-|tag|urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:tag|extensionAttribute1|

-| Azure AD user | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User |

-| Azure AD group | urn:ietf:params:scim:schemas:core:2.0:Group |

-> logging.info("No suitable token exists in cache. Let's get a new one from AAD.")

-> > [!div class="nextstepaction"]

-> > [Make this change for me]()

-> ## Quickstart: Acquire a token and call the Microsoft Graph API from a Windows desktop application

-The state parameter can also be used to encode information of the app's state before redirect. You can pass the user's state in the app, such as the page or view they were on, as input to this parameter. The MSAL.js library allows you to pass your custom state as state parameter in the `Request` object:

-// Request type

-export type AuthenticationParameters = {

- scopes?: Array<string>;

- extraScopesToConsent?: Array<string>;

- prompt?: string;

- extraQueryParameters?: QPDict;

- claimsRequest?: string;

- authority?: string;

- state?: string;

- correlationId?: string;

- account?: Account;

- sid?: string;

- loginHint?: string;

- forceRefresh?: boolean;

-};

-```

-> [!Note]

-> If you would like to skip a cached token and go to the server, please pass in the boolean `forceRefresh` into the AuthenticationParameters object used to make a login/token request.

-> `forceRefresh` should not be used by default, because of the performance impact on your application.

-> Relying on the cache will give your users a better experience.

-> Skipping the cache should only be used in scenarios where you know the currently cached data does not have up-to-date information.

-> Such as an Admin tool that adds roles to a user that needs to get a new token with updated roles.

-For example:

-```javascript

- scopes: ["user.read", "user.write"],

-myMSALObj.loginPopup(loginRequest);

-The passed in state is appended to the unique GUID set by MSAL.js when sending the request. When the response is returned, MSAL.js checks for a state match and then returns the custom passed in state in the `Response` object as `accountState`.

-```javascript

-export type AuthResponse = {

- uniqueId: string;

- tenantId: string;

- tokenType: string;

- idToken: IdToken;

- accessToken: string;

- scopes: Array<string>;

- expiresOn: Date;

- account: Account;

- accountState: string;

-};

-```

-To learn more, read about [building a single-page application (SPA)](scenario-spa-overview.md) using MSAL.js.

- // There is no mitigation - if MFA is configured for your tenant and AAD decides to enforce it,

- // Explanation: the library was unable to query the current Windows logged-in user or this user is not AD or AAD

- // AAD ("federated" users) can benefit from this non-interactive method of authentication.

- // No token found in the cache or AAD insists that a form interactive auth is required (e.g. the tenant admin turned on MFA)

-> logging.info("No suitable token exists in cache. Let's get a new one from AAD.")

- logging.info("No suitable token exists in cache. Let's get a new one from AAD.")

- "secret": "The secret generated by AAD during your confidential app registration",

- "thumbprint": "790E... The thumbprint generated by AAD when you upload your public cert",

-> > [!div class="alert alert-info"]

-> > [Tutorial: Sign in users and call Microsoft Graph](./tutorial-v2-javascript-auth-code.md)

-> > [ASP.NET Core web app tutorials on GitHub](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/)

-> > [Adding Auth to an existing web app - GitHub code sample >](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-node-samples/auth-code)

-# Create a security plan for external access

-Before you create an external-access security plan, ensure the following conditions are met.

-* [Determine your security posture for external access](1-secure-access-posture.md)

-* Applications and resources to be grouped for access

- * Device state, sign-in location, client application requirements, and user risk

-* Policies that determine when to review and remove access

-* User populations to be grouped for a similar experience

-After you document the information, use Microsoft identity and access management policies, or another identity provider (IdP) to implement the plan.

-## Resources to be grouped for access

-To group resources for access:

-* Microsoft Teams groups files, conversation threads, and other resources. Formulate an external access strategy for Microsoft Teams.

- * See, [Secure external access to Microsoft Teams, SharePoint, and OneDrive for Business](9-secure-access-teams-sharepoint.md)

-* Use entitlement management access packages to create and delegate management of packages of applications, groups, teams, SharePoint sites, etc.

-* Use Cross Tenant Access Settings Inbound Access to define access for application groups of external users

-Document the applications to be grouped. Considerations include:

-* **Risk profile** - Assess the risk if a bad actor gains access to an application.

- * Identify application as high, medium, or low risk. Avoid grouping high-risk with low-risk.

-* **Compliance frameworks** - Determine compliance frameworks for apps

-* **Applications for roles or departments** - Assess applications to be grouped for a role or department access

-* **Collaboration applications** - Identify collaboration applications external users can access, such as Teams and SharePoint

-For application and resource group access by external users, document the following information:

-* Application and resource owners and contact information

-* Access is controlled by IT, or delegated to a business owner

-* Cadence for reviews, by whom, and where it's documented

-* **High** - External users always use MFA

-| Identity protection is high risk| Require user to change password |

-To use device state as policy input, the device is registered or joined to your tenant. Configure cross-tenant access settings must be configured to trust the device claims from the home tenant. See, [Modify inbound access settings](../external-identities/cross-tenant-access-settings-b2b-collaboration.md#modify-inbound-access-settings).

-You can use identity-protection risk policies. However, mitigate issue in the user home tenant. See, [Common Conditional Access policy: Sign-in risk-based multifactor authentication](../conditional-access/howto-conditional-access-policy-risk.md).

-For network locations, you can restrict access to IP addresses ranges you own. Use this method if external partners access applications while at your location. See, [Conditional Access: Block access by location](../conditional-access/howto-conditional-access-policy-location.md)

-Your policies will be customized, however consider the following parameters:

-* **Microsoft 365 groups**:

-Some features, for example entitlement management, are available with an Azure AD Premium 2 (P2) license. Microsoft 365 E5 and Office 365 E5 licenses include Azure AD P2 licenses.

-Other combinations of Microsoft 365, Office 365, and Azure AD have functionality to manage external users. See, [Microsoft 365 guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).

-Entries in bold are recommended.

-Entries in bold are recommended.

-Use entitlement management to provision and deprovision access to groups and teams, applications, and SharePoint sites. Define the connected organizations allowed access, self-service requests, and approval workflows. To ensure access ends correctly, define expiration policies and access reviews for packages.

-Items in bold are recommended.

-* [Secure external access to Microsoft Teams, SharePoint, and OneDrive for Business](9-secure-access-teams-sharepoint.md)

-description: Move to governed collaboration with Azure Ad B2B collaboration.

-# Transition to governed collaboration with Azure Active Directory B2B collaboration

-Understanding collaboration helps secure external access to your resources. We recommend you read the following articles, first:

-Use the information in this article to move external collaboration into Azure Active Directory B2B (Azure AD B2B) collaboration.

-* Learn about: [External Identities in Azure Active Directory](../external-identities/external-identities-overview.md)

-You can limit the organizations your users collaborate with (inbound and outbound), and who in your organization can invite guests. Most organizations permit business units to decide collaboration, and delegate approval and oversight. For example, organizations in government, education, and financial often don't permit open collaboration. You can use Azure AD features to control collaboration.

-You can control access your tenant, by deploying one or more of the following solutions:

-Document the organizations you collaborate with, and organization users' domains, if needed. Domain-based restrictions might be impractical. One collaboration partner can have multiple domains, and a partner can add domains. For example, a partner with multiple business units, with separate domains, and add more domains as they configure synchronization.

-If your users use Azure AD B2B, you can discover the external Azure AD tenants they're collaborating, with via the sign-in logs, PowerShell, or a workbook. Learn more:

-Limits to one domain can prevent authorized collaboration with organizations that have other unrelated domains. For example, the initial point of contact with Contoso might be a US-based employee with email that has a .com domain. However if you allow only the com domain. you can omit Canadian employees who have the ca domain.

-You can allow specific collaboration partners for a subset of users. For example, a university restricts student accounts from accessing external tenants, but allows faculty to collaborate with external organizations.

-### Allowlist and blocklist with External Collaboration Settings

-You can use an allowlist or blocklist to from specific organizations. You can use only an allow or a blocklist, not both.

-* **Allowlist** - Limit collaboration to a list of domains. All other domains are on the blocklist.

-* **Blocklist** - Allow collaboration with domains not on the blocklist

-> These lists don't apply to users in your directory. By default, they don't apply to OneDrive for Business and SharePoint allowlist or blocklists. These lists are separate, but you can enable [SharePoint-OneDrive B2B integration](/sharepoint/sharepoint-azureb2b-integration).

-Some organizations have a blocklist of bad-actor domains from a managed security provider. For example, if the organization does business with Contoso and uses a com domain, an unrelated organization can use the org domain, and attempt a phishing attack.

-### Cross Tenant Access Settings

-You can control inbound and outbound access using Cross Tenant Access Settings. In addition, you can trust multi-factor authentication (MFA), a compliant device, and hybrid Azure Active Directory joined device (HAADJ) claims from external Azure AD tenants. When you configure an organizational policy, it applies to the Azure AD tenant and covers users in that tenant, regardless of domain suffix.

-You can enable collaboration across Microsoft clouds such as Microsoft Azure operated by 21Vianet (Azure China) or Microsoft Azure Government. Determine if your collaboration partners reside in a different Microsoft cloud. Learn more: [Configure Microsoft cloud settings for B2B collaboration (Preview)](../external-identities/cross-cloud-settings.md).

-You can allow inbound access to specific tenants (allowlist), and set the default policy to block access. You then create organizational policies that allow access by user, group, or application.

-You can block access to tenants (blocklist). Set the default policy to Allow and then create organizational policies that block access to some tenants.

-> Cross Tenant Access Settings Inbound Access does not prevent invitations from being sent or redeemed. However, it does control applications access and whether a token is issued to the guest user. If the guest can redeem an invitation, policy blocks application access.

-> Cross Tenant Access Settings apply to Azure AD tenants. To control access for partners not using Azure AD, use External Collaboration Settings.

-### Entitlement Management and Connected Organizations

-Use Entitlement Management to ensure automatic guest-lifecycle governance. Create Access Packages and publish them to external users or to Connected Organizations, which support Azure AD tenants and other domains. When you create an Access Package restrict access to specific Connected Organizations.

-* [Azure Active Directory B2B collaboration invitation redemption](../external-identities/redemption-experience.md)

-When you enable Azure AD B2B, you can invite guest users with links and email invitations. Self service sign-up, and publishing Access Packages to the My Access portal, require more configuration.

-> Self service sign-up enforces no allowlist or blocklist in External Collaboration Settings. Use Cross Tenant Access Settings. You can integrate allowlists and blocklists with self service sign-up using custom API connectors. See, [Add an API connector to a user flow](../external-identities/self-service-sign-up-add-api-connector.md).

-* If security requirements permit, allow all UserType of Member to invite guests

-* Determine if UserType of Guest, the default Azure AD B2B user account, can invite guests

-### External users information

-Invited guest users from a collaboration partner can have trouble redeeming an invitation.

-* The user isn't in partner Azure AD tenant. For example, users at contoso.com are in Active Directory.

- * They can redeem invitations with the email one-time password (OTP).

-## External users access

-Generally, there are resources you can share with external users, and some you can't. You can control what external users access. See, [Manage external access with Entitlement Management](6-secure-access-entitlement-managment.md).

- 

-We recommend the following guest-user restrictions.

- * Use the external collaboration settings to restrict guests from reading groups they aren't members of

- * Create a Conditional Access policy with All guest and external users. Implement a policy to block access.

-* Vendors: **v-**

-* Partners: **p-**

-* Contractors: **c-**

-Evaluate external users with member accounts to determine access. You might have guest users not invited through Entitlement Management or Azure AD B2B

-## Transition current external users to B2B

-* Guest users in Access Packages and Access Reviews

-* External access to Teams, SharePoint, and other resources

-You can transition these internal users while maintaining current access, UPN, and group memberships. See [Invite external users to B2B collaboration](../external-identities/invite-internal-users.md).

-Sharing through SharePoint and OneDrive adds users not in the Entitlement Management process.

-### Documents in email

-Users send documents to external users by email. You can use sensitivity labels to restrict and encrypt access to documents. See, [Learn about sensitivity labels](/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide&preserve-view=true).

-Your users likely use Google Docs, DropBox, Slack, or Zoom. You can block use of these tools from a corporate network, at the firewall level, and with mobile application management for organization-managed devices. However, this action blocks sanctioned instances and doesn't block access from unmanaged devices. Block tools you donΓÇÖt want, and create policies for no unsanctioned usage.

-* On-premises workloads have been replaced with cloud alternatives such as Windows Virtual Desktop, Azure Files, or Google Cloud Print. Azure SQL Managed Instance replaces SQL Server.

-This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in [Archive for What's new in Azure Active Directory](whats-new-archive.md).

-### Public Preview - Devices Blade Self-Help Capability for Pending Devices

-In the **All Devices** blade under the registered column, you can now select any pending devices you have, and it will open a context pane to help troubleshoot why the device may be pending. You can also offer feedback on if the summarized information is helpful or not. For more information, see: [Pending devices in Azure Active Directory](/troubleshoot/azure/active-directory/pending-devices).

-In the January 2023 release of Authenticator for iOS, there will be no companion app for watchOS due to it being incompatible with Authenticator security features. This means you won't be able to install or use Authenticator on Apple Watch. This change only impacts Apple Watch, so you'll still be able to use Authenticator on your other devices. For more information, see: [Common questions about the Microsoft Authenticator app](https://support.microsoft.com/account-billing/common-questions-about-the-microsoft-authenticator-app-12d283d1-bcef-4875-9ae5-ac360e2945dd).

-For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest

-Try out the new guided experience for syncing objects from AD to Azure AD using Azure AD Cloud Sync in Azure Portal. With this new experience, Hybrid Identity Administrators can easily determine which sync engine to use for their scenarios and learn more about the various options they have with our sync solutions. With a rich set of tutorials and videos, customers will be able to learn everything about Azure AD cloud sync in one single place.

-This experience will also help administrators walk through the different steps involved in setting up a cloud sync configuration as well as an intuitive experience to help them easily manage it. Admins can also get insights into their sync configuration by using the "Insights" option which is integrated with Azure Monitor and Workbooks.

-For more information:, see:

-**Product capability:** AAD Connect Cloud Sync

-Hybrid IT Admins now can sync both Active Directory and Azure AD Directory Extensions using Azure AD Cloud Sync. This new capability adds the ability to dynamically discover the schema for both Active Directory and Azure AD, allowing customers to simply map the needed attributes using Cloud Sync's attribute mapping experience.

-For more details on how to enable this feature, see: [Cloud Sync directory extensions and custom attribute mapping](../cloud-sync/custom-attribute-mapping.md)

-### General Availability - Multiple Password-less Phone Sign-in for iOS Devices

-End users can now enable password-less phone sign-in for multiple accounts in the Authenticator App on any supported iOS device. Consultants, students, and others with multiple accounts in Azure AD can add each account to Microsoft Authenticator and use password-less phone sign-in for all of them from the same iOS device. The Azure AD accounts can be in the same tenant or different tenants. Guest accounts are not supported for multiple account sign-in from one device.

-End users are not required to enable the optional telemetry setting in the Authenticator App. For more information, see: [Enable passwordless sign-in with Microsoft Authenticator](../authentication/howto-authentication-passwordless-phone.md).

-In this Public Preview refresh, we have enhanced the user experience with an updated design and added four new improvements:

-The ability for users to create tenants from the Manage Tenant overview has been present in Azure AD since almost the beginning of the Azure portal. This new capability in the User Settings blade allows admins to restrict their users from being able to create new tenants. There is also a new [Tenant Creator](../roles/permissions-reference.md#tenant-creator) role to allow specific users to create tenants. For more information, see [Default user permissions](../fundamentals/users-default-permissions.md#restrict-member-users-default-permissions).

-We have consolidated relevant app launcher settings in a new App launchers section in the Azure and Entra portals. The entry point can be found under Enterprise applications, where Collections used to be. You can find the Collections blade by selecting App launchers. In addition, we have added a new App launchers Settings blade. This blade has some settings you may already be familiar with like the Microsoft 365 settings. The new Settings blade also has controls for previews. As an admin, you can choose to try out new app launcher features while they are in preview. Enabling a preview feature means that the feature is turned on for your organization, and will be reflected in the My Apps portal and other app launchers for all of your users. To learn more about the preview settings, see: [End-user experiences for applications](../manage-apps/end-user-experiences.md).

-The Converged Authentication Methods Policy enables you to manage all authentication methods used for MFA and SSPR in one policy, migrate off the legacy MFA and SSPR policies, and target authentication methods to groups of users instead of enabling them for all users in the tenant. For more information, see: [Manage authentication methods for Azure AD](../authentication/concept-authentication-methods-manage.md).

-You can now use administrative units to delegate management of specified devices in your tenant by adding devices to an administrative unit, and assigning built-in and custom device management roles scoped to that administrative unit. For more information, see: [Device management](../roles/administrative-units.md#device-management).

-### Public Preview - Frontline workers using shared devices can now use Edge and Yammer apps on Android

-Companies often provide mobile devices to frontline workers that need to be shared between shifts. MicrosoftΓÇÖs shared device mode allows frontline workers to easily authenticate by automatically signing users in and out of all the apps that have enabled this feature. In addition to Microsoft Teams and Managed Home Screen being generally available, we are excited to announce that Edge and Yammer apps on Android are now in Public Preview.

-For further guidance on deploying frontline solutions, see: [frontline deployment documentation](https://aka.ms/frontlinewhitepaper).

-For steps to setup shared device mode with Intune, see: [Intune setup blog](https://techcommunity.microsoft.com/t5/intune-customer-success/enroll-android-enterprise-dedicated-devices-into-azure-ad-shared/ba-p/1820093).

-In December 2022 we have added the following 44 new applications in our App gallery with Federation support

-For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest

-As part of our ongoing initiative to improve the developer experience, service reliability, and security of customer applications, we will end support for the Azure Active Directory Authentication Library (ADAL). The final deadline to migrate your applications to Microsoft Authentication Library (MSAL) has been extended to **June 30, 2023**.

-As we consolidate and evolve the Microsoft Identity platform, we are also investing in making significant improvements to the developer experience and service features that make it possible to build secure, robust and resilient applications. To make these features available to our customers we needed to update the architecture of our software development kits. As a result of this change, weΓÇÖve decided that the path forward requires us to sunset ADAL so that we can focus on developer experience investments with MSAL.

-We recognize that changing libraries is not an easy task, and cannot be accomplished quickly. We are committed to helping customers plan their migrations to MSAL as well as execute them with minimal disruption.

-### How to find out which applications in my tenant are using ADAL?

-Refer to our post on [Microsoft Q&A](/answers/questions/360928/information-how-to-find-apps-using-adal-in-your-te.html) for details on identifying ADAL apps with the help of [Azure Workbooks](../../azure-monitor/visualize/workbooks-overview.md).

-### If IΓÇÖm using ADAL, what can I expect after the deadline?

-### What features can I only access with MSAL?

-The number of features and capabilities that we are adding to MSAL libraries are growing weekly. Some of them include:

-To make the migration process easier we published a [comprehensive guide](../develop/msal-migration.md#how-to-migrate-to-msal) that documents the migration paths across different platforms and programming languages.

-In addition to the ADAL to MSAL update, we recommend migrating from Azure AD Graph API to Microsoft Graph. This change will enable you to take advantage of the latest additions and enhancements, such as CAE, across the Microsoft service offering through a single, unified endpoint. You can read more in our [Migrate your apps from Azure AD Graph to Microsoft Graph](/graph/migrate-azure-ad-graph-overview) guide. Any questions can be posted to [Microsoft Q&A](/answers/topics/azure-active-directory.html) or [Stack Overflow](https://stackoverflow.com/questions/tagged/msal)

-For users who don't know or use a password, the Temporary Access Pass can now be used to recover Azure AD-joined PCs when the EnableWebSignIn policy is enabled on the device. For more information, see: [Authentication/EnableWebSignIn](/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin).

-For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest

-Update the Azure AD and Microsoft 365 sign in experience with new company branding capabilities. You can apply your companyΓÇÖs brand guidance to authentication experiences with pre-defined templates. For more information, see: [Configure your company branding](../fundamentals/customize-branding.md).

-Update the company branding functionality on the Azure AD/Microsoft 365 sign in experience to allow customizing Self Service Password Reset (SSPR) hyperlinks, footer hyperlinks and browser icon. For more information, see: [Configure your company branding](../fundamentals/customize-branding.md).

-This functionality greatly enhances recoverability and resilience when using Administrative Units. Now, when an Administrative Unit is accidentally deleted it can be restored quickly to the same state it was at time of deletion-removing uncertainty around how things were configured and making restoration quick and easy. For more information, see: [List deletedItems (directory objects)](/graph/api/directory-deleteditems-list).

-With the growing adoption and support of IPv6 across enterprise networks, service providers, and devices, many customers are wondering if their users can continue to access their services and applications from IPv6 clients and networks. Today, weΓÇÖre excited to announce our plan to bring IPv6 support to Microsoft Azure Active Directory (Azure AD). This will allow customers to reach the Azure AD services over both IPv4 and IPv6 network protocols (dual stack).

-We have guidance below which is specifically for Azure AD customers who use IPv6 addresses and also use Named Locations in their Conditional Access policies.

-1. Conduct an audit of existing named locations to anticipate potential impact.

-1. Conduct an audit of existing Conditional Access policies to identify use of named locations as a condition to anticipate potential impact.

-We'll continue to share additional guidance on IPv6 enablement in Azure AD at this easy to remember link https://aka.ms/azureadipv6.

-**Product capability:** AAD Connect Cloud Sync

-Microsoft will stop support for Azure AD provisioning agent with versions 1.1.818.0 and below starting Feb 1,2023. If you're using Azure AD cloud sync, please make sure you have the latest version of the agent. You can info about the agent release history [here](../app-provisioning/provisioning-agent-release-version-history.md). You can download the latest version [here](https://download.msappproxy.net/Subscription/d3c8b69d-6bf7-42be-a529-3fe9c2e70c90/Connector/provisioningAgentInstaller)

-### General Availability - Limits on the number of configured API permissions for an application registration will be enforced starting in October 2022

-In the end of October, the total number of required permissions for any single application registration must not exceed 400 permissions across all APIs. Applications exceeding the limit won't be able to increase the number of permissions they're configured for. The existing limit on the number of distinct APIs for which permissions are required remains unchanged and may not exceed 50 APIs.

-In the Azure portal, the required permissions are listed under API Permissions within specific applications in the application registration menu. When using Microsoft Graph or Microsoft Graph PowerShell, the required permissions are listed in the requiredResourceAccess property of an [application](/graph/api/resources/application) entity. For more information, see: [Validation differences by supported account types (signInAudience)](../develop/supported-accounts-validation.md).

-Announcing Public preview of Authentication strength, a Conditional Access control that allows administrators to specify which authentication methods can be used to access a resource. For more information, see: [Conditional Access authentication strength (preview)](../authentication/concept-authentication-strengths.md). You can use custom authentication strengths to restrict access by requiring specific FIDO2 keys using the Authenticator Attestation GUIDs (AAGUIDs), and apply this through conditional access policies. For more information, see: [FIDO2 security key advanced options](../authentication/concept-authentication-strengths.md#fido2-security-key-advanced-options).

-We're excited to announce the general availability of hybrid cloud Kerberos trust, a new Windows Hello for Business deployment model to enable a password-less sign-in experience. With this new model, weΓÇÖve made Windows Hello for Business much easier to deploy than the existing key trust and certificate trust deployment models by removing the need for maintaining complicated public key infrastructure (PKI), and Azure Active Directory (AD) Connect synchronization wait times. For more information, see: [Hybrid Cloud Kerberos Trust Deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).

-### General Availability - Deprecation of Azure Multi-Factor Authentication Server

-Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multi-factor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services, and to remain in a supported state, organizations should migrate their usersΓÇÖ authentication data to the cloud-based Azure AD Multi-Factor Authentication service using the latest Migration Utility included in the most recent Azure AD Multi-Factor Authentication Server update. For more information, see: [Migrate from MFA Server to Azure AD Multi-Factor Authentication](../authentication/how-to-migrate-mfa-server-to-azure-mfa.md).

-The number matching feature greatly up-levels the security posture of the Microsoft Authenticator app and protects organizations from MFA fatigue attacks. We highly encourage our customers to adopt this feature applying the rollout controls we have built. Number Matching will begin to be enabled for all users of the Microsoft Authenticator app starting 27th of February 2023.

-Reduce accidental approvals by showing users additional context in Microsoft Authenticator app notifications. Customers can enhance notifications with the following:

-For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest

-Accidental deletion of users in any system could be disastrous. WeΓÇÖre excited to announce the general availability of the accidental deletions prevention capability as part of the Azure AD provisioning service. When the number of deletions to be processed in a single provisioning cycle spikes above a customer defined threshold, the Azure AD provisioning service will pause, provide you visibility into the potential deletions, and allow you to accept or reject the deletions. This functionality has historically been available for Azure AD Connect, and Azure AD Connect Cloud Sync. It's now available across the various provisioning flows, including both HR-driven provisioning and application provisioning.

-Identity protection expands its Anonymous and Malicious IP detections to protect ADFS sign-ins. This will automatically apply to all customers who have AD Connect Health deployed and enabled, and will show up as the existing "Anonymous IP" or "Malicious IP" detections with a token issuer type of "AD Federation Services".

-For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest

-## August 2022

-### General Availability - Ability to force reauthentication on Intune enrollment, risky sign-ins, and risky users

-**Type:** New feature

-**Service category:** Conditional Access

-**Product capability:** Identity Security & Protection

-Customers can now require a fresh authentication each time a user performs a certain action. Forced reauthentication supports requiring a user to reauthenticate during Intune device enrollment, password change for risky users, and risky sign-ins.

-For more information, see: [Configure authentication session management with Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md#require-reauthentication-every-time)

-### General Availability - Multi-Stage Access Reviews

-**Type:** Changed feature

-**Service category:** Access Reviews

-**Product capability:** Identity Governance

-Customers can now meet their complex audit and recertification requirements through multiple stages of reviews. For more information, see: [Create a multi-stage access review](../governance/create-access-review.md#create-a-multi-stage-access-review).

-### Public Preview - External user leave settings

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** B2B/B2C

-Currently, users can self-service leave for an organization without the visibility of their IT administrators. Some organizations may want more control over this self-service process.

-With this feature, IT administrators can now allow or restrict external identities to leave an organization by Microsoft provided self-service controls via Azure Active Directory in the Microsoft Entra portal. In order to restrict users to leave an organization, customers need to include "Global privacy contact" and "Privacy statement URL" under tenant properties.

-

-A new policy API is available for the administrators to control tenant wide policy:

-[externalIdentitiesPolicy resource type](/graph/api/resources/externalidentitiespolicy?view=graph-rest-beta&preserve-view=true)

- For more information, see:

-### Public Preview - Restrict self-service BitLocker for devices

-**Type:** New feature

-**Service category:** Device Registration and Management

-**Product capability:** Access Control

-In some situations, you may want to restrict the ability for end users to self-service BitLocker keys. With this new functionality, you can now turn off self-service of BitLocker keys, so that only specific individuals with right privileges can recover a BitLocker key.

-For more information, see: [Block users from viewing their BitLocker keys (preview)](../devices/device-management-azure-portal.md#block-users-from-viewing-their-bitlocker-keys-preview)

-### Public Preview- Identity Protection Alerts in Microsoft 365 Defender

-**Type:** New feature

-**Service category:** Identity Protection

-**Product capability:** Identity Security & Protection

-Identity Protection risk detections (alerts) are now also available in Microsoft 365 Defender to provide a unified investigation experience for security professionals. For more information, see: [Investigate alerts in Microsoft 365 Defender](/microsoft-365/security/defender/investigate-alerts?view=o365-worldwide#alert-sources&preserve-view=true)

-### New Federated Apps available in Azure AD Application gallery - August 2022

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-In August 2022, we've added the following 40 new applications in our App gallery with Federation support

-[Albourne Castle](https://village.albourne.com/castle), [Adra by Trintech](../saas-apps/adra-by-trintech-tutorial.md), [workhub](../saas-apps/workhub-tutorial.md), [4DX](../saas-apps/4dx-tutorial.md), [Ecospend IAM V1](https://iamapi.sb.ecospend.com/account/login), [TigerGraph](../saas-apps/tigergraph-tutorial.md), [Sketch](../saas-apps/sketch-tutorial.md), [Lattice](../saas-apps/lattice-tutorial.md), [snapADDY Single Sign On](https://app.snapaddy.com/login), [RELAYTO Content Experience Platform](https://relayto.com/signin), [oVice](https://tour.ovice.in/login), [Arena](../saas-apps/arena-tutorial.md), [QReserve](../saas-apps/qreserve-tutorial.md), [Curator](../saas-apps/curator-tutorial.md), [NetMotion Mobility](../saas-apps/netmotion-mobility-tutorial.md), [HackNotice](../saas-apps/hacknotice-tutorial.md), [ERA_EHS_CORE](../saas-apps/era-ehs-core-tutorial.md), [AnyClip Teams Connector](https://videomanager.anyclip.com/login), [Wiz SSO](../saas-apps/wiz-sso-tutorial.md), [Tango Reserve by AgilQuest (EU Instance)](../saas-apps/tango-reserve-tutorial.md), [valid8Me](../saas-apps/valid8me-tutorial.md), [Ahrtemis](../saas-apps/ahrtemis-tutorial.md), [KPMG Leasing Tool](../saas-apps/kpmg-tool-tutorial.md) [Mist Cloud Admin SSO](../saas-apps/mist-cloud-admin-tutorial.md), [Work-Happy](https://live.work-happy.com/?azure=true), [Ediwin SaaS EDI](../saas-apps/ediwin-saas-edi-tutorial.md), [LUSID](../saas-apps/lusid-tutorial.md), [Next Gen Math](https://nextgenmath.com/), [Total ID](https://www.tokyo-shoseki.co.jp/ict/), [Cheetah For Benelux](../saas-apps/cheetah-for-benelux-tutorial.md), [Live Center Australia](https://au.livecenter.com/), [Shop Floor Insight](https://www.dmsiworks.com/apps/shop-floor-insight), [Warehouse Insight](https://www.dmsiworks.com/apps/warehouse-insight), [myAOS](../saas-apps/myaos-tutorial.md), [Hero](https://admin.linc-ed.com/), [FigBytes](../saas-apps/figbytes-tutorial.md), [VerosoftDesign](https://verosoft-design.vercel.app/), [ViewpointOne - UK](https://identity-uk.team.viewpoint.com/), [EyeRate Reviews](https://azure-login.eyeratereviews.com/), [Lytx DriveCam](../saas-apps/lytx-drivecam-tutorial.md)

-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial,

-For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest

-### Public preview - New provisioning connectors in the Azure AD Application Gallery - August 2022

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** 3rd Party Integration

-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

-For more information about how to better secure your organization by using automated user account provisioning, see: [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

-### General Availability - Workload Identity Federation with App Registrations are available now

-**Type:** New feature

-**Service category:** Other

-**Product capability:** Developer Experience

-Entra Workload Identity Federation allows developers to exchange tokens issued by another identity provider with Azure AD tokens, without needing secrets. It eliminates the need to store, and manage, credentials inside the code or secret stores to access Azure AD protected resources such as Azure and Microsoft Graph. By removing the secrets required to access Azure AD protected resources, workload identity federation can improve the security posture of your organization. This feature also reduces the burden of secret management and minimizes the risk of service downtime due to expired credentials.

-For more information on this capability and supported scenarios, see [Workload identity federation](../develop/workload-identity-federation.md).

-### Public Preview - Entitlement management automatic assignment policies

-**Type:** Changed feature

-**Service category:** Entitlement Management

-**Product capability:** Identity Governance

-In Azure AD entitlement management, a new form of access package assignment policy is being added. The automatic assignment policy includes a filter rule, similar to a dynamic group, that specifies the users in the tenant who should have assignments. When users come into scope of matching that filter rule criteria, an assignment is automatically created, and when they no longer match, the assignment is removed.

- For more information, see: [Configure an automatic assignment policy for an access package in Azure AD entitlement management (Preview)](../governance/entitlement-management-access-package-auto-assignment-policy.md).

-4. [Create an Azure AD security group](../fundamentals/active-directory-groups-create-azure-portal.md) named **Marketing resources** with a membership type of **Assigned**. This group will be the target resource for entitlement management. The group should be empty of members to start.

-In the target tenant: Cross-tenant sync relies on the Azure AD External Identities billing model. To understand the external identities licensing model, see [MAU billing model for Azure AD External Identities](../external-identities/external-identities-pricing.md)

-> | microsoft.directory/servicePrincipals/synchronizationJobs/manage | Start, restart, and pause application provisioning syncronization jobs |

-> | microsoft.directory/servicePrincipals/synchronizationSchema/manage | Create and manage application provisioning syncronization jobs and schema |

-> | microsoft.directory/servicePrincipals/synchronizationJobs/manage | Start, restart, and pause application provisioning syncronization jobs |

-> | microsoft.directory/servicePrincipals/synchronizationSchema/manage | Create and manage application provisioning syncronization jobs and schema |

-> | microsoft.directory/servicePrincipals/synchronizationJobs/manage | Start, restart, and pause application provisioning syncronization jobs |

-> | microsoft.directory/servicePrincipals/synchronizationSchema/manage | Create and manage application provisioning syncronization jobs and schema |

-> | microsoft.directory/servicePrincipals/synchronizationJobs/manage | Start, restart, and pause application provisioning syncronization jobs |

-> | microsoft.directory/servicePrincipals/synchronizationSchema/manage | Create and manage application provisioning syncronization jobs and schema |

->

-> This connector is currently in Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)

-An Azure Kubernetes Service (AKS) cluster distributes resources such as nodes and storage across logical sections of underlying Azure infrastructure. This deployment model when using availability zones, ensures nodes in a given availability zone are physically separated from those defined in another availability zone. AKS clusters deployed with multiple availability zones configured across a cluster provide a higher level of availability to protect against a hardware failure or a planned maintenance event.

-By defining node pools in a cluster to span multiple zones, nodes in a given node pool are able to continue operating even if a single zone has gone down. Your applications can continue to be available even if there is a physical failure in a single datacenter if orchestrated to tolerate failure of a subset of nodes.

-You need the Azure CLI version 2.0.76 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

-AKS clusters can be created using availability zones in any Azure region that has availability zones.

-* You can only define availability zones when the cluster or node pool is created.

-* Availability zone settings can't be updated after the cluster is created. You also can't update an existing, non-availability zone cluster to use availability zones.

-* Clusters with availability zones enabled require use of Azure Standard Load Balancers for distribution across zones. This load balancer type can only be defined at cluster create time. For more information and the limitations of the standard load balancer, see [Azure load balancer standard SKU limitations][standard-lb-limitations].

-Kubernetes is aware of Azure availability zones since version 1.12. You can deploy a PersistentVolumeClaim object referencing an Azure Managed Disk in a multi-zone AKS cluster and [Kubernetes will take care of scheduling](https://kubernetes.io/docs/setup/best-practices/multiple-zones/#storage-access-for-zones) any pod that claims this PVC in the correct availability zone.

-When *creating* an AKS cluster, if you explicitly define a [null value in a template][arm-template-null] with syntax such as `"availabilityZones": null`, the Resource Manager template treats the property as if it doesn't exist, which means your cluster wonΓÇÖt have availability zones enabled. Also, if you create a cluster with a Resource Manager template that omits the availability zones property, availability zones are disabled.

-You can't update settings for availability zones on an existing cluster, so the behavior is different when updating an AKS cluster with Resource Manager templates. If you explicitly set a null value in your template for availability zones and *update* your cluster, there are no changes made to your cluster for availability zones. However, if you omit the availability zones property with syntax such as `"availabilityZones": []`, the deployment attempts to disable availability zones on your existing AKS cluster and **fails**.

-Availability zones are a high-availability offering that protects your applications and data from datacenter failures. Zones are unique physical locations within an Azure region. Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking. To ensure resiliency, there's always more than one zone in all zone enabled regions. The physical separation of availability zones within a region protects applications and data from datacenter failures.

-AKS clusters that are deployed using availability zones can distribute nodes across multiple zones within a single region. For example, a cluster in the *East US 2* region can create nodes in all three availability zones in *East US 2*. This distribution of AKS cluster resources improves cluster availability as they're resilient to failure of a specific zone.

-If a single zone becomes unavailable, your applications continue to run if the cluster is spread across multiple zones.

-When you create a cluster using the [az aks create][az-aks-create] command, the `--zones` parameter defines which zones agent nodes are deployed into. The control plane components such as etcd or the API are spread across the available zones in the region if you define the `--zones` parameter at cluster creation time. The specific zones which the control plane components are spread across are independent of what explicit zones are selected for the initial node pool.

-If you don't define any zones for the default agent pool when you create an AKS cluster, control plane components are not guaranteed to spread across availability zones. You can add additional node pools using the [az aks nodepool add][az-aks-nodepool-add] command and specify `--zones` for new nodes, but it will not change how the control plane has been spread across zones. Availability zone settings can only be defined at cluster or node pool create-time.

-The following example creates an AKS cluster named *myAKSCluster* in the resource group named *myResourceGroup*. A total of *3* nodes are created - one agent in zone *1*, one in *2*, and then one in *3*.

-When deciding what zone a new node should belong to, a given AKS node pool will use a [best effort zone balancing offered by underlying Azure Virtual Machine Scale Sets][vmss-zone-balancing]. A given AKS node pool is considered "balanced" if each zone has the same number of VMs or +\- 1 VM in all other zones for the scale set.

-When the cluster is ready, list the agent nodes in the scale set to see what availability zone they're deployed in.

-```console

-As you add additional nodes to an agent pool, the Azure platform automatically distributes the underlying VMs across the specified availability zones.

-Note that in newer Kubernetes versions (1.17.0 and later), AKS is using the newer label `topology.kubernetes.io/zone` in addition to the deprecated `failure-domain.beta.kubernetes.io/zone`. You can get the same result as above with by running the following script:

-```console

-Which will give you a more succinct output:

-As documented in [Well-Known Labels, Annotations and Taints][kubectl-well_known_labels], Kubernetes uses the `topology.kubernetes.io/zone` label to automatically distribute pods in a replication controller or service across the different zones available. In order to test this, you can scale up your cluster from 3 to 5 nodes, to verify correct pod spreading:

-When the scale operation completes after a few minutes, the command `kubectl describe nodes | grep -e "Name:" -e "topology.kubernetes.io/zone"` in a Bash shell should give an output similar to this sample:

-We now have two additional nodes in zones 1 and 2. You can deploy an application consisting of three replicas. We will use NGINX as an example:

-```console

-By viewing nodes where your pods are running, you see pods are running on the nodes corresponding to three different availability zones. For example, with the command `kubectl describe pod | grep -e "^Name:" -e "^Node:"` in a Bash shell you would get an output similar to this:

-As you can see from the previous output, the first pod is running on node 0, which is located in the availability zone `eastus2-1`. The second pod is running on node 2, which corresponds to `eastus2-3`, and the third one in node 4, in `eastus2-2`. Without any additional configuration, Kubernetes is spreading the pods correctly across all three availability zones.

-This article detailed how to create an AKS cluster that uses availability zones. For more considerations on highly available clusters, see [Best practices for business continuity and disaster recovery in AKS][best-practices-bc-dr].

-The Azure VM size for your nodes defines CPUs, memory, size, and the storage type available (such as high-performance SSD or regular HDD). Plan the node size around whether your applications may require large amounts of CPU and memory or high-performance storage. Scale out the number of nodes in your AKS cluster to meet demand.

-For more information on Azure CNI and kubenet and to help determine which option is best for you, see [Configure Azure CNI networking in AKS][azure-cni-aks] and [Use kubenet networking in AKS][kubenet-aks].

-[kubenet-aks]: configure-kubenet.md

-You can use Azure Disks or Files to provide the PersistentVolume. As noted in the [Volumes](#volumes) section, the choice of Disks or Files is often determined by the need for concurrent access to the data or the performance tier.

-To define different tiers of storage, such as Premium and Standard, you can create a *StorageClass*.

-The StorageClass also defines the *reclaimPolicy*. When you delete the pod and the persistent volume is no longer required, the reclaimPolicy controls the behavior of the underlying Azure storage resource. The underlying storage resource can either be deleted or kept for use with a future pod.

-* The subnet assigned to the AKS node pool cannot be a [delegated subnet](../virtual-network/subnet-delegation-overview.md).

-* AKS doesn't apply Network Security Groups (NSGs) to its subnet and will not modify any of the NSGs associated with that subnet. If you provide your own subnet and add NSGs associated with that subnet, you must ensure the security rules in the NSGs allow traffic within the node CIDR range. For more details, see [Network security groups][aks-network-nsg].

-> The number of IP addresses required should include considerations for upgrade and scaling operations. If you set the IP address range to only support a fixed number of nodes, you cannot upgrade or scale your cluster.

-| Kubernetes service address range | This range should not be used by any network element on or connected to this virtual network. Service address CIDR must be smaller than /12. You can reuse this range across different AKS clusters. |

-| Docker bridge address | The Docker bridge network address represents the default *docker0* bridge network address present in all Docker installations. While *docker0* bridge is not used by AKS clusters or the pods themselves, you must set this address to continue to support scenarios such as *docker build* within the AKS cluster. It is required to select a CIDR for the Docker bridge network address because otherwise Docker will pick a subnet automatically, which could conflict with other CIDRs. You must pick an address space that does not collide with the rest of the CIDRs on your networks, including the cluster's service CIDR and pod CIDR. Default of 172.17.0.1/16. You can reuse this range across different AKS clusters. |

-The maxPod per node setting can be defined when you create a new node pool. If you need to increase the maxPod per node setting on an existing cluster, add a new node pool with the new desired maxPod count. After migrating your pods to the new pool, delete the older pool. To delete any older pool in a cluster, ensure you are setting node pool modes as defined in the [system node pools document][system-node-pools].

-**Virtual network**: The virtual network into which you want to deploy the Kubernetes cluster. If you want to create a new virtual network for your cluster, select *Create new* and follow the steps in the *Create virtual network* section. If you want to select an existing virtual network, make sure it is in the same location and Azure subscription as your Kubernetes cluster. For information about the limits and quotas for an Azure virtual network, see [Azure subscription and service limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-resource-manager-virtual-networking-limits).

-**Azure Network Plugin**: When Azure network plugin is used, the internal LoadBalancer service with "externalTrafficPolicy=Local" can't be accessed from VMs with an IP in clusterCIDR that does not belong to AKS cluster.

-Although it's technically possible to specify a service address range within the same virtual network as your cluster, doing so is not recommended. Unpredictable behavior can result if overlapping IP ranges are used. For more information, see the [FAQ](#frequently-asked-questions) section of this article. For more information on Kubernetes services, see [Services][services] in the Kubernetes documentation.

-**Docker Bridge address**: The Docker bridge network address represents the default *docker0* bridge network address present in all Docker installations. While *docker0* bridge is not used by AKS clusters or the pods themselves, you must set this address to continue to support scenarios such as *docker build* within the AKS cluster. It is required to select a CIDR for the Docker bridge network address because otherwise Docker will pick a subnet automatically which could conflict with other CIDRs. You must pick an address space that does not collide with the rest of the CIDRs on your networks, including the cluster's service CIDR and pod CIDR.

-To configure Azure CNI networking with dynamic IP allocation and enhanced subnet support, see [Configure Azure CNI networking for dynamic allocation of IPs and enhanced subnet support in AKS](/configure-azure-cni-dynamic-ip-allocation.md).

-Learn more about Kubernetes services in the [Kubernetes services documentation][kubernetes-services].

-> As a temporary extension, we have introduced a subscription-level Azure Feature Exposure Control (AFEC) flag to help you fix the permissions for all your users and/or service principals' permissions. Register for this interim feature on your own through a subscription owner, contributor, or custom role. </br>

-> The provision to circumvent the virtual network permission check by using this feature control is **available only for a limited period, until 6th April 2023**. Ensure all the roles and permissions managing Application Gateways are updated by then, as there will be no further extensions. Read more about [Preview Feature registration](../azure-resource-manager/management/preview-features.md?tabs=azure-portal).

-Form Recognizer Identity document (ID) model combines Optical Character Recognition (OCR) with deep learning models to analyze and extract key information from identity documents such as US Drivers Licenses (all 50 states and District of Columbia), international passport biographical pages, US state IDs, social security cards, and permanent resident cards and more. The API analyzes identity documents, extracts key information, and returns a structured JSON data representation.

-The following tools are supported by Form Recognizer v3.0:

-The following tools are supported by Form Recognizer v2.1:

-* For PDF and TIFF, up to 2000 pages are processed. For free tier subscribers, only the first two pages are processed.

-Extract data, including name, birth date, and expiration date, from ID documents. You'll need the following resources:

- :::image type="content" source="media/fott-select-form-type.png" alt-text="Screenshot: select form type dropdown menu.":::

-1. Select **Run analysis**. The Form Recognizer Sample Labeling tool will call the Analyze Prebuilt API and analyze the document.

- * The "pageResults" section includes the tables extracted. For each table, the text, row, and column index, row and column spanning, bounding box, and more are extracted.

-## Supported languages and locales

->[!NOTE]

- > It's not necessary to specify a locale. This is an optional parameter. The Form Recognizer deep-learning technology will auto-detect the language of the text in your image.

-| Model | LanguageΓÇöLocale code | Default |

-|--|:-|:|

-|ID document| <ul><li>English (United States)ΓÇöen-US (driver's license)</li><li>Biographical pages from international passports</br> (excluding visa and other travel documents)</li><li>English (United States)ΓÇöen-US (state ID)</li><li>English (United States)ΓÇöen-US (social security card)</li><li>English (United States)ΓÇöen-US (permanent resident card)</li></ul></br>|English (United States)ΓÇöen-US|

-Below are the fields extracted per document type. The Azure Form Recognizer ID model `prebuilt-idDocument` extracts the below fields in the `documents.*.fields`. It also extracts all the text in the documents, words, lines, and styles that are included in the JSON output in the different sections.

-|`PersonalNumber`|`string`|Personal Id. No.|A234567893|

-|Name| Type | Description | Standardized output|

-|:--|:-|:-|:-|

-| DateOfIssue | Date | Issue date | yyyy-mm-dd |

-| Height | String | Height of the holder. | |

-| Weight | String | Weight of the holder. | |

-| EyeColor | String | Eye color of the holder. | |

-| HairColor | String | Hair color of the holder. | |

-| DocumentDiscriminator | String | Document discriminator is a security code that identifies where and when the license was issued. | |

-| Endorsements | String | More driving privileges granted to a driver such as Motorcycle or School bus. | |

-| Restrictions | String | Restricted driving privileges applicable to suspended or revoked licenses.| |

-| VehicleClassification | String | Types of vehicles that can be driven by a driver. ||

-| CountryRegion | countryRegion | Country or region code compliant with ISO 3166 standard | |

-| DateOfBirth | Date | DOB | yyyy-mm-dd |

-| DateOfExpiration | Date | Expiration date DOB | yyyy-mm-dd |

-| DocumentNumber | String | Relevant passport number, driver's license number, etc. | |

-| FirstName | String | Extracted given name and middle initial if applicable | |

-| LastName | String | Extracted surname | |

-| Nationality | countryRegion | Country or region code compliant with ISO 3166 standard (Passport only) | |

-| Sex | String | Possible extracted values include "M", "F" and "X" | |

-| MachineReadableZone | Object | Extracted Passport MRZ including two lines of 44 characters each | "P<USABROOKS<<JENNIFER<<<<<<<<<<<<<<<<<<<<<<< 3400200135USA8001014F1905054710000307<715816" |

-| DocumentType | String | Document type, for example, Passport, Driver's License, Social security card and more | "passport" |

-| Address | String | Extracted address, address is also parsed to its components - address, city, state, country, zip code ||

-| Region | String | Extracted region, state, province, etc. (Driver's License only) | |

-Receipt digitization is the process of converting scanned receipts into digital form for downstream processing. Azure Form Recognizer OCR-powered receipt data extraction helps to automate the conversion and save time and effort. The output from the receipt data extraction is used for accounts payable and receivables automation, sales data analytics, and other business scenarios.

-The following tools are supported by Form Recognizer v3.0:

-The following tools are supported by Form Recognizer v2.1:

-* For PDF and TIFF, up to 2000 pages are processed. For free tier subscribers, only the first two pages are processed.

-See how data, including time and date of transactions, merchant information, and amount totals, is extracted from receipts. You need the following resources:

-|&bullet; English| United States (-us), Australia (-au), Great Britain (-gb), India (-in), United Arab Emirates (-ae)|

-|&bullet; Dutch| Netherlands (nl-nl)|

-|&bullet; French | France (fr-fr), Canada (fr-ca) |

-|&bullet; German | Germany (de-de) |

-|&bullet; Italian | Italy (it-it) |

-|&bullet; Japanese | Japan (ja-ja)|

-|&bullet; Portuguese| Portugal (pt-pt), Brazil (pt-br)|

-|&bullet; Spanish | Spain (es-es) |

-Form Recognizer service is updated on an ongoing basis. Bookmark this page to stay up to date with release notes, feature enhancements, and our newest documentation.

- * English - United Arab Emirates (en-ae)

- * Dutch - Netherlands (nl-nl)

- * French - Canada (fr-ca)

- * German - (de-de)

- * Italian - (it-it)

- * Japanese - Japan (ja-jp)

- * Portuguese - Brazil (pt-br)

- * Passport, driver's license, and residence permit ID expansion

- * India ID cards and documents

- * Australia ID cards and documents

- * Canada ID cards and documents

- * United Kingdom ID cards and documents

-* Building custom neural models is now supported in the US Gov Virginia region.

-* Preview API versions ```2022-01-30-preview``` and ```2021-09-30-preview``` will be retired January 31 2023. Update to the ```2022-08-31``` API version to avoid any service disruptions.

- * Form Recognizer documentation has been updated to present a versioned experience. Now, you can choose to view content targeting the v3.0 GA experience or the v2.1 GA experience. The v3.0 experience is the default.

- * For a complete list of regions where training is supported see [custom neural models](concept-custom-neural.md).

- * [**prebuilt-idDocument**](concept-id-document.md). Data extraction support for US state ID, social security, and green cards. Support for passport visa information.

- * [**Read model now supports common Microsoft Office document types**](concept-read.md). Document types like Word (docx) and PowerPoint (ppt) are now supported with the Read API. See [Microsoft Office and HTML text extraction](concept-read.md#microsoft-office-and-html-text-extraction).

- * [**General document**](concept-general-document.md) pre-trained model is now updated to support selection marks in addition to API text, tables, structure, key-value pairs, and named entities from forms and documents.

-* Form Recognizer containers v2.1 released in gated preview and are now supported by six feature containersΓÇö**Layout**, **Business Card**,**ID Document**, **Receipt**, **Invoice**, and **Custom**. To use them, you must submit an [online request](https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR7en2Ais5pxKtso_Pz4b1_xUNlpBU1lFSjJUMFhKNzVHUUVLN1NIOEZETiQlQCN0PWcu), and receive approval.

-* The updated Layout API table feature adds header recognition with column headers that can span multiple rows. Each table cell has an attribute that indicates whether it's part of a header or not. This update can be used to identify which rows make up the table header.

-* Expanded the set of document languages that can be provided to the **[StartRecognizeContent](/dotnet/api/azure.ai.formrecognizer.formrecognizerclient.startrecognizecontent?view=azure-dotnet-preview&preserve-view=true)** method.

- The `ReadingOrder` property is an optional parameter that allows you to specify which reading order algorithmΓÇö`basic` or `natural`ΓÇöshould be applied to order the extraction of text elements. If not specified, the default value is `basic`.

- * The `ReadingOrder` keyword argument is an optional parameter that allows you to specify which reading order algorithmΓÇö`basic` or `natural`ΓÇöshould be applied to order the extraction of text elements. If not specified, the default value is `basic`.

-* Added support for a **[ReadingOrder](/javascript/api/@azure/ai-form-recognizer/formreadingorder?view=azure-node-latest&preserve-view=true to the URL)** type to the content recognition methods. This option enables you to control the algorithm that the service uses to determine how recognized lines of text should be ordered. You can specify which reading order algorithmΓÇö`basic` or `natural`ΓÇöshould be applied to order the extraction of text elements. If not specified, the default value is `basic`.

- The `readingOrder` keyword argument is an optional parameter that allows you to specify which reading order algorithmΓÇö`basic` or `natural`ΓÇöshould be applied to order the extraction of text elements. If not specified, the default value is `basic`.

-* **Supervised table labeling and training, empty-value labeling** - In addition to Form Recognizer's [state-of-the-art deep learning automatic table extraction capabilities](https://techcommunity.microsoft.com/t5/azure-ai/enhanced-table-extraction-from-documents-with-form-recognizer/ba-p/2058011), it now enables customers to label and train on tables. This new release includes the ability to label and train on line items/tables (dynamic and fixed) and train a custom model to extract key-value pairs and line items. Once a model is trained, the model extracts line items as part of the JSON output in the documentResults section.

- * **New language supported: Japanese** - The following new languages are now supported: for `AnalyzeLayout` and `AnalyzeCustomForm`: Japanese (`ja`). [Language support](language-support.md)

- * **Text line style indication (handwritten/other) (Latin languages only)** - Form Recognizer now outputs an `appearance` object classifying whether each text line is handwritten style or not, along with a confidence score. This feature is supported only for Latin languages.

- * **New try-it-out feature in the Form Recognizer Sample and Labeling Tool** - Ability to try out prebuilt Invoice, Receipt, and Business Card models and the Layout API using the Form Recognizer Sample Labeling tool. See how your data is extracted without writing any code.

-* **Form Recognizer v2.1-preview.1 has been released and includes the following features:

- * **New languages supported In addition to English**, the following [languages](language-support.md) are now supported: for `Layout` and `Train Custom Model`: English (`en`), Chinese (Simplified) (`zh-Hans`), Dutch (`nl`), French (`fr`), German (`de`), Italian (`it`), Portuguese (`pt`) and Spanish (`es`).

- * **Checkbox / Selection Mark detection** ΓÇô Form Recognizer supports detection and extraction of selection marks such as check boxes and radio buttons. Selection Marks are extracted in `Layout` and you can now also label and train in `Train Custom Model` - _Train with Labels_ to extract key-value pairs for selection marks.

- * **Model Compose** - allows multiple models to be composed and called with a single model ID. When you submit a document to be analyzed with a composed model ID, a classification step is first performed to route it to the correct custom model. Model Compose is available for `Train Custom Model` - _Train with labels_.

- * The [Sample Labeling tool](https://github.com/microsoft/OCR-Form-Tools) has been updated to support the new v2.1 functionality. See this [quickstart](label-tool.md) for getting started with the tool.

-* **Value types for labeling** You can now specify the types of values you're labeling with the Form Recognizer Sample Labeling tool. The following value types and variations are currently supported:

-* **Table visualization** The Sample Labeling tool now displays tables that were recognized in the document. This feature lets you view recognized and extracted tables from the document prior to labeling and analyzing. This feature can be toggled on/off using the layers option.

-* The following image is an example of how tables are recognized and extracted:

-* TLS 1.2 is now enforced for all HTTP requests to this service. For more information, see [Azure Cognitive Services security](../../cognitive-services/security-features.md).

- All of the APIs for training and using custom models have been renamed, and some synchronous methods are now asynchronous. The following are major changes:

- * Key/value extraction is now initiated by the **/custom/models/{modelID}/analyze** API call. This call returns an operation ID, which you can pass into **custom/models/{modelID}/analyzeResults/{resultID}** to return the extraction results.

- * Operation IDs for the Train operation are now found in the **Location** header of HTTP responses, not the **Operation-Location** header.

- * The APIs for reading sales receipts have been renamed.

- * Receipt data extraction is now initiated by the **/prebuilt/receipt/analyze** API call. This call returns an operation ID, which you can pass into **/prebuilt/receipt/analyzeResults/{resultID}** to return the extraction results.

- * The JSON responses for all API calls have new formats. Some keys and values have been added, removed, or renamed. See the quickstarts for examples of the current JSON formats.

- - **Change Directory:Base Path** - You use the changed directory path when you reopen Visual Studio code IDE. To change the directory using the Command Palette, use **Ctrl+Shift+P -> select Change Directory**. To change the base path from extension configuration settings, select **Manage** icon in the activity bar on the left and go to **Settings > Extensions > Azure Automation > Directory:Base Path**.

-|DataON AZS-6224|1.23.8|1.12.0_2022-10-11|16.0.537.5223| postgres 12.3 (Ubuntu 12.3-1) |

-| Dell EMC PowerFlex |1.21.5|1.4.1_2022-03-08|15.0.2255.119 | postgres 12.3 (Ubuntu 12.3-1) |

-| PowerFlex version 3.6 |1.21.5|1.4.1_2022-03-08|15.0.2255.119 | postgres 12.3 (Ubuntu 12.3-1) |

-| PowerFlex CSI version 1.4 |1.21.5|1.4.1_2022-03-08 | 15.0.2255.119 | postgres 12.3 (Ubuntu 12.3-1) |

-| PowerStore X|1.20.6|1.0.0_2021-07-30|15.0.2148.140 |postgres 12.3 (Ubuntu 12.3-1) |

-|HPE Superdome Flex 280 | 1.26.0 | 1.15.0_2023-01-10 | 16.0.816.19223 | Postgres 14.5(ubuntu 20.04)|

-|HPE Superdome Flex 280|1.20.0|1.8.0_2022-06-14|16.0.41.7339|12.3 (Ubuntu 12.3-1)

-|Kublr 1.21.2 | 1.22.10 | 1.9.0_2022-07-12 | 16.0.312.4243 |PostgreSQL 12.3 (Ubuntu 12.3-1) |

-|Lenovo ThinkAgile MX3520 |AKS on Azure Stack HCI 21H2| 1.10.0_2022-08-09 |16.0.312.4243|postgres 12.3 (Ubuntu 12.3-1)|

-| Karbon 2.2<br/>AOS: 5.19.1.5<br/>AHV: 20201105.1021<br/>PC: Version pc.2021.3.02<br/> | 1.19.8-0 | 1.0.0_2021-07-30 | 15.0.2148.140|postgres 12.3 (Ubuntu 12.3-1)|

-| Portworx Enterprise 2.9 | 1.22.5 | 1.1.0_2021-11-02 | 15.0.2195.191 | postgres 12.3 (Ubuntu 12.3-1) |

-| OpenShift 4.10.16 | 1.23.5 | 1.11.0_2022-09-13 | 16.0.312.4243 | postgres 12.3 (Ubuntu 12.3-1)|

-| TKG 2.1.0 | 1.26.0 | 1.15.0_2023-01-10 | 16.0.816.19223 | postgres 14.5 (Ubuntu 20.04)

-| TKG-1.6.0 | 1.23.8 | 1.11.0_2022-09-13 | 16.0.312.4243 | postgres 12.3 (Ubuntu 12.3-1)

-| TKGm v1.5.3 | 1.22.8 | 1.9.0_2022-07-12 | 16.0.312.4243 | postgres 12.3 (Ubuntu 12.3-1)|

-|Wind River Cloud Platform 22.12 | 1.24.4|1.14.0_2022-12-13 |16.0.816.19223|Postgres 14.5(ubuntu 20.04) |

-|Wind River Cloud Platform 22.06 | 1.23.1|1.9.0_2022-07-12 |16.0.312.4243|postgres 12.3 (Ubuntu 12.3-1) |

-The Azure Connected Machine agent package contains several logical components, which are bundled together:

-* The Extension agent manages VM extensions, including install, uninstall, and upgrade. Extensions are downloaded from Azure and copied to the `%SystemDrive%\%ProgramFiles%\AzureConnectedMachineAgent\ExtensionService\downloads` folder on Windows, and to `/opt/GC_Ext/downloads` on Linux. On Windows, the extension is installed to the following path `%SystemDrive%\Packages\Plugins\<extension>`, and on Linux the extension is installed to `/var/lib/waagent/<extension>`.

-The Windows agent is distributed as a Windows Installer package (MSI) and can be downloaded from the [Microsoft Download Center](https://aka.ms/AzureConnectedMachineAgent).

-After installing the Connected Machine agent for Windows, the following system-wide configuration changes are applied.

-* The following installation folders are created during setup.

-* The following Windows services are created on the target machine during installation of the agent.

-* The following virtual service account is created during agent installation.

-* The following local security group is created during agent installation.

-* The following environmental variables are created during agent installation.

-* There are several log files available for troubleshooting. They are described in the following table.

-* The local security group **Hybrid agent extension applications** is created.

-* During uninstall of the agent, the following artifacts are not removed.

-The Connected Machine agent for Linux is provided in the preferred package format for the distribution (.RPM or .DEB) that's hosted in the Microsoft [package repository](https://packages.microsoft.com/). The agent is installed and configured with the shell script bundle [Install_linux_azcmagent.sh](https://aka.ms/azcmagent).

-Installing, upgrading, and removing the Connected Machine agent will not require you to restart your server.

-After installing the Connected Machine agent for Linux, the following system-wide configuration changes are applied.

-* The following installation folders are created during setup.

-* The following daemons are created on the target machine during installation of the agent.

-* There are several log files available for troubleshooting. They are described in the following table.

-* The following environment variables are created during agent installation. These variables are set in `/lib/systemd/system.conf.d/azcmagent.conf`.

-* During uninstall of the agent, the following artifacts are not removed.

-* The Guest Configuration agent is limited to use up to 5% of the CPU to evaluate policies.

-* The Extension Service agent is limited to use up to 5% of the CPU to install, upgrade, run, and delete extensions. The following exceptions apply:

- * If the extension installs background services that run independent of Azure Arc, such as the Microsoft Monitoring Agent, those services will not be subject to the resource governance constraints listed above.

- * The Log Analytics agent and Azure Monitor Agent are allowed to use up to 60% of the CPU during their install/upgrade/uninstall operations on Red Hat Linux, CentOS, and other enterprise Linux variants. The limit is higher for this combination of extensions and operating systems to accommodate the performance impact of [SELinux](https://www.redhat.com/en/topics/linux/what-is-selinux) on these systems.

-The following metadata information is requested by the agent from Azure:

-To deploy the agent and connect a machine, certain [prerequisites](prerequisites.md) must be met. There are also [networking requirements](network-requirements.md) to be aware of.

-description: The What's new release notes in the Overview section for Azure Arc-enabled servers agent contains six months of activity. Thereafter, the items are removed from the main article and put into this article.

- - Automatic registration of any missing resource providers for first-time users (additional user permissions required to register resource providers)

- - A progress bar now appears while the resource is being created and connected

- - Azure Arc network endpoints are now required, onboarding will abort if they are not accessible

- - Onboarding continues instead of aborting if OS information cannot be obtained

- - Policies are executed in a separate process.

-Resolved issue where proxy configuration could be lost after upgrade on RPM-based distributions.

-## Version 1.22 - September 2022

-### Known issues

-### New features

-### Fixed

-| .NET / C# / F# | Functions 1.0+ | In-process (GA) <br/> Out-of-process ([preview](https://github.com/microsoft/durabletask-dotnet#usage-with-azure-functions)) | n/a |

-| Durable Functions storage provider (Azure Storage) - Preview | All | [Durable Functions extension version 2.7.0 or later][durable-identity],<br/>[Extension bundle 3.3.0 or later][durable-identity] |

-[durable-identity]: ./durable/durable-functions-storage-providers.md#identity-based-connections-preview

-To configure data sources for Log Analytics agents, go to the **Log Analytics workspaces** menu in the Azure portal and select a workspace. Select **Agents configuration**. Select the tab for the data source you want to configure. Use the links in the preceding table to access documentation for each data source and information on their configuration.

- > Editing configuration files for performance counters and Syslog is overwritten if the collection is configured from the [agent's configuration](../agents/agent-data-sources.md#configure-data-sources) in the Azure portal for your workspace. To disable configuration for all agents, disable collection from **Agents configuration**. For a single agent, run the following script:

-Regardless of the installation method used, you need the workspace ID and key for the Log Analytics workspace that the agent will connect to. Select the workspace from the **Log Analytics workspaces** menu in the Azure portal. Under the **Settings** section, select **Agents management**.

-1. In your Log Analytics workspace, select the **Agents Management** tile and then select **Windows Servers**.

-Regardless of the installation method used, you'll require the workspace ID and key for the Log Analytics workspace that the agent will connect to. Select the workspace from the **Log Analytics workspaces** menu in the Azure portal. Then in the **Settings** section, select **Agents management**.

-| Jan 2023 | <ul><li>Fixed issue related to incorrect *EventLevel* and *Task* values for Log Analytics *Event* table, to match Windows Event Viewer values</li><li>Added missing columns for IIS logs - *TimeGenerated, Time, Date, Computer, SourceSystem, AMA, W3SVC, SiteName*</li><li>Reliability improvements for metrics collection</li><li>Fixed machine restart issues on for Arc-enabled servers related to repeated calls to HIMDS service</li></ul> | 1.12.0.0 | None |

-Azure Monitor Agent provides the following benefits over legacy agents:

- - Enhanced security through Managed Identity and Azure Active Directory (Azure AD) tokens (for clients).

- - The AMA agent event throughput is 25% better than the MMA agent.

- - DCRs let you configure data collection for specific machines connected to a workspace as compared to the "all or nothing" approach of legacy agents.

- - With DCRs, you can define which data to ingest and which data to filter out to reduce workspace clutter and save on costs.

- - Easy *multihoming* on Windows and Linux.

- - Centralized, "in the cloud" agent configuration makes every action simpler and more easily scalable throughout the data collection lifecycle, from onboarding to deployment to updates and changes over time.

- - Greater transparency and control of more capabilities and services, such as Microsoft Sentinel, Defender for Cloud, and VM Insights.

-## Migration plan considerations

-Your migration plan to the Azure Monitor Agent should take into account:

- - Review [Azure Monitor Agent's supported services list](agents-overview.md#supported-services-and-features) to ensure that Azure Monitor Agent supports the services you require. If you currently use service(s) in preview, start testing your scenarios during the preview phase. This will save time and ensure you're ready to deploy to production as soon as the service becomes generally available. Moreover you benefit from added security and reduced cost immediately.

- - Use the [AMA Migration Helper](./azure-monitor-agent-migration-tools.md#using-ama-migration-helper) to *discover what solutions and features you're using today that depend on the legacy agents*.

- - If you use Microsoft Sentinel, see [Gap analysis for Microsoft Sentinel](../../sentinel/ama-migrate.md#gap-analysis-between-agents) for a comparison of the extra data collected by Microsoft Sentinel.

- - If you're setting up a *new environment* with resources, such as deployment scripts and onboarding templates, assess the effort of migrating to Azure Monitor Agent later. If the setup will take a significant amount of rework, install Azure Monitor Agent together with a legacy agent in your new environment to decrease the migration effort later.

- - Azure Monitor Agent **can run alongside the legacy Log Analytics agents on the same machine** so that you can continue to use existing functionality during evaluation or migration. You can begin the transition, but ensure you understand the **limitations below**:

- - Be careful when you collect duplicate data from the same machine, as this could skew query results, affect downstream features like alerts, dashboards, workbooks and generate more charges for data ingestion and retention. To avoid data duplication, ensure the agents are *collecting data from different machines* or *sending the data to different destinations*. Additionally,

- - For **Defender for Cloud**, you will only be [billed once per machine](../../defender-for-cloud/auto-deploy-azure-monitoring-agent.md#impact-of-running-with-both-the-log-analytics-and-azure-monitor-agents) when running both agents

- - For **Sentinel**, you can easily [disable the legacy connector](../../sentinel/ama-migrate.md#recommended-migration-plan) to stop ingestion of logs from legacy agents.

- - Running two telemetry agents on the same machine consumes double the resources, including but not limited to CPU, memory, storage space, and network bandwidth.

-## Prerequisites

-Review the [prerequisites](./azure-monitor-agent-manage.md#prerequisites) for use with Azure Monitor Agent. For non-Azure servers, [installing the Azure Arc agent](../../azure-arc/servers/agent-overview.md) is an important prerequisite that then helps to install the agent extension and other required extensions. Using Azure Arc for this purpose comes at no added cost. It's not mandatory to use Azure Arc for server management overall. You can continue using your existing non-Azure management solutions. After the Azure Arc agent is installed, you can follow the same guidance in this article across Azure and non-Azure for migration.

-## Migration testing

-To ensure safe deployment during migration, begin testing with few resources running Azure Monitor Agent in your nonproduction environment. After you validate the data collected on these test resources, roll out to production by following the same steps.

-To start collecting some of the existing data types, see [Create new data collection rules](./data-collection-rule-azure-monitor-agent.md#create-a-data-collection-rule). Alternatively, you can use the [DCR Config Generator](./azure-monitor-agent-migration-tools.md#installing-and-using-dcr-config-generator) to convert existing legacy agent configuration into data collection rules.

-After you *validate* that data is flowing as expected with Azure Monitor Agent, check the `Category` column in the [Heartbeat](/azure/azure-monitor/reference/tables/heartbeat) table for the value *Azure Monitor Agent* for AMA collected data. Ensure it matches data flowing through the existing Log Analytics agent.

-## At-scale migration using Azure Policy

-We recommend using [Azure Policy](../../governance/policy/overview.md) to migrate a large number of agents. Start by analyzing your current monitoring setup with the Log Analytics agent by using the [AMA Migration Helper](./azure-monitor-agent-migration-tools.md#using-ama-migration-helper). Use this tool to find sources like virtual machines, virtual machine scale sets, and non-Azure servers.

-Use the [DCR Config Generator](./azure-monitor-agent-migration-tools.md#installing-and-using-dcr-config-generator) to migrate legacy agent configuration, including data sources and destinations, from the workspace to the new DCRs.

-> [!IMPORTANT]

-> Before you deploy a large number of agents, consider [configuring the workspace](agent-data-sources.md) to disable data collection for the Log Analytics agent. If you leave data collection for the Log Analytics agent enabled, you might collect duplicate data and increase your costs. You might choose to collect duplicate data for a short period during migration until you verify that you've deployed and configured Azure Monitor Agent correctly.

-Validate that Azure Monitor Agent is collecting data as expected and all downstream dependencies, such as dashboards, alerts, and workbooks, function properly.

-After you confirm that Azure Monitor Agent is collecting data properly, [uninstall the Log Analytics agent](./agent-manage.md#uninstall-agent) from monitored resources. Clean up any configuration files, workspace keys, or certificates that were used previously by the Log Analytics agent.

-> [!IMPORTANT]

-> Don't uninstall the legacy agent if you need to use it for System Center Operations Manager scenarios or others solutions not yet available on Azure Monitor Agent.

-1. In the Azure portal, select **Log Analytics workspaces** > your workspace > **Settings**.

-1. Select **Custom logs**.

-1. From the **Data** menu in the **Advanced Settings** for your workspace, select **Custom Logs** to list all your custom logs.

-Configure performance counters from the [Agents configuration menu](../agents/agent-data-sources.md#configure-data-sources) for the Log Analytics workspace.

-Configure Windows event logs from the [Agents configuration menu](../agents/agent-data-sources.md#configure-data-sources) for the Log Analytics workspace.

-[](media/data-sources-windows-events/configure.png#lightbox)

-1. Select **Storage accounts logs** in the **Workspace Data Sources** section of the menu.

-The data is visible in the **Custom logs** section of your Log Analytics workspace.

-You can check your current retention settings for Log Analytics under **General** > **Usage and estimated costs** > **Data Retention** in the Log Analytics UI. This setting affects how long any new ingested data is stored after you migrate your Application Insights resource.

-3. Make sure AzureExporter is properly configured in your `settings.py` under `OPENCENSUS`. For requests from urls that you don't wish to track, add them to `EXCLUDELIST_PATHS`.

- APPINSIGHTS_CONNECTION_STRING='<your-appinsights_connection-string-here>'

- exporter=AzureExporter(connection_string=f'{APPINSIGHTS_CONNECTION_STRING}')

- Yes. Starting from [Application Insights Agent 2.0.0-beta1](https://www.powershellgallery.com/packages/Az.ApplicationMonitor/2.0.0-beta1), ASP.NET Core applications hosted in IIS are supported.

-description: Quickly access your Application Insights request and exception telemetry with CodeLens in Visual Studio.

-# Application Insights telemetry in Visual Studio CodeLens

-Methods in the code of your web app can be annotated with telemetry about run-time exceptions and request response times. If you install [Azure Application Insights](./app-insights-overview.md) in your application, the telemetry appears in Visual Studio [CodeLens](/visualstudio/ide/find-code-changes-and-other-history-with-codelens) - the notes at the top of each function where you're used to seeing useful information such as the number of places the function is referenced or the last person who edited it.

-

-> [!NOTE]

-> Application Insights in CodeLens is available in Visual Studio 2015 Update 3 and later, or with the latest version of [Developer Analytics Tools extension](https://visualstudiogallery.msdn.microsoft.com/82367b81-3f97-4de1-bbf1-eaf52ddc635a). CodeLens is available in the Enterprise and Professional editions of Visual Studio.

->

->

-## Where to find Application Insights data

-Look for Application Insights telemetry in the CodeLens indicators of the public request methods of your web application.

-CodeLens indicators are shown above method and other declarations in C# and Visual Basic code. If Application Insights data is available for a method, you'll see indicators for requests and exceptions such as "100 requests, 1% failed" or "10 exceptions." Click a CodeLens indicator for more details.

-> [!TIP]

-> Application Insights request and exception indicators may take a few extra seconds to load after other CodeLens indicators appear.

->

->

-## Exceptions in CodeLens

-

-The exception CodeLens indicator shows the number of exceptions that have occurred in the past 24 hours from the 15 most frequently occurring exceptions in your application during that period, while processing the request served by the method.

-To see more details, click the exceptions CodeLens indicator:

-* The percentage change in number of exceptions from the most recent 24 hours relative to the prior 24 hours

-* Choose **Go to code** to navigate to the source code for the function throwing the exception

-* Choose **Search** to query all instances of this exception that have occurred in the past 24 hours

-* Choose **Trend** to view a trend visualization for occurrences of this exception in the past 24 hours

-* Choose **View all exceptions in this app** to query all exceptions that have occurred in the past 24 hours

-* Choose **Explore exception trends** to view a trend visualization for all exceptions that have occurred in the past 24 hours.

-> [!TIP]

-> If you see "0 exceptions" in CodeLens but you know there should be exceptions, check to make sure the right Application Insights resource is selected in CodeLens. To select another resource, right-click on your project in the Solution Explorer and choose **Application Insights > Choose Telemetry Source**. CodeLens is only shown for the 15 most frequently occurring exceptions in your application in the past 24 hours, so if an exception is the 16th most frequently or less, you'll see "0 exceptions." Exceptions from ASP.NET views may not appear on the controller methods that generated those views.

->

-> [!TIP]

-> If you see "? exceptions" in CodeLens, you need to associate your Azure account with Visual Studio or your Azure account credential may have expired. In either case, click "? exceptions" and choose **Add an account...** to enter your credentials.

->

->

-## Requests in CodeLens

-

-The request CodeLens indicator shows the number of HTTP requests that been serviced by a method in the past 24 hours, plus the percentage of those requests that failed.

-To see more details, click the requests CodeLens indicator:

-* The absolute and percentage changes in number of requests, failed requests, and average response times over the past 24 hours compared to the prior 24 hours

-* The reliability of the method, calculated as the percentage of requests that did not fail in the past 24 hours

-* Choose **Search** for requests or failed requests to query all the (failed) requests that occurred in the past 24 hours

-* Choose **Trend** to view a trend visualization for requests, failed requests, or average response times in the past 24 hours.

-* Choose the name of the Application Insights resource in the upper left corner of the CodeLens details view to change which resource is the source for CodeLens data.

-## <a name="next"></a>Next steps

-* **[Working with Application Insights in Visual Studio](./visual-studio.md)**. Search telemetry, see data in CodeLens, and configure Application Insights. All within Visual Studio.

-* **[Working with the Application Insights portal](./overview-dashboard.md)**. Dashboards, powerful diagnostic and analytic tools, alerts, a live dependency map of your application, and telemetry export.

-description: Learn about web app performance analysis and diagnostics during debugging and in production.

-# Debug your applications with Application Insights in Visual Studio

-In Visual Studio 2015 and later, you can analyze performance and diagnose issues in your ASP.NET web app both in debugging and in production by using telemetry from [Application Insights](./app-insights-overview.md).

-If you created your ASP.NET web app by using Visual Studio 2017 or later, it already has the Application Insights SDK. Otherwise, if you haven't done so already, [add Application Insights to your app](./asp-net.md).

-To monitor your app when it's in live production, you normally view the Application Insights telemetry in the [Azure portal](https://portal.azure.com), where you can set alerts and apply powerful monitoring tools. But for debugging, you can also search and analyze the telemetry in Visual Studio.

-You can use Visual Studio to analyze telemetry both from your production site and from debugging runs on your development machine. In the latter case, you can analyze debugging runs even if you haven't yet configured the SDK to send telemetry to the Azure portal.

-## <a name="run"></a> Debug your project

-Run your web app in local debug mode by using F5. Open different pages to generate some telemetry.

-In Visual Studio, you see a count of the events that were logged by the Application Insights module in your project.

-

-Select the **Application Insights** button to search your telemetry.

-## Application Insights Search

-The **Application Insights Search** window shows logged events. If you signed in to Azure when you set up Application Insights, you can search the same events in the Azure portal. Right-click the project and select **Application Insights** > **Search**.

-

-> [!NOTE]

-> After you select or clear filters, select **Search** at the end of the text search field.

->

-The free text search works on any fields in the events. For example, you can search for part of the URL of a page. You can also search for the value of a property, such as a client's city, or specific words in a trace log.

-Select any event to see its detailed properties.

-For requests to your web app, you can click through to the code.

-.

-You can also open related items to help diagnose failed requests or exceptions.

-

-## View exceptions and failed requests

-Exception reports show in the **Search** window. In some older types of ASP.NET application, you have to [set up exception monitoring](./asp-net-exceptions.md) to see exceptions that are handled by the framework.

-Select an exception to get a stack trace. If the code of the app is open in Visual Studio, you can click through from the stack trace to the relevant line of the code.

-

-## View request and exception summaries in the code

-In the CodeLens line above each handler method, you see a count of the requests and exceptions logged by Application Insights in the past 24 hours.

-

-> [!NOTE]

-> CodeLens shows Application Insights data only if you've [configured your app to send telemetry to the Application Insights portal](./asp-net.md).

->

-For more information, see [Application Insights telemetry in Visual Studio CodeLens.](./visual-studio-codelens.md)

-## Local monitoring

-From Visual Studio 2015 Update 2: If you haven't configured the SDK to send telemetry to the Application Insights portal so that there's no instrumentation key in ApplicationInsights.config, the diagnostics window displays telemetry from your latest debugging session.

-This is desirable if you've already published a previous version of your app. You don't want the telemetry from your debugging sessions to be mixed up with the telemetry on the Application Insights portal from the published app.

-It's also useful if you have some [custom telemetry](./api-custom-events-metrics.md) that you want to debug before you send telemetry to the portal.

-For example, at first you might have fully configured Application Insights to send telemetry to the portal. But now you want to see the telemetry only in Visual Studio:

- * In the **Search** window's settings, there's an option to search local diagnostics even if your app sends telemetry to the portal.

- * To stop telemetry being sent to the portal, comment out the line `<instrumentationkey>...` from ApplicationInsights.config. When you're ready to send telemetry to the portal again, uncomment it.

-## Next steps

- [Work with the Application Insights portal](./overview-dashboard.md) where you can view dashboards, use powerful diagnostic and analytic tools, get alerts, see a live dependency map of your application, and view exported telemetry data.

-| "Error retrieving data" after adding Container insights through `az aks cli` | When you enable monitoring by using `az aks cli`, Container insights might not be properly deployed. Check whether the solution is deployed. To verify, go to your Log Analytics workspace and see if the solution is available by selecting **Solutions** from the pane on the left side. To resolve this issue, redeploy the solution. Follow the instructions in [Enable Container insights](container-insights-onboard.md). |

-Navigate to your SQL Analytics deployment from the **Solutions** page of the Log Analytics workspace.

-From the Log Analytics workspace in the Azure portal, select **Workspace summary**. Then select the **DNS Analytics** tile. On the solution dashboard, select **Configuration** to open the **DNS Analytics Configuration** page. There are two types of configuration changes that you can make:

-3. In the Log Analytics subscriptions pane, select a workspace and then click the **Workspace summary** menu item.

- 1. In the properties for the workspace under **Workspace Data Sources**, select **Scope Configurations**.

- 1. In the properties for the workspace, select **Solutions**.

-The **Overview** page displays a tile for each solution installed in a Log Analytics workspace. To open this page, go to **Log Analytics workspaces** in the [Azure portal](https://portal.azure.com) and select your workspace. In the **General** section of the menu, select **Workspace Summary**.

-You configure Azure Monitor to import Active Directory security groups from the **Computer Groups** menu item in your Log Analytics workspace in the Azure portal. Select the **Active Directory** tab, and then **Import Active Directory group memberships from computers**. When groups have been imported, the menu lists the number of computers with group membership detected and the number of groups imported. You can click on either of these links to return the **ComputerGroup** records with this information.

-You configure Azure Monitor to import WSUS groups from the **Computer Groups** menu item in your Log Analytics workspace in the Azure portal. Select the **Windows Server Update Service** tab, and then **Import WSUS group memberships**. When groups have been imported, the menu lists the number of computers with group membership detected and the number of groups imported. You can click on either of these links to return the **ComputerGroup** records with this information.

-You configure Azure Monitor to import WSUS groups from the **Computer Groups** menu item in your Log Analytics workspace in the Azure portal. Select the **System Center Configuration Manager** tab, and then **Import Configuration Manager collection memberships**. When collections have been imported, the menu lists the number of computers with group membership detected and the number of groups imported. You can click on either of these links to return the **ComputerGroup** records with this information.

-You can view computer groups that were created from a log query or the Log Search API from the **Computer Groups** menu item in your Log Analytics workspace in the Azure portal. Select the **Saved Groups** tab to view the list of groups.

-The following query can be used to track the data volumes that are subject to the daily cap for a Log Analytics workspace between daily cap resets. This accounts for the security data types that aren't included in the daily cap. In this example, the workspace's reset hour is 14:00. Change this value this for your workspace.

-2. Select **Agents management**.

-* If the subscription mentioned in the warning message no longer exists, go to the **Azure Activity log** pane under **Workspace Data Sources**. Select the relevant subscription, and then select the **Disconnect** button.

- - *Installed solutions*: Select **Solutions** on the workspace navigation pane for a list of installed solutions.

-> * Log Analytics **Workspace Summary** pane (that shows the solutions dashboard)

-> * The **Workspace Summary** pane in the portal (that shows the solutions dashboard)

-1. Go to the **Log Analytics workspaces** menu in the Azure portal and select **Tables (preview)**. The tables in the workspace will appear. Select **Create** > **New custom log (DCR based)**.

- 

- 1.In the **Replace With**, use this regular expression: `$1-$2-$3. This expression creates a new string with each captured group, with a hyphen between them, turning "12345678" into "1234-56-78").

- 

-1. Access Service Map in the Azure portal from your Log Analytics workspace. Select the **Solutions** option from the left pane.

-1. On the left, select **Solutions**.

-4. On the left, select **Solutions**.

-> Customer-managed keys for Azure NetApp Files volume encryption is currently in preview. You need to submit a waitlist request for accessing the feature through the **[Customer-managed keys for Azure NetApp Files volume encryption](https://aka.ms/anfcmkpreviewsignup)** page. Wait for an official confirmation email from the Azure NetApp Files team before using customer-managed keys.

-<!--

- * You will need to call the operation via ARM REST API. Submit a POST request to `/subscriptions/<16 digit subscription ID>/resourceGroups/<resource_group_name>/providers/Microsoft.NetApp/netAppAccounts/<account name>/renewCredentials?api-version=2022-04`.

- This operation is available with the Azure CLI, PowerShell, and SDK beginning with the `2022-05` versions.

- * If the certificate is more than 46 days old, you can call proxy Azure Resource Manager (ARM) operation via REST API to renew the certificate. For example:

- ```rest

- /{accountResourceId}/renewCredentials?api-version=2022-01 ΓÇô example /subscriptions/<16 digit subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.NetApp/netAppAccounts/<account name>/renewCredentials?api-version=2022-01

- ``` -->

- Although there are pre-defined roles with these privileges, it is recommended that you create a custom role with the required permissions. See [Azure custom roles](../role-based-access-control/custom-roles.md) for details.

-**Update November 9, 2022**: A firmware update that enables the Vision SoM and Audio SOM to retain their functionality with the DK beyond the retirement date, will be made available before the retirement date.

-The [Azure Percept](https://azure.microsoft.com/products/azure-percept/) public preview will be evolving to support new edge device platforms and developer experiences. As part of this evolution the Azure Percept DK and Audio Accessory and associated supporting Azure services for the Percept DK will be retired March 30, 2023.

-| Do I need to do anything before March 30, 2023? | Yes, you will need to close the resources and projects associated with the Azure Percept Studio and DK to avoid future billing, as these backend resources and projects will continue to bill after retirement. |

-The following sample enables the [user-defined types in Bicep](https://aka.ms/bicepCustomTypes).

- "userDefineTypes": true

-The available experimental features include:

-For the available resource types and version, see [Bicep resource reference](/azure/templates/). Bicep doesn't support `apiProfile`, which is available in [Azure Resource Manager templates (ARM templates) JSON](../templates/syntax.md).

-`1.0` | Latest | Standard | [Doc](./swagger/signalr-data-plane-rest-v1.md) | [swagger](https://github.com/Azure/azure-signalr/blob/dev/docs/swagger/v1.json)

-| - | - |

-| [Broadcast a message to all clients connected to target hub.](./swagger/signalr-data-plane-rest-v1.md#broadcast-a-message-to-all-clients-connected-to-target-hub) | `POST /api/v1/hubs/{hub}` |

-| [Broadcast a message to all clients belong to the target user.](./swagger/signalr-data-plane-rest-v1.md#broadcast-a-message-to-all-clients-belong-to-the-target-user) | `POST /api/v1/hubs/{hub}/users/{id}` |

-| [Send message to the specific connection.](./swagger/signalr-data-plane-rest-v1.md#send-message-to-the-specific-connection) | `POST /api/v1/hubs/{hub}/connections/{connectionId}` |

-| [Check if the connection with the given connectionId exists](./swagger/signalr-data-plane-rest-v1.md#check-if-the-connection-with-the-given-connectionid-exists) | `GET /api/v1/hubs/{hub}/connections/{connectionId}` |

-| [Close the client connection](./swagger/signalr-data-plane-rest-v1.md#close-the-client-connection) | `DELETE /api/v1/hubs/{hub}/connections/{connectionId}` |

-| [Broadcast a message to all clients within the target group.](./swagger/signalr-data-plane-rest-v1.md#broadcast-a-message-to-all-clients-within-the-target-group) | `POST /api/v1/hubs/{hub}/groups/{group}` |

-| [Check if there are any client connections inside the given group](./swagger/signalr-data-plane-rest-v1.md#check-if-there-are-any-client-connections-inside-the-given-group) | `GET /api/v1/hubs/{hub}/groups/{group}` |

-| [Check if there are any client connections connected for the given user](./swagger/signalr-data-plane-rest-v1.md#check-if-there-are-any-client-connections-connected-for-the-given-user) | `GET /api/v1/hubs/{hub}/users/{user}` |

-| [Add a connection to the target group.](./swagger/signalr-data-plane-rest-v1.md#add-a-connection-to-the-target-group) | `PUT /api/v1/hubs/{hub}/groups/{group}/connections/{connectionId}` |

-| [Remove a connection from the target group.](./swagger/signalr-data-plane-rest-v1.md#remove-a-connection-from-the-target-group) | `DELETE /api/v1/hubs/{hub}/groups/{group}/connections/{connectionId}` |

-| [Check whether a user exists in the target group.](./swagger/signalr-data-plane-rest-v1.md#check-whether-a-user-exists-in-the-target-group) | `GET /api/v1/hubs/{hub}/groups/{group}/users/{user}` |

-| [Add a user to the target group.](./swagger/signalr-data-plane-rest-v1.md#add-a-user-to-the-target-group) | `PUT /api/v1/hubs/{hub}/groups/{group}/users/{user}` |

-| [Remove a user from the target group.](./swagger/signalr-data-plane-rest-v1.md#remove-a-user-from-the-target-group) | `DELETE /api/v1/hubs/{hub}/groups/{group}/users/{user}` |

-| [Remove a user from all groups.](./swagger/signalr-data-plane-rest-v1.md#remove-a-user-from-all-groups) | `DELETE /api/v1/hubs/{hub}/users/{user}/groups` |

-If you want to send message larger than 1 MB, use the Management SDK with `persistent` mode.

-By using NFS datastores backed by Azure NetApp Files, you can expand your storage instead of scaling the clusters. You can also use Azure NetApp Files volumes to replicate data from on-premises or primary VMware environments for the secondary site.

-## Supported regions

-Azure VMware Solution currently supports the following regions:

-**Asia** : East Asia, Japan East, Japan West, Southeast Asia.

-**Australia** : Australia East, Australia Southeast.

-**Brazil** : Brazil South.

-**Europe** : France Central, Germany West Central, North Europe, Sweden Central, Sweden North, Switzerland West, UK South, UK West, West Europe

-**North America** : Canada Central, Canada East, Central US, East US, East US 2, North Central US, South Central US, West US, West US 2.

-This has no impact to the Datastore or private cloud as there is no downtime involved and the IP address/mount path remain unchanged. However, the volume Resource Id will be changed due to the capacity pool change. Therefore to avoid any metadata mismatch re-issue the datastore create command via Azure CLI as follows: `az vmware datastore netapp-volume create`.

-> The input values for **cluster** name, datastore **name**, **private-cloud** (SDDC) name, and **resource-group** must be **exactly the same as the current one**, and the **volume-id** is the new Resource Id of the volume.

-[Solution brief](https://www.citrix.com/content/dam/citrix/en_us/documents/solution-brief/citrix-virtual-apps-and-desktop-service-on-azure-vmware-solution.pdf)

-| Speech-to-text | Analyzes sentiment and transcribes continuous real-time speech or batch audio recordings with intermediate results. | 3.10.0 | Generally available |

-| Custom speech-to-text | Using a custom model from the [Custom Speech portal](https://speech.microsoft.com/customspeech), transcribes continuous real-time speech or batch audio recordings into text with intermediate results. | 3.10.0 | Generally available |

-| Neural text-to-speech | Converts text to natural-sounding speech by using deep neural network technology, which allows for more natural synthesized speech. | 2.9.0 | Generally available |

-description: This article provides instructions on how to use the cross-region feature to recover your Cognitive Service resources in the event of a network outage.

-# CrossΓÇôregion disaster recovery

-One of the first decisions every Cognitive Service customer makes is which region to create their resource in. The choice of region provides customers with the benefits of regional compliance by enforcing data residency requirements. Cognitive Services is available in [multiple geographies](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=cognitive-services) to ensure customers across the world are supported.

-It's rare, but possible, to encounter a network issue that affects an entire region. If your solution needs to always be available, then you should design it to either fail-over into another region or split the workload between two or more regions. Both approaches require at least two resources in different regions and the ability to sync data between them.

-## Feature overview

-The cross-region disaster recovery feature, also known as Single Resource Multiple Region (SRMR), enables this scenario by allowing you to distribute traffic or copy custom models to multiple resources which can exist in any supported geography.

-## SRMR business scenarios

-* To ensure high availability of your application, each Cognitive Service supports a flexible recovery region option that allows you to choose from a list of supported regions.

-* Customers with globally distributed end users can deploy resources in multiple regions to optimize the latency of their applications.

-## Routing profiles

-Azure Traffic Manager routes requests among the selected regions. The SRMR currently supports [Priority](../traffic-manager/traffic-manager-routing-methods.md#priority-traffic-routing-method), [Performance](../traffic-manager/traffic-manager-routing-methods.md#performance-traffic-routing-method) and [Weighted](../traffic-manager/traffic-manager-routing-methods.md#weighted-traffic-routing-method) profiles and is currently available for the following

-* [Computer Vision](./computer-vision/overview.md)

-* [Immersive Reader](../applied-ai-services/immersive-reader/overview.md)

-* [Univariate Anomaly Detector](./anomaly-detector/overview.md)

-> [!NOTE]

-> SRMR is not supported for multi-service resources or free tier resources.

-If you use Priority or Weighted traffic manager profiles, your configuration will behave according to the [Traffic Manager documentation](../traffic-manager/traffic-manager-routing-methods.md).

-## Enable SRMR

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Navigate to your resource's page.

-1. Under the **Resource Management** section on the left pane, select the Regions tab and choose a routing method.

- :::image type="content" source="media/disaster-recovery/routing-method.png" alt-text="Screenshot of the routing method select menu in the Azure portal." lightbox="media/disaster-recovery/routing-method.png":::

-1. Select the **Add Region** link.

-1. On the **Add Region** pop-up screen, set up additional regions for your resources.

- :::image type="content" source="media/disaster-recovery/add-regions.png" alt-text="Screenshot of the Add Region popup in the Azure portal." lightbox="media/disaster-recovery/add-regions.png":::

-1. Save your changes.

-## See also

-* [Create a new resource using the Azure portal](cognitive-services-apis-create-account.md)

-* [Create a new resource using the Azure CLI](cognitive-services-apis-create-account-cli.md)

-* [Create a new resource using the client library](cognitive-services-apis-create-account-client-library.md)

-* [Create a new resource using an ARM template](create-account-resource-manager-template.md)

-The iOS 16 release has introduced a bug that can stop the ACS audio\video call when using Safari mobile browser. Apple is aware of this issue and are looking for a fix on their side. The impact could be that an ACS call might stop working during a call and the only resolution to get it working again is to have the end customer restart their phone.

-Chrome version 98 introduced a regression with anormal generation of video keyframes that impacts resolution of a sent video stream negatively for majority (70%+) of users.

-* Sometimes when incoming PSTN is received the tab with the call or meeting will hang. Related webkit bugs [here](https://bugs.webkit.org/show_bug.cgi?id=233707) and [here](https://bugs.webkit.org/show_bug.cgi?id=233708#c0).

-On iOS for example, while on an ACS call, if a PSTN call comes in, then a microphoneMutedUnexepectedly bad UFD will be raised and audio will stop flowing in the ACS call and the call will be marked as muted. Once the PSTN call is over, the user will have to go and unmute the ACS call for audio to start flowing again in the ACS call. In the case of Android Chrome when a PSTN call comes in, audio will stop flowing in the ACS call and the ACS call will not be marked as muted. Once the PSTN call is finished, android chrome will regain audio automatically and audio will start flowing normally again in the ACS call.

-In case camera is on and an interruption occurs, ACS call may or may not loose the camera. If lost then camera will be marked as off and user will have to go turn it back on after the interruption has released the camera.

-Azure availability zones have a minimum of three physically separate groups of datacenters within each Azure region. Datacenters within each zone are equipped with independent power, cooling, and networking infrastructure. If a local zone fails, regional services, capacity, and high availability are supported by the other zones in the region. Failures can range from software and hardware failures to events such as earthquakes, floods, and fires. Tolerance to failures is achieved with redundancy and logical isolation of Azure services. For more detailed information on availability zones in Azure, see [Regions and availability zones](/azure/availability-zones/az-overview.md).

-> [Prepare to deploy an Azure Communications Gateway resource](prepare-to-deploy.md)

-# Security and Azure Communications Gateway

- > [!NOTE]

- >

- > The following solutions don't apply to Standard logic apps.

-* The first document defines the base schema and property must always have the same type across all documents. The only exceptions are:

-> If the account is using [customer-managed keys](./how-to-setup-cmk.md), a user-assigned managed identity must be declared in the Key Vault access policy and must be set as the default identity on the account.

-Get started with the Azure Cosmos DB client library for JavaScript to create databases, containers, and items within your account. Without a credit card or an Azure subscription, you can set up a free [Try Azure Cosmos DB account](https://aka.ms/trycosmosdb). Follow these steps to install the package and try out example code for basic tasks.

-### Create an Azure Cosmos DB account

-### Configure environment variables

-### Install the package

-1. Add the [@azure/cosmos](https://www.npmjs.com/package/@azure/cosmos) npm package to the Node.js project.

-### Create local development environment files

-1. Create a `.gitignore` file and add the following value to ignore your environment file and your node_modules. This configuration file ensures that only secure and relevant files are checked into source code.

- ```text

- .env

- node_modules

-1. Create a `.env` file with the following variables:

- ```text

- COSMOS_ENDPOINT=

- COSMOS_KEY=

-### Create a code file

-Create an `index.js` and add the following boilerplate code to the file to read environment variables:

-### Add dependency to client library

-Add the following code at the end of the `index.js` file to include the required dependency to programmatically access Cosmos DB.

-### Add environment variables to code file

-Add the following code at the end of the `index.js` file to include the required environment variables. The endpoint and key were found at the end of the [account creation steps](#create-an-azure-cosmos-db-account).

-### Add variables for names

-Add the following variables to manage unique database and container names and the [**partition key (`pk`)**](../partitioning-overview.md).

-In this example, we chose to add a timeStamp to the database and container in case you run this sample code more than once.

-The sample code described in this article creates a database named ``adventureworks`` with a container named ``products``. The ``products`` table is designed to contain product details such as name, category, quantity, and a sale indicator. Each product also contains a unique identifier.

-In the `index.js`, add the following code to use the resource **endpoint** and **key** to authenticate to Cosmos DB. Define a new instance of the [``CosmosClient``](/javascript/api/@azure/cosmos/cosmosclient) class.

-Add the following code to use the [``CosmosClient.Databases.createDatabaseIfNotExists``](/javascript/api/@azure/cosmos/databases#@azure-cosmos-databases-createifnotexists) method to create a new database if it doesn't already exist. This method will return a reference to the existing or newly created database.

-Add the following code to query for all items that match a specific filter. Create a [parameterized query expression](/javascript/api/@azure/cosmos/sqlqueryspec) then call the [``Container.Items.query``](/javascript/api/@azure/cosmos/items#@azure-cosmos-items-query) method. This method returns a [``QueryIterator``](/javascript/api/@azure/cosmos/queryiterator) that will manage the pages of results. Then, use a combination of ``while`` and ``for`` loops to [``fetchNext``](/javascript/api/@azure/cosmos/queryiterator#@azure-cosmos-queryiterator-fetchnext) page of results as a [``FeedResponse``](/javascript/api/@azure/cosmos/feedresponse) and then iterate over the individual data objects.

-> - [Azure Resource Manager .NET client library](https://www.nuget.org/packages/Azure.ResourceManager.CosmosDB/)

-> - [Azure Resource Manager .NET client library](https://www.nuget.org/packages/Azure.ResourceManager.CosmosDB/)

-In addition to a partition key that determines the item's logical partition, each item in a container has an *item ID* (unique within a logical partition). Combining the partition key and the *item ID* creates the item's *index*, which uniquely identifies the item. [Choosing a partition key](#choose-partitionkey) is an important decision that will affect your application's performance.

->

-> [!VIDEO https://aka.ms/docs.partitioning-overview]

-This article explains the relationship between logical and physical partitions. It also discusses best practices for partitioning and gives an in-depth view at how horizontal scaling works in Azure Cosmos DB. It's not necessary to understand these internal details to select your partition key but we have covered them so you have clarity on how Azure Cosmos DB works.

-There is no limit to the number of logical partitions in your container. Each logical partition can store up to 20GB of data. Good partition key choices have a wide range of possible values. For example, in a container where all items contain a `foodGroup` property, the data within the `Beef Products` logical partition can grow up to 20 GB. [Selecting a partition key](#choose-partitionkey) with a wide range of possible values ensures that the container is able to scale.

-A container is scaled by distributing data and throughput across physical partitions. Internally, one or more logical partitions are mapped to a single physical partition. Typically smaller containers have many logical partitions but they only require a single physical partition. Unlike logical partitions, physical partitions are an internal implementation of the system and they are entirely managed by Azure Cosmos DB.

-There is no limit to the total number of physical partitions in your container. As your provisioned throughput or data size grows, Azure Cosmos DB will automatically create new physical partitions by splitting existing ones. Physical partition splits do not impact your application's availability. After the physical partition split, all data within a single logical partition will still be stored on the same physical partition. A physical partition split simply creates a new mapping of logical partitions to physical partitions.

-* Should only contain `String` values - or numbers should ideally be converted into a `String`, if there is any chance that they are outside the boundaries of double precision numbers according to [IEEE 754 binary64](https://www.rfc-editor.org/rfc/rfc8259#ref-IEEE754). The [Json specification](https://www.rfc-editor.org/rfc/rfc8259#section-6) calls out the reasons why using numbers outside of this boundary in general is a bad practice due to likely interoperability problems. These concerns are especially relevant for the partition key column, because it is immutable and requires data migration to change it later.

-If your container has a property that has a wide range of possible values, it is likely a great partition key choice. One possible example of such a property is the *item ID*. For small read-heavy containers or write-heavy containers of any size, the *item ID* is naturally a great choice for the partition key.

-* Because there is a unique *item ID* per item, the *item ID* does a great job at evenly balancing RU consumption and data storage.

-description: Learn about how to copy data from Oracle Cloud Storage to supported sink data stores using a Azure Data Factory or Synapse Analytics pipeline.

-# Understanding Data Factory pricing through examples

-For more details about pricing in Azure Data Factory, refer to the [Data Pipeline Pricing and FAQ](https://azure.microsoft.com/pricing/details/data-factory/data-pipeline/).

-The prices used in these examples below are hypothetical and are not intended to imply exact actual pricing. Read/write and monitoring costs are not shown since they are typically negligible and will not impact overall costs significantly. Activity runs are also rounded to the nearest 1000 in pricing calculator estimates.

-## Version 2.1

-## Version 2.0

-| **OT networks** | **Cloud features**: <br>- [Download updates from the Sites and sensors page (Public preview)](#download-updates-from-the-sites-and-sensors-page-public-preview) <br>- [Alerts page GA in the Azure portal](#alerts-ga-in-the-azure-portal) <br>- [Device inventory GA in the Azure portal](#device-inventory-ga-in-the-azure-portal) <br>- [Device inventory grouping enhancements (Public preview)](#device-inventory-grouping-enhancements-public-preview) <br><br> **Sensor version 22.2.3**: [Configure OT sensor settings from the Azure portal (Public preview)](#configure-ot-sensor-settings-from-the-azure-portal-public-preview) |

-In the **New element** panel, the **Primary twin** dropdown list contains names of all the twins in the connected Azure Digital Twins instance.

-A CSV Parser [DAG](https://airflow.apache.org/docs/apache-airflow/1.10.12/concepts.html#dags) allows a customer to load data into Microsoft Energy Data Services Preview instance based on a custom schema that is, a schema that doesn't match the [OSDU&trade;](https://osduforum.org) canonical schema. Customers must create and register the custom schema using the Schema service before loading the data.

-A CSV Parser DAG allows the customers to load the CSV data into the Microsoft Energy Data Services Preview instance. It parses each row of a CSV file and creates a storage metadata record. It performs `schema validation` to ensure that the CSV data conforms to the registered custom schema. It automatically performs `type coercion` on the columns based on the schema data type definition. It generates `unique id` for each row of the CSV record by combining source, entity type and a Base64 encoded string formed by concatenating natural key(s) in the data. It performs `unit conversion` by converting declared frame of reference information into appropriate persistable reference using the Unit service. It performs `CRS conversion` for spatially aware columns based on the Frame of Reference (FoR) information present in the schema. It creates `relationships` metadata as declared in the source schema. Finally, it `persists` the metadata record using the Storage service.

-To execute the CSV Parser DAG workflow, the user must first create and register the schema using the workflow service. Once the schema is created, the user then uses the File service to upload the CSV file to the Microsoft Energy Data Services Preview instances, and also creates the storage record of file generic kind. The file service then provides a file ID to the user, which is used while triggering the CSV Parser workflow using the Workflow service. The Workflow service provides a run ID, which the user could use to track the status of the CSV Parser workflow run.

-> [Tutorial: Sample steps to perform a CSV parser ingestion](tutorial-csv-ingestion.md)

-**IT Developers** build systems to connect data to domain applications (internal and external ΓÇô for example, Petrel) which enables data managers to deliver projects to geoscientists. The DDMS suite on Microsoft Energy Data Services helps automate these workflows and eliminates time spent managing updates.

-**Geoscientists** use domain applications for key Exploration and Production workflows such as Seismic interpretation and Well tie analysis. While these users won't directly interact with the DDMS, their expectations for data performance and accessibility will drive requirements for the DDMS in the Foundation Tier. Azure will enable geoscientists to stream cross domain data instantly in OSDU&trade; compatible applications (for example, Petrel) connected to Microsoft Energy Data Services.

-Microsoft Energy Data Services is an OSDU&trade; compatible product, meaning that its landscape and release model are dependent on OSDU&trade;.

-Currently, OSDU&trade; certification and release process are not fully defined yet and this topic should be defined as a part of the Microsoft Energy Data Services Foundation Architecture.

-OSDU&trade; R3 M8 is the base for the scope of the Microsoft Energy Data Services Foundation Private Preview ΓÇô as a latest stable, tested version of the platform.

-[OSDU&trade; community DDMS Overview](https://community.opengroup.org/osdu/documentation/-/wikis/OSDU&trade;-(C)/Design-and-Implementation/Domain-&-Data-Management-Services#ddms-requirements) provides an extensive overview of DDMS motivation and community requirements from a user, technical, and business perspective. These principles are extended to Microsoft Energy Data Services.

-description: This article describes the various concepts regarding the entitlement services in Microsoft Energy Data Services Preview #Required; article description that is displayed in search results.

-The entitlements service of Microsoft Energy Data Services allows you to create groups, and an entitlement group defines permissions on services/data sources for your Microsoft Energy Data Services instance. Users added by you to that group obtain the associated permissions.

-# Microsoft Energy Data Services Preview indexing and search workflows

-Manifest-based file ingestion provides end-users and systems a robust mechanism for loading metadata about datasets in Microsoft Energy Data Services Preview instance. This metadata is indexed by the system and allows the end-user to search the datasets.

-Microsoft Energy Data Services Preview instance has out-of-the-box support for Manifest-based file ingestion workflow. `Osdu_ingest` Airflow DAG is pre-configured in your instance.

-Before running the Manifest-based file ingestion workflow, customers must ensure that the user accounts running the workflow have access to the core services (Search, Storage, Schema, Entitlement and Legal) and Workflow service (see [Entitlement roles](https://community.opengroup.org/osdu/platform/deployment-and-operations/infra-azure-provisioning/-/blob/master/docs/osdu-entitlement-roles.md) for details). As part of Microsoft Energy Data Services instance provisioning, the OSDU&trade; standard schemas and associated reference data are pre-loaded. Customers must ensure that the user account used for ingesting the manifests is included in appropriate owners and viewers ACLs. Customers must ensure that manifests are configured with correct legal tags, owners and viewers ACLs, reference data, etc.

-description: This is a how-to article on managing data partitions using the Microsoft Energy Data Services Preview instance UI.

-In this article, you'll learn how to add data partitions to an existing Microsoft Energy Data Services instance. The concept of "data partitions" is picked from [OSDU&trade;](https://osduforum.org/) where single deployment can contain multiple partitions.

-You can create maximum five data partitions in one MEDS instance. Currently, in line with the data partition capabilities that are available in OSDU&trade;, you can only create data partitions but can't delete or rename data existing data partitions.

-1. Open the "Data Partitions" menu-item from left-panel of MEDS overview page.

- [](media/how-to-add-more-data-partitions/dynamic-data-partitions-discovery-meds-overview-page.png#lightbox)

- The page shows a table of all data partitions in your MEDS instance with the status of the data partition next to it. Clicking the "Create" option on the top opens a right-pane for next steps.

- Each data partition name needs to be 1-10 characters long and be a combination of lowercase letters, numbers and hyphens only. The data partition name will be prepended with the name of the MEDS instance. Choose a name for your data partition and hit create. As soon as you hit create, the deployment of the underlying data partition resources such as Azure Cosmos DB and Azure Storage accounts is started.

-3. Ensure that a Microsoft Energy Data Services Preview instance is created already

-3. Ensure that your Microsoft Energy Data Services Preview instance is created already

-6. Patch Subproject with the legal tag you created above. Recall that the format of the legal tag will be prefixed with the Microsoft Energy Data Services instance name and data partition name, so it looks like `<instancename>`-`<datapartitionname>`-`<legaltagname>`.

- * Edit the values in the `prepare-records.sh` bash script. Recall that the format of the legal tag will be prefixed with the Microsoft Energy Data Services instance name and data partition name, so it looks like `<instancename>`-`<datapartitionname>`-`<legaltagname>`.

-> [How to convert segy to ovds](./how-to-convert-segy-to-ovds.md)

-#Customer intent: As a developer, I want to set up Lockbox for Microsoft Energy Data Services.

-# Use Customer Lockbox for Microsoft Energy Data Services

-Microsoft Energy Data Services is the managed service offering for OSDU&trade;. There are instances where Microsoft Support may need to access your data or compute layer during a support request. You can use Customer Lockbox as an interface to review and approve or reject these access requests.

-This article covers how Customer Lockbox requests are initiated and tracked for Microsoft Energy Data Services.

-## Lockbox workflow for Microsoft Energy Data Services access

-The Microsoft Energy Data Services team at Microsoft typically does not access customer data. The team tries to resolve issues by using standard tools and telemetry.

-1. You have created a [Microsoft Energy Data Services instance](quickstart-create-microsoft-energy-data-services-instance.md).

-1. You raise an issue for Microsoft Energy Data Services using the Azure portal. The support engineer connects to Microsoft Energy Data Services via Support session and tries to troubleshoot the issue by using standard tools and telemetry. Let us say to mitigate the issue, the recommendation is to restart an AKS (Azure Kubernetes Service) cluster.

-If you have not enabled Lockbox, then your consent is not needed to access the compute or data layer of Microsoft Energy Data Services.

-> [Data security and encryption in Microsoft Energy Data Services](how-to-manage-data-security-and-encryption.md)

-To use the Microsoft Energy Data Services Preview platform endpoint, you must register your app using the [Azure app registration portal](https://go.microsoft.com/fwlink/?linkid=2083908). You can use either a Microsoft account or a work or school account to register an app.

-In this article, you'll learn how to start collecting Airflow Logs for your Microsoft Energy Data Services instances into Azure Monitor. This integration feature helps you debug Airflow DAG ([Directed Acyclic Graph](https://airflow.apache.org/docs/apache-airflow/stable/concepts/dags.html)) run failures.

-Every Microsoft Energy Data Services instance comes inbuilt with an Azure Data Factory-managed Airflow instance. We collect Airflow logs for internal troubleshooting and debugging purposes. Airflow logs can be integrated with Azure Monitor in the following ways:

-1. Open Microsoft Energy Data Services' *Overview* page

-You can integrate Airflow logs with Log Analytics Workspace by using **Diagnostic Settings** under the left panel of your Microsoft Energy Data Services instance overview page.

-In this article, you'll learn how to start collecting Elasticsearch logs for your Microsoft Energy Data Services instances in Azure Monitor. This integration feature is developed to help you debug Elasticsearch related issues inside Azure Monitor.

-Every Microsoft Energy Data Services instance comes inbuilt with a managed Elasticsearch service. We collect Elasticsearch logs for internal troubleshooting and debugging purposes. You can get access to these logs by integrating Elasticsearch logs with Azure Monitor.

-We support two destinations for your Elasticsearch logs from Microsoft Energy Data Services instance:

-1. Open *Microsoft Energy Data Services* overview page

-The editor in Log Analytics workspace support Kusto (KQL) queries through which you can easily perform complicated queries to extract interesting logs data from the Elasticsearch service running in your Microsoft Energy Data Services instance.

-* Start collecting logs from other sources such as Airflow in your Microsoft Energy Data Services instance.

-description: Guide on security in Microsoft Energy Data Services and how to set up customer managed keys on Microsoft Energy Data Services #Required; article description that is displayed in search results.

-#Customer intent: As a developer, I want to set up customer-managed keys on Microsoft Energy Data Services.

-# Data security and encryption in Microsoft Energy Data Services Preview

-This article provides an overview of security features in Microsoft Energy Data Services Preview. It covers the major areas of [encryption at rest](../security/fundamentals/encryption-atrest.md), encryption in transit, TLS, https, microsoft-managed keys, and customer managed key.

-Microsoft Energy Data Services Preview uses several storage resources for storing metadata, user data, in-memory data etc. The platform uses service-side encryption to automatically encrypt all the data when it is persisted to the cloud. Data encryption at rest protects your data to help you to meet your organizational security and compliance commitments. All data in Microsoft Energy Data Services is encrypted with Microsoft-managed keys by default.

-In addition to Microsoft-managed key, you can use your own encryption key to protect the data in Microsoft Energy Data Services Preview. When you specify a customer-managed key, that key is used to protect and control access to the Microsoft-managed key that encrypts your data.

-Microsoft Energy Data Services Preview supports Transport Layer Security (TLS 1.2) protocol to protect data when itΓÇÖs traveling between the cloud services and customers. TLS provides strong authentication, message privacy, and integrity (enabling detection of message tampering, interception, and forgery), interoperability, and algorithm flexibility.

-In addition to TLS, when you interact with Microsoft Energy Data Services, all transactions take place over HTTPS.

-## Set up Customer Managed Keys (CMK) for Microsoft Energy Data Services Preview instance

-> You cannot edit CMK settings once the Microsoft Energy Data Services instance is created.

-2. Using customer-managed keys with Microsoft Energy Data Services requires that both soft delete and purge protection be enabled for the key vault. Soft delete is enabled by default when you create a new key vault and cannot be disabled. You can enable purge protection either when you create the key vault or after it is created.

-1. When you enable customer-managed keys for an existing Microsoft Energy Data Services Preview instance you must specify a managed identity that will be used to authorize access to the key vault that contains the key. The managed identity must have permissions to access the key in the key vault.

-1. Create a **Microsoft Energy Data Services** instance.

- [](media/how-to-manage-data-security-and-encryption/customer-managed-key-2-encryption-tab.png#lightbox)

-14. A Microsoft Energy Data Services instance is created with customer-managed keys.

- [](media/how-to-manage-data-security-and-encryption/customer-managed-key-6-cmk-enabled-meds-overview.png#lightbox)

- [](media/how-to-manage-data-security-and-encryption/customer-managed-key-7-cmk-disabled-meds-instance-created.png#lightbox)

-description: This article describes how to manage legal tags in Microsoft Energy Data Services Preview #Required; article description that is displayed in search results.

-In this article, you'll know how to manage legal tags in your Microsoft Energy Data Services Preview instance. A Legal tag is the entity that represents the legal status of data in the Microsoft Energy Data Services Preview instance. Legal tag is a collection of properties that governs how data can be ingested and consumed. A legal tag is required for data to be [ingested](concepts-csv-parser-ingestion.md) into your Microsoft Energy Data Services Preview instance. It's also required for the [consumption](concepts-index-and-search.md) of the data from your Microsoft Energy Data Services Preview instance. Legal tags are defined at a data partition level individually.

-While in Microsoft Energy Data Services Preview instance, [entitlement service](concepts-entitlements.md) defines access to data for a given user(s), legal tag defines the overall access to the data across users. A user may have access to manage the data within a data partition however, they may not be able to do so-until certain legal requirements are fulfilled.

-Run the below curl command in Azure Cloud Bash to create a legal tag for a given data partition of your Microsoft Energy Data Services Preview instance.

-Consider a Microsoft Energy Data Services instance named "medstest" with a data partition named "dp1"

- "description": "Microsoft Energy Data Services Preview Legal Tag",

- "description": "Microsoft Energy Data Services Preview Legal Tag",

- "description": "Microsoft Energy Data Services Preview Legal Tag",

- "description": "Microsoft Energy Data Services Preview Legal Tag",

-Run the below curl command in Azure Cloud Bash to get the legal tag associated with a data partition of your Microsoft Energy Data Services Preview instance.

-Consider a Microsoft Energy Data Services instance named "medstest" with a data partition named "dp1"

- "description": "Microsoft Energy Data Services Preview Legal Tag",

-description: This article describes how to manage users in Microsoft Energy Data Services Preview #Required; article description that is displayed in search results.

-In this article, you'll know how to manage users in Microsoft Energy Data Services Preview. It uses the [entitlements API](https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/tree/master/) and acts as a group-based authorization system for data partitions within Microsoft Energy Data Service instance. For more information about Microsoft Energy Data Services Preview entitlements, see [entitlement services](concepts-entitlements.md).

-Create a Microsoft Energy Data Services Preview instance using the tutorial at [How to create Microsoft Energy Data Services Preview instance](quickstart-create-microsoft-energy-data-services-instance.md).

-You will need to pass parameters for generating the access token, which you'll need to make valid calls to the Entitlements API of your Microsoft Energy Data Services Preview instance. You will also need these parameters for different user management requests to the Entitlements API. Hence Keep the following values handy for these actions.

-Often called `app-id`, it's the same value that you used to register your application during the provisioning of your [Microsoft Energy Data Services Preview instance](quickstart-create-microsoft-energy-data-services-instance.md). You'll find the `client-id` in the *Essentials* pane of Microsoft Energy Data Services Preview *Overview* page. Copy the `client-id` and paste in an editor to be used later.

-> The 'client-id' that is passed as values in the entitlement API calls needs to be the same which was used for provisioning of your Microsoft Energy Data Services Preview instance.

-Sometimes called an application password, a `client-secret` is a string value your app can use in place of a certificate to identity itself. Navigate to *App Registrations*. Once there, open 'Certificates & secrets' under the *Manage* section. Create a `client-secret` for the `client-id` that you used to create your Microsoft Energy Data Services Preview instance, you can add one now by clicking on *New Client Secret*. Record the secret's `value` for use in your client application code.

-#### Find the `url`for your Microsoft Energy Data Services Preview instance

-Navigate to your Microsoft Energy Data Services Preview *Overview* page on Azure portal. Copy the URI from the essentials pane.

-You have two ways to get the list of data-partitions in your Microsoft Energy Data Services Preview instance.

-Copy the `access_token` value from the response. You'll need it to pass as one of the headers in all calls to the Entitlements API of your Microsoft Energy Data Services Preview instance.

-You can manage user's access to your Microsoft Energy Data Services instance or data partitions. As a prerequisite for this step, you need to find the 'object-id' (OID) of the user(s) first.

-You'll need to input `object-id` (OID) of the users as parameters in the calls to the Entitlements API of your Microsoft Energy Data Services Preview Instance. `object-id`(OID) is the Azure Active Directory User Object ID.

-Run the below curl command in Azure Cloud Bash to get all the groups that are available for your Microsoft Energy Data Services instance and its data partitions.

-Consider a Microsoft Energy Data Services instance named "medstest" with a data partition named "dp1"

-Consider a Microsoft Energy Data Services instance named "medstest" with a data partition named "dp1"

-Consider a Microsoft Energy Data Services instance named "medstest" with a data partition named "dp1"

-Run the below curl command in Azure Cloud Bash to delete a given user to your Microsoft Energy Data Services instance data partition.

-Consider a Microsoft Energy Data Services instance named "medstest" with a data partition named "dp1"

-Create a legal tag for your Microsoft Energy Data Services Preview instance's data partition.

-Begin your journey by ingesting data into your Microsoft Energy Data Services Preview instance.

-description: Learn how to set up private endpoints for Microsoft Energy Data Services by using Azure Private Link.

-#Customer intent: As a developer, I want to set up private endpoints for Microsoft Energy Data Services.

-# Create a private endpoint for Microsoft Energy Data Services

-By using Azure Private Link, you can connect to a Microsoft Energy Data Services Preview instance from your virtual network via a private endpoint, which is a set of private IP addresses in a subnet within the virtual network. You can then limit access to your Microsoft Energy Data Services instance over these private IP addresses.

-You can connect to a Microsoft Energy Data Services instance that's configured with Private Link by using an automatic or manual approval method. To learn more, see the [Private Link documentation](../private-link/private-endpoint-overview.md#access-to-a-private-link-resource-using-approval-workflow).

-This article describes how to set up a private endpoint for Microsoft Energy Data Services.

-[Create a virtual network](../virtual-network/quick-create-portal.md) in the same subscription as the Microsoft Energy Data Services instance. This virtual network will allow automatic approval of the Private Link endpoint.

-Use the following steps to create a private endpoint for an existing Microsoft Energy Data Services Preview instance by using the Azure portal:

-1. From the **All resources** pane, choose a Microsoft Energy Data Services Preview instance.

- > Automatic approval happens only when the Microsoft Energy Data Services instance and the virtual network for the private endpoint are in the same subscription.

- |**Resource**| Your Microsoft Energy Data Services instance|

- |**Target sub-resource**| **MEDS** (for Microsoft Energy Data Services) by default|

-1. Select the **Microsoft Energy Data Services** instance, select **Networking**, and then select the **Private Access** tab. Confirm that your newly created private endpoint connection appears in the list.

-> When the Microsoft Energy Data Services instance and the virtual network are in different tenants or subscriptions, you have to manually approve the request to create a private endpoint. The **Approve** and **Reject** buttons appear on the **Private Access** tab.

-> [Use Lockbox for Microsoft Energy Data Services](how-to-create-lockbox.md)

-description: Learn how to use a managed identity to access Microsoft Energy Data Services from other Azure services.

-#Customer intent: As a developer, I want to use a managed identity to access Microsoft Energy Data Services from other Azure services, such as Azure Functions.

-# Use a managed identity to access Microsoft Energy Data Services from other Azure services

-This article describes how to access the data plane or control plane of Microsoft Energy Data Services from other Microsoft Azure services by using a *managed identity*.

-There's a need for services such as Azure Functions to be able to consume Microsoft Energy Data Services APIs. This interoperability allows you to use the best capabilities of multiple Azure services.

-For example, you can write a script in Azure Functions to ingest data in Microsoft Energy Data Services. In that scenario, you should assume that Azure Functions is the source service and Microsoft Energy Data Services is the target service.

-This article walks you through the five main steps for configuring Azure Functions to access Microsoft Energy Data Services.

-A managed identity from Azure Active Directory (Azure AD) allows your application to easily access other Azure AD-protected resources. The identity is managed by the Azure platform and doesn't require you to create or rotate any secrets. Any Azure service that wants to access Microsoft Energy Data Services control plane or data plane for any operation can use a managed identity to do so.

-Currently, other services can connect to Microsoft Energy Data Services by using a system-assigned or user-assigned managed identity. However, Microsoft Energy Data Services doesn't support system-assigned managed identities.

-For the scenario in this article, you'll use a user-assigned managed identity in Azure Functions to call a data plane API in Microsoft Energy Data Services.

-* [Microsoft Energy Data Services instance](quickstart-create-microsoft-energy-data-services-instance.md)

-To retrieve the object ID for the user-assigned identity that will access the Microsoft Energy Data Services APIs:

-Next, add the application ID to the appropriate groups that will use the entitlement service to access Microsoft Energy Data Services APIs. The following example adds the application ID to two groups:

- * Microsoft Energy Data Services URI

- curl --location --request POST 'https://<Microsoft Energy Data Services URI>/api/entitlements/v2/groups/users@ <data-partition-id>.dataservices.energy/members' \

- curl --location --request POST 'https://<Microsoft Energy Data Services URI>/api/entitlements/v2/groups/ users.datalake.editors@ <data-partition-id>.dataservices.energy/members' \

-Now Azure Functions is ready to access Microsoft Energy Data Services APIs.

-The Azure function generates a token by using the user-assigned identity. The function uses the application ID that's present in the Microsoft Energy Data Services instance while generating the token.

- //To authenticate by using a managed identity, you need to pass the Microsoft Energy Data Services application ID as the resource.

- // Passing the data partition ID of Microsoft Energy Data Services in headers along with the token received using the managed instance.

-With the preceding steps completed, you can now use Azure Functions to access Microsoft Energy Data Services APIs with appropriate use of managed identities.

-> [Lockbox in Microsoft Energy Data Services](how-to-create-lockbox.md)

-description: This article provides an overview of Microsoft Energy Data Services Preview #Required; article description that is displayed in search results.

-# What is Microsoft Energy Data Services Preview?

-Microsoft Energy Data Services Preview is a secure, reliable, hyperscale, fully managed cloud-based data platform solution for the energy industry. It is an enterprise-grade data platform that brings together the capabilities of OSDU&trade; Data Platform, Microsoft's secure and trusted Azure cloud platform, and SLB's extensive domain expertise. It allows customers to free data from silos, provides strong data management, storage, and federation strategy. Microsoft Energy Data Services ensures compatibility with evolving community standards like OSDU&trade; and enables value addition through interoperability with both first-party and third-party solutions.

-Microsoft Energy Data Services conforms to the following principles:

-Microsoft Energy Data Services Preview is a first-party PaaS (Platform as a Service) offering where Microsoft manages the deployment, monitoring, management, scale, security, updates, and upgrades of the service so that the customers can focus on the value from the platform. Microsoft offers seamless upgrades to the latest OSDU&trade; milestone versions after testing and validation.

-Furthermore, Microsoft Energy Data Services Preview provides security capabilities like encryption for data-in-transit and data-at-rest. The authentication and authorization are provided by Azure Active Directory. Microsoft also assumes the responsibility of providing regular security patches and updates.

-Microsoft Energy Data Services Preview also supports multiple data partitions for every platform instance. More data partitions can also be created after creating an instance, as needed.

-Microsoft Energy Data Services Preview is compatible with the OSDU&trade; Technical Standard enables seamless integration of existing applications that have been developed in alignment with the emerging requirements of the OSDU&trade; Standard.

-Most of our customers rely on ubiquitous tools and applications from Microsoft. The Microsoft Energy Data Services Preview platform is piloting how it can seamlessly work with deeply used Microsoft apps like SharePoint for data ingestion, Synapse for data transformations and pipelines, Power BI for data visualization, and other possibilities. A Power BI connector has already been released in the community, and partners are leveraging these tools and connectors to enhance their integrations with Microsoft apps and services.

-> [Quickstart: Create Microsoft Energy Data Services Preview instance](quickstart-create-microsoft-energy-data-services-instance.md)

-description: Quickly create a Microsoft Energy Data Services Preview instance #Required; article description that is displayed in search results.

-# Quickstart: Create a Microsoft Energy Data Services Preview instance

-Get started by creating a Microsoft Energy Data Services Preview instance on Azure portal on a web browser. You first register an Azure application on Active Directory and then use the application ID to create a Microsoft Energy Data Services instance in your chosen Azure Subscription and region.

-The setup of Microsoft Energy Data Services Preview instance can be triggered using a simple interface on Azure portal and takes about 50 minutes to complete.

-Microsoft Energy Data Services Preview is a managed "Platform as a service (PaaS)" offering from Microsoft that builds on top of the [OSDU&trade;](https://osduforum.org/) Data Platform. Microsoft Energy Data Services Preview lets you ingest, transform, and export subsurface data by letting you connect your consuming in-house or third-party applications.

-Active Azure Subscription | You'll need the Azure subscription ID in which you want to install Microsoft Energy Data Services. You need to have appropriate permissions to create Azure resources in this subscription.

-Application ID | You'll need an [application ID](../active-directory/develop/application-model.md) (often referred to as "App ID" or a "client ID"). This application ID will be used for authentication to Azure Active Directory and will be associated with your Microsoft Energy Data Services instance. You can [create an application ID](../active-directory/develop/quickstart-register-app.md) by navigating to Active directory and selecting *App registrations* > *New registration*.

-## Create a Microsoft Energy Data Services Preview instance

- > *Microsoft Energy Data Services* is accessible on the Azure Marketplace only if you use the above Azure portal link.

-1. If you have access to multiple tenants, use the *Directories + subscriptions* filter in the top menu to switch to the tenant in which you want to install Microsoft Energy Data Services.

-1. Use the search bar in the Azure Marketplace (not the global Azure search bar on top of the screen) to search for *Microsoft Energy Data Services*.

- [](media/quickstart-create-microsoft-energy-data-services-instance/search-meds-on-azure-marketplace.png#lightbox)

-1. In the search page, select *Create* on the card titled "Microsoft Energy Data Services (Preview)".

-1. A new window appears. Complete the *Basics* tab by choosing the *subscription*, *resource group*, and the *region* in which you want to create your instance of Microsoft Energy Data Services. Enter the *App ID* that you created during the prerequisite steps.

- [](media/quickstart-create-microsoft-energy-data-services-instance/input-basic-details.png#lightbox)

- Data Partition name | Name should be 1-10 char long consisting of lowercase alphanumeric characters and hyphens. It should start with an alphanumeric character and not contain consecutive hyphens. The data partition names that you chose are automatically prefixed with your Microsoft Energy Data Services instance name. This compound name will be used to refer to your data partition in application and API calls.

- > Microsoft Energy Data Services instance and data partition names, once created, cannot be changed later.

-1. This step is optional. You can download an Azure Resource Manager (ARM) template and use it for automated deployments of Microsoft Energy Data Services in future. Select *Download a template for automation* located on the bottom-right of the screen.

- [](media/quickstart-create-microsoft-energy-data-services-instance/overview-energy-data-services.png#lightbox)

-## Delete a Microsoft Energy Data Services Preview instance

-Deleting a Microsoft Energy Data instance also deletes any data that you've ingested. This action is permanent and the ingested data can't be recovered. To delete a Microsoft Energy Data Services instance, complete the following steps:

-2. This step is optional. Go to Azure Active Directory and delete the *app registration* that you linked to your Microsoft Energy Data Services instance.

-After provisioning a Microsoft Energy Data Services instance, you can learn about user management on this instance.

-description: This topic provides release notes of Microsoft Energy Data Services Preview releases, improvements, bug fixes, and known issues. #Required; article description that is displayed in search results.

-# Release Notes for Microsoft Energy Data Services Preview

-Microsoft Energy Data Services is updated on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:

-You can use a managed identity to authenticate to any [service that supports Azure AD (Active Directory) authentication](../active-directory/managed-identities-azure-resources/services-azure-active-directory-support.md) with Microsoft Energy Data Services. For example, you can write a script in Azure Function to ingest data in Microsoft Energy Data Services. Now, you can use managed identity to connect to Microsoft Energy Data Services using system or user assigned managed identity from other Azure services. [Learn more.]( ../energy-data-services/how-to-use-managed-identity.md)

-Availability Zones are physically separate locations within an Azure region made up of one or more datacenters equipped with independent power, cooling, and networking. Availability Zones provide in-region High Availability and protection against local disasters. Microsoft Energy Data Services Preview supports zone-redundant instance by default and there's no setup required by the Customer. [Learn more.](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=energy-data-services&regions=all)

-Most operations, support, and troubleshooting performed by Microsoft personnel do not require access to customer data. In those rare circumstances where such access is required, Customer Lockbox for Microsoft Energy Data Services provides you an interface to review and approve or reject data access requests. Microsoft Energy Data Services now supports Lockbox. [Learn more](../security/fundamentals/customer-lockbox-overview.md).

-Azure Private Link on Microsoft Energy Data Services provides private access to the service. This means traffic between your private network and Microsoft Energy Data Services travels over the Microsoft backbone network therefore limiting any exposure over the internet. By using Azure Private Link, you can connect to a Microsoft Energy Data Services instance from your virtual network via a private endpoint, which is a set of private IP addresses in a subnet within the virtual network. You can then limit access to your Microsoft Energy Data Services instance over these private IP addresses. [Create a private endpoint for Microsoft Energy Data Services](how-to-set-up-private-links.md).

-Microsoft Energy Data Services Preview supports customer managed encryption keys (CMK). All data in Microsoft Energy Data Services is encrypted with Microsoft-managed keys by default. In addition to Microsoft-managed key, you can use your own encryption key to protect the data in Microsoft Energy Data Services. When you specify a customer-managed key, that key is used to protect and control access to the Microsoft-managed key that encrypts your data. [Data security and encryption in Microsoft Energy Data Services](how-to-manage-data-security-and-encryption.md).

-Microsoft Energy Data Services is now available in public preview. Information on latest releases, bug fixes, & deprecated functionality for Microsoft Energy Data Services Preview will be updated monthly. Keep tracking this page.

-Microsoft Energy Data Services is developed in alignment with the emerging requirements of the OSDUΓäó Technical Standard, Version 1.0. and is currently aligned with Mercury Release(R3), [Milestone-12](https://community.opengroup.org/osdu/governance/project-management-committee/-/wikis/M12-Release-Notes).

-description: Lists of third-party Microsoft Energy Data Services partners solutions.

-# Microsoft Energy Data Services Preview partners

-Partner community is the growth engine for Microsoft. To help our customers quickly realize the benefits of Microsoft Energy Data Services Preview, we've worked closely with many partners who have tested their software applications and tools on our data platform.

-This article highlights Microsoft partners with software solutions officially supporting Microsoft Energy Data Services.

-| Bluware | Bluware enables energy companies to explore the full value of seismic data for exploration, carbon capture, wind farms, and geothermal workflows. Bluware technology on Microsoft Energy Data Services is increasing workflow productivity utilizing the power of Azure. Bluware's flagship seismic deep learning solution, InteractivAI&trade;, drastically improves the effectiveness of interpretation workflows. The interactive experience reduces seismic interpretation time by 10 times from weeks to hours and provides full control over interpretation results. | [Bluware technologies on Azure](https://go.bluware.com/bluware-on-azure-markeplace) [Bluware Products and Evaluation Packages](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/bluwarecorp1581537274084.bluwareazurelisting)|

-| Interica | Interica OneView&trade; harnesses the power of application connectors to extract rich metadata from live projects discovered across the organization. IOV scans automatically discover content and extract detailed metadata at the sub-element level. Quickly and easily discover data across multiple file systems and data silos, and clearly determine which projects contain selected data objects to inform business decisions. Live data discovery enables businesses to see a complete holistic view of subsurface project landscapes for improved time to decisions, more efficient data search, and effective storage management. | [Accelerate Microsoft Energy Data Services adoption with Interica OneView&trade;](https://www.petrosys.com.au/interica-oneview-connecting-to-microsoft-data-services/) [Interica OneView&trade;](https://www.petrosys.com.au/assets/Interica_OneView_Accelerate_MEDS_Azure_adoption.pdf) [Interica OneView&trade; connecting to Microsoft Data Services](https://youtu.be/uPEOo3H01w4)|

-To learn more about Microsoft Energy Data Services, visit

-> [What is Microsoft Energy Data Services Preview?](overview-microsoft-energy-data-services.md)

-This article helps you troubleshoot manifest ingestion workflow issues in Microsoft Energy Data Services Preview instance using the Airflow task logs.

-#Customer intent: As a customer, I want to learn how to use CSV parser ingestion so that I can load CSV data into the Microsoft Energy Data Services Preview instance.

-CSV Parser ingestion provides the capability to ingest CSV files into the Microsoft Energy Data Services Preview instance.

-> * Ingest a sample wellbore data CSV file into the Microsoft Energy Data Services Preview instance using Postman

-### Get Microsoft Energy Data Services Preview instance details

-* Microsoft Energy Data Services Preview instance is created already. If not, follow the steps outlined in [Quickstart: Create a Microsoft Energy Data Services Preview instance](quickstart-create-microsoft-energy-data-services-instance.md)

- | DNS | URI | `<instance>`.energy.azure.com | Overview page of Microsoft Energy Data Services instance|

- | data-partition-id | Data Partition(s) | `<instance>`-`<data-partition-name>` | Overview page of Microsoft Energy Data Services instance|

-* Update the **CURRENT_VALUE** of the Postman environment with the information obtained in [Microsoft Energy Data Services Preview instance details](#get-microsoft-energy-data-services-preview-instance-details)

-## Ingest a sample wellbore data CSV file into the Microsoft Energy Data Services Preview instance using Postman

-#Customer intent: As a customer, I want to learn how to use manifest ingestion so that I can load manifest information into the Microsoft Energy Data Services Preview instance.

-Manifest ingestion provides the capability to ingest manifests into Microsoft Energy Data Services Preview instance

-> * Ingest sample manifests into the Microsoft Energy Data Services Preview instance using Postman

-### Get Microsoft Energy Data Services Preview instance details

-* Microsoft Energy Data Services Preview instance is created already. If not, follow the steps outlined in [Quickstart: Create a Microsoft Energy Data Services Preview instance](quickstart-create-microsoft-energy-data-services-instance.md)

- | DNS | URI | `<instance>`.energy.Azure.com | Overview page of Microsoft Energy Data Services instance|

- | data-partition-id | Data Partition(s) | `<instance>`-`<data-partition-name>` | Overview page of Microsoft Energy Data Services instance|

-* Update the **CURRENT_VALUE** of the postman environment with the information obtained in [Get Microsoft Energy Data Services Preview instance details](#get-microsoft-energy-data-services-preview-instance-details)

-## Ingest sample manifests into the Microsoft Energy Data Services Preview instance using Postman

-## Usage for Microsoft Energy Data Services

-Microsoft Energy Data Services instance is using OSDU&trade; M12 Version of sdutil. Follow the below steps if you would like to use SDUTIL to leverage the SDMS API of your MEDS instance.

-description: This tutorial shows you how to interact with Seismic DDMS Microsoft Energy Data Services #Required; article description that is displayed in search results.

-Seismic DDMS provides the capability to operate on seismic data in the Microsoft Energy Data Services instance.

-### Microsoft Energy Data Services instance details

-* Once the [Microsoft Energy Data Services instance](./quickstart-create-microsoft-energy-data-services-instance.md) is created, note down the following details:

-3. Update the **CURRENT_VALUE** of the Postman Environment with the information obtained in [Microsoft Energy Data Services instance details](#microsoft-energy-data-services-instance-details)

-description: Learn how to work with well data records in your Microsoft Energy Data Services Preview instance by using Well Delivery Domain Data Management Services (Well Delivery DDMS) APIs in Postman.

-Use Well Delivery Domain Data Management Services (Well Delivery DDMS) APIs in Postman to work with well data in your instance of Microsoft Energy Data Services Preview.

-## Get your Microsoft Energy Data Services instance details

-The first step is to get the following information from your [Microsoft Energy Data Services Preview instance](quickstart-create-microsoft-energy-data-services-instance.md) in the [Azure portal](https://portal.azure.com/?microsoft_azure_marketplace_ItemHideKey=Microsoft_Azure_OpenEnergyPlatformHidden):

-1. In the Postman environment, update **CURRENT VALUE** with the information from your [Microsoft Energy Data Services instance](#get-your-microsoft-energy-data-services-instance-details):

- 1. In the **CURRENT VALUE** column, enter the information that's described in the table in [Get your Microsoft Energy Data Services instance details](#get-your-microsoft-energy-data-services-instance-details). Scroll to see all relevant variables.

-The Postman collection for Well Delivery DDMS contains requests you can use to interact with data about wells, wellbores, well logs, and well trajectory data in your Microsoft Energy Data Services instance.

-1. Import the following cURL command in Postman to generate a bearer token. Use the values from your Microsoft Energy Data Services instance.

-Successfully completing the Postman requests that are described in the following Well Delivery DDMS APIs indicates successful ingestion and retrieval of well records in your Microsoft Energy Data Services instance.

-You can delete a wellbore record in your Microsoft Energy Data Services instance by using Well Delivery DDMS APIs. For example:

-You can delete a well record in your Microsoft Energy Data Services instance by using Well Delivery DDMS APIs. For example:

-description: Learn how to work with well data records in your Microsoft Energy Data Services Preview instance by using Wellbore Domain Data Management Services (Wellbore DDMS) APIs in Postman.

-Use Wellbore Domain Data Management Services (Wellbore DDMS) APIs in Postman to work with well data in your instance of Microsoft Energy Data Services Preview.

-## Get your Microsoft Energy Data Services instance details

-The first step is to get the following information from your [Microsoft Energy Data Services Preview instance](quickstart-create-microsoft-energy-data-services-instance.md) in the [Azure portal](https://portal.azure.com/?microsoft_azure_marketplace_ItemHideKey=Microsoft_Azure_OpenEnergyPlatformHidden):

-1. In the Postman environment, update **CURRENT VALUE** with the information from your [Microsoft Energy Data Services instance](#get-your-microsoft-energy-data-services-instance-details):

- 1. In the **CURRENT VALUE** column, enter the information that's described in the table in [Get your Microsoft Energy Data Services instance details](#get-your-microsoft-energy-data-services-instance-details).

-The Postman collection for Wellbore DDMS contains requests you can use to interact with data about wells, wellbores, well logs, and well trajectory data in your Microsoft Energy Data Services instance.

-1. Import the following cURL command in Postman to generate a bearer token. Use the values from your Microsoft Energy Data Services instance.

-Successfully completing the Postman requests that are described in the following Wellbore DDMS APIs indicates successful ingestion and retrieval of well records in your Microsoft Energy Data Services instance.

-Create a well record in your Microsoft Energy Data Services instance.

-Get the well record data for your Microsoft Energy Data Services instance.

-Get the versions of each ingested well record in your Microsoft Energy Data Services instance.

-Get the details of a specific version for a specific well record in your Microsoft Energy Data Services instance.

-Delete a specific well record from your Microsoft Energy Data Services instance.

- > The container you create in a Azure Data Lake Storage Gen 2 using this user interface (UI) is shown under **File systems** in **Storage Explorer**. Similarly, the file system you create in a Data Lake Storage Gen 2 account shows up as a container in this UI.

-# Quickstart: Create a dedicated Azure Event Hubs cluster using Azure portal

-Event Hubs clusters offer **single-tenant deployments** for customers with the most demanding streaming needs. This offering has a guaranteed **99.99%** SLA, which is available only in our dedicated pricing tier. An [Event Hubs cluster](event-hubs-dedicated-overview.md) can ingress millions of events per second with guaranteed capacity and subsecond latency. Namespaces and event hubs created within a cluster include all features of the premium offering and more, but without any ingress limits. The dedicated offering also includes the popular [Event Hubs Capture](event-hubs-capture-overview.md) feature at no additional cost, allowing you to automatically batch and log data streams to [Azure Blob Storage](../storage/blobs/storage-blobs-introduction.md) or [Azure Data Lake Storage Gen 1](../data-lake-store/data-lake-store-overview.md).

-> - The dedicated tier isn't available in all regions. Try to create a dedicated cluster in the Azure portal and see supported regions in the **Location** drop-down list on the **Create Event Hubs Cluster** page.

-> - This [Azure Portal](https://aka.ms/eventhubsclusterquickstart) self-serve experience is currently in **preview**. If you have any questions about the dedicated offering, reach out to the [Event Hubs team](mailto:askeventhubs@microsoft.com).

-## Scale Event Hubs dedicated cluster

-1. On the **Event Hubs Cluster** page for your dedicated cluster, select **Scale** on the left menu.

- 2. Select **Scale up or down a dedicated Cluster** if you want to scale up or scale down your dedicated cluster.

- ## Delete a dedicated cluster

-|Azure Firewall DNAT doesn't work for private IP destinations|Azure Firewall DNAT support is limited to Internet egress/ingress. DNAT doesn't currently work for private IP destinations. For example, spoke to spoke.|This is a current limitation.|

-description: Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains.

-Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses, FQDNs, and URLs. The IP addresses, domains and URLs are sourced from the Microsoft Threat Intelligence feed, which includes multiple sources including the Microsoft Cyber Security team. [Intelligent Security Graph](https://www.microsoft.com/security/operations/intelligence) powers Microsoft threat intelligence and is used by multiple services including Microsoft Defender for Cloud.<br>

-If you've enabled threat intelligence-based filtering, the associated rules are processed before any of the NAT rules, network rules, or application rules.

-You can choose to just log an alert when a rule is triggered, or you can choose alert and deny mode.

-By default, threat intelligence-based filtering is enabled in alert mode. You canΓÇÖt turn off this feature or change the mode until the portal interface becomes available in your region.

-You can define allowlists so threat intelligence won't filter traffic to any of the listed FQDNs, IP addresses, ranges, or subnets.

-

-This article will walk you through how to perform the tier upgrade on the configuration page of a Front Door Standard profile. Once upgraded, you'll be charge for the Azure Front Door Premium monthly base fee at an hourly rate.

-assignment.

-`Microsoft.Authorization/policyAssignments`, `Microsoft.Authorization/denyAssignments`, `Microsoft.Blueprint/blueprintAssignments`, `Microsoft.Resources/deploymentStacks`, and `Microsoft.Authorization/locks` are all exempt from DenyAction enforcement to prevent lockout scenarios.

-Policy won't block removal of resources that happens during a subscription deletion.

-#### Resource group deletion

-Policy will evaluate resources that support location and tags against `DenyAction` policies during a resource group deletion. Only policies that have the `cascadeBehaviors` set to `deny` in the policy rule will block a resource group deletion. Policy won't block removal of resources that don't support location and tags nor any policy with `mode:all`.

-Cascade deletion occurs when deleting of a parent resource is implicitly deletes all its child resources. Policy won't block removal of child resources when a delete action targets the parent resources. For example, `Microsoft.Insights/diagnosticSettings` is a child resource of `Microsoft.Storage/storageaccounts`. If a `denyAction` policy targets `Microsoft.Insights/diagnosticSettings`, a delete call to the diagnostic setting (child) will fail, but a delete to the storage account (parent) will implicitly delete the diagnostic setting (child).

- - An _array_ that specifies what actions to prevent from being executed.

- - Supported action names are: `delete`.

- - An _object_ that defines what behavior will be followed when the resource is being implicitly deleted by the removal of a resource group.

- - Allowed values are `allow` or `deny`.

- - Default value is `deny`.

-Example: Deny any delete calls targeting database accounts that have a tag environment that equals prod. Since cascade behavior is set to deny, block any DELETE call that targets a resource group with an applicable database account.

- - For _ResourceGroup_, would limit to the **if** condition resource's resource group or the

- resource group specified in **ResourceGroupName**.

-You can use Data Lake Storage Gen1 as additional storage for the cluster as well. In such cases, the cluster default storage can either be an Azure Blob storage or a Azure Data Lake Storage Gen1 account. When running HDInsight jobs against the data stored in Azure Data Lake Storage Gen1 as additional storage, use the fully qualified path. For example:

-To store profiles in Azure API for FHIR, you can `PUT` the `StructureDefinition` with the profile content in the body of the request. A standard `PUT` or a conditional update are both good methods to store profiles on the FHIR service. Use the conditional update if you are unsure which to use.

-Standard `PUT`: `PUT http://<your Azure API for FHIR base URL>/StructureDefinition/profile-id`

-Conditional update: `PUT http://<your Azure API for FHIR base URL>/StructureDefinition?url=http://sample-profile-url`

-PUT https://myAzureAPIforFHIR.azurehealthcareapis.com/StructureDefinition?url=http://hl7.org/fhir/us/core/StructureDefinition/us-core-allergyintolerance

-`GET https://myworkspace-myfhirserver.fhir.azurehealthcareapis.com/StructureDefinition?url=http://hl7.org/fhir/us/core/StructureDefinition/us-core-goal`

-You can define 10 different storage targets for any cache, and larger caches can [support up to 20 storage targets](#size-your-cache-correctly-to-support-your-storage-targets).

-## Size your cache correctly to support your storage targets

-When you create the cache, make sure you select the type and size that will support the number of storage targets you need.

-The number of supported storage targets depends on the cache type and the cache capacity. Cache capacity is a combination of throughput capacity (in GB/s) and storage capacity (in TB).

-* Up to 10 storage targets - A standard cache with the smallest or medium cache storage value for your selected throughput can have a maximum of 10 storage targets.

- For example, if you choose 2 GB/second throughput and don't choose the largest cache storage size (12 TB), your cache supports a maximum of 10 storage targets.

-* Up to 20 storage targets -

- * All read-only high-throughput caches (which have preconfigured cache storage sizes) can support up to 20 storage targets.

- * Standard caches can support up to 20 storage targets if you choose the highest available cache size for your selected throughput value. (If using Azure CLI, choose the highest valid cache size for your cache SKU.)

-Read [Choose cache type and capacity](hpc-cache-create.md#choose-cache-type-and-capacity) to learn more about throughput and cache size settings.

-First, choose the type of cache you want. Options include:

-* **Read-write standard caching** - A flexible, general-purpose cache

-* **Read-only caching** - A high-throughput cache designed to minimize latency for file access

-Read more about these cache type options below in [Choose the cache type for your needs](#choose-the-cache-type-for-your-needs).

-Second, select the cache's capacity. Cache capacity is a combination of two values:

-

-Throughput and cache size also affect how many storage targets are supported for a particular cache. If you want to use more than 10 storage targets with your cache, you must choose the highest available cache storage size value available for your throughput size, or choose the high-throughput read-only configuration. Learn more in [Add storage targets](hpc-cache-add-storage.md#size-your-cache-correctly-to-support-your-storage-targets).

-When you choose your cache capacity, you might notice that some cache types have one fixed cache size, and others let you select from multiple cache size options for each throughput value. This is because they use different styles of cache infrastructure.

-* Standard caches - Cache type **Read-write caching**

- With standard caches, you can choose from several cache size values. These caches can be configured for read-only or for read and write caching.

-* High-throughput caches - Cache type **Read-only caching**

- The high-throughput read-only caches are preconfigured with only one cache size option per throughput value. They're designed to optimize file read access only.

-

-This table explains some important differences between the two options.

-| Attribute | Standard cache | Read-only high-throughput cache |

-|--|--|--|

-| Cache type |"Read-write standard caching"| "Read-only caching"|

-| Throughput sizes | 2, 4, or 8 GB/sec | 4.5, 9, or 16 GB/sec |

-| Cache sizes | 3, 6, or 12 TB for 2 GB/sec<br/> 6, 12, or 24 TB for 4 GB/sec<br/> 12, 24, or 48 TB for 8 GB/sec| 21 TB for 4.5 GB/sec <br/> 42 TB for 9 GB/sec <br/> 84 TB for 16 GB/sec |

-| Maximum number of storage targets | [10 or 20](hpc-cache-add-storage.md#size-your-cache-correctly-to-support-your-storage-targets) depending on cache size selection | 20 |

-| Compatible storage target types | Azure Blob, on-premises NFS storage, NFS-enabled blob | on-premises NFS storage <br/>NFS-enabled blob storage is in preview for this combination |

-| Caching styles | Read caching or read-write caching | Read caching only |

-| Cache can be stopped to save cost when not needed | Yes | No |

-* [Maximum number of storage targets](hpc-cache-add-storage.md#size-your-cache-correctly-to-support-your-storage-targets)

- If you want to use more than 10 storage targets with your cache, choose the highest available cache size value for your SKU. These configurations support up to 20 storage targets.

-If the delegated subnet is too large, it's possible for the Azure NetApp Files volumes to use more IP addresses than a single Azure HPC Cache instance can handle. A single cache has a [limit of 10 storage targets](hpc-cache-add-storage.md#size-your-cache-correctly-to-support-your-storage-targets) for most cache throughput/storage size combinations, or 20 storage targets for the largest configurations.

-The size of your cache determines the number of storage targets it can support - up to 10 storage targets for most caches, or up to 20 for the largest sizes. Read [Size your cache correctly to support your storage targets](hpc-cache-add-storage.md#size-your-cache-correctly-to-support-your-storage-targets) for details.

-The [device implementation](tutorial-connect-device.md) should follow the [IoT Plug and Play conventions](../../iot-develop/concepts-convention.md) to ensure that it can communicate with IoT Central. For more information, see the various language [SDKs and samples](../../iot-develop/libraries-sdks.md).

-These SDKs can run on a general MPU-based computing device such as a PC, tablet, smartphone, or Raspberry Pi. The SDKs support development in C and in modern managed languages including in C#, Node.JS, Python, and Java.

-The SDKs are available in **multiple languages** providing the flexibility to choose which best suits your team and scenario.

-| Language | Package | Source | Quickstarts | Samples | Reference |

-| :-- | :-- | :-- | :-- | :-- | :-- |

-| **.NET** | [NuGet](https://www.nuget.org/packages/Microsoft.Azure.Devices.Client) | [GitHub](https://github.com/Azure/azure-iot-sdk-csharp) | [IoT Hub](quickstart-send-telemetry-iot-hub.md?pivots=programming-language-csharp) / [IoT Central](quickstart-send-telemetry-central.md?pivots=programming-language-csharp) | [Samples](https://github.com/Azure/azure-iot-sdk-csharp/tree/main/iothub/device/samples) | [Reference](/dotnet/api/microsoft.azure.devices.client) |

-| **Python** | [pip](https://pypi.org/project/azure-iot-device/) | [GitHub](https://github.com/Azure/azure-iot-sdk-python) | [IoT Hub](quickstart-send-telemetry-iot-hub.md?pivots=programming-language-python) / [IoT Central](quickstart-send-telemetry-central.md?pivots=programming-language-python) | [Samples](https://github.com/Azure/azure-iot-sdk-python/tree/main/samples) | [Reference](/python/api/azure-iot-device) |

-| **Node.js** | [npm](https://www.npmjs.com/package/azure-iot-device) | [GitHub](https://github.com/Azure/azure-iot-sdk-node) | [IoT Hub](quickstart-send-telemetry-iot-hub.md?pivots=programming-language-nodejs) / [IoT Central](quickstart-send-telemetry-central.md?pivots=programming-language-nodejs) | [Samples](https://github.com/Azure/azure-iot-sdk-node/tree/main/device/samples) | [Reference](/javascript/api/azure-iot-device/) |

-| **Java** | [Maven](https://mvnrepository.com/artifact/com.microsoft.azure.sdk.iot/iot-device-client) | [GitHub](https://github.com/Azure/azure-iot-sdk-java) | [IoT Hub](quickstart-send-telemetry-iot-hub.md?pivots=programming-language-java) / [IoT Central](quickstart-send-telemetry-central.md?pivots=programming-language-java) | [Samples](https://github.com/Azure/azure-iot-sdk-java/tree/main/iothub/device/iot-device-samples) | [Reference](/java/api/com.microsoft.azure.sdk.iot.device) |

-| **C** | [packages](https://github.com/Azure/azure-iot-sdk-c/blob/master/readme.md#getting-the-sdk) | [GitHub](https://github.com/Azure/azure-iot-sdk-c) | [IoT Hub](quickstart-send-telemetry-iot-hub.md?pivots=programming-language-ansi-c) / [IoT Central](quickstart-send-telemetry-central.md?pivots=programming-language-ansi-c) | [Samples](https://github.com/Azure/azure-iot-sdk-c/tree/master/iothub_client/samples) | [Reference](https://github.com/Azure/azure-iot-sdk-c/) |

-> [!WARNING]

-> The **Azure IoT C SDK** is **not** suitable for embedded applications due to its memory management and threading model. For embedded device SDK options, refer to the [Embedded device SDKs](#embedded-device-sdks).

-These SDKs were designed and created to run on devices with limited compute and memory resources and are implemented using the C language.

-The embedded device SDKs are available for **multiple operating systems** providing the flexibility to choose which best suits your scenario.

-| RTOS | SDK | Source | Samples | Reference |

-| :-- | :-- | :-- | :-- | :-- |

-| **Azure RTOS** | Azure RTOS Middleware | [GitHub](https://github.com/azure-rtos/netxduo) | [Quickstarts](quickstart-devkit-mxchip-az3166.md) | [Reference](https://github.com/azure-rtos/netxduo/tree/master/addons/azure_iot) |

-| **FreeRTOS** | FreeRTOS Middleware | [GitHub](https://github.com/Azure/azure-iot-middleware-freertos) | [Samples](https://github.com/Azure-Samples/iot-middleware-freertos-samples) | [Reference](https://azure.github.io/azure-iot-middleware-freertos) |

-| **Bare Metal** | Azure SDK for Embedded C | [GitHub](https://github.com/Azure/azure-sdk-for-c/tree/master/sdk/docs/iot) | [Samples](https://github.com/Azure/azure-sdk-for-c/blob/master/sdk/samples/iot/README.md) | [Reference](https://azure.github.io/azure-sdk-for-c) |

-A device builder implements the code to run on an IoT device using one of the [Azure IoT device SDKs](./libraries-sdks.md). The device SDKs help the device builder to:

-To use an IoT Plug and Play device that's connected to your IoT hub, one of the Azure IoT service SDKs:

-The digital twin APIs include **Get Digital Twin**, **Update Digital Twin**, **Invoke Component Command** and **Invoke Command** operations more managing a digital twin. You can either use the [REST APIs](/rest/api/iothub/service/digitaltwin) directly or through a [Service SDK](../iot-develop/libraries-sdks.md).

-IoT Plug and Play supports **Get digital twin** and **Update digital twin** operations to manage digital twins. You can use either the [REST APIs](/rest/api/iothub/service/digitaltwin) or one of the [service SDKs](libraries-sdks.md).

-description: Information about the device and service libraries available for developing IoT Plug and Play enabled solutions.

-# Microsoft SDKs for IoT Plug and Play

-The IoT Plug and Play libraries and SDKs enable developers to build IoT solutions using various programming languages on multiple platforms. The following table includes links to samples and quickstarts to help you get started:

-## Device SDKs

-| Language | Package | Code Repository | Samples | Quickstart | Reference |

-|||||||

-| C - Device | [vcpkg 1.3.9](https://github.com/Azure/azure-iot-sdk-c/blob/master/doc/setting_up_vcpkg.md) | [GitHub](https://github.com/Azure/azure-iot-sdk-c) | [Samples](https://github.com/Azure/azure-iot-sdk-c/tree/master/iothub_client/samples/pnp) | [Connect to IoT Hub](tutorial-connect-device.md) | [Reference](https://github.com/Azure/azure-iot-sdk-c/) |

-| .NET - Device | [NuGet 1.41.2](https://www.nuget.org/packages/Microsoft.Azure.Devices.Client) | [GitHub](https://github.com/Azure/azure-iot-sdk-csharp/tree/main/) | [Samples](https://github.com/Azure/azure-iot-sdk-csharp/tree/main/iothub/device/samples/solutions/PnpDeviceSamples) | [Connect to IoT Hub](tutorial-connect-device.md) | [Reference](/dotnet/api/microsoft.azure.devices.client) |

-| Java - Device | [Maven 1.26.0](https://mvnrepository.com/artifact/com.microsoft.azure.sdk.iot/iot-device-client) | [GitHub](https://github.com/Azure/azure-iot-sdk-jav) | [Reference](/java/api/com.microsoft.azure.sdk.iot.device) |

-| Python - Device | [pip 2.3.0](https://pypi.org/project/azure-iot-device/) | [GitHub](https://github.com/Azure/azure-iot-sdk-python) | [Samples](https://github.com/Azure/azure-iot-sdk-python/tree/main/samples/pnp) | [Connect to IoT Hub](tutorial-connect-device.md) | [Reference](/python/api/azure-iot-device/azure.iot.device) |

-| Node - Device | [npm 1.17.2](https://www.npmjs.com/package/azure-iot-device)  | [GitHub](https://github.com/Azure/azure-iot-sdk-node) | [Samples](https://github.com/Azure/azure-iot-sdk-node/tree/main/device/samples/javascript/) | [Connect to IoT Hub](tutorial-connect-device.md) | [Reference](/javascript/api/azure-iot-device/) |

-| Embedded C - Device | N/A | [GitHub](https://github.com/Azure/azure-sdk-for-c/)| [Samples](tutorial-connect-device.md?pivots=programming-language-embedded-c#samples) | [How to use Embedded C](tutorial-connect-device.md?pivots=programming-language-embedded-c) | N/A

-## Service SDKs

-| Platform | Package | Code Repository | Samples | Quickstart | Reference |

-|||||||

-| .NET - IoT Hub service | [NuGet 1.38.1](https://www.nuget.org/packages/Microsoft.Azure.Devices ) | [GitHub](https://github.com/Azure/azure-iot-sdk-csharp) | [Samples](https://github.com/Azure/azure-iot-sdk-csharp/tree/main/iothub/service/samples/solutions/PnpServiceSamples) | N/A | [Reference](/dotnet/api/microsoft.azure.devices) |

-| Java - IoT Hub service | [Maven 1.26.0](https://mvnrepository.com/artifact/com.microsoft.azure.sdk.iot/iot-service-client/1.26.0) | [GitHub](https://github.com/Azure/azure-iot-sdk-java) | [Samples](https://github.com/Azure/azure-iot-sdk-java/tree/main/service/iot-service-samples/pnp-service-sample) | N/A | [Reference](/java/api/com.microsoft.azure.sdk.iot.service) |

-| Node - IoT Hub service | [npm 1.13.0](https://www.npmjs.com/package/azure-iothub) | [GitHub](https://github.com/Azure/azure-iot-sdk-node) | [Samples](https://github.com/Azure/azure-iot-sdk-node/tree/main/device/samples) | N/A | [Reference](/javascript/api/azure-iothub/) |

-| Python - IoT Hub service | [pip 2.2.3](https://pypi.org/project/azure-iot-hub) | [GitHub](https://github.com/Azure/azure-iot-hub-python) | [Samples](https://github.com/Azure/azure-iot-hub-python/tree/main/samples) | N/A | [Reference](/python/api/azure-iot-hub/) |

-## Next steps

-To try out the SDKs and libraries, see the [Developer Guide](concepts-developer-guide-device.md) and the [device tutorials](tutorial-connect-device.md) and [service tutorials](tutorial-service.md).

-When developing IoT Edge modules, it's important to understand the difference between the development machine and the target IoT Edge device where the module will eventually be deployed. The container that you build to hold your module code must match the operating system (OS) of the *target device*. For example, the most common scenario is someone developing a module on a Windows computer intending to target a Linux device running IoT Edge. In that case, the container operating system would be Linux. As you go through this tutorial, keep in mind the difference between the *development machine OS* and the *container OS*.

-This tutorial targets devices running IoT Edge with Linux containers. You can use your preferred operating system as long as your development machine runs Linux containers. We recommend using Visual Studio Code to develop with Linux containers, so that's what this tutorial will use. You can use Visual Studio as well, although there are differences in support between the two tools.

- * When you install Docker Desktop for Windows, you're asked whether you want to use Linux or Windows containers. This decision can be changed at any time using an easy switch. For this tutorial, we use Linux containers because our modules are targeting Linux devices. For more information, see [Switch between Windows and Linux containers](https://docs.docker.com/docker-for-windows/#switch-between-windows-and-linux-containers).

-2. Once the installation is finished, open Visual Studio Code and select **View** > **Extensions**.

-5. When the extensions are done installing, open the command palette by selecting **View** > **Command Palette**.

-For this tutorial, we use the C# module template because it is the most commonly used template.

-1. Provide Docker image repository for the module: an image repository includes the name of your container registry and the name of your container image. Your container image is prepopulated from the name you provided in the last step. Replace **localhost:5000** with the **Login server** value from your Azure container registry. You can retrieve the Login server value from the Overview page of your container registry in the Azure portal.

-* The **.vscode** folder contains a file called **launch.json**, which is used for debugging modules.

-* The **.env** file holds the credentials to your container registry. These credentials are shared with your IoT Edge device so that it has access to pull the container images.

-* The **deployment.debug.template.json** file and **deployment.template.json** file are templates that help you create a deployment manifest. A *deployment manifest* is a file that defines exactly which modules you want deployed on a device, how they should be configured, and how they can communicate with each other and the cloud. The template files use pointers for some values. When you transform the template into a true deployment manifest, the pointers are replaced with values taken from other solution files.

- * In the `registryCredentials` section, the address is auto-filled from the information you provided when you created the solution. However, the username and password reference the variables stored in the .env file. This configuration is for security, as the .env file is git ignored, but the deployment template is not.

- * In the `SampleModule` section, the container image isn't filled in even though you provided the image repository when you created the solution. This placeholder points to the **module.json** file inside the SampleModule folder. If you go to that file, you'll see that the image field does contain the repository, but also a tag value that is made up of the version and the platform of the container. You can iterate the version manually as part of your development cycle, and you select the container platform using a switcher that we introduce later in this section.

-After selecting a new runtime version, your deployment manifest is dynamically updated to reflect the change to the runtime module images.

-The IoT Edge extension tries to pull your container registry credentials from Azure and populate them in the environment file. Check to see if your credentials are already included. If not, add them now:

-Currently, Visual Studio Code can develop C# modules for Linux AMD64 and ARM32v7 devices. You need to select which architecture you're targeting with each solution, because that affects how the container is built and runs. The default is Linux AMD64.

-2. In the command palette, select the target architecture from the list of options. For this tutorial, we're using an Ubuntu virtual machine as the IoT Edge device, so will keep the default **amd64**.

-1. Open the **Program.cs** file, which is inside the **modules/SampleModule/** folder.

-2. In program.cs, find the **SetInputMessageHandlerAsync** method.

-3. The [SetInputMessageHandlerAsync](/dotnet/api/microsoft.azure.devices.client.moduleclient.setinputmessagehandlerasync) method sets up an input queue to receive incoming messages. Review this method and see how it initializes an input queue called **input1**.

-Provide your container registry credentials to Docker so that it can push your container image to be stored in the registry.

-1. Open the Visual Studio Code integrated terminal by selecting **View** > **Terminal**.

- You may receive a security warning recommending the use of `--password-stdin`. While that best practice is recommended for production scenarios, it's outside the scope of this tutorial. For more information, see the [docker login](https://docs.docker.com/engine/reference/commandline/login/#provide-a-password-using-stdin) reference.

-3. Log in to Azure Container Registry. [Install Azure CLI](/cli/azure/install-azure-cli) to use the `az` command.

->If you get logged out at any point in this tutorial, repeat the Docker and Azure Container Registry sign in steps above to continue.

- :::image type="content" source="./media/tutorial-develop-for-linux/build-and-push-modules.png" alt-text="Screenshot showing the right-click menu option Build and Push IoT Edge Solution." lightbox="./media/tutorial-develop-for-linux/build-and-push-modules.png":::