log Analytics workspace. [Continuous export](continuous-export.md) should be enabled. Export the security alerts to the Log Analytics workspace.

+You can view active alerts by severity, resource group, and tag.

+To see more details about an alert, select the alert.

+The **MITRE ATT&CK tactics** tab lists alerts in the order of the kill chain and the number of alerts that the subscription has at each stage.

+You can see all the active alerts in a table and filter by columns.

+To see details for a specific alert, select the alert in the table, and then select the **Open Alert View** button.

+To see all alerts by location in a map view, select the **Map View** tab.

+Select a location on the map to view all the alerts for that location.

+To view the details for an alert, select an alert, and then select the **Open Alert View** button.

+<a name="use-the-devops-security-workbook"></a>

+### DevOps Security workbook

+The DevOps Security workbook provides a customizable visual report of your DevOps security posture. You can use this workbook to view insights about your repositories that have the highest number of common vulnerabilities and exposures (CVEs) and weaknesses, active repositories that have Advanced Security turned off, security posture assessments of your DevOps environment configurations, and much more. Customize and add your own visual reports by using the rich set of data in Azure Resource Graph to fit the business needs of your security team.

+> To use this workbork, your environment must have a [GitHub connector](quickstart-onboard-github.md), [GitLab connector](quickstart-onboard-gitlab.md), or [Azure DevOps connector](quickstart-onboard-devops.md).

+To deploy the workbook:

+1. Go to **Microsoft Defender for Cloud** > **Workbooks**.

+The workbook loads and displays the **Overview** tab. On this tab, you can see the number of exposed secrets, the code security, and DevOps security. The findings are shown by total for each repository and by severity.

+To view the count by secret type, select the **Secrets** tab.

+The **Code** tab displays the findings count by tool and repository. It shows the results of your code scanning by severity.

+The **OSS Vulnerabilities** tab displays Open Source Security (OSS) vulnerabilities by severity and the count of findings by repository.

+The **Infrastructure as Code** tab displays your findings by tool and repository.

+The **Posture** tab displays security posture by severity and repository.

+The **Threats & Tactics** tab displays the count of threats and tactics by repository and the total count.

+To move workbooks that you build in other Azure services into your Microsoft Defender for Cloud workbook gallery:

+1. Open the workbook that you want to import.

+1. On the toolbar, select **Edit**.

+ :::image type="content" source="media/custom-dashboards-azure-workbooks/editing-workbooks.png" alt-text="Screenshot that shows how to edit a workbook.":::

+1. On the toolbar, select **</>** to open the advanced editor.

+ :::image type="content" source="media/custom-dashboards-azure-workbooks/editing-workbooks-advanced-editor.png" alt-text="Screenshot that shows how to open the advanced editor to copy the gallery template JSON code.":::

+1. In the workbook gallery template, select all the JSON in the file and copy it.

+1. Open the workbook gallery in Defender for Cloud, and then select **New** on the menu bar.

+1. Select **</>** to open the Advanced Editor.

+1. Paste the entire gallery template JSON code.

+1. On the toolbar, select **Save As**.

+ :::image type="content" source="media/custom-dashboards-azure-workbooks/editing-workbooks-save-as.png" alt-text="Screenshot that shows saving the workbook to the gallery in Defender for Cloud.":::

+1. To save changes to the workbook, enter or select the following information:

+ - A name for the workbook.

+ - The Azure region to use.

+ - Any relevant information about the subscription, resource group, and sharing.

+To find the saved workbook, go to the **Recently modified workbooks** category.

+## Related content

+This article describes the Defender for Cloud integrated Azure workbooks page that has built-in reports and the option to build your own custom, interactive reports.

+- Learn more about [Azure workbooks](../azure-monitor/visualize/workbooks-overview.md).

+Built-in workbooks get their data from Defender for Cloud recommendations.

+- Learn about the many security recommendations in [Security recommendations: A reference guide](recommendations-reference.md).

+- **Azure Policy for Kubernetes**: A pod that extends the open-source [Gatekeeper v3](https://github.com/open-policy-agent/gatekeeper) and registers as a web hook to Kubernetes admission control making it possible to apply at-scale enforcements, and safeguards on your clusters in a centralized, consistent manner. The Azure Policy for Kubernetes pod is deployed as an AKS add-on. It's only installed on one node in the cluster. For more information, see [Protect your Kubernetes workloads](kubernetes-workload-protections.md) and [Understand Azure Policy for Kubernetes clusters](/azure/governance/policy/concepts/policy-for-kubernetes).

+- **[Azure Arc-enabled Kubernetes](/azure/azure-arc/kubernetes/overview)** - Azure Arc-enabled Kubernetes - An agent based solution, installed on one node in the cluster, that connects your clusters to Defender for Cloud. Defender for Cloud is then able to deploy the following two agents as [Arc extensions](/azure/azure-arc/kubernetes/extensions):

+- **Azure Policy for Kubernetes**: A pod that extends the open-source [Gatekeeper v3](https://github.com/open-policy-agent/gatekeeper) and registers as a web hook to Kubernetes admission control making it possible to apply at-scale enforcements, and safeguards on your clusters in a centralized, consistent manner. The Azure Policy for Kubernetes pod is deployed as an Arc-enabled Kubernetes extension. It's only installed on one node in the cluster. For more information, see [Protect your Kubernetes workloads](/azure/defender-for-cloud/kubernetes-workload-protections) and [Understand Azure Policy for Kubernetes clusters](/azure/governance/policy/concepts/policy-for-kubernetes).

+- **[Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md)** - Azure Arc-enabled Kubernetes - An agent based solution, installed on one node in the cluster, that connects your clusters to Defender for Cloud. Defender for Cloud is then able to deploy the following two agents as [Arc extensions](/azure/azure-arc/kubernetes/extensions):

+- **Azure Policy for Kubernetes**: A pod that extends the open-source [Gatekeeper v3](https://github.com/open-policy-agent/gatekeeper) and registers as a web hook to Kubernetes admission control making it possible to apply at-scale enforcements, and safeguards on your clusters in a centralized, consistent manner. The Azure Policy for Kubernetes pod is deployed as an Arc-enabled Kubernetes extension. It's only installed on one node in the cluster. For more information, see [Protect your Kubernetes workloads](kubernetes-workload-protections.md) and [Understand Azure Policy for Kubernetes clusters](/azure/governance/policy/concepts/policy-for-kubernetes).

+- **[Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md)** - Azure Arc-enabled Kubernetes - An agent based solution, installed on one node in the cluster, that connects your clusters to Defender for Cloud. Defender for Cloud is then able to deploy the following two agents as [Arc extensions](/azure/azure-arc/kubernetes/extensions):

+- **Azure Policy for Kubernetes**: A pod that extends the open-source [Gatekeeper v3](https://github.com/open-policy-agent/gatekeeper) and registers as a web hook to Kubernetes admission control making it possible to apply at-scale enforcements, and safeguards on your clusters in a centralized, consistent manner. The Azure Policy for Kubernetes pod is deployed as an Arc-enabled Kubernetes extension. It only needs to be installed on one node in the cluster. For more information, see [Protect your Kubernetes workloads](kubernetes-workload-protections.md) and [Understand Azure Policy for Kubernetes clusters](/azure/governance/policy/concepts/policy-for-kubernetes).

+ Title: Assessment checks for endpoint detection and response solutions

+# Assessment checks for endpoint detection and response solutions

+> [!NOTE]

+> As the Log Analytics agent (also known as MMA) is set to retire in [August 2024](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/), all Defender for Servers features that currently depend on it, including those described on this page, will be available through either [Microsoft Defender for Endpoint integration](integration-defender-for-endpoint.md) or [agentless scanning](concept-agentless-data-collection.md), before the retirement date. For more information about the roadmap for each of the features that are currently rely on Log Analytics Agent, see [this announcement](upcoming-changes.md#defender-for-cloud-plan-and-strategy-for-the-log-analytics-agent-deprecation).

+| Recommendation | Appears when |

+|--|--|

+| **Endpoint protection should be installed on your machines** | [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) runs and the result is **AMServiceEnabled: False** |

+| **Endpoint protection health issues should be resolved on your machines** | [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) runs and any of the following occurs: <br><br> Any of the following properties are false: <br><br> - **AMServiceEnabled** <br> - **AntispywareEnabled** <br> - **RealTimeProtectionEnabled** <br> - **BehaviorMonitorEnabled** <br> - **IoavProtectionEnabled** <br> - **OnAccessProtectionEnabled** <br> <br> If one or both of the following properties are 7 or more: <br><br> - **AntispywareSignatureAge** <br> - **AntivirusSignatureAge** |

+| Recommendation | Appears when |

+|--|--|

+| **Endpoint protection should be installed on your machines** | importing **SCEPMpModule ("$env:ProgramFiles\Microsoft Security Client\MpProvider\MpProvider.psd1")** and running **Get-MProtComputerStatus** results in **AMServiceEnabled = false** |

+| **Endpoint protection health issues should be resolved on your machines** | **Get-MprotComputerStatus** runs and any of the following occurs: <br><br> At least one of the following properties is false: <br><br> - **AMServiceEnabled** <br> - **AntispywareEnabled** <br> - **RealTimeProtectionEnabled** <br> - **BehaviorMonitorEnabled** <br> - **IoavProtectionEnabled** <br> - **OnAccessProtectionEnabled** <br><br> If one or both of the following Signature Updates are greater or equal to 7: <br><br> - **AntispywareSignatureAge** <br> - **AntivirusSignatureAge** |

+| Recommendation | Appears when |

+|--|--|

+| **Endpoint protection should be installed on your machines** | any of the following checks aren't met: <br><br> - **HKLM:\SOFTWARE\TrendMicro\Deep Security Agent** exists <br> - **HKLM:\SOFTWARE\TrendMicro\Deep Security Agent\InstallationFolder** exists <br> - The **dsa_query.cmd** file is found in the Installation Folder <br> - Running **dsa_query.cmd** results with **Component.AM.mode: on - Trend Micro Deep Security Agent detected** |

+| Recommendation | Appears when |

+|--|--|

+| **Endpoint protection should be installed on your machines** | any of the following checks aren't met: <br> <br> - **HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\PRODUCTNAME = "Symantec Endpoint Protection"** <br> - **HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\ASRunningStatus = 1** <br> Or <br> - **HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\PRODUCTNAME = "Symantec Endpoint Protection"** <br> - **HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\ASRunningStatus = 1**|

+| **Endpoint protection health issues should be resolved on your machines** | any of the following checks aren't met: <br> <br> - Check Symantec Version >= 12: Registry location: **HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion" -Value "PRODUCTVERSION"** <br> - Check Real-Time Protection status: **HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\OnOff == 1** <br> - Check Signature Update status: **HKLM\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\LatestVirusDefsDate <= 7 days** <br> - Check Full Scan status: **HKLM:\Software\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\LastSuccessfulScanDateTime <= 7 days** <br> - Find signature version number Path to signature version for Symantec 12: **Registry Paths+ "CurrentVersion\SharedDefs" -Value "SRTSP"** <br> - Path to signature version for Symantec 14: **Registry Paths+ "CurrentVersion\SharedDefs\SDSDefs" -Value "SRTSP"** <br><br> Registry Paths: <br> <br> - **"HKLM:\Software\Symantec\Symantec Endpoint Protection" + $Path;** <br> - **"HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection" + $Path** |

+| Recommendation | Appears when |

+|--|--|

+| **Endpoint protection should be installed on your machines** | any of the following checks aren't met: <br><br> - **HKLM:\SOFTWARE\McAfee\Endpoint\AV\ProductVersion** exists <br> - **HKLM:\SOFTWARE\McAfee\AVSolution\MCSHIELDGLOBAL\GLOBAL\enableoas = 1**|

+| **Endpoint protection health issues should be resolved on your machines** | any of the following checks aren't met: <br> <br> - McAfee Version: **HKLM:\SOFTWARE\McAfee\Endpoint\AV\ProductVersion >= 10** <br> - Find Signature Version: **HKLM:\Software\McAfee\AVSolution\DS\DS -Value "dwContentMajorVersion"** <br> - Find Signature date: **HKLM:\Software\McAfee\AVSolution\DS\DS -Value "szContentCreationDate" >= 7 days** <br> - Find Scan date: **HKLM:\Software\McAfee\Endpoint\AV\ODS -Value "LastFullScanOdsRunTime" >= 7 days** |

+| Recommendation | Appears when |

+|--|--|

+| **Endpoint protection should be installed on your machines** | any of the following checks aren't met: <br> <br> - File **/opt/McAfee/ens/tp/bin/mfetpcli** exists <br> - **"/opt/McAfee/ens/tp/bin/mfetpcli --version"** output is: **McAfee name = McAfee Endpoint Security for Linux Threat Prevention and McAfee version >= 10** |

+| **Endpoint protection health issues should be resolved on your machines** | any of the following checks aren't met: <br> <br> - **"/opt/McAfee/ens/tp/bin/mfetpcli --listtask"** returns **Quick scan, Full scan** and both of the scans <= 7 days <br> - **"/opt/McAfee/ens/tp/bin/mfetpcli --listtask"** returns **DAT and engine Update time** and both of them <= 7 days <br> - **"/opt/McAfee/ens/tp/bin/mfetpcli --getoasconfig --summary"** returns **On Access Scan** status |

+| Recommendation | Appears when |

+|--|--|

+| **Endpoint protection should be installed on your machines** | any of the following checks aren't met: <br> <br> - File **/opt/sophos-av/bin/savdstatus** exits or search for customized location **"readlink $(which savscan)"** <br> - **"/opt/sophos-av/bin/savdstatus --version"** returns Sophos name = **Sophos Anti-Virus and Sophos version >= 9** |

+| **Endpoint protection health issues should be resolved on your machines** | any of the following checks aren't met: <br> <br> - **"/opt/sophos-av/bin/savlog --maxage=7 \| grep -i "Scheduled scan .\* completed" \| tail -1"**, returns a value <br> - **"/opt/sophos-av/bin/savlog --maxage=7 \| grep "scan finished"** \| tail -1", returns a value <br> - **"/opt/sophos-av/bin/savdstatus --lastupdate"** returns lastUpdate, which should be <= 7 days <br> - **"/opt/sophos-av/bin/savdstatus -v"** is equal to **"On-access scanning is running"** <br> - **"/opt/sophos-av/bin/savconfig get LiveProtection"** returns enabled |

+ Title: Map Infrastructure as Code templates from code to cloud

+description: Learn how to map your Infrastructure as Code (IaC) templates to your cloud resources.

+Mapping Infrastructure as Code (IaC) templates to cloud resources helps you ensure consistent, secure, and auditable infrastructure provisioning. It supports rapid response to security threats and a security-by-design approach. You can use mapping to discover misconfigurations in runtime resources. Then, remediate at the template level to help ensure no drift and to facilitate deployment via CI/CD methodology.

+To set Microsoft Defender for Cloud to map IaC templates to cloud resources, you need:

+- An Azure account with Defender for Cloud configured. If you don't already have an Azure account, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- An [Azure DevOps](quickstart-onboard-devops.md) environment set up in Defender for Cloud.

+- Azure Pipelines set up to run the [Microsoft Security DevOps Azure DevOps extension](azure-devops-extension.md).

+- IaC templates and cloud resources set up with tag support. You can use open-source tools like [Yor_trace](https://github.com/bridgecrewio/yor) to automatically tag IaC templates.

+ - Supported cloud platforms: Microsoft Azure, Amazon Web Services, Google Cloud Platform

+ - Supported source code management systems: Azure DevOps

+ - Supported template languages: Azure Resource Manager, Bicep, CloudFormation, Terraform

+> Microsoft Defender for Cloud uses only the following tags from IaC templates for mapping:

+>

+> - `yor_trace`

+> - `mapping_tag`

+To see the mapping between your IaC template and your cloud resources in [Cloud Security Explorer](how-to-manage-cloud-security-explorer.md):

+1. In the dropdown menu, search for and select all your cloud resources.

+1. To add more filters to your query, select **+**.

+1. In the **Identity & Access** category, add the subfilter **Provisioned by**.

+1. In the **DevOps** category, select **Code repositories**.

+1. After you build your query, select **Search** to run the query.

+Alternatively, select the built-in template **Cloud resources provisioned by IaC templates with high severity misconfigurations**.

+> Mapping between your IaC templates and your cloud resources might take up to 12 hours to appear in Cloud Security Explorer.

+To create sample IaC mapping tags in your code repositories:

+1. In your repository, add an IaC template that includes tags.

+ You can start with a [sample template](https://github.com/microsoft/security-devops-azdevops/tree/main/samples/IaCMapping).

+1. To commit directly to the main branch or create a new branch for this commit, select **Save**.

+1. Confirm that you included the **Microsoft Security DevOps** task in your Azure pipeline.

+1. Verify that pipeline logs show a finding that says **An IaC tag(s) was found on this resource**. The finding indicates that Defender for Cloud successfully discovered tags.

+## Related content

+ Title: Scan for misconfigurations in Infrastructure as Code

+description: Learn how to use Microsoft Security DevOps scanning with Microsoft Defender for Cloud to find misconfigurations in Infrastructure as Code (IaC) in a connected GitHub repository or Azure DevOps project.

+# Scan your connected GitHub repository or Azure DevOps project

+You can set up Microsoft Security DevOps to scan your connected GitHub repository or Azure DevOps project. Use a GitHub action or an Azure DevOps extension to run Microsoft Security DevOps only on your Infrastructure as Code (IaC) source code, and help reduce your pipeline runtime.

+This article shows you how to apply a template YAML configuration file to scan your connected repository or project specifically for IaC security issues by using Microsoft Security DevOps rules.

+- For Microsoft Security DevOps, set up the GitHub action or the Azure DevOps extension based on your source code management system:

+ - If your repository is in GitHub, set up the [Microsoft Security DevOps GitHub action](github-action.md).

+ - If you manage your source code in Azure DevOps, set up the [Microsoft Security DevOps Azure DevOps extension](azure-devops-extension.md).

+- Ensure that you have an IaC template in your repository.

+<a name="configure-iac-scanning-and-view-the-results-in-github"></a>

+## Set up and run a GitHub action to scan your connected IaC source code

+To set up an action and view scan results in GitHub:

+1. Go to the main page of your repository.

+1. In the file directory, select **.github** > **workflows** > **msdevopssec.yml**.

+ For more information about working with an action in GitHub, see [Prerequisites](github-action.md#configure-the-microsoft-security-devops-github-action-1).

+1. Select the **Edit this file** (pencil) icon.

+ :::image type="content" source="media/tutorial-iac-vulnerabilities/workflow-yaml.png" alt-text="Screenshot that highlights the Edit this file icon for the msdevopssec.yml file." lightbox="media/tutorial-iac-vulnerabilities/workflow-yaml.png":::

+1. In the **Run analyzers** section of the YAML file, add this code:

+ ```yaml

+ with:

+ categories: 'IaC'

+ ```

+ > [!NOTE]

+ > Values are case sensitive.

+ Here's an example:

+ :::image type="content" source="media/tutorial-iac-vulnerabilities/add-to-yaml.png" alt-text="Screenshot that shows the information to add to the YAML file.":::

+1. Select **Commit changes . . .** .

+ :::image type="content" source="media/tutorial-iac-vulnerabilities/commit-change.png" alt-text="Screenshot that shows where to select Commit changes on the GitHub page.":::

+1. (Optional) Add an IaC template to your repository. If you already have an IaC template in your repository, skip this step.

+ For example, commit an IaC template that you can use to [deploy a basic Linux web application](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/webapp-basic-linux).

+ 1. Select the **azuredeploy.json** file.

+ :::image type="content" source="media/tutorial-iac-vulnerabilities/deploy-json.png" alt-text="Screenshot that shows where the azuredeploy.json file is located.":::

+ 1. Select **Raw**.

+ 1. Copy all the information in the file, like in the following example:

+ "description": "The base name of the resource, such as the web app name or the App Service plan."

+ "description": "The SKU of the App Service plan."

+ "description": "The runtime stack of the current web app."

+ "description": "The location for all resources."

+ 1. In your GitHub repository, go to the **.github/workflows** folder.

+ 1. Select **Add file** > **Create new file**.

+ :::image type="content" source="media/tutorial-iac-vulnerabilities/create-file.png" alt-text="Screenshot that shows you how to create a new file." lightbox="media/tutorial-iac-vulnerabilities/create-file.png":::

+ 1. Enter a name for the file.

+ 1. Paste the copied information in the file.

+ 1. Select **Commit new file**.

+ The template file is added to your repository.

+ :::image type="content" source="media/tutorial-iac-vulnerabilities/file-added.png" alt-text="Screenshot that shows that the new file you created is added to your repository.":::

+1. Verify that the Microsoft Security DevOps scan is finished:

+ 1. For the repository, select **Actions**.

+ 1. Select the workflow to see the action status.

+1. To view the results of the scan, go to **Security** > **Code scanning alerts**.

+ You can filter by tool to see only the IaC findings.

+<a name="configure-iac-scanning-and-view-the-results-in-azure-devops"></a>

+## Set up and run an Azure DevOps extension to scan your connected IaC source code

+To set up an extension and view scan results in Azure DevOps:

+1. Select your project.

+1. Select **Pipelines**.

+1. Select the pipeline where your Azure DevOps extension for Microsoft Security DevOps is configured.

+1. Select **Edit pipeline**.

+1. In the pipeline YAML configuration file, below the `displayName` line for the **MicrosoftSecurityDevOps@1** task, add this code:

+ ```yaml

+ inputs:

+ categories: 'IaC'

+ ```

+ Here's an example:

+ :::image type="content" source="media/tutorial-iac-vulnerabilities/addition-to-yaml.png" alt-text="Screenshot that shows where to add the IaC categories line in the pipeline configuration YAML file.":::

+1. Select **Save**.

+1. (Optional) Add an IaC template to your Azure DevOps project. If you already have an IaC template in your project, skip this step.

+1. Choose whether to commit directly to the main branch or to create a new branch for the commit, and then select **Save**.

+1. To view the results of the IaC scan, select **Pipelines**, and then select the pipeline you modified.

+1. See see more details, select a specific pipeline run.

+## View details and remediation information for applied IaC rules

+The IaC scanning tools that are included with Microsoft Security DevOps are [Template Analyzer](https://github.com/Azure/template-analyzer) ([PSRule](https://aka.ms/ps-rule-azure) is included in Template Analyzer) and [Terrascan](https://github.com/tenable/terrascan).

+Template Analyzer runs rules on Azure Resource Manager templates (ARM templates) and Bicep templates. For more information, see the [Template Analyzer rules and remediation details](https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md#built-in-rules).

+Terrascan runs rules on ARM templates and templates for CloudFormation, Docker, Helm, Kubernetes, Kustomize, and Terraform. For more information, see the [Terrascan rules](https://runterrascan.io/docs/policies/).

+To learn more about the IaC scanning tools that are included with Microsoft Security DevOps, see:

+- [Template Analyzer](https://github.com/Azure/template-analyzer)

+- [PSRule](https://aka.ms/ps-rule-azure)

+- [Terrascan](https://runterrascan.io/)

+## Related content

+In this article, you learned how to set up a GitHub action and an Azure DevOps extension for Microsoft Security DevOps to scan for IaC security misconfigurations and how to view the results.

+To get more information:

+- Learn more about [DevOps security](defender-for-devops-introduction.md).

+- Learn how to [connect your GitHub repository](quickstart-onboard-github.md) to Defender for Cloud.

+- Learn how to [connect your Azure DevOps project](quickstart-onboard-devops.md) to Defender for Cloud.

+| [Changes in endpoint protection recommendations](#changes-in-endpoint-protection-recommendations) | February 1, 2024 | February 28, 2024 |

+## Changes in endpoint protection recommendations

+**Announcement date: February 1, 2024**

+**Estimated date of change: February 2024**

+As use of the Azure Monitor Agent (AMA) and the Log Analytics agent (also known as the Microsoft Monitoring Agent (MMA)) is [phased out in Defender for Servers](https://techcommunity.microsoft.com/t5/user/ssoregistrationpage?dest_url=https:%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fblogs%2Fblogworkflowpage%2Fblog-id%2FMicrosoftDefenderCloudBlog%2Farticle-id%2F1269), existing endpoint recommendations which rely on those agents, will be replaced with new recommendations. The new recommendations rely on [agentless machine scanning](concept-agentless-data-collection.md) which allows the recommendations to discover and assesses the configuration of supported endpoint detection and response solutions and offers remediation steps, if issues are found.

+These public preview recommendations will be deprecated.

+| Recommendation | Agent | Deprecation date | Replacement recommendation |

+|--|--|--|--|

+| [Endpoint protection should be installed on your machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/4fb67663-9ab9-475d-b026-8c544cced439) (public) | MMA/AMA | February 2024 | New agentless recommendations. |

+| [Endpoint protection health issues should be resolved on your machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/37a3689a-818e-4a0e-82ac-b1392b9bb000) (public)| MMA/AMA | February 2024 | New agentless recommendations. |

+The current generally available recommendations will remain supported until August 2024.

+As part of that deprecation, weΓÇÖll be introducing new agentless endpoint protection recommendations. These recommendations will be available in Defender for Servers Plan 2 and the Defender CSPM plan. They will support Azure and multicloud machines. On-premises machines are not supported.

+| Preliminary recommendation name | Estimated release date |

+|--|--|--|

+| Endpoint Detection and Response (EDR) solution should be installed on Virtual Machines | February 2024 |

+| Endpoint Detection and Response (EDR) solution should be installed on EC2s | February 2024 |

+| Endpoint Detection and Response (EDR) solution should be installed on Virtual Machines (GCP) | February 2024 |

+| Endpoint Detection and Response (EDR) configuration issues should be resolved on virtual machines | February 2024 |

+| Endpoint Detection and Response (EDR) configuration issues should be resolved on EC2s | February 2024 |

+| Endpoint Detection and Response (EDR) configuration issues should be resolved on GCP virtual machines | February 2024 |

+# Customer intent: As a platform engineer, I want to structure my catalog so that Azure Deployment Environments can find and cache environment definitions efficiently.

+# Customer intent: As a developer, I want to know which parameters I can assign for parameters in environment.yaml.

+# Customer intent: As a developer, I want to be able to create an enviroment by using AZD so that I can create my coding environment.

+# Customer intent: As a developer, I want automatically delete my environment on a specific date so that I can keep resources current.

+Developers create and manage environments for Azure Deployment Environments through the [developer portal](./quickstart-create-access-environments.md), with the [Azure CLI](./how-to-create-access-environments.md) or with the [Azure Developer CLI](./how-to-create-environment-with-azure-developer.md).

+Platform engineering teams can curate environment definitions to enforce enterprise security policies and map projects to Azure subscriptions, identities, and permissions by environment types.

+Create and organize environment definitions by the types of applications that development teams are working on, rather than using an unorganized list of templates or a traditional IaC setup.

+# Customer intent: As a platform engineer, I want to configure conditional access policies in Microsoft Intune so that I can control access to dev boxes.

+Remote desktop apps let you use and control a dev box from almost any device. For your desktop or laptop, you can choose to download the Remote Desktop client for Windows Desktop or Microsoft Remote Desktop for Mac. You can also download a remote desktop app for your mobile device: Microsoft Remote Desktop for iOS or Microsoft Remote Desktop for Android.

+> [!TIP]

+> Many remote desktops apps allow you to [use multiple monitors](tutorial-configure-multiple-monitors.md) when you connect to your dev box.

+ - WindTurbineDataGenerator ΓÇô A simple publisher that sends sample wind turbine data to an event hub with the Capture feature enabled.

+ - FunctionDWDumper ΓÇô An Azure function that receives a notification from Azure Event Grid when an Avro file is captured to the Azure Storage blob. It receives the blobΓÇÖs URI path, reads its contents, and pushes this data to Azure Synapse Analytics (dedicated SQL pool).

+ 1. Copy and paste the command into the Cloud Shell window. Alternatively, you can copy/paste into an editor of your choice, set values, and then copy the command to the Cloud Shell. If you see an error due to an Azure resource name, delete the resource group, fix the name, and retry the command again.

+ 3. Press **ENTER** in the Cloud Shell window to run the command. This process might take a while since you're creating a bunch of resources. In the result of the command, ensure that there have been no failures.

+ :::image type="content" source="media/event-hubs-functions-synapse-analytics/select-function-app.png" lightbox="media/event-hubs-functions-synapse-analytics/select-function-app.png" alt-text="Screenshot showing the selection of the function app in the list of resources for a resource group.":::

+ :::image type="content" source="media/event-hubs-functions-synapse-analytics/get-publish-profile.png" lightbox="media/event-hubs-functions-synapse-analytics/get-publish-profile.png" alt-text="Screenshot showing the selection of the **Get Publish Profile** button on the command bar of the function app page.":::

+2. In the web browser that has the **Azure Function** page open, select **Functions** in the middle pane. Confirm that the **EventGridTriggerMigrateData** function shows up in the list. If you don't see it, try publishing from Visual Studio again, and then refresh the page in the portal.

+1. On the **Storage account** page, select **Storage browser** on the left menu.

+1. Select **Functions** tab in the middle pane.

+# Customer intent: As a network engineer, I want to establish a private connection from my on-premises network to my Azure virtual network using ExpressRoute.

+### Can I have ExpressRoute Private Peering in an Azure Goverment environment with Virtual Network Gateways in Azure commercial cloud?

+No, it's not possible to establish ExpressRoute Private peering in an Azure Goverment environment with a virtual network gateway in Azure commercial cloud environments. Furthermore, the scope of the ExpressRoute Government Microsoft Peering is limited to only public IPs within Azure government regions and doesn't extend to the broader ranges of commercial public IPs.

+ > * CKN must be an even-length string up to 64 hexadecimal digits (0-9, A-F).

+ > * CAK length depends on cipher suite specified:

+ > * For GcmAes128 and GcmAesXpn128, the CAK must be an even-length string with 32 hexadecimal digits (0-9, A-F).

+ > * For GcmAes256 and GcmAesXpn256, the CAK must be an even-length string with 64 hexadecimal digits (0-9, A-F).

+ > * For CAK, the full length of the key must be used. If the key is shorter than the required length then `0's` will be added to the end of the key to meet the length requirement. For example, CAK of 1234 will be 12340000... for both 128-bit and 256-bit based on the cipher.

+# Customer intent: As an IT admin, I want to learn about Front Door and what I can use it for.

+ Title: Disable events for the FHIR or DICOM service in Azure Health Data Services

+description: Disable events for the FHIR or DICOM service in Azure Health Services by deleting an event subscription. Learn why and how to stop sending notifications from your data and resources.

+# Disable events

+**Applies to:** [!INCLUDE [Yes icon](../includes/applies-to.md)][!INCLUDE [FHIR service](../includes/fhir-service.md)], [!INCLUDE [DICOM service](../includes/DICOM-service.md)]

+Events in Azure Health Services allow you to monitor and respond to changes in your data and resources. By creating an event subscription, you can specify the conditions and actions for sending notifications to various endpoints.

+However, there may be situations where you want to temporarily or permanently stop receiving notifications from an event subscription. For example, you might want to pause notifications during maintenance or testing, or delete the event subscription if you no longer need it.

+To disable events from sending notifications for an **Event Subscription**, you need to delete the subscription.

+1. In the Azure portal on the left pane, select **Events**.

+1. Select **Event Subscriptions**.

+1. Select the **Event Subscription** you want to disable notifications for. In the example, the event subscription is named **azuredocsdemo-fhir-events-subscription**.

+ :::image type="content" source="media/disable-delete-workspaces/select-event-subscription.png" alt-text="Screenshot showing selection of event subscription to be deleted." lightbox="media/disable-delete-workspaces/select-event-subscription.png":::

+1. Choose **Delete**.

+ :::image type="content" source="media/disable-delete-workspaces/select-subscription-delete-sml.png" alt-text="Screenshot showing confirmation of the event subscription to be deleted." lightbox="media/disable-delete-workspaces/select-subscription-delete-lrg.png":::

+1. If there are multiple event subscriptions, repeat these steps to delete each one until the message **No Event Subscriptions Found** is displayed in the **Name** field.

+ :::image type="content" source="media/disable-delete-workspaces/no-event-subscriptions-found-sml.png" alt-text="Screenshot showing deletion of all event subscriptions to disable events." lightbox="media/disable-delete-workspaces/no-event-subscriptions-found-lrg.png":::

+> [!NOTE]

+> When you delete all event subscriptions, the FHIR or DICOM service disables events and goes into **Updating** status. The FHIR or DICOM service stays online during the update, but you canΓÇÖt change the configuration until it completes.

+## Delete events-enabled workspaces

+To delete events-enabled workspaces without errors, do these steps in this exact order:

+1. Delete all child resources associated with the workspace (for example, FHIR&reg; services, DICOM&reg; services, and MedTech services).

+1. [Delete all event subscriptions](#disable-events) associated with the workspace.

+1. Delete the workspace.

+## Next steps

+[Troubleshoot events](events-troubleshooting-guide.md)

+ Title: Events FAQ for Azure Health Data Services

+description: Get answers to common questions about the events capability in the FHIR and DICOM services in Azure Health Data Services. Find out how events work, what types of events are supported, and how to subscribe to events by using Azure Event Grid.

+# Events FAQ

+**Applies to:** [!INCLUDE [Yes icon](../includes/applies-to.md)][!INCLUDE [FHIR service](../includes/fhir-service.md)], [!INCLUDE [DICOM service](../includes/DICOM-service.md)]

+Events let you subscribe to data changes in the FHIR&reg; or DICOM&reg; service and get notified through Azure Event Grid. You can use events to trigger workflows, automate tasks, send alerts, and more. In this FAQ, youΓÇÖll find answers to some common questions about events.

+**Can I use events with a non-Microsoft FHIR or DICOM service?**

+No. The Events capability only supports the Azure Health Data Services FHIR and DICOM services.

+**What FHIR resource changes are supported by events?**

+Events are generated from these FHIR service types:

+- **FhirResourceCreated**. The event emitted after a FHIR resource is created.

+- **FhirResourceUpdated**. The event emitted after a FHIR resource is updated.

+- **FhirResourceDeleted**. The event emitted after a FHIR resource is soft deleted.

+For more information about delete types in the FHIR service, see [FHIR REST API capabilities for Azure Health Data Services](../../healthcare-apis/fhir/fhir-rest-api-capabilities.md).

+**Does events support FHIR bundles?**

+Yes. The events capability emits notifications of data changes at the FHIR resource level.

+Events support these [FHIR bundle types](http://hl7.org/fhir/R4/valueset-bundle-type.html):

+- **Batch**. An event is emitted for each successful data change operation in a bundle. If one of the operations generates an error, no event is emitted for that operation. For example: the batch bundle contains five operations, however, there's an error with one of the operations. Events are emitted for the four successful operations with no event emitted for the operation that generated an error.

+- **Transaction**. An event is emitted for each successful bundle operation as long as there are no errors. If there are any errors within a transaction bundle, then no events are emitted. For example: the transaction bundle contains five operations, however, there's an error with one of the operations. No events are emitted for that bundle.

+> Events aren't sent in the sequence of the data operations in the FHIR bundle.

+**What DICOM image changes does events support?**

+- **DicomImageCreated**. The event emitted after a DICOM image is created.

+- **DicomImageDeleted**. The event emitted after a DICOM image is deleted.

+- **DicomImageUpdated**. The event emitted after a DICOM image is updated. For more information, see [Update DICOM files](../dicom/update-files.md).

+**What is the payload of an events message?**

+For a description of the events message structure and required and nonrequired elements, see [Events message structures](events-message-structure.md).

+**What is the throughput for events messages?**

+The throughput of the FHIR or DICOM service and the Event Grid governs the throughput of FHIR and DICOM events. When a request made to the FHIR service is successful, it returns a 2xx HTTP status code. It also generates a FHIR resource or DICOM image changing event. The current limitation is 5,000 events/second per workspace for all FHIR or DICOM service instances in the workspace.

+**How am I charged for using events?**

+**How do I subscribe separately to multiple FHIR or DICOM services in the same workspace?**

+Use the Event Grid filtering feature. There are unique identifiers in the event message payload to differentiate accounts and workspaces. You can find a global unique identifier for workspace in the `source` field, which is the Azure Resource ID. You can locate the unique FHIR account name in that workspace in the `data.resourceFhirAccount` field. You can locate the unique DICOM account name in the workspace in the `data.serviceHostName` field. When you create a subscription, use the filtering operators to select the events you want to include in the subscription.

+**Can I use the same subscriber for multiple workspaces, FHIR accounts, or DICOM accounts?**

+Yes. We recommend that you use different subscribers for each FHIR or DICOM service to enable processing in isolated scopes.

+**Is the Event Grid compatible with HIPAA and HITRUST compliance requirements?**

+Yes. Event Grid supports Health Insurance Portability and Accountability Act (HIPAA) and Health Information Trust Alliance (HITRUST) obligations. For more information, see [Microsoft Azure Compliance Offerings](https://azure.microsoft.com/resources/microsoft-azure-compliance-offerings/).

+**How long does it take to receive an events message?**

+On average, you should receive your event message within one second after a successful HTTP request. 99.99% of the event messages should be delivered within five seconds unless the limitation of either the FHIR service, DICOM service, or [Event Grid](../../event-grid/quotas-limits.md) is reached.

+**Is it possible to receive duplicate events messages?**

+Yes. The Event Grid guarantees at least one events message delivery with its push mode. There may be cases when the event delivery request returns with a transient failure status code for random reasons. In this situation, the Event Grid considers it a delivery failure and resends the events message. For more information, see [Azure Event Grid delivery and retry](../../event-grid/delivery-and-retry.md).

+Generally, we recommend that developers ensure idempotency for the event subscriber. The event ID or the combination of all fields in the `data` property of the message content are unique for each event. You can rely on them to deduplicate.

+IoT Central relies on the Device Provisioning Service (DPS) to provision devices in IoT Central. Currently, IoT Edge can't use DPS provision a downstream device to your IoT Central application. The following steps show you how to provision the `thermostat1` device manually. To complete these steps, you need an environment with Python installed and internet connectivity. Check the [Azure IoT Python SDK](https://github.com/Azure/azure-iot-sdk-python/blob/main/README.md) for current Python version requirements. The [Azure Cloud Shell](https://shell.azure.com/) has Python pre-installed:

+# Customer intent: As a user of Azure IoT Operations, I want learn about the terminology associated with Azure IoT Operations so that I can use the terminology correctly.

+ | Name | `HTTP Endpoint - ERP data` |

+1. Name the stage _Reference dataset - erp-data_.

+ | Name | `MQ - ContosoLLC/#` |

+1. Add a **Transform** stage after the source stage. Name the stage _Transform - Reorganize message_ and add the following JQ expressions. This transform reorganizes the data and makes it easier to read:

+1. Use the **Stages** list on the left to add an **Enrich** stage after the transform stage, and select it from the pipeline diagram. Name the stage _Enrich - Add ERP data_. This stage enriches the measurements from the simulated production line assets with reference data from the `erp-data` dataset. This stage uses a condition to determine when to add the ERP data. Open the **Add condition** options and add the following information:

+1. Add a **Transform** stage after the enrich stage with the following JQ expressions. Name the stage _Transform - Flatten ERP data_. This transform stage reorganizes the data and makes it easier to read. These JQ expressions move the enrichment data to the same flat path as the real-time data to make it easier to export to Azure Data Explorer:

+ | Name | `Call out HTTP - Anomaly detection` |

+ | Name | `MQ - processed-output` |

+ | Field | Value |

+ |-||

+ | Name | `MQ - processed-output` |

+ | Broker | `tls://aio-mq-dmqtt-frontend:8883` |

+ | Topic | `processed-output` |

+ | Data Format | `JSON` |

+1. Select **Add destination** and then select **Azure Data Explorer**. Select the **Advanced** tab and then paste in the following configuration:

+ ```json

+ {

+ "displayName": "Azure Data Explorer - bakery_ops",

+ "type": "output/dataexplorer@v1",

+ "viewOptions": {

+ "position": {

+ "x": 0,

+ "y": 432

+ }

+ },

+ "clusterUrl": "https://your-cluster.northeurope.kusto.windows.net/",

+ "database": "bakery_ops",

+ "table": "edge_data",

+ "authentication": {

+ "type": "servicePrincipal",

+ "tenantId": "your tenant ID",

+ "clientId": "your client ID",

+ "clientSecret": "AIOFabricSecret"

+ },

+ "batch": {

+ "time": "5s",

+ "path": ".payload.payload"

+ },

+ "columns": [

+ {

+ "name": "AssetID",

+ "path": ".assetId"

+ },

+ {

+ "name": "Timestamp",

+ "path": ".sourceTimestamp"

+ },

+ {

+ "name": "Name",

+ "path": ".assetName"

+ },

+ {

+ "name": "SerialNumber",

+ "path": ".serialNumber"

+ },

+ {

+ "name": "Status",

+ "path": ".machineStatus"

+ },

+ {

+ "name": "Maintenance",

+ "path": ".maintenanceStatus"

+ },

+ {

+ "name": "Location",

+ "path": ".site"

+ },

+ {

+ "name": "OperatingTime",

+ "path": ".operatingTime"

+ },

+ {

+ "name": "Humidity",

+ "path": ".humidity"

+ },

+ {

+ "name": "HumidityAnomalyFactor",

+ "path": ".humidityAnomalyFactor"

+ },

+ {

+ "name": "HumidityAnomaly",

+ "path": ".humidityAnomaly"

+ },

+ {

+ "name": "Temperature",

+ "path": ".temperature"

+ },

+ {

+ "name": "TemperatureAnomalyFactor",

+ "path": ".temperatureAnomalyFactor"

+ },

+ {

+ "name": "TemperatureAnomaly",

+ "path": ".temperatureAnomaly"

+ },

+ {

+ "name": "Vibration",

+ "path": ".vibration"

+ },

+ {

+ "name": "VibrationAnomalyFactor",

+ "path": ".vibrationAnomalyFactor"

+ },

+ {

+ "name": "VibrationAnomaly",

+ "path": ".vibrationAnomaly"

+ }

+ ]

+ }

+ ```

+1. Then navigate to the **Basic** tag and fill in the following fields by using the information you made a note of previously:

+ | Field | Value |

+ |--|-|

+ | Cluster URL | To find this value, navigate to your cluster at [Azure Data Explorer](https://dataexplorer.azure.com) and select the **Edit connection** icon next to your cluster name in the left pane. |

+ | Tenant ID | The tenant ID you made a note of when you created the service principal. |

+ | Client ID | The app ID you made a note of when you created the service principal. |

+ | Secret | `AIOFabricSecret` |

+ Select **Apply**.

+ | Name | `HTTP Endpoint - production data` |

+ Select **Apply**.

+1. Name the stage _Reference dataset - production-data_.

+ | Name | `HTTP Endpoint - operations data` |

+ Select **Apply**.

+1. Name the stage _Reference dataset - operations-data_.

+ | Name | `MQ - Contoso/#` |

+1. Use the **Stages** list on the left to add a **Transform** stage after the source stage. Name the stage _Transform - flatten message_ and add the following JQ expressions. This transform creates a flat, readable view of the message and extracts the `Line` and `Site` information from the topic:

+1. Use the **Stages** list on the left to add an **Aggregate** stage after the transform stage and select it. Name the stage _Aggregate - down sample measurements_. In this pipeline, you use the aggregate stage to down sample the measurements from the production line assets. You configure the stage to aggregate data for 10 seconds. Then for the relevant data, calculate the average or pick the latest value. Select the **Advanced** tab in the aggregate stage and paste in the following configuration:

+ | Field | Value |

+ |--||

+ | Name | `Call out HTTP - Fetch shift data` |

+ | Method | `POST` |

+ | URL | `http://shift-svc-http:3333` |

+ | Authentication | `None` |

+ | API Request - Data format | `JSON` |

+ | API Request - Path | `.payload` |

+ | API Response - Data format | `JSON` |

+ | API Response - Path | `.payload` |

+ | Field | Value |

+ |--||

+ | Name | `Enrich - Operations data` |

+ | Dataset | `operations-data` |

+ | Output path | `.payload.operatorData` |

+ | Input path | `.payload.shift` |

+ | Property | `Shift` |

+ | Operator | `Key match` |

+ | Field | Value |

+ |--||

+ | Name | `Enrich - Production data` |

+ | Dataset | `production-data` |

+ | Output path | `.payload.productionData` |

+ | Input path | `.payload.Line` |

+ | Property | `Line` |

+ | Operator | `Key match` |

+1. Use the **Stages** list on the left to add another **Transform** stage after the enrich stage and select it. Name the stage _Transform - flatten enrichment data_. Add the following JQ expressions:

+ | Field | Value |

+ |-||

+ | Name | `MQ - Oee-processed-output` |

+ | Broker | `tls://aio-mq-dmqtt-frontend:8883` |

+ | Topic | `Oee-processed-output` |

+ | Data format | `JSON` |

+ | Path | `.payload` |

+1. Select the title of the pipeline on the top left corner, rename it to _oee-fabric_, and **Apply** the change.

+ | Field | Value |

+ |-||

+ | Name | `MQ - Oee-processed-output` |

+ | Broker | `tls://aio-mq-dmqtt-frontend:8883` |

+ | Topic | `Oee-processed-output` |

+ | Data Format | `JSON` |

+ "displayName": "Fabric Lakehouse - OEE table",

+1. To save your pipeline, select **Save**. It may take a few minutes for the pipeline to deploy to your cluster, so make sure it's finished before you proceed.

+# Customer intent: As a solution builder, I want a high-level overview of the options for analyzing and visualizing device data in an IoT solution.

+# Customer intent: As a solution builder or device developer I want a high-level overview of the issues around device infrastructure and connectivity so that I can easily find relevant content.

+# Customer intent: As a solution builder or device developer I want a high-level overview of the issues around device development so that I can easily find relevant content.

+# Customer intent: As a solution builder or device developer I want a high-level overview of the issues around device management and control so that I can easily find relevant content.

+# Customer intent: As a solution builder or device developer I want a high-level overview of the message processing in IoT solutions so that I can easily find relevant content for my scenario.

+# Customer intent: As a solution builder, I want a high-level overview of the options for scalability, high availability, and disaster recovery in an IoT solution so that I can easily find relevant content for my scenario.

+# Customer intent: As a solution builder, I want a high-level overview of the options for extending an IoT solution so that I can easily find relevant content for my scenario.

+# Customer intent: As a solution builder, I want a high-level overview of the options for managing an IoT solution so that I can easily find relevant content for my scenario.

+|Managed HSM Backup| Grants permissions to perform single-key or whole-HSM backup.|7b127d3c-77bd-4e3e-bbe0-dbb8971fa7f8|

+|Managed HSM Restore| Grants permissions to perform single-key or whole-HSM restore. |6efe6056-5259-49d2-8b3d-d3d73544b20b|

+|Data action | Administrator | Crypto Officer | Crypto User | Policy Administrator | Crypto Service Encryption User | Backup | Crypto Auditor | Crypto Service Release User | Restore|

+||::|::|::|::|::|::|::|::|::|

+|**Security domain management**||||||||||

+|/securitydomain/download/action|X|||||||||

+|/securitydomain/upload/action|X|||||||||

+|/securitydomain/upload/read|X|||||||||

+|/securitydomain/transferkey/read|X|||||||||

+|**Key management**||||||||||

+|/keys/read/action|||X||X||X|||

+|/keys/write/action|||X|||||||

+|/keys/rotate/action|||X|||||||

+|/keys/create|||X|||||||

+|/keys/delete|||X|||||||

+|/keys/deletedKeys/read/action||X||||||||

+|/keys/deletedKeys/recover/action||X||||||||

+|/keys/deletedKeys/delete||X|||||X|||

+|/keys/backup/action|||X|||X||||

+|/keys/restore/action|||X||||||X|

+|/keys/release/action|||X|||||X||

+|/keys/import/action|||X|||||||

+|**Key cryptographic operations**||||||||||

+|/keys/encrypt/action|||X|||||||

+|/keys/decrypt/action|||X|||||||

+|/keys/wrap/action|||X||X|||||

+|/keys/unwrap/action|||X||X|||||

+|/keys/sign/action|||X|||||||

+|/keys/verify/action|||X|||||||

+|**Role management**||||||||||

+|/roleAssignments/read/action|X|X|X|X|||X|||

+|/roleAssignments/write/action|X|X||X||||||

+|/roleAssignments/delete/action|X|X||X||||||

+|/roleDefinitions/read/action|X|X|X|X|||X|||

+|/roleDefinitions/write/action|X|X||X||||||

+|/roleDefinitions/delete/action|X|X||X||||||

+|**Backup and restore management**||||||||||

+|/backup/start/action|X|||||X||||

+|/backup/status/action|X|||||X||||

+|/restore/start/action|X||||||||X|

+|/restore/status/action|X||||||||X|

+# Customer intent: As an cloud engineer with basic Load Balancer services, I need guidance and direction on migrating my workloads off basic to standard SKUs

+# Customer intent: As a network engineer, I want to understand how to configure health probes for Azure Load Balancer so that I can detect application failures, manage load, and plan for downtime.

+ Title: "Quickstart: Create an internal load balancer - Terraform"

+description: This quickstart shows how to create an internal load balancer by using Terraform.

+#Customer intent: I want to create an internal load balancer by using Terraform so that I can load balance internal traffic to VMs.

+# Quickstart: Create an internal load balancer to load balance internal traffic to VMs using Terraform

+This quickstart shows you how to deploy a standard internal load balancer and two virtual machines using Terraform. Additional resources include Azure Bastion, NAT Gateway, a virtual network, and the required subnets.

+> [!div class="checklist"]

+> * Create an Azure resource group using [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)

+> * Create an Azure Virtual Network using [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network)

+> * Create an Azure subnet using [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet)

+> * Create an Azure public IP using [azurerm_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip)

+> * Create an Azure Load Balancer using [azurerm_lb](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/lb)

+> * Create an Azure network interface using [azurerm_network_interface](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface)

+> * Create an Azure network interface load balancer backend address pool association using [azurerm_network_interface_backend_address_pool_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_backend_address_pool_association)

+> * Create an Azure Linux Virtual Machine using [azurerm_linux_virtual_machine](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine)

+> * Create an Azure Virtual Machine Extension using [azurerm_virtual_machine_extension](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine_extension)

+> * Create an Azure NAT Gateway using [azurerm_nat_gateway](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/nat_gateway)

+> * Create an Azure Bastion using [azurerm_bastion_host](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/bastion_host)

+## Prerequisites

+- [Install and configure Terraform](/azure/developer/terraform/quickstart-configure)

+## Implement the Terraform code

+> [!NOTE]

+> See more [articles and sample code showing how to use Terraform to manage Azure resources](/azure/terraform).

+1. Create a directory in which to test the sample Terraform code and make it the current directory.

+1. Create a file named `providers.tf` and insert the following code:

+ ```

+ terraform {

+   required_version = ">=0.12"

+

+   required_providers {

+     azapi = {

+       source = "azure/azapi"

+       version = "~>1.5"

+     }

+     azurerm = {

+       source = "hashicorp/azurerm"

+       version = "~>2.0"

+     }

+     random = {

+       source = "hashicorp/random"

+       version = "~>3.0"

+     }

+   }

+ }

+

+ provider "azurerm" {

+   features {}

+ }

+ ```

+1. Create a file named `main.tf` and insert the following code:

+ ```

+ resource "random_string" "my_resource_group" {

+   length  = 8

+   upper   = false

+  special = false

+ }

+

+ # Create Resource Group

+ resource "azurerm_resource_group" "my_resource_group" {

+  name     = "${var.public_ip_name}-${random_string.my_resource_group.result}"

+  location = var.resource_group_location

+ }

+

+ # Create Virtual Network

+ resource "azurerm_virtual_network" "my_virtual_network" {

+   name = var.virtual_network_name

+   address_space = ["10.0.0.0/16"]

+   location = azurerm_resource_group.my_resource_group.location

+   resource_group_name = azurerm_resource_group.my_resource_group.name

+ }

+

+ # Create a subnet in the Virtual Network

+ resource "azurerm_subnet" "my_subnet" {

+   name = var.subnet_name

+   resource_group_name = azurerm_resource_group.my_resource_group.name

+   virtual_network_name = azurerm_virtual_network.my_virtual_network.name

+   address_prefixes = ["10.0.1.0/24"]

+ }

+

+ # Create a subnet named as "AzureBastionSubnet" in the Virtual Network for creating Azure Bastion

+ resource "azurerm_subnet" "my_bastion_subnet" {

+   name = "AzureBastionSubnet"

+   resource_group_name = azurerm_resource_group.my_resource_group.name

+   virtual_network_name = azurerm_virtual_network.my_virtual_network.name

+   address_prefixes = ["10.0.2.0/24"]

+ }

+

+ # Create Network Security Group and rules

+ resource "azurerm_network_security_group" "my_nsg" {

+   name = var.network_security_group_name

+   location = azurerm_resource_group.my_resource_group.location

+   resource_group_name = azurerm_resource_group.my_resource_group.name

+

+   security_rule {

+     name = "ssh"

+     priority = 1022

+     direction = "Inbound"

+     access = "Allow"

+     protocol = "Tcp"

+     source_port_range = "*"

+     destination_port_range = "22"

+     source_address_prefix = "*"

+     destination_address_prefix = "10.0.1.0/24"

+   }

+

+   security_rule {

+     name = "web"

+     priority = 1080

+     direction = "Inbound"

+     access = "Allow"

+     protocol = "Tcp"

+     source_port_range = "*"

+     destination_port_range = "80"

+     source_address_prefix = "*"

+     destination_address_prefix = "10.0.1.0/24"

+   }

+ }

+

+ # Associate the Network Security Group to the subnet

+ resource "azurerm_subnet_network_security_group_association" "my_nsg_association" {

+   subnet_id = azurerm_subnet.my_subnet.id

+   network_security_group_id = azurerm_network_security_group.my_nsg.id

+ }

+

+ # Create Public IPs

+ resource "azurerm_public_ip" "my_public_ip" {

+   count = 2

+   name = "${var.public_ip_name}-${count.index}"

+   location = azurerm_resource_group.my_resource_group.location

+   resource_group_name = azurerm_resource_group.my_resource_group.name

+   allocation_method = "Static"

+   sku = "Standard"

+ }

+

+ # Create a NAT Gateway for outbound internet access of the Virtual Machines in the Backend Pool of the Load Balancer

+ resource "azurerm_nat_gateway" "my_nat_gateway" {

+   name = var.nat_gateway

+   location = azurerm_resource_group.my_resource_group.location

+   resource_group_name = azurerm_resource_group.my_resource_group.name

+   sku_name = "Standard"

+ }

+

+ # Associate one of the Public IPs to the NAT Gateway

+ resource "azurerm_nat_gateway_public_ip_association" "my_nat_gateway_ip_association" {

+   nat_gateway_id = azurerm_nat_gateway.my_nat_gateway.id

+   public_ip_address_id = azurerm_public_ip.my_public_ip[0].id

+ }

+

+ # Associate the NAT Gateway to subnet

+ resource "azurerm_subnet_nat_gateway_association" "my_nat_gateway_subnet_association" {

+   subnet_id = azurerm_subnet.my_subnet.id

+   nat_gateway_id = azurerm_nat_gateway.my_nat_gateway.id

+ }

+

+ # Create Network Interfaces

+ resource "azurerm_network_interface" "my_nic" {

+   count = 3

+   name = "${var.network_interface_name}-${count.index}"

+   location = azurerm_resource_group.my_resource_group.location

+   resource_group_name = azurerm_resource_group.my_resource_group.name

+

+   ip_configuration {

+     name = "ipconfig-${count.index}"

+     subnet_id = azurerm_subnet.my_subnet.id

+     private_ip_address_allocation = "Dynamic"

+     primary = true

+   }

+ }

+

+ # Create Azure Bastion for accessing the Virtual Machines

+ resource "azurerm_bastion_host" "my_bastion" {

+   name = var.bastion_name

+   location = azurerm_resource_group.my_resource_group.location

+   resource_group_name = azurerm_resource_group.my_resource_group.name

+   sku = "Standard"

+

+   ip_configuration {

+     name = "ipconfig"

+     subnet_id = azurerm_subnet.my_bastion_subnet.id

+     public_ip_address_id = azurerm_public_ip.my_public_ip[1].id

+   }

+ }

+

+ # Associate Network Interface to the Backend Pool of the Load Balancer

+ resource "azurerm_network_interface_backend_address_pool_association" "my_nic_lb_pool" {

+   count = 2

+   network_interface_id = azurerm_network_interface.my_nic[count.index].id

+   ip_configuration_name = "ipconfig-${count.index}"

+   backend_address_pool_id = azurerm_lb_backend_address_pool.my_lb_pool.id

+ }

+

+ # Create Virtual Machine

+ resource "azurerm_linux_virtual_machine" "my_vm" {

+   count = 3

+   name = "${var.virtual_machine_name}-${count.index}"

+   location = azurerm_resource_group.my_resource_group.location

+   resource_group_name = azurerm_resource_group.my_resource_group.name

+   network_interface_ids = [azurerm_network_interface.my_nic[count.index].id]

+   size = var.virtual_machine_size

+

+   os_disk {

+     name = "${var.disk_name}-${count.index}"

+     caching = "ReadWrite"

+     storage_account_type = var.redundancy_type

+   }

+

+   source_image_reference {

+     publisher = "Canonical"

+     offer = "0001-com-ubuntu-server-jammy"

+     sku = "22_04-lts-gen2"

+     version = "latest"

+   }

+

+   admin_username = var.username

+   admin_password = var.password

+   disable_password_authentication = false

+

+ }

+

+ # Enable virtual machine extension and install Nginx

+ resource "azurerm_virtual_machine_extension" "my_vm_extension" {

+   count = 2

+   name = "Nginx"

+   virtual_machine_id = azurerm_linux_virtual_machine.my_vm[count.index].id

+   publisher = "Microsoft.Azure.Extensions"

+   type = "CustomScript"

+   type_handler_version = "2.0"

+

+   settings = <<SETTINGS

+  {

+   "commandToExecute": "sudo apt-get update && sudo apt-get install nginx -y && echo \"Hello World from $(hostname)\" > /var/www/html/https://docsupdatetracker.net/index.html && sudo systemctl restart nginx"

+  }

+ SETTINGS

+

+ }

+

+ # Create an Internal Load Balancer

+ resource "azurerm_lb" "my_lb" {

+   name = var.load_balancer_name

+   location = azurerm_resource_group.my_resource_group.location

+   resource_group_name = azurerm_resource_group.my_resource_group.name

+   sku = "Standard"

+

+   frontend_ip_configuration {

+     name = "frontend-ip"

+     subnet_id = azurerm_subnet.my_subnet.id

+     private_ip_address_allocation = "Dynamic"

+   }

+ }

+

+ resource "azurerm_lb_backend_address_pool" "my_lb_pool" {

+   loadbalancer_id = azurerm_lb.my_lb.id

+   name = "test-pool"

+ }

+

+ resource "azurerm_lb_probe" "my_lb_probe" {

+   resource_group_name = azurerm_resource_group.my_resource_group.name

+   loadbalancer_id = azurerm_lb.my_lb.id

+   name = "test-probe"

+   port = 80

+ }

+

+ resource "azurerm_lb_rule" "my_lb_rule" {

+   resource_group_name = azurerm_resource_group.my_resource_group.name

+   loadbalancer_id = azurerm_lb.my_lb.id

+   name = "test-rule"

+   protocol = "Tcp"

+   frontend_port = 80

+   backend_port = 80

+   disable_outbound_snat = true

+   frontend_ip_configuration_name = "frontend-ip"

+   probe_id = azurerm_lb_probe.my_lb_probe.id

+   backend_address_pool_ids = [azurerm_lb_backend_address_pool.my_lb_pool.id]

+ }

+ ```

+1. Create a file named `variables.tf` and insert the following code:

+ ```

+ variable "resource_group_location" {

+   type = string

+   default = "eastus"

+   description = "Location of the resource group."

+ }

+

+ variable "resource_group_name" {

+   type = string

+   default = "test-group"

+   description = "Name of the resource group."

+ }

+

+ variable "username" {

+   type = string

+   default = "microsoft"

+   description = "The username for the local account that will be created on the new VM."

+ }

+

+ variable "password" {

+   type = string

+   default = "Microsoft@123"

+   description = "The passoword for the local account that will be created on the new VM."

+ }

+

+ variable "virtual_network_name" {

+   type = string

+   default = "test-vnet"

+   description = "Name of the Virtual Network."

+ }

+

+ variable "subnet_name" {

+   type = string

+   default = "test-subnet"

+   description = "Name of the subnet."

+ }

+

+ variable public_ip_name {

+   type = string

+   default = "test-public-ip"

+   description = "Name of the Public IP for the NAT Gateway."

+ }

+

+ variable "nat_gateway" {

+   type = string

+   default = "test-nat"

+   description = "Name of the NAT gateway."

+ }

+

+ variable "bastion_name" {

+   type = string

+   default = "test-bastion"

+   description = "Name of the Bastion."

+ }

+

+ variable network_security_group_name {

+   type = string

+   default = "test-nsg"

+   description = "Name of the Network Security Group."

+ }

+

+ variable "network_interface_name" {

+   type = string

+   default = "test-nic"

+   description = "Name of the Network Interface."  

+ }

+

+ variable "virtual_machine_name" {

+   type = string

+   default = "test-vm"

+   description = "Name of the Virtual Machine."

+ }

+

+ variable "virtual_machine_size" {

+   type = string

+   default = "Standard_B2s"

+   description = "Size or SKU of the Virtual Machine."

+ }

+

+ variable "disk_name" {

+   type = string

+   default = "test-disk"

+   description = "Name of the OS disk of the Virtual Machine."

+ }

+

+ variable "redundancy_type" {

+   type = string

+   default = "Standard_LRS"

+   description = "Storage redundancy type of the OS disk."

+ }

+

+ variable "load_balancer_name" {

+   type = string

+   default = "test-lb"

+   description = "Name of the Load Balancer."

+ }

+ ```

+1. Create a file named `outputs.tf` and insert the following code:

+ ```

+ output "private_ip_address" {

+ value = "http://${azurerm_lb.my_lb.private_ip_address}"

+ }

+ ```

+## Initialize Terraform

+## Create a Terraform execution plan

+## Apply a Terraform execution plan

+## Verify the results

+1. When you apply the execution plan, Terraform displays the frontend private IP address. If you've cleared the screen, you can retrieve that value with the following Terraform command:

+ ```console

+ echo $(terraform output -raw private_ip_address)

+ ```

+1. Login to the VM which is not associated to the backend pool of load balancer using Bastion.

+1. Run the curl command to access the custom web page of the Nginx web server using the frontend private IP address of the load balancer.

+ ```

+ curl http://<Frontend IP address>

+ ```

+## Clean up resources

+## Troubleshoot Terraform on Azure

+[Troubleshoot common problems when using Terraform on Azure](/azure/developer/terraform/troubleshoot)

+## Next steps

+In this quickstart, you:

+- Created an internal Azure Load Balancer

+- Attached 2 VMs to the load balancer

+- Configured the load balancer traffic rule, health probe, and then tested the load balancer

+To learn more about Azure Load Balancer, continue to:

+> [!div class="nextstepaction"]

+> [What is Azure Load Balancer?](load-balancer-overview.md)

+### Updating or starting the load test fails with `User doesn't have subnet/join/action permission on the virtual network (ALTVNET004)`

+To update or start a load test, you must have sufficient permissions to deploy Azure Load Testing to the virtual network. You require the [Network Contributor](/azure/role-based-access-control/built-in-roles#network-contributor) role, or a parent of this role, on the virtual network.

+# Customer intent: As a BizTalk Server customer, I want to learn about migration options, planning considerations, and best practices for moving from BizTalk Server to Azure Integration Services.

+# Customer intent: As a BizTalk Server customer, I want to better understand why I should migrate to Azure Integration Services in the cloud from on-premises BizTalk Server.

+# Customer intent: As a developer, I want to transform data in Azure Logic Apps by creating a map between schemas with Visual Studio Code.

+# Customer intent: As a developer, I want learn about the capability to create custom connectors with operations that I can use in my Azure Logic Apps workflows.

+# Customer intent: As a developer, I want to deploy Standard logic apps to Azure storage accounts that use private endpoints.

+# Customer intent: As a developer, I want to learn about DevOps deployment support for single-tenant Azure Logic Apps.

+| Qatar Central | 20.21.211.241, 20.21.211.242 |

+| Sweden Central | 20.91.178.13, 20.240.10.125 |

+| Qatar Central | 20.21.211.240, 20.21.209.216, 20.21.211.245, 20.21.210.251 |

+| Sweden Central | 20.91.178.11, 20.91.177.115, 20.240.10.91, 20.240.10.89 |

+# Customer intent: As a developer using Azure Logic Apps, I want to perform various data operations on various data types for my workflow in Azure Logic Apps.

+# Customer intent: As a logic apps developer, I want to learn and understand how usage metering, billing, and pricing work in Azure Logic Apps.

+# Customer intent: As a developer, I want to collect and send diagnostics data for my logic app workflows to specific destinations, such as a Log Analytics workspace, storage account, or event hub, for further review.

+# Customer intent: As a developer, I want to connect to my Standard logic app workflows with virtual networks using private endpoints and virtual network integration.

+# Customer intent: As a developer, I want to automate deployment for workflows hosted in single-tenant Azure Logic Apps by using DevOps tools and processes.

+# Customer intent: As a developer, I want to review the health and performance metrics for workflows in Azure Logic Apps.

+Depending on what a machine learning project already has, the starting point of building a machine learning pipeline might vary. There are a few typical approaches to building a pipeline.

+Once the teams get familiar with pipelines and want to do more machine learning projects using pipelines, they'll find the first approach is hard to scale. The second approach is set up a few pipeline templates, each try to solve one specific machine learning problem. The template predefines the pipeline structure including how many steps, each step's inputs and outputs, and their connectivity. To start a new machine learning project, the team first forks one template repo. The team leader then assigns members which step they need to work on. The data scientists and data engineers do their regular work. When they're happy with their result, they structure their code to fit in the pre-defined steps. Once the structured codes are checked-in, the pipeline can be executed or automated. If there's any change, each member only needs to work on their piece of code without touching the rest of the pipeline code.

+Azure Machine Learning offers different methods to build a pipeline. For users who are familiar with DevOps practices, we recommend using [CLI](how-to-create-component-pipelines-cli.md). For data scientists who are familiar with python, we recommend writing pipelines using the [Azure Machine Learning SDK v2](how-to-create-component-pipeline-python.md). For users who prefer to use the UI, they could use the [designer to build pipelines by using registered components](how-to-create-component-pipelines-ui.md).

+Microsoft developed a [Responsible AI Standard](https://blogs.microsoft.com/wp-content/uploads/prod/sites/5/2022/06/Microsoft-Responsible-AI-Standard-v2-General-Requirements-3.pdf). It's a framework for building AI systems according to six principles: fairness, reliability and safety, privacy and security, inclusiveness, transparency, and accountability. For Microsoft, these principles are the cornerstone of a responsible and trustworthy approach to AI, especially as intelligent technology becomes more prevalent in products and services that people use every day.

+**Transparency in Azure Machine Learning**: The [model interpretability](how-to-machine-learning-interpretability.md) and [counterfactual what-if](./concept-counterfactual-analysis.md) components of the [Responsible AI dashboard](concept-responsible-ai-dashboard.md) enable data scientists and developers to generate human-understandable descriptions of the predictions of a model.

+The model interpretability component provides multiple views into a model's behavior:

+Microsoft also created two open-source packages that can enable further implementation of privacy and security principles:

+ "Microsoft.MachineLearningServices/workspaces/batchEndpoints/write",

+ "Microsoft.MachineLearningServices/workspaces/batchEndpoints/write",

+ "Microsoft.MachineLearningServices/workspaces/batchEndpoints/deployments/write",

+ "Microsoft.MachineLearningServices/workspaces/batchEndpoints/deployments/jobs/write",

+ "Microsoft.MachineLearningServices/workspaces/batchEndpoints/jobs/write",

+ "Microsoft.MachineLearningServices/workspaces/environments/build/action",

+In this article, you learn how to create and run [machine learning pipelines](concept-ml-pipelines.md) by using Azure CLI and [components](concept-component.md). You can create pipelines without using components, but components offer the greatest amount of flexibility and reuse. Azure Machine Learning Pipelines can be defined in YAML and run from the CLI, authored in Python, or composed in Azure Machine Learning studio Designer with a drag-and-drop UI. This document focuses on the CLI.

+Let's create your first pipeline with components using an example. This section aims to give you an initial impression of what a pipeline and component look like in Azure Machine Learning with a concrete example.

+- **pipeline.yml**: This YAML file defines the machine learning pipeline. This YAML file describes how to break a full machine learning task into a multistep workflow. For example, considering a simple machine learning task of using historical data to train a sales forecasting model, you might want to build a sequential workflow with data processing, model training, and model evaluation steps. Each step is a component that has well defined interface and can be developed, tested, and optimized independently. The pipeline YAML also defines how the child steps connect to other steps in the pipeline, for example, the model training step generates a model file and the model file will pass to a model evaluation step.

+- **component.yml**: This YAML file defines the component. It packages the following information:

+ - Command, code & environment: the command, code and environment to run the component. Command is the shell command to execute the component. Code usually refers to a source code directory. Environment could be an Azure Machine Learning environment(curated or customer created), docker image or conda environment.

+- **component_src**: This is the source code directory for a specific component. It contains the source code that is executed in the component. You can use your preferred language(Python, R...). The code must be executed by a shell command. The source code can take a few inputs from the shell command line to control how this step is going to be executed. For example, a training step might take training data, learning rate, number of epochs to control the training process. The argument of a shell command is used to pass inputs and outputs to the code.

+ Now let's create a pipeline using the `3b_pipeline_with_data` example. We explain the detailed meaning of each file in following sections.

+ First list your available compute resources with the following command:

+Now, create a pipeline job defined in the pipeline.yml file with the following command. The compute target is referenced in the pipeline.yml file as `azureml:cpu-cluster`. If your compute target uses a different name, remember to update it in the pipeline.yml file.

+You should receive a JSON dictionary with information about the pipeline job including:

+| `experiment_name` | The name under which jobs will be organized in studio. |

+Open the `services.Studio.endpoint` URL to see a graph visualization of the pipeline.

+The table describes the most common used fields of pipeline YAML schema. To learn more, see the [full pipeline YAML schema](reference-yaml-job-pipeline.md).

+|type|**Required**. Job type must be `pipeline` for pipeline jobs.|

+|display_name|Display name of the pipeline job in studio UI. Editable in studio UI. Doesn't have to be unique across all jobs in the workspace.|

+One common scenario is to read and write data in your pipeline. In Azure Machine Learning, we use the same schema to [read and write data](how-to-read-write-data-v2.md) for all type of jobs (pipeline job, command job, and sweep job). The following are pipeline job examples of using data for common scenarios.

+The most common used schema of the component YAML is described in table. To learn more, see the [full component YAML schema](reference-yaml-component-command.md).

+For the example in *3b_pipeline_with_data/componentA.yml*, componentA has one data input and one data output, which can be connected to other steps in the parent pipeline. All the files under `code` section in component YAML will be uploaded to Azure Machine Learning when submitting the pipeline job. In this example, files under `./componentA_src` will be uploaded (line 16 in *componentA.yml*). You can see the uploaded source code in Studio UI: double select the ComponentA step and navigate to Snapshot tab, as shown in the following screenshot. We can see it's a hello-world script just doing some simple printing, and write current datetime to the `componentA_output` path. The component takes input and output through command line argument, and it's handled in the *hello.py* using `argparse`.

+**Literal value inputs** (`string`,`number`,`integer`,`boolean`) are the parameters you can pass to the component at run time. You can add default value of literal inputs under `default` field. For `number` and `integer` type, you can also add minimum and maximum value of the accepted value using `min` and `max` fields. If the input value exceeds the min and max, pipeline fails at validation. Validation happens before you submit a pipeline job to save your time. Validation works for CLI, Python SDK and designer UI. The following screenshot shows a validation example in designer UI. Similarly, you can define allowed values in `enum` field.

+If you want to add an input to a component, remember to edit three places:

+- `inputs` field in component YAML

+- `command` field in component YAML.

+- Component source code to handle the command line input. It's marked in green box in the previous screenshot.

+Environment defines the environment to execute the component. It could be an Azure Machine Learning environment(curated or custom registered), docker image or conda environment. See the following examples.

+You can check component details and manage the component using CLI (v2). Use `az ml component -h` to get detailed instructions on component command. The following table lists all available commands. See more examples in [Azure CLI reference](/cli/azure/ml/component?view=azure-cli-latest&preserve-view=true).

+In this article, you'll learn how to create and run [machine learning pipelines](concept-ml-pipelines.md) by using the Azure Machine Learning studio and [Components](concept-component.md). You can create pipelines without using components, but components offer better amount of flexibility and reuse. Azure Machine Learning Pipelines can be defined in YAML and [run from the CLI](how-to-create-component-pipelines-cli.md), [authored in Python](how-to-create-component-pipeline-python.md), or composed in Azure Machine Learning studio Designer with a drag-and-drop UI. This document focuses on the Azure Machine Learning studio designer UI.

+- If you don't have an Azure subscription, create a free account before you begin. Try the [free or paid version of Azure Machine Learning](https://azure.microsoft.com/free/).

+- An Azure Machine Learning workspace [Create workspace resources](quickstart-create-resources.md).

+- [Install and set up the Azure CLI extension for Machine Learning](how-to-configure-cli.md).

+- Clone the examples repository:

+> Designer supports two types of components, classic prebuilt components（v1） and custom components(v2). These two types of components are NOT compatible.

+>Custom components allow you to wrap your own code as a component. It supports sharing components across workspaces and seamless authoring across studio, CLI v2, and SDK v2 interfaces.

+>For new projects, we highly suggest you use custom component, which is compatible with AzureML V2 and will keep receiving new updates.

+The following example uses UI to register components, and the [component source files](https://github.com/Azure/azureml-examples/tree/main/cli/jobs/pipelines-with-components/basics/1b_e2e_registered_components) are in the `cli/jobs/pipelines-with-components/basics/1b_e2e_registered_components` directory of the [`azureml-examples` repository](https://github.com/Azure/azureml-examples). You need to clone the repo to local first.

+1. In your Azure Machine Learning workspace, navigate to **Components** page and select **New Component** (one of the two style pages will appear).

+2. Select Upload from **Folder**, and select the `1b_e2e_registered_components` folder to upload. Select `train.yml` from the drop-down list.

+4. Repeat the previous steps to register Score and Eval component using `score.yml` and `eval.yml` as well.

+2. Give the pipeline a meaningful name by selecting the pencil icon besides the autogenerated name.

+ In this example, we'll use the sample data under [this path](https://github.com/Azure/azureml-examples/tree/main/cli/jobs/pipelines-with-components/basics/1b_e2e_registered_components/data). Register the data into your workspace by selecting the add icon in designer asset library -> data tab, set Type = Folder(uri_folder) then follow the wizard to register the data. The data type need to be uri_folder to align with the [train component definition](https://github.com/Azure/azureml-examples/blob/main/cli/jobs/pipelines-with-components/basics/1b_e2e_registered_components/train.yml).

+ :::image type="content" source="./media/how-to-create-component-pipelines-ui/pipeline-with-all-boxes.png" alt-text="Screenshot showing the pipeline draft." lightbox ="./media/how-to-create-component-pipelines-ui/pipeline-with-all-boxes.png":::

+After submitting the pipeline job, there will be a message on the top with a link to the job detail. You can select this link to review the job details.

+# Customer intent: As a project manager, I want to set up a project to label images in the project. I want to enable machine learning-assisted labeling to help with the task.

+# Set up an image labeling project

+Set up labels for classification, object detection (bounding box), instance segmentation (polygon), or semantic segmentation (preview).

+You can also use an MLTable data asset as input to an image labeling project, as long as the images in the table are one of the above formats. For more information, see [How to use MLTable data assets](./how-to-mltable.md).

+If you already created a dataset that contains your data, select the dataset in the **Select an existing dataset** dropdown.

+You can also select **Create a dataset** to use an existing Azure datastore or to upload local files.

+### Data column mapping (preview)

+If you select an MLTable data asset, an additional **Data Column Mapping** step appears for you to specify the column that contains the image URLs.

+### Import options (preview)

+ When you include a **Category** column in the **Data Column Mapping** step, use **Import Options** to specify how to treat the labeled data.

+* [Manage labeling projects](how-to-manage-labeling-projects.md)

+* [Manage labeling projects](how-to-manage-labeling-projects.md)

+* [How to tag text](how-to-label-data.md#label-text)

+ Title: Deploy MLflow models to real-time endpoints

+description: Learn to deploy your MLflow model as a web service that's managed by Azure.

+In this article, learn how to deploy your [MLflow](https://www.mlflow.org) model to an [online endpoint](concept-endpoints.md) for real-time inference. When you deploy your MLflow model to an online endpoint, you don't need to specify a scoring script or an environmentΓÇöthis functionality is known as _no-code deployment_.

+For no-code-deployment, Azure Machine Learning:

+* Dynamically installs Python packages provided in the `conda.yaml` file. Hence, dependencies get installed during container runtime.

+* Provides an MLflow base image/curated environment that contains the following items:

+ * A scoring script for inferencing.

+## About the example

+The example shows how you can deploy an MLflow model to an online endpoint to perform predictions. The example uses an MLflow model that's based on the [Diabetes dataset](https://www4.stat.ncsu.edu/~boos/var.select/diabetes.html). This dataset contains 10 baseline variables: age, sex, body mass index, average blood pressure, and six blood serum measurements obtained from 442 diabetes patients. It also contains the response of interest, a quantitative measure of disease progression one year after baseline.

+The model was trained using a `scikit-learn` regressor, and all the required preprocessing has been packaged as a pipeline, making this model an end-to-end pipeline that goes from raw data to predictions.

+The information in this article is based on code samples contained in the [azureml-examples](https://github.com/azure/azureml-examples) repository. To run the commands locally without having to copy/paste YAML and other files, clone the repo, and then change directories to `cli`, if you're using the Azure CLI. If you're using the Azure Machine Learning SDK for Python, change directories to `sdk/python/endpoints/online/mlflow`.

+cd azureml-examples/cli

+### Follow along in Jupyter Notebook

+You can follow the steps for using the Azure Machine Learning Python SDK by opening the [Deploy MLflow model to online endpoints](https://github.com/Azure/azureml-examples/blob/main/sdk/python/endpoints/online/mlflow/online-endpoints-deploy-mlflow-model.ipynb) notebook in the cloned repository.

+- Azure role-based access controls (Azure RBAC) are used to grant access to operations in Azure Machine Learning. To perform the steps in this article, your user account must be assigned the owner or contributor role for the Azure Machine Learning workspace, or a custom role allowing `Microsoft.MachineLearningServices/workspaces/onlineEndpoints/*`. For more information on roles, see [Manage access to an Azure Machine Learning workspace](how-to-assign-roles.md).

+- You must have an MLflow model registered in your workspace. This article registers a model trained for the [Diabetes dataset](https://www4.stat.ncsu.edu/~boos/var.select/diabetes.html) in the workspace.

+- Also, you need to:

+ # [Azure CLI](#tab/cli)

+ - Install the Azure CLI and the `ml` extension to the Azure CLI. For more information on installing the CLI, see [Install and set up the CLI (v2)](how-to-configure-cli.md).

+ # [Python (Azure Machine Learning SDK)](#tab/sdk)

+ - Install the Azure Machine Learning SDK for Python.

+ ```bash

+ pip install azure-ai-ml azure-identity

+ ```

+ # [Python (MLflow SDK)](#tab/mlflow)

+ - Install the MLflow SDK package `mlflow` and the Azure Machine Learning plug-in for MLflow `azureml-mlflow`.

+ ```bash

+ pip install mlflow azureml-mlflow

+ ```

+ - If you're not running code in the Azure Machine Learning compute, configure the MLflow tracking URI or MLflow's registry URI to point to the Azure Machine Learning workspace you're working on. For more information on how to connect MLflow to the workspace, see [Configure MLflow for Azure Machine Learning](how-to-use-mlflow-configure-tracking.md).

+ # [Studio](#tab/studio)

+ No additional prerequisites when working in Azure Machine Learning studio.

+First, connect to the Azure Machine Learning workspace where you'll work.

+The workspace is the top-level resource for Azure Machine Learning, providing a centralized place to work with all the artifacts you create when you use Azure Machine Learning. In this section, connect to the workspace in which you'll perform deployment tasks.

+ from azure.ai.ml.entities import (

+ ManagedOnlineEndpoint,

+ ManagedOnlineDeployment,

+ Model,

+ Environment,

+ CodeConfiguration,

+ )

+ from azure.ai.ml.constants import AssetTypes

+### Register the model

+You can deploy only registered models to online endpoints. In this case, you already have a local copy of the model in the repository, so you only need to publish the model to the registry in the workspace. You can skip this step if the model you're trying to deploy is already registered.

+az ml model create --name $MODEL_NAME --type "mlflow_model" --path "endpoints/online/ncd/sklearn-diabetes/model"

+To create a model in Azure Machine Learning studio:

+- Open the __Models__ page in the studio.

+- Select __Register__ and select where your model is located. For this example, select __From local files__.

+- On the __Upload model__ page, select __MLflow__ for the model type.

+- Select __Browse__ to select the model folder, then select __Next__.

+- Provide a __Name__ for the model on the __Model settings__ page and select __Next__.

+- Review the uploaded model fines and model settings on the __Review__ page, then select __Register__.

+#### What if your model was logged inside of a run?

+If your model was logged inside of a run, you can register it directly.

+To register the model, you need to know the location where it is stored. If you're using MLflow's `autolog` feature, the path to the model depends on the model type and framework. You should check the jobs output to identify the name of the model's folder. This folder contains a file named `MLModel`.

+If you're using the `log_model` method to manually log your models, then pass the path to the model as the argument to the method. For example, if you log the model, using `mlflow.sklearn.log_model(my_model, "classifier")`, then the path where the model is stored is called `classifier`.

+1. Configure the endpoint where the model will be deployed. The following example configures the name and authentication mode of the endpoint:

+ Set an endpoint name by running the following command (replace `YOUR_ENDPOINT_NAME` with a unique name):

+ :::code language="azurecli" source="~/azureml-examples-main/cli/deploy-managed-online-endpoint-ncd.sh" ID="set_endpoint_name":::

+ Configure the endpoint:

+ __create-endpoint.yaml__

+ # Creating a unique endpoint name with current datetime to avoid conflicts

+ import datetime

+ You can configure the properties of this endpoint using a configuration file. In this case, you're configuring the authentication mode of the endpoint to be "key".

+ *You'll perform this step in the deployment stage.*

+1. Create the endpoint:

+ *You'll perform this step in the deployment stage.*

+1. Configure the deployment. A deployment is a set of resources required for hosting the model that does the actual inferencing.

+ Alternatively, if your endpoint doesn't have egress connectivity, use [model packaging (preview)](how-to-package-models.md) by including the argument `with_package=True`:

+ To configure the hardware requirements of your deployment, create a JSON file with the desired configuration:

+ > For details about the full specification of this configuration, see [Managed online deployment schema (v2)](reference-yaml-deployment-managed-online.md).

+ *You'll perform this step in the deployment stage.*

+ > Autogeneration of the `scoring_script` and `environment` are only supported for `pyfunc` model flavor. To use a different model flavor, see [Customizing MLflow model deployments](#customize-mlflow-model-deployments).

+1. Create the deployment:

+ 1. From the __Endpoints__ page, Select **Create** from the **Real-time endpoints** tab.

+ 1. Choose the MLflow model that you registered previously, then select the **Select** button.

+

+ > [!NOTE]

+ > The configuration page includes a note to inform you that the the scoring script and environment are auto generated for your selected MLflow model.

+ 1. Select **New** to deploy to a new endpoint.

+ 1. Provide a name for the endpoint and deployment or keep the default names.

+ 1. Select __Deploy__ to deploy the model to the endpoint.

+ :::image type="content" source="media/how-to-deploy-mlflow-models-online-endpoints/deployment-wizard.png" lightbox="media/how-to-deploy-mlflow-models-online-endpoints/deployment-wizard.png" alt-text="Screenshot showing no code and environment needed for MLflow models.":::

+1. Assign all the traffic to the deployment. So far, the endpoint has one deployment, but none of its traffic is assigned to it.

+ *This step in not required in the Azure CLI, since you used the `--all-traffic` flag during creation. If you need to change traffic, you can use the command `az ml online-endpoint update --traffic`. For more information on how to update traffic, see [Progressively update traffic](how-to-deploy-mlflow-models-online-progressive.md#progressively-update-the-traffic).*

+ endpoint.traffic = {"blue": 100}

+ *This step in not required in the studio.*

+ *This step in not required in the Azure CLI, since you used the `--all-traffic` flag during creation. If you need to change traffic, you can use the command `az ml online-endpoint update --traffic`. For more information on how to update traffic, see [Progressively update traffic](how-to-deploy-mlflow-models-online-progressive.md#progressively-update-the-traffic).*

+ *This step in not required in the studio.*

+## Invoke the endpoint

+Once your deployment is ready, you can use it to serve request. One way to test the deployment is by using the built-in invocation capability in the deployment client you're using. The following JSON is a sample request for the deployment.

+>`input_data` is used in this example, instead of `inputs` that is used in MLflow serving. This is because Azure Machine Learning requires a different input format to be able to automatically generate the swagger contracts for the endpoints. For more information about expected input formats, see [Differences between models deployed in Azure Machine Learning and MLflow built-in server](how-to-deploy-mlflow-models.md#models-deployed-in-azure-machine-learning-vs-models-deployed-in-the-mlflow-built-in-server).

+Submit a request to the endpoint as follows:

+# Read the sample request that's in the json file to construct a pandas data frame

+1. Go to the __Endpoints__ tab and select the endpoint you created.

+1. Select __Test__.

+## Customize MLflow model deployments

+You don't have to specify a scoring script in the deployment definition of an MLflow model to an online endpoint. However, you can opt to do so and customize how inference gets executed.

+You'll typically want to customize your MLflow model deployment when:

+> - You need to customize the way the model is run, for instance, to use a specific flavor to load the model, using `mlflow.<flavor>.load_model()`.

+> - You need to do pre/post processing in your scoring routine when it's not done by the model itself.

+> - The output of the model can't be nicely represented in tabular data. For instance, it's a tensor representing an image.

+> If you choose to specify a scoring script for an MLflow model deployment, you'll also have to specify the environment where the deployment will run.

+To deploy an MLflow model with a custom scoring script:

+1. Identify the folder where your MLflow model is located.

+ a. Go to the [Azure Machine Learning studio](https://ml.azure.com).

+ b. Go to the __Models__ section.

+ c. Select the model you're trying to deploy and go to its __Artifacts__ tab.

+ d. Take note of the folder that is displayed. This folder was specified when the model was registered.

+1. Create a scoring script. Notice how the folder name `model` that you previously identified is included in the `init()` function.

+ > [!TIP]

+ > The following scoring script is provided as an example about how to perform inference with an MLflow model. You can adapt this script to your needs or change any of its parts to reflect your scenario.

+ > __MLflow 2.0 advisory__: The provided scoring script will work with both MLflow 1.X and MLflow 2.X. However, be advised that the expected input/output formats on those versions might vary. Check the environment definition used to ensure you're using the expected MLflow version. Notice that MLflow 2.0 is only supported in Python 3.8+.

+1. Create an environment where the scoring script can be executed. Since the model is an MLflow model, the conda requirements are also specified in the model package. For more details about the files included in an MLflow model see [The MLmodel format](concept-mlflow-models.md#the-mlmodel-format). You'll then build the environment using the conda dependencies from the file. However, you need to also include the package `azureml-inference-server-http`, which is required for online deployments in Azure Machine Learning.

+ The conda definition file is as follows:

+ > The `azureml-inference-server-http` package has been added to the original conda dependencies file.

+ You'll use this conda dependencies file to create the environment:

+ *This operation isn't supported in MLflow SDK*

+ 1. Go to the __Environments__ tab on the side menu.

+ 1. For __Select environment source__, choose __Use existing docker image with optional conda file__.

+ 1. For __Container registry image path__, enter `mcr.microsoft.com/azureml/openmpi4.1.0-ubuntu22.04`.

+ 1. Select __Next__ to go to the __Customize__ section.

+ 1. Copy the content of the `sklearn-diabetes/environment/conda.yml` file and paste it in the text box.

+ 1. Select __Next__ to go to the __Tags__ page, and then __Next__ again.

+ 1. On the __Review__ page, select __Create__. The environment is ready for use.

+1. Create the deployment:

+ Create a deployment configuration file __deployment.yml__:

+ *This operation isn't supported in MLflow SDK*

+ 1. Select the MLflow model you registered previously.

+ 1. Select __More options__ in the endpoint creation wizard to open up advanced options.

+ :::image type="content" source="media/how-to-deploy-mlflow-models-online-endpoints/select-advanced-deployment-options.png" lightbox="media/how-to-deploy-mlflow-models-online-endpoints/select-advanced-deployment-options.png" alt-text="Screenshot showing how to select advanced deployment options when creating an endpoint.":::

+ 1. Provide a name and authentication type for the endpoint, and then select __Next__ to see that the model you selected is being used for your deployment.

+ 1. Select __Next__ to continue to the ___Deployment__ page.

+ 1. Select __Next__ to go to the __Code + environment__ page. When you select a model registered in MLflow format, you don't need to specify a scoring script or an environment on this page. However, you want to specify one in this section

+ 1. Select the slider next to __Customize environment and scoring script__.

+ :::image type="content" source="media/how-to-deploy-mlflow-models-online-endpoints/configure-scoring-script-mlflow.png" lightbox="media/how-to-deploy-mlflow-models-online-endpoints/configure-scoring-script-mlflow.png" alt-text="Screenshot showing how to indicate an environment and scoring script for MLflow models.":::

+ 1. Browse to select the scoring script you created previously.

+ 1. Select __Custom environments__ for the environment type.

+ 1. Select the custom environment you created previously, and select __Next__.

+1. Once your deployment completes, it is ready to serve requests. One way to test the deployment is by using a sample request file along with the `invoke` method.

+ Submit a request to the endpoint as follows:

+ :::code language="azurecli" source="~/azureml-examples-main/cli/deploy-managed-online-endpoint-ncd.sh" ID="test_sklearn_deployment":::

+ *This operation isn't supported in MLflow SDK*

+ 1. Paste the content of the `sample-request-sklearn.json` file into the __Input data to test endpoint__ box.

+ 1. Select __Test__.

+ 1. The predictions will show up under "Test results" to the right-hand side of the box.

+ > __MLflow 2.0 advisory__: In MLflow 1.X, the `predictions` key will be missing.

+Once you're done using the endpoint, delete its associated resources:

+1. Go to the __Endpoints__ tab in the studio.

+1. Select the __Real-time endpoints__ tab.

+1. Select __Delete__.

+1. The endpoint and all its deployments will be deleted.

+## Related content

+- [Troubleshoot online endpoint deployment](how-to-troubleshoot-managed-online-endpoints.md)- [How to autoscale managed online endpoints](how-to-autoscale-endpoints.md)

+Although MLflow models don't require a scoring script, you can still provide one, if needed. You can use the scoring script to customize how inference is executed for MLflow models. For more information on how to customize inference, see [Customizing MLflow model deployments (online endpoints)](how-to-deploy-mlflow-models-online-endpoints.md#customize-mlflow-model-deployments) and [Customizing MLflow model deployments (batch endpoints)](how-to-mlflow-batch.md#customizing-mlflow-models-deployments-with-a-scoring-script).

+| Deploy to managed online endpoints (with a scoring script) | Not supported³ | [See example](how-to-deploy-mlflow-models-online-endpoints.md#customize-mlflow-model-deployments) | [See example](how-to-deploy-mlflow-models-online-endpoints.md?tab=studio#customize-mlflow-model-deployments) |

+ Title: Manage labeling projects

+description: Tasks for the project manager to administer a labeling project in Azure Machine Learning, including how to export the labels.

+monikerRange: 'azureml-api-1 || azureml-api-2'

+# customer intent: As a project manager, I want to monitor and administer a labeling project in Azure Machine Learning.

+# Manage labeling projects

+Learn how to manage a labeling project in Azure Machine Learning. This article is for project managers who are responsible for managing text or image labeling projects. For information about how to create the project, see [Set up a text labeling project](how-to-create-text-labeling-projects.md) or [Set up an image labeling project](how-to-create-image-labeling-projects.md).

+## Run and monitor the project

+After you initialize the project, Azure begins to run it. To manage a project, select the project on the main **Data Labeling** page.

+To pause or restart the project, on the project command bar, toggle the **Running** status. You can label data only when the project is running.

+### Monitor progress

+The **Dashboard** tab shows the progress of the labeling task.

+#### [Image projects](#tab/image)

+The progress charts show how many items were labeled, skipped, need review, or aren't yet complete. Hover over the chart to see the number of items in each section.

+A distribution of the labels for completed tasks is shown below the chart. In some project types, an item can have multiple labels. The total number of labels can exceed the total number of items.

+A distribution of labelers and how many items they labeled also are shown.

+The middle section shows a table that has a queue of unassigned tasks. When ML-assisted labeling is off, this section shows the number of manual tasks that are awaiting assignment.

+When ML-assisted labeling is on, this section also shows:

+* Tasks that contain clustered items in the queue.

+* Tasks that contain prelabeled items in the queue.

+Additionally, when ML-assisted labeling is enabled, you can scroll down to see the ML-assisted labeling status. The **Jobs** sections give links for each of the machine learning runs.

+* **Training**: Trains a model to predict the labels.

+* **Validation**: Determines whether item prelabeling uses the prediction of this model.

+* **Inference**: Prediction run for new items.

+* **Featurization**: Clusters items (only for image classification projects).

+#### [Text projects](#tab/text)

+The progress charts show how many items were labeled, skipped, need review, or aren't yet complete. Hover over the chart to see the number of items in each section.

+A distribution of the labels for completed tasks is shown below the chart. In some project types, an item can have multiple labels. The total number of labels can exceed the total number of items.

+A distribution of labelers and how many items they labeled also are shown.

+The middle section shows a table that has a queue of unassigned tasks. When ML-assisted labeling is off, this section shows the number of manual tasks that are awaiting assignment.

+When ML-assisted labeling is on, this section also shows:

+* Tasks that contain clustered items in the queue.

+* Tasks that contain prelabeled items in the queue.

+Additionally, when ML-assisted labeling is enabled, you can scroll down to see the ML-assisted labeling status. The **Jobs** sections give links for each of the machine learning runs.

+

+### Review data and labels

+On the **Data** tab, preview the dataset and review labeled data.

+Scroll through the labeled data to see the labels. If you see data that's incorrectly labeled, select it and choose **Reject** to remove the labels and return the data to the unlabeled queue.

+#### Skipped items

+A set of filters apply to the items you're reviewing. By default, you review labeled data. Select the **Asset type** filter to switch the type to **Skipped* to review items that were skipped.

+If you think the skipped data should be labeled, select **Reject** to put in back into the unlabeled queue. If you think the skipped data isn't relevant to your project, select **Accept** to remove it from the project.

+#### Consensus labeling

+If your project uses consensus labeling, review images that have no consensus:

+#### [Image projects](#tab/image)

+1. Select the **Data** tab.

+1. On the left menu, select **Review labels**.

+1. On the command bar above **Review labels**, select **All filters**.

+ :::image type="content" source="media/how-to-create-labeling-projects/select-filters.png" alt-text="Screenshot that shows how to select filters to review consensus label problems." lightbox="media/how-to-create-labeling-projects/select-filters.png":::

+1. Under **Labeled datapoints**, select **Consensus labels in need of review** to show only images for which the labelers didn't come to a consensus.

+ :::image type="content" source="media/how-to-create-labeling-projects/select-need-review.png" alt-text="Screenshot that shows how to select labels in need of review.":::

+1. For each image to review, select the **Consensus label** dropdown to view the conflicting labels.

+ :::image type="content" source="media/how-to-create-labeling-projects/consensus-dropdown.png" alt-text="Screenshot that shows the Select Consensus label dropdown to review conflicting labels." lightbox="media/how-to-create-labeling-projects/consensus-dropdown.png":::

+1. Although you can select an individual labeler to see their labels, to update or reject the labels, you must use the top choice, **Consensus label (preview)**.

+#### [Text projects](#tab/text)

+1. Select the **Data** tab.

+1. On the left menu, select **Review labels**.

+1. On the command bar above **Review labels**, select **All filters**.

+ :::image type="content" source="media/how-to-create-text-labeling-projects/text-labeling-select-filter.png" alt-text="Screenshot that shows how to select filters to review consensus label problems." lightbox="media/how-to-create-text-labeling-projects/text-labeling-select-filter.png":::

+1. Under **Labeled datapoints**, select **Consensus labels in need of review** to show only items for which the labelers didn't come to a consensus.

+ :::image type="content" source="media/how-to-create-labeling-projects/select-need-review.png" alt-text="Screenshot that shows how to select labels in need of review.":::

+1. For each item to review, select the **Consensus label** dropdown to view the conflicting labels.

+ :::image type="content" source="media/how-to-create-text-labeling-projects/text-labeling-consensus-dropdown.png" alt-text="Screenshot that shows the Select Consensus label dropdown to review conflicting labels." lightbox="media/how-to-create-text-labeling-projects/text-labeling-consensus-dropdown.png":::

+1. Although you can select an individual labeler to see their labels, to update or reject the labels, you must use the top choice, **Consensus label (preview)**.

+### Change project details

+View and change details of your project on the **Details** tab. On this tab, you can:

+* View project details and input datasets.

+* Set or clear the **Enable incremental refresh at regular intervals** option, or request an immediate refresh.

+* View details of the storage container that's used to store labeled outputs in your project.

+* Add labels to your project.

+* Edit instructions you give to your labels.

+* Change settings for ML-assisted labeling and kick off a labeling task.

+### Projects created in Azure AI services

+If your labeling project was created from [Vision Studio](../ai-services/computer-vision/how-to/model-customization.md) or [Language Studio](../ai-services/language-service/custom/azure-machine-learning-labeling.md), you'll see an extra tab on the **Details** page. The tab allows you to switch between labeling in Azure Machine Learning and labeling in Vision Studio or Language Studio.

+#### [Image projects](#tab/image)

+If your project was created from [Vision Studio](../ai-services/computer-vision/how-to/model-customization.md), you'll also see a **Vision Studio** tab. Select **Go to Vision Studio** to return to Vision Studio. Once you return to Vision Studio, you'll be able to import your labeled data.

+#### [Text projects](#tab/text)

+If your project was created from [Language Studio](../ai-services/language-service/custom/azure-machine-learning-labeling.md), you'll see a **Language Studio** tab.

+* If labeling is active in Language Studio, you can't label in Azure Machine Learning. In that case, Language Studio is the only tab available. Select **View in Language Studio** to go to the active labeling project in Language Studio. From there, you can switch to labeling in Azure Machine Learning if you wish.

+If labeling is active in Azure Machine Learning, you have two choices:

+* Select **Switch to Language Studio** to switch your labeling activity back to Language Studio. When you switch, all your currently labeled data is imported into Language Studio. Your ability to label data in Azure Machine Learning is disabled, and you can label data in Language Studio. You can switch back to labeling in Azure Machine Learning at any time through Language Studio.

+ > [!NOTE]

+ > Only users with the [correct roles](how-to-add-users.md) in Azure Machine Learning have the ability to switch labeling.

+* Select **Disconnect from Language Studio** to sever the relationship with Language Studio. Once you disconnect, the project loses its association with Language Studio, and no longer shows the Language Studio tab. Disconnecting your project from Language Studio is a permanent, irreversible process and can't be undone. You'll no longer be able to access your labels for this project in Language Studio. The labels are available only in Azure Machine Learning from this point onward.

+## Add new labels to a project

+During the data labeling process, you might want to add more labels to classify your items. For example, you might want to add an *Unknown* or *Other* label to indicate confusion.

+To add one or more labels to a project:

+1. On the main **Data Labeling** page, select the project.

+1. On the project command bar, toggle the status from **Running** to **Paused** to stop labeling activity.

+1. Select the **Details** tab.

+1. In the list on the left, select **Label categories**.

+1. Modify your labels.

+ :::image type="content" source="./media/how-to-create-labeling-projects/add-label.png" alt-text="Screenshot that shows how to add a label in Machine Learning Studio.":::

+1. In the form, add your new label. Then choose how to continue the project. Because you changed the available labels, choose how to treat data that's already labeled:

+ * Start over, and remove all existing labels. Choose this option if you want to start labeling from the beginning by using the new full set of labels.

+ * Start over, and keep all existing labels. Choose this option to mark all data as unlabeled, but keep the existing labels as a default tag for images that were previously labeled.

+ * Continue, and keep all existing labels. Choose this option to keep all data already labeled as it is, and start using the new label for data that's not yet labeled.

+1. Modify your instructions page as necessary for new labels.

+1. After you've added all new labels, toggle **Paused** to **Running** to restart the project.

+## Start an ML-assisted labeling task

+ML-assisted labeling starts automatically after some items have been labeled. This automatic threshold varies by project. You can manually start an ML-assisted training run if your project contains at least some labeled data.

+> [!NOTE]

+> On-demand training is not available for projects created before December 2022. To use this feature, create a new project.

+To start a new ML-assisted training run:

+1. At the top of your project, select **Details**.

+1. On the left menu, select **ML assisted labeling**.

+1. Near the bottom of the page, for **On-demand training**, select **Start**.

+## Export the labels

+To export the labels, on the project command bar, select the **Export** button. You can export the label data for Machine Learning experimentation at any time.

+#### [Image projects](#tab/image)

+If your project type is Semantic segmentation (Preview), an [Azure MLTable data asset](./how-to-mltable.md) is created.

+For all other project types, you can export an image label as:

+* A CSV file. Azure Machine Learning creates the CSV file in a folder inside *Labeling/export/csv*.

+* A [COCO format](http://cocodataset.org/#format-data) file. Azure Machine Learning creates the COCO file in a folder inside *Labeling/export/coco*.

+* An [Azure Machine Learning dataset with labels](v1/how-to-use-labeled-dataset.md).

+* A CSV file. Azure Machine Learning creates the CSV file in a folder inside *Labeling/export/csv*.

+* A [COCO format](https://cocodataset.org/#format-data) file. Azure Machine Learning creates the COCO file in a folder inside *Labeling/export/coco*.

+* An [Azure MLTable data asset](./how-to-mltable.md).

+When you export a CSV or COCO file, a notification appears briefly when the file is ready to download. Select the **Download file** link to download your results. You can also find the notification in the **Notification** section on the top bar:

+Access exported Azure Machine Learning datasets and data assets in the **Data** section of Machine Learning. The data details page also provides sample code you can use to access your labels by using Python.

+After you export your labeled data to an Azure Machine Learning dataset, you can use AutoML to build computer vision models that are trained on your labeled data. Learn more at [Set up AutoML to train computer vision models by using Python](how-to-auto-train-image-models.md).

+#### [Text projects](#tab/text)

+To export the labels, on the **Project details** page of your labeling project, select the **Export** button. You can export the label data for Machine Learning experimentation at any time.

+For all project types except **Text Named Entity Recognition**, you can export label data as:

+* A CSV file. Azure Machine Learning creates the CSV file in a folder inside *Labeling/export/csv*.

+* An [Azure Machine Learning dataset with labels](v1/how-to-use-labeled-dataset.md).

+* A CSV file. Azure Machine Learning creates the CSV file in a folder inside *Labeling/export/csv*.

+* An [Azure MLTable data asset](./how-to-mltable.md).

+For **Text Named Entity Recognition** projects, you can export label data as:

+* An [Azure Machine Learning dataset (v1) with labels](v1/how-to-use-labeled-dataset.md).

+* A `CoNLL` file. For this export, you'll also have to assign a compute resource. The export process runs offline and generates the file as part of an experiment run. Azure Machine Learning creates the `CoNLL` file in a folder inside*Labeling/export/conll*.

+* An [Azure MLTable data asset](./how-to-mltable.md).

+* A `CoNLL` file. For this export, you also have to assign a compute resource. The export process runs offline and generates the file as part of an experiment run. Azure Machine Learning creates the `CoNLL` file in a folder. inside*Labeling/export/conll*.

+When you export a `CSV` or `CoNLL` file, a notification appears briefly when the file is ready to download. Select the **Download file** link to download your results. You'll also find the notification in the **Notification** section on the top bar:

+Access exported Azure Machine Learning datasets and data assets in the **Data** section of Machine Learning. The data details page also provides sample code you can use to access your labels by using Python.

+## Import labels (preview)

+If you have an Azure MLTable data asset or COCO file that contains labels for your current data, you can import these labels into your project. For example, you might have labels that were exported from a previous labeling project using the same data. The import labels feature is available for image projects only.

+#### [Image projects](#tab/image)

+To import labels, on the project command bar, select the **Import** button. You can import labeled data for Machine Learning experimentation at any time.

+Import from either a COCO file or an Azure MLTable data asset.

+### Data mapping

+### Import options

+#### [Text projects](#tab/text)

+The import labels feature is not available for text projects.

+## Access for labelers

+Anyone who has Contributor or Owner access to your workspace can label data in your project.

+You can also add users and customize the permissions so that they can access labeling but not other parts of the workspace or your labeling project. For more information, see [Add users to your data labeling project](./how-to-add-users.md).

+## Troubleshoot issues

+Use these tips if you see any of the following issues:

+|Issue |Resolution |

+|||

+|Only datasets created on blob datastores can be used.|This issue is a known limitation of the current release.|

+|Removing data from the dataset your project uses causes an error in the project.|Don't remove data from the version of the dataset you used in a labeling project. Create a new version of the dataset to use to remove data.|

+|After a project is created, the project status is *Initializing* for an extended time.|Manually refresh the page. Initialization should complete at roughly 20 data points per second. No automatic refresh is a known issue.|

+|Newly labeled items aren't visible in data review.|To load all labeled items, select the **First** button. The **First** button takes you back to the front of the list, and it loads all labeled data.|

+|You can't assign a set of tasks to a specific labeler.|This issue is a known limitation of the current release.|

+### Troubleshoot object detection

+|Issue |Resolution |

+|||

+|If you select the Esc key when you label for object detection, a zero-size label is created and label submission fails.|To delete the label, select the **X** delete icon next to the label.|

+## Next step

+[Labeling images and text documents](how-to-label-data.md)

+# Customer intent: As a project manager, I want to hire a company to label the data in my data labeling project

+If you already have a data labeling project and you want to use that data, you can [export your labeled data as an Azure Machine Learning Dataset](how-to-manage-labeling-projects.md#export-the-labels) and then access the dataset under 'Datasets' tab in Azure Machine Learning studio. This exported dataset can then be passed as an input using `azureml:<tabulardataset_name>:<version>` format. Here's an example of how to pass existing dataset as input for training computer vision models.

+Refer to CLI/SDK tabs for reference.

+If there already exists a data asset with the name "fridge-items-images-object-detection" in your Azure Machine Learning Workspace, it updates the version number of the data asset and points it to the new location where the image data uploaded.

+If you already have your data present in an existing datastore and want to create a data asset out of it, you can do so by providing the path to the data in the datastore, instead of providing the path of your local machine. Update the code [above](#using-prelabeled-training-data-from-local-machine) with the following snippet.

+If you have your labeled training data present in a container in Azure Blob storage, then you can access it directly from there by [creating a datastore referring to that container](how-to-datastore.md#create-an-azure-blob-datastore).

+# Customer intent: I would like to have machine learning with all private IP only

+myenv.python.conda_dependencies.remove_conda_package("python=3.8")

+* Python 3.8+ is recommended due to older versions reaching end-of-life

+- [Customize MLflow model deployments with scoring script](how-to-deploy-mlflow-models-online-endpoints.md#customize-mlflow-model-deployments)

+In order to generate computer vision models, you need to bring labeled image data as input for model training in the form of an Azure Machine Learning [TabularDataset](/python/api/azureml-core/azureml.data.tabulardataset). You can either use a `TabularDataset` that you have [exported from a data labeling project](../how-to-manage-labeling-projects.md#export-the-labels), or create a new `TabularDataset` with your labeled training data.

+If you already have a data labeling project and you want to use that data, you can [export your labeled data as an Azure Machine Learning TabularDataset](../how-to-manage-labeling-projects.md#export-the-labels), which can then be used directly with automated ML for training computer vision models.

+When you complete a data labeling project, you can [export the label data from a labeling project](../how-to-manage-labeling-projects.md#export-the-labels). Doing so, allows you to capture both the reference to the data and its labels, and export them in [COCO format](http://cocodataset.org/#format-data) or as an Azure Machine Learning dataset.

+#CustomerIntent: As a data professional or developer I want to configure private access to an Azure Managed Grafana workspace.

+> When private access (preview) is enabled, pinging charts using the [*Pin to Grafana*](../azure-monitor/visualize/grafana-plugin.md#pin-charts-from-the-azure-portal-to-azure-managed-grafana) feature will no longer work as the Azure portal canΓÇÖt access an Azure Managed Grafana workspace on a private IP address.

+ To learn more about DNS configuration, go to [Name resolution for resources in Azure virtual networks](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server) and [DNS configuration for Private Endpoints](../private-link/private-endpoint-overview.md#dns-configuration). Azure Private Endpoint private DNS zone values for Azure Managed Grafana are listed at [Azure services DNS zone](../private-link/private-endpoint-dns.md#management-and-governance).

+In this how-to guide, you learned how to set up private access from your users to an Azure Managed Grafana workspace. To learn how to configure private access between a Managed Grafana workspace and a data source, see [Connect to a data source privately](how-to-connect-to-data-source-privately.md).

+### How can I add a single public endpoint to my Azure Managed Instance Cassandra Cluster?

+To achieve this, you can [create a load balancer](../load-balancer/basic/quickstart-basic-internal-load-balancer-portal.md). When configuring the Backend pools of the load balancer, utilize all the IP addresses from the data center within your Managed Instance cluster. You might see errors in the logs when using java and other Cassandra drivers. Users use this approach to work around network restrictions when administering clusters with cqlsh. This approach might result in extra costs. Also, you should carefully assess how opting for a single endpoint can affect performance.

+ Use more accurate data insights collected via **Azure Migrate appliance** | You need to set up an Azure Migrate appliance for [VMware](how-to-set-up-appliance-vmware.md) or [Hyper-V](how-to-set-up-appliance-hyper-v.md) or [Physical/Bare-metal or other clouds](how-to-set-up-appliance-physical.md). The appliance discovers servers, SQL Server instance and databases, and ASP.NET webapps and sends metadata and performance (resource utilization) data to Azure Migrate. [Learn more](migrate-appliance.md). | Azure recommended to minimize cost, Migrate to all IaaS (Infrastructure as a Service), Modernize to PaaS (Platform as a Service), Migrate to AVS (Azure VMware Solution)

+ Build a quick business case using the **servers imported via a .csv file** | You need to provide the server inventory in a [.CSV file and import in Azure Migrate](tutorial-discover-import.md) to get a quick business case based on the provided inputs. You don't need to set up the Azure Migrate appliance to discover servers for this option. | Migrate to all IaaS (Infrastructure as a Service), Migrate to AVS (Azure VMware Solution)

+**Modernize to PaaS (Platform as a Service)** | You can get a PaaS preferred recommendation that means, the logic identifies workloads best fit for PaaS targets.<br/><br/> General servers are recommended with a quick lift and shift recommendation to Azure IaaS. | For SQL Servers, sizing and cost comes from the *Instance to Azure SQL MI* report.<br/><br/> For web apps, sizing and cost comes from Azure App Service and Azure Kubernetes Service assessments, with a preference to App Service. <br/><br/> For general servers, sizing and cost comes from Azure VM assessment.

+**Migrate to AVS (Azure VMware Solution)** | You can get a quick lift and shift recommendation to AVS (Azure VMware Solution). | For all servers, sizing and cost comes from Azure VMware Solution assessment.<br/><br/>

+ - With *Migrate to AVS (Azure VMware Solution)*, you can get the most cost effective and compatible target recommendation for hosting workloads on AVS. Only Reserved Instances are available as a savings option for migrating to AVS.

+- **On-premises vs AVS (Azure VMware Solution)**: In case you build a business case to ΓÇ£Migrate to AVSΓÇ¥, youΓÇÖll see this report which covers the AVS and on-premises footprint of the workloads for migrating to AVS.

+It covers the cost of all servers and workloads that have been identified as ready for migration/modernization as per the recommendation. Refer to the respective [Azure IaaS](how-to-view-a-business-case.md#azure-iaas-report) and [Azure PaaS](how-to-view-a-business-case.md#azure-paas-report) report for details. The Azure cost is calculated based on the right sized Azure configuration, ideal migration target and most suitable pricing offers for your workloads. You can override the migration strategy, target location or other settings in the 'Azure cost' assumptions to see how your savings could change by migrating to Azure.

+It shows the potential savings with respect to extended security update license. It's the cost of extended security update license required to run Windows Server and SQL Server securely after the end of support of its licenses on-premises. Extended security updates are offered at no additional cost on Azure.

+#### [Azure](#tab/iaas-azure)

+ - **Estimated cost by savings options**: This card includes compute cost for Azure VMs. It's recommended that all idle servers are migrated via Pay as you go Dev/Test and others (Active and unknown) are migrated using 3 year Reserved Instance or 3 year Azure Savings Plan to maximize savings.

+#### [On-premises](#tab/iaas-on-premises)

+#### [Azure](#tab/paas-azure)

+ - **Estimated cost by savings options**: This card includes compute cost for Azure SQL MI. It's recommended that all idle SQL instances are migrated via Pay as you go Dev/Test and others (Active and unknown) are migrated using 3 year Reserved Instance to maximize savings.

+ - **Estimated cost by savings options**: This card includes Azure App Service Plans cost. It's recommended that the web apps are migrated using 3 year Reserved Instance or 3 year Savings Plan to maximize savings.

+ - **Estimated cost by savings options**: This card includes the cost of the recommended AKS node pools. It's recommended that the web apps are migrated using 3 year Reserved Instance or 3 year Savings Plan to maximize savings.

+#### [On-premises](#tab/paas-on-premises)

+## On-premises vs AVS report

+It covers cost components for on-premises and AVS, savings, and insights to understand the savings better.

+## AVS report

+#### [AVS (Azure VMware Solution)](#tab/avs-azure)

+This section contains the cost estimate by recommended target (Annual cost includes Compute, Storage, Network, labor components) and savings from Hybrid benefits.

+- AVS cost estimate:

+ - **Estimated AVS cost**: This card includes the total cost of ownership for hosting all workloads on AVS including the AVS nodes cost (which includes storage cost), networking and labor cost. The node cost is computed by taking the most cost optimum AVS node SKU. A default CPU over-subscription of 4:1, 100% memory overcommit and compression and deduplication factor of 1.5 is assumed to get the compute cost of AVS. You can learn more about this [here](concepts-azure-vmware-solution-assessment-calculation.md#whats-in-an-azure-vmware-solution-assessment). External storage options like ANF arenΓÇÖt a part of the business case yet.

+ - **Compute and license cost**: This card shows the comparison of compute and license cost when using Azure hybrid benefit and without Azure hybrid benefit.

+- Savings and optimization:

+ - **Savings with 3-year RI**: This card shows the node cost with 3-year RI.

+ - **Savings with Azure Hybrid Benefit & Extended Security Updates**: This card displays the estimated maximum savings when using Azure hybrid benefit and with extended security updates over a period of one year.

+#### [On-premises](#tab/avs-on-premises)

+- On-premises footprint of the servers recommended to be migrated to AVS.

+- Contribution of Zombie servers in the on-premises cost.

+- Distribution of servers by OS, virtualization, and activity state.

+- Distribution by support status of OS licenses and OS versions.

+## Onboard to Azure Stack HCI (optional)

+> [!Note]

+> Perform this step only if you are migrating to [Azure Stack HCI](https://learn.microsoft.com/azure-stack/hci/overview).

+Provide the Azure Stack cluster information and the credentials to connect to the cluster. For more information, see [Download the Azure Stack HCI software](https://learn.microsoft.com/azure-stack/hci/deploy/download-azure-stack-hci-software).

+> Setting the require_secure_transport to OFF doesn't mean encrypted connections aren't supported on the server side. If you set require_secure_transport to OFF on the Azure Database for MySQL flexible server instance, but if the client connects with the encrypted connection, it still is accepted. The following connection using mysql client to an Azure Database for MySQL flexible server instance configured with require_secure_transport=OFF also works as shown below.

+ :::image type="content" source="media/howto-monitor-alerts/resource-health.png" alt-text="Screenshot showing Resource health window with Add resource health alert button highlighted.":::

+In previous tutorials, the following variable was set:

+Using this value, delete your cluster:

+az group delete --name $RESOURCEGROUP

+You'll then be prompted to confirm if you are sure you want to perform this operation. After you confirm with `y`, it will take several minutes to delete the cluster. When the command finishes, the entire resource group and all resources inside it, including the cluster and the virtual network, will be deleted.

+ - name: dp_keyvault

+ provider:

+ type: key_vault

+ vault_name: contoso-dp-kv

+ auth:

+ tenant_id: ad5421f5-99e4-44a9-8a46-cc30f34e8dc7

+ identity_name: 98f3263d-218e-4adf-b939-eacce6a590d2

+ cert_path: /path/to/local/certkey.pkcs

+# A secret provider of type `key_vault` which contains details required to connect to the Azure Key Vault and allow connection to the storage account.

+# A secret provider of type `file_system`, which specifies a directory on the VM where secrets for connecting to the SFTP server are stored.

+ - name: data_product_keyvault

+ provider:

+ type: key_vault

+ vault_name: contoso-dp-kv

+ auth:

+ tenant_id: ad5421f5-99e4-44a9-8a46-cc30f34e8dc7

+ identity_name: 98f3263d-218e-4adf-b939-eacce6a590d2

+ cert_path: /path/to/local/certkey.pkcs

+ provider:

+ # Source configuration. This specifies which files are ingested from the SFTP server.

+ # Multiple sources can be defined here (where they can reference different folders on the same SFTP server). Each source must have a unique identifier where any URL reserved characters in source_id must be percent-encoded.

+ # A sink must be configured for each source.

+ - source_id: sftp-source01

+ source:

+ sftp:

+ # The IP address or hostname of the SFTP server.

+ host: 192.0.2.0

+ # Optional. The port to connect to on the SFTP server. Defaults to 22.

+ port: 22

+ # The path to a folder on the SFTP server that files will be uploaded to Azure Operator Insights from.

+ base_path: /path/to/sftp/folder

+ # The path on the VM to the 'known_hosts' file for the SFTP server.  This file must be in SSH format and contain details of any public SSH keys used by the SFTP server. This is required by the agent to verify it is connecting to the correct SFTP server.

+ known_hosts_file: /path/to/known_hosts

+ # The name of the user on the SFTP server which the agent will use to connect.

+ user: sftp-user

+ auth:

+ # The name of the secret provider configured above which contains the secret for the SFTP user.

+ secret_provider: local_file_system

+ # The form of authentication to the SFTP server. This can take the values 'password' or 'ssh_key'. The appropriate field(s) must be configured below depending on which type is specified.

+ type: password

+ # Only for use with 'type: password'. The name of the file containing the password in the secrets_directory folder

+ secret_name: sftp-user-password

+ # Only for use with 'type: ssh_key'. The name of the file containing the SSH key in the secrets_directory folder

+ key_secret: sftp-user-ssh-key

+ # Optional. Only for use with 'type: ssh_key'. The passphrase for the SSH key. This can be omitted if the key is not protected by a passphrase.

+ passphrase_secret_name: sftp-user-ssh-key-passphrase

+ # Optional. A regular expression to specify which files in the base_path folder should be ingested. If not specified, the STFP agent will attempt to ingest all files in the base_path folder (subject to exclude_pattern, settling_time_secs and exclude_before_time).

+ include_pattern: "*\.csv$"

+ # Optional. A regular expression to specify any files in the base_path folder which should not be ingested. Takes priority over include_pattern, so files which match both regular expressions will not be ingested.

+ exclude_pattern: '\.backup$'

+ # A duration in seconds. During an upload run, any files last modified within the settling time are not selected for upload, as they may still be being modified.

+ settling_time_secs: 60

+ # A datetime that adheres to the RFC 3339 format. Any files last modified before this datetime will be ignored.

+ exclude_before_time: "2022-12-31T21:07:14-05:00"

+ # An expression in cron format, specifying when upload runs are scheduled for this source. All times refer to UTC. The cron schedule should include fields for: second, minute, hour, day of month, month, day of week, and year. E.g.:

+ # `* /3 * * * * *` for once every 3 minutes

+ # `0 30 5 * * * *` for 05:30 every day

+ # `0 15 3 * * Fri,Sat *` for 03:15 every Friday and Saturday

+ schedule: "*/30 * * * Apr-Jul Fri,Sat,Sun 2025"

+ sink:

+ auth:

+ type: sas_token

+ # This must reference a secret provider configured above.

+ secret_provider: data_product_keyvault

+ # The name of a secret in the corresponding provider.

+ # This will be the name of a secret in the Key Vault.

+ # This is created by the Data Product and should not be changed.

+ secret_name: adls-sas-token

+ # The container within the ingestion account. This *must* be exactly the name of the container that Azure Operator Insights expects.

+ container_name: example-container

+ # Optional. A string giving an optional base path to use in Azure Blob Storage. Reserved URL characters must be percent-encoded. It may be required depending on the Data Product.

+ base_path: pmstats

+ # Optional. How often, in hours, the sink should refresh its ADLS token. Defaults to 1.

+ adls_token_cache_period_hours: 1

+ # Optional. The maximum number of blobs that can be uploaded to ADLS in parallel. Further blobs will be queued in memory until an upload completes. Defaults to 10.

+ # Note: This value is also the maximum number of concurrent SFTP reads for the associated source. Ensure your SFTP server can handle this many concurrent connections. If you set this to a value greater than 10 and are using an OpenSSH server, you may need to increase `MaxSessions` and/or `MaxStartups` in `sshd_config`.

+ maximum_parallel_uploads: 10

+ # Optional. The maximum size of each block that is uploaded to Azure.

+ # Each blob is composed of one or more blocks. Defaults to 32MiB (=33554432 Bytes).

+ block_size_in_bytes : 33554432

+ ```

+| PostgreSQL 16 | | X |

+|Version|What's New |Azure support start date|Retirement date (Azure) |

+|-|--|||

+|[PostgreSQL 16](https://www.postgresql.org/about/news/postgresql-16-released-2715/)|[Features](https://www.postgresql.org/docs/16/release-16.html)|15-Oct-23 |9-Nov-28 |

+|[PostgreSQL 15](https://www.postgresql.org/about/news/postgresql-15-released-2526/)|[Features](https://www.postgresql.org/docs/15/release-15.html)|15-May-23 |11-Nov-27 |

+|[PostgreSQL 14](https://www.postgresql.org/about/news/postgresql-14-released-2318/)|[Features](https://www.postgresql.org/docs/14/release-14.html)|29-Jun-22 |12-Nov-26 |

+|[PostgreSQL 13](https://www.postgresql.org/about/news/postgresql-13-released-2077/)|[Features](https://www.postgresql.org/docs/13/release-13.html)|25-May-21 |13-Nov-25 |

+|[PostgreSQL 12](https://www.postgresql.org/about/news/postgresql-12-released-1976/)|[Features](https://www.postgresql.org/docs/12/release-12.html)|22-Sep-20 |14-Nov-24 |

+|[PostgreSQL 11](https://www.postgresql.org/about/news/postgresql-11-released-1894/)|[Features](https://www.postgresql.org/docs/11/release-11.html)|24-Jul-19 |9-Nov-25 |

+|[PostgreSQL 10 (retired)](https://www.postgresql.org/about/news/postgresql-10-released-1786/)|[Features](https://wiki.postgresql.org/wiki/New_in_postgres_10)|4-Jun-18 |10-Nov-22 |

+|[PostgreSQL 9.5 (retired)](https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/)|[Features](https://www.postgresql.org/docs/9.5/release-9-5.html)|18-Apr-18 |11-Feb-21 |

+|[PostgreSQL 9.6 (retired)](https://www.postgresql.org/about/news/postgresql-96-released-1703/)|[Features](https://wiki.postgresql.org/wiki/NewIn96)|18-Apr-18 |11-Nov-21 |

+## PostgreSQL 11 support

+Azure is extending its support for PostgreSQL 11 within both the Azure Database for PostgreSQL Single Server and Azure Database for PostgreSQL Flexible Server platforms. This extended support timeline is designed to provide more time for users to plan and [migrate to Azure Database for PostgreSQL flexible server](../migrate/concepts-single-to-flexible.md) for higher PostgreSQL versions.

+### Single Server Support:

+- Until March 28, 2025, users can continue to create and utilize PostgreSQL 11 servers on the Azure Database for PostgreSQL Single Server, except for creation through the Azure portal. It's important to note that other [restrictions](#retired-postgresql-engine-versions-not-supported-in-azure-database-for-postgresql-flexible-server) associated with retired PostgreSQL engines still apply.

+- Azure will offer updates incorporating minor versions provided by the PostgreSQL community for PostgreSQL 11 servers until November 9, 2023.

+### Flexible Server Support

+- Users can create and operate PostgreSQL 11 servers on Azure Database for PostgreSQL Flexible Server until November 9, 2025.

+- Similar to the Single Server, updates with PostgreSQL community provided minor versions will be available for PostgreSQL 11 servers until November 9, 2023.

+- From November 9, 2023, to November 9, 2025, while users can continue using and creating new instances of PostgreSQL 11 on the Flexible Server, they will be subject to the [restrictions](#retired-postgresql-engine-versions-not-supported-in-azure-database-for-postgresql-flexible-server) of other retired PostgreSQL engines.

+This extension of Postgres 11 support is part of Azure's commitment to providing a seamless migration path and ensuring continued functionality for users.

+- As the community won't be releasing any further bug fixes or security fixes, Azure Database for PostgreSQL flexible server won't patch the retired database engine for any bugs or security issues, or otherwise take security measures regarding the retired database engine. You might experience security vulnerabilities or other issues as a result. However, Azure continues to perform periodic maintenance and patching for the host, OS, containers, and any other service-related components.

+- Uptime SLAs apply solely to Azure Database for PostgreSQL flexible server service-related issues and not to any downtime caused by database engine-related bugs.

+- In the extreme event of a serious threat to the service caused by the PostgreSQL database engine vulnerability identified in, the retired database version, Azure might choose to stop your database server to secure the service. In such case, you are notified to upgrade the server before bringing the server online.

+# Customer intent: As a network administrator, I want to approve Private Link connections across Azure subscriptions.

+>| Azure Managed Disks (Microsoft.Compute/diskAccesses) | disks | privatelink.blob.core.windows.net | blob.core.windows.net |

+- February 01, 2024: Added guidance for [SAP front-end printing to Universal Print](./universal-print-sap-frontend.md).

+ Title: SAP front-end printing with Universal Print

+description: Enabling SAP front-end printing with Universal Print

+tags: azure-resource-manager

+ vm-linux

+# SAP front-end printing with Universal Print

+Printing from your SAP landscape is a requirement for many customers. Depending on your business, printing needs can come in different areas and SAP applications. Examples can be data list printing, mass- or label printing. Such production and batch print scenarios are often solved with specialized hardware, drivers and printing solutions. This article addresses options to use [Universal Print](/universal-print/fundamentals/universal-print-whatis) for SAP front-end printing of the SAP users.

+Universal Print is a cloud-based print solution that enables organizations to manage printers and printer drivers in a centralized manner. Removes the need to use dedicated printer servers and available for use by company employees and applications. While Universal Print runs entirely on Microsoft Azure, for use with SAP systems there's no such requirement. Your SAP landscape can run on Azure, be located on-premises or operate in any other cloud environment. You can use SAP systems deployed by SAP RISE. Similarly, SAP cloud services, which are browser based can be used with Universal Print in most front-end printing scenarios.

+## Prerequisites

+[SAP front-end printing](https://help.sap.com/docs/SAP_NETWEAVER_750/290ce8983cbc4848a9d7b6f5e77491b9/4e96bc2a7e9e40fee10000000a421937.html) sends an output to a printer available for the user on their front-end device. In other words, a printer accessible by the operating system. Same client computer runs SAP GUI or browser. To use Universal Print, you need to have access to such printer(s).

+- Client OS with support for Universal Print

+- Add Universal Print printer to your Windows client

+- Able to print on Universal Print printer from OS

+See the [Universal Print documentation](/universal-print/fundamentals/universal-print-getting-started#step-4-add-a-universal-print-printer-to-a-windows-device.md) for details on these prerequisites. As a result, one or more Universal Print printers are visible in your deviceΓÇÖs printer list. For SAP front-end printing, it's not necessary to make it your default printer.

+[](./media/universtal-print-sap/frontend-os-printer.png#lightbox)

+## SAP web applications

+A web application such as SAP Fiori or SAP Web GUI is used to access SAP data and display it. It doesnΓÇÖt matter if you access the SAP system through an internal network, public URL or if your SAP system is an ABAP or Java system, or SAP application running within SAP Business Technology Platform. All SAP application data displayed within a browser can be printed. The print job creation in Universal Print is done by the operating system and doesn't require any SAP configuration at all. There's no SAP integration and communication with Universal Print directly.

+

+## SAP GUI printing

+For SAP front-end printing, Universal Print relies on SAP GUI and [SAP printer access method G](https://help.sap.com/docs/SAP_NETWEAVER_750/290ce8983cbc4848a9d7b6f5e77491b9/4e740b270f6f34e1e10000000a42189e.html). Your SAP system likely has one or more SAP printers defined already for such purpose. An example, SAP printer LOCL, defined in SAP transaction code SPAD.

+

+

+

+For Universal Print use, itΓÇÖs important the access method (1) is set to ΓÇÿGΓÇÖ, as this uses SAP GUIΓÇÖs integration into the operating system. For host printer field (2), value of __DEFAULT calls the relevant default printer name. Leaving option ΓÇ£No device selection at front endΓÇ¥ unchecked (3), you're prompted to select the printer from your OS printer list. With the option checked, print output goes directly to the OS default printer without extra user input.

+With such SAP printer definition, SAP GUI uses the operating system printer details. The operating system already knows your added Universal Print printers. As with SAP web applications, there's no direct communication between the SAP system and Universal Print APIs. No settings to configure for your SAP system beyond the available output device for front-end printing.

+When using SAP GUI for HTML and front-end printing, you can print to an SAP defined printer, too. In the SAP system, you need a front-end printer with access method ΓÇÿGΓÇÖ and a device type of PDF or derivate. For more information, see [SAPΓÇÖs documentation](https://help.sap.com/docs/SAP_NETWEAVER_750/290ce8983cbc4848a9d7b6f5e77491b9/4e96c13b7e9e40fee10000000a421937.html). Such print output is displayed in browser as a PDF from the SAP system. You open the common OS printing dialog and select a Universal Print printer installed on your computer.

+## Limitations

+SAP defines front-end printing with several [constraints](https://help.sap.com/docs/SAP_NETWEAVER_750/290ce8983cbc4848a9d7b6f5e77491b9/4e96cd237e6240fde10000000a421937.html). It can't be used for background printing, nor should it be relied upon for production or mass printing. See if your SAP printer definition is correct, as printers with access method ΓÇÿFΓÇÖ don't work correctly with current SAP releases. More details can be found in [SAP note 2028598 - Technical changes for front-end printing with access method F](https://me.sap.com/notes/2028598).

+## Next steps

+Check out the documentation:

+- [SAPΓÇÖs print queue API](https://api.sap.com/api/API_CLOUD_PRINT_PULL_SRV/overview)

+- [Universal Print API](/graph/api/resources/print)

+| `defaultLanguageCode` | A string indicating the language to return. The service returns recognition results in a specified language. If this parameter isn't specified, the default value is "en". <br/><br/>Supported languages include a subset of [generally available languages](../ai-services/computer-vision/language-support.md#image-analysis) of Azure AI Vision. When a language is newly introduced with general availability status into the AI Vision service, there is expected delay before they are fully integrated within this skill. |

+# Relevance in keyword search (BM25 scoring)

+Full text search is an approach in information retrieval that matches on plain text stored in an index. For example, given a query string "hotels in San Diego on the beach", the search engine looks for tokenized strings based on those terms. To make scans more efficient, query strings undergo lexical analysis: lower-casing all terms, removing stop words like "the", and reducing terms to primitive root forms. When matching terms are found, the search engine retrieves documents, ranks them in order of relevance, and returns the top results.

+In this API version, there's no prefilter support or `vectorFilterMode` parameter. The filter criteria are applied after the search engine executes the vector query. The set of `"k"` nearest neighbors is retrieved, and then combined with the set of filtered results. As such, the value of `"k"` predetermines the surface over which the filter is applied. For `"k": 10`, the filter is applied to 10 most similar documents. For `"k": 100`, the filter iterates over 100 documents (assuming the index contains 100 documents that are sufficiently similar to the query).

+The examples in this article used a "select" statement to specify text (nonvector) fields in the response.

+### Number of ranked results in a vector query response

+A vector query specifies the `k` parameter, which determines how many matches are returned in the results. The search engine always returns `k` number of matches. If `k` is larger than the number of documents in the index, then the number of documents determines the upper limit of what can be returned.

+If you're familiar with full text search, you know to expect zero results if the index doesn't contain a term or phrase. However, in vector search, the search operation is identifying nearest neighbors, and it will always return `k` results even if the nearest neighbors aren't that similar. So, it's possible to get results for nonsensical or off-topic queries, especially if you aren't using prompts to set boundaries. Less relevant results have a worse similarity score, but they're still the "nearest" vectors if there isn't anything closer. As such, a response with no meaningful results can still return `k` results, but each result's similarity score would be low.

+A [hybrid approach](hybrid-search-overview.md) that includes full text search can mitigate this problem. Another mitigation is to set a minimum threshold on the search score, but only if the query is a pure single vector query. Hybrid queries aren't conducive to minimum thresholds because the ranges are so much smaller and volatile.

+Query parameters affecting result count include:

+description: Describes concepts, scenarios, and availability of vector capabilities in Azure AI Search.

+# Vectors in Azure AI Search

+This article is a high-level introduction to vectors in Azure AI Search. It also explains integration with other Azure services and covers [terminology and concepts](#vector-search-concepts) related to vector search development.

+*Embedding space* is the corpus for vector queries. Within a search index, an embedding space is all of the vector fields populated with embeddings from the same embedding model. Machine learning models create the embedding space by mapping individual words, phrases, or documents (for natural language processing), images, or other forms of data into a representation comprised of a vector of real numbers representing a coordinate in a high-dimensional space. In this embedding space, similar items are located close together, and dissimilar items are located farther apart.

+# Relevance in vector search

+In vector query execution, the search engine looks for similar vectors to find the best candidates to return in search results. Depending on how you indexed the vector content, the search for relevant matches is either exhaustive, or constrained to near neighbors for faster processing. Once candidates are found, similarity metrics are used to score each result based on the strength of the match.

+This article explains the algorithms used to find relevant matches and the similarity metrics used for scoring. It also offers tips for improving relevance if search results don't meet expectations.

+## Scope of a vector search

+Vector search algorithms include exhaustive k-nearest neighbors (KNN) and Hierarchical Navigable Small World (HNSW).

+Only vector fields marked as `searchable` in the index, or as `searchFields` in the query, are used for searching and scoring.

+Exhaustive KNN calculates the distances between all pairs of data points and finds the exact `k` nearest neighbors for a query point. It's intended for scenarios where high recall is of utmost importance, and users are willing to accept the trade-offs in search performance. Because it's computationally intensive, use exhaustive KNN for small to medium datasets, or when precision requirements outweigh query performance considerations.

+Another use case is to build a dataset to evaluate approximate nearest neighbor algorithm recall. Exhaustive KNN can be used to build the ground truth set of nearest neighbors.

+During indexing, HNSW creates extra data structures for faster search, organizing data points into a hierarchical graph structure. HHNSW has several configuration parameters that can be tuned to achieve the throughput, latency, and recall objectives for your search application. For example, at query time, you can specify options for exhaustive search, even if the vector field is indexed for HNSW.

+During query execution, HNSW enables fast neighbor queries by navigating through the graph. This approach strikes a balance between search accuracy and computational efficiency. HNSW is recommended for most scenarios due to its efficiency when searching over larger data sets.

+During indexing, the search service constructs the HNSW graph. The goal of indexing a new vector into an HNSW graph is to add it to the graph structure in a manner that allows for efficient nearest neighbor search. The following steps summarize the process:

+ - The number of data points considered as candidate connections is governed by the `efConstruction` parameter. This dynamic list forms the set of closest points in the existing graph for the algorithm to consider. Higher `efConstruction` values result in more nodes being considered, which often leads to denser local neighborhoods for each vector.

+### Navigating the HNSW graph at query time

+A vector query navigates the hierarchical graph structure to scan for matches. The following summarize the steps in the process:

+Scores are calculated and assigned to each match, with the highest matches returned as `k` results. The **`@search.score`** property contains the score. The following table shows the range within which a score will fall.

+For`cosine` metric, it's important to note that the calculated `@search.score` isn't the cosine value between the query vector and the document vectors. Instead, Azure AI Search applies transformations such that the score function is monotonically decreasing, meaning score values will always decrease in value as the similarity becomes worse. This transformation ensures that search scores are usable for ranking purposes.

+## Tips for relevance tuning

+If you aren't getting relevant results, experiment with changes to [query configuration](vector-search-how-to-query.md). There are no specific tuning features, such as a scoring profile or field or term boosting, for vector queries:

+ Title: Vector store database

+description: Describes concepts behind vector storage in Azure AI Search.

+ - ignite-2023

+# Vector storage in Azure AI Search

+Azure AI Search provides vector storage and configurations for [vector search](vector-search-overview.md) and [hybrid queries](hybrid-search-overview.md). Support is implemented at the field level, which means you can combine vector and nonvector fields in the same search corpus.

+Vectors are stored in a search index. Use the [Create Index REST API](/rest/api/searchservice/indexes/create-or-update) or an equivalent Azure SDK method to create the vector store.

+## Retrieval patterns

+In Azure AI Search, there are two patterns for working with the search engine's response. Your index schema should reflect your primary use case.

+In a chat solution, results are fed into prompt flows and chat models like GPT and Text-Davinci use the search results, with or without their own training data, as grounding data for formulating the response. This is approach is based on [**Retrieval augmented generation (RAG)**](retrieval-augmented-generation-overview.md) architecture.

+## Basic schema for vectors

+An index schema for a vector store requires a name, a key field, one or more vector fields, and a vector configuration. Content fields are recommended for hybrid queries, or for returning human readable content that doesn't have to be decoded first. For more information about configuring a vector index, see [Create a vector store](vector-search-how-to-create-index.md).

+```json

+{

+ "name": "example-index",

+ "fields": [

+ { "name": "id", "type": "Edm.String", "searchable": false, "filterable": true, "retrievable": true, "key": true },

+ { "name": "content", "type": "Edm.String", "searchable": true, "retrievable": true, "analyzer": null },

+ { "name": "content_vector", "type": "Collection(Edm.Single)", "searchable": true, "filterable": false, "retrievable": true,

+ "dimensions": 1536, "vectorSearchProfile": null },

+ { "name": "metadata", "type": "Edm.String", "searchable": true, "filterable": false, "retrievable": true, "sortable": false, "facetable": false }

+ ],

+ "vectorSearch": {

+ "algorithms": [

+ {

+ "name": "default",

+ "kind": "hnsw",

+ "hnswParameters": {

+ "metric": "cosine",

+ "m": 4,

+ "efConstruction": 400,

+ "efSearch": 500

+ },

+ "exhaustiveKnnParameters": null

+ }

+ ],

+ "profiles": [],

+ "vectorizers": []

+ }

+}

+```

+The vector search algorithms specify the navigation structures used at query time. The structures are created during indexing, but used during queries.

+The content of your vector fields is determined by the [embedding step](vector-search-how-to-generate-embeddings.md) that vectorizes or encodes your content. If you use the same embedding model for all of your fields, you can [build vector queries](vector-search-how-to-query.md) that cover all of them.

+If you use search results as grounding data, where a chat model generates the answer to a query, design a schema that stores chunks of text. Data chunking is a requirement if source files are too large for the embedding model, but it's also efficient for chat if the original source files contain a varied information.

+## Next steps

+[TDE](/sql/relational-databases/security/encryption/transparent-data-encryption-tde) is used to encrypt [SQL Server](https://www.microsoft.com/sql-server), [Azure SQL Database](/azure/azure-sql/database/sql-database-paas-overview), and [Azure Synapse Analytics](../../synapse-analytics/sql-data-warehouse/sql-data-warehouse-overview-what-is.md) data files in real time, using a Database Encryption Key (DEK), which is stored in the database boot record for availability during recovery.

+| summarize BillableDataGB = sum(Quantity) / 1000. by Solution, DataType

+1. Choose the values for which you want to filter the field from among the values listed in the drop-down.

+1. To add complex filters, select **Add exclude field to filter** and add the relevant field. See examples in the [Use advanced filters](#use-advanced-filters) section below.

+1. To add more new filters, select **Add new exclude filter**.

+1. When finished adding filters, select **Add**.

+1. Back on the main connector page, select **Apply changes** to save and deploy the filters to your connectors. To edit or delete existing filters or fields, select the edit or delete icons in the table under the **Configuration** area.

+1. To add fields or filters after your initial deployment, select **Add data collection filters** again.

+- Make use of any custom solutions that can communicate directly with the [Threat Intelligence Upload Indicators API](connect-threat-intelligence-upload-api.md).

+- [AWS and GCP data connectors now support Azure Government clouds](#aws-and-gcp-data-connectors-now-support-azure-government-clouds)

+- [Windows DNS Events via AMA connector now generally available (GA)](#windows-dns-events-via-ama-connector-now-generally-available-ga)

+### Windows DNS Events via AMA connector now generally available (GA)

+Windows DNS events can now be ingested to Microsoft Sentinel using the Azure Monitor Agent with the now generally available data connector. This connector allows you to define Data Collection Rules (DCRs) and powerful, complex filters so that you ingest only the specific DNS records and fields you need.

+- For more information, see [Stream and filter data from Windows DNS servers with the AMA connector](connect-dns-ama.md).

+- The **Azure CLI** option uses a powerful command line tool to manage Azure resources. This option is suitable for Spring developers who are familiar with Azure cloud services.

+### [Azure CLI](#tab/Azure-CLI-ent)

+- An Azure subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+- If you're deploying an Azure Spring Apps Enterprise plan instance for the first time in the target subscription, see the [Requirements](./how-to-enterprise-marketplace-offer.md#requirements) section of [Enterprise plan in Azure Marketplace](./how-to-enterprise-marketplace-offer.md).

+- [Git](https://git-scm.com/downloads).

+- [Java Development Kit (JDK)](/java/azure/jdk/), version 17.

+- [Azure CLI](/cli/azure/install-azure-cli), version 2.55.0 or higher.

+### 5.1. Access the applications

+After the deployment finishes, you can find the Spring Cloud Gateway URL from the deployment outputs, as shown in the following screenshot:

+Open the gateway URL. The application should look similar to the following screenshot:

+### 5.2. Query the application logs

+After you browse each function of the Pet Clinic, the Log Analytics workspace collects logs of each application. You can check the logs by using custom queries, as shown in the following screenshot:

+### 5.3. Monitor the applications

+Application Insights monitors the application dependencies, as shown by the following application tracing map:

+You can find the Application Live View URL from the deployment outputs. Open the Application Live View URL to monitor application runtimes, as shown in the following screenshot:

+Use the endpoint assigned from Spring Cloud Gateway - for example, `https://<your-Azure-Spring-Apps-instance-name>-gateway-xxxxx.svc.azuremicroservices.io`. The application should look similar to the following screenshot:

+### [Azure CLI](#tab/Azure-CLI-ent)

+### 5.1. Access the applications

+Use the following commands to retrieve the URL for Spring Cloud Gateway:

+```azurecli

+export GATEWAY_URL=$(az spring gateway show \

+ --service ${SPRING_APPS} \

+ --query properties.url \

+ --output tsv)

+echo "https://${GATEWAY_URL}"

+```

+The application should look similar to the following screenshot:

+### 5.2. Query the application logs

+After you browse each function of the Pet Clinic, the Log Analytics workspace collects logs of each application. You can check the logs by using custom queries, as shown in the following screenshot:

+### 5.3. Monitor the applications

+Application Insights monitors the application dependencies, as shown by the following application tracing map:

+Use the following commands to retrieve the URL for Application Live View:

+```azurecli

+export DEV_TOOL_URL=$(az spring dev-tool show \

+ --service ${SPRING_APPS} \

+ --query properties.url \

+ --output tsv)

+echo "https://${DEV_TOOL_URL}/app-live-view"

+```

+Open the Application Live View URL to monitor application runtimes, as shown in the following screenshot:

+### [Azure portal](#tab/Azure-portal-ent)

+Use the following steps to delete the entire resource group:

+1. Locate your resource group in the Azure portal. On the navigation menu, select **Resource groups**, and then select the name of your resource group.

+### [Azure portal + Maven plugin](#tab/Azure-portal-maven-plugin-ent)

+Use the following steps to delete the entire resource group:

+1. Locate your resource group in the Azure portal. On the navigation menu, select **Resource groups**, and then select the name of your resource group.

+1. On the **Resource group** page, select **Delete**. Enter the name of your resource group in the text box to confirm deletion, then select **Delete**.

+### [Azure CLI](#tab/Azure-CLI-ent)

+Use the following command to delete the resource group:

+```azurecli

+az group delete --name ${RESOURCE_GROUP}

+```

+ | `clientIdSettingName` | Your Microsoft Entra client ID. |

+|App Directory Location: '/*folder*' is invalid. Couldn't detect this directory. | Verify your workflow reflects your repository structure. |

+| Either no API directory was specified, or the specified directory wasn't found. | Azure Functions isn't created, as the workflow doesn't define a value for the `api` folder. |

+> Error messages generated by an incorrect `api_location` configuration may still build successfully, as Azure Static Web Apps doesn't require serverless code.

+Use [Application Insights](../azure-monitor/app/app-insights-overview.md) to find runtime error messages. If you don't already have an instance created, refer to [Monitoring Azure Static Web Apps](monitor.md). Application Insights logs the full error message and stack trace generated by each error.

+## Review diagnostic reports

+The [diagnose and solve](diagnostics-overview.md) feature can guide you through steps to troubleshoot problems.

+| **Cost to write (1000 * operation price)** | **$0.0055** | **$0.01** | **$0.018** |

+| **Total cost (listing + properties + write)** | **$0.0064** | **$0.0109** | **$0.0190** |

+| [azcopy bench](../common/storage-ref-azcopy-bench.md?toc=/azure/storage/blobs/toc.json) | Upload | [Put Block](/rest/api/storageservices/put-block-list) and [Put Block List](/rest/api/storageservices/put-block-list). Possibly [Put Blob](/rest/api/storageservices/put-blob) based on object size.|

+| [azcopy bench](../common/storage-ref-azcopy-bench.md?toc=/azure/storage/blobs/toc.json) | Download |[List Blobs](/rest/api/storageservices/list-blobs), [Get Blob Properties](/rest/api/storageservices/get-blob-properties), and [Get Blob](/rest/api/storageservices/get-blob) |

+| [azcopy copy](../common/storage-ref-azcopy-copy.md?toc=/azure/storage/blobs/toc.json) | Upload | [Put Block](/rest/api/storageservices/put-block-list), [Put Block List](/rest/api/storageservices/put-block-list), and [Get Blob Properties](/rest/api/storageservices/get-blob-properties). Possibly [Put Blob](/rest/api/storageservices/put-blob) based on object size. |

+| [azcopy copy](../common/storage-ref-azcopy-copy.md?toc=/azure/storage/blobs/toc.json) | Download | [List Blobs](/rest/api/storageservices/list-blobs), [Get Blob Properties](/rest/api/storageservices/get-blob-properties), and [Get Blob](/rest/api/storageservices/get-blob) |

+| [azcopy copy](../common/storage-ref-azcopy-copy.md?toc=/azure/storage/blobs/toc.json) | Perform a dry run | [List Blobs](/rest/api/storageservices/list-blobs) |

+| [azcopy copy](../common/storage-ref-azcopy-copy.md?toc=/azure/storage/blobs/toc.json) | Copy from Amazon S3|[Put Blob from URL](/rest/api/storageservices/put-blob-from-url). Based on object size, could also be [Put Block From URL](/rest/api/storageservices/put-block-from-url) and [Put Block List](/rest/api/storageservices/put-block-list). |

+| [azcopy copy](../common/storage-ref-azcopy-copy.md?toc=/azure/storage/blobs/toc.json) | Copy from Google Cloud Storage |[Put Blob from URL](/rest/api/storageservices/put-blob-from-url). Based on object size, could also be [Put Block From URL](/rest/api/storageservices/put-block-from-url) and [Put Block List](/rest/api/storageservices/put-block-list). |

+| [azcopy copy](../common/storage-ref-azcopy-copy.md?toc=/azure/storage/blobs/toc.json) | Copy to another container |[List Blobs](/rest/api/storageservices/list-blobs), [Get Blob Properties](/rest/api/storageservices/get-blob-properties), and [Put Blob From URL](/rest/api/storageservices/put-blob-from-url). Based on object size, could also be [Put Block From URL](/rest/api/storageservices/put-block-from-url) and [Put Block List](/rest/api/storageservices/put-block-list). |

+| [azcopy sync](../common/storage-ref-azcopy-sync.md?toc=/azure/storage/blobs/toc.json) | Update local with changes to container |[List Blobs](/rest/api/storageservices/list-blobs), [Get Blob Properties](/rest/api/storageservices/get-blob-properties), and [Get Blob](/rest/api/storageservices/get-blob) |

+| [azcopy sync](../common/storage-ref-azcopy-sync.md?toc=/azure/storage/blobs/toc.json) | Update container with changes to local file system |[List Blobs](/rest/api/storageservices/list-blobs), [Get Blob Properties](/rest/api/storageservices/get-blob-properties), [Put Block](/rest/api/storageservices/put-block-list), and [Put Block List](/rest/api/storageservices/put-block-list). Possibly [Put Blob](/rest/api/storageservices/put-blob) based on object size. |

+| [azcopy sync](../common/storage-ref-azcopy-sync.md?toc=/azure/storage/blobs/toc.json) | Synchronize containers |[List Blobs](/rest/api/storageservices/list-blobs), [Get Blob Properties](/rest/api/storageservices/get-blob-properties), and [Put Blob From URL](/rest/api/storageservices/put-blob-from-url). Based on object size, could also be [Put Block From URL](/rest/api/storageservices/put-block-from-url) and [Put Block List](/rest/api/storageservices/put-block-list). |

+| [azcopy set-properties](../common/storage-ref-azcopy-set-properties.md?toc=/azure/storage/blobs/toc.json) | Set blob tier |[Set Blob Tier](/rest/api/storageservices/set-blob-tier) and [List Blobs](/rest/api/storageservices/list-blobs) (if targeting a virtual directory) |

+| [azcopy set-properties](../common/storage-ref-azcopy-set-properties.md?toc=/azure/storage/blobs/toc.json) | Set metadata |[Set Blob Metadata](/rest/api/storageservices/set-blob-metadata) and [List Blobs](/rest/api/storageservices/list-blobs) (if targeting a virtual directory) |

+| [azcopy set-properties](../common/storage-ref-azcopy-set-properties.md?toc=/azure/storage/blobs/toc.json) | Set blob tags |[Set Blob Tags](/rest/api/storageservices/set-blob-tags) and [List Blobs](/rest/api/storageservices/list-blobs) (if targeting a virtual directory) |

+| [azcopy list](../common/storage-ref-azcopy-list.md?toc=/azure/storage/blobs/toc.json) | List blobs in a container|[List Blobs](/rest/api/storageservices/list-blobs) |

+| [azcopy make](../common/storage-ref-azcopy-make.md?toc=/azure/storage/blobs/toc.json) | Create a container |[Create Container](/rest/api/storageservices/create-container) |

+| [azcopy remove](../common/storage-ref-azcopy-remove.md?toc=/azure/storage/blobs/toc.json) | Delete a container |[Delete Container](/rest/api/storageservices/delete-container) |

+| [azcopy remove](../common/storage-ref-azcopy-remove.md?toc=/azure/storage/blobs/toc.json) | Delete a blob |[Get Blob Properties](/rest/api/storageservices/get-blob-properties). [List Blobs](/rest/api/storageservices/list-blobs) (if targeting a virtual directory), and [Delete Blob](/rest/api/storageservices/delete-blob) |

+- [Overview of Azure Data Lake Storage for the data management and analytics scenario](/azure/cloud-adoption-framework/scenarios/data-management/best-practices/data-lake-overview?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json)

+- [Provision three Azure Data Lake Storage Gen2 accounts for each data landing zone](/azure/cloud-adoption-framework/scenarios/data-management/best-practices/data-lake-services?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json)

+<sup>1</sup> On the source account, if you haven't changed a blob or version's tier, then you're billed for unique blocks of data across that blob, its versions. See [Blob versioning pricing and Billing](versioning-overview.md#pricing-and-billing). At the destination account, for a version, you're billed for all of the blocks of a version whether or not those blocks are unique.

+<sup>3</sup> Object replication copies the whole version to destination (not just the unique blocks of the version). This transfer incurs the cost of network egress. See [Bandwidth pricing](https://azure.microsoft.com/pricing/details/bandwidth/).

+> [!TIP]

+> To reduce the risk of an unexpected bill, enable object replication in an account that contains only a small number of objects. Then, measure the impact on cost before you enable the feature in a production setting.

+If your computer has fewer than 5 CPUs, then the value of this variable is set to `32`. Otherwise, the default value is equal to 16 multiplied by the number of CPUs. The maximum default value of this variable is `3000`, but you can manually set this value higher or lower.

+#### Metadata caching for premium SMB file shares is in public preview

+Metadata caching is an enhancement for SMB Azure premium file shares aimed to reduce metadata latency, increase available IOPS, and boost network throughput. [Learn more](smb-performance.md#metadata-caching-for-premium-smb-file-shares).

+description: Learn about different ways to improve performance for premium SMB Azure file shares, including SMB Multichannel and metadata caching.

+This article explains how you can improve performance for premium SMB Azure file shares, including using SMB Multichannel and metadata caching (preview).

+- Ensure that your storage account and your client are co-located in the same Azure region to reduce network latency.

+On Windows clients, SMB Multichannel is enabled by default. You can verify your configuration by running the following PowerShell command:

+1. Open PowerShell as an admin and use the following command:

+## Metadata caching for premium SMB file shares

+Metadata caching is an enhancement for SMB Azure premium file shares aimed to reduce metadata latency, increase available IOPS, and boost network throughput. This preview feature improves the following metadata APIs and can be used from both Windows and Linux clients:

+- Create

+- Open

+- Close

+- Delete

+To onboard, [sign up for the public preview](https://aka.ms/PremiumFilesMetadataCachingPreview) and we'll provide you with additional details. Currently this preview feature is only available for premium SMB file shares (file shares in the FileStorage storage account kind). There are no additional costs associated with using this feature.

+### Regional availability

+Currently the metadata caching preview is only available in the following Azure regions.

+- Australia East

+- Brazil South East

+- France South

+- Germany West Central

+- Switzerland North

+- UAE Central

+- UAE North

+- US West Central

+### Performance improvements with metadata caching

+Most workloads or usage patterns that contain metadata can benefit from metadata caching. To determine if your workload contains metadata, you can [use Azure Monitor](analyze-files-metrics.md#monitor-utilization) to split the transactions by API dimension.

+Typical metadata-heavy workloads and usage patterns include:

+- Web/app services

+- DevOps tasks

+- Indexing/batch jobs

+- Virtual desktops with home directories or other workloads that are primarily interacting with many small files, directories, or handles

+The following diagrams depict potential results.