-description: Use the Azure Active Directory (Azure AD) PowerShell cmdlet for programmatic management of your Azure AD B2C custom policies. Create, read, update, and delete custom policies with PowerShell.

-#Customer intent: As an Azure AD B2C administrator, I want to manage custom policies using Azure PowerShell, so that I can review, update, and delete policies in my Azure AD B2C tenant.

-# Manage Azure AD B2C custom policies with Azure PowerShell

-Azure PowerShell provides several cmdlets for command line- and script-based custom policy management in your Azure AD B2C tenant. Learn how to use the Azure AD PowerShell module to:

-* [Azure AD PowerShell for Graph **preview module**](/powershell/azure/active-directory/install-adv2)

-To work with custom policies in your Azure AD B2C tenant, you first need to connect your PowerShell session to the tenant by using the [Connect-AzureAD][Connect-AzureAD] command.

-Execute the following command, substituting `{b2c-tenant-name}` with the name of your Azure AD B2C tenant. Sign in with an account that's assigned the [B2C IEF Policy Administrator](../active-directory/roles/permissions-reference.md#b2c-ief-policy-administrator) role in the directory.

-Connect-AzureAD -Tenant "{b2c-tenant-name}.onmicrosoft.com"

-```Console

-PS C:\> Connect-AzureAD -Tenant "contosob2c.onmicrosoft.com"

-Account Environment TenantId TenantDomain AccountType

-azureuser@contoso.com AzureCloud 00000000-0000-0000-0000-000000000000 contosob2c.onmicrosoft.com User

-Discovering custom policies allows an Azure AD B2C administrator to review, manage, and add business logic to their operations. Use the [Get-AzureADMSTrustFrameworkPolicy][Get-AzureADMSTrustFrameworkPolicy] command to return a list of the IDs of the custom policies in an Azure AD B2C tenant.

-Get-AzureADMSTrustFrameworkPolicy

-```Console

-PS C:\> Get-AzureADMSTrustFrameworkPolicy

-After reviewing the list of policy IDs, you can target a specific policy with [Get-AzureADMSTrustFrameworkPolicy][Get-AzureADMSTrustFrameworkPolicy] to download its content.

-Get-AzureADMSTrustFrameworkPolicy [-Id <policyId>]

-```Console

-PS C:\> Get-AzureADMSTrustFrameworkPolicy -Id B2C_1A_signup_signin

-To edit the policy content locally, pipe the command output to a file with the `-OutputFilePath` argument, and then open the file in your favorite editor.

-Example command sending output to a file:

-```PowerShell

-# Download and send policy output to a file

-Get-AzureADMSTrustFrameworkPolicy -Id B2C_1A_signup_signin -OutputFilePath C:\RPPolicy.xml

-```

-After editing a policy file you've created or downloaded, you can publish the updated policy to Azure AD B2C by using the [Set-AzureADMSTrustFrameworkPolicy][Set-AzureADMSTrustFrameworkPolicy] command.

-If you issue the `Set-AzureADMSTrustFrameworkPolicy` command with the ID of a policy that already exists in your Azure AD B2C tenant, the content of that policy is overwritten.

-Set-AzureADMSTrustFrameworkPolicy [-Id <policyId>] -InputFilePath <inputpolicyfilePath> [-OutputFilePath <outputFilePath>]

-Set-AzureADMSTrustFrameworkPolicy -Id B2C_1A_signup_signin -InputFilePath C:\B2C_1A_signup_signin.xml

-For additional examples, see the [Set-AzureADMSTrustFrameworkPolicy][Set-AzureADMSTrustFrameworkPolicy] command reference.

-Use the [New-AzureADMSTrustFrameworkPolicy][New-AzureADMSTrustFrameworkPolicy] command to upload a new policy:

-New-AzureADMSTrustFrameworkPolicy -InputFilePath <inputpolicyfilePath> [-OutputFilePath <outputFilePath>]

-New-AzureADMSTrustFrameworkPolicy -InputFilePath C:\SignUpOrSignInv2.xml

-Use the [Remove-AzureADMSTrustFrameworkPolicy][Remove-AzureADMSTrustFrameworkPolicy] command to delete a policy from your tenant.

-Remove-AzureADMSTrustFrameworkPolicy -Id <policyId>

-Remove-AzureADMSTrustFrameworkPolicy -Id B2C_1A_signup_signin

-For example, here's an attempt at updating a policy with content that contains malformed XML (output is truncated for brevity):

-```Console

-PS C:\> Set-AzureADMSTrustFrameworkPolicy -Id B2C_1A_signup_signin -InputFilePath C:\B2C_1A_signup_signin.xml

-Set-AzureADMSTrustFrameworkPolicy : Error occurred while executing PutTrustFrameworkPolicy

-Code: AADB2C

-Message: Validation failed: 1 validation error(s) found in policy "B2C_1A_SIGNUP_SIGNIN" of tenant "contosob2c.onmicrosoft.com".Schema validation error found at line

-14 col 55 in policy "B2C_1A_SIGNUP_SIGNIN" of tenant "contosob2c.onmicrosoft.com": The element 'OutputClaims' in namespace

-'http://schemas.microsoft.com/online/cpim/schemas/2013/06' cannot contain text. List of possible elements expected: 'OutputClaim' in namespace

-'http://schemas.microsoft.com/online/cpim/schemas/2013/06'.

-...

-```

-[Connect-AzureAD]: /powershell/module/azuread/get-azureadmstrustframeworkpolicy

-[Get-AzureADMSTrustFrameworkPolicy]: /powershell/module/azuread/get-azureadmstrustframeworkpolicy

-[New-AzureADMSTrustFrameworkPolicy]: /powershell/module/azuread/new-azureadmstrustframeworkpolicy

-[Remove-AzureADMSTrustFrameworkPolicy]: /powershell/module/azuread/remove-azureadmstrustframeworkpolicy

-[Set-AzureADMSTrustFrameworkPolicy]: /powershell/module/azuread/set-azureadmstrustframeworkpolicy

-# Multi-modal embeddings (version 4.0 preview)

-Multi-modal embedding is the process of generating a numerical representation of an image that captures its features and characteristics in a vector format. These vectors encode the content and context of an image in a way that is compatible with text search over the same vector space.

-Multi-modal embedding has a variety of applications in different fields, including:

-> Multi-modal embedding is not designed analyze medical images for diagnostic features or disease patterns. Please do not use Multi-modal embedding for medical purposes.

-> [!NOTE]

-> Vector embeddings can only be meaningfully compared if they are from the same model type.

-The following are the main steps of the image retrieval process using Multi-modal embeddings.

-1. Vectorize Images and Text: the Multi-modal embeddings APIs, **VectorizeImage** and **VectorizeText**, can be used to extract feature vectors out of an image or text respectively. The APIs return a single feature vector representing the entire input.

- > Multi-modal embedding does not do any biometric processing of human faces. For face detection and identification, see the [Azure AI Face service](./overview-identity.md).

-Enable Multi-modal embeddings for your search service and follow the steps to generate vector embeddings for text and images.

-* [Call the Multi-modal embeddings APIs](./how-to/image-retrieval.md)

-# Do image retrieval using multi-modal embeddings (version 4.0 preview)

-The Multi-modal embeddings APIs enable the _vectorization_ of images and text queries. They convert images to coordinates in a multi-dimensional vector space. Then, incoming text queries can also be converted to vectors, and images can be matched to the text based on semantic closeness. This allows the user to search a set of images using text, without the need to use image tags or other metadata. Semantic closeness often produces better results in search.

-## Try out Multi-modal embeddings

-You can try out the Multi-modal embeddings feature quickly and easily in your browser using Vision Studio.

-curl.exe -v -X POST "https://<endpoint>/computervision/retrieval:vectorizeImage?api-version=2023-02-01-preview&modelVersion=latest" -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key: <subscription-key>" --data-ascii "

-curl.exe -v -X POST "https://<endpoint>/computervision/retrieval:vectorizeText?api-version=2023-02-01-preview&modelVersion=latest" -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key: <subscription-key>" --data-ascii "

-[Multi-modal embeddings concepts](../concept-image-retrieval.md)

-## Image analysis

-## Multi-modal embeddings (v4.0 preview only)

-The multi-modal embeddings APIs enable the _vectorization_ of images and text queries. They convert images to coordinates in a multi-dimensional vector space. Then, incoming text queries can also be converted to vectors, and images can be matched to the text based on semantic closeness. This allows the user to search a set of images using text, without needing to use image tags or other metadata. Semantic closeness often produces better results in search.

-[Multi-modal embeddings](./concept-image-retrieval.md)

-> Input requirements for multi-modal embeddings are different and are listed in [Multi-modal embeddings](/azure/ai-services/computer-vision/concept-image-retrieval#input-requirements)

-Learn what's new in the service. These items might be release notes, videos, blog posts, and other types of information. Bookmark this page to stay up to date with new features, enhancements, fixes, and documentation updates.

-The other features of Image Analysis, such as model customization, background removal, and multi-modal embeddings, remain in public preview.

-"Caption" replaces "Describe" in V4.0 as the significantly improved image captioning feature rich with details and semantic understanding. Dense Captions provides more detail by generating one sentence descriptions of up to 10 regions of the image in addition to describing the whole image. Dense Captions also returns bounding box coordinates of the described image regions. There's also a new gender-neutral parameter to allow customers to choose whether to enable probabilistic gender inference for alt-text and Seeing AI applications. Automatically deliver rich captions, accessible alt-text, SEO optimization, and intelligent photo curation to support digital content. [Image captions](./concept-describe-images-40.md).

-Search and interact with video content in the same intuitive way you think and write. Locate relevant content without the need for additional metadata. Available only in [Vision Studio](https://aka.ms/VisionStudio).

-### Multi-modal embeddings APIs (public preview)

-The [Multi-modal embeddings APIs](./how-to/image-retrieval.md), part of the Image Analysis 4.0 API, enable the _vectorization_ of images and text queries. They let you convert images and text to coordinates in a multi-dimensional vector space. You can now search with natural language and find relevant images using vector similarity search.

-Image Analysis 4.0 has been released in public preview. The new API includes image captioning, image tagging, object detection, smart crops, people detection, and Read OCR functionality, all available through one Analyze Image operation. The OCR is optimized for general, non-document images in a performance-enhanced synchronous API that makes it easier to embed OCR-powered experiences in your workflows.

-<!-- markdownlint-disable DOCSMD006 -->

- ***Sample document processed with [Document Intelligence Studio](https://formrecognizer.appliedai.azure.com/studio/layout)***

- :::image type="content" source="media/studio/form-recognizer-studio-layout-newspaper.png" alt-text="Screenshot of sample newspaper page processed using Document Intelligence Studio.":::

-|**Layout model**|&bullet; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com)</br>&bullet; [**REST API**](/rest/api/aiservices/document-models/analyze-document?view=rest-aiservices-2023-10-31-preview&preserve-view=true&tabs=HTTP)</br>&bullet; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)</br>&bullet; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)</br>&bullet; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)</br>&bullet; [**JavaScript SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)|**prebuilt-layout**|

-|**Layout model**|&bullet; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com)</br>&bullet; [**REST API**](/rest/api/aiservices/document-models/analyze-document?view=rest-aiservices-2023-07-31&preserve-view=true&tabs=HTTP)</br>&bullet; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.1.0&preserve-view=true)</br>&bullet; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.1.0&preserve-view=true)</br>&bullet; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.1.0&preserve-view=true)</br>&bullet; [**JavaScript SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.1.0&preserve-view=true)|**prebuilt-layout**|

-|**Layout model**|&bullet; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com)</br>&bullet; [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)</br>&bullet; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)</br>&bullet; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)</br>&bullet; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)</br>&bullet; [**JavaScript SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)|**prebuilt-layout**|

-* Supported file formats: JPEG, PNG, PDF, and TIFF

-* For PDF and TIFF, up to 2000 pages are processed. For free tier subscribers, only the first two pages are processed.

-* The file size must be less than 50 MB and dimensions at least 50 x 50 pixels and at most 10,000 x 10,000 pixels.

-### Layout model data extraction

-* An Azure subscriptionΓÇöyou can [create one for free](https://azure.microsoft.com/free/cognitive-services/)

-## Document Intelligence Studio

-1. On the Document Intelligence Studio home page, select **Layout**

-1. Select the **Run analysis** button and, if necessary, configure the **Analyze options** :

- > [Try Document Intelligence Studio](https://formrecognizer.appliedai.azure.com/studio/layout)

- * [**Sample document**](https://raw.githubusercontent.com/Azure-Samples/cognitive-services-REST-api-samples/master/curl/form-recognizer/layout-page-001.jpg)

-1. Select **Run Layout**. The Document Intelligence Sample Labeling tool calls the `Analyze Layout` API and analyze the document.

-1. View the results - see the highlighted text extracted, selection marks detected and tables detected.

-| **Predicted role** | **Description** |

-| | |

-| `title` | The main heading(s) in the page |

-| `sectionHeading` | One or more subheading(s) on the page |

-| `footnote` | Text near the bottom of the page |

-| `pageHeader` | Text near the top edge of the page |

-| `pageFooter` | Text near the bottom edge of the page |

-| `pageNumber` | Page number |

-### Pages

-The pages collection is the first object you see in the service response.

-```json

-"pages": [

- {

- "pageNumber": 1,

- "angle": 0,

- "width": 915,

- "height": 1190,

- "unit": "pixel",

- "words": [],

- "lines": [],

- "spans": [],

- "kind": "document"

- }

-]

-```

-### Text lines and words

-The document layout model in Document Intelligence extracts print and handwritten style text as `lines` and `words`. The model outputs bounding `polygon` coordinates and `confidence` for the extracted words. The `styles` collection includes any handwritten style for lines if detected along with the spans pointing to the associated text. This feature applies to [supported handwritten languages](language-support.md).

-The Layout model also extracts selection marks from documents. Extracted selection marks appear within the `pages` collection for each page. They include the bounding `polygon`, `confidence`, and selection `state` (`selected/unselected`). Any associated text if extracted is also included as the starting index (`offset`) and `length` that references the top level `content` property that contains the full text from the document.

-### Handwritten style for text lines

-The response includes classifying whether each text line is of handwriting style or not, along with a confidence score. For more information. *see*, [Handwritten language support](language-support-ocr.md). The following example shows an example JSON snippet.

-```json

-"styles": [

-{

- "confidence": 0.95,

- "spans": [

- {

- "offset": 509,

- "length": 24

- }

- "isHandwritten": true

- ]

-}

-```

-### Extract selected page(s) from documents

-For large multi-page documents, use the `pages` query parameter to indicate specific page numbers or page ranges for text extraction.

-Call this operation iteratively until it returns the `succeeded` value. Use an interval of 3 to 5 seconds to avoid exceeding the requests per second (RPS) rate.

-* [Learn how to process your own forms and documents](quickstarts/try-document-intelligence-studio.md) with the [Document Intelligence Studio](https://formrecognizer.appliedai.azure.com/studio)

-* [Learn how to process your own forms and documents](quickstarts/try-sample-label-tool.md) with the [Document Intelligence Sample Labeling tool](https://fott-2-1.azurewebsites.net/)

-<!-- markdownlint-disable MD024 -->

-<!-- markdownlint-disable MD033 -->

-<!-- markdownlint-disable MD011 -->

- Azure AI Document Intelligence supports a wide variety of models that enable you to add intelligent document processing to your apps and flows. You can use a prebuilt domain-specific model or train a custom model tailored to your specific business need and use cases. Document Intelligence can be used with the REST API or Python, C#, Java, and JavaScript SDKs.

-| [Health insurance card](#health-insurance-card) | Automate healthcare processes by extracting insurer, member, prescription, group number and other key information from US health insurance cards.|

-| [Custom extraction models](#custom-extraction)| &#9679; **Custom template models** use layout cues to extract values from documents and are suitable to extract fields from highly structured documents with defined visual templates.</br>&#9679; **Custom neural models** are trained on various document types to extract fields from structured, semi-structured and unstructured documents.|

-| [Custom classification model](#custom-classifier)| The **Custom classification model** can classify each page in an input file to identify the document(s) within and can also identify multiple documents or multiple instances of a single document within an input file.

-* [`queryFields`](concept-add-on-capabilities.md#query-fields) (2023-10-31-preview). `Not available with the US.Tax models`

- |US Tax 1099|Extract Information from 1099 forms.|**prebuilt-tax.us.1099(variations)**|

-The invoice model automates processing of invoices to extracts customer name, billing address, due date, and amount due, line items and other key data. Currently, the model supports English, Spanish, German, French, Italian, Portuguese, and Dutch invoices.

-The custom classification model enables you to identify the document type prior to invoking the extraction model. The classification model is available starting with the `2023-07-31 (GA)` API. Training a custom classification model requires at least two distinct classes and a minimum of five samples per class.

-| [prebuilt-read](concept-read.md#read-model-data-extraction) | Γ£ô | Γ£ô | | | Γ£ô | | | |

-A composed model is created by taking a collection of custom models and assigning them to a single model built from your form types. You can assign multiple custom models to a composed model called with a single model ID. you can assign up to 100 trained custom models to a single composed model.

-* Try processing your own forms and documents with the [Document Intelligence Studio](https://formrecognizer.appliedai.azure.com/studio)

-* Try processing your own forms and documents with the [Document Intelligence Sample Labeling tool](https://fott-2-1.azurewebsites.net/)

-|**Read OCR model**|&bullet; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com)</br>&bullet; [**REST API**](/rest/api/aiservices/document-models/analyze-document?view=rest-aiservices-2023-10-31-preview&preserve-view=true&tabs=HTTP)</br>&bullet; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)</br>&bullet; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)</br>&bullet; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)</br>&bullet; [**JavaScript SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)|**prebuilt-read**|

-|**Read OCR model**|&bullet; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com)</br>&bullet; [**REST API**](/rest/api/aiservices/document-models/analyze-document?view=rest-aiservices-2023-07-31&preserve-view=true&tabs=HTTP)</br>&bullet; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.1.0&preserve-view=true)</br>&bullet; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.1.0&preserve-view=true)</br>&bullet; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.1.0&preserve-view=true)</br>&bullet; [**JavaScript SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.1.0&preserve-view=true)|**prebuilt-read**|

-|**Read OCR model**|&bullet; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com)</br>&bullet; [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)</br>&bullet; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)</br>&bullet; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)</br>&bullet; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)</br>&bullet; [**JavaScript SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)|**prebuilt-read**|

-## Read model data extraction

-* An Azure subscriptionΓÇöyou can [create one for free](https://azure.microsoft.com/free/cognitive-services/)

-1. On the Document Intelligence Studio home page, select **Read**

-1. Select the **Run analysis** button and, if necessary, configure the **Analyze options** :

- > [Try Document Intelligence Studio](https://formrecognizer.appliedai.azure.com/studio/layout)

-## Supported extracted languages and locales

-*See* our [Language SupportΓÇödocument analysis models](language-support-ocr.md) page for a complete list of supported languages.

-### Microsoft Office and HTML text extraction

-When analyzing Microsft Office and HTML files, the page units in the model output are computed as shown:

- **File format** | **Computed page unit** | **Total pages** |

-| | | |

-|Word | Up to 3,000 characters = 1 page unit, embedded or linked images not supported | Total pages of up to 3,000 characters each |

-|Excel | Each worksheet = 1 page unit, embedded or linked images not supported | Total worksheets

-|PowerPoint | Each slide = 1 page unit, embedded or linked images not supported | Total slides

-|HTML | Up to 3,000 characters = 1 page unit, embedded or linked images not supported | Total pages of up to 3,000 characters each |

-### Paragraphs extraction

-The Read OCR model in Document Intelligence extracts all identified blocks of text in the `paragraphs` collection as a top level object under `analyzeResults`. Each entry in this collection represents a text block and includes the extracted text as`content`and the bounding `polygon` coordinates. The `span` information points to the text fragment within the top-level `content` property that contains the full text from the document.

-```json

-"paragraphs": [

- {

- "spans": [],

- "boundingRegions": [],

- "content": "While healthcare is still in the early stages of its Al journey, we are seeing pharmaceutical and other life sciences organizations making major investments in Al and related technologies.\" TOM LAWRY | National Director for Al, Health and Life Sciences | Microsoft"

- }

-]

-```

-The page units in the model output are computed as shown:

- **File format** | **Computed page unit** | **Total pages** |

-|Images | Each image = 1 page unit | Total images |

- "kind": "document"

-### Text lines and words extraction

-For the preview of Microsoft Word, Excel, PowerPoint, and HTML file support, Read extracts all embedded text as is. For any embedded images, it runs OCR on the images to extract text and append the text from each image as an added entry to the `pages` collection. These added entries include the extracted text lines and words, their bounding polygons, confidences, and the spans pointing to the associated text.

-### Select page(s) for text extraction

-For large multi-page PDF documents, use the `pages` query parameter to indicate specific page numbers or page ranges for text extraction.

-> [!NOTE]

-> For the Microsoft Word, Excel, PowerPoint, and HTML file support, the Read API ignores the pages parameter and extracts all pages by default.

-> * [**REST API**](how-to-guides/use-sdk-rest-api.md?view=doc-intel-3.1.0&preserve-view=true)

-> * [**C# SDK**](how-to-guides/use-sdk-rest-api.md?view=doc-intel-3.1.0&preserve-view=true?pivots=programming-language-csharp)

-> * [**Python SDK**](how-to-guides/use-sdk-rest-api.md?view=doc-intel-3.1.0&preserve-view=true?pivots=programming-language-python)

-> * [**Java SDK**](how-to-guides/use-sdk-rest-api.md?view=doc-intel-3.1.0&preserve-view=true?pivots=programming-language-java)

-> * [**JavaScript**](how-to-guides/use-sdk-rest-api.md?view=doc-intel-3.1.0&preserve-view=true?pivots=programming-language-javascript)</li></ul>

-> [Document Intelligence API v3.1](/rest/api/aiservices/document-models/analyze-document?view=rest-aiservices-2023-07-31&preserve-view=true&tabs=HTTP)

- ✔️ Custom classifiers identify document types prior to invoking an extraction model.

- [**Custom classifier**](#custom-classification-model) | Identify designated document types (classes) </br>prior to invoking an extraction model.

-\* - Premium features incur extra costs

-|[**prebuilt-read**](concept-read.md)|&#9679; Extract **text** from documents.</br>&#9679; [Data extraction](concept-read.md#read-model-data-extraction)| &#9679; Digitizing any document. </br>&#9679; Compliance and auditing. &#9679; Processing handwritten notes before translation.|&#9679; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/read)</br>&#9679; [**REST API**](how-to-guides/use-sdk-rest-api.md?view=doc-intel-4.0.0&preserve-view=true&pivots=programming-language-rest-api)</br>&#9679; [**C# SDK**](how-to-guides/use-sdk-rest-api.md?view=doc-intel-4.0.0&preserve-view=true&pivots=programming-language-csharp)</br>&#9679; [**Python SDK**](how-to-guides/use-sdk-rest-api.md?view=doc-intel-4.0.0&preserve-view=true&pivots=programming-language-python)</br>&#9679; [**Java SDK**](how-to-guides/use-sdk-rest-api.md?view=doc-intel-4.0.0&preserve-view=true&pivots=programming-language-java)</br>&#9679; [**JavaScript**](how-to-guides/use-sdk-rest-api.md?view=doc-intel-4.0.0&preserve-view=true&pivots=programming-language-javascript) |

-|[**prebuilt-layout**](concept-layout.md) |&#9679; Extract **text and layout** information from documents.</br>&#9679; [Data extraction](concept-layout.md#data-extraction) |&#9679; Document indexing and retrieval by structure.</br>&#9679; Financial and medical report analysis. |&#9679; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/layout)</br>&#9679; [**REST API**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true)</br>&#9679; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#layout-model)</br>&#9679; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#layout-model)</br>&#9679; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#layout-model)</br>&#9679; [**JavaScript**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-4.0.0&preserve-view=true#layout-model)|

-|**prebuilt-tax.us.1099(Variations)**|Extract information from 1099 form variations.|&#9679; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio)</br>&#9679; [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services?pattern=intelligence)|

-* [Choose a Document Intelligence model](choose-model-feature.md)

-* Try processing your own forms and documents with the [Document Intelligence Studio](https://formrecognizer.appliedai.azure.com/studio)

-* Try processing your own forms and documents with the [Document Intelligence Sample Labeling tool](https://fott-2-1.azurewebsites.net/)

-The [Document Intelligence SDKs](sdk-overview-v4-0.md) targeting REST API **2023-10-31-preview** are now available for use!

- * Cyber EO compliance.

- * Support for KVK field.

- * Support for BPAY field.

-> * There are no breaking changes to application programming interfaces (APIs) or SDKs.

-* Document Intelligence APIs are now more modular, with support for optional features, you can now customize the output to specifically include the features you need. Learn more about the [optional parameters](v3-1-migration-guide.md).

-* [Prebuilt contract model](concept-contract.md)

-* [Prebuilt US tax form 1098 model](concept-tax-document.md)

-* Support for [Office file types](concept-read.md) with Read API

-* [Barcode recognition](concept-read.md) in documents

-* Formula recognition [add-on capability](concept-add-on-capabilities.md)

-* Font recognition [add-on capability](concept-add-on-capabilities.md)

-* Support for [high resolution documents](concept-add-on-capabilities.md)

-* Custom neural models now require a single labeled sample to train

-* Custom neural models language expansion. Train a neural model for documents in 30 languages. See [language support](language-support.md) for the complete list of supported languages

-* In custom extraction model labeling page, you can now navigate through your training documents with ease by making use of the search, filter and sort by feature.

-* Document Intelligence REST API Version [2023-02-28-preview](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2023-02-28-preview/operations/AnalyzeDocument) supports the public preview release SDKs. This release includes the following new features and capabilities available for .NET/C# (4.1.0-beta-1), Java (4.1.0-beta-1), JavaScript (4.1.0-beta-1), and Python (3.3.0b.1) SDKs:

-* For more information, _see_ [**Document Intelligence SDK (public preview**)](./sdk-preview.md) and [March 2023 release](#march-2023) notes.

-* [**Add-on capabilities**](concept-add-on-capabilities.md)

-* [**Custom extraction model updates**](concept-custom.md)

- * [**Custom neural model**](concept-custom-neural.md) now supports added languages for training and analysis. Train neural models for Dutch, French, German, Italian and Spanish.

-* [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio) updates

- * New model additions in gated preview: **Vaccination cards**, **Contracts**, **US Tax 1098**, **US Tax 1098-E**, and **US Tax 1098-T**. To request access to gated preview models, complete and submit the [**Document Intelligence private preview request form**](https://aka.ms/form-recognizer/preview/survey).

-* [**Receipt model updates**](concept-receipt.md)

- For more information, _see_ [Install and run Document Intelligence containers](containers/install-run.md?view=doc-intel-3.0.0&preserve-view=true)

- * Driver's license expansion supporting India, Canada, United Kingdom and Australia

- * **Navigation**. You can select labels to target labeled words within a document.

- * This release includes important changes and updates for .NET, Java, JavaScript, and Python SDKs. For more information, _see_ [**Azure SDK DevBlog**](https://devblogs.microsoft.com/azure-sdk/announcing-new-stable-release-of-azure-form-recognizer-libraries/).

- * With the latest preview release, Document Intelligence's Read (OCR), Layout, and Custom template models support 134 new languages. These language additions include Greek, Latvian, Serbian, Thai, Ukrainian, and Vietnamese, along with several Latin and Cyrillic languages. Document Intelligence now has a total of 299 supported languages across the most recent GA and new preview versions. Refer to the [supported languages](language-support.md) page to see all supported languages.

- * Document Intelligence SDK version `4.0.0 GA` release

- * **Document Intelligence SDKs version 4.0.0 (.NET/C#, Java, JavaScript) and version 3.2.0 (Python) are generally available and ready for use in production applications!**

- * For more information on Document Intelligence SDKs, see the [**SDK overview**](sdk-overview-v3-1.md).

- * [**Read model now supports common Microsoft Office document types**](concept-read.md). Document types like Word (docx) and PowerPoint (ppt) are now supported with the Read API. See [Microsoft Office and HTML text extraction](concept-read.md#microsoft-office-and-html-text-extraction).

-* Document Intelligence v3.0 preview release introduces several new features, capabilities and enhancements:

-* Document Intelligence model data extraction

- * [Custom template](concept-custom-template.md) (formerly custom form)

- * [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com) To simplify use of the service, you can now access the Document Intelligence Studio to test the different prebuilt models or label and train a custom model

-* Monitoring menu

- :::image type="content" source="media/portal-metrics.png" alt-text="Screenshot showing the monitoring menu in the Azure portal":::

-* Charts

-* Document Intelligence connector released in preview: The [**Document Intelligence connector**](/connectors/formrecognizer) integrates with [Azure Logic Apps](../../logic-apps/logic-apps-overview.md), [Microsoft Power Automate](/power-automate/getting-started), and [Microsoft Power Apps](/powerapps/powerapps-overview). The connector supports workflow actions and triggers to extract and analyze document data and structure from custom and prebuilt forms, invoices, receipts, business cards and ID documents.

-* **Line-item extraction for invoice model** - Prebuilt Invoice model now supports line item extraction; it now extracts full items and their parts - description, amount, quantity, product ID, date and more. With a simple API/SDK call, you can extract useful data from your invoices - text, table, key-value pairs, and line items.

-* **Document Intelligence v2.0 reference available** - View the [v2.0 API Reference](https://westus2.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2/operations/AnalyzeWithCustomForm) and the updated SDKs for [.NET](/dotnet/api/overview/azure/ai.formrecognizer-readme), [Python](/python/api/overview/azure/), [Java](/java/api/overview/azure/ai-formrecognizer-readme), and [JavaScript](/javascript/api/overview/azure/).

-* **CopyModel API added to client SDKs** - You can now use the client SDKs to copy models from one subscription to another. See [Back up and recover models](./disaster-recovery.md) for general information on this feature.

-* **Azure Active Directory integration** - You can now use your Azure AD credentials to authenticate your Document Intelligence client objects in the SDKs.

-The new SDK supports all the features of the v2.0 REST API for Document Intelligence. You can share your feedback on the SDKs through the [SDK Feedback form](https://aka.ms/FR_SDK_v1_feedback).

-* **Table visualization** The Sample Labeling tool now displays tables that were recognized in the document. This feature lets you view recognized and extracted tables from the document prior to labeling and analyzing. This feature can be toggled on/off using the layers option.

-* TLS 1.2 enforcement

-* TLS 1.2 is now enforced for all HTTP requests to this service. For more information, see [Azure AI services security](../../ai-services/security-features.md).

-Text Analytics has been incorporated into the language service, and its features are still available. If you were using Text Analytics, your applications should continue to work without breaking changes. You can also see the [Text Analytics migration guide](migrate-language-service-latest.md), if you need to update an older application.

-You can get the consent statement text for each locale from the text to speech GitHub repository. See [SpeakerAuthorization.txt](https://github.com/Azure-Samples/Cognitive-Speech-TTS/blob/master/CustomVoice/script/English%20(United%20States)_en-US/SpeakerAuthorization.txt) for the consent statement for the `en-US` locale:

-| [Speech to text REST API](rest-speech-to-text.md) limit | Not available for F0 | 300 requests per minute |

-| REST API limit | 300 requests per minute | 300 requests per minute |

-## Pre-aligned documents

-If you know you have parallel documents, you may override the

-sentence alignment by supplying pre-aligned text files. You can extract all

- files. Don't have newline characters within a sentence, it will cause poor

-For a training to succeed, the table below shows the minimum number of sentences required in each document type. This limitation is a safety net to ensure your parallel sentences contain enough unique vocabulary to successfully train a translation model. The general guideline is having more in-domain parallel sentences of human translation quality should produce higher-quality models.

-The [Microsoft Q&A](/answers/tags/132/azure-translator) and [Stack Overflow](https://stackoverflow.com/questions/tagged/microsoft-translator) forums are available for the developer community to ask and answer questions about Azure Text Translation and other services. Microsoft monitors the forums and replies to questions that the community has yet to answer.

-> [**Document Translation SDK quickstart**](quickstarts/document-translation-sdk.md) [**Document Translation v1.1 REST API reference**](reference/rest-api-guide.md)

-* Your application submits the SAS token to Azure Storage as part of a REST API request.

-* If the storage service verifies that the SAS is valid, the request is authorized.

-* If the SAS token is deemed invalid, the request is declined, and the error code 403 (Forbidden) is returned.

-**Your storage account** → **containers** → **your container** |**Your storage account** → **containers** → **your container**→ **your file** |

- * Your **source** container or file must have designated **read** and **list** access.

- * Your **target** container or file must have designated **write** and **list** access.

- * **Account key**: There's no imposed maximum time limit; however, best practices recommended that you configure an expiration policy to limit the interval and minimize compromise. [Configure an expiration policy for shared access signatures](/azure/storage/common/sas-expiration-policy).

- * Your **source** container or file must have designated **read** and **list** access.

- * Your **target** container or file must have designated **write** and **list** access.

-That's it! You've learned how to create SAS tokens to authorize how clients access your data.

-> [Get Started with Document Translation](../quickstarts/document-translation-rest-api.md)

-description: Understand how to create and use managed identities in the Azure portal

- Although network access is now permitted, your Translator resource is still unable to access the data in your Storage account. You need to [create a managed identity](#managed-identity-assignments) for and [assign a specific access role](#grant-storage-account-access-for-your-translator-resource) to your Translator resource.

-There are two types of managed identities: **system-assigned** and **user-assigned**. Currently, Document Translation supports **system-assigned managed identity**:

-* A batch Document Translation request is submitted to your Translator service endpoint via a POST request.

-Great! You've learned how to enable and use a system-assigned managed identity. With managed identity for Azure Resources and `Azure RBAC`, you granted Translator specific access rights to your storage resource without including SAS tokens with your HTTP requests.

-> [Quickstart: Get started with Document Translation](../quickstarts/document-translation-rest-api.md)

- Document Translation is a cloud-based feature of the [Azure AI Translator](../../translator-overview.md) service. You can use the Document Translation API to asynchronously translate whole documents in [supported languages](../../language-support.md) and various [file formats](../overview.md#supported-document-formats) while preserving source document structure and text formatting. In this how-to guide, you learn to use Document Translation APIs with a programming language of your choice and the HTTP REST API.

-* An active [**Azure account**](https://azure.microsoft.com/free/cognitive-services/). If you don't have one, you can [**create a free account**](https://azure.microsoft.com/free/).

- 1. **Pricing tier**. Document Translation isn't supported in the free tier. Select Standard S1 to try the service.

- 1. After your resource successfully deploys, select **Go to resource**.

-*Requests to the Translator service require a read-only key and custom endpoint to authenticate access. The custom domain endpoint is a URL formatted with your resource name, hostname, and Translator subdirectories and is available in the Azure portal.

-A batch Document Translation request is submitted to your Translator service endpoint via a POST request. If successful, the POST method returns a `202 Accepted` response code and the service creates a batch request. The translated documents are listed in your target container.

-* The POST request URL is POST `https://<NAME-OF-YOUR-RESOURCE>.cognitiveservices.azure.com/translator/text/batch/v1.1/batches`

-* Specify `"storageType": "File"`

-* If you aren't using a [**system-assigned managed identity**](create-use-managed-identities.md) for authentication, make sure you created source URL & SAS tokens for the specific blob/document (not for the container)

-* This sample request returns a single document translated into two target languages

-* To process JSON data, add [Newtonsoft.Json package using .NET CLI](https://www.nuget.org/packages/Newtonsoft.Json/).

-* Update the `build.gradle.kts` file. Keep in mind that you need to update your `mainClassName` depending on the sample:

- ```java

- plugins {

- java

- application

- }

- application {

- mainClassName = "{NAME OF YOUR CLASS}"

- }

- repositories {

- mavenCentral()

- }

- dependencies {

- compile("com.squareup.okhttp:okhttp:2.5.0")

- }

- ```

-```powershell

-gradle build

-gradle run

-```

-description: An overview of the cloud-based batch Document Translation service and process.

-Document Translation is a cloud-based feature of the [Azure AI Translator](../translator-overview.md) service and is part of the Azure AI service family of REST APIs. The Document Translation API can be used to translate multiple and complex documents across all [supported languages and dialects](../../language-support.md), while preserving original document structure and data format.

-## Key features

-| Feature | Description |

-| | -|

-| **Translate large files**| Translate whole documents asynchronously.|

-|**Translate numerous files**|Translate multiple files across all supported languages and dialects while preserving document structure and data format.|

-|**Preserve source file presentation**| Translate files while preserving the original layout and format.|

-|**Apply custom translation**| Translate documents using general and [custom translation](../custom-translator/concepts/customization.md#custom-translator) models.|

-|**Apply custom glossaries**|Translate documents using custom glossaries.|

-|**Automatically detect document language**|Let the Document Translation service determine the language of the document.|

-|**Translate documents with content in multiple languages**|Use the autodetect feature to translate documents with content in multiple languages into your target language.|

-> [!NOTE]

-> When translating documents with content in multiple languages, the feature is intended for complete sentences in a single language. If sentences are composed of more than one language, the content may not all translate into the target language.

-> For more information on input requirements, *see* [Document Translation request limits](../service-limits.md#document-translation)

-## Development options

-You can add Document Translation to your applications using the REST API or a client-library SDK:

-* The [**REST API**](reference/rest-api-guide.md). is a language agnostic interface that enables you to create HTTP requests and authorization headers to translate documents.

-* The [**client-library SDKs**](./quickstarts/document-translation-sdk.md) are language-specific classes, objects, methods, and code that you can quickly use by adding a reference in your project. Currently Document Translation has programming language support for [**C#/.NET**](/dotnet/api/azure.ai.translation.document) and [**Python**](https://pypi.org/project/azure-ai-translation-document/).

-## Get started

-In our quickstart, you learn how to rapidly get started using Document Translation. To begin, you need an active [Azure account](https://azure.microsoft.com/free/cognitive-services/). If you don't have one, you can [create a free account](https://azure.microsoft.com/free).

-> [!div class="nextstepaction"]

-> [Start here](./quickstarts/document-translation-rest-api.md "Learn how to use Document Translation with HTTP REST")

-## Supported document formats

-Document Translation supports the following document file types:

-## Request limits

-For detailed information regarding Azure AI Translator Service request limits, *see* [**Document Translation request limits**](../service-limits.md#document-translation).

-### Legacy file types

-## Supported glossary formats

-## Data residency

-* Translator resources **created** in any region in Switzerland are **processed** at data center in Switzerland North and Switzerland West

-### Document Translation data residency

-|**Any region within Europe (except Switzerland)**| Europe ΓÇö North Europe &bull; West Europe|

-|**Switzerland**|Switzerland ΓÇö Switzerland North &bull; Switzerland West|

-|**Any region within Asia Pacific and Australia**| Asia ΓÇö Southeast Asia &bull; Australia East|

-|**All other regions including Global, North America, and South America** | US ΓÇö East US &bull; West US 2|

-> [Get Started with Document Translation](./quickstarts/document-translation-rest-api.md)

-Cancel a current processing or queued operation. An operation isn't canceled if it's already completed, has failed, or is canceling. A bad request is returned. Documents that have completed translation aren't canceled and are charged. All pending documents are canceled if possible.

-Learn how to find your [custom domain name](../quickstarts/document-translation-rest-api.md).

-|200|OK. Cancel request has been submitted|

-|404|Not found. Resource isn't found.

-|500|Internal Server Error.

-|Other Status Codes|<ul><li>Too many requests</li><li>Server temporary unavailable</li></ul>|

-|lastActionDateTimeUtc|string|Date time in which the operation's status has been updated.|

-|status|String|List of possible statuses for job or document: <ul><li>Canceled</li><li>Cancelling</li><li>Failed</li><li>NotStarted</li><li>Running</li><li>Succeeded</li><li>ValidationFailed</li></ul>|

-|code|string|Enums containing high-level error codes. Possible values:<br/><ul><li>InternalServerError</li><li>InvalidArgument</li><li>InvalidRequest</li><li>RequestRateTooHigh</li><li>ResourceNotFound</li><li>ServiceUnavailable</li><li>Unauthorized</li></ul>|

-> [Get started with Document Translation](../quickstarts/document-translation-rest-api.md)

-Learn how to find your [custom domain name](../quickstarts/document-translation-rest-api.md).

-|Other Status Codes|<ul><li>Too many requests</li><li>Server temporary unavailable</li></ul>|

-|lastActionDateTimeUtc|string|Date time in which the operation's status has been updated.|

-|status|String|List of possible statuses for job or document: <ul><li>Canceled</li><li>Cancelling</li><li>Failed</li><li>NotStarted</li><li>Running</li><li>Succeeded</li><li>ValidationFailed</li></ul>|

-|code|string|Enums containing high-level error codes. Possible values:<br/><ul><li>InternalServerError</li><li>InvalidArgument</li><li>InvalidRequest</li><li>RequestRateTooHigh</li><li>ResourceNotFound</li><li>ServiceUnavailable</li><li>Unauthorized</li></ul>|

-|innerError|InnerTranslationError|New Inner Error format that conforms to Azure AI services API Guidelines. This error message contains required properties ErrorCode, message and optional properties target, details(key value pair), inner error(it can be nested).|

-> [Get started with Document Translation](../quickstarts/document-translation-rest-api.md)

-description: The get documents status method returns the status for all documents in a batch document translation request.

-Learn how to find your [custom domain name](../quickstarts/document-translation-rest-api.md).

-|`$maxpagesize`|query|False|integer int32|`$maxpagesize` is the maximum items returned in a page. If more items are requested via `$top` (or `$top` isn't specified and there are more items to be returned), @nextLink will contain the link to the next page. Clients MAY request server-driven paging with a specific page size by specifying a `$maxpagesize` preference. The server SHOULD honor this preference if the specified page size is smaller than the server's default page size.|

-|`$skip`|query|False|integer int32|$skip indicates the number of records to skip from the list of records held by the server based on the sorting method specified. By default, we sort by descending start time. Clients MAY use $top and `$skip` query parameters to specify the number of results to return and an offset into the collection. When the client returns both `$top` and `$skip`, the server SHOULD first apply `$skip` and then `$top` on the collection. Note: If the server can't honor `$top` and/or `$skip`, the server MUST return an error to the client informing about it instead of just ignoring the query options.|

-|`$top`|query|False|integer int32|`$top` indicates the total number of records the user wants to be returned across all pages. Clients MAY use `$top` and `$skip` query parameters to specify the number of results to return and an offset into the collection. When the client returns both `$top` and `$skip`, the server SHOULD first apply `$skip` and then `$top` on the collection. Note: If the server can't honor `$top` and/or `$skip`, the server MUST return an error to the client informing about it instead of just ignoring the query options.|

-|Other Status Codes|<ul><li>Too many requests</li><li>Server temporary unavailable</li></ul>|

-|value.lastActionDateTimeUtc|string|Date time in which the operation's status has been updated.|

-|value.status|status|List of possible statuses for job or document.<ul><li>Canceled</li><li>Cancelling</li><li>Failed</li><li>NotStarted</li><li>Running</li><li>Succeeded</li><li>ValidationFailed</li></ul>|

-|code|string|Enums containing high-level error codes. Possible values:<br/><ul><li>InternalServerError</li><li>InvalidArgument</li><li>InvalidRequest</li><li>RequestRateTooHigh</li><li>ResourceNotFound</li><li>ServiceUnavailable</li><li>Unauthorized</li></ul>|

-> [Get started with Document Translation](../quickstarts/document-translation-rest-api.md)

-Learn how to find your [custom domain name](../quickstarts/document-translation-rest-api.md).

-|Other Status Codes|<ul><li>Too many requests</li><li>Server temporary unavailable</li></ul>|

- |code|string|Enums containing high-level error codes. Possible values:<ul><li>InternalServerError</li><li>InvalidArgument</li><li>InvalidRequest</li><li>RequestRateTooHigh</li><li>ResourceNotFound</li><li>ServiceUnavailable</li><li>Unauthorized</li></ul>|

-|innerError|InnerTranslationError|New Inner Error format that conforms to Azure AI services API Guidelines. This error message contains required properties ErrorCode, message and optional properties target, details(key value pair), inner error(it can be nested).|

-> [Get started with Document Translation](../quickstarts/document-translation-rest-api.md)

-Learn how to find your [custom domain name](../quickstarts/document-translation-rest-api.md).

-|Other Status Codes|<ul><li>Too many requests</li><li>Server temporary unavailable</li></ul>|

-|code|string|Enums containing high-level error codes. Possible values:<br/><ul><li>InternalServerError</li><li>InvalidArgument</li><li>InvalidRequest</li><li>RequestRateTooHigh</li><li>ResourceNotFound</li><li>ServiceUnavailable</li><li>Unauthorized</li></ul>|

-|innerError|InnerTranslationError|New Inner Error format that conforms to Azure AI services API Guidelines. This error message contains required properties ErrorCode, message and optional properties target, details(key value pair), inner error(it can be nested).|

-the following JSON object is an example of an error response. The schema for other error codes is the same.

-> [Get started with Document Translation](../quickstarts/document-translation-rest-api.md)

-Learn how to find your [custom domain name](../quickstarts/document-translation-rest-api.md).

-|Other Status Codes|<ul><li>Too many requests</li><li>Server temporary unavailable</li></ul>|

-|code|string|Enums containing high-level error codes. Possible values:<br/><ul><li>InternalServerError</li><li>InvalidArgument</li><li>InvalidRequest</li><li>RequestRateTooHigh</li><li>ResourceNotFound</li><li>ServiceUnavailable</li><li>Unauthorized</li></ul>|

-|innerError|InnerTranslationError|New Inner Error format that conforms to Azure AI services API Guidelines. This error message contains required properties ErrorCode, message and optional properties target, details(key value pair), inner error (it can be nested).|

-> [Get started with Document Translation](../quickstarts/document-translation-rest-api.md)

-Learn how to find your [custom domain name](../quickstarts/document-translation-rest-api.md).

-|Other Status Codes|<ul><li>Too many requests</li><li>Server temporary unavailable</li></ul>|

-|lastActionDateTimeUtc|string|Date time in which the operation's status has been updated.|

-|status|String|List of possible statuses for job or document: <ul><li>Canceled</li><li>Cancelling</li><li>Failed</li><li>NotStarted</li><li>Running</li><li>Succeeded</li><li>ValidationFailed</li></ul>|

-|code|string|Enums containing high-level error codes. Possible values:<br/><ul><li>InternalServerError</li><li>InvalidArgument</li><li>InvalidRequest</li><li>RequestRateTooHigh</li><li>ResourceNotFound</li><li>ServiceUnavailable</li><li>Unauthorized</li></ul>|

-|innerError|InnerTranslationError|New Inner Error format that conforms to Azure AI services API Guidelines. This error message contains required properties ErrorCode, message and optional properties target, details(key value pair), inner error(it can be nested).|

-> [Get started with Document Translation](../quickstarts/document-translation-rest-api.md)

-`$top`, `$skip` and `$maxpagesize` query parameters can be used to specify the number of results to return and an offset for the collection.

-Learn how to find your [custom domain name](../quickstarts/document-translation-rest-api.md).

-|Other Status Codes|<ul><li>Too many requests</li><li>Server temporary unavailable</li></ul>|

-|value.lastActionDateTimeUtc|string|Date time in which the operation's status has been updated.|

-|value.status|String|List of possible statuses for job or document: <ul><li>Canceled</li><li>Cancelling</li><li>Failed</li><li>NotStarted</li><li>Running</li><li>Succeeded</li><li>ValidationFailed</li></ul>|

-|code|string|Enums containing high-level error codes. Possible values:<br/><ul><li>InternalServerError</li><li>InvalidArgument</li><li>InvalidRequest</li><li>RequestRateTooHigh</li><li>ResourceNotFound</li><li>ServiceUnavailable</li><li>Unauthorized</li></ul>|

-> [Get started with Document Translation](../quickstarts/document-translation-rest-api.md)

-# Document Translation REST API reference guide

-Document Translation is a cloud-based feature of the Azure AI Translator service and is part of the Azure AI service family of REST APIs. The Document Translation API translates documents across all [supported languages and dialects](../../language-support.md) while preserving document structure and data format. The available methods are listed in the following table:

-> [Swagger UI](https://mtbatchppefrontendapp.azurewebsites.net/swagger/https://docsupdatetracker.net/index.html) [Explore our client libraries and SDKs for C# and Python.](../quickstarts/document-translation-sdk.md)

-Learn how to find your [custom domain name](../quickstarts/document-translation-rest-api.md).

-|**inputs.source.filter.prefix**|`string`|False|&bullet; string|Case-sensitive prefix string to filter documents in the source path for translation. Often used to designate sub-folders for translation. Example: "_FolderA_".|

-|**inputs.source.language**|`string`|False|&bullet; string|The language code for the source documents. If not specified, auto-detect is implemented.

-|**inputs.source.storageSource**|`string`|False|&bullet; string|Storage source for inputs. Defaults to "AzureBlob".|

-|**inputs.targets.category**|`string`|False|&bullet; string|Classification or category for the translation request. Example: "_general_".|

-|**inputs.targets.glossaries.storageSource**|`string`|False|&bullet; string|Storage source for glossaries. Defaults to "_AzureBlob_".|

-|**inputs.targets.storageSource**|`string`|False|&bullet; string|Storage source for targets.Defaults to "_AzureBlob_".|

-|**options.experimental**|`boolean`|False|&bullet;`true`</br></br>&bullet; `false`|Indicates whether the request will include an experimental feature (if applicable). Only the booleans _`true`_ or _`false`_ are valid values.|

-Make sure you've specified the folder name (case sensitive) as prefix in filter.

-* Specify "storageType": "File"

-This sample request shows a single document translated into two target languages

-|503|Service is currently unavailable. Try again later.|

-|Other Status Codes|<ul><li>Too many requests</li><li>Server temporary unavailable</li></ul>|

-|innerError|InnerTranslationError|New Inner Error format that conforms to Azure AI services API Guidelines. This error message contains required properties: ErrorCode, message and optional properties target, details(key value pair), and inner error(it can be nested).|

-> [Get started with Document Translation](../quickstarts/document-translation-rest-api.md)

-description: "Learn to translate text with the Translator service REST APIs. Examples are provided in C#, Go, Java, JavaScript and Python."

-You need an active Azure subscription. If you don't have an Azure subscription, you can [create one for free](https://azure.microsoft.com/free/cognitive-services/)

-<!-- checked -->

-<!--

- > [!div class="nextstepaction"]

-> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Csharp&Product=Translator&Page=quickstart-translator&Section=prerequisites)

-1. Select install from the right package manager window to add the package to your project.

-Once you've added a code sample to your application, choose the green **start button** next to formRecognizer_quickstart to build and run your program, or press **F5**.

-1. If you haven't done so already, [download and install Go](https://go.dev/doc/install).

-Once you've added a code sample to your application, your Go program can be executed in a command or terminal prompt. Make sure your prompt's path is set to the **translator-app** folder and use the following command:

-* If you aren't using VS Code, make sure you have the following installed in your development environment:

-Once you've added a code sample to your application, navigate back to your main project directoryΓÇö**translator-text-app**, open a console window, and enter the following commands:

-1. If you haven't done so already, install the latest version of [Node.js](https://nodejs.org/en/download/). Node Package Manager (npm) is included with the Node.js installation.

- * After you've completed the prompts, a `package.json` file will be created in your translator-app directory.

-Once you've added the code sample to your application, run your program:

-1. If you haven't done so already, install the latest version of [Python 3.x](https://www.python.org/downloads/). The Python installer package (pip) is included with the Python installation.

-Once you've added a code sample to your application, build and run your program:

-That's it, congratulations! You've learned to use the Translator service to translate text.

-description: Understand the parameters, headers, and body messages for the Translate method of Azure AI Translator to translate text.

-| category | _Optional parameter_. <br>A string specifying the category (domain) of the translation. This parameter is used to get translations from a customized system built with [Custom Translator](../custom-translator/concepts/customization.md). Add the Category ID from your Custom Translator [project details](../custom-translator/how-to/create-manage-project.md) to this parameter to use your deployed customized system. Default value is: `general`. |

-| profanityAction | _Optional parameter_. <br>Specifies how profanities should be treated in translations. Possible values are: `NoAction` (default), `Marked` or `Deleted`. To understand ways to treat profanity, see [Profanity handling](#handle-profanity). |

-| Authentication header(s) | _Required request header_. <br>See [available options for authentication](./v3-0-reference.md#authentication). |

- * `alignment`: An object with a single string property named `proj`, which maps input text to translated text. The alignment information is only provided when the request parameter `includeAlignment` is `true`. Alignment is returned as a string value of the following format: `[[SourceTextStartIndex]:[SourceTextEndIndex]ΓÇô[TgtTextStartIndex]:[TgtTextEndIndex]]`. The colon separates start and end index, the dash separates the languages, and space separates the words. One word may align with zero, one, or multiple words in the other language, and the aligned words may be noncontiguous. When no alignment information is available, the alignment element is empty. See [Obtain alignment information](#obtain-alignment-information) for an example and restrictions.

-* `sourceText`: An object with a single string property named `text`, which gives the input text in the default script of the source language. `sourceText` property is present only when the input is expressed in a script that's not the usual script for the language. For example, if the input were Arabic written in Latin script, then `sourceText.text` would be the same Arabic text converted into Arab script.

-| X-requestid | Value generated by the service to identify the request. It's used for troubleshooting purposes. |

-|403 | The request isn't authorized. Check the details error message. This status code often indicates that all free translations provided with a trial subscription have been used up. |

-|429 | The server rejected the request because the client has exceeded request limits. |

-Normally, the Translator service retains profanity that is present in the source in the translation. The degree of profanity and the context that makes words profane differ between cultures, and as a result the degree of profanity in the target language may be amplified or reduced.

-If you want to avoid getting profanity in the translation, regardless of the presence of profanity in the source text, you can use the profanity filtering option. The option allows you to choose whether you want to see profanity deleted, marked with appropriate tags (giving you the option to add your own post-processing), or with no action taken. The accepted values of `ProfanityAction` are `Deleted`, `Marked` and `NoAction` (default).

-### Translate content with markup and decide what's translated

-In other words, the colon separates start and end index, the dash separates the languages, and space separates the words. One word may align with zero, one, or multiple words in the other language, and the aligned words may be noncontiguous. When no alignment information is available, the Alignment element is empty. The method returns no error in that case.

-Obtaining alignment information is an experimental feature that we've enabled for prototyping research and experiences with potential phrase mappings. We may choose to stop supporting this feature in the future. Here are some of the notable restrictions where alignments aren't supported:

- * English to/from any other language except Chinese Traditional, Cantonese (Traditional) or Serbian (Cyrillic).

- * from Japanese to Korean or from Korean to Japanese.

- * from Japanese to Chinese Simplified and Chinese Simplified to Japanese.

- * from Chinese Simplified to Chinese Traditional and Chinese Traditional to Chinese Simplified.

-* You don't alignment if the sentence is a canned translation. Example of a canned translation is `This is a test`, `I love you` and other high frequency sentences.

-Each translate request is limited to 50,000 characters, across all the target languages. For example, sending a translate request of 3,000 characters to translate to three different languages results in a request size of 3,000 &times; 3 = 9,000 characters and meets the request limit. You're charged per character, not by the number of requests, therefore, it's recommended that you send shorter requests.

-* You've reached or surpass the quota limit.

-* You've sent a large portion of the quota in too short a period of time.

-The Translator has a maximum latency of 15 seconds using standard models and 120 seconds when using custom models. Typically, responses *for text within 100 characters* are returned in 150 milliseconds to 300 milliseconds. The custom translator models have similar latency characteristics on sustained request rate and may have a higher latency when your request rate is intermittent. Response times vary based on the size of the request and language pair. If you don't receive a translation or an [error response](./reference/v3-0-reference.md#errors) within that time frame, check your code, your network connection, and retry.

-This table lists the content limits for data sent using Document Translation:

-> [!NOTE]

-> Document Translation can't be used to translate secured documents such as those with an encrypted password or with restricted access to copy content.

- The Azure Government cloud is available to US government customers and their partners. US federal, state, local, tribal governments and their partners have access to the Azure Government cloud dedicated instance. Cloud operations are controlled by screened US citizens.

-description: Integrate Translator into your applications, websites, tools, and other solutions to provide multi-language user experiences.

-Translator Service is a cloud-based neural machine translation service that is part of the [Azure AI services](../what-are-ai-services.md) family and can be used with any operating system. Translator powers many Microsoft products and services used by thousands of businesses worldwide to perform language translation and other language-related operations. In this overview, you learn how Translator can enable you to build intelligent, multi-language solutions for your applications across all [supported languages](./language-support.md).

-| [**Document Translation**](document-translation/overview.md) | Translate batch and complex files while preserving the structure and format of the original documents. [Create a glossary](document-translation/how-to-guides/create-use-glossaries.md) to use with document translation.| &bull; [**REST API**](document-translation/reference/rest-api-guide.md)</br>&bull; [**Client-library SDK**](document-translation/quickstarts/document-translation-sdk.md) |

-For detailed information regarding Azure AI Translator Service request limits, *see* [**Text translation request limits**](service-limits.md#text-translation).

-First, you need a Microsoft account; if you don't have one, you can sign up for free at the [**Microsoft account portal**](https://account.microsoft.com/account). Select **Create a Microsoft account** and follow the steps to create and verify your new account.

-* Review [**Translator pricing**](https://azure.microsoft.com/pricing/details/cognitive-services/translator-text-api/).

-* The [Document Translation SDK quickstart](document-translation/quickstarts/document-translation-sdk.md) is now available for the C# and Python programming languages.

-* Translator service has [text and document translation language support](language-support.md) for Basque and Galician. Basque is a language isolate, meaning it isn't related to any other modern language. It's spoken in parts of northern Spain and southern France. Galician is spoken in northern Portugal and western Spain. Both Basque and Galician are official languages of Spain.

-* Translator service has [text and document translation language support](language-support.md) for Upper Sorbian. The Translator team has worked tirelessly to preserve indigenous and endangered languages around the world. Language data provided by the Upper Sorbian language community was instrumental in introducing this language to Translator.

-* Translator service has added [text and document language support](language-support.md) for the following languages:

- * **Tatar**. A Turkic language used by speakers in modern Tatarstan. It's closely related to Crimean Tatar and Siberian Tatar but each belongs to different subgroups.

- * **Uyghur**. A Turkic language with nearly 15 million speakers. It's spoken primarily in Western China.

-* **Feature release**: Translator's [Document Translation](document-translation/overview.md) feature is generally available. Document Translation is designed to translate large files and batch documents with rich content while preserving original structure and format. You can also use custom glossaries and custom models built with [Custom Translator](custom-translator/overview.md) to ensure your documents are translated quickly and accurately.

-* **New release**: Translator service is available in containers as a gated preview. [Submit an online request](https://aka.ms/csgate-translator) and have it approved prior to getting started. Containers enable you to run several Translator service features in your own environment and are great for specific security and data governance requirements. *See*, [Install and run Translator containers (preview)](containers/translator-how-to-install-container.md)

-* **New release**: [Document Translation](document-translation/overview.md) is available as a preview feature of the Translator Service. Preview features are still in development and aren't meant for production use. They're made available on a "preview" basis so customers can get early access and provide feedback. Document Translation enables you to translate large documents and process batch files while still preserving the original structure and format. _See_ [Microsoft Translator blog: Introducing Document Translation](https://www.microsoft.com/translator/blog/2021/02/17/introducing-document-translation/)

-¹ For Azure Open AI models, only customers who have been approved for modified content filtering have full content filtering control, including configuring content filters at severity level high only or turning off content filters. Apply for modified content filters via this form: [Azure OpenAI Limited Access Review: Modified Content Filters and Abuse Monitoring (microsoft.com)](https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR7en2Ais5pxKtso_Pz4b1_xURE01NDY1OUhBRzQ3MkQxMUhZSE1ZUlJKTiQlQCN0PWcu)

-| Tool name | Description | Environment | Package name |

-| [Index Lookup](./index-lookup-tool.md) | Search an Azure Machine Learning Vector Index for relevant results using one or more text queries. | Default | [promptflow-vectordb](https://pypi.org/project/promptflow-vectordb/) |

-| [Vector Index Lookup](./vector-index-lookup-tool.md) | Search text or a vector-based query from a vector index. | Default | [promptflow-vectordb](https://pypi.org/project/promptflow-vectordb/) |

-| [Faiss Index Lookup](./faiss-index-lookup-tool.md) | Search a vector-based query from the Faiss index file. | Default | [promptflow-vectordb](https://pypi.org/project/promptflow-vectordb/) |

-| [Vector DB Lookup](./vector-db-lookup-tool.md) | Search a vector-based query from an existing vector database. | Default | [promptflow-vectordb](https://pypi.org/project/promptflow-vectordb/) |

-The following table shows an index of custom tools created by the community to extend prompt flow's capabilities for specific use cases. They aren't officially maintained or endorsed by prompt flow team. For questions or issues when using a tool, please see the support contact in the description.

-| Tool name | Description | Environment | Package name |

-|--|--|-|--|

-| [Azure AI Language tools](https://microsoft.github.io/promptflow/integrations/tools/azure-ai-language-tool.html) | This collection of tools is a wrapper for various Azure AI Language APIs, which can help effectively understand and analyze documents and conversations. The capabilities currently supported include: Abstractive Summarization, Extractive Summarization, Conversation Summarization, Entity Recognition, Key Phrase Extraction, Language Detection, PII Entity Recognition, Conversational PII, Sentiment Analysis, Conversational Language Understanding, Translator. You can learn how to use them by the [Sample flows](https://github.com/microsoft/promptflow/tree/e4542f6ff5d223d9800a3687a7cfd62531a9607c/examples/flows/integrations/azure-ai-language). Support contact: taincidents@microsoft.com | Custom | [promptflow-azure-ai-language](https://pypi.org/project/promptflow-azure-ai-language/) |

-> The feature described in this document, Microsoft Entra Integration (legacy) was **deprecated on June 1st, 2023**. At this time, no new clusters can be created with Microsoft Entra Integration (legacy). All Microsoft Entra Integration (legacy) AKS clusters will be migrated to AKS-managed Microsoft Entra ID automatically starting from December 1st, 2023.

-1. Select **Review + create** to validate your selected options. In the ***Review + create** pane, when you see **Create** light up after validation pass, select **Create**. The deployment may take up to 20 minutes.

-git checkout 20240109

-```bash

-cd <path-to-your-repo>/java-app

-export PASSWORD=<Azure-Container-Registry-password>

-export DB_PASSWORD=<server-admin-password>

-cd <path-to-your-repo>/java-app

- cd <path-to-your-repo>/java-app

- cd <path-to-your-repo>/java-app

-cd <path-to-your-repo>/java-app/target

-docker build -t javaee-cafe:v1 --pull --file=Dockerfile .

-cd <path-to-your-repo>/java-app/target

- cd <path-to-your-repo>/java-app/target

- cd <path-to-your-repo>/java-app/target

-description: Learn how to use Image Cleaner to clean up stale images on Azure Kubernetes Service (AKS)

-# Use Image Cleaner to clean up stale images on your Azure Kubernetes Service (AKS) cluster

-description: Find partner-tested solutions that enable you to build, test, deploy, manage and monitor your Windows-based apps on Windows containers on AKS.

-# Windows AKS Partners Solutions

-Microsoft has collaborated with partners to ensure your build, test, deployment, configuration, and monitoring of your applications perform optimally with Windows containers on AKS.

-Our 3rd party partners featured below have published introduction guides to start using their solutions with your applications running on Windows containers on AKS.

-## DevOps

-

-DevOps streamlines the delivery process, improves collaboration across teams, and enhances software quality, ensuring swift, reliable, and continuous deployment of your Windows-based applications.

-### GitLab

-

-The GitLab DevSecOps Platform supports the Microsoft development ecosystem with performance, accessibility testing, SAST, DAST and Fuzzing security scanning, dependency scanning, SBOM, license management and more.

-As an extensible platform, GitLab also allows you to plug in your own tooling for any stage. GitLab's integration with Azure Kubernetes Services (AKS) enables full DevSecOps workflows for Windows and Linux Container workloads using either Push CD or GitOps Pull CD with flux manifests. Using Cloud Native Buildpaks, GitLab Auto DevOps can build, test and autodeploy OSS .NET projects.

-### CircleCI

-

-## Networking

-Ensure efficient traffic management, enhanced security, and optimal network performance with these solutions to achieve smooth application connectivity and communication.

-### F5 NGINX

-

-NGINX Ingress Controller deployed in AKS, on-premises, and in the cloud implements unified Kubernetes-native API gateways, load balancers, and Ingress controllers to reduce complexity, increase uptime, and provide in-depth insights into app health and performance for containerized Windows workloads.

-Running at the edge of a Kubernetes cluster, NGINX Ingress Controller ensures holistic app security with user and service identities, authorization, access control, encrypted communications, and additional NGINX App Protect modules for Layer 7 WAF and DoS app protection.

-Learn how to manage connectivity to your Windows applications running on Windows nodes in a mixed-node AKS cluster with NGINX Ingress controller in this [blog](https://techcommunity.microsoft.com/t5/containers/improving-customer-experiences-with-f5-nginx-and-windows-on/ba-p/3820344).

-### Calico

-

-Tigera provides an active security platform with full-stack observability for containerized workloads and Microsoft AKS as a fully managed SaaS (Calico Cloud) or a self-managed service (Calico Enterprise). The platform prevents, detects, troubleshoots, and automatically mitigates exposure risks of security breaches for workloads in Microsoft AKS.

-To learn more, [click here](https://techcommunity.microsoft.com/t5/containers/securing-windows-workloads-on-azure-kubernetes-service-with/ba-p/3815429).

-## Observability

-Observability provides deep insights into your systems, enabling rapid issue detection and resolution to enhance your applicationΓÇÖs reliability and performance.

-### Datadog

-Get started by following the recommendations in our [joint blog](https://techcommunity.microsoft.com/t5/containers/gain-full-observability-into-windows-containers-on-azure/ba-p/3853603).

-### New Relic

-

-New Relic's Azure Kubernetes integration is a powerful solution that seamlessly connects New Relic's monitoring and observability capabilities with Azure Kubernetes Service (AKS). By deploying the New Relic Kubernetes integration, users gain deep insights into their AKS clusters' performance, health, and resource utilization. This integration allows users to efficiently manage and troubleshoot containerized applications, optimize resource allocation, and proactively identify and resolve issues in their AKS environments. With New Relic's comprehensive monitoring and analysis tools, businesses can ensure the smooth operation and optimal performance of their Kubernetes workloads on Azure.

-Check this [blog](https://techcommunity.microsoft.com/t5/containers/persistent-storage-for-windows-containers-on-azure-kubernetes/ba-p/3836781) for detailed information.

-## Security

-Ensure the integrity and confidentiality of applications, thereby fostering trust and compliance across your infrastructure.

-Prisma Cloud is a comprehensive Cloud-Native Application Protection Platform (CNAPP) tailor-made to help secure Windows containers on Azure Kubernetes Service (AKS). Gain continuous, real-time visibility and control over Windows container environments including vulnerability and compliance management, identities and permissions, and AI-assisted runtime defense. Integrated container scanning across the pipeline and in Azure Container Registry ensure security throughout the entire application lifecycle.

-See [our guidance](https://techcommunity.microsoft.com/t5/containers/unlocking-new-possibilities-with-prisma-cloud-and-windows/ba-p/3866485) for more details.

-## Storage

-Storage enables standardized and seamless storage interactions, ensuring high application performance and data consistency.

-### NetApp

-

-[Astra](https://www.netapp.com/cloud-services/astra/) provides dynamic storage provisioning for stateful workloads on Azure Kubernetes Service (AKS). It also provides data protection using snapshots and clones. Provision SMB volumes through the Kubernetes control plane, making storage seamless and on-demand for all your Windows AKS workloads.

-Follow the steps provided in [this blog](https://techcommunity.microsoft.com/t5/azure-architecture-blog/azure-netapp-files-smb-volumes-for-azure-kubernetes-services/ba-p/3052900) post to dynamically provision SMB volumes for Windows AKS workloads.

-## Config management

-Automate and standardize the system settings across your environments to enhance efficiency, reduce errors, and ensuring system stability and compliance.

-### Chef

-

-Chef provides visibility and threat detection from build to runtime that monitors, audits, and remediates the security of your Azure cloud services and Kubernetes and Windows container assets. Chef provides comprehensive visibility and continuous compliance into your cloud security posture and helps limit the risk of misconfigurations in cloud-native environments by providing best practices based on CIS, STIG, SOC2, PCI-DSS and other benchmarks. This is part of a broader compliance offering that supports on-premises or hybrid cloud environments including applications deployed on the edge.

-To learn more about ChefΓÇÖs capabilities, check out the comprehensive ΓÇÿhow-toΓÇÖ blog post here: [Securing Your Windows Environments Running on Azure Kubernetes Service with Chef](https://techcommunity.microsoft.com/t5/containers/securing-your-windows-environments-running-on-azure-kubernetes/ba-p/3821830).

-## 4. Generate outbound IP addresses for your new App Service Environment v3

-If the step is in progress, you get a status of `Migrating`. After you get a status of `Ready`, run the following command to view your new outbound IPs. If you don't see the new IPs immediately, wait a few minutes and try again.

-```azurecli

-az rest --method get --uri "${ASE_ID}?api-version=2022-03-01"

-```

-## 5. Update dependent resources with new outbound IPs

-By using the new IPs, update any of your resources or networking components to ensure that your new environment functions as intended after migration is complete. It's your responsibility to make any necessary updates.

-This step is also a good time to review the [inbound and outbound network](networking.md#ports-and-network-restrictions) dependency changes when moving to App Service Environment v3. These changes include the port change for Azure Load Balancer, which now uses port 80. Don't migrate until you complete this step.

-## 6. Delegate your App Service Environment subnet

-## 7. Confirm there are no locks on the virtual network

-## 8. Prepare your configurations

-> If you're configuring a custom domain suffix, when you're adding the network permissions on your Azure key vault, be sure that your key vault allows access from your App Service Environment's new outbound IP addresses that were generated in step 4.

-## 9. Migrate to App Service Environment v3 and check status

-After you get a status of `Ready`, migration is done, and you have an App Service Environment v3 resource. Your apps are now running in your new environment as well as in your old environment.

-## 10. Get the inbound IP address for your new App Service Environment v3 and update dependent resources

-You have two App Service Environments at this stage in the migration process. Your apps are running in both environments. You need to update any dependent resources to use the new inbound IP address for your new App Service Environment v3. For internal facing (ILB) App Service Environments, you need to update your private DNS zones to point to the new inbound IP address.

-You can get the inbound IP address for your new App Service Environment v3 by running the following command.

-## 11. Redirect customer traffic and complete migration

-> [Custom domain suffix](./how-to-custom-domain-suffix.md)

-### Generate outbound IP addresses for your new App Service Environment v3

-The platform creates the [the new outbound IP addresses](networking.md#addresses). While these IPs are getting created, activity with your existing App Service Environment isn't interrupted, however, you can't scale or make changes to your existing environment. This process takes about 15 minutes to complete.

-When completed, you'll be given the new outbound IPs that your future App Service Environment v3 uses. These new IPs have no effect on your existing environment. The IPs used by your existing environment continue to be used up until you redirect customer traffic and complete the migration in the final step.

-You receive the new inbound IP address once migration is complete but before you make the [DNS change to redirect customer traffic to your new App Service Environment v3](#redirect-customer-traffic-and-complete-migration). You don't get the inbound IP at this point in the process because the inbound IP is dependent on the subnet you select for the new environment. You have a chance to update any resources that are dependent on the new inbound IP before you redirect traffic to your new App Service Environment v3.

-### Update dependent resources with new outbound IPs

-The new outbound IPs are created and given to you before you start the actual migration. The new default outbound to the internet public addresses are given so you can adjust any external firewalls, DNS routing, network security groups, and any other resources that rely on these IPs before completing the migration. **It's your responsibility to update any and all resources that will be impacted by the IP address change associated with the new App Service Environment v3. Don't move on to the next step until you've made all required updates.** This step is also a good time to review the [inbound and outbound network](networking.md#ports-and-network-restrictions) dependency changes when moving to App Service Environment v3 including the port change for the Azure Load Balancer health probe, which now uses port 80.

-There's no application downtime during the migration, but as in the outbound IP generation step, you can't scale, modify your existing App Service Environment, or deploy apps to it during this process.

-### Get the inbound IP address for your new App Service Environment v3 and update dependent resources

-You get the new inbound IP address that you can use to set up new endpoints with services like [Traffic Manager](../../traffic-manager/traffic-manager-overview.md) or [Azure Front Door](../../frontdoor/front-door-overview.md). Don't move on to the next step until you account for this change. There's downtime if you don't update dependent resources with the new inbound IP. **It's your responsibility to update any and all resources that are impacted by the IP address change associated with the new App Service Environment v3. Don't move on to the next step until you've made all required updates.**

-> [Custom domain suffix](./how-to-custom-domain-suffix.md)

-description: Implement the security recommendations to help fulfill your security obligations as stated in our shared responsibility model. Improve the security of your app.

-# Security recommendations for App Service

-This article contains security recommendations for Azure App Service. Implementing these recommendations will help you fulfill your security obligations as described in our shared responsibility model and will improve the overall security for your Web App solutions. For more information on what Microsoft does to fulfill service provider responsibilities, read [Azure infrastructure security](../security/fundamentals/infrastructure.md).

-## General

-| Recommendation | Comments |

-|-|-|

-| Stay up to date | Use the latest versions of supported platforms, programming languages, protocols, and frameworks. |

-## Identity and access management

-| Recommendation | Comments |

-|-|-|

-| Disable anonymous access | Unless you need to support anonymous requests, disable anonymous access. For more information on Azure App Service authentication options, see [Authentication and authorization in Azure App Service](overview-authentication-authorization.md).|

-| Require authentication | Whenever possible, use the App Service authentication module instead of writing code to handle authentication and authorization. See [Authentication and authorization in Azure App Service](overview-authentication-authorization.md). |

-| Protect back-end resources with authenticated access | You can either use the user's identity or use an application identity to authenticate to a back-end resource. When you choose to use an application identity use a [managed identity](overview-managed-identity.md).

-| Require client certificate authentication | Client certificate authentication improves security by only allowing connections from clients that can authenticate using certificates that you provide. |

-## Data protection

-| Recommendation | Comments |

-|-|-|

-| Redirect HTTP to HTTPs | By default, clients can connect to web apps by using both HTTP or HTTPS. We recommend redirecting HTTP to HTTPs because HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated. |

-| Encrypt communication to Azure resources | When your app connects to Azure resources, such as [SQL Database](https://azure.microsoft.com/services/sql-database/) or [Azure Storage](../storage/index.yml), the connection stays in Azure. Since the connection goes through the shared networking in Azure, you should always encrypt all communication. |

-| Require the latest TLS version possible | Since 2018 new Azure App Service apps use TLS 1.2. Newer versions of TLS include security improvements over older protocol versions. |

-| Use FTPS | App Service supports both FTP and FTPS for deploying your files. Use FTPS instead of FTP when possible. When one or both of these protocols are not in use, you should [disable them](deploy-ftp.md#enforce-ftps). |

-| Secure application data | Don't store application secrets, such as database credentials, API tokens, or private keys in your code or configuration files. The commonly accepted approach is to access them as [environment variables](https://wikipedia.org/wiki/Environment_variable) using the standard pattern in your language of choice. In Azure App Service, you can define environment variables through [app settings](./configure-common.md) and [connection strings](./configure-common.md). App settings and connection strings are stored encrypted in Azure. The app settings are decrypted only before being injected into your app's process memory when the app starts. The encryption keys are rotated regularly. Alternatively, you can integrate your Azure App Service app with [Azure Key Vault](../key-vault/index.yml) for advanced secrets management. By [accessing the Key Vault with a managed identity](../key-vault/general/tutorial-net-create-vault-azure-web-app.md), your App Service app can securely access the secrets you need. |

-| **Secure application code** | Follow the steps to ensure the application code is secured. |

-| Static Content | When authoring a web application serving static content, ensure that only the intended files/folders are processed. A configuration/code which serves out all files may not be sure by default. Follow application runtime/frameworkΓÇÖs best practices to secure the static content. |

-| Hidden Folders | Ensure hidden folders like .git, bin, obj, objd, etc., doesnΓÇÖt get accidentally included as part of deployment artifact. Take adequate steps to ensure deployment scripts only deploy required files and nothing more. |

-| In-place deployments | Understand nuances of [in place deployment](https://github.com/projectkudu/kudu/wiki/Deploying-inplace-and-without-repository/#inplace-deployment) in local Git deployment. In-place deployment results in the creation and storage of the .git folder in the content root of the web application. Local Git deployment can activate in-place deployments automatically in some scenarios, even if in-place deployment isn't explicitly configured (for example, if the web app contains previously-deployed content when the local Git repository is initialized). Follow application runtime/frameworkΓÇÖs best practices to secure the content. |

-## Networking

-| Recommendation | Comments |

-|-|-|

-| Use static IP restrictions | Azure App Service on Windows lets you define a list of IP addresses that are allowed to access your app. The allowed list can include individual IP addresses or a range of IP addresses defined by a subnet mask. For more information, see [Azure App Service Static IP Restrictions](app-service-ip-restrictions.md). |

-| Use the isolated pricing tier | Except for the isolated pricing tier, all tiers run your apps on the shared network infrastructure in Azure App Service. The isolated tier gives you complete network isolation by running your apps inside a dedicated [App Service environment](environment/intro.md). An App Service environment runs in your own instance of [Azure Virtual Network](../virtual-network/index.yml).|

-| Use secure connections when accessing on-premises resources | You can use [Hybrid connections](app-service-hybrid-connections.md), [Virtual Network integration](./overview-vnet-integration.md), or [App Service environment's](environment/intro.md) to connect to on-premises resources. |

-| Limit exposure to inbound network traffic | Network security groups allow you to restrict network access and control the number of exposed endpoints. For more information, see [How To Control Inbound Traffic to an App Service Environment](environment/app-service-app-service-environment-control-inbound-traffic.md). |

-| Protect against DDoS attacks | For web workloads, we highly recommend utilizing [Azure DDoS protection](../ddos-protection/ddos-protection-overview.md) and a [web application firewall](../web-application-firewall/overview.md) to safeguard against emerging DDoS attacks. Another option is to deploy [Azure Front Door](../frontdoor/web-application-firewall.md) along with a web application firewall. Azure Front Door offers platform-level [protection against network-level DDoS attacks](../frontdoor/front-door-ddos.md). |

-## Monitoring

-| Recommendation | Comments |

-|-|-|

-|Use Microsoft Defender for Cloud's Microsoft Defender for App Service | [Microsoft Defender for App Service](../security-center/defender-for-app-service-introduction.md) is natively integrated with Azure App Service. Defender for Cloud assesses the resources covered by your App Service plan and generates security recommendations based on its findings. Use the detailed instructions in [these recommendations](../security-center/recommendations-reference.md#appservices-recommendations) to harden your App Service resources. Microsoft Defender for Cloud also provides threat protection and can detect a multitude of threats covering almost the complete list of MITRE ATT&CK tactics from pre-attack to command and control. For a full list of the Azure App Service alerts, see [Microsoft Defender for App Service alerts](../security-center/alerts-reference.md#alerts-azureappserv).|

-## Next steps

-Check with your application provider to see if there are additional security requirements.

-If you use Azure Kubernetes Service (AKS), this tutorial will show you how to enable dynamic configuration for your workloads in AKS by leveraging Azure App Configuration and its Kubernetes Provider. The tutorial assumes that you have already worked through the quickstart and have an App Configuration Kubernetes Provider set up, so before proceeding, make sure you have completed the [Use Azure App Configuration in Azure Kubernetes Service](./quickstart-azure-kubernetes-service.md) quickstart.

-1. Open the *appConfigurationProvider.yaml* file located in the *Deployment* directory. Then, add the `refresh` section under the `configuration` property as shown below. It enables configuration refresh by monitoring the sentinel key.

-1. Open the *deployment.yaml* file in the *Deployment* directory and add the following content to the `spec.containers` section. Your application will load configuration from a volume-mounted file the App Configuration Kubernetes provider generates. By setting this environment variable, your application can [ use polling to monitor changes in mounted files](/dotnet/api/microsoft.extensions.fileproviders.physicalfileprovider.usepollingfilewatcher).

-1. Run the following command to deploy the change. Replace the namespace if you are using your existing AKS application.

-1. After refreshing the browser a few times, you will see the updated content once the ConfigMap is updated in 30 seconds.

-description: Learn how to enable staged rollout of features for targeted audiences

-In this article, you'll learn how to roll out a new feature in an ASP.NET Core web application to specified users and groups, using `TargetingFilter` with Azure App Configuration.

-To roll out features based on users and groups, you'll need a web application that allows users to sign in.

-1. Create a web application that authenticates against a local database using the following command:

-1. Build and run, then select the **Register** link in the upper right corner to create a new user account. Use an email address of `test@contoso.com`. On the **Register Confirmation** screen, select **Click here to confirm your account**.

-1. Follow the instructions in [Quickstart: Add feature flags to an ASP.NET Core app](./quickstart-feature-flag-aspnet-core.md) to add a feature flag to your new web application.

-At this point, you can use the feature flag to enable or disable the `Beta` feature for all users. To enable the feature flag for some users while disabling it for others, update your code to use `TargetingFilter`. In this example, you'll use the signed-in user's email address as the user ID, and the domain name portion of the email address as the group. You'll add the user and group to the `TargetingContext`. The `TargetingFilter` uses this context to determine the state of the feature flag for each request.

-1. Add a *TestTargetingContextAccessor.cs* file:

-1. In *Startup.cs*, add a reference to the *Microsoft.FeatureManagement.FeatureFilters* namespace:

-1. Update the *ConfigureServices* method to register `TargetingFilter`, following the call to `AddFeatureManagement()`:

-The entire *ConfigureServices* method will look like this:

-```csharp

- services.AddDbContext<ApplicationDbContext>(options =>

- options.UseSqlite(

- Configuration.GetConnectionString("DefaultConnection")));

- services.AddDefaultIdentity<IdentityUser>(options => options.SignIn.RequireConfirmedAccount = true)

- .AddEntityFrameworkStores<ApplicationDbContext>();

- services.AddControllersWithViews();

- services.AddRazorPages();

- // Add feature management, targeting filter, and ITargetingContextAccessor to service collection

- services.AddFeatureManagement().AddFeatureFilter<TargetingFilter>();

- services.AddSingleton<ITargetingContextAccessor, TestTargetingContextAccessor>();

-```

-1. Select the following options:

- The feature filter screen will look like this:

- These settings result in the following behavior:

-1. The **Feature filter** for the feature flag now appears as *Targeting*. This state indicates that the feature flag will be enabled or disabled on a per-request basis, based on the criteria enforced by the *Targeting* feature filter.

-You can create additional users with `@contoso.com` and `@contoso-xyz.com` email addresses to see the behavior of the group settings.

-Users with `contoso-xyz.com` email addresses will not see the *Beta* item. While 50% of users with `@contoso.com` email addresses will see the *Beta* item, the other 50% won't see the *Beta* item.

-1. Run the [az acr login](/cli/azure/acr#az-acr-login) command to login your container registry. The following example logs into a registry named *myregistry*. Replace the registry name with yours.

-To learn more about the Azure App Configuration Kubernetes Provider, see [Azure App Configuration Kubernetes Provider reference](./reference-kubernetes-provider.md).

-The metrics addon can be configured to run in debug mode by changing the configmap setting `enabled` under `debug-mode` to `true` by following the instructions [here](prometheus-metrics-scrape-configuration.md#debug-mode). This mode can affect performance and should only be enabled for a short time for debugging purposes.

-When enabled, all Prometheus metrics that are scraped are hosted at port 9090. Run the following command:

-kubectl port-forward <ama-metrics pod name> -n kube-system 9090

-Go to `127.0.0.1:9090/metrics` in a browser to see if the metrics were scraped by the OpenTelemetry Collector. This user interface can be accessed for every `ama-metrics-*` pod. If metrics aren't there, there could be an issue with the metric or label name lengths or the number of labels. Also check for exceeding the ingestion quota for Prometheus metrics as specified in this article.

-| South Central US | North Europe | | Central India |

-Microsoft also offers System Center Operations Manager Managed Instance (SCOM MI) as an option to migrate a traditional SCOM setup into the cloud with minimal changes. For more information see [About Azure Monitor SCOM Managed Instance][/system-center/scom/operations-manager-managed-instance-overview].

-<!-- convertborder later -->

-<a name="regions-edit-network-features"></a>The option to *[edit network features for existing volumes (preview)](configure-network-features.md#edit-network-features-option-for-existing-volumes)* is supported for the following regions:

-## <a name="edit-network-features-option-for-existing-volumes"></a> Edit network features option for existing volumes (preview)

-This feature currently doesn't support SDK.

-> The option to edit network features is currently in preview. You need to submit a waitlist request for accessing the feature through the **[Azure NetApp Files standard networking features (edit volumes) Public Preview Request Form](https://aka.ms/anfeditnetworkfeaturespreview)**. The feature can take approximately one week to be enabled after you submit the waitlist request. You can check the status of feature registration by using the following command:

-> You can also revert the option from *Standard* back to *Basic* network features. However, before performing the revert operation, you need to submit a waitlist request through the **[Azure NetApp Files standard networking features (edit volumes) Public Preview Request Form](https://aka.ms/anfeditnetworkfeaturespreview)**. The revert capability can take approximately one week to be enabled after you submit the waitlist request. You can check the status of the registration by using the following command:

-Yes, Azure NetApp Files can be used to expand your AVS private cloud storage via [Azure NetApp Files datastores](../azure-vmware/attach-azure-netapp-files-to-azure-vmware-solution-hosts.md). In addition, you can mount Azure NetApp Files NFS volumes on AVS Windows VMs or Linux VMs. You can map Azure NetApp Files SMB shares on AVS Windows VMs. For more information, see [Azure NetApp Files with Azure VMware Solution]( ../azure-vmware/netapp-files-with-azure-vmware-solution.md).

-Using Azure NetApp Files NFS or SMB volumes with AVS for *Guest OS mounts* is supported in [all AVS and ANF enabled regions](https://azure.microsoft.com/global-infrastructure/services/?products=azure-vmware,netapp).

-## Which Unicode Character Encoding is supported by Azure NetApp Files for the creation and display of file and directory names?

-Azure NetApp Files only supports file and directory names that are encoded with the [UTF-8 Unicode Character Encoding](https://en.wikipedia.org/wiki/UTF-8), *C locale* (or _C.UTF-8_) format for both NFS and SMB volumes. As such only strict ASCII characters are valid.

-If you try to create files or directories with names that use supplementary characters or surrogate pairs such as non-regular characters and emoji that are not supported by C.UTF-8, the operation will fail. In this case, an error from a Windows client might read ΓÇ£The file name you specified is not valid or too long. Specify a different file name.ΓÇ¥

- This option specifies whether the volume will support cool access.

- This option specifies the period (in days) after which infrequently accessed data blocks (cold data blocks) are moved to the Azure storage account. The default value is 31 days. The supported values are between 7 and 183 days.

-[`az rest --method delete --url`](https://management.azure.com/subscriptions/%3csubscrption-id%3e/resourcegroups/%3cresource-group-name%3e/providers/Microsoft.AVS/privateClouds/%3cprivate-cloud-name%3e/addons/arc?api-version=2022-05-01%22)

->[!NOTE]

->The deletion process takes a few hours to complete.

-# Create Azure Recovery Services backup policies using REST API

-The steps to create a backup policy for an Azure Recovery Services vault are outlined in the [policy REST API document](/rest/api/backup/protection-policies/create-or-update). Let's use this document as a reference to create a policy for Azure VM backup.

-To create or update an Azure Backup policy, use the following *PUT* operation

-For example, to create a policy for Azure VM backup, following are the components of the request body.

-For the complete list of definitions in the request body, refer to the [backup policy REST API document](/rest/api/backup/protection-policies/create-or-update).

-#### For Azure VM backup

-#### For SQL in Azure VM backup

-The following is an example request body for SQL in Azure VM backup.

-#### For SAP HANA in Azure VM backup

-The following is an example request body for SQL in Azure VM backup.

-#### For Azure File share backup

-The following is an example request body for Azure File share backup.

-Yes, you can use Azure Bastion for Virtual WAN deployments. However, deploying Azure Bastion within a Virtual WAN hub isn't supported. You can deploy Azure Bastion in a spoke VNet and use the [IP-based connection](connect-ip-address.md) feature to connect to virtual machines deployed across a different VNet via the Virtual WAN hub. If the Azure Virtual WAN hub will be integrated with Azure Firewall as a [Secured Virtual Hub](../firewall-manager/secured-virtual-hub.md), default 0.0.0.0/0 route must not be overwritten.

-### <a name="dns"></a>Can I use Azure Bastion with Azure Private DNS Zones?

-Copy ExportPipeline Resource Manager [template files](https://github.com/Azure/acr/tree/master/docs/image-transfer/ExportPipelines) to a local folder.

-Copy ImportPipeline Resource Manager [template files](https://github.com/Azure/acr/tree/master/docs/image-transfer/ImportPipelines) to a local folder.

-Copy PipelineRun Resource Manager [template files](https://github.com/Azure/acr/tree/master/docs/image-transfer/PipelineRun/PipelineRun-Export) to a local folder.

-Copy PipelineRun Resource Manager [template files](https://github.com/Azure/acr/tree/master/docs/image-transfer/PipelineRun/PipelineRun-Import) to a local folder.

-[az-login]: /cli/azure/reference-index#az_login

-[az-keyvault-secret-set]: /cli/azure/keyvault/secret#az_keyvault_secret_set

-[az-keyvault-secret-show]: /cli/azure/keyvault/secret#az_keyvault_secret_show

-[az-keyvault-set-policy]: /cli/azure/keyvault#az_keyvault_set_policy

-[az-storage-container-generate-sas]: /cli/azure/storage/container#az_storage_container_generate_sas

-[az-storage-blob-list]: /cli/azure/storage/blob#az_storage-blob-list

-[az-deployment-group-create]: /cli/azure/deployment/group#az_deployment_group_create

-[az-deployment-group-delete]: /cli/azure/deployment/group#az_deployment_group_delete

-[az-deployment-group-show]: /cli/azure/deployment/group#az_deployment_group_show

-[az-acr-repository-list]: /cli/azure/acr/repository#az_acr_repository_list

-[az-acr-import]: /cli/azure/acr#az_acr_import

-[az-resource-delete]: /cli/azure/resource#az_resource_delete

-Run the [az storage account generate-sas][az-storage-account-generate-sas] command to generate a SAS token for the container in the source storage account, used for artifact export.

-EXPORT_SAS=?$(az storage account generate-sas \

-[az-storage-account-generate-sas]: /cli/azure/storage/account#az-storage-account-generate-sas

-1. Install Notation v1.0.1 on a Linux amd64 environment. You can also download the package for other environments by following the [Notation installation guide](https://notaryproject.dev/docs/user-guides/installation/).

- curl -Lo notation.tar.gz https://github.com/notaryproject/notation/releases/download/v1.0.1/notation_1.0.1_linux_amd64.tar.gz

-2. Install the Notation Azure Key Vault plugin on a Linux amd64 environment. You can also download the package for other environments by following the [Notation AKV plugin installation guide](https://github.com/Azure/notation-azure-kv#installation-the-akv-plugin).

- > The plugin directory varies depending upon the operating system being used. The directory path below assumes Ubuntu. Please read the [Notation directory structure for system configuration](https://notaryproject.dev/docs/user-guides/how-to/directory-structure/) for more information.

-

- # Create a directory for the plugin

- mkdir -p ~/.config/notation/plugins/azure-kv

-

- # Download the plugin

- curl -Lo notation-azure-kv.tar.gz \

- https://github.com/Azure/notation-azure-kv/releases/download/v1.0.1/notation-azure-kv_1.0.1_linux_amd64.tar.gz

-

- # Extract to the plugin directory

- tar xvzf notation-azure-kv.tar.gz -C ~/.config/notation/plugins/azure-kv

-3. List the available plugins.

-1. Install `Notation v1.0.0` on a Linux amd64 environment. Follow the [Notation installation guide](https://notaryproject.dev/docs/user-guides/installation/cli/) to download the package for other environments.

- curl -Lo notation.tar.gz https://github.com/notaryproject/notation/releases/download/v1.0.0/notation_1.0.0_linux_amd64.tar.gz

-2. Install the notation Azure Key Vault plugin on a Linux environment for remote signing. You can also download the package for other environments by following the [Notation AKV plugin installation guide](https://github.com/Azure/notation-azure-kv#installation-the-akv-plugin).

- # Create a directory for the plugin

- mkdir -p ~/.config/notation/plugins/azure-kv

-

- # Download the plugin

- curl -Lo notation-azure-kv.tar.gz https://github.com/Azure/notation-azure-kv/releases/download/v1.0.1/notation-azure-kv_1.0.1_linux_amd64.tar.gz

-

- # Extract to the plugin directory

- tar xvzf notation-azure-kv.tar.gz -C ~/.config/notation/plugins/azure-kv

-> [!NOTE]

-> The plugin directory varies depending upon the operating system in use. The directory path assumes Ubuntu. For more information, see [Notation directory structure for system configuration.](https://notaryproject.dev/docs/user-guides/how-to/directory-structure/)

-3. List the available plugins.

-> [!NOTE]

-> Monitoring costs at pipeline level is a preview feature currently only available in Azure Data Factory, and not Synapse pipelines.

-tags: azure-resource-manager

-tags: azure-resource-manager

-On the Security alerts page, you can [manage and respond to security alerts](managing-and-responding-alerts.md). You can also [review the agentless malware scanner's results](managing-and-responding-alerts.md#review-the-agentless-scans-results). Security alerts can also be [exported to Sentinel](export-to-siem.md).

- ```powershell

- # virus test string

- $TEST_STRING = '$$89-barbados-dublin-damascus-notice-pulled-natural-31$$'

-

-

-

- # File to be created

-

- $FILE_PATH = "C:\temp\virus_test_file.txt"

-

-

-

- # Write the test string to the file without a trailing newline

-

- [IO.File]::WriteAllText($FILE_PATH, $TEST_STRING)

-

-

-

- # Check if the file was created and contains the correct string

-

- if (Test-Path -Path $FILE_PATH) {

-

- $content = [IO.File]::ReadAllText($FILE_PATH)

-

- if ($content -eq $TEST_STRING) {

-

- Write-Host "Test file created and validated successfully."

-

- }

-

- else {

-

- Write-Host "Test file does not contain the correct string."

-

- }

-

- }

-

- else {

-

- Write-Host "Failed to create test file."

-

- }

- ```

-In this quickstart, you will connect your GitHub organizations on the **Environment settings** page in Microsoft Defender for Cloud. This page provides a simple onboarding experience to auto-discover your GitHub repositories.

-| Pricing: | For pricing, see the Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/?v=17.23h#pricing).

-| Regions and availability: | Refer to the [support and prerequisites](devops-support.md) section for region support and feature availability. |

-1. Select the organizations to install the GitHub application. It is recommended to grant access to **all repositories** to ensure Defender for Cloud can secure your entire GitHub environment.

-

- - Select **all existing organizations** to auto-discover all repositories in GitHub organizations where the DevOps security GitHub application is installed.

- - Select **all existing and future organizations** to auto-discover all repositories in GitHub organizations where the DevOps security GitHub application is installed and future organizations where the DevOps security GitHub application is installed.

-The **DevOps security** blade shows your onboarded repositories grouped by Organization. The **Recommendations** blade shows all security assessments related to GitHub repositories.

-| Pricing: | For pricing, see the Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/?v=17.23h#pricing). |

-| Required permissions: | **Account Administrator** with permissions to sign in to the Azure portal. <br> **Contributor** to create a connector on the Azure subscription. <br> **Group Owner** on the GitLab Group.

-| Regions and availability: | Refer to the [support and prerequisites](devops-support.md) section for region support and feature availability. |

-1. Select **Authorize**.

- - Select **all existing groups** to autodiscover all subgroups and projects in groups you are currently an Owner in.

- - Select **all existing and future groups** to autodiscover all subgroups and projects in all current and future groups you are an Owner in.

-The **DevOps security** blade shows your onboarded repositories by GitLab group. The **Recommendations** blade shows all security assessments related to GitLab projects.

-1. (Optional) If you don't already have a Log Analytics workspace in which to store the data, select **Create new workspace** and follow the on-screen guidance.

-The integration between Microsoft Defender for Cloud and Microsoft Defender XDR brings your cloud environments into Microsoft Defender XDR. With Defender for Cloud's alerts and cloud correlations integrated into Microsoft Defender XDR, SOC teams can now access all security information from a single interface.

- When you download one of these certification reports, you'll be shown the following privacy notice:

-Transparency provided by the compliance offerings (currently in preview), allows you to view the certification status for each of the services provided by Microsoft prior to adding your product to the Azure platform.

-## Continuously export compliance status

-For example, you might want Defender for Cloud to email a specific user when a compliance assessment fails. You'll need to first create the logic app (using [Azure Logic Apps](../logic-apps/logic-apps-overview.md)) and then set up the trigger in a new workflow automation as explained in [Automate responses to Defender for Cloud triggers](workflow-automation.md).

-# Review resources exempted from recommendations

-1. Select **All**, **Yes** or **No**.

-You can also find all resources that have been exempted from one or more recommendations on the Inventory page.

-**To review exempted resources on the Defender for Cloud's Inventory page**:

-To keep track of how users are exempting resources from recommendations, we've created an Azure Resource Manager (ARM) template that deploys a Logic App Playbook, and all necessary API connections to notify you when an exemption has been created.

-[Review security recommendations](review-security-recommendations.md)

-| [Changes in endpoint protection recommendations](#changes-in-endpoint-protection-recommendations) | February 1, 2024 | February 28, 2024 |

-**Estimated date of change: February 2024**

-| Endpoint Detection and Response (EDR) solution should be installed on Virtual Machines | February 2024 |

-| Endpoint Detection and Response (EDR) solution should be installed on EC2s | February 2024 |

-| Endpoint Detection and Response (EDR) solution should be installed on Virtual Machines (GCP) | February 2024 |

-| Endpoint Detection and Response (EDR) configuration issues should be resolved on virtual machines | February 2024 |

-| Endpoint Detection and Response (EDR) configuration issues should be resolved on EC2s | February 2024 |

-| Endpoint Detection and Response (EDR) configuration issues should be resolved on GCP virtual machines | February 2024 |

-> [!IMPORTANT]

-> The **Alerts** page in the Azure portal is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-> [Understand your network architecture ┬╗](architecture.md)

-> [!IMPORTANT]

-> The **Alerts** page is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

- - **To download update packages or push updates from the Azure portal**, you'll need access to the Azure portal as a [Security Admin](../../role-based-access-control/built-in-roles.md#security-admin), [Contributor](../../role-based-access-control/built-in-roles.md#contributor), or [Owner](../../role-based-access-control/built-in-roles.md#owner) user.

- - **To run updates on an OT sensor or on-premises management console**, you'll need access as an **Admin** user.

- - **To update an OT sensor via CLI**, you'll need access to the sensor as a [privileged user](roles-on-premises.md#default-privileged-on-premises-users).

-If you're using a legacy on-premises management console, make sure that you've [updated the on-premises management console](#update-the-on-premises-management-console) *before* updating any connected sensors.

-# [Azure portal (Preview)](#tab/portal)

-This procedure describes how to send a software version update to one or more OT sensors, and then run the updates remotely from the Azure portal. Bulk updates are supported for up to 10 sensors at a time.

-1. In [Defender for IoT](https://portal.azure.com/#view/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/~/Getting_started) in the Azure portal, select **Sites and sensors** and then locate the OT sensors with legacy, but [supported versions](#prerequisites) installed.

- If you know your site and sensor name, you can browse or search for it directly. Alternately, filter the sensors listed to show only cloud-connected, OT sensors that have *Remote updates supported*, and have legacy software version installed. For example:

- :::image type="content" source="media/update-ot-software/filter-remote-update.png" alt-text="Screenshot of how to filter for OT sensors that are ready for remote update." lightbox="media/update-ot-software/filter-remote-update.png":::

-1. Select one or more sensors to update, and then select **Sensor update** > **Remote update** > **Step one: Send package to sensor**.

- For an individual sensor, the **Step one: Send package to sensor** option is also available from the **...** options menu to the right of the sensor row. For example:

- :::image type="content" source="media/update-ot-software/remote-update-step-1.png" alt-text="Screenshot of the Send package option." lightbox="media/update-ot-software/remote-update-step-1.png":::

-

- :::image type="content" source="media/update-ot-software/send-package-multiple-versions-400.png" alt-text="Screenshot of sensor update pane with option to choose sensor update version." lightbox="media/update-ot-software/send-package-multiple-versions.png" border="false":::

-1. When you're ready, select **Send package**, and the software transfer to your sensor machine is started. You can see the transfer progress in the **Sensor version** column, with the percentage complete automatically updating in the progress bar, so you can see that the process has started and letting you track its progress until the transfer is complete. For example:

-### Run your sensor update from the Azure portal

-Run the sensor update only when you see the :::image type="icon" source="media/update-ot-software/ready-to-update.png" border="false"::: **Ready to update** icon in the **Sensor version** column.

-1. Select one or more sensors to update, and then select **Sensor update** > **Remote update** > **Step 2: Update sensor** from the toolbar. The **Update sensor** pane opens in the right side of the screen.

- For an individual sensor, the **Step 2: Update sensor** option is also available from the **...** options menu. For example:

- :::image type="content" source="media/update-ot-software/remote-update-step-2.png" alt-text="Screenshot of the Update sensor option." lightbox="media/update-ot-software/remote-update-step-2.png":::

-1. In the **Update sensor** pane that appears, verify your update details.

- When you're ready, select **Update now** > **Confirm update**. In the grid, the **Sensor version** value changes to :::image type="icon" source="media/update-ot-software/installing.png" border="false"::: **Installing**, and an update progress bar appears showing you the percentage complete. The bar automatically updates, so that you can track the progress until the installation is complete.

- When completed, the sensor value switches to the new sensor version number instead.

-If a sensor fails to update for any reason, the software reverts back to the previous version installed, and a sensor health alert is triggered. For more information, see [Understand sensor health](how-to-manage-sensors-on-the-cloud.md#understand-sensor-health) and [Sensor health message reference](sensor-health-messages.md).

-# [OT sensor UI](#tab/sensor)

-# [OT sensor CLI](#tab/cli)

-| **OT networks** | - [Alert suppression rules from the Azure portal (Public preview)](#alert-suppression-rules-from-the-azure-portal-public-preview)<br>- [Focused alerts in OT/IT environments](#focused-alerts-in-otit-environments)<br>- [Alert ID now aligned on the Azure portal and sensor console](#alert-id-now-aligned-on-the-azure-portal-and-sensor-console)<br>- [Newly supported protocols](#newly-supported-protocols)|

-Catalogs help you provide a set of curated IaC templates for your development teams to create environments. You can attach either a [GitHub repository](https://docs.github.com/repositories/creating-and-managing-repositories/about-repositories) or an [Azure DevOps Services repository](/azure/devops/repos/get-started/what-is-repos) as a catalog.

-Microsoft offers a [sample catalog](https://aka.ms/deployment-environments/SampleCatalog) that you can use as your repository. You also can use your own private repository, or you can fork and customize the environment definitions in the sample catalog.

-The OSDU Admin UI enables platform administrators to manage the Azure Data Manager for Energy data partition you connect it to. The management tasks include entitlements (user and group management), legal tags, schemas, reference data, and view objects and visualize those on a map.

- :::image type="content" source="media/how-to-deploy-osdu-admin-ui/app-permission-1.png" alt-text="Screenshot that shows applications read all permission.":::

- :::image type="content" source="media/how-to-deploy-osdu-admin-ui/app-permission-2.png" alt-text="Screenshot that shows user read all permission.":::

-2. Click on Open to clone the repository.

-3. Accept the cloning prompt.

- :::image type="content" source="media/how-to-deploy-osdu-admin-ui/clone-the-repository.png" alt-text="Screenshot that shows cloning the repository.":::

-4. When prompted for a container configuration template,

- 3. Add the [Azure CLI](https://github.com/devcontainers/features/tree/main/src/azure-cli) feature.

- 

-5. After a few minutes, the devcontainer is running.

-

- :::image type="content" source="media/how-to-deploy-osdu-admin-ui/running-devcontainer.png" alt-text="Screenshot that shows running devcontainer.":::

-6. Open the terminal.

- :::image type="content" source="media/how-to-deploy-osdu-admin-ui/open-terminal.png" alt-text="Screenshot that shows opening terminal.":::

-7. Install NVM, Node.js, npm, and Angular CLI by executing the command in the bash terminal.

- :::image type="content" source="media/how-to-deploy-osdu-admin-ui/install-screen.png" alt-text="Screenshot that shows installation.":::

-8. Log into Azure CLI by executing the command on the terminal. It takes you to the login screen.

-9. It takes you to the login screen. Enter your credentials and upon success, you see a success message.

- :::image type="content" source="media/how-to-deploy-osdu-admin-ui/login.png" alt-text="Screenshot that shows successful login.":::

- 

-2. Fetch the value of `id` as the subscription ID by running the following command on the terminal.

-3. If the above ID isn't same as the `subcription-id` from the Azure Data Manager for Energy instance, you need to change subscription.

-4. Enter the required environment variables on the terminal.

- export CLIENT_ID="<client-id>" ## App Registration to be used by OSDU Admin UI, usually the client ID used to provision ADME

- export TENANT_ID="<tenant-id>" ## Tenant ID

- export ADME_URL="<adme-url>" ## Remove www or https from the text

- export DATA_PARTITION="<partition>"

- export WEBSITE_NAME="<storage-name>" ## Unique name of the storage account or static web app that will be generated

- export RESOURCE_GROUP="<resource-group>" ## Name of resource group

- export LOCATION="<location>" ## Azure region to deploy to, i.e. "westeurope"

-1. Fetch the redirect URI.

- export REDIRECT_URI=$(az storage account show --resource-group $RESOURCE_GROUP --name $WEBSITE_NAME --query "primaryEndpoints.web") && \

- echo "Redirect URL: $REDIRECT_URI"

-1. Get the App Registration's Single-page Application (SPA) section.

- ```azurecli-interactive

- echo "https://ms.portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Authentication/appId/$CLIENT_ID/isMSAApp~/false"

-1. Open the link you got from the above result in the browser and add the `REDIRECT_URI`.

-

- 

-2. Install the dependencies.

-3. Modify the parameters in the config file located at `/src/config/config.json`.

- \* [OSDU Connector API](https://community.opengroup.org/osdu/ui/admin-ui-group/admin-ui-totalenergies/connector-api-totalenergies) is built as an interface between consumers and OSDU APIs wrapping some API chain calls and objects. Currently, it manages all operations and actions on project and scenario objects.

-4. If you aren't able to give app permissions in the Prerequisite step because of the subscription constraints, remove `User.ReadBasic.All` and `Application.Read.All` from the `src/config/environments/environment.ts`. Removing these permissions would disable the Admin UI from converting the OIDs of users and applications into the user names and application names respectively.

- :::image type="content" source="media/how-to-deploy-osdu-admin-ui/graph-permission.png" alt-text="Screenshot that shows graph permissions.":::

-5. Build the web UI.

-6. Upload the build to Storage Account.

-7. Fetch the website URL.

-8. Open the Website URL in the browser and validate that it's working correctly and connected to the correct Azure Data Manager for Energy instance.

-For other deployment methods (Terraform or Azure DevOps pipeline), see [OSDU Admin UI DevOps](https://community.opengroup.org/osdu/ui/admin-ui-group/admin-ui-totalenergies/admin-ui-totalenergies/-/tree/main/OSDUApp/devops/azure).

-#### Request format

- ```bash

- https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>

- &response_type=code

- &redirect_uri=<redirect-uri>

- &response_mode=query

- &scope=<client-id>%2f.default&state=12345&sso_reload=true

-```

-#### Sample response

-```bash

-http://localhost:8080/?code=0.BRoAv4j5cvGGr0...au78f&state=12345&session....

-```

-|Parameter| Description|

-| | |

-|code|The authorization code that the app requested. The app can use the authorization code to request an access token for the target resource. Authorization codes are short lived. Typically, they expire after about 10 minutes.|

-|state|If a state parameter is included in the request, the same value should appear in the response. The app should verify that the state values in the request and response are identical. This check helps to detect [CSRF attacks](https://tools.ietf.org/html/rfc6749#section-10.12) against the client.|

-|session_state|A unique value that identifies the current user session. This value is a GUID, but it should be treated as an opaque value that's passed without examination.|

-In this article, you learn how to manage users and their memberships in OSDU groups in Azure Data Manager for Energy. [Entitlements APIs](https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/tree/master/) are used to add or remove users to OSDU groups and to check the entitlements when the user tries to access the OSDU services or data. For more information about OSDU groups, see [Entitlement services](concepts-entitlements.md).

-## Install Event Grid preview extension

-By installing the Event Grid preview extension you will get access to the latest features, this step is required in some features that are still in preview.

-```azurecli-interactive

-az extension add --name eventgrid

-```

-If you already installed the Event Grid preview extension, you can update it with the following command.

-```azurecli-interactive

-az extension update --name eventgrid

-```

- az resource create --resource-group $resource_group --namespace Microsoft.EventGrid --resource-type namespaces --name $namespace --location $location --properties "{}"

- az resource create --resource-group $resource_group --namespace Microsoft.EventGrid --resource-type topics --name $topic --parent namespaces/$namespace --properties "{}"

-Create an Event Hubs resource that will be used as the handler destination for the namespace topic push delivery subscription.

-```azurecli-interactive

-eventHubsNamespace="<your-event-hubs-namespace-name>"

-```

-```azurecli-interactive

-eventHubsEventHub="<your-event-hub-name>"

-```

-```azurecli-interactive

-az eventhubs eventhub create --resource-group $resourceGroup --namespace-name $eventHubsNamespace --name $eventHubsEventHub --partition-count 1

-```

-1. Enable system-assigned or user-assigned managed identity: [namespaces](event-grid-namespace-managed-identity.md), continue reading to the next section to find how to enable managed identity using Azure CLI.

- principalId=(az eventgrid namespace show --resource-group $resource_group --name $namespace --query identity.principalId -o tsv)

- eventHubResourceId=(az eventhubs eventhub show --resource-group $resource_group --namespace-name $eventHubsNamespace --name $eventHubsEventHub --query id -o tsv)

- ```azurecli-interactive

- namespace_resource_id=$(az resource show --resource-group $resource_group --namespace Microsoft.EventGrid --resource-type namespaces --name $namespace --query "id" --output tsv)

- key=$(az resource invoke-action --action listKeys --ids $namespace_resource_id --query "key1" --output tsv)

- publish_operation_uri="https://"$(az resource show --resource-group $resource_group --namespace Microsoft.EventGrid --resource-type namespaces --name $namespace --query "properties.topicsConfiguration.hostname" --output tsv)"/topics/"$topic:publish?api-version=2023-06-01-preview

- az resource create --resource-group $resource_group --namespace Microsoft.EventGrid --resource-type namespaces --name $namespace --location eastus --properties "{}"

- az resource create --resource-group $resource_group --namespace Microsoft.EventGrid --resource-type topics --name $topic --parent namespaces/$namespace --properties "{}"

- az resource create --resource-group $resource_group --namespace Microsoft.EventGrid --resource-type eventsubscriptions --name $event_subscription --parent namespaces/$namespace/topics/$topic --properties "{ \"deliveryConfiguration\":{\"deliveryMode\":\"Queue\",\"queue\":{\"receiveLockDurationInSeconds\":300}} }"

- namespace_resource_id=$(az resource show --resource-group $resource_group --namespace Microsoft.EventGrid --resource-type namespaces --name $namespace --query "id" --output tsv)

- key=$(az resource invoke-action --action listKeys --ids $namespace_resource_id --query "key1" --output tsv)

- publish_operation_uri="https://"$(az resource show --resource-group $resource_group --namespace Microsoft.EventGrid --resource-type namespaces --name $namespace --query "properties.topicsConfiguration.hostname" --output tsv)"/topics/"$topic:publish?api-version=2023-06-01-preview

- receive_operation_uri="https://"$(az resource show --resource-group $resource_group --namespace Microsoft.EventGrid --resource-type namespaces --name $namespace --query "properties.topicsConfiguration.hostname" --output tsv)"/topics/"$topic/eventsubscriptions/$event_subscription:receive?api-version=2023-06-01-preview

- acknowledge_operation_uri="https://"$(az resource show --resource-group $resource_group --namespace Microsoft.EventGrid --resource-type namespaces --name $namespace --query "properties.topicsConfiguration.hostname" --output tsv)"/topics/"$topic/eventsubscriptions/$event_subscription:acknowledge?api-version=2023-06-01-preview

-description: In this quickstart, you use a Bicep file to create an Azure policy assignment that identifies non-compliant resources.

-In this quickstart, you use a Bicep file to create a policy assignment that validates resource's compliance with an Azure policy. The policy is assigned to a resource group scope and audits if virtual machines use managed disks. Virtual machines deployed in the resource group that don't use managed disks are _non-compliant_ with the policy assignment.

-> [!NOTE]

-> Azure Policy is a free service. For more information, go to [Overview of Azure Policy](./overview.md).

-1. Select **File** > **Save** and use the filename _policy-policy-assignment.bicep_.

-The resource type defined in the Bicep file is [Microsoft.Authorization/policyAssignments](/azure/templates/microsoft.authorization/policyassignments).

-The following commands create a resource group and deploy the policy definition.

-New-AzResourceGroup -Name "PolicyGroup" -Location "westus"

-New-AzResourceGroupDeployment `

- -Name PolicyDeployment `

- -ResourceGroupName PolicyGroup `

- -TemplateFile policy-assignment.bicep

-az group create --name "PolicyGroup" --location "westus"

- --resource-group PolicyGroup \

-The Bicep file outputs the policy `assignmentId`. You create a variable for the policy assignment ID in the commands that validate the deployment.

-## Validate the deployment

-After the policy assignment is deployed, virtual machines that are deployed to the _PolicyGroup_ resource group are audited for compliance with the managed disk policy.

-1. Sign in to [Azure portal](https://portal.azure.com)

-1. Go to **Policy** and select **Compliance** on the left side of the page.

-1. Search for the _audit-vm-managed-disks_ policy assignment.

-The **Compliance state** for a new policy assignment is shown as **Not started** because it takes a few minutes to become active.

-For more information, go to [How compliance works](./concepts/compliance-states.md).

-You can also get the compliance state with Azure PowerShell or Azure CLI.

-# Verifies policy assignment was deployed

-$rg = Get-AzResourceGroup -Name "PolicyGroup"

-Get-AzPolicyAssignment -Name "audit-vm-managed-disks" -Scope $rg.ResourceId

-# Shows the number of non-compliant resources and policies

-$policyid = (Get-AzPolicyAssignment -Name "audit-vm-managed-disks" -Scope $rg.ResourceId)

-Get-AzPolicyStateSummary -ResourceId $policyid.ResourceId

-The `$rg` variable stores the resource group's properties and `Get-AzPolicyAssignment` shows your policy assignment. The `$policyid` variable stores the policy assignment's resource ID, and `Get-AzPolicyStateSummary` shows the number of non-compliant resources and policies.

-# Verifies policy assignment was deployed

-rg=$(az group show --resource-group PolicyGroup --query id --output tsv)

-az policy assignment show --name "audit-vm-managed-disks" --scope $rg

-# Shows the number of non-compliant resources and policies

-policyid=$(az policy assignment show --name "audit-vm-managed-disks" --scope $rg --query id --output tsv)

-az policy state summarize --resource $policyid

-The `$rg` variable stores the resource group's properties and `az policy assignment show` displays your policy assignment. The `$policyid` variable stores the policy assignment's resource ID and `az policy state summarize` shows the number of non-compliant resources and policies.

-## Clean up resources

-To remove the assignment from Azure, follow these steps:

-1. Select **Compliance** in the left side of the Azure Policy page.

-1. Locate the _audit-vm-managed-disks_ policy assignment.

-1. Right-click the _audit-vm-managed-disks_ policy assignment and select **Delete

- assignment**.

- :::image type="content" source="./media/assign-policy-bicep/delete-assignment.png" alt-text="Screenshot of the context menu to delete an assignment from the Policy Compliance page.":::

-1. Delete the resource group _PolicyGroup_. Go to the Azure resource group and select **Delete resource group**.

-1. Delete the _policy-assignment.bicep_ file.

-You can also delete the policy assignment and resource group with Azure PowerShell or Azure CLI.

-Remove-AzPolicyAssignment -Id $policyid.ResourceId

-Remove-AzResourceGroup -Name "PolicyGroup"

-# Sign out of Azure

-az policy assignment delete --name "audit-vm-managed-disks" --scope $rg

-az group delete --name PolicyGroup

-# Sign out of Azure

-In this quickstart, you assigned a built-in policy definition to a resource group scope and reviewed its compliance report. The policy definition audits if the virtual machine resources in the resource group are compliant and identifies resources that aren't compliant.

-> [Creating and managing policies](./tutorials/create-and-manage.md)

- "type": "secret",

-|secretsProfile.secrets[*].type|Type of object in Azure Key Vault, only ΓÇ£secretΓÇ¥ is supported.|secret|

- "type": "secret",

- "type": "secret",

-```

-With export, data is exported in multiple files each containing resources of only one type. The number of resources in an individual file will be limited. The maximum number of resources is based on system performance. It is currently set to 5,000, but can change. The result is that you may get multiple files for a resource type, which will be enumerated (for example, `Patient-1.ndjson`, `Patient-2.ndjson`).

-| \_till | No | Allows you to only export resources that have been modified till the time provided. This parameter is applicable to only System-Level export. In this case, if historical versions have not been disabled or purged, export guarantees true snapshot view, or, in other words, enables time travel. |

-Identity providers must support OpenID Connect (OIDC), and must be able to issue JSON Web Tokens (JWT) with a `fhirUser` claim, a `azp` or `appId` claim, and an `scp` claim with [SMART on FHIR v1 Scopes](https://www.hl7.org/fhir/smart-app-launch/1.0.0/scopes-and-launch-context/https://docsupdatetracker.net/index.html#scopes-for-requesting-clinical-data).

-The identity provider defines the application with a unique identifier called the `clientId` string (or application ID). The FHIR service validates the access token by checking the `authorized party` (azp) or `application id` (appId) claim against the `clientId` string. The FHIR service rejects requests with a `401 Unauthorized` error code if the `clientId` string and the token claim don't match exactly.

-8. **Verify the azp or appId (authorized party or appId claim)**. The `azp` or `appId` claim must exactly match the `clientId` value provided in the `smartIdentityProvider` identity provider configuration.

-1. You can see the successful set up of the IoT Edge Simulator by reading the progress detail in the integrated terminal.

-* [Azure IoT Edge for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-edge).

-* [Azure IoT Edge for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-edge).

-To identify the IoT Edge devices that are to receive the deployment, you must specify a target condition. A target condition is met when specified criteria is matched by a deviceId, tag value, or a reported property value.

-Learn more about [Deploying modules to IoT Edge devices](module-deployment-monitoring.md).

-Request a TLS client certificate and a private key from your PKI provider. Ensure that the common name (CN) matches the IoT Edge device ID registered with IoT Hub or registration ID with DPS. For example, in the following device identity certificate, `Subject: CN = my-device` is the critical field that needs to match.

- :::image type="content" source="./media/how-to-monitor-module-twins/select-module-twin.png" alt-text="Screenshot showing how to select a module twin to view in the Azure portal .":::

-1. If not already installed, install the [Azure IoT Edge](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-edge) and [Azure IoT Hub](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit) extensions.

- :::image type="content" source="./media/how-to-monitor-module-twins/edit-module-twin-vscode.png" alt-text="Screenshot showing how to get a module twin to edit in Visual Studio Code .":::

-* [Azure IoT Edge](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-edge)

-Leave out the `--purge` flag if you plan to reinstall IoT Edge and use the same configuration information in the future. The `--purge` flags deletes all the files associated with IoT Edge, including your configuration files.

-* where data needs to be stored locally until it can be processed or transferred to the cloud. This data can be videos, images, finance data, hospital data, or any other unstructured data.

-* when devices are located in a place with limited connectivity.

-* when you want to efficiently process the data locally to get low latency access to the data, such that you can respond to emergencies as quickly as possible.

-* when you want to reduce bandwidth costs and avoid transferring terabytes of data to the cloud. You can process the data locally and send only the processed data to the cloud.

-Watch the video for quick introduction

-> [!VIDEO https://www.youtube.com/embed/xbwgMNGB_3Y]

- [Azure IoT Hub](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit) extensions.

-[Azure IoT Hub](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit) extensions.

-* [Visual Studio Code](https://code.visualstudio.com/) configured with the [Azure IoT Edge](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-edge) and [Azure IoT Hub](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit) extensions.

-

-# Cross-region (Global) Load Balancer

-description: Learn how to test Azure Public Load Balancer front-end IPv4 and IPv6 addresses for reachability from an Azure VM or an external device. Supports ping and traceroute.

-# Test reachability of Azure Public Load Balancer front-ends with ping and traceroute

-Standard Public Azure Load Balancer front-end IPv4 and IPv6 addresses support testing reachability using ping and traceroute. Testing reachability of a load balancer front-end is useful for troubleshooting inbound connectivity issues to Azure resources. In this article, you learn how to use ping and traceroute for testing a front-end of an existing Standard public load balancer. It can be completed from an Azure Virtual Machine or from a device outside of Azure.

-> Testing inbound connectivity to Azure Load Balancer front-ends is only supported for public load balancers. Testing inbound connectivity to internal load balancer front-ends is not supported.

-This section describes testing reachability of a standard load balancer front-end from a Windows device outside of Azure.

-This section describes testing reachability of a standard load balancer front-end from a Linux device outside of Azure.

-### Test the load balancer's front-end

-Choose either ping or traceroute to test reachability of a standard load balancer front-end from a device outside of Azure.

-Follow these steps to test reachability of a standard public load balancer front-end using `ping` from a Windows device outside of Azure:

-Follow these steps to test reachability of a standard public load balancer front-end using `ping` from a Linux device outside of Azure:

-Follow these steps to test reachability of a standard public load balancer front-end using `tracert` from a Windows device outside of Azure:

-Follow these steps to test reachability of a standard public load balancer front-end using `traceroute` from a Linux device outside of Azure:

-This section describes how to test reachability of a standard public load balancer front-end from an Azure Virtual Machine. First, you create an inbound Network Security Group (NSG) rule on the virtual machine to allow ICMP traffic. Then, you test reachability of the front-end of the load balancer from the virtual machine with ping or traceroute.

-This section describes testing reachability of a standard load balancer front-end from a Windows Virtual Machine on Azure.

-This section describes testing reachability of a standard load balancer front-end from a Linux Virtual Machine on Azure.

-### Test the load balancer's front-end

-Choose either ping or traceroute to test reachability of a standard public load balancer front-end from an Azure Virtual Machine.

-Follow these steps to test reachability of a standard public load balancer front-end using `ping` from a Windows virtual machine:

-Follow these steps to test reachability of a standard public load balancer front-end using `ping` from a Linux virtual machine:

-Follow these steps to test reachability of a standard public load balancer front-end using `tracert` from a Windows virtual machine:

-Follow these steps to test reachability of a standard public load balancer front-end using `traceroute` from a Linux virtual machine:

-Based on the current health probe state of your backend instances, you receive different replies when testing the Load BalancerΓÇÖs front-end with ping. Review the following scenarios for the expected reply:

-> Monitoring is currently in public preview. is currently in public preview. This preview is provided without a service-level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-| Tool name | Description | Environment | Package name |

-| [Index Lookup](./index-lookup-tool.md) | Search an Azure Machine Learning Vector Index for relevant results using one or more text queries. | Default | [promptflow-vectordb](https://pypi.org/project/promptflow-vectordb/) |

-| [Faiss Index Lookup](./faiss-index-lookup-tool.md) | Searches a vector-based query from the Faiss index file. | Default | [promptflow-vectordb](https://pypi.org/project/promptflow-vectordb/) |

-| [Vector DB Lookup](./vector-db-lookup-tool.md) | Searches a vector-based query from existing vector database. | Default | [promptflow-vectordb](https://pypi.org/project/promptflow-vectordb/) |

-| [Vector Index Lookup](./vector-index-lookup-tool.md) | Searches text or a vector-based query from Azure Machine Learning vector index. | Default | [promptflow-vectordb](https://pypi.org/project/promptflow-vectordb/) |

-The following table shows an index of custom tools created by the community to extend prompt flow's capabilities for specific use cases. They aren't officially maintained or endorsed by prompt flow team. For questions or issues when using a tool, please see the support contact provided in the description.

-| Tool name | Description | Environment | Package name |

-|--|--|-|--|

-| [Azure AI Language tools](https://microsoft.github.io/promptflow/integrations/tools/azure-ai-language-tool.html) | This collection of tools is a wrapper for various Azure AI Language APIs, which can help effectively understand and analyze documents and conversations. The capabilities currently supported include: Abstractive Summarization, Extractive Summarization, Conversation Summarization, Entity Recognition, Key Phrase Extraction, Language Detection, PII Entity Recognition, Conversational PII, Sentiment Analysis, Conversational Language Understanding, Translator. You can learn how to use them by the [Sample flows](https://github.com/microsoft/promptflow/tree/e4542f6ff5d223d9800a3687a7cfd62531a9607c/examples/flows/integrations/azure-ai-language). Support contact: taincidents@microsoft.com | Custom | [promptflow-azure-ai-language](https://pypi.org/project/promptflow-azure-ai-language/) |

-In this article, you learn how to configure and submit Azure Machine Learning jobs to train your models. Snippets of code explain the key parts of configuration and submission of a training script. Then use one of the [example notebooks](#notebook-examples) to find the full end-to-end working examples.

-All you need to do is define the environment for each compute target within a **script job configuration**. Then, when you want to run your training experiment on a different compute target, specify the job configuration for that compute.

-* The [Azure Machine Learning SDK for Python](/python/api/overview/azure/ml/install) (>= 1.13.0)

-* A compute target, `my_compute_target`. [Create a compute target](../how-to-create-attach-compute-studio.md)

-You submit your training experiment with a ScriptRunConfig object. This object includes the:

-1. Create an environment where the script will run

-You can either define your own environment, or use an Azure Machine Learning curated environment. [Curated environments](../how-to-use-environments.md#use-a-curated-environment) are predefined environments that are available in your workspace by default. These environments are backed by cached Docker images which reduce the job preparation cost. See [Azure Machine Learning Curated Environments](../resource-curated-environments.md) for the full list of available curated environments.

-If your compute target is your **local machine**, you are responsible for ensuring that all the necessary packages are available in the Python environment where the script runs. Use `python.user_managed_dependencies` to use your current Python environment (or the Python on the path you specify).

-Now that you have a compute target (`my_compute_target`, see [Prerequisites](#prerequisites) and environment (`myenv`, see [Create an environment](#create-an-environment)), create a script job configuration that runs your training script (`train.py`) located in your `project_folder` directory:

-# Set compute target

-# Skip this if you are running on your local computer

-script_run_config.run_config.target = my_compute_target

-If you do not specify an environment, a default environment will be created for you.

-If you have command-line arguments you want to pass to your training script, you can specify them via the **`arguments`** parameter of the ScriptRunConfig constructor, e.g. `arguments=['--arg1', arg1_val, '--arg2', arg2_val]`.

-If you want to override the default maximum time allowed for the job, you can do so via the **`max_run_duration_seconds`** parameter. The system will attempt to automatically cancel the job if it takes longer than this value.

-For more information and examples on running distributed Horovod, TensorFlow and PyTorch jobs, see:

-> When you submit the training job, a snapshot of the directory that contains your training scripts is created and sent to the compute target. It is also stored as part of the experiment in your workspace. If you change files and submit the job again, only the changed files will be uploaded.

-> Similarly, you can write any logs from your training job to the `./logs` folder. To utilize Azure Machine Learning's [TensorBoard integration](https://github.com/Azure/MachineLearningNotebooks/blob/master/how-to-use-azureml/track-and-monitor-experiments/tensorboard/export-run-history-to-tensorboard/export-run-history-to-tensorboard.ipynb) make sure you write your TensorBoard logs to this folder. While your job is in progress, you will be able to launch TensorBoard and stream these logs. Later, you will also be able to restore the logs from any of your previous jobs.

-* **AttributeError: 'RoundTripLoader' object has no attribute 'comment_handling'**: This error comes from the new version (v0.17.5) of `ruamel-yaml`, an `azureml-core` dependency, that introduces a breaking change to `azureml-core`. In order to fix this error, please uninstall `ruamel-yaml` by running `pip uninstall ruamel-yaml` and installing a different version of `ruamel-yaml`; the supported versions are v0.15.35 to v0.17.4 (inclusive). You can do this by running `pip install "ruamel-yaml>=0.15.35,<0.17.5"`.

- If you are running into this issue for local jobs, check the version of PyJWT installed in your environment where you are starting jobs. The supported versions of PyJWT are < 2.0.0. Uninstall PyJWT from the environment if the version is >= 2.0.0. You may check the version of PyJWT, uninstall and install the right version as follows:

- If you are submitting a user-created environment with your job, consider using the latest version of azureml-core in that environment. Versions >= 1.18.0 of azureml-core already pin PyJWT < 2.0.0. If you need to use a version of azureml-core < 1.18.0 in the environment you submit, make sure to specify PyJWT < 2.0.0 in your pip dependencies.

- * **ModuleErrors (No module named)**: If you are running into ModuleErrors while submitting experiments in Azure Machine Learning, the training script is expecting a package to be installed but it isn't added. Once you provide the package name, Azure Machine Learning installs the package in the environment used for your training job.

- If you are using Estimators to submit experiments, you can specify a package name via `pip_packages` or `conda_packages` parameter in the estimator based on from which source you want to install the package. You can also specify a yml file with all your dependencies using `conda_dependencies_file`or list all your pip requirements in a txt file using `pip_requirements_file` parameter. If you have your own Azure Machine Learning Environment object that you want to override the default image used by the estimator, you can specify that environment via the `environment` parameter of the estimator constructor.

- :::image type="content" source="media/azure-ad-group-sync/add-azure-ad-group.png" alt-text="Screenshot of the Azure portal. Adding a Microsoft Entra group to Grafana team.":::

-1. In the **Select** search box, enter a Microsoft Entra group name.

-1. Select the group name in the search result and **Select**.

- :::image type="content" source="media/azure-ad-group-sync/view-grafana-team.png" alt-text="Screenshot of the Azure portal. Viewing a Grafana team and Microsoft Entra group(s) linked to it.":::

-If you no longer need a Grafana team, follow these steps to delete it, which also removes the link to the Microsoft Entra group.

- :::image type="content" source="media/troubleshoot/troubleshoot-managed-identity.png" alt-text="Screenshot of the Azure platform: Turn on system-assigned managed identity." lightbox="media/troubleshoot/troubleshoot-managed-identity-expanded.png":::

- > [!NOTE]

- > The Availability Zones feature is currently in public preview. Availability Zones is available for an additional cost; however, you will not be charged while the feature is in preview. For more information, see [High availability for Azure Notification Hubs](./notification-hubs-high-availability.md).

-4. From the browser menu, select your Azure Database for PostgreSQL flexible server connection and click **Connect Server**

-5. Enter your Active Directory token password when prompted.

-1. To add an administrator - select **Add Microsoft Entra Admin** and select a user, group, application or a managed identity from the current Microsoft Entra tenant.

-Once first Microsoft Entra administrator is created from the Azure portal or API, you can use the administrator role to manage Microsoft Entra roles in your Azure Database for PostgreSQL flexible server instance.

-| `defaultLanguageCode` | A string indicating the language to return. The service returns recognition results in a specified language. If this parameter isn't specified, the default value is "en". <br/><br/>Supported languages include a subset of [generally available languages](../ai-services/computer-vision/language-support.md#image-analysis) of Azure AI Vision. When a language is newly introduced with general availability status into the AI Vision service, there is expected delay before they are fully integrated within this skill. |

-| `visualFeatures` | An array of strings indicating the visual feature types to return. Valid visual feature types include: <ul><li>*adult* - detects if the image is pornographic (depicts nudity or a sex act), gory (depicts extreme violence or blood) or suggestive (also known as racy content). </li><li>*brands* - detects various brands within an image, including the approximate location. </li><li> *categories* - categorizes image content according to a [taxonomy](../ai-services/Computer-vision/Category-Taxonomy.md) defined by Azure AI services. </li><li>*description* - describes the image content with a complete sentence in supported languages.</li><li>*faces* - detects if faces are present. If present, generates coordinates, gender and age. </li><li>*objects* - detects various objects within an image, including the approximate location. </li><li> *tags* - tags the image with a detailed list of words related to the image content.</li></ul> Names of visual features are case-sensitive. Both *color* and *imageType* visual features have been deprecated, but you can access this functionality through a [custom skill](./cognitive-search-custom-skill-interface.md). Refer to the [Azure AI Vision Image Analysis documentation](../ai-services/computer-vision/language-support.md#image-analysis) on which visual features are supported with each `defaultLanguageCode`.|

-| `defaultLanguageCode` | Language code of the input text. Supported languages include all of the [generally available languages](../ai-services/computer-vision/language-support.md#image-analysis) of Azure AI Vision. You can also specify `unk` (Unknown). </p>If the language code is unspecified or null, the language is set to English. If the language is explicitly set to `unk`, all languages found are auto-detected and returned.|

-+ Vector fields contain floating point values. The dimensions attribute has a minimum of 2 and a maximum of 2048 floating point values each. This quickstart sets the dimensions attribute to 1536 because that's the size of embeddings generated by the Open AI's **text-embedding-ada-002** model.

-* [Power Apps account](https://make.powerapps.com)

-* [Hotels-sample index](search-get-started-portal.md) hosted on your search service

-* [Query API key](search-security-api-keys.md#find-existing-keys)

- * For the URL, enter a sample query for your search index (`search=*` returns all documents, `$select=` lets you choose fields). The API version is required. Fully specified, a URL might look like this: `https://mydemo.search.windows.net/indexes/hotels-sample-index/docs?search=*&$select=HotelName,Description,Address/City&api-version=2020-06-30`

- * For Headers, type `Content-Type`. You'll set the value to `application/json` in a later step.

-1. Select **Import** to auto-fill the Request. Complete setting the parameter metadata by clicking the **...** symbol next to each of the parameters. Select **Back** to return to the Request page after each parameter update.

-1. For *api-version*: Set `2020-06-30` as the **default value**, set **required** to *True*, and set **visibility** as *internal*.

- - {name: api-version, in: query, required: true, type: string, default: '2020-06-30',

-1. Switch back to the wizard and return to the **3. Request** step. Scroll down to the Response section. Select **"Add default response"**. This step is critical because it helps Power Apps understand the schema of the response.

-You'll need a [query API key](search-security-api-keys.md#find-existing-keys) for this task. Each time a connection is created, whether for a test run or inclusion in an app, the connector needs the query API key used for connecting to Azure AI Search.

-1. Select **Edit** on the top right.

-1. Select **5. Test** to open the test page.

-1. In Test Operation, select **+ New Connection**.

-1. On the left, expand **Apps** > **+ New app** > **Canvas**.

- :::image type="content" source="./media/search-howto-powerapps/2-1-create-canvas.png" alt-text="Create canvas app" border="true":::

-1. Select the type of application. For this tutorial, create a **Blank App** with the **Phone Layout**. Give the app a name, such as "Hotel Finder". Select **Create**. The **Power Apps Studio** appears.

-1. In the studio, select the **Data Sources** tab, select **+ Add data**, and then find the new Connector you have just created. In this tutorial, it's called *AzureSearchQuery*. Select **Add a connection**.

-If you're using a free service, remember that you're limited to three indexes, indexers, and data sources. You can delete individual items in the portal to stay under the limit.

-The Azure portal shows basic metrics about query latency, query load (QPS), and throttling. Historical data that feeds into these metrics can be accessed in the portal for 30 days. For longer retention, or to report on operational data and query strings, you must enable a [diagnostic setting](monitor-azure-cognitive-search.md) that specifies a storage option for persisting logged operations and metrics.

-+ Use a single replica and partition, if possible, to create a contained and isolated environment. If you use multiple replicas, query metrics are averaged across multiple nodes, which can lower the precision of results. Similarly, multiple partitions mean that data is divided, with the potential that some partitions might have different data if indexing is also underway. When tuning query performance, a single node and partition gives a more stable environment for testing.

-It's common for queries to execute in milliseconds, so only queries that measure as seconds will appear in metrics.

-Throttled queries refers to queries that are dropped instead of process. In most cases, throttling is a normal part of running the service. It is not necessarily an indication that there is something wrong.

-Throttling occurs when the number of requests currently processed exceed the available resources. You might see an increase in throttled requests when a replica is taken out of rotation or during indexing. Both query and indexing requests are handled by the same set of resources.

-Depending on your client, a throttled request can be indicated in these ways:

-+ A service returns an error "You are sending too many requests. Please try again later."

-+ If you are using the portal (for example, Search Explorer), the query is dropped silently and you will need to click Search again.

-To confirm throttled queries, use **Throttled search queries** metric. You can explore metrics in the portal or create an alert metric as described in this article. For queries that were dropped within the sampling interval, use *Total* to get the percentage of queries that did not execute.

-In the following screenshot, the first number is the count (or number of metrics sent to the log). Additional aggregations, which appear at the top or when hovering over the metric, include average, maximum, and total. In this sample, no requests were dropped.

-2. Under Metric, choose one from the dropdown list and review the list of available aggregations for a preferred type. The aggregation defines how the collected values will be sampled over each time interval.

-5. Layer additional aggregations by choosing **Add metric** and selecting different aggregations.

-6. Zoom into an area of interest on the line chart. Put the mouse pointer at the beginning of the area, click and hold the left mouse button, drag to the other side of area, and release the button. The chart will zoom in on that time range.

-When you enable resource logging, the system captures query requests in the **AzureDiagnostics** table. As a prerequisite, you must have already enabled [resource logging](monitor-azure-cognitive-search.md), specifying a log analytics workspace or another storage option.

-1. Run the following expression to search Query.Search operations, returning a tabular result set consisting of the operation name, query string, the index queried, and the number of documents found. The last two statements exclude query strings consisting of an empty or unspecified search, over a sample index, which cuts down the noise in your results.

- | where Query_s != "?api-version=2020-06-30&search=*"

-1. Optionally, set a Column filter on *Query_s* to search over a specific syntax or string. For example, you could filter over *is equal to* `?api-version=2020-06-30&search=*&%24filter=HotelName`).

-A metric alert establishes a threshold at which you will either receive a notification or trigger a corrective action that you define in advance.

-For a search service, it's common to create a metric alert for search latency and throttled queries. If you know when queries are dropped, you can look for remedies that reduce load or increase capacity. For example, if throttled queries increase during indexing, you could postpone it until query activity subsides.

-When pushing the limits of a particular replica-partition configuration, setting up alerts for query volume thresholds (QPS) is also helpful.

-1. Under the Monitoring section, select **Alerts** and then click **+ New alert rule**. Make sure your search service is selected as the resource.

-1. Under Condition, click **Add**.

- 

- 

-If you specified an email notification, you will receive an email from "Microsoft Azure" with a subject line of "Azure: Activated Severity: 3 `<your rule name>`".

-The solution is to invoke an analyzer during indexing that preserves a complete string, including spaces and special characters if necessary, so that you can include the spaces and characters in your query string. Having a whole, un-tokenized string enables pattern matching for "starts with" or "ends with" queries, where the pattern you provide can be evaluated against a term that isn't transformed by lexical analysis.

-Azure AI Search scans for whole tokenized terms in the index and won't find a match on a partial term unless you include wildcard placeholder operators (`*` and `?`) , or format the query as a regular expression.

-You must have a populated index to work with. Given an existing index and a field containing dashes or partial terms, you can try various analyzers over specific terms to see what tokens are emitted.

-Once you've defined an index with analyzers and field definitions that support your scenario, load documents that have representative strings so that you can test partial string queries.

-The following example adds an [EdgeNGramTokenFilter](https://lucene.apache.org/core/6_6_1/analyzers-common/org/apache/lucene/analysis/ngram/EdgeNGramTokenizer.html) to make prefix matches faster. More tokens are generated for in 2-25 character combinations that include characters: (not only MS, MSF, MSFT, MSFT/, MSFT/S, MSFT/SQ, MSFT/SQL).

-As you can imagine, the extra tokenization results in a larger index. If you have sufficient capacity to accommodate the larger index, this approach with its faster response time might be a better solution.

-This article explains how analyzers both contribute to query problems and solve query problems. As a next step, take a closer look at analyzer impact on indexing and query processing. In particular, consider using the Analyze Text API to return tokenized output so that you can see exactly what an analyzer is creating for your index.

-+ [Analyze Text API (REST)](/rest/api/searchservice/test-analyzer)

-This article describes several approaches for chunking large documents so that you can generate embeddings for vector search. Chunking is only required if source documents are too large for the maximum input size imposed by models.

-> [!NOTE]

-> This article applies to the generally available version of [vector search](vector-search-overview.md), which assumes your application code calls an external library that performs data chunking. A new feature called [integrated vectorization](vector-search-integrated-vectorization.md), currently in preview, offers embedded data chunking. Integrated vectorization takes a dependency on indexers, skillsets, and the Text Split skill.

-## Why is chunking important?

-The models used to generate embedding vectors have maximum limits on the text fragments provided as input. For example, the maximum length of input text for the [Azure OpenAI](/azure/ai-services/openai/how-to/embeddings) embedding models is 8,191 tokens. Given that each token is around 4 characters of text for common OpenAI models, this maximum limit is equivalent to around 6000 words of text. If you're using these models to generate embeddings, it's critical that the input text stays under the limit. Partitioning your content into chunks ensures that your data can be processed by the Large Language Models (LLM) used for indexing and queries.

-## How chunking fits into the workflow

-Because there isn't a native chunking capability in either Azure AI Search or Azure OpenAI, if you have large documents, you must insert a chunking step into indexing and query workflows that breaks up large text. Some libraries that provide chunking include:

-+ [LangChain](https://python.langchain.com/en/latest/https://docsupdatetracker.net/index.html)

-+ [Semantic Kernel](https://github.com/microsoft/semantic-kernel)

-Both libraries support common chunking techniques for fixed size, variable size, or a combination. You can also specify an overlap percentage that duplicates a small amount of content in each chunk for context preservation.

-### Common chunking techniques

-## Simple example of how to create chunks with sentences

-This section uses an example to demonstrate the logic of creating chunks out of sentences. For this example, assume the following:

-+ Tokens are equal to words.

-+ Input = `text_to_chunk(string)`

-+ Output = `sentences(list[string])`

-### Sample input

-`"Barcelona is a city in Spain. It is close to the sea and /n the mountains. /n You can both ski in winter and swim in summer."`

-+ Sentence 1 contains 6 words: `"Barcelona is a city in Spain."`

-+ Sentence 2 contains 9 words: `"It is close to the sea /n and the mountains. /n"`

-+ Sentence 3 contains 10 words: `"You can both ski in winter and swim in summer."`

-### Approach 1: Sentence chunking with "no overlap"

-Given a maximum number of tokens, iterate through the sentences and concatenate sentences until the maximum token length is reached. If a sentence is bigger than the maximum number of chunks, truncate to a maximum number of tokens, and put the rest in the next chunk.

-> [!NOTE]

-> The examples ignore the newline `/n` character because it's not a token, but if the package or library detects new lines, then you'd see those line breaks here.

-**Example: maximum tokens = 10**

-```

-Barcelona is a city in Spain.

-It is close to the sea /n and the mountains. /n

-You can both ski in winter and swim in summer.

-```

-**Example: maximum tokens = 16**

-```

-Barcelona is a city in Spain. It is close to the sea /n and the mountains. /n

-You can both ski in winter and swim in summer.

-```

-**Example: maximum tokens = 6**

-Barcelona is a city in Spain.

-It is close to the sea /n

-and the mountains. /n

-You can both ski in winter

-and swim in summer.

-### Approach 2: Sentence chunking with "10% overlap"

-Follow the same logic with no overlap approach, except that you create an overlap between chunks according to certain ratio.

-A 10% overlap on maximum tokens of 10 is one token.

-**Example: maximum tokens = 10**

-```

-Barcelona is a city in Spain.

-Spain. It is close to the sea /n and the mountains. /n

-mountains. /n You can both ski in winter and swim in summer.

-## Try it out: Chunking and vector embedding generation sample

-A [fixed-sized chunking and embedding generation sample](https://github.com/Azure-Samples/azure-search-power-skills/blob/main/Vector/EmbeddingGenerator/README.md) demonstrates both chunking and vector embedding generation using [Azure OpenAI](/azure/ai-services/openai/) embedding models. This sample uses an [Azure AI Search custom skill](cognitive-search-custom-skill-web-api.md) in the [Power Skills repo](https://github.com/Azure-Samples/azure-search-power-skills/tree/main#readme) to wrap the chunking step.

-This sample is built on LangChain, Azure OpenAI, and Azure AI Search.

-+ [Learn how to generate embeddings](/azure/ai-services/openai/how-to/embeddings?tabs=console)

-+ [Tutorial: Explore Azure OpenAI Service embeddings and document search](/azure/ai-services/openai/tutorials/embeddings?tabs=command-line)

-+ You should know the dimensions limit of the model used to create the embeddings and how similarity is computed. In Azure OpenAI, for **text-embedding-ada-002**, the length of the numerical vector is 1536. Similarity is computed using `cosine`.

-Dimension attributes have a minimum of 2 and a maximum of 2048 dimensions per vector field.

-> |--|-||-|--|

-> | Australia Central | Central US | Italy North | Poland Central | UK South |

-> | Australia East | East Asia | Japan West | South Central US | UK West |

-> | Australia Southeast | East US | Malaysia South | South India | West Central US |

-> | Brazil Southeast | East US 2 EUAP | Mexico Central | Spain Central | West Europe |

-> | Canada Central | France Central | North Central US | Switzerland North | West US |

-> | Canada East | Germany West Central | North Europe | Switzerland West | West US 3 |

-> | Central India | Israel Central | Norway East | UAE North | |

- B. The [sample ARM deployment template](https://github.com/Azure-Samples/service-fabric-cluster-templates/tree/master/SF-Managed-Standard-SKU-2-NT-AppGateway) adds a role assignment to the application gateway with contributor access. For more information on Azure roles, see [Azure built-in roles - Azure RBAC](../role-based-access-control/built-in-roles.md#all). This role assignment is defined in the resources section of template with PrincipalId and a role definition ID determined from the first step.

-Service Fabric managed cluster supports Azure DDoS Network Protection and allows you to associate your VMSS with [Azure DDoS Network Protection Plan](../ddos-protection/ddos-protection-sku-comparison.md). The plan is created by the customer, and they pass the resource id of the plan in managed cluster arm template.

- B. The [sample ARM deployment template](https://github.com/Azure-Samples/service-fabric-cluster-templates/tree/master/SF-Managed-Standard-SKU-1-NT-DDoSNwProtection) adds a role assignment to the DDoS Protection Plan with contributor access. For more information on Azure roles, see [Azure built-in roles - Azure RBAC](../role-based-access-control/built-in-roles.md#all). This role assignment is defined in the resources section of template with PrincipalId and a role definition ID determined from the first step.

-3. The [sample ARM deployment template for Dedicated Host Group](https://github.com/Azure-Samples/service-fabric-cluster-templates/tree/master/SF-Managed-Standard-SKU-2-NT-ADH) used in the previous step also adds a role assignment to the host group with contributor access. For more information on Azure roles, see [Azure built-in roles - Azure RBAC](../role-based-access-control/built-in-roles.md#all). This role assignment is defined in the resources section of template with Principal ID determined from the first step and a role definition ID.

-List pricing information here.

-To read a blob that is in the archive tier, you must first rehydrate the blob to an online tier (hot or cool) tier. You can rehydrate a blob in one of two ways:

-1. Save the new file as *blob-quickstart.py* in the *blob-quickstart* directory.

-Navigate to the directory containing the *blob-quickstart.py* file, then execute the following `python` command to run the app:

-python blob-quickstart.py

-You can move any version of a block blob, including the current version, to a different blob access tier by calling the [Set Blob Tier](/rest/api/storageservices/set-blob-tier) operation. You can take advantage of lower capacity pricing by moving older versions of a blob to the cool or archive tier. For more information, see [Hot, Cool, and Archive access tiers for blob data](access-tiers-overview.md).

-Blob versions, like blob snapshots, are billed at the same rate as active data. How versions are billed depends on whether you have explicitly set the tier for the current or previous versions of a blob (or snapshots). For more information about blob tiers, see [Hot, Cool, and Archive access tiers for blob data](access-tiers-overview.md).

-Update /etc/iscsi/iscsid.conf file with the following values:

-<YourStorageAccountName>.file.core.windows.net:/<YourStorageAccountName>/<FileShareName> /media/<YourStorageAccountName>/<FileShareName> nfs _netdev,nofail,vers=4,minorversion=1,sec=sys 0 0

-||||

-|Azure Synapse dedicated SQL pool|[Queries failing with Data Exfiltration Error](#queries-failing-with-data-exfiltration-error)|Has Workaround|

-|Azure Synapse dedicated SQL pool|[UPDATE STATISTICS statement fails with error: "The provided statistics stream is corrupt."](#update-statistics-failure)|Has Workaround|

-## Azure Synapse Analytics serverless SQL pool active known issues summary

-### Query failures from serverless SQL pool to Azure Cosmos DB analytical store

-Queries from a serverless SQL pool to Azure Cosmos DB analytical store might fail with one of the following error messages:

-The following conditions must be true to confirm this issue:

-1) The connection to Azure Cosmos DB analytical store uses a private endpoint.

-2) Retrying the query succeeds.

-**Workaround**: The engineering team is aware of this behavior and following actions can be taken as quick mitigation:

-1) Retry the failed query. It will automatically refresh the expired token.

-2) Disable the private endpoint. Before applying this change, confirm with your security team that it meets your company security policies.

-### Azure Cosmos DB analytical store view propagates wrong attributes in the column

-While using views in Azure Synapse serverless pool over Cosmos DB analytical store, if there is a change on files in the Cosmos DB analytical store, the change does not get propagated correctly to the SELECT statements, the customer is using on the view. As a result, the attributes get incorrectly mapped to a different column in the results.

-**Workaround**: The engineering team is aware of this behavior and following actions can be taken as quick mitigation:

-1) Recreate the view by renaming the columns.

-2) Avoid using views if possible.

-### Alter database-scoped credential fails if credential has been used

-Sometimes you might not be able to execute the `ALTER DATABASE SCOPED CREDENTIAL` query. The root cause of this issue is the credential was cached after its first use making it inaccessible for alteration. The error returned in such case is following:

-**Workaround**: The engineering team is currently aware of this behavior and is working on a fix. As a workaround you can DROP and CREATE the credentials, which would also mean recreating external tables using the credentials. Alternatively, you can engage Microsoft Support Team for assistance.

-### Query failures in serverless SQL pools

-Token expiration can lead to errors during their query execution, despite having the necessary permissions for the user over the storage. These error messages can also occur due to common user errors, such as when role-based access control (RBAC) roles are not assigned to the storage account.

-Example error messages:

-**Workaround**:

-The resolution is different depending on the authentication, [Microsoft Entra (formerly Azure Active Directory)](security/synapse-workspace-access-control-overview.md) or [managed service identity (MSI)](synapse-service-identity.md):

-For Microsoft Entra token expiration:

-For MSI token expiration:

-## Azure Synapse Analytics dedicated SQL pool active known issues summary

-|Install update on Azure VMs |Microsoft.Compute/virtualMachines/installPatches/action ||

-|Install update on Azure Arc-enabled server |Microsoft.HybridCompute/machines/installPatches/action ||

-To review the logs related to all actions performed by the extension, check for more information in `/var/log/azure/Microsoft.CPlat.Core.Edp.LinuxPatchExtension/`. It includes the following two log files of interest:

-| Public | 1.2.4487 | [Microsoft Store](https://aka.ms/AVDStoreClient) |

-| Insider | 1.2.4577 | Download the public release, then [Enable Insider releases](users/client-features-windows-azure-virtual-desktop-app.md#enable-insider-releases) and check for updates. |

-## Updates for version 1.2.4577 (Insider)

-*Published: August 29, 2023*

-> 3. Schedules triggered on machines deleted and recreated with the same resource ID within 8 hours may fail with ShutdownOrUnresponsive error due to a known limitation. It will be resolved by December, 2023.

-az vm update -g myResourceGroup -n myVmName --license-type UBUNTU_PRO

-A virtual network gateway VPN is limited to 30 tunnels. For connections, you should use Virtual WAN for large-scale VPN. You can connect up to 1,000 branch connections per virtual hub with aggregate of 20 Gbps per hub. A connection is an active-active tunnel from the on-premises VPN device to the virtual hub. You can also have multiple virtual hubs per region, which means you can connect more than 1,000 branches to a single Azure Region by deploying multiple Virtual WAN hubs in that Azure Region, each with its own site-to-site VPN gateway.

- * [Certificate authentication](point-to-site-vpn-client-cert-windows.md#download-the-azure-vpn-client)

-The steps in this article require you to modify and import the Azure VPN Client profile configuration file. To work with VPN client profile configuration files (xml files), do the following:

-1. Using the examples in the sections below, modify the file as necessary, then save your changes.

-* **OpenVPN&reg; Protocol**, an SSL/TLS based VPN protocol. An SSL VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which SSL uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux and Mac devices (macOS versions 10.13 and above).

-There may be cases when you want to support more than 128 concurrent P2S connection to a VPN gateway but are using SSTP. In such a case, you need to move to IKEv2 or OpenVPN protocol.

-Once the gateway has been configured, existing clients won't be able to connect until you [deploy and configure the OpenVPN clients](point-to-site-vpn-client-cert-windows.md#view-openvpn).

-If you're using Windows 10 or later, you can also use the [Azure VPN Client](point-to-site-vpn-client-cert-windows.md#azurevpn).

- * **IKEv2 and SSTP - native VPN client steps** - If your P2S VPN gateway is configured to use IKEv2/SSTP and certificate authentication, you can connect to your VNet using the native VPN client that's part of your Windows operating system. This configuration doesn't require additional client software. For steps, see [IKEv2 and SSTP - native VPN client](point-to-site-vpn-client-certificate-windows-native.md).

- * **OpenVPN** - If your P2S VPN gateway is configured to use an OpenVPN tunnel and certificate authentication, you have the option of using either the [Azure VPN Client](#openvpn), or the [OpenVPN client](#azurevpn) steps in this article.

-* [IKEv2 and SSTP - native VPN client steps](point-to-site-vpn-client-certificate-windows-native.md)

-* [OpenVPN - OpenVPN client steps](#openvpn)

-* [OpenVPN - Azure VPN Client steps](#azurevpn)

-## <a name="azurevpn"></a>Azure VPN Client steps - OpenVPN

-If your P2S VPN gateway is configured to use an OpenVPN tunnel type and certificate authentication, you can connect using the Azure VPN Client.

-The following steps help you download, install, and configure the Azure VPN Client to connect to your VNet. Note that these steps apply to certificate authentication. If you're using OpenVPN with Microsoft Entra authentication, see the [Microsoft Entra ID](openvpn-azure-ad-client.md) configuration article instead.

-To connect, each client computer requires the following items:

-* The Azure VPN Client software must be installed on each client computer that you want to connect.

-* The Azure VPN Client profile must be configured using the downloaded **azurevpnconfig.xml** configuration file.

-* The client computer must have a client certificate that's installed locally.

-### <a name="view-azurevpn"></a>View configuration files

-When you open the zip file, you'll see the **AzureVPN** folder. Locate the **azurevpnconfig.xml** file. This file contains the settings you use to configure the VPN client profile.

-If you don't see the file, verify the following items:

-* Verify that your VPN gateway is configured to use the OpenVPN tunnel type.

-* If you're using Microsoft Entra authentication, you might not have an AzureVPN folder. See the [Microsoft Entra ID](openvpn-azure-ad-client.md) configuration article instead.

-### Download the Azure VPN Client

-### Configure the VPN client profile

-1. Open the Azure VPN Client.

-1. Click **+** on the bottom left of the page, then select **Import**.

-1. In the window, navigate to the **azurevpnconfig.xml** file, select it, then click **Open**.

-1. From the **Certificate Information** dropdown, select the name of the child certificate (the client certificate). For example, **P2SChildCert**. You can also (optionally) select a [Secondary Profile](#secondary-profile).

- :::image type="content" source="./media/point-to-site-vpn-client-cert-windows/configure-certificate.png" alt-text="Screenshot showing Azure VPN client profile configuration page." lightbox="./media/point-to-site-vpn-client-cert-windows/configure-certificate.png":::

- If you don't see a client certificate in the **Certificate Information** dropdown, you'll need to cancel and fix the issue before proceeding. It's possible that one of the following things is true:

- * The client certificate isn't installed locally on the client computer.

- * There are multiple certificates with exactly the same name installed on your local computer (common in test environments).

- * The child certificate is corrupt.

-1. After the import validates (imports with no errors), click **Save**.

-1. In the left pane, locate the **VPN connection**, then click **Connect**.

-### Optional settings for the Azure VPN Client

-The following sections discuss additional optional configuration settings that are available for the Azure VPN Client.

-#### Secondary Profile

-#### Custom settings: DNS and routing

-You can configure the Azure VPN Client with optional configuration settings such as additional DNS servers, custom DNS, forced tunneling, custom routes, and other additional settings. For a description of the available settings and configuration steps, see [Azure VPN Client optional settings](azure-vpn-client-optional-configurations.md).

-## <a name="openvpn"></a>OpenVPN Client steps - OpenVPN

-If your P2S VPN gateway is configured to use an OpenVPN tunnel type and certificate authentication, you can connect using an OpenVPN client. The following steps help you configure the **OpenVPN &reg; Protocol** client and connect to your VNet.

-### <a name="view-openvpn"></a>View configuration files

-When you open the VPN client configuration package zip file, you should see an OpenVPN folder. If you don't see the folder, verify the following items:

-* Verify that your VPN gateway is configured to use the OpenVPN tunnel type.

-* If you're using Microsoft Entra authentication, you might not have an OpenVPN folder. See the [Microsoft Entra ID](openvpn-azure-ad-client.md) configuration article instead.

-| SOME_NAME | Request body JSON args name Equals SOME_NAME |