+## Mobile and desktop apps

+| Sample | Description |

+|--| -- |

+| [ios-swift-native-msal](https://github.com/Azure-Samples/active-directory-b2c-ios-swift-native-msal) | An iOS sample in Swift that authenticates Azure AD B2C users and calls an API using OAuth 2.0 |

+| [android-native-msal](https://github.com/Azure-Samples/ms-identity-android-java#b2cmodefragment-class) | A simple Android app showcasing how to use MSAL to authenticate users via Azure Active Directory B2C, and access a Web API with the resulting tokens. |

+| [ios-native-appauth](https://github.com/Azure-Samples/active-directory-b2c-ios-native-appauth) | A sample that shows how you can use a third-party library to build an iOS application in Objective-C that authenticates Microsoft identity users to our Azure AD B2C identity service. |

+| [android-native-appauth](https://github.com/Azure-Samples/active-directory-b2c-android-native-appauth) | A sample that shows how you can use a third-party library to build an Android application that authenticates Microsoft identity users to our B2C identity service and calls a web API using OAuth 2.0 access tokens. |

+| [dotnet-desktop](https://github.com/Azure-Samples/active-directory-b2c-dotnet-desktop) | A sample that shows how a Windows Desktop .NET (WPF) application can sign in a user using Azure AD B2C, get an access token using MSAL.NET and call an API. |

+| [xamarin-native](https://github.com/Azure-Samples/active-directory-b2c-xamarin-native) | A simple Xamarin Forms app showcasing how to use MSAL to authenticate users via Azure Active Directory B2C, and access a Web API with the resulting tokens. |

+The number of applications used in modern organizations continues to grow. You, as an IT admin, must manage access management at scale. You use standards such as SAML or OIDC for single sign-on (SSO), but access also requires you provision users into an app. You might think provisioning means manually creating every user account or uploading CSV files each week. These processes are time-consuming, expensive, and error prone. To streamline the process, use SAML just-in-time (JIT) to automate provisioning. Use the same process to deprovision users when they leave the organization or no longer require access to certain apps based on role change.

+- A single set of policies to determine provisioned users that can sign in to an app.

+ To request a new application for provisioning, see [Submit a request to publish your application in Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md). For a user provisioning request, we require the application to have a SCIM-compliant endpoint. Request that the application vendor follows the SCIM standard so we can onboard the app to our platform quickly.

+>Number matching will begin to be enabled for all users of Microsoft Authenticator starting May 08, 2023.

+## Certificate-based authentication is MFA capable

+Azure AD CBA is an MFA (Multi factor authentication) capable method, that is Azure AD CBA can be either Single (SF) or Multi-factor (MF) depending on the tenant configuration. Enabling CBA for a user indicates the user is potentially capable of MFA. This means a user may need additional configuration to get MFA and proof up to register other authentication methods when the user is in scope for CBA.

+If CBA enabled user only has a Single Factor (SF) certificate and need MFA

+ 1. Use Password + SF certificate.

+ 1. Issue Temporary Access Pass (TAP)

+ 1. Admin adds Phone Number to user account and allows Voice/SMS method for user.

+If CBA enabled user has not yet been issued a certificate and need MFA

+ 1. Issue Temporary Access Pass (TAP)

+ 1. Admin adds Phone Number to user account and allows Voice/SMS method for user.

+If CBA enabled user cannot use MF cert (such as on mobile device without smart card support) and need MFA

+ 1. Issue Temporary Access Pass (TAP)

+ 1. User Register another MFA method (when user can use MF cert)

+ 1. Use Password + MF cert (when user can use MF cert)

+ 1. Admin adds Phone Number to user account and allows Voice/SMS method for user

+Azure AD CBA can be used as a second factor to meet MFA requirements with single-factor certificates. The supported combintaions are

+CBA (first factor) + passwordless phone sign-in (PSI as second factor)

+CBA (first factor) + FIDO2 security keys

+Password (first factor) + CBA (second factor)

+Users need to have another way to get MFA and register passwordless sign-in or FIDO2 in advance to signing in with Azure AD CBA.

+- Certificate Authority hints aren't supported, so the list of certificates that appears for users in the certificate picker UI isn't scoped.

+- Methods registered (Alternate Mobile Phone, Email, FIDO2 Security Key, Hardware OATH token, Microsoft Authenticator app, Microsoft Passwordless phone sign-in, Mobile Phone, Office Phone, Security questions, Software OATH token, Temporary Access Pass, Windows Hello for Business)

+ > [!IMPORTANT]

+ > If your Azure tenant has already been enabled for combined registration, you might not see the configuration option for **Users can use the combined security information registration experience** or even see it grayed out.

+| Synchronize customer defined AD attributes (directory extensions) |ΓùÅ|ΓùÅ|

+- Adobe Acrobat Reader mobile app

+- Provectus - Secure Contacts

+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]

+ Title: Workload identities license plans faq

+description: Learn about workload identities license plans, features and capabilities.

+#Customer intent: I want to know about workload identities licensing plans

+# Frequently asked questions about workload identities license plans

+[Workload identities](workload-identities-overview.md) is now available in two editions: **Free** and **Workload Identities Premium**. The free edition of workload identities is included with a subscription of a commercial online service such as [Azure](https://azure.microsoft.com/) and [Power Platform](https://powerplatform.microsoft.com/). The Workload

+Identities Premium offering is available through a Microsoft representative, the [Open Volume License

+Program](https://www.microsoft.com/licensing/how-to-buy/how-to-buy), and the [Cloud Solution Providers program](/azure/lighthouse/concepts/cloud-solution-provider). Azure and Microsoft 365 subscribers can also purchase Workload

+Identities Premium online.

+For more information, see [what are workload identities?](workload-identities-overview.md)

+>[!NOTE]

+>Workload Identities Premium is a standalone product and isn't included in other premium product plans. All subscribers require a license to use Workload Identities Premium features.

+Learn more about [workload identities

+pricing](https://www.microsoft.com/security/business/identity-access/microsoft-entra-workload-identities#office-StandaloneSKU-k3hubfz).

+## What features are included in Workload Identities Premium plan and which features are free?

+|Capabilities | Description | Free | Premium |

+|:--|:-|:|:--|

+| **Authentication and authorization**| | | |

+| Create, read, update, delete workload identities | Create and update identities for securing service to service access | Yes | Yes |

+| Authenticate workload identities and tokens to access resources | Use Azure Active Directory (Azure AD) to protect resource access | Yes| Yes |

+| Workload identities sign-in activity and audit trail | Monitor and track workload identity behavior | Yes | Yes |

+| **Managed identities**| Use Azure AD identities in Azure without handling credentials | Yes| Yes |

+| Workload identity federation | Use workloads tested by external Identity Providers (IdPs) to access Azure AD protected resources | Yes | Yes |

+| **Conditional Access (CA)** | | |

+| CA policies for workload identities |Define the condition in which a workload can access a resource, such as an IP range | | Yes |

+|**Lifecycle Management**| | | |

+|Access reviews for service provider-assigned privileged roles | Closely monitor workload identities with impactful permissions | | Yes |

+|**Identity Protection** | | |

+|Identity Protection for workload identities | Detect and remediate compromised workload identities | | Yes |

+## What is the cost of Workload Identities Premium plan?

+Check the pricing for the [Microsoft Entra Workload Identities

+Premium](https://www.microsoft.com/security/business/identity-access/microsoft-entra-workload-identities#office-StandaloneSKU-k3hubfz)

+plan.

+## How do I purchase a Workload Identities Premium plan?

+You need an Azure or Microsoft 365 subscription. You can use a

+current subscription or set up a new one. Then, sign into the [Microsoft

+Entra admin

+center](https://entra.microsoft.com/)

+with your credentials to buy Workload Identities licenses.

+## Through what channels can I purchase Workload Identities Premium plan?

+You can purchase the plan through Enterprise Agreement (EA)/Enterprise Subscription (EAS), Cloud Solution Providers (CSPs), or Web Direct.

+## Where can I find more feature details to determine if I need a license(s)?

+Entra workload identities has three premium features that require a license.

+- [Conditional Access](../conditional-access/workload-identity.md):

+Supports location or risk-based policies for workload identities.

+- [Identity Protection](../identity-protection/concept-workload-identity-risk.md):

+Provides reports of compromised credentials, anomalous sign-ins, and

+suspicious changes to accounts.

+- [Access Reviews](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-azure-ad-access-reviews-for-service-principals/ba-p/1942488):

+Enables delegation of reviews to the right people, focused on the most

+important privileged roles.

+## What do the numbers in each category on the [Workload identities - Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_Azure_ManagedServiceIdentity/WorkloadIdentitiesBlade) mean?

+Category definitions:

+- **Enterprise apps/Service Principals**: This category includes multi-tenant apps, gallery apps, non-gallery apps and service principals.

+- **Microsoft apps**: Apps such as Outlook and Microsoft Teams.

+- [**Managed Identities**](https://entra.microsoft.com/#home): An identity for

+applications for connecting resources that support Azure AD authentication.

+## How many licenses do I need to purchase? Do I need to license all workload identities including Microsoft and Managed Service Identities?

+All workload identities - service principles, apps and managed identities, configured in your directory for a Microsoft Entra

+Workload Identities Premium feature require a license. Select and prioritize the identities based on the available licenses. Remove

+the workload identities from the directory that are no longer required.

+The following identity functionalities are currently available to view

+in a directory:

+- Identity Protection: All single-tenant and multi-tenant service

+ principals excluding managed identities and Microsoft apps.

+- Conditional Access: Single-tenant service principals (excluding

+ managed identities) capable of acting as a subject/client, having a

+ defined credential.

+- Access reviews: All single-tenant and multi-tenant service

+ principals assigned to privileged roles.

+>[!NOTE]

+>Functionality is subject to change, and feature coverage is

+intended to expand.

+## Do these licenses require individual workload identities assignment?

+No, license assignment isn't required. One license in the tenant unlocks features for workload identities.

+## Can I get a free trial of Workload Identities Premium?

+Yes. you can get a [90-day free trial](https://entra.microsoft.com/#view/Microsoft_Azure_ManagedServiceIdentity/WorkloadIdentitiesBlade).

+In the Modern channel, a 30-day only trial is available. Free trial is

+unavailable in Government clouds.

+## Is the Workload Identities Premium edition available on Government clouds?

+Yes, it's available.

+## Is it possible to have a mix of Azure AD Premium P1, Azure AD Premium P2 and Workload Identities Premium licenses in one tenant?

+Yes, customers can have a mixture of license plans in one tenant.

+- Learn how to [secure access of workload identities](../conditional-access/workload-identity.md) with adaptive policies.

+- Get answers to [frequently asked questions about workload identities](workload-identities-faqs.md).

+- **Cluster issuer URL** is the [OIDC issuer URL](../../aks/use-oidc-issuer.md) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster.

+- **Cluster issuer URL** is the [OIDC issuer URL](../../aks/use-oidc-issuer.md) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster.

+*issuer* is your service account issuer URL (the [OIDC issuer URL](../../aks/use-oidc-issuer.md) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster).

+- *Issuer* is your service account issuer URL (the [OIDC issuer URL](../../aks/use-oidc-issuer.md) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster).

+- *issuer* is your service account issuer URL (the [OIDC issuer URL](../../aks/use-oidc-issuer.md) for the managed cluster or the [OIDC Issuer URL](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters/oidc-issuer.html) for a self-managed cluster).

+### US Government cloud (inclusive of GCCHigh and DoD)

+- `https://enterpriseregistration.windows.net` **and** `https://enterpriseregistration.microsoftonline.us`

+ Title: Discover the current state of external collaboration in your organization

+description: Discover the current state of an organization's collaboration with audit logs, reporting, allowlist, blocklist, and more.

+Learn more: [Determine your security posture for external access with Azure Active Directory](1-secure-access-posture.md)

+Users in your organization likely collaborate with users from other organizations. Collaboration occurs with productivity applications like Microsoft 365, by email, or sharing resources with external users. These scenarios include users:

+* Initiating external collaboration

+* Collaborating with external users and organizations

+* Granting access to external users

+## Determine who initiates external collaboration

+Generally, users seeking external collaboration know the applications to use, and when access ends. Therefore, determine users with delegated permissions to invite external users, create access packages, and complete access reviews.

+* Microsoft 365 [Audit log activities](/microsoft-365/compliance/audit-log-activities?view=o365-worldwide&preserve-view=true) - search for events and discover activities audited in Microsoft 365

+* [Auditing and reporting a B2B collaboration user](../external-identities/auditing-and-reporting.md) - verify guest user access, and see records of system and user activities

+## Enumerate guest users and organizations

+External users might be Azure AD B2B users with partner-managed credentials, or external users with locally provisioned credentials. Typically, these users are the Guest UserType. To learn about inviting guests users and sharing resources, see [B2B collaboration overview](../external-identities/what-is-b2b.md).

+Use the following tools to identify Azure AD B2B collaboration, external Azure AD tenants, and users accessing applications:

+* PowerShell module, [Get MsIdCrossTenantAccessActivity](https://github.com/AzureAD/MSIdentityTools/wiki/Get-MSIDCrossTenantAccessActivity)

+* [Cross-tenant access activity workbook](../reports-monitoring/workbook-cross-tenant-access-activity.md)

+### Discover email domains and companyName property

+You can determine external organizations with the domain names of external user email addresses. This discovery might not be possible with consumer identity providers. We recommend you write the companyName attribute to identify external organizations.

+### Use allowlist, blocklist, and entitlement management

+Use the allowlist or blocklist to enable your organization to collaborate with, or block, organizations at the tenant level. Control B2B invitations and redemptions regardless of source (such as Microsoft Teams, SharePoint, or the Azure portal).

+See, [Allow or block invitations to B2B users from specific organizations](../external-identities/allow-deny-list.md)

+ 

+## Determine external user access

+With an inventory of external users and organizations, determine the access to grant to the users. You can use the Microsoft Graph API to determine Azure AD group membership or application assignment.

+| Workload identities| Give an identity to your software workload (such as an application, service, script, or container) to authenticate and access other services and resources. For more information, see [workload identities faqs](../develop/workload-identities-faqs.md).

+|Microsoft Authenticator app [Number matching](../authentication/how-to-mfa-number-match.md)|Feature change|May 8, 2023|

+## January 2023

+### General Availability - Azure AD Domain

+**Type:** New feature

+**Service category:** Azure AD Domain Services

+**Product capability:** Azure AD Domain Services

+Now within the Azure portal you have access to view key data for your Azure AD-DS Domain Controllers such as: LDAP Searches/sec, Total Query Received/sec, DNS Total Response Sent/sec, LDAP Successful Binds/sec, memory usage, processor time, Kerberos Authentications, and NTLM Authentications. For more information, see: [Check fleet metrics of Azure Active Directory Domain Services](/azure/active-directory-domain-services/fleet-metrics).

+### General Availability - Add multiple domains to the same SAML/Ws-Fed based identity provider configuration for your external users

+**Type:** New feature

+**Service category:** B2B

+**Product capability:** B2B/B2C

+An IT admin can now add multiple domains to a single SAML/WS-Fed identity provider configuration to invite users from multiple domains to authenticate from the same identity provider endpoint. For more information, see: [Federation with SAML/WS-Fed identity providers for guest users](../external-identities/direct-federation.md).

+### General Availability - New risk in Identity Protection: Anomalous user activity

+**Type:** New feature

+**Service category:** Conditional Access

+**Product capability:** Identity Security & Protection

+This risk detection baselines normal administrative user behavior in Azure AD, and spots anomalous patterns of behavior like suspicious changes to the directory. The detection is triggered against the administrator making the change or the object that was changed. For more information, see: [User-linked detections](../identity-protection/concept-identity-protection-risks.md#user-linked-detections).

+### General Availability - Administrative unit support for devices

+**Type:** New feature

+**Service category:** Directory Management

+**Product capability:** AuthZ/Access Delegation

+You can now use administrative units to delegate management of specified devices in your tenant by adding devices to an administrative unit, and assigning built-in and custom device management roles scoped to that administrative unit. For more information, see: [Device management](../roles/administrative-units.md#device-management).

+### General Availability - Azure AD Terms of Use (ToU) API

+**Type:** New feature

+**Service category:** Conditional Access

+**Product capability:** Identity Security & Protection

+Represents a tenant's customizable terms of use agreement that is created, and managed, with Azure Active Directory (Azure AD). You can use the following methods to create and manage the [Azure Active Directory Terms of Use feature](/graph/api/resources/agreement?#json-representation) according to your scenario. For more information, see: [agreement resource type](/graph/api/resources/agreement).

+Restore a recently deleted application, group, servicePrincipal, administrative unit, or user object from deleted items. If an item was accidentally deleted, you can fully restore the item. This isn't applicable to security groups, which are deleted permanently. A recently deleted item remains available for up to 30 days. After 30 days, the item is permanently deleted. For more information, see: [servicePrincipal resource type](/graph/api/resources/serviceprincipal).

+We're excited to announce the general availability of hybrid cloud Kerberos trust, a new Windows Hello for Business deployment model to enable a password-less sign-in experience. With this new model, weΓÇÖve made Windows Hello for Business easier to deploy than the existing key trust and certificate trust deployment models by removing the need for maintaining complicated public key infrastructure (PKI), and Azure Active Directory (AD) Connect synchronization wait times. For more information, see: [Migrate to cloud authentication using Staged Rollout](../hybrid/how-to-connect-staged-rollout.md).

+We're excited to announce the general availability of hybrid cloud Kerberos trust, a new Windows Hello for Business deployment model to enable a password-less sign-in experience. With this new model, weΓÇÖve made Windows Hello for Business easier to deploy than the existing key trust and certificate trust deployment models by removing the need for maintaining complicated public key infrastructure (PKI), and Azure Active Directory (AD) Connect synchronization wait times. For more information, see: [Hybrid Cloud Kerberos Trust Deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).

+To ensure timing accuracy of scheduled workflows itΓÇÖs crucial to consider:

+ - For more information on Microsoft Graph queries for activity logs, see [Activity reports API overview](/graph/api/resources/azure-ad-auditlog-overview)

+* [Sign-in API reference](/graph/api/resources/signin)

+ > The Identifier value is not real. Update this value with the actual Identifier. Contact [HPE SaaS Client support team](https://support.hpe.com/connect/s/?language=en_US) to get this value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+A container runtime is software that executes containers and manages container images on a node. The runtime helps abstract away sys-calls or operating system (OS) specific functionality to run containers on Linux or Windows. Linux node pools use `containerd` for node pools using Kubernetes version 1.19 and greater. On Windows Server 2019 node pools, `containerd` is generally available and the only container runtime option on Kubernetes 1.21 and greater. Docker is no longer supported as of September 2022. For more information about this deprecation, see the [AKS release notes][aks-release-notes].

+[`Containerd`](https://containerd.io/) is an [OCI](https://opencontainers.org/) (Open Container Initiative) compliant core container runtime that provides the minimum set of required functionality to execute containers and manage images on a node. `Containerd` was [donated](https://www.cncf.io/announcement/2017/03/29/containerd-joins-cloud-native-computing-foundation/) to the Cloud Native Compute Foundation (CNCF) in March of 2017. The current Moby (upstream Docker) version that AKS uses is built on top of `containerd`.

+With a `containerd`-based node and node pools, instead of talking to the `dockershim`, the kubelet talks directly to `containerd` using the CRI (container runtime interface) plugin, removing extra hops in the data flow when compared to the Docker CRI implementation. As such, you see better pod startup latency and less resource (CPU and memory) usage.

+By using `containerd` for AKS nodes, pod startup latency improves and node resource consumption by the container runtime decreases. These improvements through this new architecture enable kubelet communicating directly to `containerd` through the CRI plugin. While in a Moby/docker architecture, kubelet communicates to the `dockershim` and docker engine before reaching `containerd`, therefore having extra hops in the data flow.

+`Containerd` works on every GA version of Kubernetes in AKS, and in every newer Kubernetes version above v1.19, and supports all Kubernetes and AKS features.

+ * `Containerd` doesn't provide the complete functionality of the docker CLI. It's available for troubleshooting only.

+ * Building images and directly using the Docker engine using the methods mentioned earlier aren't recommended. Kubernetes isn't fully aware of those consumed resources, and those methods present numerous issues as described [here](https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/) and [here](https://securityboulevard.com/2018/05/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-1/).

+Azure supports [Generation 2 (Gen2) virtual machines (VMs)](../virtual-machines/generation-2.md). Generation 2 VMs support key features not supported in generation 1 VMs (Gen1). These features include increased memory, Intel Software Guard Extensions (Intel SGX), and virtualized persistent memory (vPMEM).

+Additionally not all VM images support Gen2, on AKS Gen2 VMs use the new [AKS Ubuntu 18.04 image](#os-configuration). This image supports all Gen2 SKUs and sizes.

+When you create a new cluster or add a new node pool to an existing cluster, by default the OS disk size is determined by the number for vCPUs. The number of vCPUs is based on the VM SKU, and in the following table we list the default values:

+|VM SKU Cores (vCPUs)| Default OS Disk Tier | Provisioned IOPS | Provisioned Throughput (Mbps) |

+By default, Azure automatically replicates the operating system disk for a virtual machine to Azure storage to avoid data loss when the VM is relocated to another host. However, since containers aren't designed to have local state persisted, this behavior offers limited value while providing some drawbacks. These drawbacks include, but aren't limited to, slower node provisioning and higher read/write latency.

+Like the temporary disk, included in the price of the VM is an ephemeral OS disk.

+> When you don't explicitly request managed disks for the OS, AKS defaults to ephemeral OS if possible for a given node pool configuration.

+If you chose to use the AKS default VM size [Standard_DS2_v2](../virtual-machines/dv2-dsv2-series.md#dsv2-series) SKU with the default OS disk size of 100 GB. The default VM size supports ephemeral OS, but only has 86 GiB of cache size. This configuration would default to managed disks if you don't explicitly specify it. If you do request an ephemeral OS, you receive a validation error.

+If you request the same [Standard_DS2_v2](../virtual-machines/dv2-dsv2-series.md#dsv2-series) SKU with a 60 GiB OS disk, this configuration would default to ephemeral OS. The requested size of 60 GiB is smaller than the maximum cache size of 86 GiB.

+If you select the [Standard_D8s_v3](../virtual-machines/dv3-dsv3-series.md#dsv3-series) SKU with 100 GB OS disk, this VM size supports ephemeral OS and has 200 GiB of cache space. If you don't specify the OS disk type, the node pool would receive ephemeral OS by default.

+The latest generation of VM series doesn't have a dedicated cache, but only temporary storage. Let's assume to use the [Standard_E2bds_v5](../virtual-machines/ebdsv5-ebsv5-series.md#ebdsv5-series) VM size with the default OS disk size of 100 GiB as an example. This VM size supports ephemeral OS disks, but only has 75 GB of temporary storage. This configuration would default to managed OS disks if you don't explicitly specify it. If you do request an ephemeral OS disk, you receive a validation error.

+If you request the same [Standard_E2bds_v5](../virtual-machines/ebdsv5-ebsv5-series.md#ebdsv5-series) VM size with a 60 GiB OS disk, this configuration defaults to ephemeral OS disks. The requested size of 60 GiB is smaller than the maximum temporary storage of 75 GiB.

+If you chose to use [Standard_E4bds_v5](../virtual-machines/ebdsv5-ebsv5-series.md#ebdsv5-series) SKU with 100 GiB OS disk, this VM size supports ephemeral OS

+and has 150 GiB of temporary storage. If you don't specify the OS disk type, by default Azure provisions an ephemeral OS disk to the node pool.

+Configure the cluster to use ephemeral OS disks when the cluster is created. Use the `--node-osdisk-type` flag to set Ephemeral OS as the OS disk type for the new cluster.

+If you want to create a regular cluster using network-attached OS disks, you can do so by specifying `--node-osdisk-type=Managed`. You can also choose to add other ephemeral OS node pools as described below.

+When you deploy an Azure Kubernetes Service cluster in Azure, it also creates a second resource group for the worker nodes. By default, AKS names the node resource group `MC_resourcegroupname_clustername_location`, but you can specify a custom name.

+To specify a custom resource group name, install the `aks-preview` Azure CLI extension version 0.3.2 or later. When using the Azure CLI, include the `--node-resource-group` parameter with the `az aks create` command to specify a custom name for the resource group. To deploy an AKS cluster with an Azure Resource Manager template, you can define the resource group name by using the `nodeResourceGroup` property.

+The secondary resource group is automatically created by the Azure resource provider in your own subscription. You can only specify the custom resource group name during cluster creation.

+- Change the node resource group name after creating the cluster.

+The [Node Restriction](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction) admission controller limits the Node and Pod objects a kubelet can modify. Node Restriction is on by default in AKS 1.24+ clusters. If you're using an older version, use the following commands to create a cluster with Node Restriction, or update an existing cluster to add Node Restriction.

+[enable-oidc-issuer]: use-oidc-issuer.md

+ Title: Create an OpenID Connect provider for your Azure Kubernetes Service (AKS) cluster

+description: Learn how to configure the OpenID Connect (OIDC) provider for a cluster in Azure Kubernetes Service (AKS)

+# Create an OpenID Connect provider on Azure Kubernetes Service (AKS)

+[OpenID Connect][open-id-connect-overview] (OIDC) extends the OAuth 2.0 authorization protocol for use as an additional authentication protocol issued by Azure Active Directory (Azure AD). You can use OIDC to enable single sign-on (SSO) between your OAuth-enabled applications, on your Azure Kubernetes Service (AKS) cluster, by using a security token called an ID token. With your AKS cluster, you can enable OpenID Connect (OIDC) Issuer, which allows Azure Active Directory (Azure AD) or other cloud provider identity and access management platform, to discover the API server's public signing keys.

+AKS rotates the key automatically and periodically. If you don't want to wait, you can rotate the key manually and immediately. The maximum lifetime of the token issued by the OIDC provider is one day.

+> [!WARNING]

+> Enable or disable OIDC Issuer changes the current service account token issuer to a new value, which can cause down time and restarts the API server. If your application pods using a service token remain in a failed state after you enable or disable the OIDC Issuer, we recommend you manually restart the pods.

+In this article, you learn how to create, update, and manage the OIDC Issuer for your cluster.

+## Prerequisites

+* The Azure CLI version 2.42.0 or higher. Run `az --version` to find your version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].

+* AKS supports OIDC Issuer on version 1.22 and higher.

+## Create an AKS cluster with OIDC Issuer

+You can create an AKS cluster using the [az aks create][az-aks-create] command with the `--enable-oidc-issuer` parameter to use the OIDC Issuer. The following example creates a cluster named *myAKSCluster* with one node in the *myResourceGroup*:

+```azurecli-interactive

+az aks create -g myResourceGroup -n myAKSCluster --node-count 1 --enable-oidc-issuer

+```

+## Update an AKS cluster with OIDC Issuer

+You can update an AKS cluster using the [az aks update][az-aks-update] command with the `--enable-oidc-issuer` parameter to use the OIDC Issuer. The following example updates a cluster named *myAKSCluster*:

+```azurecli-interactive

+az aks update -g myResourceGroup -n myAKSCluster --enable-oidc-issuer

+```

+## Show the OIDC Issuer URL

+To get the OIDC Issuer URL, run the [az aks show][az-aks-show] command. Replace the default values for the cluster name and the resource group name.

+```azurecli-interactive

+az aks show -n myAKScluster -g myResourceGroup --query "oidcIssuerProfile.issuerUrl" -otsv

+```

+### Rotate the OIDC key

+To rotate the OIDC key, run the [az aks oidc-issuer][az-aks-oidc-issuer] command. Replace the default values for the cluster name and the resource group name.

+```azurecli-interactive

+az aks oidc-issuer rotate-signing-keys -n myAKSCluster -g myResourceGroup

+```

+> [!IMPORTANT]

+> Once you rotate the key, the old key (key1) expires after 24 hours. This means that both the old key (key1) and the new key (key2) are valid within the 24-hour period. If you want to invalidate the old key (key1) immediately, you need to rotate the OIDC key twice. Then key2 and key3 are valid, and key1 is invalid.

+## Next steps

+* See [configure creating a trust relationship between an app and an external identity provider](../active-directory/develop/workload-identity-federation-create-trust.md) to understand how a federated identity credential creates a trust relationship between an application on your cluster and an external identity provider.

+* Review [Azure AD workload identity][azure-ad-workload-identity-overview] (preview). This authentication method integrates with the Kubernetes native capabilities to federate with any external identity providers on behalf of the application.

+* See [Secure pod network traffic][secure-pod-network-traffic] to understand how to use the Network Policy engine and create Kubernetes network policies to control the flow of traffic between pods in AKS.

+<!-- LINKS - external -->

+<!-- LINKS - internal -->

+[open-id-connect-overview]: ../active-directory/fundamentals/auth-oidc.md

+[azure-cli-install]: /cli/azure/install-azure-cli

+[az-aks-create]: /cli/azure/aks#az-aks-create

+[az-aks-update]: /cli/azure/aks#az-aks-update

+[az-aks-show]: /cli/azure/aks#az-aks-show

+[az-aks-oidc-issuer]: /cli/azure/aks/oidc-issuer

+[azure-ad-workload-identity-overview]: workload-identity-overview.md

+[secure-pod-network-traffic]: use-network-policies.md

+ dotnet publish -c Release --property:PublishDir='${{ env.AZURE_WEBAPP_PACKAGE_PATH }}/myapp'

+ dotnet publish -c Release --property:PublishDir='${{ env.AZURE_WEBAPP_PACKAGE_PATH }}/myapp'

+ dotnet publish -c Release --property:PublishDir='${{ env.AZURE_WEBAPP_PACKAGE_PATH }}/myapp'

+ dotnet publish -c Release --property:PublishDir='${{ env.AZURE_WEBAPP_PACKAGE_PATH }}/myapp'

+Azure CLI has a command [`az webapp up`](/cli/azure/webapp#az-webapp-up) that will create the necessary resources and deploy your application in a single step.

+In the terminal, deploy the code in your local folder using the [`az webapp up`](/cli/azure/webapp#az-webapp-up) command:

+ :::code language="python" source="~/msdocs-django-postgresql-sample-app/azureproject/production.py" range="6-8" highlight="3":::

+ :::code language="python" source="~/msdocs-django-postgresql-sample-app/azureproject/production.py" range="11-16" highlight="14":::

+ :::code language="python" source="~/msdocs-django-postgresql-sample-app/azureproject/production.py" range="25-26":::

+## Scenario: Runbook fails with "Parameter length exceeded" error

+### Issue

+Your runbook uses parameters and fails with the following error:

+```error

+Total Length of Runbook Parameter names and values exceeds the limit of 30,000 characters. To avoid this issue, use Automation Variables to pass values to runbook.

+```

+### Cause

+There is a limit to the total length of characters of all Parameters that can be provided in Python 2.7, Python 3.8, and PowerShell 7.1 runbooks. The total length of all Parameter names, and Parameter values must not exceed 30,000 characters.

+### Resolution

+To overcome this issue, you can use Azure Automation [Variables](../shared-resources/variables.md) to pass values to runbook. You can alternatively reduce the number of characters in Parameter names and Parameter values to ensure that the total length does not exceed 30,000 characters.

+- **Supported distributions**: All Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters

+- **Supported distributions**: AKS on Azure Stack HCI, AKS hybrid clusters provisioned from Azure, Cluster API Azure, Google Kubernetes Engine, Canonical Kubernetes Distribution, OpenShift Kubernetes Distribution, Amazon Elastic Kubernetes Service, VMWare Tanzu Kubernetes Grid

+- **Supported distributions**: AKS hybrid clusters provisioned from Azure, Cluster API Azure, Azure Red Hat OpenShift, Red Hat OpenShift (version 4.6 or newer), Google Kubernetes Engine Standard, Amazon Elastic Kubernetes Service, VMWare Tanzu Kubernetes Grid, Rancher Kubernetes Engine, Canonical Kubernetes Distribution

+- **Supported distributions**: AKS, AKS on Azure Stack HCI, AKS hybrid clusters provisioned from Azure, Cluster API Azure, Google Kubernetes Engine, Canonical Kubernetes Distribution, Rancher Kubernetes Engine, OpenShift Kubernetes Distribution, Amazon Elastic Kubernetes Service, VMWare Tanzu Kubernetes Grid

+- **Supported distributions**: AKS, AKS on Azure Stack HCI, Azure Red Hat OpenShift, Google Kubernetes Engine, Canonical Kubernetes Distribution, OpenShift Container Platform, Amazon Elastic Kubernetes Service

+- **Supported distributions**: AKS, AKS on Azure Stack HCI, Azure Red Hat OpenShift, Google Kubernetes Engine, OpenShift Container Platform

+- **Supported distributions**: AKS, Red Hat OpenShift

+- **Supported distributions**: All Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters.

+- **Supported distributions**: All Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters. Not currently supported for ARM 64.

+- **Supported distributions**: All Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters. Not currently supported for ARM 64.

+>- If VMM server is running on Windows Server 2016 machine, ensure that [Open SSH package](https://github.com/PowerShell/Win32-OpenSSH/releases) is installed.

+>- If you deploy an older version of appliance (version lesser than 0.2.25), Arc operation fails with the error *Appliance cluster is not deployed with AAD authentication*. To fix this issue, download the latest version of the onboarding script and deploy the resource bridge again.

+| **SCVMM** | You need an SCVMM management server running version 2016 or later.<br/><br/> A private cloud with minimum free capacity of 16 GB of RAM, 4 vCPUs with 100 GB of free disk space. <br/><br/> A VM network with internet access, directly or through proxy. Appliance VM will be deployed using this VM network.<br/><br/> For dynamic IP allocation to appliance VM, DHCP server is required. For static IP allocation, VMM static IP pool is required. |

+An action group is a *global* service, so there's no dependency on a specific Azure region. Requests from clients can be processed by action group services in any region. For instance, if one region of the action group service is down, the traffic is automatically routed and processed by other regions. As a global service, an action group helps provide a disaster recovery solution.

+ :::image type="content" source="./media/action-groups/manage-action-groups.png" alt-text="Screenshot that shows the Alerts page in the Azure portal. The Action groups button is called out.":::

+ :::image type="content" source="./media/action-groups/create-action-group.png" alt-text="Screenshot that shows the Action groups page in the Azure portal. The Create button is called out.":::

+1. Under **Project details**, select:

+ - Values for **Subscription** and **Resource group**.

+ - The region.

+ | Global | The action groups service decides where to store the action group. The action group is persisted in at least two regions to ensure regional resiliency. Processing of actions may be done in any [geographic region](https://azure.microsoft.com/explore/global-infrastructure/geographies/#overview).<br></br>Voice, SMS, and email actions performed as the result of [service health alerts](../../service-health/alerts-activity-log-service-notifications-portal.md) are resilient to Azure live-site incidents. |

+ The action group is saved in the subscription, region, and resource group that you select.

+ :::image type="content" source="./media/action-groups/action-group-1-basics.png" alt-text="Screenshot that shows the Create action group dialog. Values are visible in the Subscription, Resource group, Action group name, and Display name boxes.":::

+ - **Common alert schema**: You can choose to turn on the common alert schema, which provides the advantage of having a single extensible and unified alert payload across all the alert services in Azure Monitor. For more information about this schema, see [Common alert schema](./alerts-common-schema.md).

+ :::image type="content" source="./media/action-groups/action-group-2-notifications.png" alt-text="Screenshot that shows the Notifications tab of the Create action group dialog. Configuration information for an email notification is visible.":::

+1. Select **OK**.

+ - **Common alert schema**: You can choose to turn on the common alert schema, which provides the advantage of having a single extensible and unified alert payload across all the alert services in Azure Monitor. For more information about this schema, see [Common alert schema](./alerts-common-schema.md).

+ :::image type="content" source="./media/action-groups/action-group-3-actions.png" alt-text="Screenshot that shows the Actions tab of the Create action group dialog. Several options are visible in the Action type list.":::

+1. To assign a key-value pair to the action group, select **Next: Tags**. Alternately, at the top of the page, select the **Tags** tab. Otherwise, skip this step. By using tags, you can categorize your Azure resources. Tags are available for all Azure resources, resource groups, and subscriptions.

+ :::image type="content" source="./media/action-groups/action-group-4-tags.png" alt-text="Screenshot that shows the Tags tab of the Create action group dialog. Values are visible in the Name and Value boxes.":::

+ :::image type="content" source="./media/action-groups/action-group-5-review.png" alt-text="Screenshot that shows the Review + create tab of the Create action group dialog. All configured values are visible.":::

+> When you configure an action to notify a person by email or SMS, they receive a confirmation that indicates they were added to the action group.

+When you create or update an action group in the Azure portal, you can test the action group.

+1. Define an action, as described in the previous few sections. Then select **Review + create**.

+ > [!NOTE]

+ >

+ > If you're editing an already existing action group, you must save changes to the action group before you begin testing.

+1. On the page that lists the information you entered, select **Test action group**.

+ :::image type="content" source="./media/action-groups/test-action-group.png" alt-text="Screenshot that shows the test action group start page with the Test option.":::

+1. Select a sample type and the notification and action types that you want to test. Then select **Test**.

+ :::image type="content" source="./media/action-groups/test-sample-action-group.png" alt-text="Screenshot that shows the Test sample action group page with an email notification type and a webhook action type.":::

+1. If you close the window or select **Back to test setup** while the test is running, the test is stopped, and you don't get test results.

+ :::image type="content" source="./media/action-groups/stop-running-test.png" alt-text="Screenshot that shows the Test Sample action group page. A dialog contains a Stop button and asks the user about stopping the test.":::

+1. When the test is finished, a test status of either **Success** or **Failed** appears. If the test failed and you want to get more information, select **View details**.

+ :::image type="content" source="./media/action-groups/test-sample-failed.png" alt-text="Screenshot that shows the Test sample action group page showing a test that failed.":::

+> You can run a limited number of tests per time period. To check which limits apply to your situation, see [Rate limiting for voice, SMS, emails, Azure App Service push notifications, and webhook posts](./alerts-rate-limiting.md).

+> When you configure an action group in the portal, you can opt in or out of the common alert schema:

+To create an action group by using a Resource Manager template, you create a resource of the type `Microsoft.Insights/actionGroups`. Then you fill in all related properties. Here are two sample templates that create an action group.

+The first template describes how to create a Resource Manager template for an action group where the action definitions are hard-coded in the template. The second template describes how to create a template that takes the webhook configuration information as input parameters when the template is deployed.

+1. On the **Monitor** page, select **Alerts**.

+1. Select **Manage actions**.

+You might have a limited number of runbook actions per action group.

+### Azure App Service push notifications

+You might have a limited number of email actions per action group. For information about rate limits, see [Rate limiting for voice, SMS, emails, Azure App Service push notifications, and webhook posts](./alerts-rate-limiting.md).

+If your primary email doesn't receive notifications:

+1. Select the user whose *primary email* you want to review.

+ :::image type="content" source="media/action-groups/active-directory-user-profile.png" alt-text="Screenshot that shows the Azure portal All users page. Information about one user is visible but is indecipherable." border="true":::

+ :::image type="content" source="media/action-groups/active-directory-add-primary-email.png" alt-text="Screenshot that shows a user profile page in the Azure portal. The Edit button and the Email box are called out." border="true":::

+You might have a limited number of email actions per action group. To check which limits apply to your situation, see [Rate limiting for voice, SMS, emails, Azure App Service push notifications, and webhook posts](./alerts-rate-limiting.md).

+When you set up the Resource Manager role:

+1. Assign an entity of type **User** to the role.

+> It can take up to 24 hours for a customer to start receiving notifications after they add a new Azure Resource Manager role to their subscription.

+When you define the function action, the function's HTTP trigger endpoint and access key are saved in the action definition, for example, `https://azfunctionurl.azurewebsites.net/api/httptrigger?code=<access_key>`. If you change the access key for the function, you must remove and re-create the function action in the action group.

+You might have a limited number of function actions per action group.

+ > The function must have access to the storage account. If not, no keys will be available and the function URI won't be accessible.

+You might have a limited number of Logic Apps actions per action group.

+When you use a secure webhook action, you must use Azure AD to secure the connection between your action group and your protected web API, which is your webhook endpoint.

+The secure webhook action authenticates to the protected API by using a Service Principal instance in the Azure AD tenant of the "AZNS AAD Webhook" Azure AD application. To make the action group work, this Azure AD Webhook Service Principal must be added as a member of a role on the target Azure AD application that grants access to the target endpoint.

+> Basic authentication isn't supported for `SecureWebhook`. To use basic authentication, you must use `Webhook`.

+If you use the webhook action, your target webhook endpoint must be able to process the various JSON payloads that different alert sources emit. If the webhook endpoint expects a specific schema, for example, the Microsoft Teams schema, use the Logic Apps action to transform the alert schema to meet the target webhook's expectations.

+1. Create an Azure AD application for your protected web API. For more information, see [Protected web API: App registration](../../active-directory/develop/scenario-protected-web-api-app-registration.md). Configure your protected API to be called by a daemon app and expose application permissions, not delegated permissions. For more information about these permissions, see [If your web API is called by a service or daemon app](../../active-directory/develop/scenario-protected-web-api-app-registration.md#if-your-web-api-is-called-by-a-service-or-daemon-app).

+ > Configure your protected web API to accept V2.0 access tokens. For more information about this setting, see [Azure Active Directory app manifest](../../active-directory/develop/reference-app-manifest.md#accesstokenacceptedversion-attribute).

+ 1. Modify the PowerShell script's `$myAzureADApplicationObjectId` variable to use the object ID of your Azure AD application.

+ > The service principal must be assigned an **owner role** of the Azure AD application to be able to create or modify the secure webhook action in the action group.

+ :::image type="content" source="./media/action-groups/action-groups-secure-webhook.png" alt-text="Screenshot that shows the Secured Webhook dialog in the Azure portal with the Object Id box." border="true":::

+For information about rate limits, see [Rate limiting for voice, SMS, emails, Azure App Service push notifications, and webhook posts](./alerts-rate-limiting.md).

+For important information about rate limits, see [Rate limiting for voice, SMS, emails, Azure App Service push notifications, and webhook posts](./alerts-rate-limiting.md).

+> If you use the webhook action, your target webhook endpoint must be able to process the various JSON payloads that different alert sources emit. You can't pass security certificates through a webhook action. If the webhook endpoint expects a specific schema, for example, the Microsoft Teams schema, use the Logic Apps action to transform the alert schema to meet the target webhook's expectations.

+- Between the first and second call, it waits 20 seconds for a response.

+- Between the second and third call, it waits 40 seconds for a response.

+ - One of the following HTTP status codes is returned: 408, 429, 503, 504, or `TaskCancellationException`.

+ - If any one of the preceding errors is encountered, wait an additional 5 seconds for the response.

+- Learn more about the [ITSM Connector](./itsmc-overview.md).

+- Get an [overview of activity log alerts](./alerts-overview.md) and learn how to receive alerts.

+description: Classic alerts will be deprecated. Alerts enable you to monitor Azure resource metrics, events, or logs, and they notify you when a condition you specify is met.

+# What are classic alerts in Azure?

+> This article describes how to create older classic metric alerts. Azure Monitor now supports [near real time metric alerts and a new alerts experience](./alerts-overview.md). Classic alerts are [retired](./monitoring-classic-retirement.md) for public cloud users. Classic alerts for Azure Government cloud and Azure China 21Vianet will retire on **February 29, 2024**.

+Alerts allow you to configure conditions over data, and they notify you when the conditions match the latest monitoring data.

+In the past, Azure Monitor, Application Insights, Log Analytics, and Service Health had separate alerting capabilities. Over time, Azure improved and combined both the user interface and different methods of alerting. The consolidation is still in process.

+You can view classic alerts only on the classic alerts user screen in the Azure portal. To see this screen, select **View classic alerts** on the **Alerts** screen.

+ 

+- **Better notification system:** All newer alerts use action groups. You can reuse these named groups of notifications and actions in multiple alerts. Classic metric alerts and older Log Analytics alerts don't use action groups.

+- **A unified authoring experience:** All alert creation for metrics, logs, and activity logs across Azure Monitor, Log Analytics, and Application Insights is in one place.

+- **View fired Log Analytics alerts in the Azure portal:** You can now also see fired Log Analytics alerts in your subscription. Previously, these alerts were in a separate portal.

+- **Separation of fired alerts and alert rules:** Alert rules (the definition of condition that triggers an alert) and fired alerts (an instance of the alert rule firing) are differentiated. Now the operational and configuration views are separated.

+- **Better workflow:** The new alerts authoring experience guides the user along the process of configuring an alert rule. This change makes it simpler to discover the right things to get alerted on.

+- **Smart alerts consolidation and setting alert state:** Newer alerts include auto grouping functionality that shows similar alerts together to reduce overload in the user interface.

+- **Improved latency:** Newer metric alerts can run as frequently as every minute. Older metric alerts always run at a frequency of 5 minutes. Newer alerts have increasing smaller delay from issue occurrence to notification or action (3 to 5 minutes). Older alerts are 5 to 15 minutes depending on the type. Log alerts typically have a delay of 10 minutes to 15 minutes because of the time it takes to ingest the logs. Newer processing methods are reducing that time.

+- **Support for multidimensional metrics:** You can alert on dimensional metrics. Now you can monitor an interesting segment of the metric.

+- **More control over metric conditions:** You can define richer alert rules. The newer alerts support monitoring the maximum, minimum, average, and total values of metrics.

+- **Combined monitoring of multiple metrics:** You can monitor multiple metrics (currently, up to two metrics) with a single rule. An alert triggers if both metrics breach their respective thresholds for the specified time period.

+- **Better notification system:** All newer alerts use [action groups](./action-groups.md). You can reuse these named groups of notifications and actions in multiple alerts. Classic metric alerts and older Log Analytics alerts don't use action groups.

+- **Metrics from logs (preview):** You can now extract and convert log data that goes into Log Analytics into Azure Monitor metrics and then alert on it like other metrics. For the terminology specific to classic alerts, see [Alerts (classic)]().

+Two types of classic alerts are available:

+* **Classic metric alerts**: This alert triggers when the value of a specified metric crosses a threshold that you assign. The alert generates a notification when that threshold is crossed and the alert condition is met. At that point, the alert is considered "Activated." It generates another notification when it's "Resolved," that is, when the threshold is crossed again and the condition is no longer met.

+* **Classic activity log alerts**: A streaming log alert that triggers on an activity log event entry that matches your filter criteria. These alerts have only one state: "Activated." The alert engine applies the filter criteria to any new event. It doesn't search to find older entries. These alerts can notify you when a new Service Health incident occurs or when a user or application performs an operation in your subscription. An example of an operation might be "Delete virtual machine."

+For resource log data available through Azure Monitor, route the data into Log Analytics and use a log query alert. Log Analytics now uses the [new alerting method](./alerts-overview.md).

+

+* **Alert**: A definition of criteria (one or more rules or conditions) that becomes activated when met.

+* **Active**: The state when the criteria defined by a classic alert are met.

+* **Resolved**: The state when the criteria defined by a classic alert are no longer met after they were previously met.

+* **Notification**: The action taken based off of a classic alert becoming active.

+* **Action**: A specific call sent to a receiver of a notification (for example, emailing an address or posting to a webhook URL). Notifications can usually trigger multiple actions.

+Historically, Azure alerts from different services used their own built-in notification methods.

+Azure Monitor created a reusable notification grouping called *action groups*. Action groups specify a set of receivers for a notification. Any time an alert is activated that references the action group, all receivers receive that notification. With action groups, you can reuse a grouping of receivers (for example, your on-call engineer list) across many alert objects.

+Action groups support notification by posting to a webhook URL and to email addresses, SMS numbers, and several other actions. For more information, see [Action groups](./action-groups.md).

+Older classic activity log alerts use action groups. But the older metric alerts don't use action groups. Instead, you can configure the following actions:

+- Send email notifications to the service administrator, co-administrators, or other email addresses that you specify.

+- Call a webhook, which enables you to launch other automation actions.

+Webhooks enable automation and remediation, for example, by using:

+- Azure Automation runbooks

+- Azure Functions

+- Azure Logic Apps

+- A third-party service

+Get information about alert rules and how to configure them:

+* Learn more about [metrics](../data-platform.md).

+* Configure [classic metric alerts via the Azure portal](alerts-classic-portal.md).

+* Configure [classic metric alerts via PowerShell](alerts-classic-portal.md).

+* Configure [classic metric alerts via the command-line interface (CLI)](alerts-classic-portal.md).

+* Configure [classic metric alerts via the Azure Monitor REST API](/rest/api/monitor/alertrules).

+* Learn more about [activity logs](../essentials/platform-logs-overview.md).

+* Configure [activity log alerts via the Azure portal](./activity-log-alerts.md).

+* Configure [activity log alerts via Azure Resource Manager](./alerts-activity-log.md).

+* Review the [activity log alert webhook schema](activity-log-alerts-webhook.md).

+* Learn more about [action groups](./action-groups.md).

+* Configure [newer alerts](alerts-metric.md).

+ Title: Customize alert notifications by using Logic Apps

+# Customer intent: As an administrator, I want to create a logic app that's triggered by an alert so that I can send emails or Teams messages when an alert is fired.

+# Customize alert notifications by using Logic Apps

+This article shows you how to create a logic app and integrate it with an Azure Monitor alert.

+You can use [Azure Logic Apps](../../logic-apps/logic-apps-overview.md) to build and customize workflows for integration. Use Logic Apps to customize your alert notifications. You can:

+- Customize the alerts email by using your own email subject and body format.

+- Customize the alert metadata by looking up tags for affected resources or fetching a log query search result. For information on how to access the search result rows that contain alerts data, see:

+- Integrate with external services by using existing connectors like Outlook, Microsoft Teams, Slack, and PagerDuty. You can also configure the logic app for your own services.

+This example creates a logic app that uses the [common alerts schema](./alerts-common-schema.md) to send details from the alert.

+## Create a logic app

+1. In the [Azure portal](https://portal.azure.com/), create a new logic app. In the **Search** bar at the top of the page, enter **Logic App**.

+1. On the **Logic App** page, select **Add**.

+1. Select the **Subscription** and **Resource group** for your logic app.

+1. Set **Logic App name**. For **Plan type**, select **Consumption**.

+1. Select **Review + create** > **Create**.

+1. Select **Go to resource** after the deployment is finished.

+ :::image type="content" source="./media/alerts-logic-apps/create-logic-app.png" alt-text="Screenshot that shows the Create Logic App page.":::

+1. On the **Logic Apps Designer** page, select **When a HTTP request is received**.

+ :::image type="content" source="./media/alerts-logic-apps/logic-apps-designer.png" alt-text="Screenshot that shows the Logic Apps Designer start page.":::

+ :::image type="content" source="./media/alerts-logic-apps/configure-http-request-received.png" alt-text="Screenshot that shows the Parameters tab for the When a HTTP request is received pane.":::

+1. (Optional). You can customize the alert notification by extracting information about the affected resource on which the alert fired, for example, the resource's tags. You can then include those resource tags in the alert payload and use the information in your logical expressions for sending the notifications. To do this step, we will:

+ - Split the resource ID into an array so that we can use its various elements (for example, subscription and resource group).

+ - Use the Azure Resource Manager connector to read the resource's metadata.

+ - Fetch the resource's tags, which can then be used in subsequent steps of the logic app.

+ 1. Select **+** > **Add an action** to insert a new step.

+ 1. In the **Name** field, enter the name of the variable, such as **AffectedResources**.

+ 1. In the **Value** field, select **Add dynamic Content**. Select the **Expression** tab and enter the string `split(triggerBody()?['data']?['essentials']?['alertTargetIDs'][0], '/')`.

+ :::image type="content" source="./media/alerts-logic-apps/initialize-variable.png" alt-text="Screenshot that shows the Parameters tab for the Initialize variable pane.":::

+ 1. Select **+** > **Add an action** to insert another step.

+ 1. In the **Search** field, search for and select **Azure Resource Manager** > **Read a resource**.

+ 1. Populate the fields of the **Read a resource** action with the array values from the `AffectedResources` variable. In each of the fields, select the field and scroll down to **Enter a custom value**. Select **Add dynamic content**, and then select the **Expression** tab. Enter the strings from this table:

+1. Select **+** > **Add an action** to insert a new step.

+ :::image type="content" source="./media/alerts-logic-apps/configure-http-request-received.png" alt-text="Screenshot that shows the parameters for When a HTTP request is received.":::

+1. In the search field, search for **Outlook**.

+1. Select **Office 365 Outlook**.

+ :::image type="content" source="./media/alerts-logic-apps/choose-operation-outlook.png" alt-text="Screenshot that shows the Add an action page of the Logic Apps Designer with Office 365 Outlook selected.":::

+1. Sign in to Office 365 when you're prompted to create a connection.

+1. Create the email **Body** by entering static text and including content taken from the alert payload by choosing fields from the **Dynamic content** list.

+ - **An alert has monitoring condition:** Select **monitorCondition** from the **Dynamic content** list.

+ - **Date fired:** Select **firedDateTime** from the **Dynamic content** list.

+ - **Affected resources:** Select **alertTargetIDs** from the **Dynamic content** list.

+1. In the **Subject** field, create the subject text by entering static text and including content taken from the alert payload by choosing fields from the **Dynamic content** list. For example:

+ - **Alert:** Select **alertRule** from the **Dynamic content** list.

+ - **with severity:** Select **severity** from the **Dynamic content** list.

+ - **has condition:** Select **monitorCondition** from the **Dynamic content** list.

+1. Enter the email address to send the alert to the **To** field.

+ :::image type="content" source="./media/alerts-logic-apps/configure-email.png" alt-text="Screenshot that shows the Parameters tab on the Send an email pane.":::

+You've created a logic app that sends an email to the specified address, with details from the alert that triggered it.

+The next step is to create an action group to trigger your logic app.

+1. In the search field, search for **Microsoft Teams**.

+1. Select **Microsoft Teams**.

+ :::image type="content" source="./media/alerts-logic-apps/choose-operation-teams.png" alt-text="Screenshot that shows the Add an action page of the Logic Apps Designer with Microsoft Teams selected.":::

+1. Select **Post message in a chat or channel** from the list of actions.

+1. Sign in to Teams when you're prompted to create a connection.

+1. Select **User** from the **Post as** dropdown.

+1. Create the message text in the **Message** field by entering static text and including content taken from the alert payload by choosing fields from the **Dynamic content** list. For example:

+ 1. **Alert:** Select **alertRule** from the **Dynamic content** list.

+ 1. **with severity:** Select **severity** from the **Dynamic content** list.

+ 1. **was fired at:** Select **firedDateTime** from the **Dynamic content** list.

+1. Select **Save**.

+ :::image type="content" source="./media/alerts-logic-apps/configure-teams-message.png" alt-text="Screenshot that shows the Parameters tab on the Post message in a chat or channel pane.":::

+You've created a logic app that sends a Teams message to the specified group, with details from the alert that triggered it.

+The next step is to create an action group to trigger your logic app.

+To trigger your logic app, create an action group. Then create an alert that uses that action group.

+1. Go to the **Azure Monitor** page and select **Alerts** from the pane on the left.

+1. Select **Action groups** > **Create**.

+1. Select values for **Subscription**, **Resource group**, and **Region**.

+1. Enter a name for **Action group name** and **Display name**.

+ :::image type="content" source="./media/alerts-logic-apps/create-action-group.png" alt-text="Screenshot that shows the Actions tab on the Create an action group page.":::

+1. On the **Actions** tab under **Action type**, select **Logic App**.

+1. Set **Enable common alert schema** to **Yes**. If you select **No**, the alert type determines which alert schema is used. For more information about alert schemas, see [Context-specific alert schemas](./alerts-non-common-schema-definitions.md).

+1. Select **Review + create** > **Create**.

+ :::image type="content" source="./media/alerts-logic-apps/create-action-group-actions.png" alt-text="Screenshot that shows the Actions tab on the Create an action group page and the Logic App pane.":::

+1. In the **Logic App** section, select **Test action group (preview)**.

+ :::image type="content" source="./media/alerts-logic-apps/test-action-group1.png" alt-text="Screenshot that shows an action group details page with the Test action group option.":::

+1. Select a sample alert type from the **Select sample type** dropdown.

+1. Select **Test**.

+ :::image type="content" source="./media/alerts-logic-apps/test-action-group2.png" alt-text="Screenshot that shows an action group details Test page.":::

+ The following email is sent to the specified account:

+ :::image type="content" source="./media/alerts-logic-apps/sample-output-email.png" alt-text="Screenshot that shows a sample email sent by the Test page.":::

+## Create a rule by using your action group

+1. [Create a rule](./alerts-create-new-alert-rule.md) for one of your resources.

+1. On the **Actions** tab of your rule, choose **Select action groups**.

+1. Choose **Select**.

+ :::image type="content" source="./media/alerts-logic-apps/select-action-groups.png" alt-text="Screenshot that shows the Actions tab on the Create an alert rule pane and the Select action groups pane.":::

+* [Learn more about action groups](./action-groups.md)

+* [Learn more about the common alert schema](./alerts-common-schema.md)

+1. From the top command bar, select **Alert rules**. The page shows all your alert rules across on all subscriptions.

+ :::image type="content" source="media/alerts-managing-alert-instances/alerts-rules-page.png" alt-text="Screenshot of alerts rules page.":::

+1. You can filter the list of rules using the available filters:

+ - Subscription

+ - Alert condition

+ - Severity

+ - User response

+ - Monitor service

+ - Signal type

+ - Resource group

+ - Target resource type

+ - Resource name

+ - Suppression status

+ > [!NOTE]

+ > If you filter on a `target resource type` scope, the alerts rules list doesnΓÇÖt include resource health alert rules. To see the resource health alert rules, remove the `Target resource type` filter, or filter the rules based on the `Resource group` or `Subscription`.

+ :::image type="content" source="media/alerts-managing-alert-instances/alerts-enable-recommended-alert-rule-pane.png" alt-text="Screenshot of recommended alert rules pane.":::

+description: Understand how Azure limits the number of possible SMS, email, Azure App Service push, or webhook notifications from an action group.

+# Rate limiting for voice, SMS, emails, Azure App Service push notifications, and webhook posts

+Rate limiting is a suspension of notifications that occurs when too many notifications are sent to a particular phone number, email address, or device. Rate limiting ensures that alerts are manageable and actionable.

+- **SMS**: No more than one SMS every 5 minutes.

+- **Voice**: No more than one voice call every 5 minutes.

+ Other actions aren't rate limited.

+- **SMS**: No more than one SMS every 1 minute.

+- **Voice**: No more than one voice call every 1 minute.

+- **Email**: No more than two emails in every 1 minute.

+ Other actions aren't rate limited.

+- When an email address is rate limited, another notification is sent to communicate the rate limiting. The email states when the rate limiting expires.

+* Get an [overview of activity log alerts](./alerts-overview.md) and learn how to receive alerts.

+ Title: SMS alert behavior in action groups

+description: SMS message format and responding to SMS messages to unsubscribe, resubscribe, or request help.

+# SMS alert behavior in action groups

+Action groups enable you to configure a list of actions. These groups are used when you define alerts. They ensure that a particular action group is notified when the alert is triggered. One of the actions supported is SMS. SMS notifications support bidirectional communication. A user can respond to an SMS to:

+- **Unsubscribe from alerts:** A user can unsubscribe from all SMS alerts for all action groups or a single action group.

+- **Resubscribe to alerts:** A user can resubscribe to all SMS alerts for all action groups or a single action group.

+- **Request help:** A user can ask for more information on the SMS. Users are redirected to this article.

+This article covers the behavior of SMS alerts and the response actions the user can take based on the locale of the user.

+## Receive an SMS alert

+* Short name of the action group where this alert was sent

+| DISABLE `<Action Group Short name>` | Disables further SMS from the action group. |

+| ENABLE `<Action Group Short name>` | Re-enables SMS from the action group. |

+| STOP | Disables further SMS from all action groups. |

+| START | Re-enables SMS from all action groups. |

+>If a user has unsubscribed from SMS alerts but is then added to a new action group, they *will* receive SMS alerts for that new action group but remain unsubscribed from all previous action groups.

+## Next steps

+* Get an [overview of activity log alerts](./alerts-overview.md) and learn how to get alerted.

+* Learn more about [SMS rate limiting](alerts-rate-limiting.md).

+* Learn more about [action groups](./action-groups.md).

+You can find a Django sample application in the sample Azure Monitor OpenCensus Python samples repository located [here](https://github.com/Azure-Samples/azure-monitor-opencensus-python/tree/master/azure_monitor/django_sample).

+ "connection_string": "<your-application-insights-connection-string>",

+Register the `Microsoft.ChangeAnalysis` resource provider with an Azure Resource Manager subscription to make the resource properties and configuration change data available. The `Microsoft.ChangeAnalysis` resource provider is automatically registered as you either:

+### Agent settings for outbound proxy with Azure Monitor Private Link Scope (AMPLS)

+| Key | Data type | Value | Description |

+|--|--|--|--|

+| `[agent_settings.proxy_config] ignore_proxy_settings =` | Boolean | True or false | Set this value to true to ignore proxy settings. On both AKS & Arc K8s enviornments, if your cluster is configured with forward proxy, then proxy settings are automatically applied and used for the agent. For certain configurations, such as, with AMPLS + Proxy, you may with for the proxy config to be ignored. . By default, this setting is set to `false`. |

+- Canada Central

+- France Central

+- Japan East

+ | Service | Table |

+ | Application Insights | [AppTraces](/azure/azure-monitor/reference/tables/apptraces) |

+ | Container Apps | [ContainerAppConsoleLogs](/azure/azure-monitor/reference/tables/containerappconsoleLogs) |

+ | Container Insights | [ContainerLogV2](/azure/azure-monitor/reference/tables/containerlogv2) |

+ | Communication Services | [ACSCallAutomationIncomingOperations](/azure/azure-monitor/reference/tables/ACSCallAutomationIncomingOperations)<br>[ACSCallRecordingSummary](/azure/azure-monitor/reference/tables/acscallrecordingsummary)<br>[ACSRoomsIncomingOperations](/azure/azure-monitor/reference/tables/acsroomsincomingoperations) |

+ | Confidential Ledgers | [CCFApplicationLogs](/azure/azure-monitor/reference/tables/CCFApplicationLogs) |

+ | Dev Center | [DevCenterDiagnosticLogs](/azure/azure-monitor/reference/tables/DevCenterDiagnosticLogs) |

+ | Firewalls | [AZFWNetworkRule](/azure/azure-monitor/reference/tables/AZFWNetworkRule) |

+ | Health Data | [AHDSMedTechDiagnosticLogs](/azure/azure-monitor/reference/tables/AHDSMedTechDiagnosticLogs) |

+ | Media Services | [AMSLiveEventOperations](/azure/azure-monitor/reference/tables/AMSLiveEventOperations)<br>[AMSKeyDeliveryRequests](/azure/azure-monitor/reference/tables/AMSKeyDeliveryRequests)<br>[AMSMediaAccountHealth](/azure/azure-monitor/reference/tables/AMSMediaAccountHealth)<br>[AMSStreamingEndpointRequests](/azure/azure-monitor/reference/tables/AMSStreamingEndpointRequests) |

+ | Sphere | [ASCAuditLogs](/azure/azure-monitor/reference/tables/ASCAuditLogs)<br>[ASCDeviceEvents](/azure/azure-monitor/reference/tables/ASCDeviceEvents) |

+ | Storage | [StorageBlobLogs](/azure/azure-monitor/reference/tables/StorageBlobLogs)<br>[StorageFileLogs](/azure/azure-monitor/reference/tables/StorageFileLogs)<br>[StorageQueueLogs](/azure/azure-monitor/reference/tables/StorageQueueLogs)<br>[StorageTableLogs](/azure/azure-monitor/reference/tables/StorageTableLogs) |

+ | Storage Mover | [StorageMoverJobRunLogs](/azure/azure-monitor/reference/tables/StorageMoverJobRunLogs) |

+ | Virtual Network Manager | [AVNMNetworkGroupMembershipChange](/azure/azure-monitor/reference/tables/AVNMNetworkGroupMembershipChange) |

+Use Azure Monitor to monitor these types of resources in Azure, other clouds, or on-premises:

+- [Data collection in Azure Monitor](essentials/data-collection.md)

+* Norway West

+2. Select **+ Create** to create a new NetApp account.

+ 3. Select **Create new** to create new resource group. Enter **myRG1** for the resource group name. Select **OK**.

+4. Select **Create** to create your new NetApp account.

+ 

+2. From the Azure NetApp Files management blade of your NetApp account, select **Capacity pools**.

+ 

+3. Select **+ Add pools**.

+ :::image type="content" source="../media/azure-netapp-files/azure-netapp-files-new-capacity-pool.png" alt-text="Screenshot of new capacity pool options.":::

+5. Select **Create**.

+1. From the Azure NetApp Files management blade of your NetApp account, select **Volumes**.

+ 

+2. Select **+ Add volume**.

+ 

+ 4. Under virtual network, select **Create new** to create a new Azure virtual network (VNet). Then fill in the following information:

+ * Select **OK** to create the VNet.

+ 

+ 

+4. Select **Protocol**, and then complete the following actions:

+ 

+5. Select **Review + create** to display information for the volume you are creating.

+6. Select **Create** to create the volume.

+ 

+2. In the list of subscriptions, select the resource group (myRG1) you want to delete.

+ 

+3. In the resource group page, select **Delete resource group**.

+4. Enter the name of the resource group (myRG1) to confirm that you want to permanently delete the resource group and all resources in it, and then select **Delete**.

+ 

+ Title: Resize the capacity pool or a volume for Azure NetApp Files | Microsoft Docs

+* Capacity pools with Basic network features have a minimum size of 4 TiB. For capacity pools with Standard network features, the minimum size is 2 TiB. For more information, see [Resource limits](azure-netapp-files-resource-limits.md)

+You can change the capacity pool size in 1-TiB increments or decrements. However, the capacity pool size cannot be smaller than the sum of the capacity of the volumes hosted in the pool.

+Resizing the capacity pool changes the purchased Azure NetApp Files capacity.

+| Minimum size of a single capacity pool | 2 TiB* | No |

+\* [!INCLUDE [Limitations for capacity pool minimum of 2 TiB](includes/2-tib-capacity-pool.md)]

+Creating a capacity pool enables you to create volumes within it.

+You must have already [created a NetApp account](azure-netapp-files-create-netapp-account.md).

+2. Select **+ Add pools** to create a new capacity pool.

+ The minimum capacity pool size is 2 TiB. You can change the size of a capacity pool in 1-TiB increments.

+ >[!NOTE]

+ >[!INCLUDE [Limitations for capacity pool minimum of 2 TiB](includes/2-tib-capacity-pool.md)]

+ :::image type="content" source="../media/azure-netapp-files/azure-netapp-files-new-capacity-pool.png" alt-text="Screenshot of new capacity pool options.":::

+4. Select **Create**.

+> Azure NetApp Files currently doesn't support resource migration between subscriptions.

+## <a name="conceptual_diagram_of_storage_hierarchy"></a>Conceptual diagram of storage hierarchy

+The following example shows the relationships of the Azure subscription, NetApp accounts, capacity pools, and volumes.

+- A NetApp account isn't the same as your general Azure storage account.

+ For more information, see [QoS types](#qos_types).

+- You can't move a capacity pool across NetApp accounts.

+ For example, in the [Conceptual diagram of storage hierarchy](#conceptual_diagram_of_storage_hierarchy), you can't move Capacity Pool 1 US East NetApp account to US West 2 NetApp account.

+- You can't delete a capacity pool until you delete all volumes within the capacity pool.

+The QoS type is an attribute of a capacity pool. Azure NetApp Files provides two QoS types of capacity pools--*auto (default)* and *manual*.

+The maximum throughput allocated to a volume depends on the service level of the capacity pool and the size quota of the volume. See [Service levels for Azure NetApp Files](azure-netapp-files-service-levels.md) for an example calculation.

+When you [create a capacity pool](azure-netapp-files-set-up-capacity-pool.md), you can specify for the capacity pool to use the manual QoS type. You can also [change an existing capacity pool](manage-manual-qos-capacity-pool.md#change-to-qos) to use the manual QoS type. *Setting the capacity type to manual QoS is a permanent change.* You can't convert a manual QoS type capacity tool to an auto QoS capacity pool.

+In a manual QoS capacity pool, you can assign the capacity and throughput for a volume independently. For minimum and maximum throughput levels, see [Resource limits for Azure NetApp Files](azure-netapp-files-resource-limits.md#resource-limits). The total throughput of all volumes created with a manual QoS capacity pool is limited by the total throughput of the pool. It's determined by the combination of the pool size and the service-level throughput. For instance, a 4-TiB capacity pool with the Ultra service level has a total throughput capacity of 512 MiB/s (4 TiB x 128 MiB/s/TiB) available for the volumes.

+ Title: Configure customer-managed keys for Azure NetApp Files volume encryption | Microsoft Docs

+description: Describes how to configure customer-managed keys for Azure NetApp Files volume encryption.

+documentationcenter: ''

+editor: ''

+ms.assetid:

+ na

+# Configure customer-managed keys for Azure NetApp Files volume encryption

+Customer-managed keys in Azure NetApp Files volume encryption enable you to use your own keys rather than a Microsoft-managed key when creating a new volume. With customer-managed keys, you can fully manage the relationship between a key's life cycle, key usage permissions, and auditing operations on keys.

+## Considerations

+> [!IMPORTANT]

+> Customer-managed keys for Azure NetApp Files volume encryption is currently in preview. You need to submit a waitlist request for accessing the feature through the **[Customer-managed keys for Azure NetApp Files volume encryption](https://aka.ms/anfcmkpreviewsignup)** page. Wait for an official confirmation email from the Azure NetApp Files team before using customer-managed keys.

+* Customer-managed keys can only be configured on new volumes. You can't migrate existing volumes to customer-managed key encryption.

+* To create a volume using customer-managed keys, you must select the *Standard* network features. You can't use customer-managed key volumes with volume configured using Basic network features. Follow instructions in to [Set the Network Features option](configure-network-features.md#set-the-network-features-option) in the volume creation page.

+* Switching from user-assigned identity to the system-assigned identity isn't currently supported.

+* MSI Automatic certificate renewal isn't currently supported.

+* The MSI certificate has a lifetime of 90 days. It becomes eligible for renewal after 46 days. **After 90 days, the certificate is no longer be valid and the customer-managed key volumes under the NetApp account will go offline.**

+ * To renew, you need to call the NetApp account operation `renewCredentials` if eligible for renewal. If it's not eligible, an error message will communicate the date of eligibility.

+ * Version 2.42 or later of the Azure CLI supports running the `renewCredentials` operation with the [az netappfiles account command](/cli/azure/netappfiles/account#az-netappfiles-account-renew-credentials). For example:

+

+ `az netappfiles account renew-credentials ΓÇô-account-name myaccount ΓÇôresource-group myresourcegroup`

+ * If the account isn't eligible for MSI certificate renewal, an error will communicate the date and time when the account is eligible. It's recommended you run this operation periodically (for example, daily) to prevent the certificate from expiring and from the customer-managed key volume going offline.

+<!--

+ * You will need to call the operation via ARM REST API. Submit a POST request to `/subscriptions/<16 digit subscription ID>/resourceGroups/<resource_group_name>/providers/Microsoft.NetApp/netAppAccounts/<account name>/renewCredentials?api-version=2022-04`.

+ This operation is available with the Azure CLI, PowerShell, and SDK beginning with the `2022-05` versions.

+ * If the certificate is more than 46 days old, you can call proxy Azure Resource Manager (ARM) operation via REST API to renew the certificate. For example:

+ ```rest

+ /{accountResourceId}/renewCredentials?api-version=2022-01 ΓÇô example /subscriptions/<16 digit subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.NetApp/netAppAccounts/<account name>/renewCredentials?api-version=2022-01

+ ``` -->

+* Applying Azure network security groups on the private link subnet to Azure Key Vault isn't supported for Azure NetApp Files customer-managed keys. Network security groups don't affect connectivity to Private Link unless `Private endpoint network policy` is enabled on the subnet. It's recommended to keep this option disabled.

+* If Azure NetApp Files fails to create a customer-managed key volume, error messages are displayed. Refer to the [Error messages and troubleshooting](#error-messages-and-troubleshooting) section for more information.

+## Supported regions

+Azure NetApp Files customer-managed keys is supported for the following regions:

+* East Asia

+* East US 2

+* West Europe

+## Requirements

+Before creating your first customer-managed key volume, you must have set up:

+* An [Azure Key Vault](../key-vault/general/overview.md), containing at least one key.

+ * The key vault must have soft delete and purge protection enabled.

+ * The key must be of type RSA.

+* The key vault must have an [Azure Private Endpoint](../private-link/private-endpoint-overview.md).

+ * The private endpoint must reside in a different subnet than the one delegated to Azure NetApp Files. The subnet must be in the same VNet as the one delegated to Azure NetApp.

+For more information about Azure Key Vault and Azure Private Endpoint, refer to:

+* [Quickstart: Create a key vault ](../key-vault/general/quick-create-portal.md)

+* [Create or import a key into the vault](../key-vault/keys/quick-create-portal.md)

+* [Create a private endpoint](../private-link/create-private-endpoint-portal.md)

+* [More about keys and supported key types](../key-vault/keys/about-keys.md)

+* [Network security groups](../virtual-network/network-security-groups-overview.md)

+* [Manage network policies for private endpoints](../private-link/disable-private-endpoint-network-policy.md)

+## Configure a NetApp account to use customer-managed keys

+1. In the Azure portal and under Azure NetApp Files, select **Encryption**.

+ The **Encryption** page enables you to manage encryption settings for your NetApp account. It includes an option to let you set your NetApp account to use your own encryption key, which is stored in [Azure Key Vault](../key-vault/general/basic-concepts.md). This setting provides a system-assigned identity to the NetApp account, and it adds an access policy for the identity with the required key permissions.

+ :::image type="content" source="../media/azure-netapp-files/encryption-menu.png" alt-text="Screenshot of the encryption menu." lightbox="../media/azure-netapp-files/encryption-menu.png":::

+1. When you set your NetApp account to use customer-managed key, you have two ways to specify the Key URI:

+ * The **Select from key vault** option allows you to select a key vault and a key.

+ :::image type="content" source="../media/azure-netapp-files/select-key.png" alt-text="Screenshot of the select a key interface." lightbox="../media/azure-netapp-files/select-key.png":::

+

+ * The **Enter key URI** option allows you to enter manually the key URI.

+ :::image type="content" source="../media/azure-netapp-files/key-enter-uri.png" alt-text="Screenshot of the encryption menu showing key URI field." lightbox="../media/azure-netapp-files/key-enter-uri.png":::

+1. Select the identity type that you want to use for authentication to the Azure Key Vault. If your Azure Key Vault is configured to use Vault access policy as its permission model, then both options are available. Otherwise, only the user-assigned option is available.

+ * If you choose **System-assigned**, select the **Save** button. The Azure portal configures the NetApp account automatically with the following process: A system-assigned identity is added to your NetApp account. An access policy is to be created on your Azure Key Vault with key permissions Get, Encrypt, Decrypt.

+ * If you choose **User-assigned**, you must select an identity to use. Choosing **Select an identity** opens a context pane prompting you to select a user-assigned managed identity.

+ :::image type="content" source="../media/azure-netapp-files/encryption-user-assigned.png" alt-text="Screenshot of user-assigned submenu." lightbox="../media/azure-netapp-files/encryption-user-assigned.png":::

+

+ If you've configured your Azure Key Vault use Vault access policy, the Azure portal configures the NetApp account automatically with the following process: The user-assigned identity you select is added to your NetApp account. An access policy is created on your Azure Key Vault with the key permissions Get, Encrypt, Decrypt.

+ If you've configure your Azure Key Vault to use Azure role-based access control, then you need to make sure the selected user-assigned identity has a role assignment on the key vault with permissions for data actions:

+ * `Microsoft.KeyVault/vaults/keys/read`

+ * `Microsoft.KeyVault/vaults/keys/encrypt/action`

+ * `Microsoft.KeyVault/vaults/keys/decrypt/action`

+ The user-assigned identity you select is added to your NetApp account. Due to the customizable nature of role-based access control (RBAC), the Azure portal doesn't configure access to the key vault. See [Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control](../key-vault/general/rbac-guide.md) for details on configuring Azure Key Vault.

+1. After selecting **Save** button, you'll receive a notification communicating the status of the operation. If the operation was not successful, an error message displays. Refer to [error messages and troubleshooting](#error-messages-and-troubleshooting) for assistance in resolving the error.

+## Use role-based access control

+You can use an Azure Key Vault that is configured to use Azure role-based access control. To configure customer-managed keys through Azure portal, you need to provide a user-assigned identity.

+1. In your Azure account, navigate to the **Access policies** menu.

+1. To create an access policy, under **Permission model**, select **Azure role-based access-control**.

+ :::image type="content" source="../media/azure-netapp-files/rbac-permission.png" alt-text="Screenshot of access configuration menu." lightbox="../media/azure-netapp-files/rbac-permission.png":::

+1. When creating the user-assigned role, there are three permissions required for customer-managed keys:

+ 1. `Microsoft.KeyVault/vaults/keys/read`

+ 1. `Microsoft.KeyVault/vaults/keys/encrypt/action`

+ 1. `Microsoft.KeyVault/vaults/keys/decrypt/action`

+ Although there are pre-defined roles with these privileges, it is recommended that you create a custom role with the required permissions. See [Azure custom roles](../role-based-access-control/custom-roles.md) for details.

+ ```json

+ {

+ "id": "/subscriptions/<subscription>/Microsoft.Authorization/roleDefinitions/<roleDefinitionsID>",

+ "properties": {

+ "roleName": "NetApp account",

+ "description": "Has the necessary permissions for customer-managed key encryption: get key, encrypt and decrypt",

+ "assignableScopes": [

+ "/subscriptions/<subscriptionID>/resourceGroups/<resourceGroup>"

+ ],

+ "permissions": [

+ {

+ "actions": [],

+ "notActions": [],

+ "dataActions": [

+ "Microsoft.KeyVault/vaults/keys/read",

+ "Microsoft.KeyVault/vaults/keys/encrypt/action",

+ "Microsoft.KeyVault/vaults/keys/decrypt/action"

+ ],

+ "notDataActions": []

+ }

+ ]

+ }

+ }

+ ```

+1. Once the custom role is created and available to use with the key vault, you can add a role assignment for your user-assigned identity.

+ :::image type="content" source="../media/azure-netapp-files/rbac-review-assign.png" alt-text="Screenshot of RBAC review and assign menu." lightbox="../media/azure-netapp-files/rbac-review-assign.png":::

+## Create an Azure NetApp Files volume using customer-managed keys

+1. From Azure NetApp Files, select **Volumes** and then **+ Add volume**.

+1. Follow the instructions in [Configure network features for an Azure NetApp Files volume](configure-network-features.md):

+ * [Set the Network Features option in volume creation page](configure-network-features.md#set-the-network-features-option).

+ * The network security group for the volumeΓÇÖs delegated subnet must allow incoming traffic from NetApp's storage VM.

+1. For a NetApp account configured to use a customer-managed key, the Create Volume page includes an option Encryption Key Source.

+

+ To encrypt the volume with your key, select **Customer-Managed Key** in the **Encryption Key Source** dropdown menu.

+

+ When you create a volume using a customer-managed key, you must also select **Standard** for the **Network features** option. Basic network features are not supported.

+ You must select a key vault private endpoint as well. The dropdown menu displays private endpoints in the selected Virtual network. If there's no private endpoint for your key vault in the selected virtual network, then the dropdown is empty, and you won't be able to proceed. If so, see to [Azure Private Endpoint](../private-link/private-endpoint-overview.md).

+ :::image type="content" source="../media/azure-netapp-files/keys-create-volume.png" alt-text="Screenshot of create volume menu." lightbox="../media/azure-netapp-files/keys-create-volume.png":::

+1. Continue to complete the volume creation process. Refer to:

+ * [Create an NFS volume](azure-netapp-files-create-volumes.md)

+ * [Create an SMB volume](azure-netapp-files-create-volumes-smb.md)

+ * [Create a dual-protocol volume](create-volumes-dual-protocol.md)

+## Rekey all volumes under a NetApp account

+If you have already configured your NetApp account for customer-managed keys and has one or more volumes encrypted with customer-managed keys, you can change the key that is used to encrypt all volumes under the NetApp account. You can select any key that is in the same key vault, changing key vaults isn't supported.

+1. Under your NetApp account, navigate to the **Encryption** menu. Under the **Current key** input field, select the **Rekey** link.

+1. In the **Rekey** menu, select one of the available keys from the dropdown menu. The chosen key must be different from the current key.

+1. Select **OK** to save. The rekey operation may take several minutes.

+## Error messages and troubleshooting

+This section lists error messages and possible resolutions when Azure NetApp Files fails to configure customer-managed key encryption or create a volume using a customer-managed key.

+### Errors configuring customer-managed key encryption on a NetApp account

+| Error Condition | Resolution |

+| -- | -- |

+| `The operation failed because the specified key vault key was not found` | When entering key URI manually, ensure that the URI is correct. |

+| `Azure Key Vault key is not a valid RSA key` | Ensure that the selected key is of type RSA. |

+| `Azure Key Vault key is not enabled` | Ensure that the selected key is enabled. |

+| `Azure Key Vault key is expired` | Ensure that the selected key is not expired. |

+| `Azure Key Vault key has not been activated` | Ensure that the selected key is active. |

+| `Key Vault URI is invalid` | When entering key URI manually, ensure that the URI is correct. |

+| `Azure Key Vault is not recoverable. Make sure that Soft-delete and Purge protection are both enabled on the Azure Key Vault` | Update the key vault recovery level to: <br> `ΓÇ£Recoverable/Recoverable+ProtectedSubscription/CustomizedRecoverable/CustomizedRecoverable+ProtectedSubscriptionΓÇ¥` |

+| `Account must be in the same region as the Vault` | Ensure the key vault is in the same region as the NetApp account. |

+### Errors creating a volume encrypted with customer-managed keys

+| Error Condition | Resolution |

+| -- | -- |

+| `Volume cannot be encrypted with Microsoft.KeyVault, NetAppAccount has not been configured with KeyVault encryption` | Your NetApp account doesn't have customer-managed key encryption enabled. Configure the NetApp account to use customer-managed key. |

+| `EncryptionKeySource cannot be changed` | No resolution. The `EncryptionKeySource` property of a volume can't be changed. |

+| `Unable to use the configured encryption key, please check if key is active` | Check that: <br> -Are all access policies correct on the key vault: Get, Encrypt, Decrypt? <br> -Does a private endpoint for the key vault exist? <br> -Is there a Virtual Network NAT in the VNet, with the delegated Azure NetApp Files subnet enabled? |

+## Next steps

+* [Azure NetApp Files API](https://github.com/Azure/azure-rest-api-specs/tree/master/specification/netapp/resource-manager/Microsoft.NetApp/stable/2019-11-01)

+Azure NetApp Files data traffic is inherently secure by design, as it doesn't provide a public endpoint, and data traffic stays within customer-owned VNet. Data-in-flight isn't encrypted by default. However, data traffic from an Azure VM (running an NFS or SMB client) to Azure NetApp Files is as secure as any other Azure-VM-to-VM traffic.

+NFSv3 protocol doesn't provide support for encryption, so this data-in-flight can't be encrypted. However, NFSv4.1 and SMB3 data-in-flight encryption can optionally be enabled. Data traffic between NFSv4.1 clients and Azure NetApp Files volumes can be encrypted using Kerberos with AES-256 encryption. See [Configure NFSv4.1 Kerberos encryption for Azure NetApp Files](configure-kerberos-encryption.md) for details. Data traffic between SMB3 clients and Azure NetApp Files volumes can be encrypted using the AES-CCM algorithm on SMB 3.0, and the AES-GCM algorithm on SMB 3.1.1 connections. See [Create an SMB volume for Azure NetApp Files](azure-netapp-files-create-volumes-smb.md) for details.

+Key management for Azure NetApp Files is handled by the service. A unique XTS-AES-256 data encryption key is generated for each volume. An encryption key hierarchy is used to encrypt and protect all volume keys. These encryption keys are never displayed or reported in an unencrypted format. When you delete a volume, Azure NetApp Files immediately deletes the volume's encryption keys.

+Customer-managed keys (Bring Your Own Key) using Azure Dedicated HSM is supported on a controlled basis. Support is currently available in the East US, South Central US, West US 2, and US Gov Virginia regions. You can request access at [anffeedback@microsoft.com](mailto:anffeedback@microsoft.com). As capacity becomes available, requests will be approved.

+[Customer-managed keys](configure-customer-managed-keys.md) are available with limited regional support.

+## Can I use Azure role-based access control (RBAC) with Azure NetApp Files?

+However, you can't create Azure policies (custom naming policies) on the Azure NetApp Files interface. See [Guidelines for Azure NetApp Files network planning](azure-netapp-files-network-topologies.md#considerations).

+## February 2023

+* [Customer-managed keys](configure-customer-managed-keys.md) (Preview)

+ Azure NetApp Files volumes now support encryption with customer-managed keys and Azure Key Vault to enable an extra layer of security for data at rest.

+

+ Data encryption with customer-managed keys for Azure NetApp Files allows you to bring your own key for data encryption at rest. You can use this feature to implement separation of duties for managing keys and data. Additionally, you can centrally manage and organize keys using Azure Key Vault. With customer-managed encryption, you are in full control of, and responsible for, a key's lifecycle, key usage permissions, and auditing operations on keys.

+

+* [Capacity pool enhancement](azure-netapp-files-set-up-capacity-pool.md) (Preview)

+ Azure NetApp Files now supports a lower limit of 2 TiB for capacity pool sizing with Standard network features.

+ You can now choose a minimum size of 2 TiB when creating a capacity pool. Capacity pools smaller than 4 TiB in size can only be used with volumes using standard network features. This enhancement provides a more cost effective solution for running workloads such as SAP-shared files and VDI that require lower capacity pool sizes for their capacity and performance needs. When you have less than 2-4 TiB capacity with proportional performance, this enhancement allows you to start with 2 TiB as a minimum pool size and increase with 1-TiB increments. For capacities less than 3 TiB, this enhancement saves cost by allowing you to re-evaluate volume planning to take advantage of savings of smaller capacity pools. This feature is supported in all [regions with Standard network features](azure-netapp-files-network-topologies.md#supported-regions).

+| SubscriptionRequestsThrottled | Azure Resource Manager throttles requests at the subscription level or tenant level. Resource providers like `Microsoft.Compute` also throttle requests specific to its operations. <br><br> When a limit is reached, you get a message and a value with the amount of time you should wait before sending a new request. For example: `Number of requests for subscription '<subscription-id-guid>' and operation '<resource provider>' exceeded the backend storage limit. Please try again after '6' seconds.` <br><br> An HTTP response returns a message like `HTTP status code 429 Too Many Requests` with a `Retry-After` value that specifies the number of seconds to wait before you send another request. | [Throttling Resource Manager requests](../management/request-limits-and-throttling.md) <br><br> [Troubleshooting API throttling errors - virtual machines](/troubleshoot/azure/virtual-machines/troubleshooting-throttling-errors) <br><br> [Azure Kubernetes Service throttling](/troubleshoot/azure/azure-kubernetes/error-code-subscriptionrequeststhrottled) |

+ They'll be called with respect to the registered order right after we got an **FINACK** response from our Azure SignalR Service, which means this server has been set offline in the Azure SignalR Service.

+ You can broadcast messages or do some cleaning jobs in this stage, once all shutdown hooks has been executed, we'll proceed to the next stage.

+ You may have to design a way, like broadcast a closing message to all clients, and then let your clients decide when to close/reconnect itself.

+ In this scenario, `OnConnectedAsync` and `OnDisconnectedAsync` will be triggered on the new server and the old server respectively with an `IConnectionMigrationFeature` set in the `Context`, which can be used to identify if the client connection was being migrated-in or migrated-out. This feature could be useful especially for stateful scenarios.

+We've introduced an "IConnectionMigrationFeature" to indicate if a connection was being migrated-in/out.

+This article explains Video Indexer's language options and provides a list of language support for each one. It includes the languages support for Video Indexer features, translation, language identification, customization, and the language settings of the Video Indexer website.

+## Supported languages per scenario

+This section explains the Video Indexer language options and has a table of the supported languages for each one.

+> [!IMPORTANT]

+> All of the languages listed support translation when indexing through the API.

+### Column explanations

+- **Supported source language** ΓÇô The language spoken in the media file supported for transcription, translation, and search.

+- **Language identification** - Whether the language can be automatically detected by Video Indexer when language identification is used for indexing. To learn more, see [Use Azure Video Indexer to auto identify spoken languages](language-identification-model.md) and the **Language Identification** section.

+- **Customization (language model)** - Whether the language can be used when customizing language models in Video Indexer. To learn more, see [Customize a Language model in Azure Video Indexer](customize-language-model-overview.md)

+- **Website Translation** ΓÇô Whether the language is supported for translation when using the [Azure Video Indexer website](https://aka.ms/vi-portal-link). Select the translated language in the language drop-down menu.

+ :::image type="content" source="media/language-support/website-translation.png" alt-text="Screenshow showing a menu with download, English and views as menu items. A tooltip is shown as mouseover on the English item and says Translation is set to English." lightbox="media/language-support/website-translation.png":::

+ The following insights are translated:

+ - Transcript

+ - Keywords

+ - Topics

+ - Labels

+ - Frame patterns (Only to Hebrew as of now)

+ All other insights appear in English when using translation.

+- **Website Language** - Whether the language can be selected for use on the [Azure Video Indexer website](https://aka.ms/vi-portal-link). Select the **Settings icon** then select the language in the **Language settings** dropdown.

+ :::image type="content" source="media/language-support/website-language.jpg" alt-text="Screenshow showing a menu with user settings show them all toggled to on." lightbox="media/language-support/website-language.jpg":::

+| **Language** | **Code** | **Supported source language** | **Language identification** | **Customization (language model)** | **Website Translation** | **Website Language** |

+|:-|:-:|:--:|::|:-:|:--:|:--:|

+| Afrikaans | af-ZA | | | | Γ£ö | |

+| Arabic (Israel) | ar-IL | Γ£ö | | Γ£ö | | |

+| Arabic (Iraq) | ar-IQ | Γ£ö | Γ£ö | | | |

+| Arabic (Jordan) | ar-JO | Γ£ö | Γ£ö | Γ£ö | | |

+| Arabic (Kuwait) | ar-KW | Γ£ö | Γ£ö | Γ£ö | | |

+| Arabic (Lebanon) | ar-LB | Γ£ö | | Γ£ö | | |

+| Arabic (Oman) | ar-OM | Γ£ö | Γ£ö | Γ£ö | | |

+| Arabic (Palestinian Authority) | ar-PS | Γ£ö | | Γ£ö | | |

+| Arabic (Qatar) | ar-QA | Γ£ö | Γ£ö | Γ£ö | | |

+| Arabic (Saudi Arabia) | ar-SA | Γ£ö | Γ£ö | Γ£ö | | |

+| Arabic (United Arab Emirates) | ar-AE | Γ£ö | Γ£ö | Γ£ö | | |

+| Arabic Egypt | ar-EG | Γ£ö | Γ£ö | Γ£ö | Γ£ö | |

+| Arabic Modern Standard (Bahrain) | ar-BH | Γ£ö | Γ£ö | Γ£ö | | |

+| Arabic Syrian Arab Republic | ar-SY | Γ£ö | Γ£ö | Γ£ö | | |

+| Armenian | hy-AM | Γ£ö | | | | |

+| Bangla | bn-BD | | | | Γ£ö | |

+| Bosnian | bs-Latn | | | | Γ£ö | |

+| Bulgarian | bg-BG | Γ£ö | Γ£ö | | Γ£ö | |

+| Catalan | ca-ES | Γ£ö | Γ£ö | | Γ£ö | |

+| Chinese (Cantonese Traditional) | zh-HK | Γ£ö | Γ£ö | Γ£ö | Γ£ö | |

+| Chinese (Simplified) | zh-Hans | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Chinese (Simplified) | zh-CK | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Chinese (Traditional) | zh-Hant | | | | Γ£ö | |

+| Croatian | hr-HR | Γ£ö | Γ£ö | | Γ£ö | |

+| Czech | cs-CZ | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Danish | da-DK | Γ£ö | Γ£ö | Γ£ö | Γ£ö | |

+| Dutch | nl-NL | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| English Australia | en-AU | Γ£ö | Γ£ö | Γ£ö | Γ£ö | |

+| English United Kingdom | en-GB | Γ£ö | Γ£ö | Γ£ö | Γ£ö | |

+| English United States | en-US | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Estonian | et-EE | Γ£ö | Γ£ö | | Γ£ö | |

+| Fijian | en-FJ | | | | Γ£ö | |

+| Filipino | fil-PH | | | | Γ£ö | |

+| Finnish | fi-FI | Γ£ö | Γ£ö | Γ£ö | Γ£ö | |

+| French | fr-FR | Γ£ö | Γ£ö | Γ£ö | Γ£ö | |

+| French (Canada) | fr-CA | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| German | de-DE | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Greek | el-GR | Γ£ö | Γ£ö | | Γ£ö | |

+| Gujarati | gu-IN | Γ£ö | Γ£ö | | Γ£ö | |

+| Haitian | fr-HT | | | | Γ£ö | |

+| Hebrew | he-IL | Γ£ö | Γ£ö | Γ£ö | Γ£ö | |

+| Hindi | hi-IN | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Hungarian | hu-HU | | Γ£ö | | Γ£ö | Γ£ö |

+| Icelandic | is-IS | Γ£ö | | | | |

+| Indonesian | id-ID | | | | Γ£ö | |

+| Irish | ga-IE | Γ£ö | Γ£ö | | | |

+| Italian | it-IT | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Japanese | ja-JP | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Kannada | kn-IN | Γ£ö | Γ£ö | | | |

+| Kiswahili | sw-KE | | | | Γ£ö | |

+| Korean | ko-KR | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Latvian | lv-LV | Γ£ö | Γ£ö | | Γ£ö | |

+| Lithuanian | lt-LT | | | | Γ£ö | |

+| Malagasy | mg-MG | | | | Γ£ö | |

+| Malay | ms-MY | Γ£ö | | | Γ£ö | |

+| Malayalam | ml-IN | Γ£ö | Γ£ö | | | |

+| Maltese | mt-MT | | | | Γ£ö | |

+| Norwegian | nb-NO | Γ£ö | Γ£ö | Γ£ö | Γ£ö | |

+| Persian | fa-IR | Γ£ö | | Γ£ö | Γ£ö | |

+| Polish | pl-PL | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Portuguese | pt-BR | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Portuguese (Portugal) | pt-PT | Γ£ö | Γ£ö | Γ£ö | Γ£ö | |

+| Romanian | ro-RO | Γ£ö | Γ£ö | | Γ£ö | |

+| Russian | ru-RU | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Samoan | en-WS | | | | | |

+| Serbian (Cyrillic) | sr-Cyrl-RS | | | | Γ£ö | |

+| Serbian (Latin) | sr-Latn-RS | | | | Γ£ö | |

+| Slovak | sk-SK | Γ£ö | Γ£ö | | Γ£ö | |

+| Slovenian | sl-SI | Γ£ö | Γ£ö | | Γ£ö | |

+| Spanish | es-ES | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Spanish (Mexico) | es-MX | Γ£ö | Γ£ö | Γ£ö | Γ£ö | |

+| Swedish | sv-SE | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Tamil | ta-IN | Γ£ö | Γ£ö | | Γ£ö | |

+| Telugu | te-IN | Γ£ö | Γ£ö | | | |

+| Thai | th-TH | Γ£ö | Γ£ö | Γ£ö | Γ£ö | |

+| Tongan | to-TO | | | | Γ£ö | |

+| Turkish | tr-TR | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Ukrainian | uk-UA | Γ£ö | Γ£ö | | Γ£ö | |

+| Urdu | ur-PK | | | | Γ£ö | |

+| Vietnamese | vi-VN | Γ£ö | Γ£ö | | Γ£ö | |

+## Get supported languages through the API

+Use the Get Supported Languages API call to pull a full list of supported languages per area. For more information, see [Get Supported Languages](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Get-Supported-Languages).

+{

+ "name": "Language",

+ "languageCode": "Code",

+ "isRightToLeft": true/false,

+ "isSourceLanguage": true/false,

+ "isAutoDetect": true/false

+}

+ If `isSourceLanguage` is false, the language is supported for translation only.

+ If `isSourceLanguage` is true, the language is supported as source for transcription, translation, and search.

+- Language identification (auto detection):

+ If `isAutoDetect` is true, the language is supported for language identification (LID) and multi-language identification (MLID).

+## Language Identification

+When uploading a media file to Video Indexer, you can specify the media file's source language. If indexing a file through the Video Indexer website, this can be done by selecting a language during the file upload. If you're submitting the indexing job through the API, it's done by using the language parameter. The selected language is then used to generate the transcription of the file.

+If you aren't sure of the source language of the media file or it may contain multiple languages, Video Indexer can detect the spoken languages. If you select either Auto-detect single language (LID) or multi-language (MLID) for the media fileΓÇÖs source language, the detected language or languages will be used to transcribe the media file. To learn more about LID and MLID, see Use Azure Video Indexer to auto identify spoken languages, see [Automatically identify the spoken language with language identification model](language-identification-model.md) and [Automatically identify and transcribe multi-language content](multi-language-identification-transcription.md)

+There's a limit of 10 languages allowed for identification during the indexing of a media file for both LID and MLID. The following are the 9 *default* languages of Language identification (LID) and Multi-language identification (MILD):

+- German (de-DE)

+- English United States (en-US)

+- Spanish (es-ES)

+- French (fr-FR)

+- Italian (it-IT)

+- Japanese (ja-JP)

+- Portuguese (pt-BR)

+- Russian (ru-RU)

+- Chinese (Simplified) (zh-Hans)

+## How to change the list of default languages

+If you need to use languages for identification that aren't used by default, you can customize the list to any 10 languages that support customization through either the website or the API:

+### Use the website to change the list

+1. Select the **Language ID** tab under Model customization. The list of languages is specific to the Video Indexer account you're using and for the signed-in user. The default list of languages is saved per user on their local device, per device, and browser. As a result, each user can configure their own default identified language list.

+1. Use **Add language** to search and add more languages. If 10 languages are already selected, you first must remove one of the existing detected languages before adding a new one.

+ :::image type="content" source="media/language-support/default-language.png" alt-text="Screenshot showing a table showing all of the selected languages." lightbox="media/language-support/default-language.png":::

+### Use the API to change the list

+When you upload a file, the Video Indexer language model cross references 9 languages by default. If there's a match, the model generates the transcription for the file with the detected language.

+Use the language parameter to specify `multi` (MLID) or `auto` (LID) parameters. Use the `customLanguages` parameter to specify up to 10 languages. (The parameter is used only when the language parameter is set to `multi` or `auto`.) To learn more about using the API, see [Use the Azure Video Indexer API](video-indexer-use-apis.md).

+|Storage|18.56 TB (8 x 1.92 TB SATA SSD, 2x1.6TB NVMe)|20.7 TB (2x750 GB Optane, 6x3.2 TB NVMe)|

+| [Fast purge](cdn-purge-endpoint.md) | **&#x2713;** |**&#x2713;**, Purge all and Wildcard purge aren't supported by Azure CDN from Akamai currently |**&#x2713;** |**&#x2713;** |

+The endpoint name in your CDN profile is a subdomain of azureedge.net. By default when delivering content, the CDN profile domain gets included in the URL.

+A custom domain and its subdomain can only get added to a single endpoint at a time.

+> - *Traffic routing* can be accomplished with a CNAME record as well as A or AAAA record types in Azure DNS. To apply, use the following steps to replace the CNAME record with the record type of your choice.

+> - A CNAME record is **required** for custom domain *ownership validation* and must be available when adding the custom domain to a CDN Endpoint. More details in the following section.

+4. If you previously created a temporary cdnverify subdomain CNAME record, delete it.

+4. In **Add a custom domain**, **Endpoint hostname**, gets generated and pre-filled from your CDN endpoint URL: **\<endpoint-hostname>**.azureedge.net. You can't change this value.

+ Azure verifies that the CNAME record exists for the custom domain name you entered. If the CNAME is correct, your custom domain gets validated.

+Azure verifies that the CNAME record exists for the custom domain name you entered. If the CNAME is correct, your custom domain gets validated.

+1. Ensure that you have public content that you want cached at the endpoint. For example, if your CDN endpoint is associated with a storage account, Azure CDN caches the content in a public container. Set your container to allow public access and it contains at least one file to test the custom domain.

+ The custom domain gets removed from your endpoint.

+A content delivery network (CDN) is a distributed network of servers that can efficiently deliver web content to users. A CDN store cached content on edge servers in point-of-presence (POP) locations that are close to end users, to minimize latency.

+Azure CDN offers developers a global solution for rapidly delivering high-bandwidth content to users by caching their content at strategically placed physical nodes across the world. Azure CDN can also accelerate dynamic content, which can't get cached, by using various network optimizations using CDN POPs. For example, route optimization to bypass Border Gateway Protocol (BGP).

+* Better performance and improved user experience for end users, especially when using applications where multiple round-trips requests required by end users to load contents.

+* Distribution of user requests and serving of content directly from edge servers so that less traffic gets sent to the origin server.

+5. More users can then request the same file by using the same URL that Alice used, and gets directed to the same POP.

+* Since [Azure CDN pricing](https://azure.microsoft.com/pricing/details/cdn/) gets applied at the CDN profile level, so if you want to use a mix of pricing tiers you must create multiple CDN profiles. For information about the Azure CDN billing structure, see [Understanding Azure CDN billing](cdn-billing.md).

+ - The number of CDN profiles created.

+ - The number of endpoints created in a CDN profile.

+ - The number of custom domains mapped to an endpoint.

+tag: top-support-issue

+> Calling and chat interoperability is in private preview and restricted to a limited number of Azure Communication Services early adopters. You can [submit this form to request participation in the preview](https://forms.office.com/r/F3WLqPjw0D), and we'll review your scenario(s) and evaluate your participation in the preview.

+> Private Preview APIs and SDKs are provided without a service-level agreement, aren't appropriate for production workloads, and should only be used with test users and data. Certain features may not be supported or have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+As part of this preview, the Azure Communication Services SDKs can be used to build applications that enable bring your own identity (BYOI) users to start 1:1 calls or 1:n chats with Teams users. [Standard Azure Communication Services pricing](https://azure.microsoft.com/pricing/details/communication-services/) applies to these users, but there's no extra fee for the interoperability capability. Custom applications built with Azure Communication Services to connect and communicate with Teams users or Teams voice applications can be used by end users or by bots, and there's no differentiation in how they appear to Teams users in Teams applications unless explicitly indicated by the developer of the application with a display name.

+To enable calling and chat between your Communication Services users and Teams tenant, allow your tenant via the [form](https://forms.office.com/r/F3WLqPjw0D) and enable the connection between the tenant and Communication Services resource.

+## Enable interoperability in your Teams tenant

+Azure AD user with [Teams administrator role](../../../active-directory/roles/permissions-reference.md#teams-administrator) can run PowerShell cmdlet with MicrosoftTeams module to enable the Communication Services resource in the tenant.

+### 1. Prepare the Microsoft Teams module

+First, open the PowerShell and validate the existence of the Teams module with the following command:

+If you don't see the `MicrosoftTeams` module, install it first. To install the module, you need to run PowerShell as an administrator. Then run the following command:

+You'll be informed about the modules that will be installed, which you can confirm with a `Y` or `A` answer. If the module is installed but is outdated, you can run the following command to update the module:

+### 2. Connect to Microsoft Teams module

+### 3. Enable tenant configuration

+Interoperability with Communication Services resources is controlled via tenant configuration and assigned policy. Teams tenant has a single tenant configuration, and Teams users have assigned global policy or custom policy. The following table shows possible scenarios and impacts on interoperability.

+| Tenant configuration | Global policy | Custom policy | Assigned policy | Interoperability |

+| | | | | |

+| True | True | True | Global | **Enabled** |

+| True | True | True | Custom | **Enabled** |

+| True | True | False | Global | **Enabled** |

+| True | True | False | Custom | Disabled |

+| True | False | True | Global | Disabled |

+| True | False | True | Custom | **Enabled** |

+| True | False | False | Global | Disabled |

+| True | False | False | Custom | Disabled |

+| False | True | True | Global | Disabled |

+| False | True | True | Custom | Disabled |

+| False | True | False | Global | Disabled |

+| False | True | False | Custom | Disabled |

+| False | False | True | Global | Disabled |

+| False | False | True | Custom | Disabled |

+| False | False | False | Global | Disabled |

+| False | False | False | Custom | Disabled |

+### 4. Enable tenant policy

+Each Teams user has assigned an `External Access Policy` that determines whether Communication Services users can call this Teams user. Use cmdlet

+[Set-CsExternalAccessPolicy](/powershell/module/skype/set-csexternalaccesspolicy) to ensure that the policy assigned to the Teams user has set `EnableAcsFederationAccess` to `$true`

+```script

+Set-CsExternalAccessPolicy -Identity Global -EnableAcsFederationAccess $true

+```

+- Many features in the Teams client don't work as expected during 1:1 calls with Communication Services users.

+With the Chat SDK, Communication Services users or endpoints can have group chats with Teams users, identified by their Azure Active Directory (Azure AD) object ID. You can easily modify an existing application that creates chats with other Communication Services users to create chats with Teams users instead. Here is an example of how to use the Chat SDK to add Teams users as participants. To learn how to use Chat SDK to send a message, manage participants, and more, see our [quickstart](../../quickstarts/chat/get-started.md?pivots=programming-language-javascript).

+To make testing easier, we've published a sample app [here](https://github.com/Azure-Samples/communication-services-web-chat-hero/tree/teams-interop-chat-adhoc). Update the app with your Communication Services resource, and interop enabled Teams tenant to get started.

+- Communication Services users can delete the chat. This action removes the Teams user from the chat thread and hides the message history from the Teams client.

+- Known issue: Communication Services users aren't displayed correctly in the participant list. They're currently displayed as External, but their people cards show inconsistent data.

+Microsoft will indicate via the Azure Communication Services API that recording or transcription has commenced. You must communicate this fact in real time to your users within your application's user interface. You agree to indemnify Microsoft for all costs and damages incurred due to your failure to comply with this obligation.

+Calls to an emergency number are routed over the Microsoft network. Microsoft assigns a temporary phone number as the Call Line Identity (CLI) when an emergency call from the US, PR, GB, or CA are placed. Microsoft temporarily maintains a mapping of the phone number to the caller's identity. If there's a call-back from the PSAP, we route the call directly to the originating caller. The caller can accept incoming PSAP call even if inbound calling is disabled.

+1. In the US, PR, and CA the emergency call will be first routed to a call center where an agent will request the callerΓÇÖs address. The call center will then route the call to the appropriate PSAP in a proper region

+## Enabling Emergency Calling

+1. When testing your application in the US, dial 933 instead of 911. 933 is enabled for testing purposes; the recorded message confirms the phone number the emergency call originates from. You should hear a temporary number assigned by Microsoft, which isn't the `alternateCallerId` provided by the application

+There's also an option to use purchased number as a caller ID for direct routing calls. In such case, if there's no voice routing rule for emergency number, the call falls back to Microsoft network, and we treat it as a regular emergency call. Learn more about [voice routing fall back](./direct-routing-provisioning.md#outbound-voice-routing-considerations).

+- [Add Emergency Calling to your app](../../quickstarts/telephony/emergency-calling.md)

+> [!NOTE]

+>

+> The [**SFTP** *managed* connector](/connectors/sftp/) has been deprecated, so this connector's operations no longer appear in the workflow designer.

+* [Spring Boot on Docker Getting Started](https://spring.io/guides/topicals/spring-boot-docker/)

+To change the vCores for all worker nodes, on the **Scale** screen, select a new value under **Compute per node**. To adjust the coordinator node's vCores, expand **Coordinator** and select a new value under **Coordinator compute**.

+> You can scale compute on [cluster read replicas](concepts-read-replicas.md) independent of their primary cluster's compute.

+> Once you increase storage and save, you can't decrease the amount of storage.

+1. In the Azure portal, search for **Cost Management** and select it (the green hexagon-shaped symbol, *not* Cost Management + Billing).

+> [!Note]

+> The MicrosoftSecurityDevOps build task depends on .NET 6. The CredScan analyzer depends on .NET 3.1. See more [here](https://marketplace.visualstudio.com/items?itemName=ms-securitydevops.microsoft-security-devops-azdevops).

+ uses: github/codeql-action/upload-sarif@v2

+## Prerequisites

+Enable the resource provider `_Microsoft.Security_` for the management group using the following Azure CLI command:

+```azurecli

+az provider register --namespace Microsoft.Security --management-group-id …

+```

+## Onboard a management group and all its subscriptions

+**To onboard a management group and all its subscriptions**:

+* `Import Jobs` - The Jobs API lets you manage a long running, asynchronous action to [import models, twins, and relationships in bulk](#bulk-import-with-the-jobs-api).

+## Bulk import with the Jobs API

+The [Jobs API](/rest/api/digital-twins/dataplane/import-jobs) is a data plane API that allows you to import a set of models, twins, and/or relationships in a single API call. Jobs API operations are also included with the [CLI commands](/cli/azure/dt/job) and [data plane SDKs](#data-plane-apis). Using the Jobs API requires use of [Azure Blob Storage](../storage/blobs/storage-blobs-introduction.md).

+To use the Jobs API, you'll need to have write permission in your Azure Digital Twins instance for the following data action categories:

+> If you attempt an Jobs API call and you're missing write permissions to one of the graph element types you're trying to import, the job will skip that type and import the others. For example, if you have write access to models and twins, but not relationships, an attempt to bulk import all three types of element will only succeed in importing the models and twins. The job status will reflect a failure and the message will indicate which permissions are missing.

+Once the file has been created, upload it to a block blob in Azure Blob Storage using your preferred upload method (some options are the [AzCopy command](../storage/common/storage-use-azcopy-blobs-upload.md), the [Azure CLI](../storage/blobs/storage-quickstart-blobs-cli.md#upload-a-blob), or the [Azure portal](https://portal.azure.com)). You'll use the blob storage URL of the NDJSON file in the body of the Jobs API call.

+Now you can proceed with calling the [Jobs API](/rest/api/digital-twins/dataplane/import-jobs). For detailed instructions on importing a full graph in one API call, see [Upload models, twins, and relationships in bulk with the Jobs API](how-to-manage-graph.md#upload-models-twins-and-relationships-in-bulk-with-the-jobs-api). You can also use the Jobs API to import each resource type independently. For more information on using the Jobs API with individual resource types, see Jobs API instructions for [models](how-to-manage-model.md#upload-large-model-sets-with-the-jobs-api), [twins](how-to-manage-twin.md#create-twins-in-bulk-with-the-jobs-api), and [relationships](how-to-manage-graph.md#create-relationships-in-bulk-with-the-jobs-api).

+In the body of the API call, you'll provide the blob storage URL of the NDJSON input file. You'll also provide a new blob storage URL to indicate where you'd like the output log to be stored once the service creates it.

+As the import job executes, a structured output log is generated by the service and stored as a new append blob in your blob container, at the URL location you specified for the output blob in the request. Here's an example output log for a successful job importing models, twins, and relationships:

+When the job is complete, you can see the total number of ingested entities using the [BulkOperationEntityCount metric](how-to-monitor.md#bulk-operation-metrics-from-the-jobs-api).

+It's also possible to cancel a running import job with the [Cancel operation](/rest/api/digital-twins/dataplane/import-jobs/cancel?tabs=HTTP) from the Jobs API. Once the job has been canceled and is no longer running, you can delete it.

+Keep the following considerations in mind while working with the Jobs API:

+* Currently, the Jobs API only supports "create" operations.

+* Only one bulk import job is supported at a time within an Azure Digital Twins instance. You can view this information and other numerical limits of the Jobs API in [Azure Digital Twins limits](reference-service-limits.md).

+You can upload many models in a single API call using the [Jobs API](concepts-apis-sdks.md#bulk-import-with-the-jobs-api). The API can simultaneously accept up to the [Azure Digital Twins limit for number of models in an instance](reference-service-limits.md), and it automatically reorders models if needed to resolve dependencies between them. For detailed instructions and examples that use this API, see [bulk import instructions for models](how-to-manage-model.md#upload-large-model-sets-with-the-jobs-api).

+An alternative to the Jobs API is the [Model uploader sample](https://github.com/Azure/opendigitaltwins-tools/tree/main/ADTTools#uploadmodels), which uses the individual model APIs to upload multiple model files at once. The sample also implements automatic reordering to resolve model dependencies.

+### Create twins and relationships in bulk with the Jobs API

+You can upload many twins and relationships in a single API call using the [Jobs API](concepts-apis-sdks.md#bulk-import-with-the-jobs-api). Twins and relationships created with this API can optionally include initialization of their properties. For detailed instructions and examples that use this API, see [bulk import instructions for twins](how-to-manage-twin.md#create-twins-in-bulk-with-the-jobs-api) and [relationships](how-to-manage-graph.md#create-relationships-in-bulk-with-the-jobs-api).

+### Create relationships in bulk with the Jobs API

+You can use the [Jobs API](concepts-apis-sdks.md#bulk-import-with-the-jobs-api) to create many relationships at once in a single API call. This method requires the use of [Azure Blob Storage](../storage/blobs/storage-blobs-introduction.md), as well as [write permissions](concepts-apis-sdks.md#check-permissions) in your Azure Digital Twins instance for relationships and bulk jobs.

+>The Jobs API also allows models and twins to be imported in the same call, to create all parts of a graph at once. For more about this process, see [Upload models, twins, and relationships in bulk with the Jobs API](#upload-models-twins-and-relationships-in-bulk-with-the-jobs-api).

+You can view an example import file and a sample project for creating these files in the [Jobs API introduction](concepts-apis-sdks.md#bulk-import-with-the-jobs-api).

+Then, the file can be used in an [Jobs API](/rest/api/digital-twins/dataplane/import-jobs) call. You'll provide the blob storage URL of the input file, as well as a new blob storage URL to indicate where you'd like the output log to be stored when it's created by the service.

+### Upload models, twins, and relationships in bulk with the Jobs API

+You can use the [Jobs API](concepts-apis-sdks.md#bulk-import-with-the-jobs-api) to upload multiple models, twins, and relationships to your instance in a single API call, effectively creating the graph all at once. This method requires the use of [Azure Blob Storage](../storage/blobs/storage-blobs-introduction.md), as well as [write permissions](concepts-apis-sdks.md#check-permissions) in your Azure Digital Twins instance for graph elements (models, twins, and relationships) and bulk jobs.

+You can view an example import file and a sample project for creating these files in the [Jobs API introduction](concepts-apis-sdks.md#bulk-import-with-the-jobs-api).

+Then, the file can be used in an [Jobs API](/rest/api/digital-twins/dataplane/import-jobs) call. You'll provide the blob storage URL of the input file, as well as a new blob storage URL to indicate where you'd like the output log to be stored when it's created by the service.

+### Upload large model sets with the Jobs API

+For large model sets, you can use the [Jobs API](concepts-apis-sdks.md#bulk-import-with-the-jobs-api) to upload many models at once in a single API call. The API can simultaneously accept up to the [Azure Digital Twins limit for number of models in an instance](reference-service-limits.md), and it automatically reorders models if needed to resolve dependencies between them. This method requires the use of [Azure Blob Storage](../storage/blobs/storage-blobs-introduction.md), as well as [write permissions](concepts-apis-sdks.md#check-permissions) in your Azure Digital Twins instance for models and bulk jobs.

+>The Jobs API also allows twins and relationships to be imported in the same call, to create all parts of a graph at once. For more about this process, see [Upload models, twins, and relationships in bulk with the Jobs API](how-to-manage-graph.md#upload-models-twins-and-relationships-in-bulk-with-the-jobs-api).

+To import models in bulk, you'll need to structure your models (and any other resources included in the bulk import job) as an *NDJSON* file. The `Models` section comes immediately after `Header` section, making it the first graph data section in the file. You can view an example import file and a sample project for creating these files in the [Jobs API introduction](concepts-apis-sdks.md#bulk-import-with-the-jobs-api).

+Then, the file can be used in an [Jobs API](/rest/api/digital-twins/dataplane/import-jobs) call. You'll provide the blob storage URL of the input file, as well as a new blob storage URL to indicate where you'd like the output log to be stored when it's created by the service.

+### Create twins in bulk with the Jobs API

+You can use the [Jobs API](concepts-apis-sdks.md#bulk-import-with-the-jobs-api) to create many twins at once in a single API call. This method requires the use of [Azure Blob Storage](../storage/blobs/storage-blobs-introduction.md), as well as [write permissions](concepts-apis-sdks.md#check-permissions) in your Azure Digital Twins instance for twins and bulk jobs.

+>The Jobs API also allows models and relationships to be imported in the same call, to create all parts of a graph at once. For more about this process, see [Upload models, twins, and relationships in bulk with the Jobs API](how-to-manage-graph.md#upload-models-twins-and-relationships-in-bulk-with-the-jobs-api).

+You can view an example import file and a sample project for creating these files in the [Jobs API introduction](concepts-apis-sdks.md#bulk-import-with-the-jobs-api).

+Then, the file can be used in an [Jobs API](/rest/api/digital-twins/dataplane/import-jobs) call. You'll provide the blob storage URL of the input file, as well as a new blob storage URL to indicate where you'd like the output log to be stored when it's created by the service.

+### Bulk operation metrics (from the Jobs API)

+Metrics having to do with bulk operations from the [Jobs API](/rest/api/digital-twins/dataplane/import-jobs):

+ az dt role-assignment create --resource-group <your-resource-group> --dt-name <your-Azure-Digital-Twins-instance> --assignee "<principal-ID>" --role "Azure Digital Twins Data Owner"

+- Azure Functions

+- Azure Relay Hybrid Connections

+The following operations return potentially secret information, which gets filtered out of normal read operations. We recommend that you restrict access to these operations.

+| [`EventGrid EventSubscription Reader`](../role-based-access-control/built-in-roles.md#eventgrid-eventsubscription-reader) | Lets you read Event Grid event subscriptions. |

+| [`EventGrid EventSubscription Contributor`](../role-based-access-control/built-in-roles.md#eventgrid-eventsubscription-contributor) | Lets you manage Event Grid event subscription operations. |

+| [`EventGrid Contributor`](../role-based-access-control/built-in-roles.md#eventgrid-contributor) | Lets you create and manage Event Grid resources. |

+| [`EventGrid Data Sender`](../role-based-access-control/built-in-roles.md#eventgrid-data-sender) | Lets you send events to Event Grid topics. |

+**EventGridContributorRole.json**: Allows all Event Grid actions.

+For system topics, if you aren't the owner or contributor of the source resource, you need permission to write a new event subscription at the scope of the resource publishing the event. The format of the resource is:

+For custom topics, you need permission to write a new event subscription at the scope of the Event Grid topic. The format of the resource is:

+ Title: 'Azure ExpressRoute: Reset circuit peering using Azure PowerShell'

+# Reset ExpressRoute circuit peerings using Azure PowerShell

+Migration is only available and can be completed using the Azure portal. Service charges for Azure Front Door Standard or Premium tier will start once migration is completed.

+## 503 or 504 response from Azure Front Door after a few seconds

+* Regular requests sent to your backend without going through Azure Front Door are succeeding. Going via Azure Front Door results in 503 or 504 error responses.

+ Title: How to use CalculatedContent mappings - Azure Health Data Services

+description: Learn how to use CalculatedContent mappings with the MedTech service device mappings.

+This article describes how to use CalculatedContent mappings with MedTech service device mappings in Azure Health Data Services.

+## Overview of CalculatedContent mappings

+The MedTech service provides an expression-based content template to both match the wanted template and extract values. Either JSONPath or JMESPath can use expressions. Each expression within the template can use its own expression language.

+> If you don't define an expression language, MedTech service device mappings use the default expression language that's configured for the template. The default is JSONPath, but you can overwrite it if necessary.

+In the following example, `typeMatchExpression` is defined as:

+> If you want to use JSON instead of the default JSONPath expression language, you can supply the expression alone.

+You can explicitly set the default expression language for MedTech service device mappings by using the `defaultExpressionLanguage` parameter:

+CalculatedContent mappings allow matching on, and extracting values from, an Azure Event Hubs message through the following expressions:

+|`TypeName`|The type to associate with measurements that match the template.|`heartrate`|

+|`TypeMatchExpression`|The expression that the MedTech service evaluates against the `EventData` payload. If the service finds a matching `JToken` value, it considers the template a match. The service evaluates all later expressions against the extracted `JToken` value matched here.|`$..[?(@heartRate)]`|

+|`TimestampExpression`|The expression to extract the timestamp value for the measurement's `OccurrenceTimeUtc` value.|`$.matchedToken.endDate`|

+|`DeviceIdExpression`|The expression to extract the device identifier.|`$.matchedToken.deviceId`|

+|`PatientIdExpression`|The expression to extract the patient identifier. *Required* when `IdentityResolution` is in `Create` mode, and *optional* when `IdentityResolution` is in `Lookup` mode.|`$.matchedToken.patientId`|

+|`EncounterIdExpression`|*Optional*: The expression to extract the encounter identifier.|`$.matchedToken.encounterId`|

+|`CorrelationIdExpression`|*Optional*: The expression to extract the correlation identifier. You can use this output to group values into a single observation in the FHIR destination mappings.|`$.matchedToken.correlationId`|

+|`Values[].ValueName`|The name to associate with the value that the next expression extracts. Used to bind the wanted value or component in the FHIR destination-mapping template.|`hr`|

+|`Values[].ValueExpression`|The expression to extract the wanted value.|`$.matchedToken.heartRate`|

+|`Values[].Required`|Requires the value to be present in the payload. If the MedTech service doesn't find the value, it won't generate a measurement, and it will create an `InvalidOperationException` instance.|`true`|

+## Expression languages

+When you're specifying the language to use for the expression, the following values are valid:

+| Expression language | Value |

+| JSONPath | `JsonPath` |

+| JMESPath | `JmesPath` |

+> For more information on JSONPath, see [JSONPath - XPath for JSON](https://goessner.net/articles/JsonPath/). CalculatedContent mappings use the [JSON .NET implementation](https://www.newtonsoft.com/json/help/html/QueryJsonSelectTokenJsonPath.htm) for resolving JSONPath expressions.

+> For more information on JMESPath, see [JMESPath Specification](https://jmespath.org/specification.html). CalculatedContent mappings use the [JMESPath .NET implementation](https://github.com/jdevillard/JmesPath.Net) for resolving JMESPath expressions.

+## Custom functions

+A set of custom functions for the MedTech service is also available. The MedTech service custom functions are outside the functions provided as part of the JMESPath specification. For more information on the MedTech service custom functions, see [How to use custom functions with device mappings](how-to-use-custom-functions.md).

+## Matched token

+The MedTech service evaluates `TypeMatchExpression` against the incoming `EventData` payload. If the service finds a matching `JToken` value, it considers the template a match.

+The MedTech service evaluates all later expressions against a new `JToken` value. This new `JToken` value contains both the original `EventData` payload and the extracted `JToken` value matched here.

+In this way, the original payload and the matched object are available to each later expression. The extracted `JToken` value will be available as the property `matchedToken`.

+Here's an example message:

+The MedTech service extracts two matches by using the preceding expression and uses them to create `JToken` values. The MedTech service will evaluate later expressions by using the following `JToken` values:

+## Examples

+### Heart rate

+### Blood pressure

+### Projection of multiple measurements from a single message

+### Projection of multiple measurements from an array in a message

+### Projection of data from a matched token and an original event

+### Selection and transformation of incoming data

+In the following example, height data arrives in either inches or meters. Assume that you want all normalized height data to be in meters. To achieve this outcome, you create a template that targets only height data in inches and transforms it into meters. Another template targets height data in meters and simply stores it as is.

+> For assistance in fixing MedTech service errors, see [Troubleshoot MedTech service errors](troubleshoot-errors.md).

+In this article, you learned how to configure MedTech service device mappings by using CalculatedContent mappings.

+To learn how to configure FHIR destination mappings, see:

+FHIR&#174; is a registered trademark of Health Level Seven International, registered in the U.S. Trademark Office, and is used with permission.

+ :::image type="content" source="./media/how-to-access-dtpm/vs-nuget-microsoft-tss.png" alt-text="Screenshot that shows Visual Studio add NuGet packages .":::

+ :::image type="content" source="./media/how-to-access-dtpm/sample-publish-options.png" alt-text="Screenshot that shows publish options .":::

+ :::image type="content" source="./media/how-to-access-dtpm/tpm-read-output.png" alt-text="Screenshot that shows EFLOW dTPM output.":::

+ :::image type="content" source="./media/how-to-access-host-storage-from-module/offline-storage-1-4.png" alt-text="Screenshot that shows how to add create options and environment variables for local storage.":::

+ :::image type="content" source="./media/how-to-authenticate-downstream-device/symmetric-key-portal.png" alt-text="Screenshot of how to create a device ID with symmetric key authorization in the Azure portal.":::

+ :::image type="content" source="./media/how-to-authenticate-downstream-device/x509-self-signed-portal.png" alt-text="Screenshot that shows how to create a device ID with an X.509 self-signed authorization in the Azure portal.":::

+ * Java: [SendEventX509.java](https://github.com/Azure/azure-iot-sdk-java/tree/main/iothub/device/iot-device-samples/send-event-x509)

+ * Java: [SendEventX509.java](https://github.com/Azure/azure-iot-sdk-java/tree/main/iothub/device/iot-device-samples/send-event-x509)

+ :::image type="content" source="./media/how-to-configure-api-proxy-module/change-config.png" alt-text="Screenshot that shows how to paste encoded config file as value of proxy_config property.":::

+ :::image type="content" source="./media/how-to-configure-iot-edge-for-linux-on-windows-iiot-dmz/add-eflow-network.png" alt-text="Screenshot of a successful creation of the external network named OnlineOPCUA.":::

+ :::image type="content" source="./media/how-to-configure-iot-edge-for-linux-on-windows-iiot-dmz/add-eflow-vm-endpoint.png" alt-text="Screenshot of a successful configuration of the OnlineOPCUA switch..":::

+ :::image type="content" source="./media/how-to-configure-iot-edge-for-linux-on-windows-iiot-dmz/ifconfig-multiple-nic.png" alt-text="Screenshot showing the IP configuration of multiple NICs connected to two different networks.":::

+ :::image type="content" source="./media/how-to-configure-iot-edge-for-linux-on-windows-iiot-dmz/route-output.png" alt-text="Screenshot showing the routing table for the EFLOW virtual machine.":::

+1. Get the sample for **Send-event** from the [Azure IoT device SDK for Java samples](https://github.com/Azure/azure-iot-sdk-java/tree/main/iothub/device/iot-device-samples).

+- Review [Understanding policy effects](../governance/policy/concepts/effects.md).

+ :::code language="python" source="~/azureml-examples-main/cli/endpoints/online/ncd/sklearn-diabetes/src/score.py" highlight="14":::

+ :::code language="yaml" source="~/azureml-examples-main/cli/endpoints/online/ncd/sklearn-diabetes/environment/conda.yml":::

+ conda_file: sklearn-diabetes/environment/conda.yml

+ code: sklearn-diabetes/src

+To control who can access your Azure Machine Learning workspace, use Azure Active Directory [Conditional Access](../active-directory/conditional-access/overview.md). To use Conditional Access for Azure Machine Learning workspaces, [assign the Conditional Access policy](../active-directory/conditional-access/concept-conditional-access-cloud-apps.md) to the app named __Azure Machine Learning__. The app ID is __0736f41a-0425-bdb5-1563eff02385__.

+Azure AD Conditional Access can be used to further control or restrict access to the workspace for each authentication workflow. For example, an admin can allow workspace access from managed devices only.

+As an administrator, you can enforce [Azure AD Conditional Access policies](../active-directory/conditional-access/overview.md) for users signing in to the workspace. For example, you

+can require two-factor authentication, or allow sign in only from managed devices. To use Conditional Access for Azure Machine Learning workspaces specifically, [assign the Conditional Access policy](../active-directory/conditional-access/concept-conditional-access-cloud-apps.md) to the app named __Azure Machine Learning__. The app ID is __0736f41a-0425-bdb5-1563eff02385__.

+4. Select **Create Service Connection**.

+1. Under the Repos section, select **Repositories**. Select the repository you created in previous step Select the **Security** tab

+1. Select **Create Pipeline**.

+> [!div class="op_single_selector" title1="Select the version of Azure Machine Learning developer platform you're using:"]

+__Tracking__ refers to process of saving all experiment's related information that you may find relevant for every experiment you run. Such metadata varies based on your project, but it may include:

+> [!div class="checklist"]

+> - Code

+> - Environment details (OS version, Python packages)

+> - Input data

+> - Parameter configurations

+> - Models

+> - Evaluation metrics

+> - Evaluation visualizations (confusion matrix, importance plots)

+> - Evaluation results (including some evaluation predictions)

+Some of these elements are automatically tracked by Azure Machine Learning when working with jobs (including code, environment, and input and output data). However, others like models, parameters, and metrics, need to be instrumented by the model builder as it's specific to the particular scenario.

+In this article, you'll learn how to use MLflow for tracking your experiments and runs in Azure Machine Learning workspaces.

+## Benefits of tracking experiments

+We highly encourage machine learning practitioners to instrument their experimentation by tracking them, regardless if they're training with jobs in Azure Machine Learning or interactively in notebooks. Benefits include:

+- All of your ML experiments are organized in a single place, allowing you to search and filter experiments to find the information and drill down to see what exactly it was that you tried before.

+- Compare experiments, analyze results, and debug model training with little extra work.

+- Reproduce or re-run experiments to validate results.

+- Improve collaboration by seeing what everyone is doing, sharing experiment results, and access experiment data programmatically.

+### Why MLflow

+Azure Machine Learning workspaces are MLflow-compatible, which means you can use MLflow to track runs, metrics, parameters, and artifacts with your Azure Machine Learning workspaces. By using MLflow for tracking, you don't need to change your training routines to work with Azure Machine Learning or inject any cloud-specific syntax, which is one of the main advantages of the approach.

+See [MLflow and Azure Machine Learning](concept-mlflow.md) for all supported MLflow and Azure Machine Learning functionality including MLflow Project support (preview) and model deployment.

+Azure Machine Learning tracks any training job in what MLflow calls a run. Use runs to capture all the processing that your job performs.

+When working interactively, MLflow starts tracking your training routine as soon as you try to log information that requires an active run. For instance, when you log a metric, log a parameter, or when you start a training cycle when Mlflow's autologging functionality is enabled. However, it's usually helpful to start the run explicitly, specially if you want to capture the total time of your experiment in the field __Duration__. To start the run explicitly, use `mlflow.start_run()`.

+Regardless if you started the run manually or not, you'll eventually need to stop the run to inform MLflow that your experiment run has finished and marks its status as __Completed__. To do that, all `mlflow.end_run()`. We strongly recommend starting runs manually so you don't forget to end them when working on notebooks.

+To help you avoid forgetting to end the run, it's usually helpful to use the context manager paradigm:

+The previous code example doesn't uses `mlflow.start_run()` but if used you can expect MLflow to reuse the current active run so there's no need to remove those lines if migrating to Azure Machine Learning.

+All Azure Machine Learning environments already have MLflow installed for you, so no action is required if you're using a curated environment. If you want to use a custom environment:

+1. Reference the environment in the job you're using.

+### Configuring job's name

+2. Ensure you're not using `mlflow.start_run(run_name="")` inside of your training routine.

+1. First, let's connect to Azure Machine Learning workspace where we're going to work on.

+Select the logged metrics to render charts on the right side. You can customize the charts by applying smoothing, changing the color, or plotting multiple metrics on a single graph. You can also resize and rearrange the layout as you wish. Once you've created your desired view, you can save it for future use and share it with your teammates using a direct link.

+You can also access or __query metrics, parameters and artifacts programatically__ using the MLflow SDK. Use [mlflow.get_run()](https://mlflow.org/docs/latest/python_api/mlflow.html#mlflow.get_run) as explained bellow:

+```python

+import mlflow

+run = mlflow.get_run("<RUN_ID>")

+tags = run.data.tags

+print(metrics, params, tags)

+> [!TIP]

+> For metrics, the previous example will only return the last value of a given metric. If you want to retrieve all the values of a given metric, use `mlflow.get_metric_history` method as explained at [Getting params and metrics from a run](how-to-track-experiments-mlflow.md#getting-params-and-metrics-from-a-run).

+To download artifacts you've logged, like files and models, you can use [mlflow.artifacts.download_artifacts()](https://www.mlflow.org/docs/latest/python_api/mlflow.artifacts.html#mlflow.artifacts.download_artifacts)

+```python

+mlflow.artifacts.download_artifacts(run_id="<RUN_ID>", artifact_path="helloworld.txt")

+For more details about how to __retrieve or compare__ information from experiments and runs in Azure Machine Learning using MLflow view [Query & compare experiments and runs with MLflow](how-to-track-experiments-mlflow.md)

+If you're looking for examples about how to use MLflow in Jupyter notebooks, please see our example's repository [Using MLflow (Jupyter Notebooks)](https://github.com/Azure/azureml-examples/tree/main/sdk/python/using-mlflow).

+* The **Authoring** section of the studio contains multiple ways to get started in creating machine learning models. You can:

+Azure AD Conditional Access can be used to further control or restrict access to the workspace for each authentication workflow. For example, an admin can allow workspace access from managed devices only.

+As an administrator, you can enforce [Azure AD Conditional Access policies](../../active-directory/conditional-access/overview.md) for users signing in to the workspace. For example, you

+can require two-factor authentication, or allow sign in only from managed devices. To use Conditional Access for Azure Machine Learning workspaces specifically, [assign the Conditional Access policy](../../active-directory/conditional-access/concept-conditional-access-cloud-apps.md) to the app named __Azure Machine Learning__. The app ID is __0736f41a-0425-bdb5-1563eff02385__.

+> In ARO 4.9 or older, running this command will cause your cluster nodes to restart one by one as they're updated.

+> In ARO 4.10 version or later a restart will not be triggered.

+### Verify that pull secret is in place

+```

+oc exec $(oc get pod -n openshift-apiserver -o jsonpath="{.items[0].metadata.name}") -- cat /var/lib/kubelet/config.json

+```

+> [!NOTE]

+> For the `domain` parameter, specify the domain prefix that will be used as part of the auto-generated DNS name for OpenShift console and API servers. This prefix is also used as part of the name of the resource group that is created to host the cluster VMs.

+

+ > [!NOTE]

+ > In the **Domain name** field, you can either specify a domain name (e.g., *example.com*) or a prefix (e.g., *abc*) that will be used as part of the auto-generated DNS name for OpenShift console and API servers. This prefix is also used as part of the name of the resource group (e.g., *aro-abc*) that is created to host the cluster VMs.

+In this tutorial, part one of three, you prepare your environment to create an Azure Red Hat OpenShift cluster running OpenShift 4, and create a cluster. You learn how to:

+Azure Red Hat OpenShift requires a minimum of 40 cores to create and run an OpenShift cluster. The default Azure resource quota for a new Azure subscription doesn't meet this requirement. To request an increase in your resource limit, see [Standard quota: Increase limits by VM series](../azure-portal/supportability/per-vm-quota-requests.md).

+* For example, to check the current subscription quota of the smallest supported virtual machine family SKU "Standard DSv3":

+During this tutorial, you'll create a resource group, which contains the virtual network for the cluster. To do this, you'll need Contributor and User Access Administrator permissions or Owner permissions, either directly on the virtual network or on the resource group or subscription containing it.

+You'll also need sufficient Azure Active Directory permissions (either a member user of the tenant, or a guest assigned with role **Application administrator**) for the tooling to create an application and service principal on your behalf for the cluster. See [Member and guests](../active-directory/fundamentals/users-default-permissions.md#member-and-guest-users) and [Assign administrator and non-administrator roles to users with Azure Active Directory](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md) for more details.

+ > ARO pull secret doesn't change the cost of the RH OpenShift license for ARO.

+A Red Hat pull secret enables your cluster to access Red Hat container registries along with other content. This step is optional but recommended. The field `cloud.openshift.com` is removed from your secret even if your pull-secret contains that field. This field enables an extra monitoring feature, which sends data to RedHat and is thus disabled by default. To enable this feature, see https://docs.openshift.com/container-platform/4.11/support/remote_health_monitoring/enabling-remote-health-reporting.html .

+1. [Navigate to your Red Hat OpenShift cluster manager portal](https://console.redhat.com/openshift/install/azure/aro-provisioned) and sign-in.

+ You'll need to log in to your Red Hat account or create a new Red Hat account with your business email and accept the terms and conditions.

+1. Select **Download pull secret** and download a pull secret to be used with your ARO cluster.

+ If you're copying your pull secret or referencing it in other scripts, your pull secret should be formatted as a valid JSON string.

+> [!NOTE]

+> Although adding a domain name is optional when creating a cluster through Azure CLI, a domain name (or a prefix used as part of the auto-generated DNS name for OpenShift console and API servers) is needed when adding a cluster through the portal. See [Quickstart: Deploy an Azure Red Hat OpenShift cluster using the Azure portal](quickstart-portal.md#create-an-azure-red-hat-openshift-cluster) for more information.

+If you provide a custom domain for your cluster, note the following points:

+* After creating your cluster, you must create two DNS A records in your DNS server for the `--domain` specified:

+Next, you'll create a virtual network containing two empty subnets. If you have existing virtual network that meets your needs, you can skip this step.

+ An Azure resource group is a logical group in which Azure resources are deployed and managed. When you create a resource group, you're asked to specify a location. This location is where resource group metadata is stored, and it is also where your resources run in Azure if you don't specify another region during resource creation. Create a resource group using the [az group create](/cli/azure/group#az-group-create) command.

+* Optionally, you can [pass your Red Hat pull secret](#get-a-red-hat-pull-secret-optional), which enables your cluster to access Red Hat container registries along with other content. Add the `--pull-secret @pull-secret.txt` argument to your command.

+Your next step is to configure metrics and logs on the **Metrics and Logs** tab. When you're creating the New Relic resource, you can set up metrics monitoring and automatic log forwarding:

+1. To set up monitoring of platform metrics for Azure resources by New Relic, select **Enable metrics collection**. If you leave this option cleared, metrics are not be pulled by New Relic.

+1. To send subscription-level logs to New Relic, select **Subscription activity logs**. If you leave this option cleared, no subscription-level logs are sent to New Relic.

+ Azure charges for logs sent to New Relic. For more information, see the [pricing of platform logs](https://azure.microsoft.com/pricing/details/monitor/) sent to Azure Marketplace partners.

+- Once enabled, CMK encryption can't be removed. If customer desires to remove this feature, it can only be done via [restore of the server to non-CMK server](./concepts-backup-restore.md#point-in-time-recovery).

+ |**Control Plane Access Ip Address** | Enter the IP address for the control plane interface on the access network.</br> Note: Please ensure that the N2 IP address specified here matches the N2 address configured on the ASE Portal. |

+# Reliability in Azure Bot Service

+# Reliability in Azure Container Instances

+# Reliability in Microsoft Energy Data Services

+# Reliability in Azure Functions

+- February 21, 2023: Correct link to HANA hardware directory in [SAP HANA infrastructure configurations and operations on Azure](./hana-vm-operations.md) and fixed a bug in [SAP HANA Azure virtual machine Premium SSD v2 storage configurations](./hana-vm-premium-ssd-v2.md)

+In order to find out the Azure VM types that are certified for either OLAP scale-out or S/4HANA scale-out, check the [SAP HANA hardware directory](https://www.sap.com/dmc/exp/2014-09-02-hana-hardware/enEN/#/solutions?filters=v:deCertified;iaas;ve:24). A checkmark in the column 'Clustering' indicates scale-out support. Application type indicates whether OLAP scale-out or S/4HANA scale-out is supported. For details on nodes certified in scale-out, review the entry for a specific VM SKU listed in the SAP HANA hardware directory.

+| E32ds_v4 | 256 GiB | 769 MBps | 51,200 | 304 GB | 425 MBps | 3,000 |

+| E20(d)s_v5 | 160 GiB | 750 MBps | 32,000 | 80 GB | 275 MBps | 3,000 | 160 GB |

+| **TimeGenerated** | Datetime | The time (UTC) at which the audited activity occurred. |

+| <a name="sentinelresourceid_audit"></a>**SentinelResourceId** | String | The unique identifier of the Microsoft Sentinel workspace and the associated resource on which the audited activity occurred. |

+| **WorkspaceId** | String | The workspace GUID on which the audited activity occurred. The full Azure Resource Identifier is available in the [SentinelResourceID](#sentinelresourceid_audit) column. |

+| **ResourceDiffMemberNames** | Array\[String\] | An array of the properties of the rule that were changed by the audited activity. For example: `['custom_details','look_back']`. |

+| **ResourceDisplayName** | String | Name of the analytics rule on which the audited activity occurred. |

+| **ResourceGroupName** | String | Resource group of the workspace on which the audited activity occurred. |

+| **ResourceId** | String | The resource ID of the analytics rule on which the audited activity occurred. |

+| **SubscriptionId** | String | The subscription ID of the workspace on which the audited activity occurred. |

+| **WorkspaceId** | String | The resource ID of the workspace on which the audited activity occurred. |

+| **WorkspaceName** | String | The name of the workspace on which the audited activity occurred. |

+ Title: Custom data ingestion and transformation in Microsoft Sentinel

+# Custom data ingestion and transformation in Microsoft Sentinel

+- [Data collection transformations in Azure Monitor Logs](../azure-monitor/essentials/data-collection-transformations.md)

+- [Logs ingestion API in Azure Monitor Logs](../azure-monitor/logs/logs-ingestion-api-overview.md)

+- Use the auditing and health monitoring workbooks provided in Microsoft Sentinel.

+ - [Analytics rules](monitor-analytics-rule-integrity.md#use-the-auditing-and-health-monitoring-workbook)

+|`sort` |Sorts the search results by the specified fields. |[sort](/azure/data-explorer/kusto/query/sort-operator) |`T | sort by strlen(country) asc, price desc` |

+ - The log also records, for each running of an analytics rule:

+ - How many events were captured by the rule's query.

+ - Whether the number of events passed the threshold defined in the rule, causing the rule to fire an alert.

+ These logs are collected in the *SentinelHealth* table in Log Analytics.

+ - This log captures events that record changes made to any analytics rule, including the following details:

+ - The name of the rule that was changed.

+ - Which properties of the rule were changed.

+ - The state of the rule settings before and after the change.

+ - The user or identity that made the change.

+ - The source IP and date/time of the change.

+ - ...and more.

+

+ These logs are collected in the *SentinelAudit* table in Log Analytics.

+## Use the auditing and health monitoring workbook

+1. To make the workbook available in your workspace, you must install the workbook solution from the Microsoft Sentinel content hub:

+ 1. From the Microsoft Sentinel portal, select **Content hub (Preview)** from the **Content management** menu.

+ 1. In the **Content hub**, enter *health* in the search bar, and select **Analytics Health & Audit** from among the **Workbook** solutions under **Standalone** in the results.

+ :::image type="content" source="media/monitor-analytics-rule-integrity/select-workbook-from-content-hub.png" alt-text="Screenshot of selection of analytics health workbook from content hub.":::

+ 1. Select **Install** from the details pane, then select **Save** that appears in its place.

+1. When the solution indicates it's installed, select **Workbooks** from the **Threat management** menu.

+ :::image type="content" source="media/monitor-analytics-rule-integrity/installed.png" alt-text="Screenshot of indication that analytics health workbook solution is installed from content hub.":::

+1. In the **Workbooks** gallery, select the **Templates** tab, enter *health* in the search bar, and select **Analytics Health & Audit** from among the results.

+ :::image type="content" source="media/monitor-analytics-rule-integrity/select-workbook-template.png" alt-text="Screenshot of selecting analytics health workbook from template gallery.":::

+1. Select **Save** in the details pane to create an editable and usable copy of the workbook. When the copy is created, select **View saved workbook**.

+1. Once in the workbook, first select the **subscription** and **workspace** you wish to view (they may already be selected), then define the **TimeRange** to filter the data according to your needs. Use the **Show help** toggle to display in-place explanation of the workbook.

+ :::image type="content" source="media/monitor-analytics-rule-integrity/analytics-health-workbook-overview.png" alt-text="Screenshot of analytics rule health workbook overview tab.":::

+There are three tabbed sections in this workbook:

+### Overview tab

+The **Overview** tab shows health and audit summaries:

+- Health summaries of the status of analytics rule runs in the selected workspace: number of runs, successes and failures, and failure event details.

+- Audit summaries of activities on analytics rules in the selected workspace: number of activities over time, number of activities by type, and number of activities of different types by rule.

+### Health tab

+The **Health** tab lets you drill down to particular health events.

+- Filter the whole page data by **status** (success/failure) and **rule type** (scheduled/NRT).

+- See the trends of successful and/or failed rule runs (depending on the status filter) over the selected time period. You can "time brush" the trend graph to see a subset of the original time range.

+ :::image type="content" source="media/monitor-analytics-rule-integrity/analytics-rule-runs-over-time.png" alt-text="Screenshot of analytics rule runs over time in analytics health workbook.":::

+- Filter the rest of the page by **reason**.

+- See the total number of runs for all the analytics rules, displayed proportionally by status in a pie chart.

+- Following that is a table showing the number of unique analytics rules that ran, broken down by rule type and status.

+ - Select a status to filter the remaining charts for that status.

+ - Clear the filter by selecting the "Clear selection" icon (it looks like an "Undo" icon) in the upper right corner of the chart.

+ :::image type="content" source="media/monitor-analytics-rule-integrity/number-rule-runs-by-status-and-type.png" alt-text="Screenshot of number of rules run by status and type in the analytics health workbook.":::

+- See each status, with the number of possible reasons for that status. (Only reasons represented in the runs in the selected time frame will be shown.)

+ - Select a status to filter the remaining charts for that status.

+ - Clear the filter by selecting the "Clear selection" icon (it looks like an "Undo" icon) in the upper right corner of the chart.

+ :::image type="content" source="media/monitor-analytics-rule-integrity/unique-reasons-by-status.png" alt-text="Screenshot of number of unique reasons by status in analytics health workbook.":::

+- Next, see a list of those reasons, with the number of total rule runs combined and the number of unique rules that were run.

+ - Select a reason to filter the following charts for that reason.

+ - Clear the filter by selecting the "Clear selection" icon (it looks like an "Undo" icon) in the upper right corner of the chart.

+ :::image type="content" source="media/monitor-analytics-rule-integrity/rule-runs-by-reason.png" alt-text="Screenshot of rule runs by unique reason in analytics health workbook.":::

+- After that is a list of the unique analytics rules that ran, with the latest results and trendlines of their success and/or failure (depending on the status selected to filter the list).

+ - Select a rule to drill down and show a new table with all the runnings of that rule (in the selected time frame).

+ - Clear that table by selecting the "Clear selection" icon (it looks like an "Undo" icon) in the upper right corner of the chart.

+ :::image type="content" source="media/monitor-analytics-rule-integrity/unique-rules-by-status-and-trend.png" alt-text="Screenshot of list of unique rules run, with status and trendlines, in analytics health workbook.":::

+- If you selected a rule in the list above, a new table will appear with the health details for the selected rule.

+### Audit tab

+The **Audit** tab lets you drill down to particular audit events.

+- Filter the whole page data by **audit rule type** (scheduled/Fusion).

+- See the trends of audited activity on analytics rules over the selected time period. You can "time brush" the trend graph to see a subset of the original time range.

+ :::image type="content" source="media/monitor-analytics-rule-integrity/audit-trending-by-activity.png" alt-text="Screenshot of trending audit activity in analytics health workbook.":::

+- See the numbers of audited events, broken down by **activity** and **rule type**.

+ - Select an activity to filter the following charts for that activity.

+ - Clear the filter by selecting the "Clear selection" icon (it looks like an "Undo" icon) in the upper right corner of the chart.

+ :::image type="content" source="media/monitor-analytics-rule-integrity/number-audit-events-by-activity-and-type.png" alt-text="Screenshot of counts of audit events by activity and type in analytics health workbook.":::

+- See the number of audited events by **rule name**.

+ - Select a rule name to filter the following table for that rule, and to drill down and show a new table with all the activity on that rule (in the selected time frame). (See after the following screenshot.)

+ - Clear the filter by selecting the "Clear selection" icon (it looks like an "Undo" icon) in the upper right corner of the chart.

+ :::image type="content" source="media/monitor-analytics-rule-integrity/activity-by-rule-name-and-caller.png" alt-text="Screenshot of audited events by rule name and caller in analytics health workbook.":::

+- See the number of audited events by **caller** (the identity that performed the activity).

+- If you selected a rule name in the chart depicted above, another table will appear showing the audited **activities** on that rule. Select the value that appears as a link in the ExtendedProperties column to open a side panel displaying the changes made to the rule.

+ :::image type="content" source="media/monitor-analytics-rule-integrity/audit-activity-for-rule.png" alt-text="Screenshot of audit activity for selected rule in analytics health workbook.":::

+# Deploy and monitor Azure Key Vault honeytokens with Microsoft Sentinel (Community supported)

+> The Microsoft Sentinel Deception (Honey Tokens) solution is offered in a community supported model by the [Microsoft SIEM & XDR Community](https://github.com/Azure/Azure-Sentinel/wiki). Any support required can be raised as an [issue](https://github.com/Azure/Azure-Sentinel/issues) on GitHub where the Microsoft Sentinel community can assist.

+> For solution documentation, review the [Honeytokens solution GitHub page](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/HoneyTokens).

+## Azure Key Vault honeytokens is now a community supported solution

+To deploy and monitor Azure Key Vault honeytokens with Microsoft Sentinel, review the [Honeytokens solution GitHub page](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/HoneyTokens).

+[DTA-Sub]: https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FHoneyTokens%2FASCRecommendationPolicySub.json

+| **EventSubType** | Optional | String | The sign-in type. Allowed values include:<br> - `System`<br> - `Interactive`<br> - `RemoteInteractive`<br> - `Service`<br> - `RemoteService`<br> - `Remote` - Use when the type of remote sign-in is unknown.<br> - `AssumeRole` - Typically used when the event type is `Elevate`. <br><br>The value may be provided in the source record using different terms, which should be normalized to these values. The original value should be stored in the field [EventOriginalSubType](normalization-common-fields.md#eventoriginalsubtype). |

+| **EventResultDetails** | Recommended | Enumerated | Reason or details for the result reported in the [EventResult](#eventresult) field. Supported values are:<br> - Failover <br> - Invalid TCP <br> - Invalid Tunnel<br> - Maximum Retry<br> - Reset<br> - Routing issue<br> - Simulation<br> - Terminated<br> - Timeout<br> - Transient error<br> - Unknown<br> - NA.<br><br>The original, source specific, value is stored in the [EventOriginalResultDetails](normalization-common-fields.md#eventoriginalresultdetails) field. |

+description: This article describes upcoming centralization changes for out-of-the-box content in Microsoft Sentinel.

+#Customer intent: As a SIEM decision maker or implementer, I want to know about changes to out-of-the-box content, and how to centralize the management, discovery, and inventory of content in Microsoft Sentinel.

+The Microsoft Sentinel content hub enables discovery and on-demand installation of out-of-the-box (OOTB) content and solutions in a single step. Previously, some of this OOTB content existed only in various gallery sections of Microsoft Sentinel. Now, *all* of the following gallery content templates are available in the content hub as standalone items or as part of packaged solutions:

+- Data connectors

+- Analytics rule templates

+- Hunting queries

+- Playbook templates

+- Workbook templates

+To centralize all OOTB content, we're planning to retire the gallery-only content templates. The legacy gallery content templates are no longer being updated consistently, and the content hub is where OOTB content stays up to date. The content hub also provides update workflows for solutions and automatic updates for standalone content.

+To facilitate this transition, we're publishing a central tool to reinstate **IN USE** retired templates from corresponding content hub solutions.

+## Microsoft Sentinel GitHub changes

+Microsoft Sentinel has an official [GitHub repository](https://github.com/Azure/Azure-Sentinel) for community contributions that are vetted by Microsoft and the community. It's the source for most of the content items in the content hub.

+For consistent discovery of this content, the OOTB content centralization changes have already been extended to the Microsoft Sentinel GitHub repo:

+- All OOTB content packaged from content hub solutions is now stored in the GitHub repo's [Solutions folder](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions).

+- All standalone OOTB content items will remain in their respective locations.

+These changes to the content hub and the Microsoft Sentinel GitHub repo will complete the journey toward centralizing Microsoft Sentinel content.

+The centralization change in the Microsoft Sentinel portal is expected to go live in all Microsoft Sentinel workspaces in Q2 2023. The Microsoft Sentinel GitHub changes have already happened. Standalone content is available in existing GitHub folders, and solution content has been moved to the *Solutions* folder.

+This change is scoped to only the *gallery content* type of templates. All these same templates and more OOTB content are available in the content hub as solutions or standalone content.

+For the Microsoft Sentinel GitHub repo, OOTB content packaged in solutions in the content hub is now listed only under the GitHub repo's [Solutions folder](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions). The other existing GitHub content is scoped to the following folders and contains only standalone content items. Content in the remaining GitHub folders not mentioned in this list doesn't have any changes.

+- [Detections folder](https://github.com/Azure/Azure-Sentinel/tree/master/Detections) (analytics rules)

+- [Hunting Queries folder](https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries)

+This change does not affect active or custom items (created from templates or otherwise). Specifically, this change doesn't affect the following items:

+- Data connectors with **Status** = **Connected**.

+- Alert rules or detections (enabled or disabled) on the **Active rules** tab in the analytics gallery.

+- Saved workbooks on the **My workbooks** tab in the workbooks gallery.

+- Cloned content or **Content source** = **Custom** in the hunting gallery.

+- Active playbooks (enabled or disabled) on the **Active playbooks** tab in the automation gallery.

+This change also doesn't affect any OOTB content templates installed from the content hub (identifiable as **Content source** = **Content hub**).

+All template galleries will display an in-product warning banner. This banner will contain a link to a tool that will run within the Microsoft Sentinel portal. Activating the tool will start a guided experience to reinstate the content templates for the **IN USE** retired templates from the content hub.

+This tool needs to run only once per workspace, so be sure to plan with your organization. After the tool runs successfully, the warning banner will disappear from the template galleries of that workspace.

+The following table lists specific impacts to the content templates for each of these galleries. Expect these changes when the OOTB content centralization goes live.

+| Content type | Impact |

+| [Data connectors](connect-data-sources.md) | Templates identifiable as **Content source** = **Gallery content** and **Status** = **Not connected** will no longer appear in the data connectors gallery. |

+| [Analytics](detect-threats-built-in.md#view-built-in-detections) | Templates identifiable as **Source name** = **Gallery content** will no longer appear in the analytics gallery. |

+| [Hunting](hunting.md#use-built-in-queries) | Templates with **Content source** = **Gallery content** will no longer appear in the hunting gallery. |

+| [Playbooks](use-playbook-templates.md#explore-playbook-templates) | Templates identifiable as **Source name** = **Gallery content** will no longer appear in the automation playbooks gallery. |

+| [Workbooks](get-visibility.md#use-built-in-workbooks) | Templates with **Content source** = **Gallery content** will no longer appear in the workbooks gallery. |

+Here's an example of an analytics rule before and after the centralization changes and the tool has run:

+- The active analytics rule won't change at all. It's based on an analytics rule template that will be retired.

+

+ :::image type="content" source="media/sentinel-content-centralize/before-tool-analytic-rule-active-2.png" alt-text="Screenshot that shows an active analytics rule before centralization changes." lightbox="media/sentinel-content-centralize/before-tool-analytic-rule-active-2.png":::

+ This screenshot shows an analytics rule template that will be retired.

+ :::image type="content" source="media/sentinel-content-centralize/before-tool-analytic-rule-templates-2.png" alt-text="Screenshot that shows the analytics rule template that will be retired." lightbox="media/sentinel-content-centralize/before-tool-analytic-rule-templates-2.png":::

+- After you run the tool to reinstate the analytics rule template, the source changes to the solution that it's reinstated from.

+ :::image type="content" source="media/sentinel-content-centralize/after-tool-analytic-rule-template-2.png" alt-text="Screenshot that shows the analytics rule template after being reinstated from the content hub Azure Active Directory solution." lightbox="media/sentinel-content-centralize/after-tool-analytic-rule-template-2.png":::

+- Starting now, install new OOTB content from the content hub and update solutions as needed to have the latest versions of templates.

+- For existing gallery content templates in use, get future updates by installing the solutions or standalone content items from the content hub. The gallery content in the feature galleries might be out of date.

+- If you have applications or processes that directly get OOTB content from the Microsoft Sentinel GitHub repository, update the locations to include getting OOTB content from the *Solutions* folder in addition to existing content folders.

+- Plan with your organization who will run the tool, and when, after you see the warning banner and the change goes live in Q2 2023. The tool needs to run once in a workspace to reinstate all **IN USE** retired templates from the content hub.

+- Review the following FAQs to learn more details that might apply to your environment.

+### Will this change affect my SOC alert generation or incident generation and management?

+No. There's no impact to active alert rules or detections, active playbooks, cloned hunting queries, or saved workbooks. The OOTB content centralization change won't affect your current incident generation and management processes.

+### Are there any exceptions for gallery content?

+Yes. The following types of analytics rule templates are exempt from this change:

+- ML Behavior Analytics (machine learning) rule templates

+- Microsoft Security (incident creation) rule templates

+- Threat Intelligence rule templates

+### Will this change affect any of the APIs?

+Yes. Currently, the only Microsoft Sentinel REST API calls that exist for content template management are the `Get` and `List` operations for alert rule templates. These operations only surface gallery content templates and won't be updated. For more information on these operations, see the current [Alert Rule Templates REST API reference](/rest/api/securityinsights/stable/alert-rule-templates).

+New REST API operations on the content hub will be available soon to enable OOTB content management scenarios more broadly. This API update will include operations for the same content types scoped in the centralization changes (data connectors, playbook templates, workbook templates, analytics rule templates, hunting queries). A mechanism to update analytics rule templates installed on the workspace is also on the roadmap.

+**Action needed:** Plan to update your applications and processes to use the new OOTB content management API operations on the content hub when those are available in Q2 2023.

+### How will the central tool identify my in-use OOTB content templates?

+The tool builds a list of solutions based on two criteria: data connectors with **Status** = **Connected** and **IN USE** playbook templates. After the tool builds the proposed list of solutions, it will present the list for approval. If the list is approved, the tool installs all those solutions. Because the OOTB content is reinstated based on solutions, you might get more templates than you actually use.

+This central tool is a best effort to get your **IN USE** OOTB content templates reinstated from the content hub. You can install omitted OOTB content directly from the content hub.

+### What if I'm using APIs to connect data sources in my Microsoft Sentinel workspace?

+

+Currently, if an API data connection matches the data connector data type, it will appear as **Status** = **Connected** in the data connectors gallery. After the centralization changes go live, the specific data connector needs to be installed from a respective solution to get the same behavior.

+**Action needed:** Plan to update processes or tooling for your data connector deployments to install from content hub solutions before connecting with data ingestion APIs. The REST API operator for installing a solution will be coming in Q2 2023 with the OOTB content management APIs.

+### What if I'm working with content by using the repositories feature in Microsoft Sentinel?

+Repositories specifically deploy custom or active content in Microsoft Sentinel. The OOTB content centralization changes won't affect content that's deployed through the repositories feature.

+Take a look at these other resources for OOTB content and the content hub:

+- [About Microsoft Sentinel content and solutions](sentinel-solutions.md)

+- [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md)

+- Video: [Using content hub to manage your SIEM content](https://www.youtube.com/watch?v=OtHs4dnR0yA&list=PL3ZTgFEc7LyvY90VTpKVFf70DXM7--47u&index=10)

+- Explore the new [Analytics Health & Audit workbook](monitor-analytics-rule-integrity.md#use-the-auditing-and-health-monitoring-workbook).

+An Azure Service Fabric application is a collection of services. During an upgrade, Service Fabric compares the new [application manifest](service-fabric-application-and-service-manifests.md) with the previous version and determines which services in the application require updates. Service Fabric compares the version in the service manifests with the version in the previous version. If the service version has not changed, that service will not be upgraded.

+#### Option 2: Azure portal

+1. In your Azure Spring Apps instance, select **Apps** in the navigation pane.

+ :::image type="content" source="media/dynatrace-oneagent/existing-applications.png" alt-text="Screenshot of the Azure portal showing the Apps page for an Azure Spring Apps instance." lightbox="media/dynatrace-oneagent/existing-applications.png":::

+1. Select the application from the list, and then select **Configuration** in the navigation pane.

+1. Use the **Environmental variables** tab to add or update the variables used by your application.

+ :::image type="content" source="media/dynatrace-oneagent/configuration-application.png" alt-text="Screenshot of the Azure portal showing the Configuration page for an app in an Azure Spring Apps instance, with the Environmental variables tab selected." lightbox="media/dynatrace-oneagent/configuration-application.png":::

+| Use familiar development tools. | IntelliJ, Visual Studio Code, Eclipse, Spring Tool Suite, Maven, or Gradle |

+For feature updates about Azure Spring Apps, see [Azure updates](https://azure.microsoft.com/updates/?query=spring).

+- For offline data movement to the desired tier, see [Azure Data Box](https://azure.microsoft.com/products/databox/).

+> The examples in this article assume that you've provided authorization credentials by using Azure Active Directory (Azure AD) and that your Azure AD identity has the proper role assignments for the destination account. The source account, if different from the destination, must use a SAS token with the proper read permissions or allow public access. For example: azcopy copy 'https://<source-storage-account-name>.blob.core.windows.net/<container-name>/<blob-path><SAS-token>' 'https://<destination-storage-account-name>.blob.core.windows.net/<container-name>/<blob-path>'.

+> Alternatively you can also append a SAS token to the destination URL in each AzCopy command. For example: azcopy copy 'https://<source-storage-account-name>.blob.core.windows.net/<container-name>/<blob-path><SAS-token>' 'https://<destination-storage-account-name>.blob.core.windows.net/<container-name>/<blob-path><SAS-token>'.

+5. Although cloud management can be done with the Azure portal, advanced registered server functionality is provided through PowerShell cmdlets that are intended to be run locally in either PowerShell 5.1 or PowerShell 6+. PowerShell 5.1 ships by default on Windows Server 2016 and above. On Windows Server 2012 R2, you can verify that you are running at least PowerShell 5.1.\* by looking at the value of the **PSVersion** property of the **$PSVersionTable** object:

+ ```powershell

+ $PSVersionTable.PSVersion

+ ```

+ If your **PSVersion** value is less than 5.1.\*, as will be the case with most fresh installations of Windows Server 2012 R2, you'll need to upgrade by downloading and installing [Windows Management Framework (WMF) 5.1](https://www.microsoft.com/download/details.aspx?id=54616). The appropriate package to download and install for Windows Server 2012 R2 is **Win8.1AndW2K12R2-KB\*\*\*\*\*\*\*-x64.msu**.

+ PowerShell 6+ can be used with any supported system, and can be downloaded via its [GitHub page](https://github.com/PowerShell/PowerShell#get-powershell).

+5. PowerShell 5.1 or PowerShell 6+. You may use the Az PowerShell module for Azure File Sync on any supported system, including non-Windows systems, however the server registration cmdlet must always be run on the Windows Server instance you are registering (this can be done directly or via PowerShell remoting). PowerShell 5.1 ships by default on Windows Server 2016 and above. On Windows Server 2012 R2, you can verify that you are running at least PowerShell 5.1.\* by looking at the value of the **PSVersion** property of the **$PSVersionTable** object:

+8. Although cloud management can be done with the Azure CLI, advanced registered server functionality is provided through PowerShell cmdlets that are intended to be run locally in either PowerShell 5.1 or PowerShell 6+. PowerShell 5.1 ships by default on Windows Server 2016 and above. On Windows Server 2012 R2, you can verify that you are running at least PowerShell 5.1.\* by looking at the value of the **PSVersion** property of the **$PSVersionTable** object:

+ ```powershell

+ $PSVersionTable.PSVersion

+ ```

+ If your **PSVersion** value is less than 5.1.\*, as will be the case with most fresh installations of Windows Server 2012 R2, you'll need to upgrade by downloading and installing [Windows Management Framework (WMF) 5.1](https://www.microsoft.com/download/details.aspx?id=54616). The appropriate package to download and install for Windows Server 2012 R2 is **Win8.1AndW2K12R2-KB\*\*\*\*\*\*\*-x64.msu**.

+ PowerShell 6+ can be used with any supported system, and can be downloaded via its [GitHub page](https://github.com/PowerShell/PowerShell#get-powershell).

+ - Windows 11 Enterprise/Pro single or multi-session.

+ - Windows 10 Enterprise/Pro single or multi-session, versions 2004 or later with the latest cumulative updates installed, especially the [KB5007253 - 2021-11 Cumulative Update Preview for Windows 10](https://support.microsoft.com/topic/november-22-2021-kb5007253-os-builds-19041-1387-19042-1387-19043-1387-and-19044-1387-preview-d1847be9-46c1-49fc-bf56-1d469fc1b3af).

+>[!WARNING]

+> * The [.NET for Apache Spark](https://github.com/dotnet/spark) is an open-source project under the .NET Foundation that currently requires the .NET 3.1 library, which has reached the out-of-support status. We would like to inform users of Azure Synapse Spark of the removal of the .NET for Apache Spark library in the Azure Synapse Runtime for Apache Spark version 3.3. Users may refer to the [.NET Support Policy](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) for more details on this matter. As a result, users it will no longer be possible for users to utilize Apache Spark APIs via C# and F#, or execute C# code in notebooks within Synapse or through Apache Spark Job definitions in Synapse. It is important to note that this change affects only Azure Synapse Runtime for Apache Spark 3.3 and above. We will continue to support .NET for Apache Spark in all previous versions of the Azure Synapse Runtime according to [their lifecycle stages](/runtime-for-apache-spark-lifecycle-and-supportability.md). However, we do not have plans to support .NET for Apache Spark in Azure Synapse Runtime for Apache Spark 3.3 and future versions. We recommend that users with existing workloads written in C# or F# migrate to Python or Scala. Users are advised to take note of this information and plan accordingly.

+This article walks you through the process of using the Azure REST API to trigger an assessment and an update deployment on your Azure Arc-enabled servers with update management (preview) in Azure. If you're new to update management center (preview) and you want to learn more, see [overview of update management center (preview)](overview.md). To use the Azure REST API to manage Azure virtual machines, see [How to programmatically work with Azure virtual machines](manage-vms-programmatically.md).

+| `rebootSetting` | Flag to state if you should reboot the machine and if the Guest OS update installation needs it for completion. Acceptable values are: `IfRequired, NeverReboot, AlwaysReboot`. |

+| `windowsParameters - kbNumbersToInclude` | List of Windows Update KB IDs that are available to the machine and that you need install. If you've included any 'classificationsToInclude', the KBs available in the category are installed. 'kbNumbersToInclude' is an option to provide list of specific KB IDs over and above that you want to get installed. For example: `1234` |

+| `windowsParameters - kbNumbersToExclude` | List of Windows Update KB Ids that are available to the machine and that should **not** be installed. If you've included any 'classificationsToInclude', the KBs available in the category will be installed. 'kbNumbersToExclude' is an option to provide list of specific KB IDs that you want to ensure don't get installed. For example: `5678` |

+| `linuxParameters - packageNameMasksToInclude` | List of Linux packages that are available to the machine and need to be installed. If you've included any 'classificationsToInclude', the packages available in the category will be installed. 'packageNameMasksToInclude' is an option to provide list of packages over and above that you want to get installed. For example: `mysql, libc=1.0.1.1, kernel*` |

+| `linuxParameters - packageNameMasksToExclude` | List of Linux packages that are available to the machine and should **not** be installed. If you've included any 'classificationsToInclude', the packages available in the category will be installed. 'packageNameMasksToExclude' is an option to provide list of specific packages that you want to ensure don't get installed. For example: `mysql, libc=1.0.1.1, kernel*` |

+| `properties.maintenanceWindow.expirationDateTime` | Effective expiration date of the maintenance window in YYYY-MM-DD hh:MM format. The window is created in the time zone provided to daylight savings according to that time zone. You must set the expiration date to a future date. If not provided, it will be set to the maximum datetime 9999-12-31 23:59:59. |

+| `properties.maintenanceWindow.recurEvery` | Rate at which a Maintenance window is expected to recur. The rate can be expressed as daily, weekly, or monthly schedules. You can format daily schedules as recurEvery: [Frequency as integer]['Day(s)']. If no frequency is provided, the default frequency is 1. Daily schedule examples are recurEvery: Day, recurEvery: 3Days. Weekly schedule are formatted as recurEvery: [Frequency as integer]['Week(s)'] [Optional comma separated list of weekdays Monday-Sunday]. Weekly schedule examples are recurEvery: 3Weeks, recurEvery: Week Saturday, Sunday. You can format monthly schedules as [Frequency as integer]['Month(s)'] [Comma separated list of month days] or [Frequency as integer]['Month(s)'] [Week of Month (First, Second, Third, Fourth, Last)] [Weekday Monday-Sunday]. Monthly schedule examples are recurEvery: Month, recurEvery: 2Months, recurEvery: Month day23, day24, recurEvery: Month Last Sunday, recurEvery: Month Fourth Monday. |

+| `properties.maintenanceWindow.startDateTime` | Effective start date of the maintenance window in YYYY-MM-DD hh:mm format. You can set the start date to either the current date or future date. The window will be created in the time zone provided and adjusted to daylight savings according to that time zone. |

+| `properties.maintenanceWindow.timeZone` | Name of the timezone. You can obtain the list of timezones by executing [System.TimeZoneInfo]:GetSystemTimeZones() in PowerShell. Example: Pacific Standard Time, UTC, W. Europe Standard Time, Korea Standard Time, Cen. Australia Standard Time. |

+ "extensionProperties": {

+ "InGuestPatchMode" : "User"

+ },

+ "extensionProperties": {

+ "InGuestPatchMode": "User"

+ },

+ "extensionProperties": {

+ "InGuestPatchMode" : "User"

+ },

+## Remove machine from the schedule

+To remove a machine from the schedule, get all the configuration assignment names for the machine that you have created to associate the machine with the current schedule from the Azure Resource Graph as listed:

+```kusto

+maintenanceresources

+| where type =~ "microsoft.maintenance/configurationassignments"

+| where properties.maintenanceConfigurationId =~ "<maintenance configuration Resource ID>"

+| where properties.resourceId =~ "<Machine Resource Id>"

+| project name, id

+```

+After you obtain the name from above, delete the configuration assignment by following the DELETE request -

+```rest

+DELETE on `<ARC or Azure VM resourceId>/providers/Microsoft.Maintenance/configurationAssignments/<configurationAssignment name>?api-version=2021-09-01-preview`

+```

+This article walks you through the process of using the Azure REST API to trigger an assessment and an update deployment on your Azure virtual machine with update management center (preview) in Azure. If you're new to update management center (preview) and you want to learn more, see [overview of update management center (preview)](overview.md). To use the Azure REST API to manage Arc-enabled servers, see [How to programmatically work with Arc-enabled servers](manage-arc-enabled-servers-programmatically.md).

+Update management center (preview) in Azure enables you to use the [Azure REST API](/rest/api/azure/) for access programmatically. Additionally, you can use the appropriate REST commands from [Azure PowerShell](/powershell/azure/) and [Azure CLI](/cli/azure/).

+| `rebootSetting` | Flag to state if machine should be rebooted and if Guest OS update installation requires it for completion. Acceptable values are: `IfRequired, NeverReboot, AlwaysReboot`. |

+| `windowsParameters - kbNumbersToExclude` | List of Windows Update KB Ids that should **not** be installed. This parameter overrides `windowsParameters - classificationsToInclude`, meaning a Windows Update KB ID specified here won't be installed even if it belongs to the classification provided under `classificationsToInclude` parameter. |

+| `linuxParameters - packageNameMasksToExclude` | List of updates that should **not** be installed. This parameter overrides `linuxParameters - packageNameMasksToExclude`, meaning a package specified here won't be installed even if it belongs to the classification provided under `classificationsToInclude` parameter. |

+| `properties.maintenanceWindow.expirationDateTime` | Effective expiration date of the maintenance window in YYYY-MM-DD hh:mm format. The window is created in the time zone provided to daylight savings according to that time zone. Expiration date must be set to a future date. If not provided, it will be set to the maximum datetime 9999-12-31 23:59:59. |

+| `properties.maintenanceWindow.recurEvery` | Rate at which a maintenance window is expected to recur. The rate can be expressed as daily, weekly, or monthly schedules. Daily schedules are formatted as recurEvery: [Frequency as integer]['Day(s)']. If no frequency is provided, the default frequency is 1. Daily schedule examples are recurEvery: Day, recurEvery: 3Days. Weekly schedules are formatted as recurEvery: [Frequency as integer]['Week(s)'] [Optional comma separated list of weekdays Monday-Sunday]. Weekly schedule examples are recurEvery: 3Weeks, recurEvery: Week Saturday, Sunday. Monthly schedules are formatted as [Frequency as integer]['Month(s)'] [Comma separated list of month days] or [Frequency as integer]['Month(s)'] [Week of Month (First, Second, Third, Fourth, Last)] [Weekday Monday-Sunday]. Monthly schedule examples are recurEvery: Month, recurEvery: 2Months, recurEvery: Month day23, day24, recurEvery: Month Last Sunday, recurEvery: Month Fourth Monday. |

+| `properties.maintenanceWindow.startDateTime` | Effective start date of the maintenance window in YYYY-MM-DD hh:mm format. You can set the start date to either the current date or future date. The window will be created in the time zone provided and adjusted to daylight savings according to that time zone. |

+| `properties.maintenanceWindow.timeZone` | Name of the timezone. List of timezones can be obtained by executing [System.TimeZoneInfo]:GetSystemTimeZones() in PowerShell. Example: Pacific Standard Time, UTC, W. Europe Standard Time, Korea Standard Time, Cen. Australia Standard Time. |

+## Remove machine from the schedule

+To remove a machine from the schedule, get all the configuration assignment names for the machine that were created to associate the machine with the current schedule from the Azure Resource Graph as listed:

+```kusto

+maintenanceresources

+| where type =~ "microsoft.maintenance/configurationassignments"

+| where properties.maintenanceConfigurationId =~ "<maintenance configuration Resource ID>"

+| where properties.resourceId =~ "<Machine Resource Id>"

+| project name, id

+```

+After you obtain the name from above, delete the configuration assignment by following the DELETE request -

+```rest

+DELETE on `<ARC or Azure VM resourceId>/providers/Microsoft.Maintenance/configurationAssignments/<configurationAssignment name>?api-version=2021-09-01-preview`

+```

+ ShowInPortal = $true

+ ShowInPortal = $true

+ Title: 'Dlsv5 and Dldsv5 (preview)' #Required; page title is displayed in search results. 60 characters max.

+description: Specifications for the Dlsv5 and Dldsv5-series VMs. #Required; this appears in search as the short description

+# Dlsv5 and Dldsv5-series (preview)

+The Dlsv5 and Dldsv5-series Virtual Machines runs on the Intel&reg; Xeon&reg; Platinum 8370C (Ice Lake) processor in a [hyper threaded](https://www.intel.com/content/www/us/en/architecture-and-technology/hyper-threading/hyper-threading-technology.html) configuration. This new processor features an all core turbo clock speed of 3.5 GHz with [Intel&reg; Turbo Boost Technology](https://www.intel.com/content/www/us/en/architecture-and-technology/turbo-boost/turbo-boost-technology.html), [Intel&reg; Advanced-Vector Extensions 512 (Intel&reg; AVX-512)](https://www.intel.com/content/www/us/en/architecture-and-technology/avx-512-overview.html) and [Intel&reg; Deep Learning Boost](https://software.intel.com/content/www/us/en/develop/topics/ai/deep-learning-boost.html). The Dlsv5 and Dldsv5 VM series provides 2GiBs of RAM per vCPU and optimized for workloads that require less RAM per vCPU than standard VM sizes. Target workloads include web servers, gaming, video encoding, AI/ML, and batch processing.

+> [!NOTE]

+> This feature is currently in preview. Previews are made available to you on the condition that you agree to the [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). Some aspects of this feature may change prior to general availability (GA).

+## Dlsv5-series

+Dlsv5-series virtual machines run on the 3rd Generation Intel® Xeon® Platinum 8370C (Ice Lake) processor reaching an all core turbo clock speed of up to 3.5 GHz. These virtual machines offer up to 96 vCPU and 192 GiB of RAM. These VM sizes can reduce cost when running non-memory intensive applications.

+Dlsv5-series virtual machines do not have any temporary storage thus lowering the price of entry. You can attach Standard SSD, Standard HDD, and Premium SSD disk types. You can also attach Ultra Disk storage based on its regional availability. Disk storage is billed separately from virtual machines. [See pricing for disks](https://azure.microsoft.com/pricing/details/managed-disks/).

+[Premium Storage](premium-storage-performance.md): Supported<br>

+[Premium Storage caching](premium-storage-performance.md): Supported<br>

+[Live Migration](maintenance-and-updates.md): Supported<br>

+[Memory Preserving Updates](maintenance-and-updates.md): Supported<br>

+[VM Generation Support](generation-2.md): Generation 1 and 2<br>

+[Accelerated Networking](../virtual-network/create-vm-accelerated-networking-cli.md)¹: Required <br>

+[Ephemeral OS Disks](ephemeral-os-disks.md): Not Supported <br>

+[Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Supported <br>

+<br>

+| Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Max data disks | Max uncached disk throughput: IOPS/MBps^* | Max burst uncached disk throughput: IOPS/MBps3 | Max NICs |Max network bandwidth (Mbps) |

+||||||||| |

+| Standard_D2ls_v5 | 2 | 4 | Remote Storage Only | 4 | 3750/85 | 10000/1200 | 2 | 12500 |

+| Standard_D4ls_v5 | 4 | 8 | Remote Storage Only | 8 | 6400/145 | 20000/1200 | 2 | 12500 |

+| Standard_D8ls_v5 | 8 | 16 | Remote Storage Only | 16 | 12800/290 | 20000/1200 | 4 | 12500 |

+| Standard_D16s_v5 | 16 | 32 | Remote Storage Only | 32 | 25600/600 | 40000/1200 | 8 | 12500 |

+| Standard_D32ls_v5 | 32 | 64 | Remote Storage Only | 32 | 51200/865 | 80000/2000 | 8 | 16000 |

+| Standard_D48ls_v5 | 48 | 96 | Remote Storage Only | 32 | 76800/1315 | 80000/3000 | 8 | 24000 |

+| Standard_D64ls_v5 | 64 | 128 | Remote Storage Only | 32 | 80000/1735 | 80000/3000 | 8 | 30000 |

+| Standard_D96ls_v5 | 96 | 192 | Remote Storage Only | 32 | 80000/2600 | 80000/4000 |8 | 35000 |

+^* These IOPs values can be guaranteed by using [Gen2 VMs](generation-2.md)<br>

+¹ Accelerated networking is required and turned on by default on all Dlsv5 virtual machines.<br>

+## Dldsv5-series

+Dldsv5-series virtual machines run on the 3rd Generation Intel® Xeon® Platinum 8370C (Ice Lake) processor reaching an all core turbo clock speed of up to 3.5 GHz. These virtual machines offer up to 96 vCPU and 192 GiB of RAM as well as fast, local SSD storage up to 3,600 GiB. These VM sizes can reduce cost when running non-memory intensive applications.

+Dldsv5-series virtual machines support Standard SSD, Standard HDD, and Premium SSD disk types. You can also attach Ultra Disk storage based on its regional availability. Disk storage is billed separately from virtual machines. [See pricing for disks](https://azure.microsoft.com/pricing/details/managed-disks/).

+[Premium Storage](premium-storage-performance.md): Supported<br>

+[Premium Storage caching](premium-storage-performance.md): Supported<br>

+[Live Migration](maintenance-and-updates.md): Supported<br>

+[Memory Preserving Updates](maintenance-and-updates.md): Supported<br>

+[VM Generation Support](generation-2.md): Generation 1 and 2<br>

+[Accelerated Networking](../virtual-network/create-vm-accelerated-networking-cli.md)¹: Required <br>

+[Ephemeral OS Disks](ephemeral-os-disks.md): Supported <br>

+[Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Supported <br>

+<br>

+| Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Max data disks | Max temp storage throughput: IOPS/MBps^* | Max uncached disk throughput: IOPS/MBps | Max burst uncached disk throughput: IOPS/MBps³ | Max NICs | Max network bandwidth (Mbps) |

+|||||||||||

+| Standard_D2lds_v5 | 2 | 4 | 75 | 4 | 9000/125 | 3750/85 | 10000/1200 | 2 | 12500 |

+| Standard_D4lds_v5 | 4 | 8 | 150 | 8 | 19000/250 | 6400/145 | 20000/1200 | 2 | 12500 |

+| Standard_D8lds_v5 | 8 | 16 | 300 | 16 | 38000/500 | 12800/290 | 20000/1200 | 4 | 12500 |

+| Standard_D16lds_v5 | 16 | 32 | 600 | 32 | 75000/1000 | 25600/600 | 40000/1200 | 8 | 12500 |

+| Standard_D32lds_v5 | 32 | 64 | 1200 | 32 | 150000/2000 | 51200/865 | 80000/2000 | 8 | 16000 |

+| Standard_D48lds_v5 | 48 | 96 | 1800 | 32 | 225000/3000 | 76800/1315 | 80000/3000 | 8 | 24000 |

+| Standard_D64lds_v5 | 64 | 128 | 2400 | 32 | 300000/4000 | 80000/1735 | 80000/3000 | 8 | 30000 |

+| Standard_D96lds_v5 | 96 | 192 | 3600 | 32 | 450000/4000 | 80000/2600 | 80000/4000 | 8 | 35000 |

+^* These IOPs values can be guaranteed by using [Gen2 VMs](generation-2.md)<br>

+¹ Accelerated networking is required and turned on by default on all Dldsv5 virtual machines.<br>

+² Dldsv5-series virtual machines can [burst](disk-bursting.md) their disk performance and get up to their bursting max for up to 30 minutes at a time.

+## Other sizes and information

+- [General purpose](sizes-general.md)

+- [Memory optimized](sizes-memory.md)

+- [Storage optimized](sizes-storage.md)

+- [GPU optimized](sizes-gpu.md)

+- [High performance compute](sizes-hpc.md)

+- [Previous generations](sizes-previous-gen.md)

+Pricing Calculator: [Pricing Calculator](https://azure.microsoft.com/pricing/calculator/)

+For more information on Disks Types: [Disk Types](./disks-types.md#ultra-disks)

+## Next steps

+Learn more about how [Azure compute units (ACU)](acu.md) can help you compare compute performance across Azure SKUs.

+This article shows you how to change an existing virtual machine's [VM size](sizes.md).

+After you create a virtual machine (VM), you can scale the VM up or down by changing the VM size. In some cases, you must deallocate the VM first. Deallocation may be necessary if the new size isn't available on the same hardware cluster that is currently hosting the VM.

+> [!Note]

+> If the virtual machine is currently running, changing its size will cause it to restart.

+1. View the list of available VM sizes on the current hardware cluster using [az vm list-vm-resize-options](/cli/azure/vm). The following example lists VM sizes for the VM named `myVM` in the resource group `myResourceGroup` region:

+2. If you find the desired VM size listed, resize the VM with [az vm resize](/cli/azure/vm). The following example resizes the VM named `myVM` to the `Standard_DS3_v2` size:

+ The VM restarts during this process. After the restart, your VM will keep existing OS and data disks. Anything on the temporary disk will be lost.

+3. If you don't see the desired VM size, deallocate the VM with [az vm deallocate](/cli/azure/vm). This process allows you to resize the VM to any size available that the region supports. The following steps deallocate, resize, and then start the VM named `myVM` in the resource group named `myResourceGroup`:

+List the VM sizes that are available in the region where you hosted the VM.

+If you see the size you want listed, run the following commands to resize the VM. If you don't see the desired size, go on to step 3.

+If you don't see the size you want listed, run the following commands to deallocate the VM, resize it, and restart the VM. Replace **\<newVMsize>** with the size you want.

+If the new size for a VM in an availability set isn't available on the hardware cluster currently hosting the VM, then you will need to deallocate all VMs in the availability set to resize the VM. You also might need to update the size of other VMs in the availability set after one VM has been resized. To resize a VM in an availability set, perform the following steps.

+List the VM sizes that are available on the hardware cluster where you hosted the VM.

+If you see the size you want listed, run the following commands to resize the VM. If you don't see it listed, go to the next section.

+If you don't see the size you want listed, continue with the following steps to deallocate all VMs in the availability set, resize VMs, and restart them.

+If you frequently use the portal to deploy Linux VMs, you can simplify using SSH keys by integrating them into Azure. There are several ways to create SSH keys for use with Azure.

+- You can create SSH keys when you first create a VM. Your keys aren't tied to a specific VM and you can use them in future applications.

+- You can create SSH keys in the Azure portal separate from a VM. You can use them with both new and old VMs.

+- You can create SSH keys externally and upload them for use in Azure.

+You can reuse your stored keys in various of applications to fit your organization's needs.

+1. In **Region** select a region to store your keys. You can use the keys in any region, this option is just the region where you store them.

+1. When you're done, select **Review + create**.

+1. You'll get a pop-up window to, select **Download private key and create resource** that downloads the SSH key as a .pem file.

+1. Once you've downloaded the .pem file, you might want to move it somewhere on your computer where it's easy to point to from your SSH client.

+1. In **Region** select a region to store your keys. You can use the keys in any region, this option is just the region where they're stored.

+Once you upload the key, you can choose to use it when you create a VM.

+Azure stores your SSH keys created in the portal as resources, so you can filter your resources view to see all of them.

+If you need your public key, you can easily copy it from the portal page for the key. Just list your keys (using the process in the last section) then select a key from the list. The page for your key opens and you can click the **Copy to clipboard** icon next to the key to copy it.

+"sku": "20h2-avd",