+Number match will be enabled for all users of Microsoft Authenticator push notifications after February 27, 2023. Relevant services will begin deploying these changes after February 27, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all your users, we highly recommend you use the Azure portal or Graph API to roll out number match for all Microsoft Authenticator users.

+1. Navigate to the [Microsoft Entra admin center](https://entra.microsoft.com/#home).

+1. Navigate to the Microsoft [Entra admin center](https://entra.microsoft.com/#home).

+> A *global administrator* or *root user* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable Permissions Management on your Azure Active Directory tenant](onboard-enable-tenant.md).

+On Azure AD joined and hybrid Azure AD joined devices, unlocking the device, or signing in interactively will only refresh the Primary Refresh Token (PRT) every 4 hours. The last refresh timestamp recorded for PRT compared with the current timestamp must be within the time allotted in SIF policy for PRT to satisfy SIF and grant access to a PRT that has an existing MFA claim. On [Azure AD registered devices](/active-directory/devices/concept-azure-ad-register), unlock/sign-in would not satisfy the SIF policy because the user is not accessing an Azure AD registered device via an Azure AD account. However, the [Azure AD WAM](/azure/active-directory/develop/scenario-desktop-acquire-token-wam) plugin can refresh a PRT during native application authentication using WAM.

+Note: The timestamp captured from user log-in is not necessarily the same as the last recorded timestamp of PRT refresh because of the 4-hour refresh cycle. The case when it is the same is when a PRT has expired and a user log-in refreshes it for 4 hours. In the following examples, assume SIF policy is set to 1 hour and PRT is refreshed at 00:00.

+Example 1: *when you continue to work on the same doc in SPO for an hour*

+Example 2: *when pausing work with a background task running in the browser, then interacting again after the SIF policy time has passed*

+- At 00:00, a user signs in to their Windows 10 Azure AD joined device and starts to upload a document to SharePoint Online.

+- At 00:10, the user gets up and takes a break locking their device. The background upload continues to SharePoint Online.

+- At 02:45, the user returns from their break and unlocks the device. The background upload shows completion.

+- At 02:45, the user is prompted to sign in when they interact again based on the sign-in frequency requirement in the Conditional Access policy configured by their administrator since the last sign-in happened at 00:00.

+If the client app (under activity details) is a Browser, we defer sign in frequency enforcement of events/policies on background services until the next user interaction.   

+Example 3: *with 4-hour refresh cycle of primary refresh token from unlock*

+Scenario 1 - User returns within cycle

+- At 00:00, a user signs into their Windows 10 Azure AD joined device and starts work on a document stored on SharePoint Online.

+- At 01:00, the user is prompted to sign in again based on the sign-in frequency requirement in the Conditional Access policy configured by their administrator, 1 hour after the initial sign-in.

+Scenario 2 - User returns outside cycle

+- At 00:00, a user signs into their Windows 10 Azure AD joined device and starts work on a document stored on SharePoint Online.

+- At 00:30, the user gets up and takes a break locking their device.

+- At 04:45, the user returns from their break and unlocks the device.

+- At 05:45, the user is prompted to sign in again based on the sign-in frequency requirement in the Conditional Access policy configured by their administrator, 1 hour after the PRT was refreshed at 04:45 (over 4hrs after the initial sign-in at 00:00).

+>This information last updated on February 3rd, 2023.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).

+| Azure Active Directory Premium P1 for faculty | AAD_PREMIUM_FACULTY | 30fc3c36-5a95-4956-ba57-c09c2a600bb9 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>ADALLOM_S_DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Azure Active Directory Premium P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>Microsoft Azure Multi-Factor Authentication (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>Microsoft Defender for Cloud Apps Discovery (932ad362-64a8-4783-9106-97849a1a30b9) |

+| Exchange Online (Plan 1) for Students | EXCHANGESTANDARD_STUDENT | ad2fe44a-915d-4e2b-ade1-6766d50a9d9c | EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)<br/>RMS_S_BASIC (31cf2cfc-6b0d-4adc-a336-88b724ed8122) | Exchange Online (Plan 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>To-Do (Plan 1) (5e62787c-c316-451f-b873-1d05acd4d12c)<br/>Microsoft Azure Rights Management Service (31cf2cfc-6b0d-4adc-a336-88b724ed8122) |

+| Exchange Online (Plan 1) for Alumni with Yammer | EXCHANGESTANDARD_ALUMNI | aa0f9eb7-eff2-4943-8424-226fb137fcad | EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>YAMMER_EDU (2078e8df-cff6-4290-98cb-5408261a760a) | Exchange Online (Plan 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Yammer for Academic (2078e8df-cff6-4290-98cb-5408261a760a) |

+| Intune for Education | INTUNE_EDU | d9d89b70-a645-4c24-b041-8d3cb1884ec7 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>AAD_EDU (3a3976ce-de18-4a87-a78e-5e9245e252df)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>INTUNE_EDU (da24caf9-af8e-485c-b7c8-e73336da2693)<br/>WINDOWS_STORE (a420f25f-a7b3-4ff5-a9d0-5d58f73b537d) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Azure Active Directory for Education (3a3976ce-de18-4a87-a78e-5e9245e252df)<br/>Microsoft Intune (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>Microsoft Intune for Education (da24caf9-af8e-485c-b7c8-e73336da2693)<br/>Windows Store Service (a420f25f-a7b3-4ff5-a9d0-5d58f73b537d) |

+| Power BI Pro for Faculty | POWER_BI_PRO_FACULTY | de5f128b-46d7-4cfc-b915-a89ba060ea56 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>BI_AZURE_P2 (70d33638-9c74-4d01-bfd3-562de28bd4ba) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Power BI Pro (70d33638-9c74-4d01-bfd3-562de28bd4ba) |

+| Project Online Essentials for Faculty | PROJECTESSENTIALS_FACULTY | e433b246-63e7-4d0b-9efa-7940fa3264d6 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>OFFICE_FORMS_PLAN_2 (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>SHAREPOINTWAC_EDU (e03c7e47-402c-463c-ab25-949079bedb21)<br/>PROJECT_ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)<br/>SHAREPOINTENTERPRISE_EDU (63038b2c-28d0-45f6-bc36-33062963b498)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Microsoft Forms (Plan 2) (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>Office for the Web for Education (e03c7e47-402c-463c-ab25-949079bedb21)<br/>Project Online Essentials (1259157c-8581-4875-bca7-2ffb18c51bda)<br/>SharePoint (Plan 2) for Education (63038b2c-28d0-45f6-bc36-33062963b498)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97) |

+| Project Plan 3 for Faculty | PROJECTPROFESSIONAL_FACULTY | 46974aed-363e-423c-9e6a-951037cec495 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>SHAREPOINTWAC_EDU (e03c7e47-402c-463c-ab25-949079bedb21)<br/>PROJECT_CLIENT_SUBSCRIPTION (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3)<br/>SHAREPOINT_PROJECT_EDU (664a2fed-6c7a-468e-af35-d61740f0ec90)<br/>PROJECT_PROFESSIONAL_FACULTY (22572403-045f-432b-a660-af949c0a77b5)<br/>SHAREPOINTENTERPRISE_EDU (63038b2c-28d0-45f6-bc36-33062963b498)<br/>DYN365_CDS_PROJECT (50554c47-71d9-49fd-bc54-42a2765c555c)<br/>FLOW_FOR_PROJECT (fa200448-008c-4acb-abd4-ea106ed2199d) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Office for the Web for Education (e03c7e47-402c-463c-ab25-949079bedb21)<br/>Project Online Desktop Client (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3)<br/>Project Online Service for Education (664a2fed-6c7a-468e-af35-d61740f0ec90)<br/>Project P3 for Faculty (22572403-045f-432b-a660-af949c0a77b5)<br/>SharePoint (Plan 2) for Education (63038b2c-28d0-45f6-bc36-33062963b498)<br/>Common Data Service for Project (50554c47-71d9-49fd-bc54-42a2765c555c)<br/>Power Automate for Project (fa200448-008c-4acb-abd4-ea106ed2199d) |

+ Title: Determine your security posture for external access with Azure Active Directory

+description: Learn about governance of external access and assessing collaboration needs, by scenario

+# Determine your security posture for external access with Azure Active Directory

+As you consider the governance of external access, assess your organization's security and collaboration needs, by scenario. You can start with the level of control the IT team has over the day-to-day collaboration of end users. Organizations in highly regulated industries might require more IT team control. For example, defense contractors can have a requirement to positively identify and document external users, their access, and access removal: all access, scenario-based, or workloads. Consulting agencies can use certain features to allow end users to determine the external users they collaborate with.

+ 

+ > [!NOTE]

+ > A high degree of control over collaboration can lead to higher IT budgets, reduced productivity, and delayed business outcomes. When official collaboration channels are perceived as onerous, end users tend to evade official channels. An example is end users sending unsecured documents by email.

+## Scenario-based planning

+IT teams can delegate partner access to empower employees to collaborate with partners. This delegation can occur while maintaining sufficient security to protect intellectual property.

+Compile and assess your organizations scenarios to help assess employee versus business partner access to resources. Financial institutions might have compliance standards that restrict employee access to resources such as account information. Conversely, the same institutions can enable delegated partner access for projects such as marketing campaigns.

+ 

+### Scenario considerations

+Use the following list to help measure the level of access control.

+* Information sensitivity, and associated risk of its exposure

+* Partner access to information about other end users

+* The cost of a breach versus the overhead of centralized control and end-user friction

+Organizations can start with highly managed controls to meet compliance targets, and then delegate some control to end users, over time. There can be simultaneous access-management models in an organization.

+> [!NOTE]

+> Partner-managed credentials are a method to signal the termination of access to resources, when an external user loses access to resources in their own company. Learn more: [B2B collaboration overview](../external-identities/what-is-b2b.md)

+## External-access security goals

+The goals of IT-governed and delegated access differ. The primary goals of IT-governed access are:

+* Meet governance, regulatory, and compliance (GRC) targets

+* High level of control over partner access to information about end users, groups, and other partners

+The primary goals of delegating access are:

+* Enable business owners to determine collaboration partners, with security constraints

+* Enable partners to request access, based on rules defined by business owners

+### Common goals

+#### Control access to applications, data, and content

+Levels of control can be accomplished through various methods, depending on your version of Azure AD and Microsoft 365.

+* [Azure AD plans and pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing)

+* [Microsoft 365](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).

+#### Reduce attack surface

+* [What is Azure AD Privileged Identity Management?](../privileged-identity-management/pim-configure.md) - manage, control, and monitor access to resources in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune

+* [Data loss prevention in Exchange Server](/exchange/policy-and-compliance/data-loss-prevention/data-loss-prevention?view=exchserver-2019&preserve-view=true)

+#### Confirm compliance with activity and audit log reviews

+IT teams can delegate access decisions to business owners through entitlement management, while access reviews help confirm continued access. You can use automated data classification with sensitivity labels to automate the encryption of sensitive content, easing compliance for end users.

+## Next steps

+See the following articles to learn more about securing external access to resources. We recommend you follow the listed order.

+1. [Determine your security posture for external access with Azure AD](1-secure-access-posture.md) (You're here)

+2. [Discover the current state of external collaboration in your organization](2-secure-access-current-state.md)

+3. [Create a security plan for external access](3-secure-access-plan.md)

+4. [Secure external access with groups in Azure AD and Microsoft 365](4-secure-access-groups.md)

+5. [Transition to governed collaboration with Azure AD B2B collaboration](5-secure-access-b2b.md)

+6. [Manage external access with Azure AD entitlement management](6-secure-access-entitlement-managment.md)

+7. [Manage external access with Conditional Access policies](7-secure-access-conditional-access.md)

+8. [Control external access to resources in Azure AD with sensitivity labels](8-secure-access-sensitivity-labels.md)

+9. [Secure external access to Microsoft Teams, SharePoint, and OneDrive with Azure AD](9-secure-access-teams-sharepoint.md)

+description: Secure access to Microsoft 365 services as a part of your external access security plan

+# Secure external access to Microsoft Teams, SharePoint, and OneDrive with Azure Active Directory

+Use this article to determine and configure your organization's external collaboration using Microsoft Teams, OneDrive for Business, and SharePoint. A common challenge is balancing security and ease of collaboration for end users and external users. If an approved collaboration method is perceived as restrictive and onerous, end users evade the approved method. End users might email unsecured content, or set up external processes and applications, such as a personal DropBox or OneDrive.

+## External Identities settings and Azure Active Directory

+Sharing in Microsoft 365 is partially governed by the **External Identities, External collaboration** settings in Azure Active Directory (Azure AD). If external sharing is disabled or restricted in Azure AD, it overrides sharing settings configured in Microsoft 365. An exception is if Azure AD B2B integration isn't enabled. You can configure SharePoint and OneDrive to support ad-hoc sharing via one-time password (OTP). The following screenshot shows the External Identities, External collaboration settings dialog.

+ 

+Learn more:

+* [Azure Active Directory admin center](https://aad.portal.azure.com/)

+* [External Identities in Azure AD](../external-identities/external-identities-overview.md)

+### Guest user access

+Guest users are invited to have access to resources.

+1. Go to the Azure Active Directory admin center.

+2. Select **All Services**.

+3. Under **Categories**, select **Identity**.

+4. From the list, select **External Identities**.

+5. Select **External collaboration settings**.

+6. Find the **Guest user access** option.

+To prevent guest-user access to other guest-user details, and to prevent enumeration of group membership, select **Guest users have limited access to properties and memberships of directory objects**.

+### Guest invite settings

+Guest invite settings determine who invites guests and how guests are invited. The settings are enabled if the B2B integration is enabled. It's recommended that administrators and users, in the Guest Inviter role, can invite. This setting allows setup of controlled collaboration processes. For example:

+* Team owner submits a ticket requesting assignment to the Guest Inviter role:

+ * Responsible for guest invitations

+ * Agrees to not add users to SharePoint

+ * Performs regular access reviews

+ * Revokes access as needed

+* The IT team:

+ * After training is complete, the IT team grants the Guest Inviter role

+ * To enable access reviews, assigns Azure AD P2 license to the Microsoft 365 group owner

+ * Creates a Microsoft 365 group access review

+ * Confirms access reviews occur

+ * Removes users added to SharePoint

+1. Select **Email one-time passcodes for guests**.

+2. For **Enable guest self-service sign up via user flows**, select **Yes**.

+For the Collaboration restrictions option, the organization's business requirements dictate the choice of invitation.

+* **Allow invitations to be sent to any domain** - any user can be invited

+* **Deny invitations to the specified domains** - any user outside those domains can be invited

+* **Allow invitations only to the specified domains** - any user outside those domains can't be invited

+## External users and guest users in Teams

+Teams differentiates between external users (outside your organization) and guest users (guest accounts). You can manage collaboration setting in the [Teams Admin portal](https://admin.teams.microsoft.com/company-wide-settings/external-communications) under Org-wide settings. Authorized account credentials are required to sign in to the Teams Admin portal.

+* **External Access** - Teams allows external access by default. The organization can communicate with all external domains

+ * Use External Access setting to restrict or allow domains

+* **Guest Access** - manage guest access in Teams

+Learn more: [Use guest access and external access to collaborate with people outside your organization](/microsoftteams/communicate-with-users-from-other-organizations).

+> The External Identities collaboration feaure in Azure AD controls permissions. You can increase restrictions in Teams, but restrictions can't be lower than Azure AD settings.

+Learn more:

+* [Manage external meetings and chat in Microsoft Teams](/microsoftteams/manage-external-access)

+* [Microsoft 365 identity models and Azure AD](/microsoft-365/enterprise/about-microsoft-365-identity)

+* [Identity models and authentication for Microsoft Teams](/microsoftteams/identify-models-authentication)

+* [Sensitivity labels for Microsoft Teams](/microsoftteams/sensitivity-labels)

+SharePoint administrators can find organization-wide settings in the SharePoint admin center. It's recommended that your organization-wide settings are the minimum security levels. Increase security on some sites, as needed. For example, for a high-risk project, restrict users to certain domains, and disable members from inviting guests.

+Learn more:

+* [SharePoint admin center](https://microsoft-admin.sharepoint.com) - access permissions are required

+* [Get started with the SharePoint admin center](/sharepoint/get-started-new-admin-center)

+* [External sharing overview](/sharepoint/external-sharing-overview)

+### Integrating SharePoint and OneDrive with Azure AD B2B

+As a part of your strategy to govern external collaboration, it's recommended you enable SharePoint and OneDrive integration with Azure AD B2B. Azure AD B2B has guest-user authentication and management. With SharePoint and OneDrive integration, use one-time passcodes for external sharing of files, folders, list items, document libraries, and sites.

+Learn more:

+* [Email one-time passcode authentication](../external-identities/one-time-passcode.md)

+* [SharePoint and OneDrive integration with Azure AD B2B](/sharepoint/sharepoint-azureb2b-integration)

+* [B2B collaboration overview](../external-identities/what-is-b2b.md)

+> [!NOTE]

+> If you enable Azure AD B2B integration, then SharePoint and OneDrive sharing is subject to the Azure AD organizational relationships settings, such as **Members can invite** and **Guests can invite**.

+### Sharing policies in SharePoint and OneDrive

+In the Azure AD admin center, you can use the External Sharing settings for SharePoint and OneDrive to help configure sharing policies. OneDrive restrictions can't be more permissive than SharePoint settings.

+Learn more: [External sharing overview](/sharepoint/external-sharing-overview)

+ 

+#### External sharing settings recommendations

+Use the guidance in this section when configuring external sharing.

+* **Anyone** - Not recommended. If enabled, regardless of integration status, no Azure policies are applied for this link type.

+ * Don't enable this functionality for governed collaboration

+ * Use it for restrictions on individual sites

+* **New and existing guests** - Recommended, if integration is enabled

+ * Azure AD B2B integration enabled: new and current guests have an Azure AD B2B guest account you can manage with Azure AD policies

+ * Azure AD B2B integration not enabled: new guests don't have an Azure AD B2B account, and can't be managed from Azure AD

+ * Guests have an Azure AD B2B account, depending on how the guest was created

+* **Existing guests** - Recommended, if you don't have integration enabled

+ * With this option enabled, users can share with other users in your directory

+* **Only people in your organization** - Not recommended with external user collaboration

+ * Regardless of integration status, users can share with other users in your organization

+* **Limit external sharing by domain** - By default, SharePoint allows external access. Sharing is allowed with external domains.

+ * Use this option to restrict or allow domains for SharePoint

+* **Allow only users in specific security groups to share externally** - Use this setting to restrict who shares content in SharePoint and OneDrive. The setting in Azure AD applies to all applications. Use the restriction to direct users to training about secure sharing. Completion is the signal to add them to a sharing security group. If this setting is selected, and users can't become an approved sharer, they might find unapproved ways to share.

+* **Allow guests to share items they donΓÇÖt own** - Not recommended. The guidance is to disable this feature.

+* **People who use a verification code must reauthenticate after this many days (default is 30)** - Recommended

+Access controls setting affect all users in your organization. Because you might not be able to control whether external users have compliant devices, the controls won't be addressed in this article.

+* **Idle session sign-out** - Recommended

+ * Use this option to warn and sign out users on unmanaged devices, after a period of inactivity

+ * You can configure the period of inactivity and the warning

+* **Network location** - Set this control to allow access from IP addresses your organization owns.

+ * For external collaboration, set this control if your external partners access resources when in your network, or with your virtual private network (VPN).

+In the SharePoint admin center, you can set how file and folder links are shared. You can configure the setting for each site.

+ 

+With Azure AD B2B integration enabled, sharing files and folders with users outside the organization results in the creation of a B2B user.

+1. For **Choose the type of link that's selected by default when users share files and folders in SharePoint and OneDrive**, select **Only people in your organization**.

+2. For **Choose the permission that's selected by default for sharing links**, select **Edit**.

+You can customize this setting for a per-site default.

+### Anyone links

+Enabling Anyone links isn't recommended. If you enable it, set an expiration, and restrict users to view permissions. If you select View only permissions for files or folders, users can't change Anyone links to include edit privileges.

+Learn more:

+* [External sharing overview](/sharepoint/external-sharing-overview)

+* [SharePoint and OneDrive integration with Azure AD B2B](/sharepoint/sharepoint-azureb2b-integration)

+## Next steps

+See the following articles to learn more about securing external access to resources. We recommend you follow the listed order.

+1. [Determine your security posture for external access with Azure AD](1-secure-access-posture.md)

+2. [Discover the current state of external collaboration in your organization](2-secure-access-current-state.md)

+3. [Create a security plan for external access](3-secure-access-plan.md)

+4. [Secure external access with groups in Azure AD and Microsoft 365](4-secure-access-groups.md)

+5. [Transition to governed collaboration with Azure AD B2B collaboration](5-secure-access-b2b.md)

+6. [Manage external access with Azure AD entitlement management](6-secure-access-entitlement-managment.md)

+7. [Manage external access with Conditional Access policies](7-secure-access-conditional-access.md)

+8. [Control external access to resources in Azure AD with sensitivity labels](8-secure-access-sensitivity-labels.md)

+9. [Secure external access to Microsoft Teams, SharePoint, and OneDrive with Azure AD](9-secure-access-teams-sharepoint.md) (You're here)

+ Title: Secure on-premises computer accounts with Active Directory

+description: A guide to help secure on-premises computer accounts, or LocalSystem accounts, with Active Directory

+# Secure on-premises computer accounts with Active Directory

+A computer account, or LocalSystem account, is highly privileged with access to almost all resources on the local computer. The account isn't associated with signed-on user accounts. Services run as LocalSystem access network resources by presenting the computer credentials to remote servers in the format `<domain_name>\\<computer_name>$`. The computer account predefined name is `NT AUTHORITY\SYSTEM`. You can start a service and provide security context for that service.

+ 

+A computer account has the following benefits:

+* **Unrestricted local access** - the computer account provides complete access to the machine's local resources

+* **Automatic password management** - removes the need for manually changed passwords. The account is a member of Active Directory, and its password is changed automatically. With a computer account, there's no need to register the service principal name.

+* **Limited access rights off-machine** - the default access-control list in Active Directory Domain Services (AD DS) permits minimal access to computer accounts. During access by an unauthorized user, the service has limited access to network resources.

+## Computer account security-posture assessment

+Use the following table to review potential computer-account issues and mitigations.

+| Computer-account issue | Mitigation |

+| Computer accounts are subject to deletion and re-creation when the computer leaves and rejoins the domain. | Confirm the requirement to add a computer to an Active Directory group. To verify computer accounts added to a group, use the scripts in the following section.|

+| If you add a computer account to a group, services that run as LocalSystem on that computer get group access rights.| Be selective about computer-account group memberships. Don't make a computer account a member of a domain administrator group. The associated service has complete access to AD DS. |

+| Inaccurate network defaults for LocalSystem. | Don't assume the computer account has the default limited access to network resources. Instead, confirm group memberships for the account. |

+| Unknown services that run as LocalSystem. | Ensure services that run under the LocalSystem account are Microsoft services, or trusted services. |

+## Find services and computer accounts

+To find services that run under the computer account, use the following PowerShell cmdlet:

+## Computer account recommendations

+> Computer accounts are highly privileged, therefore use them if your service requires unrestricted access to local resources, on the machine, and you can't use a managed service account (MSA).

+* Confirm the service owner's service runs with an MSA

+* Use a group managed service account (gMSA), or a standalone managed service account (sMSA), if your service supports it

+* Use a domain user account with the permissions needed to run the service

+* [Securing on-premises service accounts](service-accounts-on-premises.md)

+* [Secure user-based service accounts in Active Directory](service-accounts-user-on-premises.md)

+|Microsoft Authenticator app [Number matching](../authentication/how-to-mfa-number-match.md)|Feature change|Feb 27, 2023|Feb 27, 2023|

+|[Azure AD Authentication Library (ADAL)](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-september-2022-train/ba-p/2967454)|Retirement|Jun 30, 2023|Jun 30, 2023|

+|[Azure AD Graph API](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-september-2022-train/ba-p/2967454)|Deprecation|Jun 30, 2023|Jun 30, 2023|

+In this tutorial, an administrator of the application learns how to:

+You can also download an active or inactive certificate by selecting the **SAML Signing Certificate** heading's **Edit** icon (a pencil), which displays the **SAML Signing Certificate** page. Select the ellipsis (**...**) next to the certificate you want to download, and then choose which certificate format you want. You have the other option to download the certificate in privacy-enhanced mail (PEM) format. This format is identical to Base64 but with a **.pem** file name extension, which isn't recognized in Windows as a certificate format.

+By default, Azure configures a certificate to expire after three years when it's created automatically during SAML single sign-on configuration. Because you can't change the date of a certificate after you save it, you've to:

+If you intend to keep certificate expiry validation disabled, then the new certificate shouldn't be created until your scheduled maintenance window for the certificate rollover. If both an expired and an inactive valid certificate exist on the application, Azure AD will automatically utilize the valid certificate. In this case, users may experience application outage.

+Azure AD will send an email notification 60, 30, and 7 days before the SAML certificate expires. You may add more than one email address to receive notifications. To specify the email address(es), you want the notifications to be sent to:

+1. For each email address you want to delete, select the **Delete** icon (garbage can) next to the email address.

+## Step 5: Create a configuration in the source tenant

+#### Symptom - Unable to delete a configuration

+On the **Configurations** page, there isn't a way to delete a configuration.

+**Cause**

+Currently, there isn't a way to delete a configuration on the **Configurations** page. Instead, you must delete the configuration in **Enterprise applications**.

+**Solution**

+1. In the source tenant, select **Azure Active Directory** > **Enterprise applications**.

+1. In the list of all applications, find the name of your configuration. If necessary, you can search by the configuration name.

+1. Select the configuration and then select **Properties**.

+1. Select **Delete** and then **Yes** to delete the configuration.

+ :::image type="content" source="./media/cross-tenant-synchronization-configure/enterprise-applications-configuration-delete.png" alt-text="Screenshot of the Enterprise applications Properties page showing how to delete a configuration." lightbox="./media/cross-tenant-synchronization-configure/enterprise-applications-configuration-delete.png":::

+Once you have your endpoint established, go to **Azure AD** and then **Diagnostic settings.** From here, you can choose what logs to send to the endpoint of your choice. For more information, see the **Create diagnostic settings** section of the [Diagnostic settings in Azure Monitor](../../azure-monitor/essentials/diagnostic-settings.md#create-diagnostic-settings) article.

+If you already have an Azure AD license, you need an Azure subscription to set up the storage account and Event Hubs. The Azure subscription comes at no cost, but you have to pay to utilize Azure resources. These resources could include the storage account that you use for archival and the Event Hubs that you use for streaming. The amount of data and, thus, the cost incurred, can vary significantly depending on the tenant size.

+Every audit log event uses about 2 KB of data storage. Sign-in event logs are about 4 KB of data storage. For a tenant with 100,000 users, which would incur about 1.5 million events per day, you would need about 3 GB of data storage per day. Because writes occur in approximately five-minute batches, you can anticipate around 9,000 write operations per month.

+For example, about 18 events per second ordinarily occur for a large tenant of more than 100,000 users, a rate that equates to 5,400 events every five minutes. Audit logs are about 2 KB per event, which equates to 10.8 MB of data. Therefore, 43 messages are sent to the event hub in that five-minute interval.

+The following table contains estimated costs per month for a basic event hub in West US. The volume of event data can vary from tenant to tenant, based on factors like user sign-in behavior. To calculate an accurate estimate of the data volume that you anticipate for your application, use the [Event Hubs pricing calculator](https://azure.microsoft.com/pricing/details/event-hubs/).

+**Q: How do I integrate Azure AD activity logs with my SIEM tools?**

+**A**: You can do integrate with your SIEM tools in two ways:

+- Use Azure Monitor with Event Hubs to stream logs to your SIEM tool. First, [stream the logs to an event hub](tutorial-azure-monitor-stream-logs-to-event-hub.md) and then [set up your SIEM tool](tutorial-azure-monitor-stream-logs-to-event-hub.md#access-data-from-your-event-hub) with the configured event hub.

+- Helpdesk administrators who need to look at applied Conditional Access policies to understand if a policy is the root cause of a ticket that a user opened.

+- Tenant administrators who need to verify that Conditional Access policies have the intended effect on the users of a tenant.

+To see applied Conditional Access policies in the sign-in logs, administrators must have permissions to view *both* the logs and the policies. The least privileged built-in role that grants *both* permissions is *Security Reader*. As a best practice, your Global Administrator should add the Security Reader role to the related administrator accounts.

+The following built-in roles grant permissions to *read Conditional Access policies*:

+The following built-in roles grant permission to *view sign-in logs*:

+The following permissions are the least privileged permissions with the necessary access:

+- To consent to the necessary permissions: `Connect-MgGraph -Scopes Policy.Read.ConditionalAccess, AuditLog.Read.All, Directory.Read.All`

+- To view the sign-in logs: `Get-MgAuditLogSignIn`

+## View Conditional Access policies in Azure AD sign-in logs

+The activity details of sign-in logs contain several tabs. The **Conditional Access** tab lists the Conditional Access policies applied to that sign-in event.

+1. Sign in to the [Azure portal](https://portal.azure.com) using the Security Reader role.

+1. In the **Monitoring** section, select **Sign-in logs**.

+1. Select a sign-in item from the table to open the **Activity Details: Sign-ins context** pane.

+1. Select the **Conditional Access** tab.

+If you don't see the Conditional Access policies, confirm you're using a role that provides access to both the sign-in logs and the Conditional Access policies.

+* [Troubleshoot sign-in problems](../conditional-access/troubleshoot-conditional-access.md#azure-ad-sign-in-events)

+* [Review the Conditional Access sign-in logs FAQs](reports-faq.yml#conditional-access)

+* [Learn about the sign-in logs](concept-sign-ins.md)

+

+ * `AADServicePrincipalRiskEvents`

+ * `EnrichedOffice365AuditLogs`

+- [Risky sign-ins report](../identity-protection/howto-identity-protection-investigate-risk.md#risky-sign-ins)

+ Title: Azure Active Directory data retention | Microsoft Docs

+description: Learn how long Azure Active Directory stores the various types of reporting data.

+# Azure Active Directory data retention

+## When does Azure AD start collecting data?

+If you already have activities data with your free license, then you can see it immediately on upgrade. If you donΓÇÖt have any data, then it will take up to three days for the data to show up in the reports after you upgrade to a premium license. For security signals, the collection process starts when you opt-in to use the **Identity Protection Center**.

+## How long does Azure AD store the data?

+You can retain the audit and sign-in activity data for longer than the default retention period outlined in the previous table by routing it to an Azure storage account using Azure Monitor. For more information, see [Archive Azure AD logs to an Azure storage account](quickstart-azure-monitor-route-logs-to-storage-account.md).

+## Can I see last month's data after getting an Azure AD premium license?

+## Next steps

+- [Stream logs to an event hub](tutorial-azure-monitor-stream-logs-to-event-hub.md)

+- [Learn how to download Azure AD logs](howto-download-logs.md)

+API Server VNet Integration is available in all global Azure regions.

+[operator-best-practices-network]: operator-best-practices-network.md

+> - UK South

+> - Australia East

+Values for *httpProxy*, and *httpsProxy* can't be changed after cluster creation. However, the values for *trustedCa* and *NoProxy* can be changed and applied to the cluster with the [az aks update][az-aks-update] command. An aks update for *NoProxy* will automatically inject new environment variables into pods with the new *NoProxy* values. Pods must be rotated for the apps to pick it up. For components under kubernetes, like containerd and the node itself, this won't take effect until a node image upgrade is performed.

+It's common to use pipelines to build and deploy images on Azure Kubernetes Service (AKS) clusters. While great for image creation, this process often doesn't account for the stale images left behind and can lead to image bloat on cluster nodes. These images can present security issues as they may contain vulnerabilities. By cleaning these unreferenced images, you can remove an area of risk in your clusters. When done manually, this process can be time intensive, which Image Cleaner can mitigate via automatic image identification and removal.

+> Image Cleaner is a feature based on [Eraser](https://github.com/Azure/eraser).

+Deletion image logs are stored in `eraser-aks-nodepool-xxx` pods for manually deleted images, and in `eraser-collector-xxx` pods for automatically deleted images.

+You can view these logs by running `kubectl logs <pod name> -n kubesystem`. However, this command may return only the most recent logs, since older logs are routinely deleted. To view all logs, follow these steps to enable the [Azure Monitor add-on](./monitor-aks.md) and use the Container Insights pod log table.

+1. Ensure that Azure monitoring is enabled on the cluster. For detailed steps, see [Enable Container Insights for AKS cluster](../azure-monitor/containers/container-insights-enable-aks.md#existing-aks-cluster).

+1. Get the Log Analytics resource ID:

+ ```azurecli

+ az aks show -g <resourceGroupofAKSCluster> -n <nameofAksCluster>

+ ```

+ After a few minutes, the command returns JSON-formatted information about the solution, including the workspace resource ID:

+ ```json

+ "addonProfiles": {

+ "omsagent": {

+ "config": {

+ "logAnalyticsWorkspaceResourceID": "/subscriptions/<WorkspaceSubscription>/resourceGroups/<DefaultWorkspaceRG>/providers/Microsoft.OperationalInsights/workspaces/<defaultWorkspaceName>"

+ },

+ "enabled": true

+ }

+ }

+ ```

+1. In the Azure portal, search for the workspace resource ID, then select **Logs**.

+1. Copy this query into the table, replacing `name` with either `eraser-aks-nodepool-xxx` (for manual mode) or `eraser-collector-xxx` (for automatic mode).

+ ```kusto

+ let startTimestamp = ago(1h);

+ KubePodInventory

+ | where TimeGenerated > startTimestamp

+ | project ContainerID, PodName=Name, Namespace

+ | where PodName contains "name" and Namespace startswith "kube-system"

+ | distinct ContainerID, PodName

+ | join

+ (

+ ContainerLog

+ | where TimeGenerated > startTimestamp

+ )

+ on ContainerID

+ // at this point before the next pipe, columns from both tables are available to be "projected". Due to both

+ // tables having a "Name" column, we assign an alias as PodName to one column which we actually want

+ | project TimeGenerated, PodName, LogEntry, LogEntrySource

+ | summarize by TimeGenerated, LogEntry

+ | order by TimeGenerated desc

+ ```

+1. Select **Run**. Any deleted image logs will appear in the **Results** area.

+ :::image type="content" source="media/image-cleaner/eraser-log-analytics.png" alt-text="Screenshot showing deleted image logs in the Azure portal." lightbox="media/image-cleaner/eraser-log-analytics.png":::

+ > [!NOTE]

+ > App Configuration references do not yet support network-restricted configuration stores.

+## Granting your app access to referenced key vaults

+In addition to storing raw configuration values, Azure App Configuration has its own format for storing [Key Vault references][app-config-key-vault-references]. If the value of an App Configuration reference is a Key Vault reference in App Configuration store, your app will also need to have permission to access the key vault being specified.

+> [!NOTE]

+> [The Azure App Configuration Key Vault references concept][app-config-key-vault-references] should not be confused with [the App Service and Azure Functions Key Vault references concept][app-service-key-vault-references]. Your app may use any combination of these, but there are some important differences to note. If your vault needs to be network restricted or you need the app to periodically update to latest versions, consider using the App Service and Azure Functions direct approach instead of using an App Configuration reference.

+[app-config-key-vault-references]: ../azure-app-configuration/use-key-vault-references-dotnet-core.md

+[app-service-key-vault-references]: app-service-key-vault-references.md

+1. Identify the identity that you used for the App Configuration reference. Access to the vault must be granted to that same identity.

+1. Create an [access policy in Key Vault](../key-vault/general/security-features.md#privileged-access) for that identity. Enable the "Get" secret permission on this policy. Do not configure the "authorized application" or `applicationId` settings, as this is not compatible with a managed identity.

+ Title: "Quickstart: Form Recognizer Studio | v3.0"

+description: Form and document processing, data extraction, and analysis using Form Recognizer Studio

+monikerRange: 'form-recog-3.0.0'

+# Get started: Form Recognizer Studio

+[Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/) is an online tool for visually exploring, understanding, and integrating features from the Form Recognizer service in your applications. You can get started by exploring the pre-trained models with sample or your own documents. You can also create projects to build custom template models and reference the models in your applications using the [Python SDK](get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true) and other quickstarts.

+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE56n49]

+## Prerequisites for new users

+* An active [**Azure account**](https://azure.microsoft.com/free/cognitive-services/). If you don't have one, you can [**create a free account**](https://azure.microsoft.com/free/).

+* A [**Form Recognizer**](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer) or [**Cognitive Services multi-service**](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne) resource.

+> [!TIP]

+> Create a Cognitive Services resource if you plan to access multiple cognitive services under a single endpoint/key. For Form Recognizer access only, create a Form Recognizer resource. Please note that you'll need a single-service resource if you intend to use [Azure Active Directory authentication](../../../active-directory/authentication/overview-authentication.md).

+## Prebuilt models

+Prebuilt models help you add Form Recognizer features to your apps without having to build, train, and publish your own models. You can choose from several prebuilt models, each of which has its own set of supported data fields. The choice of model to use for the analyze operation depends on the type of document to be analyzed. The following prebuilt models are currently supported by Form Recognizer:

+* [**General document**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=document): extract text, tables, structure, key-value pairs and named entities.

+* [**W-2**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=tax.us.w2): extract text and key information from W-2 tax forms.

+* [**Read**](https://formrecognizer.appliedai.azure.com/studio/read): extract text lines, words, their locations, detected languages, and handwritten style if detected from documents (PDF, TIFF) and images (JPG, PNG, BMP).

+* [**Layout**](https://formrecognizer.appliedai.azure.com/studio/layout): extract text, tables, selection marks, and structure information from documents (PDF, TIFF) and images (JPG, PNG, BMP).

+* [**Invoice**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=invoice): extract text, selection marks, tables, key-value pairs, and key information from invoices.

+* [**Receipt**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=receipt): extract text and key information from receipts.

+* [**ID document**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=idDocument): extract text and key information from driver licenses and international passports.

+* [**Business card**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=businessCard): extract text and key information from business cards.

+After you've completed the prerequisites, navigate to [Form Recognizer Studio General Documents](https://formrecognizer.appliedai.azure.com/studio/document).

+In the following example, we use the General Documents feature. The steps to use other pre-trained features like [W2 tax form](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=tax.us.w2), [Read](https://formrecognizer.appliedai.azure.com/studio/read), [Layout](https://formrecognizer.appliedai.azure.com/studio/layout), [Invoice](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=invoice), [Receipt](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=receipt), [Business card](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=businessCard), and [ID documents](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=idDocument) models are similar.

+ :::image border="true" type="content" source="../media/quickstarts/form-recognizer-general-document-demo-preview3.gif" alt-text="Selecting the General Document API to analysis a document in the Form Recognizer Studio.":::

+1. Select a Form Recognizer service feature from the Studio home page.

+1. This step is a one-time process unless you've already selected the service resource from prior use. Select your Azure subscription, resource group, and resource. (You can change the resources anytime in "Settings" in the top menu.) Review and confirm your selections.

+1. Select the Analyze button to run analysis on the sample document or try your document by using the Add command.

+1. Use the controls at the bottom of the screen to zoom in and out and rotate the document view.

+1. Observe the highlighted extracted content in the document view. Hover your mouse over the keys and values to see details.

+1. In the output section's Result tab, browse the JSON output to understand the service response format.

+1. In the Code tab, browse the sample code for integration. Copy and download to get started.

+## Added prerequisites for custom projects

+In addition to the Azure account and a Form Recognizer or Cognitive Services resource, you'll need:

+### Azure Blob Storage container

+A **standard performance** [**Azure Blob Storage account**](https://portal.azure.com/#create/Microsoft.StorageAccount-ARM). You'll create containers to store and organize your training documents within your storage account. If you don't know how to create an Azure storage account with a container, following these quickstarts:

+* [**Create a storage account**](../../../storage/common/storage-account-create.md). When creating your storage account, make sure to select **Standard** performance in the **Instance details → Performance** field.

+* [**Create a container**](../../../storage/blobs/storage-quickstart-blobs-portal.md#create-a-container). When creating your container, set the **Public access level** field to **Container** (anonymous read access for containers and blobs) in the **New Container** window.

+### Configure CORS

+[CORS (Cross Origin Resource Sharing)](/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services) needs to be configured on your Azure storage account for it to be accessible from the Form Recognizer Studio. To configure CORS in the Azure portal, you'll need access to the CORS tab of your storage account.

+1. Select the CORS tab for the storage account.

+ :::image type="content" source="../media/quickstarts/cors-setting-menu.png" alt-text="Screenshot of the CORS setting menu in the Azure portal.":::

+1. Start by creating a new CORS entry in the Blob service.

+1. Set the **Allowed origins** to `https://formrecognizer.appliedai.azure.com`.

+ :::image type="content" source="../media/quickstarts/cors-updated-image.png" alt-text="Screenshot that shows CORS configuration for a storage account.":::

+ > [!TIP]

+ > You can use the wildcard character '*' rather than a specified domain to allow all origin domains to make requests via CORS.

+1. Select all the available 8 options for **Allowed methods**.

+1. Approve all **Allowed headers** and **Exposed headers** by entering an * in each field.

+1. Set the **Max Age** to 120 seconds or any acceptable value.

+1. Select the save button at the top of the page to save the changes.

+CORS should now be configured to use the storage account from Form Recognizer Studio.

+### Sample documents set

+1. Go to the [Azure portal](https://portal.azure.com/#home) and navigate as follows: **Your storage account** → **Data storage** → **Containers**

+ :::image border="true" type="content" source="../media/sas-tokens/data-storage-menu.png" alt-text="Screenshot: Data storage menu in the Azure portal.":::

+1. Select a **container** from the list.

+1. Select **Upload** from the menu at the top of the page.

+ :::image border="true" type="content" source="../media/sas-tokens/container-upload-button.png" alt-text="Screenshot: container upload button in the Azure portal.":::

+1. The **Upload blob** window will appear.

+1. Select your file(s) to upload.

+ :::image border="true" type="content" source="../media/sas-tokens/upload-blob-window.png" alt-text="Screenshot: upload blob window in the Azure portal.":::

+> [!NOTE]

+> By default, the Studio will use form documents that are located at the root of your container. However, you can use data organized in folders by specifying the folder path in the Custom form project creation steps. *See* [**Organize your data in subfolders**](../build-training-data-set.md#organize-your-data-in-subfolders-optional)

+## Custom models

+To create custom models, you start with configuring your project:

+1. From the Studio home, select the Custom model card to open the Custom models page.

+1. Use the "Create a project" command to start the new project configuration wizard.

+1. Enter project details, select the Azure subscription and resource, and the Azure Blob storage container that contains your data.

+1. Review and submit your settings to create the project.

+1. From the labeling view, define the labels and their types that you're interested in extracting.

+1. Select the text in the document and select the label from the drop-down list or the labels pane.

+1. Label four more documents to get at least five documents labeled.

+1. Select the Train command and enter model name, select whether you want the custom template (form) or custom neural (document) model to start training your custom model.

+1. Once the model is ready, use the Test command to validate it with your test documents and observe the results.

+### Labeling as tables

+> [!NOTE]

+> * With the release of API versions 2022-06-30-preview and later, custom template models will add support for [cross page tabular fields (tables)](../concept-custom-template.md#tabular-fields).

+> * With the release of API versions 2022-06-30-preview and later, custom neural models will support [tabular fields (tables)](../concept-custom-template.md#tabular-fields) and models trained with API version 2022-08-31, or later will accept tabular field labels.

+1. Use the Delete command to delete models that aren't required.

+1. Download model details for offline viewing.

+1. Select multiple models and compose them into a new model to be used in your applications.

+Using tables as the visual pattern:

+For custom form models, while creating your custom models, you may need to extract data collections from your documents. Data collections may appear in a couple of formats. Using tables as the visual pattern:

+* Dynamic or variable count of values (rows) for a given set of fields (columns)

+* Specific collection of values for a given set of fields (columns and/or rows)

+**Label as dynamic table**

+Use dynamic tables to extract variable count of values (rows) for a given set of fields (columns):

+1. Add a new "Table" type label, select "Dynamic table" type, and name your label.

+1. Add the number of columns (fields) and rows (for data) that you need.

+1. Select the text in your page and then choose the cell to assign to the text. Repeat for all rows and columns in all pages in all documents.

+**Label as fixed table**

+Use fixed tables to extract specific collection of values for a given set of fields (columns and/or rows):

+1. Create a new "Table" type label, select "Fixed table" type, and name it.

+1. Add the number of columns and rows that you need corresponding to the two sets of fields.

+1. Select the text in your page and then choose the cell to assign it to the text. Repeat for other documents.

+### Signature detection

+>[!NOTE]

+> Signature fields are currently only supported for custom template models. When training a custom neural model, labeled signature fields are ignored.

+To label for signature detection: (Custom form only)

+1. In the labeling view, create a new "Signature" type label and name it.

+1. Use the Region command to create a rectangular region at the expected location of the signature.

+1. Select the drawn region and choose the Signature type label to assign it to your drawn region. Repeat for other documents.

+## Next steps

+* Follow our [**Form Recognizer v3.0 migration guide**](../v3-migration-guide.md) to learn the differences from the previous version of the REST API.

+* Explore our [**v3.0 SDK quickstarts**](get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true) to try the v3.0 features in your applications using the new SDKs.

+* Refer to our [**v3.0 REST API quickstarts**](get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true) to try the v3.0 features using the new REST API.

+[Get started with the Form Recognizer Studio](https://formrecognizer.appliedai.azure.com).

+ |Auto Sync¹ | Setting that turns on or off automatic synchronization when a commit is made in the source control repository or GitHub repo. |

+ ^{1 To enable Auto Sync when configuring the source control integration with Azure DevOps, you must be the Project Administrator or the GitHub repo owner. Collaborators can only configure Source Control without Auto Sync.}</br>

+* At least 850 MB free for the Arc agents that will be deployed on the cluster, and capacity to use approximately 7% of a single CPU. For a multi-node Kubernetes cluster environment, pods can get scheduled on different nodes.

+* At least 850 MB free for the Arc agents that will be deployed on the cluster, and capacity to use approximately 7% of a single CPU. For a multi-node Kubernetes cluster environment, pods can get scheduled on different nodes.

+* Oracle Linux 7 and 8

+Example keyEncryptionKeyUrl: `https://test-key-vault.vault.azure.net/keys/testKey/testKeyVersionGuid`

+> The `InsecureTokenProvider` should only be used for development purposes because **using it exposes the tenant key secret in your client-side code bundle.** This must be replaced with an implementation of [ITokenProvider](https://fluidframework.com/docs/apis/azure-client/itokenprovider-interface/) that fetches the token from your own backend service that is responsible for signing it with the tenant key. An example implementation is [AzureFunctionTokenProvider](https://fluidframework.com/docs/apis/azure-client/azurefunctiontokenprovider-class). For more information, see [How to: Write a TokenProvider with an Azure Function](../how-tos/azure-function-token-provider.md). Note that the `id` and `name` fields are arbitrary.

+const user = { id: "userId", name: "userName" };

+ tokenProvider: new InsecureTokenProvider("myTenantKey", user),

+service configuration values. These values can be found in the "Access Key" section of the Fluid Relay resource in the Azure portal. Your `serviceConfig` object should look like this with the values replaced. (For information about how to find these values, see [How to: Provision an Azure Fluid Relay service](../how-tos/provision-fluid-azure-portal.md).) Note that the `id` and `name` fields are arbitrary.

+const user = { id: "userId", name: "userName" };

+ tokenProvider: new InsecureTokenProvider("" /* REPLACE WITH YOUR PRIMARY KEY */, user),

+While the function app is running, Netherite will publish load information about its active partitions to an Azure Storage table named "DurableTaskPartitions". You can use [Azure Storage Explorer](/azure/vs-azure-tools-storage-manage-with-storage-explorer) to check that it's working as expected. If Netherite is running correctly, the table won't be empty; see the example below.

+You need to create an Azure Functions app on Azure. To do this, follow the instructions in the **Create a function app** section of [these instructions](/azure/azure-functions/functions-create-function-app-portal#create-a-function-app-a-function).

+Follow [these steps](/azure/event-hubs/event-hubs-create#create-an-event-hubs-namespace) to create an Event Hubs namespace on the Azure portal. When creating the namespace, you may be prompted to:

+For more information about the Netherite architecture, configuration, and workload behavior, including performance benchmarks, we recommend you take a look at the [Netherite documentation](https://microsoft.github.io/durabletask-netherite/#/).

+|[Advizex Technologies](https://advizex.com/)|

+|[AG Grace Inc](https://aggrace.com/)|

+|[Arctic IT](https://arcticit.com/)|

+|[Caloudi Corporation](https://www.caloudi.com/)|

+|[CDI LLC](https://www.cdillc.com/)|

+|[Cobalt](https://www.cobalt.net/)|

+|[CompuNet Inc.](https://compunet.biz/)|

+|[Core BTS](https://corebts.com/)|

+|[Derek Coleman & Associates Corporation](https://www.dcassociatesgroup.com/https://docsupdatetracker.net/index.html)|

+|[Lunavi](https://www.lunavi.com/)|

+|[Overview Technology Solutions Inc.](https://overviewts.com/)|

+|Philistin & Heller Group, Inc.|

+|[Ridge IT](https://www.ridgeit.com/)|

+|[Syndo LLC](https://www.syndo.llc/)|

+|[TAU SIX LLC](https://www.tau-six.com/)|

+|[Tyto Athene LLC](https://gotyto.com/)|

+|[Zolon Tech](https://www.zolontech.com/)|

+|[Applied Research Solutions](https://www.appliedres.com)|

+|[Coretek](https://www.coretek.com/)|

+|[Leidos](https://www.leidos.com/)|

+|[SentinelBlue LLC](https://www.sentinelblue.com/)|

+> The only permission required to delete a resource group is permission to the delete action for deleting resource groups. You do **not** need permission to delete individual resources within that resource group. Additionally, delete actions that are specified in **notActions** for a roleAssignment are superseded by the resource group delete action. This is consistent with the scope heirarchy in the Azure role-based access control model.

+- [Authorize request to SignalR resources with Azure AD from managed identities](signalr-howto-authorize-managed-identity.md)

+* Short-term retention can be "daily". Retention for "Weekly", "monthly" or "yearly" backup points is referred to as Long-term retention.

+|Remote Session over TLS and firewall traversal for RDP/SSH|Azure Bastion uses an HTML5 based web client that is automatically streamed to your local device. Your RDP/SSH session is over TLS on port 443. This enables the traffic to traverse firewalls more securely. Bastion supports TLS 1.2 and above. Older TLS versions are not supported.|

+This section helps you upload files from your local computer to your target VM over SSH or RDP using the **az network bastion tunnel** command. To learn more about the tunnel command and how to connect, see [Connect to a VM using a native client](connect-native-client-windows.md).

+ 1. If you choose to **Create a new SAP transport Directory**, this will create and mount a new transport fileshare on the SID. By Default, this option will create an NFS on AFS storage account and a transport fileshare in the resource group where SAP system will be deployed. However, you can choose to create this storage account in a different resource group by providing the resource group name in **Transport Resource Group**. You can also provide a custom name for the storage account to be created under **Storage account name** section. Leaving the **Storage account name** will create the storage account with service default name **""SIDname""nfs""random characters""** in the chosen transport resource group. Creating a new transport directory will create a ZRS based replication for zonal deployments and LRS based replication for non-zonal deployments. If your region doesn't support ZRS replication deploying a zonal VIS will lead to a failure. In such cases, you can deploy a transport fileshare outside ACSS with ZRS replication and then create a zonal VIS where you select **Use an existing SAP transport Directory** to mount the pre-created fileshare.

+ 1. If you choose to **Use an existing SAP transport Directory**, select the pre - existing NFS fileshare under **File share name** option. The existing transport fileshare will be only mounted on this SID. The selected fileshare shall be in the same region as that of SAP system being created. Currently, file shares existing in a different region can not be selected. Provide the associated privated endpoint of the storage account where the selected fileshare exists under **Private Endpoint** option.

+ 1. You can skip the creation of transport file share by selecting **Dont include SAP transport directory** option. The transport fileshare will neither be created or mounted for this SID.

+1. Under **Configuration Details**, enter the FQDN for your SAP System.

+ Title: Get SAP installation media (preview)

+description: Learn how to download the necessary SAP media for installing the SAP software and upload it for use with Azure Center for SAP solutions.

+#Customer intent: As a developer, I want to download the necessary SAP media for installing the SAP software and upload it for us with Azure Center for SAP solutions.

+# Get SAP installation media (preview)

+After you've [created infrastructure for your new SAP system using *Azure Center for SAP solutions*](deploy-s4hana.md), you need to install the SAP software on your SAP system. However, before you can do this installation, you need to get and upload the SAP installation media for use with Azure Center for SAP solutions.

+In this how-to guide, you'll learn how to get the SAP software installation media through different methods. You'll also learn how to upload the SAP media to an Azure Storage account to prepare for installation. The recommended method is to [run a pre-installation script to automate this upload process](#scripted-upload-method), however, you can also [manually upload the components](#manual-upload-method).

+## Prerequisites

+- An Azure subscription.

+- An Azure account with **Contributor** role access to the subscriptions and resource groups in which the Virtual Instance for SAP solutions exists.

+- A **User-assigned managed identity** with **Storage Blob Data Reader** and **Reader and Data Access** roles on the storage account which has the SAP software.

+- A [network set up for your infrastructure deployment](prepare-network.md).

+- A deployment of S/4HANA infrastructure.

+- The SSH private key for the virtual machines in the SAP system. You generated this key during the infrastructure deployment.

+- If you're installing a Highly Available (HA) SAP system, get the Service Principal identifier (SPN ID) and password to authorize the Azure fence agent (fencing device) against Azure resources.

+ - For more information, see [Use Azure CLI to create an Azure AD app and configure it to access Media Services API](/azure/media-services/previous/media-services-cli-create-and-configure-aad-app).

+ - For an example, see the Red Hat documentation for [Creating an Azure Active Directory Application](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/deploying_red_hat_enterprise_linux_7_on_public_cloud_platforms/configuring-rhel-high-availability-on-azure_cloud-content#azure-create-an-azure-directory-application-in-ha_configuring-rhel-high-availability-on-azure).

+ - To avoid frequent password expiry, use the Azure Command-Line Interface (Azure CLI) to create the Service Principal identifier and password instead of the Azure portal.

+## Supported software

+Azure Center for SAP solutions supports the following SAP software versions: S/4HANA 1909 SPS 03, S/4HANA 2020 SPS 03, and S/4HANA 2021 ISS 00.

+The following operating system (OS) software versions are compatible with these SAP software versions:

+| Publisher | Version | Generation SKU | Patch version name | Supported SAP Software Version |

+| | - | -- | | |

+| Red Hat | RHEL-SAP-HA (8.2 HA Pack) | 82sapha-gen2 | 8.2.2021091202 | S/4HANA 1909 SPS 03, S/4HANA 2020 SPS 03, S/4HANA 2021 ISS 00 |

+| Red Hat | RHEL-SAP-HA (8.4 HA Pack) | 84sapha-gen2 | 8.4.2021091202 | S/4HANA 1909 SPS 03, S/4HANA 2020 SPS 03, S/4HANA 2021 ISS 00 |

+| SUSE | sles-sap-15-sp3 | gen2 | 2022.01.26 | S/4HANA 1909 SPS 03, S/4HANA 2020 SPS 03, S/4HANA 2021 ISS 00 |

+| SUSE | sles-sap-12-sp4 | gen2 | 2022.02.01 | S/4HANA 1909 SPS 03 |

+## Required components

+The following components are necessary for the SAP installation.

+- SAP software installation media (part of the `sapbits` container described later in this article)

+ - All essential SAP packages (*SWPM*, *SAPCAR*, etc.)

+ - SAP software (for example, *S/4HANA 2021 ISS 00*)

+- Supporting software packages for the installation process. (These packages are downloaded automatically and used by Azure Center for SAP solutions during the installation.)

+ - `pip3` version `pip-21.3.1.tar.gz`

+ - `wheel` version 0.37.1

+ - `jq` version 1.6

+ - `ansible` version 2.9.27

+ - `netaddr` version 0.8.0

+- The SAP Bill of Materials (BOM), as generated by Azure Center for SAP solutions. These YAML files list all required SAP packages for the SAP software installation. There's a main BOM (`S41909SPS03_v0011ms.yaml`, `S42020SPS03_v0003ms.yaml`, `S4HANA_2021_ISS_v0001ms.yaml`) and dependent BOMs (`HANA_2_00_059_v0004ms.yaml`, `HANA_2_00_064_v0001ms.yaml` `SUM20SP15_latest.yaml`, `SWPM20SP13_latest.yaml`). They provide the following information:

+ - The full name of the SAP package (`name`)

+ - The package name with its file extension as downloaded (`archive`)

+ - The checksum of the package as specified by SAP (`checksum`)

+ - The shortened filename of the package (`filename`)

+ - The SAP URL to download the software (`url`)

+- Template or INI files, which are stack XML files required to run the SAP packages.

+## Scripted upload method

+To prepare for SAP installation, you can upload the SAP components to your Azure Storage account using script. This method is recommended.

+### Set up storage account

+Before downloading the SAP software, set up an Azure Storage account to store the components.

+1. [Create an Azure Storage account through the Azure portal](../storage/common/storage-account-create.md). Make sure to create the storage account in the same subscription as your SAP system infrastructure.

+1. Create a container within the Azure Storage account named `sapbits`.

+ 1. On the storage account's sidebar menu, select **Containers** under **Data storage**.

+ 1. Select **+ Container**.

+ 1. On the **New container** pane, for **Name**, enter `sapbits`.

+ 1. Select **Create**.

+

+ 1. Grant the **User-assigned managed identity**, which was used during infrastructure deployment, **Storage Blob Data Reader** and **Reader and Data Access** role access on this storage account.

+### Create virtual machine

+Next, set up a virtual machine (VM) where you will download the SAP components later.

+1. Create a **Ubuntu 20.04** VM in Azure. For more information, see [how to create a Linux VM in the Azure portal](../virtual-machines/linux/quick-create-portal.md).

+1. Sign in to the VM.

+1. Install the Azure CLI on the VM.

+ ```bash

+ curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

+ ```

+1. [Update the Azure CLI](/cli/azure/update-azure-cli) to version 2.30.0 or higher.

+1. Sign in to Azure.

+ ```azurecli

+ az login

+ ```

+1. Install Ansible 2.9.27 on the VM.

+ ```bash

+ sudo pip3 install ansible==2.9.27

+ ```

+

+1. Clone the SAP automation repository from GitHub.

+ ```git bash

+ git clone https://github.com/Azure/sap-automation.git

+ ```

+1. Change the branch to `main`.

+ ```git bash

+ git checkout main

+ ```

+

+1. Optionally, check that your current branch is `main`.

+ ```git bash

+ git status

+ ```

+### Download SAP media with script

+Next, download the SAP installation media to the VM using a script.

+1. Run the Ansible script **playbook_bom_download** with your own information.

+ The Ansible command that you run should look like:

+ ```azurecli

+ ansible-playbook ./sap-automation/deploy/ansible/playbook_bom_downloader.yaml -e "bom_base_name=S41909SPS03_v0011ms" -e "deployer_kv_name=dummy_value" -e "s_user=<username>" -e "s_password=<password>" -e "sapbits_access_key=<storageAccountAccessKey>" -e "sapbits_location_base_path=<containerBasePath>"

+ ```

+1. When asked if you have a storage account, enter `Y`.

+

+ 1. For `<username>`, use your SAP username.

+

+ 1. For `<password>`, use your SAP password.

+

+1. For `<bom_base_name>`, use the SAP Version you want to install i.e. **_S41909SPS03_v0011ms_** or **_S42020SPS03_v0003ms_** or **_S4HANA_2021_ISS_v0001ms_**

+

+1. For `<storageAccountAccessKey>`, use your storage account's access key. To find the storage account's key:

+ 1. Find the storage account in the Azure portal that you created.

+

+ 1. On the storage account's sidebar menu, select **Access keys** under **Security + networking**.

+

+ 1. For **key1**, select **Show key and connection string**.

+

+ 1. Copy the **Key** value.

+

+1. For `<containerBasePath>`, use the path to your `sapbits` container. To find the container path:

+ 1. Find the storage account that you created in the Azure portal.

+

+ 1. Find the container named `sapbits`.

+

+ 1. On the container's sidebar menu, select **Properties** under **Settings**.

+

+ 1. Copy down the **URL** value. The format is `https://<your-storage-account>.blob.core.windows.net/sapbits`. The format is `https://<your-storage-account>.blob.core.windows.net/sapbits`.

+Now you can [install the SAP software](install-software.md) through Azure Center for SAP solutions.

+## Manual upload method

+To prepare for SAP installation, you can upload the SAP components to your Azure Storage account manually. This method isn't recommended; instead, it's recommended that you [upload the SAP components using a script](#scripted-upload-method).

+### Set up storage account manually

+First, set up an Azure Storage account for the SAP components:

+> [!NOTE]

+> Don't change the folder name structure for any steps in this process. Otherwise, the installation process fails.

+1. Create a new Azure Storage account for storing the software components.

+1. Grant the roles **Storage Blob Data Reader** and **Reader and Data Access** to the user-assigned managed identity, which you used during infrastructure deployment.

+1. Create a container within the storage account. You can choose any container name, such as **sapbits**.

+1. Create a folder within the container, named **sapfiles**.

+1. Go to the **sapfiles** folder.

+1. Create two subfolders named **archives** and **boms**.

+1. In the **boms** folder, create four subfolders with the following names, depending on the SAP version that you're using..

+ 1. For S/4HANA 1909 SPS 03:

+ 1. **HANA_2_00_059_v0003ms**

+ 1. **S41909SPS03_v0011ms**

+ 1. **SWPM20SP12_latest**

+ 1. **SUM20SP14_latest**

+ 1. For S/4HANA 2020 SPS 03:

+ 1. **HANA_2_00_064_v0001ms**

+ 1. **S42020SPS03_v0003ms**

+ 1. **SWPM20SP12_latest**

+ 1. **SUM20SP14_latest**

+ 1. For S/4HANA 2021 ISS 00:

+ 1. **HANA_2_00_064_v0001ms**

+ 1. **S4HANA_2021_ISS_v0001ms**

+ 1. **SWPM20SP12_latest**

+ 1. **SUM20SP14_latest**

+### Upload SAP media

+Next, upload the SAP software files to the storage account:

+1. Upload the following YAML files to the folders with the same name. Make sure to use the files that correspond to the SAP version that you're using.

+ 1. For S/4HANA 1909 SPS 03:

+ 1. [S41909SPS03_v0011ms.yaml](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S41909SPS03_v0011ms/S41909SPS03_v0011ms.yaml)

+ 1. [HANA_2_00_059_v0004ms.yaml](https://raw.githubusercontent.com/Azure/SAP-automation-samples/main/SAP/HANA_2_00_059_v0004ms/HANA_2_00_059_v0004ms.yaml)

+ 1. [SWPM20SP13_latest.yaml](https://raw.githubusercontent.com/Azure/SAP-automation-samples/main/SAP/SWPM20SP13_latest/SWPM20SP13_latest.yaml)

+ 1. [SUM20SP15_latest.yaml](https://raw.githubusercontent.com/Azure/SAP-automation-samples/main/SAP/SUM20SP15_latest/SUM20SP15_latest.yaml)

+ 1. For S/4HANA 2020 SPS 03:

+ 1. [S42020SPS03_v0003ms.yaml](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S42020SPS03_v0003ms/S42020SPS03_v0003ms.yaml)

+ 1. [HANA_2_00_064_v0001ms.yaml](https://github.com/Azure/sap-automation/blob/main/deploy/ansible/BOM-catalog/archives/HANA_2_00_064_v0001ms/HANA_2_00_064_v0001ms.yaml)

+ 1. [SWPM20SP13_latest.yaml](https://raw.githubusercontent.com/Azure/SAP-automation-samples/main/SAP/SWPM20SP13_latest/SWPM20SP13_latest.yaml)

+ 1. [SUM20SP15_latest.yaml](https://raw.githubusercontent.com/Azure/SAP-automation-samples/main/SAP/SUM20SP15_latest/SUM20SP15_latest.yaml)

+

+ 1. For S/4HANA 2021 ISS 00:

+ 1. [S4HANA_2021_ISS_v0001ms.yaml](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S4HANA_2021_ISS_v0001ms/S4HANA_2021_ISS_v0001ms.yaml)

+ 1. [HANA_2_00_064_v0001ms.yaml](https://github.com/Azure/sap-automation/blob/main/deploy/ansible/BOM-catalog/archives/HANA_2_00_064_v0001ms/HANA_2_00_064_v0001ms.yaml)

+ 1. [SWPM20SP13_latest.yaml](https://raw.githubusercontent.com/Azure/SAP-automation-samples/main/SAP/SWPM20SP13_latest/SWPM20SP13_latest.yaml)

+ 1. [SUM20SP15_latest.yaml](https://raw.githubusercontent.com/Azure/SAP-automation-samples/main/SAP/SUM20SP15_latest/SUM20SP15_latest.yaml)

+

+1. Depending on your SAP version, go to the folder **S41909SPS03_v0011ms** or **S42020SPS03_v0003ms** or **S4HANA_2021_ISS_v0001ms**.

+1. Create a subfolder named **templates**.

+1. Download the following files, depending on your SAP version.

+ 1. For S/4HANA 1909 SPS 03:

+

+ 1. [HANA_2_00_055_v1_install.rsp.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S41909SPS03_v0011ms/templates/HANA_2_00_055_v1_install.rsp.j2)

+

+ 1. [S41909SPS03_v0011ms-app-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S41909SPS03_v0011ms/templates/S41909SPS03_v0011ms-app-inifile-param.j2)

+

+ 1. [S41909SPS03_v0011ms-dbload-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S41909SPS03_v0011ms/templates/S41909SPS03_v0011ms-dbload-inifile-param.j2)

+

+ 1. [S41909SPS03_v0011ms-ers-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S41909SPS03_v0011ms/templates/S41909SPS03_v0011ms-ers-inifile-param.j2)

+

+ 1. [S41909SPS03_v0011ms-generic-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S41909SPS03_v0011ms/templates/S41909SPS03_v0011ms-generic-inifile-param.j2)

+

+ 1. [S41909SPS03_v0011ms-pas-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S41909SPS03_v0011ms/templates/S41909SPS03_v0011ms-pas-inifile-param.j2)

+

+ 1. [S41909SPS03_v0011ms-scs-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S41909SPS03_v0011ms/templates/S41909SPS03_v0011ms-scs-inifile-param.j2)

+

+ 1. [S41909SPS03_v0011ms-scsha-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S41909SPS03_v0011ms/templates/S41909SPS03_v0011ms-scsha-inifile-param.j2)

+

+ 1. [S41909SPS03_v0011ms-web-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S41909SPS03_v0011ms/templates/S41909SPS03_v0011ms-web-inifile-param.j2)

+

+ 1. For S/4HANA 2020 SPS 03:

+

+ 1. [HANA_2_00_055_v1_install.rsp.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S42020SPS03_v0003ms/templates/HANA_2_00_055_v1_install.rsp.j2)

+

+ 1. [HANA_2_00_install.rsp.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S42020SPS03_v0003ms/templates/HANA_2_00_install.rsp.j2)

+

+ 1. [S42020SPS03_v0003ms-app-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S42020SPS03_v0003ms/templates/S42020SPS03_v0003ms-app-inifile-param.j2)

+

+ 1. [S42020SPS03_v0003ms-dbload-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S42020SPS03_v0003ms/templates/S42020SPS03_v0003ms-dbload-inifile-param.j2)

+

+ 1. [S42020SPS03_v0003ms-ers-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S42020SPS03_v0003ms/templates/S42020SPS03_v0003ms-ers-inifile-param.j2)

+

+ 1. [S42020SPS03_v0003ms-generic-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S42020SPS03_v0003ms/templates/S42020SPS03_v0003ms-generic-inifile-param.j2)

+

+ 1. [S42020SPS03_v0003ms-pas-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S42020SPS03_v0003ms/templates/S42020SPS03_v0003ms-pas-inifile-param.j2)

+

+ 1. [S42020SPS03_v0003ms-scs-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S42020SPS03_v0003ms/templates/S42020SPS03_v0003ms-scs-inifile-param.j2)

+

+ 1. [S42020SPS03_v0003ms-scsha-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S42020SPS03_v0003ms/templates/S42020SPS03_v0003ms-scsha-inifile-param.j2)

+

+ 1. For S/4HANA 2021 ISS 00:

+

+ 1. [HANA_2_00_055_v1_install.rsp.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S4HANA_2021_ISS_v0001ms/templates/HANA_2_00_055_v1_install.rsp.j2)

+

+ 1. [HANA_2_00_install.rsp.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S4HANA_2021_ISS_v0001ms/templates/HANA_2_00_install.rsp.j2)

+

+ 1. [NW_ABAP_ASCS_S4HANA2021.CORE.HDB.AB](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S4HANA_2021_ISS_v0001ms/templates/NW_ABAP_ASCS_S4HANA2021.CORE.HDB.ABAP_Distributed.params)

+

+ 1. [NW_ABAP_CI-S4HANA2021.CORE.HDB.ABAP_Distributed.params](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S4HANA_2021_ISS_v0001ms/templates/NW_ABAP_CI-S4HANA2021.CORE.HDB.ABAP_Distributed.params)

+

+ 1. [NW_ABAP_DB-S4HANA2021.CORE.HDB.ABAP_Distributed.params](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S4HANA_2021_ISS_v0001ms/templates/NW_ABAP_DB-S4HANA2021.CORE.HDB.ABAP_Distributed.params)

+

+ 1. [NW_DI-S4HANA2021.CORE.HDB.PD_Distributed.params](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S4HANA_2021_ISS_v0001ms/templates/NW_DI-S4HANA2021.CORE.HDB.PD_Distributed.params)

+

+ 1. [NW_Users_Create-GENERIC.HDB.PD_Distributed.params](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S4HANA_2021_ISS_v0001ms/templates/NW_Users_Create-GENERIC.HDB.PD_Distributed.params)

+

+ 1. [S4HANA_2021_ISS_v0001ms-app-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S4HANA_2021_ISS_v0001ms/templates/S4HANA_2021_ISS_v0001ms-app-inifile-param.j2)

+

+ 1. [S4HANA_2021_ISS_v0001ms-dbload-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S4HANA_2021_ISS_v0001ms/templates/S4HANA_2021_ISS_v0001ms-dbload-inifile-param.j2)

+

+ 1. [S4HANA_2021_ISS_v0001ms-ers-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S4HANA_2021_ISS_v0001ms/templates/S4HANA_2021_ISS_v0001ms-ers-inifile-param.j2)

+

+ 1. [S4HANA_2021_ISS_v0001ms-generic-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S4HANA_2021_ISS_v0001ms/templates/S4HANA_2021_ISS_v0001ms-generic-inifile-param.j2)

+

+ 1. [S4HANA_2021_ISS_v0001ms-pas-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S4HANA_2021_ISS_v0001ms/templates/S4HANA_2021_ISS_v0001ms-pas-inifile-param.j2)

+

+ 1. [S4HANA_2021_ISS_v0001ms-scs-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S4HANA_2021_ISS_v0001ms/templates/S4HANA_2021_ISS_v0001ms-scs-inifile-param.j2)

+

+ 1. [S4HANA_2021_ISS_v0001ms-scsha-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S4HANA_2021_ISS_v0001ms/templates/S4HANA_2021_ISS_v0001ms-scsha-inifile-param.j2)

+

+ 1. [S4HANA_2021_ISS_v0001ms-web-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S4HANA_2021_ISS_v0001ms/templates/S4HANA_2021_ISS_v0001ms-web-inifile-param.j2)

+1. Upload all the files that you downloaded to the **templates** folder.

+1. Go back to the **sapfiles** folder, then go to the **archives** subfolder.

+1. Download all packages that aren't labeled as `download: false` from the main BOM URL. Choose the packages based on your SAP version. You can use the URL mentioned in the BOM to download each package. Make sure to download the exact package versions listed in each BOM.

+ 1. For S/4HANA 1909 SPS 03:

+ 1. [S41909SPS03_v0011ms.yaml](https://github.com/Azure/sap-automation/blob/experimental/deploy/ansible/BOM-catalog/S41909SPS03_v0011ms/S41909SPS03_v0011ms.yaml)

+

+ 1. [HANA_2_00_059_v0004ms.yaml](https://github.com/Azure/SAP-automation-samples/blob/main/SAP/HANA_2_00_059_v0004ms/HANA_2_00_059_v0004ms.yaml)

+

+ 1. [SWPM20SP13_latest.yaml](https://github.com/Azure/SAP-automation-samples/blob/main/SAP/SWPM20SP13_latest/SWPM20SP13_latest.yaml)

+

+ 1. [SUM20SP15_latest.yaml](https://github.com/Azure/SAP-automation-samples/blob/main/SAP/SUM20SP15_latest/SUM20SP15_latest.yaml)

+

+

+ 1. For S/4HANA 2020 SPS 03:

+ 1. [S42020SPS03_v0003ms.yaml](https://github.com/Azure/sap-automation/blob/experimental/deploy/ansible/BOM-catalog/S42020SPS03_v0003ms/S42020SPS03_v0003ms.yaml)

+

+ 1. [HANA_2_00_064_v0001ms.yaml](https://github.com/Azure/sap-automation/blob/main/deploy/ansible/BOM-catalog/archives/HANA_2_00_064_v0001ms/HANA_2_00_064_v0001ms.yaml)

+

+ 1. [SWPM20SP13_latest.yaml](https://github.com/Azure/SAP-automation-samples/blob/main/SAP/SWPM20SP13_latest/SWPM20SP13_latest.yaml)

+

+ 1. [SUM20SP15_latest.yaml](https://github.com/Azure/SAP-automation-samples/blob/main/SAP/SUM20SP15_latest/SUM20SP15_latest.yaml)

+

+ 1. For S/4HANA 2021 ISS 00:

+ 1. [S4HANA_2021_ISS_v0001ms.yaml](https://github.com/Azure/sap-automation/blob/experimental/deploy/ansible/BOM-catalog/S4HANA_2021_ISS_v0001ms/S4HANA_2021_ISS_v0001ms.yaml)

+

+ 1. [HANA_2_00_064_v0001ms.yaml](https://github.com/Azure/sap-automation/blob/main/deploy/ansible/BOM-catalog/archives/HANA_2_00_064_v0001ms/HANA_2_00_064_v0001ms.yaml)

+

+ 1. [SWPM20SP13_latest.yaml](https://github.com/Azure/SAP-automation-samples/blob/main/SAP/SWPM20SP13_latest/SWPM20SP13_latest.yaml)

+

+ 1. [SUM20SP15_latest.yaml](https://github.com/Azure/SAP-automation-samples/blob/main/SAP/SUM20SP15_latest/SUM20SP15_latest.yaml)

+1. Repeat the previous step for the main and dependent BOM files.

+1. Upload all the packages that you downloaded to the **archives** folder. Don't rename the files.

+1. Optionally, install other packages that aren't required.

+ 1. Download the package files.

+ 1. Upload the files to the **archives** folder.

+ 1. Open the `S41909SPS03_v0011ms` or `S42020SPS03_v0003ms` or `S4HANA_2021_ISS_v0001ms` YAML file for the BOM.

+ 1. Edit the information for each optional package to `download:true`.

+ 1. Save and reupload the YAML file. Make sure you only have one YAML file in the subfolder (`S41909SPS03_v0011ms` or `S42020SPS03_v0003ms` or `S4HANA_2021_ISS_v0001ms`) of the **boms** folder.

+Now you can [install the SAP software](install-software.md) through Azure Center for SAP solutions.

+## Next steps

+- [Install the SAP software](install-software.md) through Azure Center for SAP solutions

+description: Learn how to install SAP software on an SAP system that you created using Azure Center for SAP solutions. You can either install the SAP software with Azure Center for SAP solutions, or install the software outside the service and detect the installed system.

+In this how-to guide, you'll learn two ways to install the SAP software for your system. Choose whichever method is appropriate for your use case. You can either:

+- [Install the SAP software through Azure Center for SAP solutions directly using the installation wizard](#install-sap-with-azure-center-for-sap-solutions).

+- [Install the SAP software outside of Azure Center for SAP solutions, then detect the installed system from the service](#install-sap-through-outside-method).

+Review the prerequisites for your preferred installation method: [through the Azure Center for SAP solutions installation wizard](#prerequisites-for-wizard-installation) or [through an outside method](#prerequisites-for-outside-installation)

+### Prerequisites for wizard installation

+- An Azure account with **Contributor** role access to the subscriptions and resource groups in which the Virtual Instance for SAP solutions exists.

+- A user-assigned managed identity with **Storage Blob Data Reader** and **Reader and Data Access** roles on the Storage Account which has the SAP software.

+- If you are installing an SAP System through Azure Center for SAP solutions, you should have the SAP installation media available in a storage account. For more information, see [how to download the SAP installation media](get-sap-installation-media.md).

+- If you're installing a Highly Available (HA) SAP system, get the Service Principal identifier (SPN ID) and password to authorize the Azure fence agent (fencing device) against Azure resources. For more information, see [Use Azure CLI to create an Azure AD app and configure it to access Media Services API](/azure/media-services/previous/media-services-cli-create-and-configure-aad-app).

+ - For an example, see the Red Hat documentation for [Creating an Azure Active Directory Application](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/deploying_red_hat_enterprise_linux_7_on_public_cloud_platforms/configuring-rhel-high-availability-on-azure_cloud-content#azure-create-an-azure-directory-application-in-ha_configuring-rhel-high-availability-on-azure).

+ - To avoid frequent password expiry, use the Azure Command-Line Interface (Azure CLI) to create the Service Principal identifier and password instead of the Azure portal.

+### Prerequisites for outside installation

+- An Azure subscription.

+- An Azure account with **Contributor** role access to the subscriptions and resource groups in which the Virtual Instance for SAP solutions exists.

+- A user-assigned managed identity that you created during infrastructure deployment with **Contributor** role access on the subscription, or on all resource groups (compute, network and storage) that the SAP System is a part of.

+- Infrastructure for the SAP system that you previously created through Azure Center for SAP solution. Don't make any changes to this infrastructure.

+- An SAP System (and underlying infrastructure resources) that is up and running.

+- Optionally, you can add fully installed application servers to the system before detecting the SAP software; then, the SAP system with additional application servers will also be detected.

+ - If you add additional application servers to this Virtual Instance for SAP solutions after infrastructure deployment, the previously created user-assigned managed identity also needs **Contributor** role access on the subscription or on the resource group under which this new application server exists.

+ - The number of application virtual machines installed should not be less than the number created during the infrastructure deployment phase in Azure Center for SAP solutions. You can still detect additional application servers.

+Only the following scenarios are supported for this installation method:

+- Infrastructure for S4/HANA was created through Azure Center for SAP solutions. The S4/HANA application was installed outside Azure Center for SAP solutions through a different tool.

+- Only S4/HANA installation done outside Azure Center for SAP solutions can be detected. If you have installed a different SAP Application than S4/HANA, the detection will fail.

+- If you want a fresh installation of S4/HANA software on the infrastructure deployed by Azure Center for SAP solutions, use the wizard installation option instead.

+## Install SAP with Azure Center for SAP solutions

+To install the SAP software directly, use the Azure Center for SAP solutions installation wizard.

+1. Select your Virtual Instance for SAP solutions instance.

+1. On the **Overview** page for the Virtual Instance for SAP solutions resource, select **Install SAP software**.

+1. After the installation completes, sign in with your SAP system credentials. To find the SAP system and HANA DB credentials for the newly installed system, see [how to manage a Virtual Instance for SAP solutions](manage-virtual-instance.md).

+## Install SAP through outside method

+If you install the SAP software elsewhere, you need to detect the software installation and update your Virtual Instance for SAP solutions metadata.

+1. Sign in to the [Azure portal](https://portal.azure.com). Make sure to sign in with an Azure account that has **Contributor** role access to the subscription or resource groups where the SAP system exists.

+1. Search for and select **Azure Center for SAP solutions** in the Azure portal's search bar.

+1. Select **Virtual Instances for SAP solutions**. Then select the Virtual Instance for SAP solutions resource that you want to detect.

+1. On the resource's overview page, select **Confirm already installed software**. Read all the instructions, then select **Confirm**. Extensions will now be installed on ASCS, APP and DB virtual machines and start discovering SAP metadata.

+1. Wait for the Virtual Instance for SAP solutions resource to be detected and populated with the metadata. The process completes after all SAP system components have been detected.

+1. Review the Virtual Instance for SAP solutions resource in the Azure portal. The resource page now shows the SAP system resources, and information about the system.

+### Application servers

+When SAP changes the version of packages for a component in the BOM, you might encounter problems with the automated installation shell script. It's recommended to download your SAP installation media as soon as possible to avoid issues.

+1. Reupload the BOM file(s) in the subfolder (`S41909SPS03_v0011ms` or `S42020SPS03_v0003ms` or `S4HANA_2021_ISS_v0001ms`) of the `boms` folder

+1. Clone the SAP automation repository. For more information, see [how to download the SAP installation media](get-sap-installation-media.md).

+ ```git bash

+ git clone https://github.com/Azure/sap-automation.git

+ ```

+1. Before running the Ansible playbook set the SPASS environment variable below. Single quotes should be present in the command.

+1. Run the Ansible playbook:

+ ```azurecli

+ ```

+ - For `<username>`, use your SAP username.

+ - For `<bom_base_name>`, use the SAP Version you want to install i.e. **_S41909SPS03_v0011ms_** or **_S42020SPS03_v0003ms_** or **_S4HANA_2021_ISS_v0001ms_**

+ - For `<storageAccountAccessKey>`, use your storage account's access key. You found this value in the Download SAP media section

+ - For `<containerBasePath>`, use the path to your `sapbits` container. You found this value in the Download SAP media section. The format is `https://<your-storage-account>.blob.core.windows.net/sapbits`

+- [Manage a Virtual Instance for SAP solutions](manage-virtual-instance.md)

+ Title: Manage Azure Center for SAP solutions resources with Azure RBAC (preview)

+description: Use Azure role-based access control (Azure RBAC) to manage access to your SAP workloads within Azure Center for SAP solutions.

+# Management of Azure Center for SAP solutions resources with Azure RBAC (preview)

+[Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md) enables granular access management for Azure. You can use Azure RBAC to manage Virtual Instance for SAP solutions resources within Azure Center for SAP solutions. For example, you can separate duties within your team and grant only the amount of access that users need to perform their jobs.

+*Users* or *user-assigned managed identities* require minimum roles or permissions to use the different capabilities in Azure Center for SAP solutions.

+There are [Azure built-in roles](../role-based-access-control/built-in-roles.md) for Azure Center for SAP solutions, or you can [create Azure custom roles](../role-based-access-control/custom-roles.md) for more control. Azure Center for SAP solutions provides the following built-in roles to deploy and manage SAP systems on Azure:

+- The **Azure Center for SAP solutions administrator** role has the required permissions for a user to deploy infrastructure, install SAP, and manage SAP systems from Azure Center for SAP solutions. The role allows users to:

+ - Deploy infrastructure for a new SAP system

+ - Install SAP software

+ - Register existing SAP systems as a [Virtual Instance for SAP solutions (VIS)](overview.md#what-is-a-virtual-instance-for-sap-solutions) resource.

+ - View the health and status of SAP systems.

+ - Perform operations such as **Start** and **Stop** on the VIS resource.

+ - Do all possible actions with Azure Center for SAP solutions, including the deletion of the VIS resource.

+- The **Azure Center for SAP solutions service role** is intended for use by the user-assigned managed identity. The Azure Center for SAP solutions service uses this identity to deploy and manage SAP systems. This role has permissions to support the deployment and management capabilities in Azure Center for SAP solutions.

+- The **Azure Center for SAP solutions reader** role has permissions to view all VIS resources.

+> [!NOTE]

+> If you're creating a new user-assigned managed identity when you deploy a new SAP system or register an existing system, the user must also have the **Managed Identity Contributor** role. This role is required to make role assignments to a user-assigned managed identity.

+## Deploy infrastructure for new SAP system

+To deploy infrastructure for a new SAP system, a *user* and *user-assigned managed identity* requires the following role or permissions.

+| Built-in roles for *users* |

+| - |

+| **Azure Center for SAP solutions administrator** |

+| Minimum permissions for *users* |

+| - |

+| `Microsoft.Workloads/sapVirtualInstances/write` |

+| `Microsoft.Workloads/Operations/read` |

+| `Microsoft.Workloads/Locations/OperationStatuses/read` |

+| `Microsoft.Workloads/locations/sapVirtualInstanceMetadata/getSizingRecommendations/action` |

+| `Microsoft.Workloads/locations/sapVirtualInstanceMetadata/getSapSupportedSku/action` |

+| `Microsoft.Workloads/locations/sapVirtualInstanceMetadata/getDiskConfigurations/action` |

+| `Microsoft.Workloads/locations/sapVirtualInstanceMetadata/getAvailabilityZoneDetails/action` |

+| `Microsoft.Resources/subscriptions/resourcegroups/deployments/read` |

+| `Microsoft.Resources/subscriptions/resourcegroups/deployments/write` |

+| `Microsoft.Network/virtualNetworks/read` |

+| `Microsoft.Network/virtualNetworks/subnets/read` |

+| `Microsoft.Network/virtualNetworks/subnets/write` |

+| `Microsoft.Compute/sshPublicKeys/write` |

+| `Microsoft.Compute/sshPublicKeys/read` |

+| `Microsoft.Compute/sshPublicKeys /*/generateKeyPair/action` |

+| `Microsoft.Storage/storageAccounts/read` |

+| `Microsoft.Storage/storageAccounts/blobServices/read` |

+| `Microsoft.Storage/storageAccounts/blobServices/containers/read` |

+| `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` |

+| `Microsoft.Storage/storageAccounts/fileServices/read` |

+| `Microsoft.Storage/storageAccounts/fileServices/shares/read` |

+| Built-in roles for *user-assigned managed identities* |

+| - |

+| **Azure Center for SAP solutions service role** |

+| Minimum permissions for *user-assigned managed identities* |

+| - |

+| `Microsoft.Compute/disks/read` |

+| `Microsoft.Compute/disks/write` |

+| `Microsoft.Compute/virtualMachines/read` |

+| `Microsoft.Compute/virtualMachines/write` |

+| `Microsoft.Compute/virtualMachines/extensions/read` |

+| `Microsoft.Compute/virtualMachines/extensions/write` |

+| `Microsoft.Compute/virtualMachines/extensions/delete` |

+| `Microsoft.Compute/virtualMachines/instanceView/read` |

+| `Microsoft.Compute/availabilitySets/read` |

+| `Microsoft.Compute/availabilitySets/write` |

+| `Microsoft.Network/loadBalancers/read` |

+| `Microsoft.Network/loadBalancers/write` |

+| `Microsoft.Network/loadBalancers/backendAddressPools/read` |

+| `Microsoft.Network/loadBalancers/backendAddressPools/write` |

+| `Microsoft.Network/loadBalancers/backendAddressPools/join/action` |

+| `Microsoft.Network/loadBalancers/frontendIPConfigurations/read` |

+| `Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action` |

+| `Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/read` |

+| `Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/write` |

+| `Microsoft.Network/networkInterfaces/read` |

+| `Microsoft.Network/networkInterfaces/write` |

+| `Microsoft.Network/networkInterfaces/join/action` |

+| `Microsoft.Network/networkInterfaces/ipconfigurations/read` |

+| `Microsoft.Network/networkInterfaces/ipconfigurations/join/action` |

+| `Microsoft.Network/privateEndpoints/read` |

+| `Microsoft.Network/privateEndpoints/write` |

+| `Microsoft.Network/virtualNetworks/read` |

+| `Microsoft.Network/virtualNetworks/subnets/read` |

+| `Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action` |

+| `Microsoft.Network/virtualNetworks/subnets/join/action` |

+| `Microsoft.Storage/storageAccounts/read` |

+| `Microsoft.Storage/storageAccounts/write` |

+| `Microsoft.Storage/storageAccounts/listAccountSas/action` |

+| `Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action` |

+| `Microsoft.Storage/storageAccounts/blobServices/read` |

+| `Microsoft.Storage/storageAccounts/blobServices/containers/read` |

+| `Microsoft.Storage/storageAccounts/fileServices/read` |

+| `Microsoft.Storage/storageAccounts/fileServices/write` |

+| `Microsoft.Storage/storageAccounts/fileServices/shares/read` |

+| `Microsoft.Storage/storageAccounts/fileServices/shares/write` |

+## Install SAP software

+To install SAP software, a *user* and *user-assigned managed identity* requires the following role or permissions.

+| Built-in roles for *users* |

+| - |

+| **Azure Center for SAP solutions administrator** |

+| Minimum permissions for *users* |

+| - |

+| `Microsoft.Workloads/sapVirtualInstances/write` |

+| `Microsoft.Workloads/sapVirtualInstances/applicationInstances/read` |

+| `Microsoft.Workloads/sapVirtualInstances/centralInstances/read` |

+| `Microsoft.Workloads/sapVirtualInstances/databaseInstances/read` |

+| `Microsoft.Workloads/sapVirtualInstances/read` |

+| `Microsoft.Workloads/Operations/read` |

+| `Microsoft.Workloads/Locations/OperationStatuses/read` |

+| `Microsoft.Storage/storageAccounts/read` |

+| `Microsoft.Storage/storageAccounts/blobServices/read` |

+| `Microsoft.Storage/storageAccounts/blobServices/containers/read` |

+| `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` |

+| `Microsoft.Storage/storageAccounts/fileServices/read` |

+| `Microsoft.Storage/storageAccounts/fileServices/shares/read` |

+| Built-in roles for *user-assigned managed identities* |

+| - |

+| **Azure Center for SAP solutions service role** |

+| **Reader and Data Access** |

+| Minimum permissions for *user-assigned managed identities* |

+| - |

+| `Microsoft.Compute/disks/read` |

+| `Microsoft.Compute/virtualMachines/read` |

+| `Microsoft.Compute/disks/write` |

+| `Microsoft.Compute/virtualMachines/write` |

+| `Microsoft.Compute/virtualMachines/extensions/delete` |

+| `Microsoft.Compute/virtualMachines/extensions/read` |

+| `Microsoft.Compute/virtualMachines/extensions/write` |

+| `Microsoft.Compute/virtualMachines/instanceView/read` |

+| `Microsoft.Network/loadBalancers/read` |

+| `Microsoft.Network/loadBalancers/backendAddressPools/read` |

+| `Microsoft.Network/loadBalancers/frontendIPConfigurations/read` |

+| `Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/read` |

+| `Microsoft.Network/networkInterfaces/read` |

+| `Microsoft.Network/networkInterfaces/ipconfigurations/read` |

+| `Microsoft.Network/privateEndpoints/read` |

+| `Microsoft.Network/virtualNetworks/read` |

+| `Microsoft.Network/virtualNetworks/subnets/read` |

+| `Microsoft.Storage/storageAccounts/read` |

+| `Microsoft.Storage/storageAccounts/listAccountSas/action` |

+| `Microsoft.Storage/storageAccounts/blobServices/containers/read` |

+| `Microsoft.Storage/storageAccounts/fileServices/read` |

+| `Microsoft.Storage/storageAccounts/fileServices/shares/read` |

+| `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` |

+| `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action` |

+| `Microsoft.Storage/storageAccounts/write` |

+| `Microsoft.Storage/storageAccounts/listAccountSas/action` |

+| `Microsoft.Storage/storageAccounts/fileServices/write` |

+| `Microsoft.Storage/storageAccounts/fileServices/shares/write` |

+## Register and manage existing SAP system

+To register an existing SAP system and manage that system with Azure Center for SAP solutions, a *user* or *user-assigned managed identity* requires the following role or permissions.

+| Built-in roles for *users* |

+| - |

+| **Azure Center for SAP solutions administrator** |

+| Minimum permissions for *users* |

+| - |

+| `Microsoft.Workloads/sapVirtualInstances/write` |

+| `Microsoft.Compute/virtualMachines/read` |

+| Built-in roles for *user-assigned managed identities* |

+| - |

+| **Azure Center for SAP solutions service role** |

+| Minimum permissions for *user-assigned managed identities* |

+| - |

+| `Microsoft.Compute/virtualMachines/read` |

+| `Microsoft.Compute/disks/read` |

+| `Microsoft.Compute/disks/write` |

+| `Microsoft.Compute/virtualMachines/write` |

+| `Microsoft.Compute/virtualMachines/extensions/read` |

+| `Microsoft.Compute/virtualMachines/extensions/write` |

+| `Microsoft.Compute/virtualMachines/instanceView/read` |

+| `Microsoft.Network/loadBalancers/read` |

+| `Microsoft.Network/loadBalancers/backendAddressPools/read` |

+| `Microsoft.Network/loadBalancers/frontendIPConfigurations/read` |

+| `Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/read` |

+| `Microsoft.Network/networkInterfaces/read` |

+| `Microsoft.Network/networkInterfaces/ipconfigurations/read` |

+| `Microsoft.Network/virtualNetworks/read` |

+| `Microsoft.Network/virtualNetworks/subnets/read` |

+## View VIS resources

+To view VIS resources, a *user* or *user-assigned managed identity* requires the following role or permissions.

+| Built-in roles for *users* |

+| - |

+| **Azure Center for SAP solutions reader** |

+| **Reader** |

+| Minimum permissions for *users* |

+| - |

+| `Microsoft.Workloads/sapVirtualInstances/applicationInstances/read` |

+| `Microsoft.Workloads/sapVirtualInstances/centralInstances/read` |

+| `Microsoft.Workloads/sapVirtualInstances/databaseInstances/read` |

+| `Microsoft.Workloads/sapVirtualInstances/read` |

+| `Microsoft.Workloads/Operations/read` |

+| `Microsoft.Workloads/Locations/OperationStatuses/read` |

+| `Microsoft.Workloads/locations/sapVirtualInstanceMetadata/getSizingRecommendations/action` |

+| `Microsoft.Workloads/locations/sapVirtualInstanceMetadata/getSapSupportedSku/action` |

+| `Microsoft.Workloads/locations/sapVirtualInstanceMetadata/getDiskConfigurations/action` |

+| `Microsoft.Workloads/locations/sapVirtualInstanceMetadata/getAvailabilityZoneDetails/action` |

+| `Microsoft.Insights/Metrics/Read` |

+| `Microsoft.ResourceHealth/AvailabilityStatuses/read` |

+| Built-in roles for *user-assigned managed identities* |

+| - |

+| This scenario isn't applicable to *user-assigned managed identities*. |

+| Built-in permissions for *user-assigned managed identities* |

+| - |

+| This scenario isn't applicable to *user-assigned managed identities*. |

+## Start SAP system

+To start the SAP system from a VIS resource, a *user* and *user-assigned managed identity* requires the following role or permissions.

+| Built-in roles for *users* |

+| - |

+| **Azure Center for SAP solutions administrator** |

+| Minimum permissions for *users* |

+| - |

+| `Microsoft.Workloads/sapVirtualInstances/start/action` |

+| Built-in roles for *user-assigned managed identities* |

+| - |

+| **Azure Center for SAP solutions service role** |

+| Minimum permissions for *user-assigned managed identities* |

+| - |

+| `Microsoft.Compute/virtualMachines/read` |

+| `Microsoft.Compute/virtualMachines/extensions/read` |

+| `Microsoft.Compute/virtualMachines/extensions/write` |

+| `Microsoft.Compute/virtualMachines/instanceView/read` |

+## Stop SAP system

+To stop the SAP system from a VIS resource, a *user* and *user-assigned managed identity* requires the following role or permissions.

+| Built-in roles for *users* |

+| - |

+| **Azure Center for SAP solutions administrator** |

+| Minimum permissions for *users* |

+| - |

+| `Microsoft.Workloads/sapVirtualInstances/stop/action` |

+| Built-in roles for *user-assigned managed identities* |

+| - |

+| **Azure Center for SAP solutions service role** |

+| Minimum permissions for *user-assigned managed identities* |

+| - |

+| `Microsoft.Compute/virtualMachines/read` |

+| `Microsoft.Compute/virtualMachines/extensions/read` |

+| `Microsoft.Compute/virtualMachines/extensions/write` |

+| `Microsoft.Compute/virtualMachines/instanceView/read` |

+## View cost analysis

+To view the cost analysis, a *user* requires the following role or permissions.

+| Built-in roles for *users* |

+| - |

+| **Cost Management Reader** |

+| Minimum permissions for *users* |

+| - |

+| `Microsoft.Consumption/*/read**` |

+| `Microsoft.CostManagement/*/read` |

+| `Microsoft.Billing/billingPeriods/read` |

+| `Microsoft.Resources/subscriptions/read` |

+| `Microsoft.Resources/subscriptions/resourceGroups/read` |

+| `Microsoft.Billing/billingProperty/read` |

+| Built-in roles for *user-assigned managed identities* |

+| - |

+| This scenario isn't applicable to *user-assigned managed identities*. |

+| Minimum permissions for *user-assigned managed identities* |

+| - |

+| This scenario isn't applicable to *user-assigned managed identities*. |

+## View Quality Insights

+To view Quality Insights, a *user* requires the following role or permissions.

+| Built-in roles for *users* |

+| - |

+| **Reader** |

+ Minimum permissions for *users* |

+| - |

+| None, except the minimum role assignment. |

+| Built-in roles for *user-assigned managed identities* |

+| - |

+| This scenario isn't applicable to *user-assigned managed identities*. |

+| Minimum permissions for *user-assigned managed identities* |

+| - |

+| This scenario isn't applicable to *user-assigned managed identities*. |

+## Set up Azure Monitor for SAP solutions

+To set up Azure Monitor for SAP solutions for your SAP resources, a *user* requires the following role or permissions.

+| Built-in roles for *users* |

+| - |

+| **Contributor** |

+| Minimum permissions for *users* |

+| - |

+| None, except the minimum role assignment. |

+| Built-in roles for *user-assigned managed identities* |

+| - |

+| This scenario isn't applicable to *user-assigned managed identities*. |

+| Minimum permissions for *user-assigned managed identities* |

+| - |

+| This scenario isn't applicable to *user-assigned managed identities*. |

+## Delete VIS resource

+To delete a VIS resource, a *user* or *user-assigned managed identity* requires the following role or permissions.

+| Built-in roles for *users* |

+| - |

+| **Azure Center for SAP solutions administrator** |

+| Minimum permissions for *users* |

+| - |

+| `Microsoft.Workloads/sapVirtualInstances/delete` |

+| `Microsoft.Workloads/sapVirtualInstances/read` |

+| `Microsoft.Workloads/sapVirtualInstances/applicationInstances/read` |

+| `Microsoft.Workloads/sapVirtualInstances/centralInstances/read` |

+| `Microsoft.Workloads/sapVirtualInstances/databaseInstances/read` |

+| Built-in roles for *user-assigned managed identities* |

+| - |

+| This scenario isn't applicable to *user-assigned managed identities*. |

+| Minimum permissions for *user-assigned managed identities* |

+| - |

+| This scenario isn't applicable to *user-assigned managed identities*. |

+## Next steps

+- [Manage VIS resources in Azure Center for SAP solutions](manage-virtual-instance.md)

+- SAP system with multiple Application Server Instances on a single Virtual Machine

+- SAP system with [clustered Application Server architecture](../virtual-machines/workloads/sap/high-availability-guide-rhel-with-dialog-instance.md)

+- Multiple SIDs running on same set of Virtual Machines. For example, two or more SIDs sharing a single VM for ASCS instance.

+> The free tier limits the request rate to 20 calls per minute. The paid tier allows 30 requests per second (RPS) that can be increased upon request. Note your Azure resource identfier and region, and open an Azure support ticket or contact your account team to request a higher request per second (RPS) rate.

+| Data type | Used for testing | Recommended for testing | Used for training | Recommended for training |

+## Map X-SAMPA to IPA

+| `alphabet` | The phonetic alphabet to use when you synthesize the pronunciation of the string in the `ph` attribute. The string that specifies the alphabet must be specified in lowercase letters. The following options are the possible alphabets that you can specify:<ul><li>`ipa` &ndash; See [SSML phonetic alphabets](speech-ssml-phonetic-sets.md)</li><li>`sapi` &ndash; See [SSML phonetic alphabets](speech-ssml-phonetic-sets.md)</li><li>`ups` &ndash; See [Universal Phone Set](https://documentation.help/Microsoft-Speech-Platform-SDK-11/17509a49-cae7-41f5-b61d-07beaae872ea.htm)</li><li>`x-sampa` &ndash; See [SSML phonetic alphabets](speech-ssml-phonetic-sets.md#map-x-sampa-to-ipa)</li></ul><br>The alphabet applies only to the `phoneme` in the element. | Optional |

+```xml

+<speak version="1.0" xmlns="http://www.w3.org/2001/10/synthesis" xml:lang="en-US">

+ <voice name="en-US-JennyNeural">

+ <phoneme alphabet='x-sampa' ph='he."lou'>hello</phoneme>

+ </voice>

+</speak>

+```

+Use this article to get started with Azure OpenAI with step-by-step instructions to create a resource and deploy a model. While the steps for resource creation and model deployment can be completed in a few minutes, the actual deployment process itself can take more than hour. You can create your resource, start your deployment, and then check back in on your deployment later rather than actively waiting for the deployment to complete.

+The Chat APIs provide an **auto-scaling** service for persistently stored text and data communication. Other key features include:

+> Calling and chat interoperability is in private preview, and restricted to a limited number of Azure Communication Services early adopters. You can [submit this form to request participation in the preview](https://forms.office.com/r/F3WLqPjw0D), and we'll review your scenario(s) and evaluate your participation in the preview.

+> Private Preview APIs and SDKs are provided without a service-level agreement, aren't appropriate for production workloads, and should only be used with test users and test data. Certain features may not be supported or have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+> For support, questions, or to provide feedback or report issues, please use the [Teams interop ad hoc calling and chat channel](https://teams.microsoft.com/l/channel/19%3abfc7d5e0b883455e80c9509e60f908fb%40thread.tacv2/Teams%2520Interop%2520ad%2520hoc%2520calling%2520and%2520chat?groupId=d78f76f3-4229-4262-abfb-172587b7a6bb&tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47). You must be a member of the Azure Communication Service TAP team.

+As part of this preview, the Azure Communication Services SDKs can be used to build applications that enable bring your own identity (BYOI) users to start 1:1 calls or 1:n chats with Teams users. [Standard Azure Communication Services pricing](https://azure.microsoft.com/pricing/details/communication-services/) applies to these users, but there's no extra fee for the interoperability capability itself. Custom applications built with Azure Communication Services to connect and communicate with Teams users or Teams voice applications can be used by end users or by bots, and there's no differentiation in how they appear to Teams users in Teams applications unless explicitly indicated by the developer of the application with a display name.

+To enable calling and chat between your Communication Services users and your Teams tenant, allow your tenant via the [form](https://forms.office.com/r/F3WLqPjw0D) and enable the connection between the tenant and Communication Services resource.

+Azure AD user with [Teams administrator role](/azure/active-directory/roles/permissions-reference#teams-administrator) can run PowerShell cmdlet with MicrosoftTeams module to enable the Communication Services resource in the tenant. First, open the PowerShell and validate the existence of the Teams module with the following command:

+```script

+Get-module *teams*

+```

+If you don't see the MicrosoftTeams module, you need to install it first. To install the module, you need to run PowerShell as an administrator. Then run the following command:

+```script

+ Install-Module -Name MicrosoftTeams

+```

+You'll be informed about the modules that are going to be installed, which you can confirm with a `Y` or `A` answer. If the module is installed but is outdated, you can run the following command to update the module:

+```script

+ Update-Module MicrosoftTeams

+```

+When the module is installed and ready, you can connect to the MicrosftTeams module with the following command. You'll be prompted with an interactive window to log in. The user account that you're going to use needs to have Teams administrator permissions. Otherwise, you might get an `access denied` response in the next steps.

+```script

+Connect-MicrosoftTeams

+```

+After successful login, you can run the cmdlet [Set-CsTeamsAcsFederationConfiguration](/powershell/module/teams/set-csteamsacsfederationconfiguration) to enable Communication Services resource in your tenant. Replace the text `IMMUTABLE_RESOURCE_ID` with an immutable resource ID in your communication resource. You can find more details on how to get this information [here](../troubleshooting-info.md#getting-immutable-resource-id).

+```script

+$allowlist = @('IMMUTABLE_RESOURCE_ID')

+Set-CsTeamsAcsFederationConfiguration -EnableAcsUsers $True -AllowedAcsResources $allowlist

+```

+## Get Teams user ID

+To start a call or chat with a Teams user or Teams Voice application, you need an identifier of the target. You have the following options to retrieve the ID:

+- User interface of [Azure AD](../troubleshooting-info.md?#getting-user-id) or with on-premises directory synchronization [Azure AD Connect](../../../active-directory/hybrid/how-to-connect-sync-whatis.md)

+- Programmatically via [Microsoft Graph API](/graph/api/resources/users)

+With the Calling SDK, a Communication Services user or endpoint can start a 1:1 call with Teams users, identified by their Azure Active Directory (Azure AD) object ID. You can easily modify an existing application that calls other Communication Services users to call Teams users.

+- This functionality isn't currently available in the .NET Calling SDK.

+- Advanced call routing capabilities such as call forwarding, group call pickup, simultaneous ringing, and voice mail aren't supported.

+- There are many features in the Teams client that don't work as expected during 1:1 calls with Communication Services users.

+- Third-party [devices for Teams](/MicrosoftTeams/devices/teams-ip-phones) and [Skype IP phones](/skypeforbusiness/certification/devices-ip-phones) aren't supported.

+With the Chat SDK, Communication Services users or endpoints can have group chats with Teams users, identified by their Azure Active Directory (AAD) object ID. You can easily modify an existing application that creates chats with other Communication Services users to create chats with Teams users instead. Here is an example of how to use the Chat SDK to add Teams users as participants. To learn how to use Chat SDK to send a message, manage participants, and more, see our [quickstart](../../quickstarts/chat/get-started.md?pivots=programming-language-javascript).

+To make testing easier, we've published a sample app [here](https://github.com/Azure-Samples/communication-services-web-chat-hero/tree/teams-interop-chat-adhoc). Update the app with your Communication Services resource and interop enabled Teams tenant to get started.

+While in private preview, a Communication Services user can do various actions using the Communication Services Chat SDK, including sending and receiving plain and rich text messages, typing indicators, read receipts, real-time notifications, and more. However, most of the Teams chat features aren't supported. Here are some key behaviors and known issues:

+- Communication Services users can only initiate chats.

+- Communication Services users can't send or receive GIFs, images, or files. Links to files and images can be shared.

+- Known issue: Communication Services users aren't displayed correctly in the participant list. They're currently displayed as External, but their people cards might need to be more consistent.

+- Known issue: Editing of messages by the Teams user isn't supported.

+Interoperability between Azure Communication Services and Microsoft Teams enables your applications and users to participate in Teams calls, meetings, and chats. It is your responsibility to ensure that the users of your application are notified when recording or transcription are enabled in a Teams call or meeting.

+Microsoft will indicate to you via the Azure Communication Services API that recording or transcription has commenced. You must communicate this fact in real time to your users within your application's user interface. You agree to indemnify Microsoft for all costs and damages incurred due to your failure to comply with this obligation.

+ Title: Azure AD API permissions for communication as Teams external user

+description: This article describes Azure AD API permissions for communication as a Teams external user with Azure Communication Services.

+# Security of communication as Teams external user

+In this article, you'll learn about the security measures and frameworks implemented by Microsoft Teams and Azure Communication Services to provide a secure collaboration environment. The products implement data encryption, secure real-time communication, two-factor authentication, user authentication, and authorization to prevent common security threats. The security frameworks for these services are based on industry standards and best practices.

+## Microsoft Teams

+Microsoft Teams handles security using a combination of technologies and processes to mitigate common security threats and provide a secure collaboration environment. Teams implement multiple layers of security, including data encryption in transit and at rest, secure real-time communication through Microsoft's global network, and two-factor authentication for added protection. The security framework for Teams is built on the Microsoft Security Development Lifecycle (SDL), a comprehensive and standardized approach to software security covering all stages of development. Teams also undergo regular security assessments and audits to ensure that the platform meets industry standards for security and privacy. Additionally, Teams integrates with Microsoft's suite of security products and services, such as Azure Active Directory, to provide customers with a comprehensive security solution. You can learn here more about [security in Microsoft Teams](/microsoftteams/teams-security-guide.md).

+Additionally, Microsoft Teams provides several policies and tenant configurations to control Teams external users joining and in-meeting experience. Teams administrators can use settings in the Microsoft Teams admin center or PowerShell to control whether Teams external users can join Teams meetings, bypass lobby, start a meeting, participate in chat, or default role assignment. You can learn more about the [policies here](./teams-administration.md).

+## Azure Communication Services

+Azure Communication Services handles security by implementing various security measures to prevent and mitigate common security threats. These measures include data encryption in transit and at rest, secure real-time communication through Microsoft's global network, and authentication mechanisms to verify the identity of users. The security framework for Azure Communication Services is based on industry standards and best practices. Azure also undergoes regular security assessments and audits to ensure that the platform meets industry standards for security and privacy. Additionally, Azure Communication Services integrates with other Azure security services, such as Azure Active Directory, to provide customers with a comprehensive security solution. Customers can also control access to the services and manage their security settings through the Azure portal. You can learn here more about [Azure security baseline](/security/benchmark/azure/baselines/azure-communication-services-security-baseline?toc=/azure/communication-services/toc.json), about security of [call flows](../../call-flows.md) and [call flow topologies](../../detailed-call-flows.md).

+ Title: Security of communication as Teams user

+description: This article describes the security of communication as a Teams user with Azure Communication Services.

+# Security of communication as Teams user

+In this article, you'll learn about the security measures and frameworks implemented by Microsoft Teams, Azure Communication Services, and Azure Active Directory to provide a secure collaboration environment. The products implement data encryption, secure real-time communication, two-factor authentication, user authentication, and authorization to prevent common security threats. The security frameworks for these services are based on industry standards and best practices.

+## Microsoft Teams

+Microsoft Teams handles security using a combination of technologies and processes to mitigate common security threats and provide a secure collaboration environment. Teams implement multiple layers of security, including data encryption in transit and at rest, secure real-time communication through Microsoft's global network, and two-factor authentication for added protection. The security framework for Teams is built on the Microsoft Security Development Lifecycle (SDL), a comprehensive and standardized approach to software security covering all stages of development. Teams also undergo regular security assessments and audits to ensure that the platform meets industry standards for security and privacy. Additionally, Teams integrates with Microsoft's suite of security products and services, such as Azure Active Directory, to provide customers with a comprehensive security solution. You can learn here more about [security in Microsoft Teams](/microsoftteams/teams-security-guide.md).

+## Azure Communication Services

+Azure Communication Services handles security by implementing various security measures to prevent and mitigate common security threats. These measures include data encryption in transit and at rest, secure real-time communication through Microsoft's global network, and authentication mechanisms to verify the identity of users. The security framework for Azure Communication Services is based on industry standards and best practices. Azure also undergoes regular security assessments and audits to ensure that the platform meets industry standards for security and privacy. Additionally, Azure Communication Services integrates with other Azure security services, such as Azure Active Directory, to provide customers with a comprehensive security solution. Customers can also control access to the services and manage their security settings through the Azure portal. You can learn here more about [Azure security baseline](/security/benchmark/azure/baselines/azure-communication-services-security-baseline?toc=/azure/communication-services/toc.json), about security of [call flows](../../call-flows.md) and [call flow topologies](../../detailed-call-flows.md).

+## Azure Active Directory

+Azure Active Directory provides a range of security features for Microsoft Teams to help handle common security threats and provide a secure collaboration environment. Azure AD helps to secure user authentication and authorization, allowing administrators to manage user access to Teams and other applications through a single, centralized platform. Azure AD also integrates with Teams to provide multi-factor authentication and conditional access policies, which can be used to enforce security policies and control access to sensitive information. The security framework for Azure Active Directory is based on the Microsoft Security Development Lifecycle (SDL), a comprehensive and standardized approach to software security that covers all stages of development. Azure AD undergoes regular security assessments and audits to ensure that the platform meets industry standards for security and privacy. Additionally, Azure AD integrates with other Azure security services, such as Azure Information Protection, to provide customers with a comprehensive security solution. You can learn here more about [Azure identity management security](/azure/security/fundamentals/identity-management-overview.md).

+By default, indexing policy is set to `automatic`. It's achieved by setting the `automatic` property in the indexing policy to `true`. Setting this property to `true` allows Azure Cosmos DB to automatically index items as they're written.

+- If an explicitly indexed path doesn't exist in an item, a value will be added to the index to indicate that the path is undefined.

+All explicitly included paths will have values added to the index for each item in the container, even if the path is undefined for a given item.

+Unlike with included or excluded paths, you can't create a path with the `/*` wildcard. Every composite path has an implicit `/?` at the end of the path that you don't need to specify. Composite paths lead to a scalar value that is the only value included in the composite index. If a path in a composite index doesn't exist in an item, a value will be added to the index to indicate that the path is undefined.

+Before you can create a document database, you need to create an API for NoSQL account with Azure Cosmos DB.

+Now let's switch to working with code. Let's clone an API for NoSQL app from GitHub, set the connection string, and run it. You'll see how easy it is to work with data programmatically.

+## Run the app

+Now go back to the Azure portal to get your connection string information and launch the app with your endpoint information. This enables your app to communicate with your hosted database.

+1. In the git terminal window, `cd` to the sample code folder.

+ ```bash

+ cd azure-cosmos-java-getting-started

+ ```

+2. In the git terminal window, use the following command to install the required Java packages.

+ ```bash

+ mvn package

+ ```

+3. In the git terminal window, use the following command to start the Java application (replace SYNCASYNCMODE with `sync` or `async` depending on which sample code you would like to run, replace YOUR_COSMOS_DB_HOSTNAME with the quoted URI value from the portal, and replace YOUR_COSMOS_DB_MASTER_KEY with the quoted primary key from portal)

+ ```bash

+ mvn exec:java@SYNCASYNCMODE -DACCOUNT_HOST=YOUR_COSMOS_DB_HOSTNAME -DACCOUNT_KEY=YOUR_COSMOS_DB_MASTER_KEY

+ ```

+ The terminal window displays a notification that the FamilyDB database was created.

+

+4. The app creates database with name `AzureSampleFamilyDB`

+5. The app creates container with name `FamilyContainer`

+6. The app will perform point reads using object IDs and partition key value (which is lastName in our sample).

+7. The app will query items to retrieve all families with last name in ('Andersen', 'Wakefield', 'Johnson')

+8. The app doesn't delete the created resources. Return to the Azure portal to [clean up the resources](#clean-up-resources) from your account so you don't incur charges.

+8. The app doesn't delete the created resources. Return to the Azure portal to [clean up the resources](#clean-up-resources) from your account so you don't incur charges.

+## [Passwordless Sync API](#tab/passwordlesssync)

+## Authenticate using DefaultAzureCredential

+You can authenticate to Cosmos DB for NoSQL using `DefaultAzureCredential` by adding the `azure-identity` [dependency](https://mvnrepository.com/artifact/com.azure/azure-identity) to your application. `DefaultAzureCredential` will automatically discover and use the account you signed-in with in the previous step.

+### Managing database resources using the synchronous (sync) API

+* `CosmosClient` initialization. The `CosmosClient` provides client-side logical representation for the Azure Cosmos DB database service. This client is used to configure and execute requests against the service.

+

+ [!code-java[](~/azure-cosmosdb-java-v4-getting-started/src/main/java/com/azure/cosmos/sample/sync/SyncPasswordlessMain.java?name=CreatePasswordlessSyncClient)]

+* Use the [`az cosmosdb sql database create`](/cli/azure/cosmosdb/sql/database#az-cosmosdb-sql-database-create) and [`az cosmosdb sql container create`](/cli/azure/cosmosdb/sql/container#az-cosmosdb-sql-container-create) commands to create a Cosmos DB NoSQL database and container.

+ ```azurecli-interactive

+ # Create a SQL API database

+ az cosmosdb sql database create \

+ --account-name msdocs-cosmos-nosql \

+ --resource-group msdocs \

+ --name AzureSampleFamilyDB

+ ```

+

+ ```azurecli-interactive

+ # Create a SQL API container

+ az cosmosdb sql container create \

+ --account-name msdocs-cosmos-nosql \

+ --resource-group msdocs \

+ --database-name AzureSampleFamilyDB \

+ --name FamilyContainer \

+ --partition-key-path '/lastName'

+ ```

+* Item creation by using the `createItem` method.

+ [!code-java[](~/azure-cosmosdb-java-v4-getting-started/src/main/java/com/azure/cosmos/sample/sync/SyncPasswordlessMain.java?name=CreateItem)]

+

+* Point reads are performed using `readItem` method.

+ [!code-java[](~/azure-cosmosdb-java-v4-getting-started/src/main/java/com/azure/cosmos/sample/sync/SyncPasswordlessMain.java?name=ReadItem)]

+* SQL queries over JSON are performed using the `queryItems` method.

+ [!code-java[](~/azure-cosmosdb-java-v4-getting-started/src/main/java/com/azure/cosmos/sample/sync/SyncPasswordlessMain.java?name=QueryItems)]

+## Run the app

+Now go back to the Azure portal to get your connection string information and launch the app with your endpoint information. This enables your app to communicate with your hosted database.

+1. In the git terminal window, `cd` to the sample code folder.

+ ```bash

+ cd azure-cosmos-java-getting-started

+ ```

+2. In the git terminal window, use the following command to install the required Java packages.

+ ```bash

+ mvn package

+ ```

+3. In the git terminal window, use the following command to start the Java application. Replace `SYNCASYNCMODE` with `sync-passwordless` or `async-passwordless`, depending upon which sample code you'd like to run. Replace `YOUR_COSMOS_DB_HOSTNAME` with the quoted URI value from the portal, and replace `YOUR_COSMOS_DB_MASTER_KEY` with the quoted primary key from portal.

+ ```bash

+ mvn exec:java@SYNCASYNCMODE -DACCOUNT_HOST=YOUR_COSMOS_DB_HOSTNAME -DACCOUNT_KEY=YOUR_COSMOS_DB_MASTER_KEY

+ ```

+ The terminal window displays a notification that the FamilyDB database was created.

+4. The app will reference the database and container you created via Azure CLI earlier.

+

+5. The app will perform point reads using object IDs and partition key value (which is lastName in our sample).

+6. The app will query items to retrieve all families with last name in ('Andersen', 'Wakefield', 'Johnson')

+## [Passwordless Async API](#tab/passwordlessasync)

+## Authenticate using DefaultAzureCredential

+You can authenticate to Cosmos DB for NoSQL using `DefaultAzureCredential` by adding the `azure-identity` [dependency](https://mvnrepository.com/artifact/com.azure/azure-identity) to your application. `DefaultAzureCredential` will automatically discover and use the account you signed-in with in the previous step.

+### Managing database resources using the asynchronous (async) API

+* Async API calls return immediately, without waiting for a response from the server. In light of this, the following code snippets show proper design patterns for accomplishing all of the preceding management tasks using async API.

+* `CosmosAsyncClient` initialization. The `CosmosAsyncClient` provides client-side logical representation for the Azure Cosmos DB database service. This client is used to configure and execute asynchronous requests against the service.

+

+ [!code-java[](~/azure-cosmosdb-java-v4-getting-started/src/main/java/com/azure/cosmos/sample/async/AsyncPasswordlessMain.java?name=CreatePasswordlessAsyncClient)]

+* Use the [`az cosmosdb sql database create`](/cli/azure/cosmosdb/sql/database#az-cosmosdb-sql-database-create) and [`az cosmosdb sql container create`](/cli/azure/cosmosdb/sql/container#az-cosmosdb-sql-container-create) commands to create a Cosmos DB NoSQL database and container.

+ ```azurecli-interactive

+ # Create a SQL API database

+ az cosmosdb sql database create \

+ --account-name msdocs-cosmos-nosql \

+ --resource-group msdocs \

+ --name AzureSampleFamilyDB

+ ```

+

+ ```azurecli-interactive

+ # Create a SQL API container

+ az cosmosdb sql container create \

+ --account-name msdocs-cosmos-nosql \

+ --resource-group msdocs \

+ --database-name AzureSampleFamilyDB \

+ --name FamilyContainer \

+ --partition-key-path '/lastName'

+ ```

+* As with the sync API, item creation is accomplished using the `createItem` method. This example shows how to efficiently issue numerous async `createItem` requests by subscribing to a Reactive Stream which issues the requests and prints notifications. Since this simple example runs to completion and terminates, `CountDownLatch` instances are used to ensure the program does not terminate during item creation. **The proper asynchronous programming practice is not to block on async calls - in realistic use-cases requests are generated from a main() loop that executes indefinitely, eliminating the need to latch on async calls.**

+ [!code-java[](~/azure-cosmosdb-java-v4-getting-started/src/main/java/com/azure/cosmos/sample/async/AsyncPasswordlessMain.java?name=CreateItem)]

+

+* As with the sync API, point reads are performed using `readItem` method.

+ [!code-java[](~/azure-cosmosdb-java-v4-getting-started/src/main/java/com/azure/cosmos/sample/async/AsyncPasswordlessMain.java?name=ReadItem)]

+* As with the sync API, SQL queries over JSON are performed using the `queryItems` method.

+ [!code-java[](~/azure-cosmosdb-java-v4-getting-started/src/main/java/com/azure/cosmos/sample/async/AsyncPasswordlessMain.java?name=QueryItems)]

+## Run the app

+Now go back to the Azure portal to get your connection string information and launch the app with your endpoint information. This enables your app to communicate with your hosted database.

+1. In the git terminal window, `cd` to the sample code folder.

+ ```bash

+ cd azure-cosmos-java-getting-started

+ ```

+2. In the git terminal window, use the following command to install the required Java packages.

+ ```bash

+ mvn package

+ ```

+3. In the git terminal window, use the following command to start the Java application (replace SYNCASYNCMODE with `sync-passwordless` or `async-passwordless` depending on which sample code you would like to run, replace YOUR_COSMOS_DB_HOSTNAME with the quoted URI value from the portal, and replace YOUR_COSMOS_DB_MASTER_KEY with the quoted primary key from portal)

+ ```bash

+ mvn exec:java@SYNCASYNCMODE -DACCOUNT_HOST=YOUR_COSMOS_DB_HOSTNAME -DACCOUNT_KEY=YOUR_COSMOS_DB_MASTER_KEY

+ ```

+ The terminal window displays a notification that the `AzureSampleFamilyDB` database was created.

+4. The app will reference the database and container you created via Azure CLI earlier.

+

+5. The app will perform point reads using object IDs and partition key value (which is lastName in our sample).

+6. The app will query items to retrieve all families with last name in ('Andersen', 'Wakefield', 'Johnson')

+7. The app doesn't delete the created resources. Switch back to the portal to [clean up the resources](#clean-up-resources). from your account so that you don't incur charges.

+If you're a billing profile Owner, Contributor, Reader, or Invoice Manager you can download your organization's price sheet from the Azure portal. See [View and download your organization's pricing](ea-pricing.md).

+| meterSubCategory | Name of the meter subclassification category. |

+| priceType | Price type for a product. For example, an Azure resource has its pay-as-you-go rate with priceType as *Consumption*. If the resource is eligible for a savings plan, it also has its savings plan rate with another priceType as *SavingsPlan*. |

+| Product | Name of the product accruing the charges. For example, Basic SQL DB vs Standard SQL DB. |

+| serviceFamily | Type of Azure service. For example, Compute, Analytics, and Security. |

+| Term | Duration associated with `priceType`. For example, SavingsPlan priceType has two commitment options: one year and three years. The Term will be *P1Y* for a one-year commitment and *P3Y* for a three-year commitment. |

+| unitPrice | Price per unit at the time of billing (not the effective blended price) as specific to a meter and product order name. Note: The unit price isn't the same as the effective price in usage details downloads when services have differential prices across tiers. If services have multi-tiered pricing, the effective price is a blended rate across the tiers and doesn't show a tier-specific unit price. The blended price or effective price is the net price for the consumed quantity spanning across the multiple tiers (where each tier has a specific unit price). |

+* Complex types are currently unsupported.

+- An Azure account with an active subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+ Title: Azure Event Hubs for Apache Kafka ecosystems

+description: Learn how Apache Kafka application developers can use Azure Event Hubs instead of building and using their own Kafka clusters.

+# Azure Event Hubs for Apache Kafka ecosystems

+Azure Event Hubs provides an Apache Kafka endpoint on an event hub, which enables users to connect to the event hub using the Kafka protocol. You can often use an event hub's Kafka endpoint from your applications without any code changes. You modify only the configuration, that is, update the connection string in configurations to point to the Kafka endpoint exposed by your event hub instead of pointing to a Kafka cluster. Then, you can start streaming events from your applications that use the Kafka protocol into event hubs, which are equivalent to Kafka topics.

+> Event Hubs for Kafka Ecosystems supports [Apache Kafka version 1.0](https://kafka.apache.org/10/documentation.html) and later.

+This article provides detailed information on using Azure Event Hubs to stream data from [Apache Kafka](https://kafka.apache.org) applications without setting up a Kafka cluster on your own.

+Conceptually, Kafka and Event Hubs are very similar. They're both partitioned logs built for streaming data, whereby the client controls which part of the retained log it wants to read. The following table maps concepts between Kafka and Event Hubs.

+| **Melbourne** | [NextDC M1](https://www.nextdc.com/data-centres/m1-melbourne-data-centre) | 2 | Australia Southeast | Supported | AARNet, Devoli, Equinix, Megaport, NETSG, NEXTDC, Optus, Orange, Telstra Corporation, TPG Telecom |

+| **Sydney2** | [NextDC S1](https://www.nextdc.com/data-centres/s1-sydney-data-centre) | 2 | Australia East | Supported | Megaport, NETSG, NextDC |

+| HDInsight 4.0 Kafka | 2.1.0 | Sep 30, 2022 | Oct 1, 2022 |

+| Attribute Keyword | All Studies | All Series | All Instances | Study's Series | Study's Instances | Study Series' Instances |

+| :- | :: | :-: | :: | :: | :-: | :: |

+| `StudyInstanceUID` | X | X | X | | | |

+| `PatientName` | X | X | X | | | |

+| `PatientID` | X | X | X | | | |

+| `PatientBirthDate` | X | X | X | | | |

+| `AccessionNumber` | X | X | X | | | |

+| `ReferringPhysicianName` | X | X | X | | | |

+| `StudyDate` | X | X | X | | | |

+| `StudyDescription` | X | X | X | | | |

+| `ModalitiesInStudy` | X | X | X | | | |

+| `SeriesInstanceUID` | | X | X | X | X | |

+| `Modality` | | X | X | X | X | |

+| `PerformedProcedureStepStartDate` | | X | X | X | X | |

+| `ManufacturerModelName` | | X | X | X | X | |

+| `SOPInstanceUID` | | | X | | X | X |

+- Azure IoT [security best practices](../iot-fundamentals/iot-security-best-practices.md) to guide the deployment process.

+1. On the **Modules** tab, select **Runtime Settings**.

+ :::image type="content" source="./media/how-to-update-iot-edge/configure-runtime.png" alt-text="Screenshot that shows location of the Runtime Settings tab.":::

+1. In **Runtime Settings**, update the **Image URI** value in the **Edge Agent** section with the desired version. Don't select **Apply** yet.

+ :::image type="content" source="./media/how-to-update-iot-edge/runtime-settings-edgeagent.png" alt-text="Screenshot that shows where to update the image U R I with your version in the Edge Agent.":::

+1. Select the **Edge Hub** tab and update the **Image URI** value with the same desired version.

+ :::image type="content" source="./media/how-to-update-iot-edge/runtime-settings-edgehub.png" alt-text="Screenshot that shows where to update the image U R I with your version in the Edge Hub.":::

+1. Select **Apply** to save changes.

+1. Select **Review + create**, review the deployment as seen in the JSON file, and select **Create**.

+Now that the latest IoT Edge service is running on your devices, you also need to [Update the runtime containers](#update-the-runtime-containers) to the latest version. The updating process for runtime containers is the same as the updating process the IoT Edge service.

+[Device Update for IoT Hub](../iot-hub-device-update/index.yml) is a service that enables you to deploy over-the-air updates (OTA) for your IoT Edge devices.

+ Title: Security architecture

+description: Security architecture guidelines and considerations for Azure IoT solutions illustrated using the IoT reference architecture

+# Security architecture for IoT solutions

+When you design and architect an IoT solution, it's important to understand the potential threats and include appropriate defenses. Understanding how an attacker might compromise a system helps you to make sure that the appropriate mitigations are in place from the start.

+## Threat modeling

+Microsoft recommends using a threat modeling process as part of your IoT solution design. If you're not familiar with threat modeling and the secure development lifecycle, see:

+- [Threat modeling](https://www.microsoft.com/securityengineering/sdl/threatmodeling)

+- [Secure development best practices on Azure](/azure/security/develop/secure-dev-overview)

+- [Getting started guide](/azure/security/develop/threat-modeling-tool-getting-started)

+## Security in IoT

+It's helpful to divide your IoT architecture into several zones as part of the threat modeling exercise:

+- Device

+- Field gateway

+- Cloud gateway

+- Service

+Each zone often has its own data and authentication and authorization requirements. You can also use zones to isolate damage and restrict the impact of low trust zones on higher trust zones.

+Each zone is separated by a _trust boundary_, shown as the dotted red line in the following diagram. It represents a transition of data from one source to another. During this transition, the data could be subject to the following threats:

+- Spoofing

+- Tampering

+- Repudiation

+- Information disclosure

+- Denial of service

+- Elevation of privilege

+To learn more, see the [STRIDE model](/azure/security/develop/threat-modeling-tool-threats#stride-model).

+You can use STRIDE to model the threats to each component within each zone. The following sections elaborate on each of the components and specific security concerns and solutions that should be put into place.

+The remainder of this article discusses the threats and mitigations for these zones and components in more detail.

+## Device zone

+The device environment is the space around the device where physical access and local network digital access to the device is feasible. A local network is assumed to be distinct and insulated from ΓÇô but potentially bridged to ΓÇô the public internet. The device environment includes any short-range wireless radio technology that permits peer-to-peer communication of devices. It doesn't include any network virtualization technology creating the illusion of such a local network. It doesn't include public operator networks that require any two devices to communicate across public network space if they were to enter a peer-to-peer communication relationship.

+## Field gateway zone

+A field gateway is a device, appliance, or general-purpose server computer software that acts as communication enabler and, potentially, as a device control system and device data processing hub. The field gateway zone includes the field gateway itself and all the devices attached to it. Field gateways act outside dedicated data processing facilities, are usually location bound, are potentially subject to physical intrusion, and have limited operational redundancy. A field gateway is typically a thing that an attacker could physically sabotage if they gained physical access.

+A field gateway differs from a traffic router in that it has had an active role in managing access and information flow. The field gateway has two distinct surface areas. One faces the devices attached to it and represents the inside of the zone. The other faces all external parties and is the edge of the zone.

+## Cloud gateway zone

+A cloud gateway is a system that enables remote communication from and to devices or field gateways deployed in multiple sites. The cloud gateway typically enables a cloud-based control and data analysis system, or a federation of such systems. In some cases, a cloud gateway may immediately facilitate access to special-purpose devices from terminals such as tablets or phones. In the cloud gateway zone, operational measures prevent targeted physical access and aren't necessarily exposed to a public cloud infrastructure.

+A cloud gateway may be mapped into a network virtualization overlay to insulate the cloud gateway and all of its attached devices or field gateways from any other network traffic. The cloud gateway itself isn't a device control system or a processing or storage facility for device data; those facilities interface with the cloud gateway. The cloud gateway zone includes the cloud gateway itself along with all field gateways and devices directly or indirectly attached to it. The edge of the zone is a distinct surface area that all external parties communicate through.

+## Services zone

+A service in this context is any software component or module that interfaces with devices through a field or cloud gateway. A service can collect data from the devices and command and control those devices. A service is a mediator that acts under its identity towards gateways and other subsystems to:

+- Store and analyze data

+- Issue commands to devices based on data insights or schedules

+- Expose information and control capabilities to authorized end users

+## IoT devices

+IoT devices are often special-purpose devices that range from simple temperature sensors to complex factory production lines with thousands of components inside them. Example IoT device capabilities include:

+- Measuring and reporting environmental conditions

+- Turning valves

+- Controlling servos

+- Sounding alarms

+- Switching lights on or off

+The purpose of these devices dictates their technical design and the available budget for their production and scheduled lifetime operation. The combination of these factors constrains the available operational energy budget, physical footprint, and available storage, compute, and security capabilities.

+Things that can go wrong with an automated or remotely controlled IoT device include:

+- Physical defects

+- Control logic defects

+- Willful unauthorized intrusion and manipulation.

+The consequences of these failures could be severe such as destroyed production lots, buildings burnt down, or injury and death. Therefore, there's a high security bar for devices that make things move or that report sensor data that results in commands that cause things to move.

+### Device control and device data interactions

+Connected special-purpose devices have a significant number of potential interaction surface areas and interaction patterns, all of which must be considered to provide a framework for securing digital access to those devices. _Digital access_ refers to operations that are carried out through software and hardware rather than through direct physical access to the device. For example, physical access could be controlled by putting the device into a room with a lock on the door. While physical access can't be denied using software and hardware, measures can be taken to prevent physical access from leading to system interference.

+As you explore the interaction patterns, look at _device control_ and _device data_ with the same level of attention. Device control refers to any information provided to a device with the intention of modifying its behavior. Device data refers to information that a device emits to any other party about its state and the observed state of its environment.

+## Threat modeling for the Azure IoT reference architecture

+This section uses the [Azure IoT reference architecture](/azure/architecture/reference-architectures/iot) to demonstrate how to think about threat modeling for IoT and how to address the threats identified:

+The following diagram provides a simplified view of the reference architecture by using a data flow diagram model:

+The architecture separates the device and field gateway capabilities. This approach enables you to use more secure field gateway devices. Field gateway devices can communicate with the cloud gateway using secure protocols, which typically require greater processing power than a simple device, such as a thermostat, could provide on its own. In the **Azure Services Zone** in the diagram, the Azure IoT Hub service is the cloud gateway.

+Based on the architecture outlined previously, the following sections show some threat modeling examples. The examples focus on the core elements of a threat model:

+- Processes

+- Communication

+- Storage

+### Processes

+Here are some examples of threats in the processes category. The threats are categorized based on the STRIDE model:

+**Spoofing**: An attacker may extract cryptographic keys from a device, either at the software or hardware level. The attacked then uses these keys to access the system from a different physical or virtual device by using the identity of the original device.

+**Denial of Service**: A device can be rendered incapable of functioning or communicating by interfering with radio frequencies or cutting wires. For example, a surveillance camera that had its power or network connection intentionally knocked out can't report data, at all.

+**Tampering**: An attacker may partially or wholly replace the software on the device. If the device's cryptographic keys are available to the attackers code, it can then use the identity of the device.

+**Tampering**: A surveillance camera that's showing a visible-spectrum picture of an empty hallway could be aimed at a photograph of such a hallway. A smoke or fire sensor could be reporting someone holding a lighter under it. In either case, the device may be technically fully trustworthy towards the system, but it reports manipulated information.

+**Tampering**: An attacker may use extracted cryptographic keys to intercept and suppress data sent from the device and replace it with false data that's authenticated with the stolen keys.

+**Information Disclosure**: If the device is running manipulated software, such manipulated software could potentially leak data to unauthorized parties.

+**Information Disclosure**: An attacker may use extracted cryptographic keys to inject code into the communication path between the device and field gateway or cloud gateway to siphon off information.

+**Denial of Service**: The device can be turned off or turned into a mode where communication isn't possible (which is intentional in many industrial machines).

+**Tampering**: The device can be reconfigured to operate in a state unknown to the control system (outside of known calibration parameters) and thus provide data that can be misinterpreted

+**Elevation of Privilege**: A device that does specific function can be forced to do something else. For example, a valve that is programmed to open half way can be tricked to open all the way.

+**Spoofing/Tampering/Repudiation**: If not secured (which is rarely the case with consumer remote controls), an attacker can manipulate the state of a device anonymously. A good illustration is a remote control that can turn off any TV.

+The following table shows example mitigations to these threats. The values in the threat column are abbreviations:

+- Spoofing (S)

+- Tampering (T)

+- Repudiation (R)

+- Information disclosure (I)

+- Denial of service (D)

+- Elevation of privilege (E)

+| Component | Threat | Mitigation | Risk | Implementation |

+| | | | | |

+| Device |S |Assigning identity to the device and authenticating the device |Replacing device or part of the device with some other device. How do you know you're talking to the right device? |Authenticating the device, using Transport Layer Security (TLS) or IPSec. Infrastructure should support using pre-shared key (PSK) on those devices that can't handle full asymmetric cryptography. Use Azure AD, [OAuth](https://www.rfc-editor.org/pdfrfc/rfc6755.txt.pdf) |

+|| TRID |Apply tamperproof mechanisms to the device, for example, by making it hard to impossible to extract keys and other cryptographic material from the device. |The risk is if someone is tampering the device (physical interference). How are you sure, that device hasn't been tampered with. |The most effective mitigation is a trusted platform module (TPM). A TPM stores keys in special on-chip circuitry from which the keys can't be read, but can only be used for cryptographic operations that use the key. Memory encryption of the device. Key management for the device. Signing the code. |

+|| E |Having access control of the device. Authorization scheme. |If the device allows for individual actions to be performed based on commands from an outside source, or even compromised sensors, it allows the attack to perform operations not otherwise accessible. |Having authorization scheme for the device |

+| Field Gateway |S |Authenticating the Field gateway to Cloud Gateway (such as cert based, PSK, or Claim based.) |If someone can spoof Field Gateway, then it can present itself as any device. |TLS RSA/PSK, IPSec, [RFC 4279](https://tools.ietf.org/html/rfc4279). All the same key storage and attestation concerns of devices in general ΓÇô best case is use TPM. 6LowPAN extension for IPSec to support Wireless Sensor Networks (WSN). |

+|| TRID |Protect the Field Gateway against tampering (TPM) |Spoofing attacks that trick the cloud gateway thinking it's talking to field gateway could result in information disclosure and data tampering |Memory encryption, TPMs, authentication. |

+|| E |Access control mechanism for Field Gateway | | |

+### Communication

+Here are some examples of threats in the communication category. The threats are categorized based on the STRIDE model:

+**Denial of Service**: Constrained devices are generally under DoS threat when they actively listen for inbound connections or unsolicited datagrams on a network. An attacker can open many connections in parallel and either not service them or service them slowly, or flood the device with unsolicited traffic. In both cases, the device can effectively be rendered inoperable on the network.

+**Spoofing, Information Disclosure**: Constrained devices and special-purpose devices often have one-for-all security facilities such as password or PIN protection. Sometimes they wholly rely on trusting the network, and grant access to information to any device is on the same network. If the network is protected by a shared key that gets disclosed, an attacker could control the device or observe the data it transmits.

+**Spoofing**: an attacker may intercept or partially override the broadcast and spoof the originator.

+**Tampering**: An attacker may intercept or partially override the broadcast and send false information.

+**Information Disclosure:** An attacker may eavesdrop on a broadcast and obtain information without authorization.

+**Denial of Service:** An attacker may jam the broadcast signal and deny information distribution.

+The following table shows example mitigations to these threats:

+| Component | Threat | Mitigation | Risk | Implementation |

+| | | | | |

+| Device IoT Hub |TID |(D)TLS (PSK/RSA) to encrypt the traffic |Eavesdropping or interfering the communication between the device and the gateway |Security on the protocol level. With custom protocols, you need to figure out how to protect them. In most cases, the communication takes place from the device to the IoT Hub (device initiates the connection). |

+| Device to Device |TID |(D)TLS (PSK/RSA) to encrypt the traffic. |Reading data in transit between devices. Tampering with the data. Overloading the device with new connections |Security on the protocol level (MQTT/AMQP/HTTP/CoAP. With custom protocols, you need to figure out how to protect them. The mitigation for the DoS threat is to peer devices through a cloud or field gateway and have them only act as clients towards the network. The peering may result in a direct connection between the peers after having been brokered by the gateway |

+| External Entity Device |TID |Strong pairing of the external entity to the device |Eavesdropping the connection to the device. Interfering the communication with the device |Securely pairing the external entity to the device NFC/Bluetooth LE. Controlling the operational panel of the device (Physical) |

+| Field Gateway Cloud Gateway |TID |TLS (PSK/RSA) to encrypt the traffic. |Eavesdropping or interfering the communication between the device and the gateway |Security on the protocol level (MQTT/AMQP/HTTP/CoAP). With custom protocols, you need to figure out how to protect them. |

+| Device Cloud Gateway |TID |TLS (PSK/RSA) to encrypt the traffic. |Eavesdropping or interfering the communication between the device and the gateway |Security on the protocol level (MQTT/AMQP/HTTP/CoAP). With custom protocols, you need to figure out how to protect them. |

+### Storage

+The following table shows example mitigations to the storage threats:

+| Component | Threat | Mitigation | Risk | Implementation |

+| | | | | |

+| Device storage |TRID |Storage encryption, signing the logs |Reading data from the storage, tampering with telemetry data. Tampering with queued or cached command control data. Tampering with configuration or firmware update packages while cached or queued locally can lead to OS and/or system components being compromised |Encryption, message authentication code (MAC), or digital signature. Where possible, strong access control through resource access control lists (ACLs) or permissions. |

+| Device OS image |TRID | |Tampering with OS /replacing the OS components |Read-only OS partition, signed OS image, encryption |

+| Field Gateway storage (queuing the data) |TRID |Storage encryption, signing the logs |Reading data from the storage, tampering with telemetry data, tampering with queued or cached command control data. Tampering with configuration or firmware update packages (destined for devices or field gateway) while cached or queued locally can lead to OS and/or system components being compromised |BitLocker |

+| Field Gateway OS image |TRID | |Tampering with OS /replacing the OS components |Read-only OS partition, signed OS image, Encryption |

+ Title: Security best practices

+description: Security best practices for building, deploying, and operating your IoT solution. Includes recommendations for devices, data, and infrastructure

+# Security best practices for IoT solutions

+You can divide security in an IoT solution into the following three areas:

+- **Device security**: Securing the IoT device while it's deployed in the wild.

+- **Connection security**: Ensuring all data transmitted between the IoT device and IoT Hub is confidential and tamper-proof.

+- **Cloud security**: Providing a means to secure data while it moves through, and is stored in the cloud.

+Implementing the recommendations in this article will help you meet the security obligations described in the shared responsibility model. To learn more about what Microsoft does to fulfill service provider responsibilities, see [Shared responsibilities for cloud computing](../security/fundamentals/shared-responsibility.md).

+## Responsibilities

+You can develop and execute an IoT security strategy with the active participation of the various players involved in the manufacturing, development, and deployment of IoT devices and infrastructure. The following list is a high-level description of these players.

+- **Hardware manufacturer/integrator**: The manufacturers of IoT hardware you're deploying, the integrators assembling hardware from various manufacturers, or the suppliers providing the hardware.

+- **Solution developer**: The solution developer may part of an in-house team or a system integrator specializing in this activity. The IoT solution developer can develop various components of the IoT solution from scratch, or integrate various off-the-shelf or open-source components.

+- **Solution deployer**: After an IoT solution is developed, it needs to be deployed in the field. This process involves deployment of hardware, interconnection of devices, and deployment of solutions in hardware devices or the cloud.

+- **Solution operator**: After the IoT solution is deployed, it requires long-term operations, monitoring, upgrades, and maintenance. These tasks can be done by an in-house team that monitors the correct behavior of overall IoT infrastructure.

+## Microsoft Defender for IoT

+Microsoft Defender for IoT can automatically monitor some of the recommendations included in this article. Microsoft Defender for IoT should be the first line of defense to protect your resources in Azure. Microsoft Defender for IoT periodically analyzes the security state of your Azure resources to identify potential security vulnerabilities. It then provides you with recommendations on how to address them.

+- To learn more about Microsoft Defender for IoT recommendations, see [Security recommendations in Microsoft Defender for IoT](../security-center/security-center-recommendations.md).

+- To learn more about Microsoft Defender for IoT, see [What is Microsoft Defender for IoT?](../security-center/security-center-introduction.md).

+## Device security

+- **Scope hardware to minimum requirements**: Select your device hardware to include the minimum features required for its operation, and nothing more. For example, only include USB ports if they're necessary for the operation of the device in your solution. Extra features can expose the device to unwanted attack vectors.

+- **Select tamper proof hardware**: Select device hardware with built-in mechanisms to detect physical tampering, such as the opening of the device cover or the removal of a part of the device. These tamper signals can be part of the data stream uploaded to the cloud, which can alert operators to these events.

+- **Select secure hardware**: If possible choose device hardware that includes security features such as secure and encrypted storage and boot functionality based on a Trusted Platform Module. These features make devices more secure and help protect the overall IoT infrastructure.

+- **Enable secure upgrades**: Firmware upgrades during the lifetime of the device are inevitable. Build devices with secure paths for upgrades and cryptographic assurance of firmware versions to secure your devices during and after upgrades.

+- **Follow a secure software development methodology**: The development of secure software requires you to consider security from the inception of the project all the way through implementation, testing, and deployment. The [Microsoft Security Development Lifecycle](https://www.microsoft.com/securityengineering/sdl/) provides a step-by-step approach to building secure software.

+- **Use device SDKs whenever possible**: Device SDKs implement various security features such as encryption and authentication that help you develop robust and secure device applications. To learn more, see [Understand and use Azure IoT Hub SDKs](../iot-hub/iot-hub-devguide-sdks.md).

+- **Choose open-source software with care**: Open-source software provides an opportunity to quickly develop solutions. When you're choosing open-source software, consider the activity level of the community for each open-source component. An active community ensures that software is supported and that issues are discovered and addressed. An obscure and inactive open-source software project might not be supported and issues aren't likely be discovered.

+- **Deploy hardware securely**: IoT deployments may require you to deploy hardware in unsecure locations, such as in public spaces or unsupervised locales. In such situations, ensure that hardware deployment is as tamper-proof as possible. For example, if the hardware has USB ports ensure that they're covered securely.

+- **Keep authentication keys safe**: During deployment, each device requires device IDs and associated authentication keys generated by the cloud service. Keep these keys physically safe even after the deployment. Any compromised key can be used by a malicious device to masquerade as an existing device.

+- **Keep the system up-to-date**: Ensure that device operating systems and all device drivers are upgraded to the latest versions. Keeping operating systems up-to-date helps ensure that they're protected against malicious attacks.

+- **Protect against malicious activity**: If the operating system permits, install the latest antivirus and antimalware capabilities on each device operating system.

+- **Audit frequently**: Auditing IoT infrastructure for security-related issues is key when responding to security incidents. Most operating systems provide built-in event logging that you should review frequently to make sure no security breach has occurred. A device can send audit information as a separate telemetry stream to the cloud service where it can be analyzed.

+- **Follow device manufacturer security and deployment best practices**: If the device manufacturer provides security and deployment guidance, follow that guidance in addition to the generic guidance listed in this article.

+- **Use a field gateway to provide security services for legacy or constrained devices**: Legacy and constrained devices might lack the capability to encrypt data, connect with the Internet, or provide advanced auditing. In these cases, a modern and secure field gateway can aggregate data from legacy devices and provide the security required for connecting these devices over the Internet. Field gateways can provide secure authentication, negotiation of encrypted sessions, receipt of commands from the cloud, and many other security features.

+## Connection security

+- **Use X.509 certificates to authenticate your devices to IoT Hub**: IoT Hub supports both X509 certificate-based authentication and security tokens as methods for a device to authenticate with your IoT hub. If possible, use X509-based authentication in production environments as it provides greater security. To learn more, see [Authenticating a device to IoT Hub](../iot-hub/iot-hub-dev-guide-sas.md#authenticating-a-device-to-iot-hub).

+- **Use Transport Layer Security (TLS) 1.2 to secure connections from devices**: IoT Hub uses TLS to secure connections from IoT devices and services. Three versions of the TLS protocol are currently supported: 1.0, 1.1, and 1.2. TLS 1.0 and 1.1 are considered legacy. To learn more, see [Transport Layer Security (TLS) support in IoT Hub](../iot-hub/iot-hub-tls-support.md).

+- **Ensure you have a way to update the TLS root certificate on your devices**: TLS root certificates are long-lived, but they still may expire or be revoked. If there's no way of updating the certificate on the device, the device may not be able to connect to IoT Hub or any other cloud service at a later date.

+- **Consider using Azure Private Link**: Azure Private Link lets you connect your devices to a private endpoint on your VNet, enabling you to block access to your IoT hub's public device-facing endpoints. To learn more, see [Ingress connectivity to IoT Hub using Azure Private Link](../iot-hub/virtual-network-support.md#ingress-connectivity-to-iot-hub-using-azure-private-link).

+## Cloud security

+- **Follow a secure software development methodology**: The development of secure software requires you to consider security from the inception of the project all the way through implementation, testing, and deployment. The [Microsoft Security Development Lifecycle](https://www.microsoft.com/securityengineering/sdl/) provides a step-by-step approach to building secure software.

+- **Choose open-source software with care**: Open-source software provides an opportunity to quickly develop solutions. When you're choosing open-source software, consider the activity level of the community for each open-source component. An active community ensures that software is supported and that issues are discovered and addressed. An obscure and inactive open-source software project might not be supported and issues aren't likely be discovered.

+- **Integrate with care**: Many software security flaws exist at the boundary of libraries and APIs. Functionality that may not be required for the current deployment might still be available by through an API layer. To ensure overall security, make sure to check all interfaces of components being integrated for security flaws.

+- **Protect cloud credentials**: An attacker can use the cloud authentication credentials you use to configure and operate your IoT deployment to gain access to and compromise your IoT system. Protect the credentials by changing the password frequently, and don't use these credentials on public machines.

+- **Define access controls for your IoT hub**: Understand and define the type of access that each component in your IoT Hub solution needs based on the required functionality. There are two ways you can grant permissions for the service APIs to connect to your IoT hub: [Azure Active Directory](../iot-hub/iot-hub-dev-guide-azure-ad-rbac.md) or [Shared Access signatures](../iot-hub/iot-hub-dev-guide-sas.md).

+- **Define access controls for backend services**: Other Azure services can consume the data your IoT Hub ingests from your devices by using the IoT hub's Event Hubs-compatible endpoint. You can also use IoT Hub message routing to deliver the data from your devices to other Azure services. Understand and configure appropriate access permissions for IoT Hub to connect to these services. To learn more, see [Read device-to-cloud messages from the built-in endpoint](../iot-hub/iot-hub-devguide-messages-read-builtin.md) and [Use IoT Hub message routing to send device-to-cloud messages to different endpoints](../iot-hub/iot-hub-devguide-messages-d2c.md).

+- **Monitor your IoT solution from the cloud**: Monitor the overall health of your IoT Hub solution using the [metrics in Azure Monitor](../iot-hub/monitor-iot-hub.md).

+- **Set up diagnostics**: Monitor your operations by logging events in your solution, and then sending the diagnostic logs to Azure Monitor. To learn more, see [Monitor and diagnose problems in your IoT hub](../iot-hub/monitor-iot-hub.md).

+## Next steps

+Read about IoT Hub security in [Azure security baseline for Azure IoT Hub](/security/benchmark/azure/baselines/iot-hub-security-baseline?toc=/azure/iot-hub/TOC.json) and [Security in your IoT workload](/azure/architecture/framework/iot/iot-security).

+ > By default, the **Start** date and time is set to Immediately. Be sure to select a different date and time if you want the deployment to begin later.

+|workflow|complex|device to cloud| A set of values that indicate which deployment the agent is currently working on, ID of current deployment, and acknowledgment of any retry request sent from service to agent. Note that the workflow ID reports a "nodeployment" value once the deployment is cancelled. |"workflow": {"action": 3,"ID": "11b6a7c3-6956-4b33-b5a9-87fdd79d2f01","retryTimestamp": "2022-01-26T11:33:29.9680598Z"}|

+# Quickstart: Azure Key Vault certificate client library for JavaScript

+ ```azurecli

+1. Install the Azure Identity client library, [@azure/identity](https://www.npmjs.com/package/@azure/identity), to authenticate to a Key Vault.

+Create a vault access policy for your key vault that grants key permissions to your user account.

+az keyvault set-policy --name <YourKeyVaultName> --upn user@domain.com --certificate-permissions delete get list create purge update

+### [Windows](#tab/windows)

+### [PowerShell](#tab/powershell)

+### [macOS or Linux](#tab/linux)

+## Authenticate and create a client

+Application requests to most Azure services must be authorized. Using the [DefaultAzureCredential](/javascript/api/@azure/identity/#@azure-identity-getdefaultazurecredential) method provided by the [Azure Identity client library](/javascript/api/@azure/identity) is the recommended approach for implementing passwordless connections to Azure services in your code. `DefaultAzureCredential` supports multiple authentication methods and determines which method should be used at runtime. This approach enables your app to use different authentication methods in different environments (local vs. production) without implementing environment-specific code.

+In this quickstart, `DefaultAzureCredential` authenticates to key vault using the credentials of the local development user logged into the Azure CLI. When the application is deployed to Azure, the same `DefaultAzureCredential` code can automatically discover and use a managed identity that is assigned to an App Service, Virtual Machine, or other services. For more information, see [Managed Identity Overview](/azure/active-directory/managed-identities-azure-resources/overview).

+In this code, the name of your key vault is used to create the key vault URI, in the format `https://<your-key-vault-name>.vault.azure.net`. For more information about authenticating to key vault, see [Developer's Guide](/azure/key-vault/general/developers-guide#authenticate-to-key-vault-in-code).

+This code uses the following [Key Vault Certificate classes and methods](/javascript/api/overview/azure/keyvault-certificates-readme):

+

+* [DefaultAzureCredential class](/javascript/api/@azure/identity/#@azure-identity-getdefaultazurecredential)

+* [CertificateClient class](/javascript/api/@azure/keyvault-certificates/certificateclient)

+ * [beginCreateCertificate](/javascript/api/@azure/keyvault-certificates/certificateclient#@azure-keyvault-certificates-certificateclient-begincreatecertificate)

+ * [getCertificate](/javascript/api/@azure/keyvault-certificates/certificateclient#@azure-keyvault-certificates-certificateclient-getcertificate)

+ * [getCertificateVersion](/javascript/api/@azure/keyvault-certificates/certificateclient#@azure-keyvault-certificates-certificateclient-getcertificateversion)

+ * [updateCertificateProperties](/javascript/api/@azure/keyvault-certificates/certificateclient#@azure-keyvault-certificates-certificateclient-updatecertificateproperties)

+ * [updateCertificatePolicy](/javascript/api/@azure/keyvault-certificates/certificateclient#@azure-keyvault-certificates-certificateclient-updatecertificateproperties)

+ * [beginDeleteCertificate](/javascript/api/@azure/keyvault-certificates/certificateclient#@azure-keyvault-certificates-certificateclient-begindeletecertificate)

+* [PollerLike interface](/javascript/api/@azure/core-lro/pollerlike)

+ * [getResult](/javascript/api/@azure/core-lro/pollerlike#@azure-core-lro-pollerlike-getresult)

+ * [pollUntilDone](/javascript/api/@azure/core-lro/pollerlike@azure-core-lro-pollerlike-polluntildone)

+ if(!keyVaultName) throw new Error("KEY_VAULT_NAME is empty");

+# Quickstart: Azure Key Vault key client library for JavaScript

+ ```azurecli

+1. Using the terminal, install the Azure Key Vault secrets client library, [@azure/keyvault-keys](https://www.npmjs.com/package/@azure/keyvault-keys) for Node.js.

+1. Install the Azure Identity client library, [@azure/identity](https://www.npmjs.com/package/@azure/identity) package to authenticate to a Key Vault.

+az keyvault set-policy --name <YourKeyVaultName> --upn user@domain.com --key-permissions delete get list create update purge

+### [Windows](#tab/windows)

+### [PowerShell](#tab/powershell)

+### [macOS or Linux](#tab/linux)

+## Authenticate and create a client

+Application requests to most Azure services must be authorized. Using the [DefaultAzureCredential](/javascript/api/@azure/identity/#@azure-identity-getdefaultazurecredential) method provided by the [Azure Identity client library](/javascript/api/@azure/identity) is the recommended approach for implementing passwordless connections to Azure services in your code. `DefaultAzureCredential` supports multiple authentication methods and determines which method should be used at runtime. This approach enables your app to use different authentication methods in different environments (local vs. production) without implementing environment-specific code.

+In this quickstart, `DefaultAzureCredential` authenticates to key vault using the credentials of the local development user logged into the Azure CLI. When the application is deployed to Azure, the same `DefaultAzureCredential` code can automatically discover and use a managed identity that is assigned to an App Service, Virtual Machine, or other services. For more information, see [Managed Identity Overview](/azure/active-directory/managed-identities-azure-resources/overview).

+In this code, the name of your key vault is used to create the key vault URI, in the format `https://<your-key-vault-name>.vault.azure.net`. For more information about authenticating to key vault, see [Developer's Guide](/azure/key-vault/general/developers-guide#authenticate-to-key-vault-in-code).

+The code samples below will show you how to create a client, set a secret, retrieve a secret, and delete a secret.

+This code uses the following [Key Vault Secret classes and methods](/javascript/api/overview/azure/keyvault-keys-readme):

+

+* [DefaultAzureCredential class](/javascript/api/@azure/identity/#@azure-identity-getdefaultazurecredential)

+* [KeyClient class](/javascript/api/@azure/keyvault-keys/keyclient)

+ * [createKey](/javascript/api/@azure/keyvault-keys/keyclient#@azure-keyvault-keys-keyclient-createkey)

+ * [createEcKey](/javascript/api/@azure/keyvault-keys/keyclient#@azure-keyvault-keys-keyclient-createeckey)

+ * [createRsaKey](/javascript/api/@azure/keyvault-keys/keyclient#@azure-keyvault-keys-keyclient-creatersakey)

+ * [getKey](/javascript/api/@azure/keyvault-keys/keyclient#@azure-keyvault-keys-keyclient-getkey)

+ * [listPropertiesOfKeys](/javascript/api/@azure/keyvault-keys/keyclient#@azure-keyvault-keys-keyclient-listpropertiesofkeys)

+ * [updateKeyProperties](/javascript/api/@azure/keyvault-keys/keyclient#@azure-keyvault-keys-keyclient-updatekeyproperties)

+ * [beginDeleteKey](/javascript/api/@azure/keyvault-keys/keyclient#@azure-keyvault-keys-keyclient-begindeletekey)

+ * [getDeletedKey](/javascript/api/@azure/keyvault-keys/keyclient#@azure-keyvault-keys-keyclient-getdeletedkey)

+ * [purgeDeletedKey](/javascript/api/@azure/keyvault-keys/keyclient#@azure-keyvault-keys-keyclient-purgedeletedkey)

+ if(!keyVaultName) throw new Error("KEY_VAULT_NAME is empty");

+|Data Action | Administrator | Crypto Officer | Crypto User | Policy Administrator | Crypto Service Encryption User | Backup | Crypto Auditor|

+# Quickstart: Azure Key Vault secret client library for JavaScript

+ ```azurecli

+1. Using the terminal, install the Azure Key Vault secrets client library, [@azure/keyvault-secrets](https://www.npmjs.com/package/@azure/keyvault-secrets) for Node.js.

+1. Install the Azure Identity client library, [@azure/identity](https://www.npmjs.com/package/@azure/identity) package to authenticate to a Key Vault.

+Create a vault access policy for your key vault that grants secret permissions to your user account with the [az keyvault set-policy](/cli/azure/keyvault#az-keyvault-set-policy) command.

+az keyvault set-policy --name <your-key-vault-name> --upn user@domain.com --secret-permissions delete get list set purge update

+### [Windows](#tab/windows)

+### [PowerShell](#tab/powershell)

+### [macOS or Linux](#tab/linux)

+## Authenticate and create a client

+Application requests to most Azure services must be authorized. Using the [DefaultAzureCredential](/javascript/api/@azure/identity/#@azure-identity-getdefaultazurecredential) method provided by the [Azure Identity client library](/javascript/api/@azure/identity) is the recommended approach for implementing passwordless connections to Azure services in your code. `DefaultAzureCredential` supports multiple authentication methods and determines which method should be used at runtime. This approach enables your app to use different authentication methods in different environments (local vs. production) without implementing environment-specific code.

+In this quickstart, `DefaultAzureCredential` authenticates to key vault using the credentials of the local development user logged into the Azure CLI. When the application is deployed to Azure, the same `DefaultAzureCredential` code can automatically discover and use a managed identity that is assigned to an App Service, Virtual Machine, or other services. For more information, see [Managed Identity Overview](/azure/active-directory/managed-identities-azure-resources/overview).

+In this code, the name of your key vault is used to create the key vault URI, in the format `https://<your-key-vault-name>.vault.azure.net`. For more information about authenticating to key vault, see [Developer's Guide](/azure/key-vault/general/developers-guide#authenticate-to-key-vault-in-code).

+This code uses the following [Key Vault Secret classes and methods](/javascript/api/overview/azure/keyvault-secretss-readme):

+

+* [DefaultAzureCredential](/javascript/api/@azure/identity/#@azure-identity-getdefaultazurecredential)

+* [SecretClient class](/javascript/api/@azure/keyvault-secrets/secretclient)

+ * [setSecret](/javascript/api/@azure/keyvault-secrets/secretclient#@azure-keyvault-secrets-secretclient-setsecret)

+ * [getSecret](/javascript/api/@azure/keyvault-secrets/secretclient#@azure-keyvault-secrets-secretclient-getsecret)

+ * [updateSecretProperties](/javascript/api/@azure/keyvault-secrets/secretclient#@azure-keyvault-secrets-secretclient-updatesecretproperties)

+ * [beginDeleteSecret](/javascript/api/@azure/keyvault-secrets/secretclient#@azure-keyvault-secrets-secretclient-begindeletesecret)

+### Set up the app framework

+ // If you're using MSI, DefaultAzureCredential should "just work".

+ // Otherwise, DefaultAzureCredential expects the following three environment variables:

+ // - AZURE_TENANT_ID: The tenant ID in Azure Active Directory

+ // - AZURE_CLIENT_ID: The application (client) ID registered in the AAD tenant

+ // - AZURE_CLIENT_SECRET: The client secret for the registered application

+ if(!keyVaultName) throw new Error("KEY_VAULT_NAME is empty");

+ // Delete the secret immediately without ability to restore or purge.

+To preallocate a backend pool with an IP address range that later will contain virtual machines and Virtual Machine Scale Sets, configure the pool by IP address and virtual network ID.

+ PrivateIpAddress = '10.0.0.5'

+ * [Private endpoint resources](../private-link/private-endpoint-overview.md) can't be placed in an IP based backend pool

+ * A virtual machine in the same virtual network as an internal load balancer can't access the frontend of the ILB and its backend VMs simultaneously

+ Probe = $probe

+$y_{t+1} = f(y_t, y_{t-1}, \ldots, y_{t-s})$.

+AutoML's forecasting regression models can also be augmented to use historical values of the target and predictors. The result is a hybrid model with characteristics of a time series model and a pure regression model. Historical quantities are additional predictor variables in the regression and we refer to them as **lagged quantities**. The _order_ of the lag refers to how far back the value is known. For example, the current value of an order-two lag of the target for our orange juice demand example is the observed juice demand from two days ago.

+[Naive, Seasonal Naive, Average, Seasonal Average](https://otexts.com/fpp3/simple-methods.html), [ARIMA(X)](https://www.statsmodels.org/dev/generated/statsmodels.tsa.statespace.sarimax.SARIMAX.html), [Exponential Smoothing](https://www.statsmodels.org/dev/generated/statsmodels.tsa.holtwinters.ExponentialSmoothing.html) | [Linear SGD](https://scikit-learn.org/stable/modules/linear_model.html#stochastic-gradient-descent-sgd), [LARS LASSO](https://scikit-learn.org/stable/modules/linear_model.html#lars-lasso), [Elastic Net](https://scikit-learn.org/stable/modules/linear_model.html#elastic-net), [Prophet](https://facebook.github.io/prophet/), [K Nearest Neighbors](https://scikit-learn.org/stable/modules/neighbors.html#nearest-neighbors-regression), [Decision Tree](https://scikit-learn.org/stable/modules/tree.html#regression), [Random Forest](https://scikit-learn.org/stable/modules/ensemble.html#random-forests), [Extremely Randomized Trees](https://scikit-learn.org/stable/modules/ensemble.html#extremely-randomized-trees), [Gradient Boosted Trees](https://scikit-learn.org/stable/modules/ensemble.html#regression), [LightGBM](https://lightgbm.readthedocs.io/en/latest/https://docsupdatetracker.net/index.html), [XGBoost](https://xgboost.readthedocs.io/en/latest/parameter.html), [ForecastTCN](./how-to-auto-train-forecast.md#enable-deep-learning)

+The models in each category are listed roughly in order of the complexity of patterns they're able to incorporate, also known as the **model capacity**. A Naive model, which simply forecasts the last observed value, has low capacity while the Temporal Convolutional Network (ForecastTCN), a deep neural network with potentially millions of tunable parameters, has high capacity.

+AutoML accepts time series data in tabular, "wide" format; that is, each variable must have its own corresponding column. AutoML requires one of the columns to be the time axis for the forecasting problem. This column must be parsable into a datetime type. The simplest time series data set consists of a **time column** and a numeric **target column**. The target is the variable one intends to predict into the future. The following is an example of the format in this simple case:

+### Data length requirements

+To train a forecasting model, you must have a sufficient amount of historical data. This threshold quantity varies with the training configuration. If you've provided validation data, the minimum number of training observations required per time series is given by,

+$T_{\text{user validation}} = H + \text{max}(l_{\text{max}}, s_{\text{window}}) + 1$,

+where $H$ is the forecast horizon, $l_{\text{max}}$ is the maximum lag order, and $s_{\text{window}}$ is the window size for rolling aggregation features. If you're using cross-validation, the minimum number of observations is,

+ $T_{\text{CV}} = 2H + (n_{\text{CV}} - 1) n_{\text{step}} + \text{max}(l_{\text{max}}, s_{\text{window}}) + 1$,

+where $n_{\text{CV}}$ is the number of cross-validation folds and $n_{\text{step}}$ is the CV step size, or offset between CV folds. The basic logic behind these formulas is that you should always have at least a horizon of training observations for each time series, including some padding for lags and cross-validation splits. See [forecasting model selection](./concept-automl-forecasting-sweeping.md#model-selection) for more details on cross-validation for forecasting.

+AutoML's time series models require regularly spaced observations in time. Regularly spaced, here, includes cases like monthly or yearly observations where the number of days between observations may vary. Prior to modeling, AutoML must ensure there are no missing series values _and_ that the observations are regular. Hence, there are two missing data cases:

+This series ostensibly has a daily frequency, but there's no observation for Jan. 2, 2012. In this case, AutoML will attempt to fill in the data by adding a new row for Jan. 2, 2012. The new value for the `quantity` column, and any other columns in the data, will then be imputed like other missing values. Clearly, AutoML must know the series frequency in order to fill in observation gaps like this. AutoML automatically detects this frequency, or, optionally, the user can provide it in the configuration.

+The imputation method for filling missing values can be [configured](./how-to-auto-train-forecast.md#custom-featurization) in the input. The default methods are listed in the following table:

+AutoML generally adds new columns to user data to increase modeling accuracy. Engineered feature can include the following:

+[Calendar features](./concept-automl-forecasting-calendar-features.md) derived from the time index (for example, day of week) | Default

+Categorical features derived from time series IDs | Default

+[Lags of target quantity](./concept-automl-forecasting-lags.md) | Optional

+Seasonal decomposition ([STL](https://otexts.com/fpp3/stl.html)) | Optional

+You can configure featurization from the AutoML SDK via the [ForecastingJob](/python/api/azure-ai-ml/azure.ai.ml.automl.forecastingjob#azure-ai-ml-automl-forecastingjob-set-forecast-settings) class or from the [AzureML Studio web interface](how-to-use-automated-ml-for-ml-models.md#customize-featurization).

+### Non-stationary time series detection and handling

+A time series where mean and variance change over time is called a **non-stationary**. For example, time series that exhibit stochastic trends are non-stationary by nature. To visualize this, the following image plots a series that is generally trending upward. Now, compute and compare the mean (average) values for the first and the second half of the series. Are they the same? Here, the mean of the series in the first half of the plot is significantly smaller than in the second half. The fact that the mean of the series depends on the time interval one is looking at, is an example of the time-varying moments. Here, the mean of a series is the first moment.

+Next, let's examine the following image, which plots the original series in first differences, $\Delta y_{t} = y_t - y_{t-1}$. The mean of the series is roughly constant over the time range while the variance appears to vary. Thus, this is an example of a first order stationary times series.

+AutoML regression models can't inherently deal with stochastic trends, or other well-known problems associated with non-stationary time series. As a result, out-of-sample forecast accuracy can be poor if such trends are present.

+AutoML automatically analyzes time series dataset to determine stationarity. When non-stationary time series are detected, AutoML applies a differencing transform automatically to mitigate the impact of non-stationary behavior.

+Naive, Seasonal Naive, Average, Seasonal Average, Exponential Smoothing, ARIMA, ARIMAX, Prophet | Linear SGD, LARS LASSO, Elastic Net, K Nearest Neighbors, Decision Tree, Random Forest, Extremely Randomized Trees, Gradient Boosted Trees, LightGBM, XGBoost, ForecastTCN

+ForecastTCN | Regression | Static list of models followed by random search over network size, dropout ratio, and learning rate.

+Cross-validation for forecasting jobs is configured by setting the number of cross-validation folds and, optionally, the number of time periods between two consecutive cross-validation folds. See the [custom cross-validation settings](./how-to-auto-train-forecast.md#custom-cross-validation-settings) guide for more information and an example of configuring cross-validation for forecasting.

+* [How to upgrade from v1 to v2](how-to-migrate-from-v1.md)

+* [Deploying models trained in Azure Databricks to Azure Machine Learning with MLflow](https://github.com/Azure/azureml-examples/blob/main/sdk/python/using-mlflow/deploy/track_with_databricks_deploy_aml.ipynb): Demonstrates how to train models in Azure Databricks and deploy them in Azure ML. It also includes how to handle cases where you also want to track the experiments with the MLflow instance in Azure Databricks.

+* [How to upgrade from v1 to v2](how-to-migrate-from-v1.md)

+ > Azure service tags are only supported by some Azure services. For a list of service tags supported with network security groups and Azure Firewall, see the [Virtual network service tags](/azure/virtual-network/service-tags-overview) article.

+ >

+ > If you are using a non-Azure solution such as a 3rd party firewall, download a list of [Azure IP Ranges and Service Tags](https://www.microsoft.com/download/details.aspx?id=56519). Extract the file and search for the service tag within the file. The IP addresses may change periodically.

+> * In the following table, replace `<region>` with the Azure region that contains your Azure Machine Learning workspace.

+| Compute instance | `<region>.tundra.azureml.ms` | UDP | 5831 |

+| Compute instance | `<region>.tundra.azureml.us` | UDP | 5831 |

+| Compute instance | `<region>.tundra.azureml.cn` | UDP | 5831 |

+> [!div class="op_single_selector" title1="Select the version of the Azure Machine Learning SDK you are using:"]

+> * [v1](./v1/how-to-auto-train-forecast-v1.md)

+> * [v2 (current version)](how-to-auto-train-forecast.md)

+In this article, you'll learn how to set up AutoML training for time-series forecasting models with Azure Machine Learning automated ML in the [Azure Machine Learning Python SDK](/python/api/overview/azure/ai-ml-readme).

+> * Prepare data for training.

+> * Configure specific time-series parameters in a [Forecasting Job](/python/api/azure-ai-ml/azure.ai.ml.automl.forecastingjob).

+> * Get predictions from trained time-series models.

+AutoML uses standard machine learning models along with well-known time series models to create forecasts. Our approach incorporates multiple contextual variables and their relationship to one another during training. Since multiple factors can influence a forecast, this method aligns itself well with real world forecasting scenarios. For example, when forecasting sales, interactions of historical trends, exchange rate, and price can all jointly drive the sales outcome. For more details, see our article on [forecasting methodology](./concept-automl-forecasting-methods.md).

+* The ability to launch AutoML training jobs. Follow the [how-to guide for setting up AutoML](how-to-configure-auto-train.md) for details.

+Input data for AutoML forecasting must contain valid time series in tabular format. Each variable must have its own corresponding column in the data table. AutoML requires at least two columns: a **time column** representing the time axis and the **target column** which is the quantity to forecast. Other columns can serve as predictors. For more details, see [how AutoML uses your data](./concept-automl-forecasting-methods.md#how-automl-uses-your-data).

+> When training a model for forecasting future values, ensure all the features used in training can be used when running predictions for your intended horizon. <br> <br> For example, a feature for current stock price could massively increase training accuracy. However, if you intend to forecast with a long horizon, you may not be able to accurately predict future stock values corresponding to future time-series points, and model accuracy could suffer.

+AutoML forecasting jobs require that your training data is represented as an **MLTable** object. An MLTable specifies a data source and steps for loading the data. For more information and use cases, see the [MLTable how-to guide](./how-to-mltable.md). As a simple example, suppose your training data is contained in a CSV file in a local directory, `./train_data/timeseries_train.csv`. You can define a new MLTable by copying the following YAML code to a new file, `./train_data/MLTable`:

+```yml

+$schema: https://azuremlschemas.azureedge.net/latest/MLTable.schema.json

+type: mltable

+paths:

+ - file: ./timeseries_train.csv

+transformations:

+ - read_delimited:

+ delimiter: ','

+ encoding: ascii

+```

+You can now define an input data object, which is required to start a training job, using the AzureML Python SDK as follows:

+from azure.ai.ml.constants import AssetTypes

+from azure.ai.ml import Input

+# Training MLTable defined locally, with local data to be uploaded

+my_training_data_input = Input(

+ type=AssetTypes.MLTABLE, path="./train_data"

+)

+You can specify [validation data](concept-automated-ml.md#training-validation-and-test-data) in a similar way, by creating a MLTable and an input data object. Alternatively, if you don't supply validation data, AutoML automatically creates cross-validation splits from your training data to use for model selection. See our article on [forecasting model selection](./concept-automl-forecasting-sweeping.md#model-selection) for more details. Also see [training data length requirements](./concept-automl-forecasting-methods.md#data-length-requirements) for details on how much training data you need to successfully train a forecasting model.

+Learn more about how AutoML applies cross validation to [prevent over fitting](concept-manage-ml-pitfalls.md#prevent-overfitting).

+## Compute to run experiment

+AutoML uses AzureML Compute, which is a fully managed compute resource, to run the training job. In the following example, a compute cluster named `cpu-compute` is created:

+[!notebook-python[] (~/azureml-examples-main/sdk/python/jobs/configuration.ipynb?name=create-cpu-compute)]

+## Configure experiment

+There are several options that you can use to configure your AutoML forecasting experiment. These configuration parameters are set in the automl.forecasting() task method. You can also set job training settings and exit criteria with the set_training() and set_limits() functions, respectively.

+The following example shows how to create a forecasting job with normalized root mean squared error as the primary metric and automatically configured cross-validation folds:

+```python

+from azure.ai.ml import automl

+# note that the below is a code snippet -- you might have to modify the variable values to run it successfully

+forecasting_job = automl.forecasting(

+ compute=compute_name,

+ experiment_name=exp_name,

+ training_data=my_training_data_input,

+ target_column_name=target_column_name,

+ primary_metric="NormalizedRootMeanSquaredError",

+ n_cross_validations="auto",

+)

+# Limits are all optional

+forecasting_job.set_limits(

+ timeout_minutes=120,

+ trial_timeout_minutes=30,

+ max_concurrent_trials=4,

+)

+```

+Forecasting tasks have many settings that are specific to forecasting. Use the set_forecast_settings() method of a ForecastingJob to set forecasting parameters. In the following example, we provide the name of the time column in the training data and set the forecast horizon:

+```python

+# Forecasting specific configuration

+forecasting_job.set_forecast_settings(

+ time_column_name=time_column_name,

+ forecast_horizon=24

+)

+```

+The time column name is a required setting and you should generally set the forecast horizon according to your prediction scenario. If your data contains multiple time series, you can specify the names of the **time series ID columns**. These columns, when grouped, define the individual series. For example, suppose that you have data consisting of hourly sales from different stores and brands. The following sample shows how to set the time series ID columns assuming the data contains columns named "store" and "brand":

+```python

+# Forecasting specific configuration

+# Add time series IDs for store and brand

+forecasting_job.set_forecast_settings(

+ ..., # other settings

+ time_series_id_column_names=['store', 'brand']

+)

+```

+AutoML tries to automatically detect time series ID columns in your data if none are specified.

+Other settings are optional and reviewed in the [optional settings](#optional-settings) section.

+### Optional settings

+Optional configurations are available for forecasting tasks, such as enabling deep learning and specifying a target rolling window aggregation. A complete list of parameters is available in the [forecast_settings API doc](/python/api/azure-ai-ml/azure.ai.ml.automl.forecastingjob#azure-ai-ml-automl-forecastingjob-set-forecast-settings).

+#### Model search settings

+There are two optional settings that control the model space where AutoML searches for the best model, `allowed_training_algorithms` and `blocked_training_algorithms`. To restrict the search space to a given set of model classes, use allowed_training_algorithms as in the following sample:

+# Only search ExponentialSmoothing and ElasticNet models

+forecasting_job.set_training(

+ allowed_training_algorithms=["ExponentialSmoothing", "ElasticNet"]

+)

+In this case, the forecasting job _only_ searches over Exponential Smoothing and Elastic Net model classes. To remove a given set of model classes from the search space, use the blocked_training_algorithms as in the following sample:

+```python

+# Search over all model classes except Prophet

+forecasting_job.set_training(

+ blocked_training_algorithms=["Prophet"]

+)

+```

+Now, the job searches over all model classes _except_ Prophet. For a list of forecasting model names that are accepted in `allowed_training_algorithms` and `blocked_training_algorithms`, see [supported forecasting models](/python/api/azureml-train-automl-client/azureml.train.automl.constants.supportedmodels.forecasting) and [supported regression models](/python/api/azureml-train-automl-client/azureml.train.automl.constants.supportedmodels.regression).

+#### Enable deep learning

+AutoML ships with a custom deep neural network (DNN) model called `ForecastTCN`. This model is a [temporal convolutional network](https://arxiv.org/abs/1803.01271), or TCN, that applies common imaging task methods to time series modeling. Namely, one-dimensional "causal" convolutions form the backbone of the network and enable the model to learn complex patterns over long durations in the training history.

+The ForecastTCN often achieves higher accuracy than standard time series models when there are thousands or more observations in the training history. However, it also takes longer to train and sweep over ForecastTCN models due to their higher capacity.

+You can enable the ForecastTCN in AutoML by setting the `enable_dnn_training` flag in the set_training() method as follows:

+```python

+# Include ForecastTCN models in the model search

+forecasting_job.set_training(

+ enable_dnn_training=True

+)

+```

+To enable DNN for an AutoML experiment created in the Azure Machine Learning studio, see the [task type settings in the studio UI how-to](how-to-use-automated-ml-for-ml-models.md#create-and-run-experiment).

+> [!NOTE]

+> * When you enable DNN for experiments created with the SDK, [best model explanations](how-to-machine-learning-interpretability-automl.md) are disabled.

+> * DNN support for forecasting in Automated Machine Learning is not supported for runs initiated in Databricks.

+> * GPU compute types are recommended when DNN training is enabled

+#### Target rolling window aggregation

+Recent values of the target are often impactful features in a forecasting model. Rolling window aggregations allow you to add rolling aggregations of data values as features. Generating and using these features as extra contextual data helps with the accuracy of the train model.

+Consider an energy demand forecasting scenario where weather data and historical demand are available.

+The table shows resulting feature engineering that occurs when window aggregation is applied over the most recent three hours. Columns for **minimum, maximum,** and **sum** are generated on a sliding window of three hours based on the defined settings. For instance, for the observation valid on September 8, 2017 4:00am, the maximum, minimum, and sum values are calculated using the **demand values** for September 8, 2017 1:00AM - 3:00AM. This window of three hours shifts along to populate data for the remaining rows.

+

+You can enable rolling window aggregation features and set the window size through the set_forecast_settings() method. In the following sample, we set the window size to "auto" so that AutoML will automatically determine a good value for your data:

+forecasting_job.set_forecast_settings(

+ ..., # other settings

+ target_rolling_window_size='auto'

+)

+```

+#### Short series handling

+Automated ML considers a time series a **short series** if there aren't enough data points to conduct the train and validation phases of model development. See [training data length requirements](./concept-automl-forecasting-methods.md#data-length-requirements) for more details on length requirements.

+AutoML has several actions it can take for short series. These actions are configurable with the `short_series_handling_config` setting. The default value is "auto." The following table describes the settings:

+|Setting|Description

+||

+|`auto`| The default value for short series handling. <br> - _If all series are short_, pad the data. <br> - _If not all series are short_, drop the short series.

+|`pad`| If `short_series_handling_config = pad`, then automated ML adds random values to each short series found. The following lists the column types and what they're padded with: <br> - Object columns with NaNs <br> - Numeric columns with 0 <br> - Boolean/logic columns with False <br> - The target column is padded with random values with mean of zero and standard deviation of 1.

+|`drop`| If `short_series_handling_config = drop`, then automated ML drops the short series, and it will not be used for training or prediction. Predictions for these series will return NaN's.

+|`None`| No series is padded or dropped

+In the following example, we set the short series handling so that all short series are padded to the minimum length:

+```python

+forecasting_job.set_forecast_settings(

+ ..., # other settings

+ short_series_handling_config='pad'

+)

+```

+>[!WARNING]

+>Padding may impact the accuracy of the resulting model, since we are introducing artificial data just to get past training without failures. If many of the series are short, then you may also see some impact in explainability results

+#### Frequency & target data aggregation

+Use the frequency and data aggregation options to avoid failures caused by irregular data. Your data is irregular if it doesn't follow a set cadence in time, like hourly or daily. Point-of-sales data is a good example of irregular data. In these cases, AutoML can aggregate your data to a desired frequency and then build a forecasting model from the aggregates.

+You need to set the `frequency` and `target_aggregate_function` settings to handle irregular data. The frequency setting accepts [Pandas DateOffset strings](https://pandas.pydata.org/pandas-docs/stable/user_guide/timeseries.html#dateoffset-objects) as input. Supported values for the aggregation function are:

+* The target column values are aggregated according to the specified operation. Typically, sum is appropriate for most scenarios.

+* Numerical predictor columns in your data are aggregated by sum, mean, minimum value, and maximum value. As a result, automated ML generates new columns suffixed with the aggregation function name and applies the selected aggregate operation.

+* For categorical predictor columns, the data is aggregated by mode, the most prominent category in the window.

+* Date predictor columns are aggregated by minimum value, maximum value and mode.

+The following example sets the frequency to hourly and the aggregation function to summation:

+# Aggregate the data to hourly frequency

+forecasting_job.set_forecast_settings(

+ ..., # other settings

+ frequency='H',

+ target_aggregate_function='sum'

+)

+#### Custom cross-validation settings

+There are two customizable settings that control cross-validation for forecasting jobs: the number of folds, `n_cross_validations`, and the step size defining the time offset between folds, `cv_step_size`. See [forecasting model selection](./concept-automl-forecasting-sweeping.md#model-selection) for more information on the meaning of these parameters. By default, AutoML sets both settings automatically based on characteristics of your data, but advanced users may want to set them manually. For example, suppose you have daily sales data and you want your validation setup to consist of five folds with a seven-day offset between adjacent folds. The following code sample shows how to set these:

+```python

+from azure.ai.ml import automl

+# Create a job with five CV folds

+forecasting_job = automl.forecasting(

+ ..., # other training parameters

+ n_cross_validations=5,

+)

+# Set the step size between folds to seven days

+forecasting_job.set_forecast_settings(

+ ..., # other settings

+ cv_step_size=7

+)

+```

+### Custom featurization

+By default, AutoML augments training data with engineered features to increase the accuracy of the models. See [automated feature engineering](./concept-automl-forecasting-methods.md#automated-feature-engineering) for more information. Some of the preprocessing steps can be customized using the `set_featurization()` method of the forecasting job.

+Supported customizations for forecasting include:

+|Customization|Description|Options

+|--|--|

+|**Column purpose update**|Override the auto-detected feature type for the specified column.|"Categorical", "DateTime", "Numeric"

+|**Transformer parameter update**|Update the parameters for the specified imputer.|`{"strategy": "constant", "fill_value": <value>}`, `{"strategy": "median"}`, `{"strategy": "ffill"}`

+For example, suppose you have a retail demand scenario where the data includes features like price, an "on sale" flag, and a product type. The following sample shows how you can set customized types and imputers for these features:

+from azure.ai.ml.automl import ColumnTransformer

+# Customize imputation methods for price and is_on_sale features

+# Median value imputation for price, constant value of zero for is_on_sale

+transformer_params = {

+ "imputer": [

+ ColumnTransformer(fields=["price"], parameters={"strategy": "median"}),

+ ColumnTransformer(fields=["is_on_sale"], parameters={"strategy": "constant", "fill_value": 0}),

+ ],

+}

+# Set the featurization

+# Ensure that product_type feature is interpreted as categorical

+forecasting_job.set_featurization(

+ mode="custom",

+ transformer_params=transformer_params,

+ column_name_and_types={"product_type": "Categorical"},

+)

+If you're using the Azure Machine Learning studio for your experiment, see [how to customize featurization in the studio](how-to-use-automated-ml-for-ml-models.md#customize-featurization).

+After all settings are configured, you can launch the forecasting job via the `mlcient` as follows:

+# Submit the AutoML job

+returned_job = ml_client.jobs.create_or_update(

+ forecasting_job

+)

+print(f"Created job: {returned_job}")

+# Get a URL for the status of the job

+returned_job.services["Studio"].endpoint

+## Forecasting with a trained model

+Once you've used AutoML to train and select a best model, the next step is to evaluate the model. If it meets your requirements, you can use it to generate forecasts into the future. This section shows how to write Python scripts for evaluation and prediction. For an example of deploying a trained model with an inference script, see our [example notebook](https://github.com/Azure/azureml-examples/blob/main/sdk/python/jobs/automl-standalone-jobs/automl-forecasting-github-dau/auto-ml-forecasting-github-dau.ipynb).

+Before you put a model into production, you should evaluate its accuracy on a test set held out from the training data. A best practice procedure is a rolling evaluation that rolls the trained forecaster forward in time over the test set, averaging error metrics over several prediction windows. Ideally, the test set for the evaluation is long relative to the model's forecast horizon. Estimates of forecasting error may otherwise be statistically noisy and, therefore, less reliable.

+For example, suppose you train a model on daily sales to predict demand up to two weeks (14 days) into the future. If there's sufficient historic data available, you might reserve the final several months to even a year of the data for the test set. The rolling evaluation begins by generating a 14-day-ahead forecast for the first two weeks of the test set. Then, the forecaster is advanced by some number of days into the test set and you generate another 14-day-ahead forecast from the new position. The process continues until you get to the end of the test set.

+To do a rolling evaluation, you call the `rolling_forecast` method of the `fitted_model`, then compute desired metrics on the result. A rolling evaluation inference script is shown in the following code sample:

+"""

+This is the script that is executed on the compute instance. It relies

+on the model.pkl file which is uploaded along with this script to the

+compute instance.

+"""

+import os

+import pandas as pd

+from sklearn.externals import joblib

+def init():

+ global target_column_name

+ global fitted_model

+ target_column_name = os.environ["TARGET_COLUMN_NAME"]

+ # AZUREML_MODEL_DIR is an environment variable created during deployment

+ # It is the path to the model folder (./azureml-models)

+ # Please provide your model's folder name if there's one

+ model_path = os.path.join(os.environ["AZUREML_MODEL_DIR"], "model.pkl")

+ try:

+ fitted_model = joblib.load(model_path)

+ except Exception:

+ print("Loading pickle failed. Trying torch.load()")

+ import torch

+ model_path = os.path.join(os.environ["AZUREML_MODEL_DIR"], "model.pt")

+ device = torch.device("cuda:0" if torch.cuda.is_available() else "cpu")

+ fitted_model = torch.load(model_path, map_location=device)

+def run(mini_batch):

+ print(f"run method start: {__file__}, run({mini_batch})")

+ resultList = []

+ for test in mini_batch:

+ if not test.endswith(".csv"):

+ continue

+ X_test = pd.read_csv(test, parse_dates=[fitted_model.time_column_name])

+ y_test = X_test.pop(target_column_name).values

+ # Make a rolling forecast, advancing the forecast origin by 1 period on each iteration through the test set

+ X_rf = fitted_model.rolling_forecast(

+ X_test, y_test, step=1, ignore_data_errors=True

+ )

+ resultList.append(X_rf)

+ return pd.concat(resultList, sort=False, ignore_index=True)

+In this sample, the step size for the rolling forecast is set to one which means that the forecaster is advanced one period, or one day in our demand prediction example, at each iteration. The total number of forecasts returned by `rolling_forecast` depends on the length of the test set and this step size. For more details and examples, see the [rolling_forecast() documentation](/python/api/azureml-training-tabular/azureml.training.tabular.models.forecasting_pipeline_wrapper_base.forecastingpipelinewrapperbase#azureml-training-tabular-models-forecasting-pipeline-wrapper-base-forecastingpipelinewrapperbase-rolling-forecast) and the [Forecasting away from training data notebook](https://github.com/Azure/azureml-examples/blob/main/v1/python-sdk/tutorials/automl-with-azureml/forecasting-forecast-function/auto-ml-forecasting-function.ipynb).

+The [forecast_quantiles()](/python/api/azureml-training-tabular/azureml.training.tabular.models.forecasting_pipeline_wrapper_base.forecastingpipelinewrapperbase#azureml-training-tabular-models-forecasting-pipeline-wrapper-base-forecastingpipelinewrapperbase-forecast-quantiles) generates forecasts for given quantiles of the prediction distribution. This method thus provides a way to get a point forecast with a cone of uncertainty around it. Learn more in the [Forecasting away from training data notebook](https://github.com/Azure/azureml-examples/blob/main/v1/python-sdk/tutorials/automl-with-azureml/forecasting-forecast-function/auto-ml-forecasting-function.ipynb).

+ test_dataset, label_query, forecast_destination=pd.Timestamp(2019, 1, 8)

+)

+No quantiles are specified here, so only the point forecast is generated. You may want to understand the predictions at a specific quantile of the distribution. For example, when the forecast is used to control inventory like grocery items or virtual machines for a cloud service. In such cases, the control point is usually something like "we want the item to be in stock and not run out 99% of the time". The following sample demonstrates how to specify forecast quantiles, such as 50th or 95th percentile:

+# Get forecasts for the 5th, 50th, and 90th percentiles

+fitted_model.quantiles = [0.05, 0.5, 0.9]

+ test_dataset, label_query, forecast_destination=pd.Timestamp(2019, 1, 8)

+)

+You can calculate model metrics like, root mean squared error (RMSE) or mean absolute percentage error (MAPE) to help you estimate the models performance. See the Evaluate section of the [Bike share demand notebook](~/azureml-examples-main/v1/python-sdk/tutorials/automl-with-azureml/forecasting-bike-share/auto-ml-forecasting-bike-share.ipynb) for an example.

+Supply a data set in the same format as the test set `test_dataset` but with future datetimes, and the resulting prediction set is the forecasted values for each time-series step. Assume the last records in the data set were for December 31, 2018. To forecast demand, create a time series record for each store starting on January 1, 2019.

+Repeat the necessary steps to load this future data to a data frame and then run `best_run.forecast_quantiles(test_dataset)` to predict future values.

+## Forecasting at scale

+> [!IMPORTANT]

+> Many models and hierarchical time series are currently only supported in AzureML v1. Support for AzureML v2 is forthcoming.

+Grouping is a concept in time series forecasting that allows time series to be combined to train an individual model per group. This approach can be particularly helpful if you have time series that require smoothing, filling or entities in the group that can benefit from history or trends from other entities. Many models and hierarchical time series forecasting are solutions powered by automated machine learning for these large scale forecasting scenarios.

+The Azure Machine Learning many models solution with automated machine learning allows users to train and manage millions of models in parallel. The Many Models Solution Accelerator uses [Azure Machine Learning pipelines](concept-ml-pipelines.md) to train the model. Specifically, a [Pipeline](/python/api/azureml-pipeline-core/azureml.pipeline.core.pipeline%28class%29) object and [ParalleRunStep](/python/api/azureml-pipeline-steps/azureml.pipeline.steps.parallelrunstep) are used and require specific configuration parameters set through the [ParallelRunConfig](/python/api/azureml-pipeline-steps/azureml.pipeline.steps.parallelrunconfig).

+In most applications, customers have a need to understand their forecasts at a macro and micro level of the business; whether that is predicting sales of products at different geographic locations, or understanding the expected workforce demand for different organizations at a company. The ability to train a machine learning model to intelligently forecast on hierarchy data is essential.

+A hierarchical time series is a structure in which the series have nested attributes. Geographic or product catalog attributes are natural examples. The following example shows data with unique attributes that form a hierarchy. Our hierarchy is defined by: the product type such as headphones or tablets, the product category which splits product types into accessories and devices, and the region the products are sold in.

+See the [forecasting sample notebooks](https://github.com/Azure/azureml-examples/tree/main/sdk/python/jobs/automl-standalone-jobs) for detailed code examples of advanced forecasting configuration including:

+* [deep learning models](https://github.com/Azure/azureml-examples/blob/main/sdk/python/jobs/automl-standalone-jobs/automl-forecasting-github-dau/auto-ml-forecasting-github-dau.ipynb)

+* [holiday detection and featurization](https://github.com/Azure/azureml-examples/blob/main/sdk/python/jobs/automl-standalone-jobs/automl-forecasting-task-bike-share/auto-ml-forecasting-bike-share.ipynb)

+* [manual configuration for lags and rolling window aggregation features](https://github.com/Azure/azureml-examples/blob/main/sdk/python/jobs/automl-standalone-jobs/automl-forecasting-task-energy-demand/automl-forecasting-task-energy-demand-advanced.ipynb)

+* Learn about [how AutoML builds forecasting models](./concept-automl-forecasting-methods.md).

+* Learn how to [configure AutoML for various forecasting scenarios](./how-to-automl-forecasting-faq.md#what-modeling-configuration-should-i-use).

+1. [Bike share example](https://github.com/Azure/azureml-examples/blob/main/sdk/python/jobs/automl-standalone-jobs/automl-forecasting-task-bike-share/auto-ml-forecasting-bike-share.ipynb)

+2. [Forecasting using deep learning](https://github.com/Azure/azureml-examples/blob/main/sdk/python/jobs/automl-standalone-jobs/automl-forecasting-github-dau/auto-ml-forecasting-github-dau.ipynb)

+- [Block time series models](./how-to-auto-train-forecast.md#model-search-settings) like ARIMA and Prophet

+|Configuration|Scenario|Pros|Cons|

+|--|--|--|--|

+|**Default AutoML**|Recommended if the dataset has a small number of time series that have roughly similar historic behavior.|- Simple to configure from code/SDK or AzureML Studio <br><br> - AutoML has the chance to cross-learn across different time series since the regression models pool all series together in training. See the [model grouping](./concept-automl-forecasting-methods.md#model-grouping) section for more information.|- Regression models may be less accurate if the time series in the training data have divergent behavior <br> <br> - Time series models may take a long time to train if there are a large number of series in the training data. See the ["why is AutoML slow on my data"](#why-is-automl-slow-on-my-data) answer for more information.|

+|**AutoML with deep learning**|Recommended for datasets with more than 1000 observations and, potentially, numerous time series exhibiting complex patterns. When enabled, AutoML will sweep over temporal convolutional neural network (TCN) models during training. See the [enable deep learning](./how-to-auto-train-forecast.md#enable-deep-learning) section for more information.|- Simple to configure from code/SDK or AzureML Studio <br> <br> - Cross-learning opportunities since the TCN pools data over all series <br> <br> - Potentially higher accuracy due to the large capacity of DNN models. See the [forecasting models in AutoML](./concept-automl-forecasting-methods.md#forecasting-models-in-automl) section for more information.|- Training can take much longer due to the complexity of DNN models <br> <br> - Series with small amounts of history are unlikely to benefit from these models.|

+|**Many Models**|Recommended if you need to train and manage a large number of forecasting models in a scalable way. See the [forecasting at scale](./how-to-auto-train-forecast.md#forecasting-at-scale) section for more information.|- Scalable <br> <br> - Potentially higher accuracy when time series have divergent behavior from one another.|- No cross-learning across time series <br> <br> - You can't configure or launch Many Models jobs from AzureML Studio, only the code/SDK experience is currently available.|

+|**Hierarchical Time Series**|HTS is recommended if the series in your data have nested, hierarchical structure and you need to train or make forecasts at aggregated levels of the hierarchy. See the [hierarchical time series forecasting](how-to-auto-train-forecast.md#hierarchical-time-series-forecasting) section for more information.|- Training at aggregated levels can reduce noise in the leaf node time series and potentially lead to higher accuracy models. <br> <br> - Forecasts can be retrieved for any level of the hierarchy by aggregating or dis-aggregating forecasts from the training level.|- You need to provide the aggregation level for training. AutoML doesn't currently have an algorithm to find an optimal level.|

+> [!NOTE]

+> We recommend using compute nodes with GPUs when deep learning is enabled to best take advantage of high DNN capacity. Training time can be much faster in comparison to nodes with only CPUs. See the GPU optimized compute article for more information.

+> [!NOTE]

+> HTS is designed for tasks where training or prediction is required at aggregated levels in the hierarchy. For hierarchical data requiring only leaf node training and prediction, use [Many Models](./how-to-auto-train-forecast.md#many-models) instead.

+- There are **significant structural differences - regime changes - between the training, validation, or test portions of the data**. For example, consider the effect of the COVID-19 pandemic on demand for almost any good during 2020 and 2021; this is a classic example of a regime change. Over-fitting due to regime change is the most challenging issue to address because it's highly scenario dependent and can require deep knowledge to identify. As a first line of defense, try to reserve 10 - 20% of the total history for validation, or cross-validation, data. It isn't always possible to reserve this amount of validation data if the training history is short, but is a best practice. See our guide on [configuring validation](./how-to-auto-train-forecast.md#training-and-validation-data) for more information.

+- The data has a well defined frequency, but **there are missing observations that create gaps in the series**. In this case, AutoML will attempt to detect the frequency, fill in new observations for the gaps, and impute missing target and feature values therein. The imputation methods can be optionally configured by the user via SDK settings or through the Web UI. See the [custom featurization](./how-to-auto-train-forecast.md#custom-featurization)

+- **The data doesn't have a well defined frequency**. That is, the duration between observations doesn't have a discernible pattern. Transactional data, like that from a point-of-sales system, is one example. In this case, you can set AutoML to aggregate your data to a chosen frequency. You can choose a regular frequency that best suites the data and the modeling objectives. See the [data aggregation](./how-to-auto-train-forecast.md#frequency--target-data-aggregation) section for more information.

+> AutoML doesn't support custom, or user-provided functions for the primary metric. You must choose one of the predefined primary metrics that AutoML supports.

+## Will AutoML always select the same best model given the same training data and configuration?

+[AutoML's model search process](./concept-automl-forecasting-sweeping.md#model-sweeping) is not deterministic, so it does not always select the same model given the same data and configuration.

+## How do I fix an Out-Of-Memory error?

+## What advanced forecasting scenarios are supported by AutoML?

+- Forecasting when there's a gap in time between training and forecasting periods.

+See the [advanced forecasting scenarios notebook](https://github.com/Azure/azureml-examples/blob/main/v1/python-sdk/tutorials/automl-with-azureml/forecasting-forecast-function/auto-ml-forecasting-function.ipynb) for examples and details.

+See our [metrics in studio UI](how-to-log-view-metrics.md#view-jobsruns-information-in-the-studio) guide for finding training and validation metric values. You can view metrics for any forecasting model trained in AutoML by navigating to a model from the AutoML job UI in the studio and clicking on the "metrics" tab.

+If your AutoML forecasting job fails, you'll see an error message in the studio UI that may help to diagnose and fix the problem. The best source of information about the failure beyond the error message is the driver log for the job. Check out the [run logs](how-to-log-view-metrics.md#view-and-download-diagnostic-logs) guide for instructions on finding driver logs.

+## What is a workspace / environment / experiment/ compute instance / compute target?

+To customize featurizations, specify `"featurization": FeaturizationConfig` in your `AutoMLConfig` object. If you're using the Azure Machine Learning studio for your experiment, see the [how-to article](how-to-use-automated-ml-for-ml-models.md#customize-featurization). To customize featurization for forecastings task types, refer to the [forecasting how-to](v1/how-to-auto-train-forecast-v1.md#customize-featurization).

+> If you are using Machine Learning pipelines, like for instance [Scikit-Learn pipelines](https://scikit-learn.org/stable/modules/generated/sklearn.pipeline.Pipeline.html), use the `autolog` functionality of that flavor for logging models. Models are automatically logged when the `fit()` method is called on the pipeline object. The notebook [Training and tracking an XGBoost classifier with MLflow](https://github.com/Azure/azureml-examples/blob/main/sdk/python/using-mlflow/train-and-log/xgboost_classification_mlflow.ipynb) demonstrates how to log a model with preprocessing using pipelines.

+ Title: 'Upgrade from v1 to v2'

+description: Upgrade from v1 to v2 of Azure Machine Learning REST APIs, CLI extension, and Python SDK.

+Workspaces don't need to be upgraded with v2. You can use the same workspace, regardless of whether you're using v1 or v2.

+If you create workspaces using automation, do consider upgrading the code for creating a workspace to v2. Typically Azure resources are managed via Azure Resource Manager (and Bicep) or similar resource provisioning tools. Alternatively, you can use the [CLI (v2) and YAML files](how-to-manage-workspace-cli.md#create-a-workspace).

+With SDK/CLI v1, you can deploy models on ACI or AKS as web services. Your existing v1 model deployments and web services will continue to function as they are, but Using SDK/CLI v1 to deploy models on ACI or AKS as web services is now consiered as **legacy**. For new model deployments, we recommend upgrading to v2. In v2, we offer [managed endpoints or Kubernetes endpoints](./concept-endpoints.md). The following table guides our recommendation:

+|Endpoint type in v2|Upgrade from|Notes|

+For migration steps from your existing ACI web services to managed online endpoints, see our [upgrade guide article](migrate-to-v2-managed-online-endpoints.md) and [blog](https://aka.ms/acimoemigration).

+There are a few scenarios that are common across the machine learning lifecycle using Azure ML. We'll look at a few and give general recommendations for upgrading to v2.

+A key paradigm with v2 is serializing machine learning entities as YAML files for source control with `git`, enabling better GitOps approaches than were possible with v1. For instance, you could enforce policy by which only a service principal used in CI/CD pipelines can create/update/delete some or all entities, ensuring changes go through a governed process like pull requests with required reviewers. Since the files in source control are YAML, they're easy to diff and track changes over time. You and your team may consider shifting to this paradigm as you upgrade to v2.

+ For more information on service tags that can be used with Azure Firewall, see the [Virtual network service tags](/azure/virtual-network/service-tags-overview) article.

+1. Install [ARMClient](https://github.com/projectkudu/ARMClient), a simple command line tool that invokes the Azure Resource Manager API.

+ * [Training and tracking a classifier with MLflow](https://github.com/Azure/azureml-examples/blob/main/sdk/python/using-mlflow/train-and-log/xgboost_classification_mlflow.ipynb): Demonstrates how to track experiments using MLflow, log models and combine multiple flavors into pipelines.

+ * [Manage experiments and runs with MLflow](https://github.com/Azure/azureml-examples/blob/main/sdk/python/using-mlflow/runs-management/run_history.ipynb): Demonstrates how to query experiments, runs, metrics, parameters and artifacts from Azure ML using MLflow.

+The [Training models in Azure Databricks and deploying them on Azure ML](https://github.com/Azure/azureml-examples/blob/main/sdk/python/using-mlflow/deploy/track_with_databricks_deploy_aml.ipynb) demonstrates how to train models in Azure Databricks and deploy them in Azure ML. It also includes how to handle cases where you also want to track the experiments and models with the MLflow instance in Azure Databricks and leverage Azure ML for deployment.

+For a complete example about this scenario please check the example [Training models in Azure Databricks and deploying them on Azure ML](https://github.com/Azure/azureml-examples/blob/main/sdk/python/using-mlflow/deploy/track_with_databricks_deploy_aml.ipynb).

+> Models need to be registered in Azure Machine Learning registry in order to deploy them. If your models happen to be registered in the MLflow instance inside Azure Databricks, you will have to register them again in Azure Machine Learning. If this is you case, please check the example [Training models in Azure Databricks and deploying them on Azure ML](https://github.com/Azure/azureml-examples/blob/main/sdk/python/using-mlflow/deploy/track_with_databricks_deploy_aml.ipynb)

+### Managed (Automatic) Spark compute in Azure Machine Learning Notebooks

+A Managed (Automatic) Spark compute is available in Azure Machine Learning Notebooks by default. To access it in a notebook, select **AzureML Spark Compute** under **Azure Machine Learning Spark** from the **Compute** selection menu.

+To upgrade, you'll need to change your code for submitting jobs to SDK v2. What you run _within_ the job doesn't need to be upgraded to SDK v2. However, it's recommended to remove any code specific to Azure ML from your model training scripts. This separation allows for an easier transition between local and cloud and is considered best practice for mature MLOps. In practice, this means removing `azureml.*` lines of code. Model logging and tracking code should be replaced with MLflow. For more details, see [how to use MLflow in v2](how-to-use-mlflow-cli-runs.md).

+description: Upgrade AutoML from v1 to v2 of Azure Machine Learning SDK

+To upgrade, you'll need to change your code for defining and submitting your hyperparameter tuning experiment to SDK v2. What you run _within_ the job doesn't need to be upgraded to SDK v2. However, it's recommended to remove any code specific to Azure ML from your model training scripts. This separation allows for an easier transition between local and cloud and is considered best practice for mature MLOps. In practice, this means removing `azureml.*` lines of code. Model logging and tracking code should be replaced with MLflow. For more information, see [how to use MLflow in v2](how-to-use-mlflow-cli-runs.md).

+- Upgrade your v1 pipeline to v2. Then invoke your v2 parallel job as a step in your v2 pipeline. See [how to upgrade pipeline from v1 to v2](migrate-to-v2-execution-pipeline.md) for the details about pipeline upgrade.

+> Note: User __entry script__ is compatible between v1 parallel run step and v2 parallel job. So you can keep using the same entry_script.py when you upgrade your parallel run job.

+To upgrade, you'll need to change your code for defining and submitting the pipelines to SDK v2. What you run _within_ the child job doesn't need to be upgraded to SDK v2. However, it's recommended to remove any code specific to Azure ML from your model training scripts. This separation allows for an easier transition between local and cloud and is considered best practice for mature MLOps. In practice, this means removing `azureml.*` lines of code. Model logging and tracking code should be replaced with MLflow. For more information, see [how to use MLflow in v2](how-to-use-mlflow-cli-runs.md).

+| [Configure Apache Spark pools to perform data wrangling](apache-spark-azure-ml-concepts.md) | Public Preview | No | No |

+ Title: Set up AutoML for time-series forecasting (SDKv1)

+description: Set up Azure Machine Learning automated ML to train time-series forecasting models with the Azure Machine Learning Python SDKv1.

+show_latex: true

+# Set up AutoML to train a time-series forecasting model with Python (SDKv1)

+> [!div class="op_single_selector" title1="Select the version of the Azure Machine Learning SDK you are using:"]

+> * [v1](how-to-auto-train-forecast-v1.md)

+> * [v2 (current version)](../how-to-auto-train-forecast.md)

+In this article, you learn how to set up AutoML training for time-series forecasting models with Azure Machine Learning automated ML in the [Azure Machine Learning Python SDK](/python/api/overview/azure/ml/).

+To do so, you:

+> [!div class="checklist"]

+> * Prepare data for time series modeling.

+> * Configure specific time-series parameters in an [`AutoMLConfig`](/python/api/azureml-train-automl-client/azureml.train.automl.automlconfig.automlconfig) object.

+> * Run predictions with time-series data.

+For a low code experience, see the [Tutorial: Forecast demand with automated machine learning](../tutorial-automated-ml-forecast.md) for a time-series forecasting example using automated ML in the [Azure Machine Learning studio](https://ml.azure.com/).

+Unlike classical time series methods, in automated ML, past time-series values are "pivoted" to become additional dimensions for the regressor together with other predictors. This approach incorporates multiple contextual variables and their relationship to one another during training. Since multiple factors can influence a forecast, this method aligns itself well with real world forecasting scenarios. For example, when forecasting sales, interactions of historical trends, exchange rate, and price all jointly drive the sales outcome.

+## Prerequisites

+For this article you need,

+* An Azure Machine Learning workspace. To create the workspace, see [Create workspace resources](../quickstart-create-resources.md).

+* This article assumes some familiarity with setting up an automated machine learning experiment. Follow the [how-to](../how-to-configure-auto-train.md) to see the main automated machine learning experiment design patterns.

+ [!INCLUDE [automl-sdk-version](../../../includes/machine-learning-automl-sdk-version.md)]

+## Training and validation data

+The most important difference between a forecasting regression task type and regression task type within automated ML is including a feature in your training data that represents a valid time series. A regular time series has a well-defined and consistent frequency and has a value at every sample point in a continuous time span.

+> [!IMPORTANT]

+> When training a model for forecasting future values, ensure all the features used in training can be used when running predictions for your intended horizon. For example, when creating a demand forecast, including a feature for current stock price could massively increase training accuracy. However, if you intend to forecast with a long horizon, you may not be able to accurately predict future stock values corresponding to future time-series points, and model accuracy could suffer.

+You can specify separate [training data and validation data](concept-automated-ml-v1.md#training-validation-and-test-data) directly in the `AutoMLConfig` object. Learn more about the [AutoMLConfig](#configure-experiment).

+For time series forecasting, only **Rolling Origin Cross Validation (ROCV)** is used for validation by default. ROCV divides the series into training and validation data using an origin time point. Sliding the origin in time generates the cross-validation folds. This strategy preserves the time series data integrity and eliminates the risk of data leakage.

+Pass your training and validation data as one dataset to the parameter `training_data`. Set the number of cross validation folds with the parameter `n_cross_validations` and set the number of periods between two consecutive cross-validation folds with `cv_step_size`. You can also leave either or both parameters empty and AutoML will set them automatically.

+```python

+automl_config = AutoMLConfig(task='forecasting',

+ training_data= training_data,

+ n_cross_validations="auto", # Could be customized as an integer

+ cv_step_size = "auto", # Could be customized as an integer

+ ...

+ **time_series_settings)

+```

+You can also bring your own validation data, learn more in [Configure data splits and cross-validation in AutoML](../how-to-configure-cross-validation-data-splits.md#provide-validation-data).

+Learn more about how AutoML applies cross validation to [prevent over-fitting models](../concept-manage-ml-pitfalls.md#prevent-overfitting).

+## Configure experiment

+The [`AutoMLConfig`](/python/api/azureml-train-automl-client/azureml.train.automl.automlconfig.automlconfig) object defines the settings and data necessary for an automated machine learning task. Configuration for a forecasting model is similar to the setup of a standard regression model, but certain models, configuration options, and featurization steps exist specifically for time-series data.

+### Supported models

+Automated machine learning automatically tries different models and algorithms as part of the model creation and tuning process. As a user, there is no need for you to specify the algorithm. For forecasting experiments, both native time-series and deep learning models are part of the recommendation system.

+>[!Tip]

+> Traditional regression models are also tested as part of the recommendation system for forecasting experiments. See a complete list of the [supported models](/python/api/azureml-train-automl-client/azureml.train.automl.constants.supportedmodels) in the SDK reference documentation.

+### Configuration settings

+Similar to a regression problem, you define standard training parameters like task type, number of iterations, training data, and number of cross-validations. Forecasting tasks require the `time_column_name` and `forecast_horizon` parameters to configure your experiment. If the data includes multiple time series, such as sales data for multiple stores or energy data across different states, automated ML automatically detects this and sets the `time_series_id_column_names` parameter (preview) for you. You can also include additional parameters to better configure your run, see the [optional configurations](#optional-configurations) section for more detail on what can be included.

+> [!IMPORTANT]

+> Automatic time series identification is currently in public preview. This preview version is provided without a service-level agreement. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+| Parameter&nbsp;name | Description |

+|-|-|

+|`time_column_name`|Used to specify the datetime column in the input data used for building the time series and inferring its frequency.|

+|`forecast_horizon`|Defines how many periods forward you would like to forecast. The horizon is in units of the time series frequency. Units are based on the time interval of your training data, for example, monthly, weekly that the forecaster should predict out.|

+The following code,

+* Leverages the [`ForecastingParameters`](/python/api/azureml-automl-core/azureml.automl.core.forecasting_parameters.forecastingparameters) class to define the forecasting parameters for your experiment training

+* Sets the `time_column_name` to the `day_datetime` field in the data set.

+* Sets the `forecast_horizon` to 50 in order to predict for the entire test set.

+```python

+from azureml.automl.core.forecasting_parameters import ForecastingParameters

+forecasting_parameters = ForecastingParameters(time_column_name='day_datetime',

+ forecast_horizon=50,

+ freq='W')

+

+```

+These `forecasting_parameters` are then passed into your standard `AutoMLConfig` object along with the `forecasting` task type, primary metric, exit criteria, and training data.

+```python

+from azureml.core.workspace import Workspace

+from azureml.core.experiment import Experiment

+from azureml.train.automl import AutoMLConfig

+import logging

+automl_config = AutoMLConfig(task='forecasting',

+ primary_metric='normalized_root_mean_squared_error',

+ experiment_timeout_minutes=15,

+ enable_early_stopping=True,

+ training_data=train_data,

+ label_column_name=label,

+ n_cross_validations="auto", # Could be customized as an integer

+ cv_step_size = "auto", # Could be customized as an integer

+ enable_ensembling=False,

+ verbosity=logging.INFO,

+ forecasting_parameters=forecasting_parameters)

+```

+The amount of data required to successfully train a forecasting model with automated ML is influenced by the `forecast_horizon`, `n_cross_validations`, and `target_lags` or `target_rolling_window_size` values specified when you configure your `AutoMLConfig`.

+The following formula calculates the amount of historic data that what would be needed to construct time series features.

+Minimum historic data required: (2x `forecast_horizon`) + #`n_cross_validations` + max(max(`target_lags`), `target_rolling_window_size`)

+An `Error exception` is raised for any series in the dataset that does not meet the required amount of historic data for the relevant settings specified.

+### Featurization steps

+In every automated machine learning experiment, automatic scaling and normalization techniques are applied to your data by default. These techniques are types of **featurization** that help *certain* algorithms that are sensitive to features on different scales. Learn more about default featurization steps in [Featurization in AutoML](../how-to-configure-auto-features.md#automatic-featurization)

+However, the following steps are performed only for `forecasting` task types:

+* Detect time-series sample frequency (for example, hourly, daily, weekly) and create new records for absent time points to make the series continuous.

+* Impute missing values in the target (via forward-fill) and feature columns (using median column values)

+* Create features based on time series identifiers to enable fixed effects across different series

+* Create time-based features to assist in learning seasonal patterns

+* Encode categorical variables to numeric quantities

+* Detect the non-stationary time series and automatically differencing them to mitigate the impact of unit roots.

+To view the full list of possible engineered features generated from time series data, see [TimeIndexFeaturizer Class](/python/api/azureml-automl-runtime/azureml.automl.runtime.featurizer.transformer.timeseries.time_index_featurizer).

+> [!NOTE]

+> Automated machine learning featurization steps (feature normalization, handling missing data,

+> converting text to numeric, etc.) become part of the underlying model. When using the model for

+> predictions, the same featurization steps applied during training are applied to

+> your input data automatically.

+#### Customize featurization

+You also have the option to customize your featurization settings to ensure that the data and features that are used to train your ML model result in relevant predictions.

+Supported customizations for `forecasting` tasks include:

+|Customization|Definition|

+|--|--|

+|**Column purpose update**|Override the auto-detected feature type for the specified column.|

+|**Transformer parameter update** |Update the parameters for the specified transformer. Currently supports *Imputer* (fill_value and median).|

+|**Drop columns** |Specifies columns to drop from being featurized.|

+To customize featurizations with the SDK, specify `"featurization": FeaturizationConfig` in your `AutoMLConfig` object. Learn more about [custom featurizations](../how-to-configure-auto-features.md#customize-featurization).

+>[!NOTE]

+> The **drop columns** functionality is deprecated as of SDK version 1.19. Drop columns from your dataset as part of data cleansing, prior to consuming it in your automated ML experiment.

+```python

+featurization_config = FeaturizationConfig()

+# `logQuantity` is a leaky feature, so we remove it.

+featurization_config.drop_columns = ['logQuantitity']

+# Force the CPWVOL5 feature to be of numeric type.

+featurization_config.add_column_purpose('CPWVOL5', 'Numeric')

+# Fill missing values in the target column, Quantity, with zeroes.

+featurization_config.add_transformer_params('Imputer', ['Quantity'], {"strategy": "constant", "fill_value": 0})

+# Fill mising values in the `INCOME` column with median value.

+featurization_config.add_transformer_params('Imputer', ['INCOME'], {"strategy": "median"})

+```

+If you're using the Azure Machine Learning studio for your experiment, see [how to customize featurization in the studio](../how-to-use-automated-ml-for-ml-models.md#customize-featurization).

+## Optional configurations

+Additional optional configurations are available for forecasting tasks, such as enabling deep learning and specifying a target rolling window aggregation. A complete list of additional parameters is available in the [ForecastingParameters SDK reference documentation](/python/api/azureml-automl-core/azureml.automl.core.forecasting_parameters.forecastingparameters).

+### Frequency & target data aggregation

+Leverage the frequency, `freq`, parameter to help avoid failures caused by irregular data, that is data that doesn't follow a set cadence, like hourly or daily data.

+For highly irregular data or for varying business needs, users can optionally set their desired forecast frequency, `freq`, and specify the `target_aggregation_function` to aggregate the target column of the time series. Leverage these two settings in your `AutoMLConfig` object can help save some time on data preparation.

+Supported aggregation operations for target column values include:

+|Function | Description

+||

+|`sum`| Sum of target values

+|`mean`| Mean or average of target values

+|`min`| Minimum value of a target 

+|`max`| Maximum value of a targetΓÇ»

+### Enable deep learning

+> [!NOTE]

+> DNN support for forecasting in Automated Machine Learning is in **preview** and not supported for local runs or runs initiated in Databricks.

+You can also apply deep learning with deep neural networks, DNNs, to improve the scores of your model. Automated ML's deep learning allows for forecasting univariate and multivariate time series data.

+Deep learning models have three intrinsic capabilities:

+1. They can learn from arbitrary mappings from inputs to outputs

+1. They support multiple inputs and outputs

+1. They can automatically extract patterns in input data that spans over long sequences.

+To enable deep learning, set the `enable_dnn=True` in the `AutoMLConfig` object.

+```python

+automl_config = AutoMLConfig(task='forecasting',

+ enable_dnn=True,

+ ...

+ forecasting_parameters=forecasting_parameters)

+```

+> [!Warning]

+> When you enable DNN for experiments created with the SDK, [best model explanations](how-to-machine-learning-interpretability-automl.md) are disabled.

+To enable DNN for an AutoML experiment created in the Azure Machine Learning studio, see the [task type settings in the studio UI how-to](../how-to-use-automated-ml-for-ml-models.md#create-and-run-experiment).

+### Target rolling window aggregation

+Often the best information a forecaster can have is the recent value of the target. Target rolling window aggregations allow you to add a rolling aggregation of data values as features. Generating and using these features as extra contextual data helps with the accuracy of the train model.

+For example, say you want to predict energy demand. You might want to add a rolling window feature of three days to account for thermal changes of heated spaces. In this example, create this window by setting `target_rolling_window_size= 3` in the `AutoMLConfig` constructor.

+The table shows resulting feature engineering that occurs when window aggregation is applied. Columns for **minimum, maximum,** and **sum** are generated on a sliding window of three based on the defined settings. Each row has a new calculated feature, in the case of the timestamp for September 8, 2017 4:00am the maximum, minimum, and sum values are calculated using the **demand values** for September 8, 2017 1:00AM - 3:00AM. This window of three shifts along to populate data for the remaining rows.

+

+View a Python code example applying the [target rolling window aggregate feature](https://github.com/Azure/azureml-examples/blob/main/v1/python-sdk/tutorials/automl-with-azureml/forecasting-energy-demand/auto-ml-forecasting-energy-demand.ipynb).

+### Short series handling

+Automated ML considers a time series a **short series** if there are not enough data points to conduct the train and validation phases of model development. The number of data points varies for each experiment, and depends on the max_horizon, the number of cross validation splits, and the length of the model lookback, that is the maximum of history that's needed to construct the time-series features.

+Automated ML offers short series handling by default with the `short_series_handling_configuration` parameter in the `ForecastingParameters` object.

+To enable short series handling, the `freq` parameter must also be defined. To define an hourly frequency, we will set `freq='H'`. View the frequency string options by visiting the [pandas Time series page DataOffset objects section](https://pandas.pydata.org/pandas-docs/stable/user_guide/timeseries.html#dateoffset-objects). To change the default behavior, `short_series_handling_configuration = 'auto'`, update the `short_series_handling_configuration` parameter in your `ForecastingParameter` object.

+```python

+from azureml.automl.core.forecasting_parameters import ForecastingParameters

+forecast_parameters = ForecastingParameters(time_column_name='day_datetime',

+ forecast_horizon=50,

+ short_series_handling_configuration='auto',

+ freq = 'H',

+ target_lags='auto')

+```

+The following table summarizes the available settings for `short_series_handling_config`.

+

+|Setting|Description

+||

+|`auto`| The default value for short series handling. <br> - _If all series are short_, pad the data. <br> - _If not all series are short_, drop the short series.

+|`pad`| If `short_series_handling_config = pad`, then automated ML adds random values to each short series found. The following lists the column types and what they're padded with: <br> - Object columns with NaNs <br> - Numeric columns with 0 <br> - Boolean/logic columns with False <br> - The target column is padded with random values with mean of zero and standard deviation of 1.

+|`drop`| If `short_series_handling_config = drop`, then automated ML drops the short series, and it will not be used for training or prediction. Predictions for these series will return NaN's.

+|`None`| No series is padded or dropped

+>[!WARNING]

+>Padding may impact the accuracy of the resulting model, since we are introducing artificial data just to get past training without failures. If many of the series are short, then you may also see some impact in explainability results

+### Non-stationary time series detection and handling

+A time series whose moments (mean and variance) change over time is called a **non-stationary**. For example, time series that exhibit stochastic trends are non-stationary by nature. To visualize this, the below image plots a series that is generally trending upward. Now, compute and compare the mean (average) values for the first and the second half of the series. Are they the same? Here, the mean of the series in the first half of the plot is significantly smaller than in the second half. The fact that the mean of the series depends on the time interval one is looking at, is an example of the time-varying moments. Here, the mean of a series is the first moment.

+Next, let's examine the image below, which plots the the original series in first differences, $x_t = y_t - y_{t-1}$ where $x_t$ is the change in retail sales and $y_t$ and $y_{t-1}$ represent the original series and its first lag, respectively. The mean of the series is roughly constant regardless the time frame one is looking at. This is an example of a first order stationary times series. The reason we added the first order term is because the first moment (mean) does not change with time interval, the same cannot be said about the variance, which is a second moment.

+AutoML Machine learning models can not inherently deal with stochastic trends, or other well-known problems associated with non-stationary time series. As a result, their out of sample forecast accuracy will be "poor" if such trends are present.

+AutoML automatically analyzes time series dataset to check whether it is stationary or not. When non-stationary time series are detected, AutoML applies a differencing transform automatically to mitigate the impact of non-stationary time series.

+## Run the experiment

+When you have your `AutoMLConfig` object ready, you can submit the experiment. After the model finishes, retrieve the best run iteration.

+```python

+ws = Workspace.from_config()

+experiment = Experiment(ws, "Tutorial-automl-forecasting")

+local_run = experiment.submit(automl_config, show_output=True)

+best_run, fitted_model = local_run.get_output()

+```

+

+## Forecasting with best model

+Use the best model iteration to forecast values for data that wasn't used to train the model.

+

+### Evaluating model accuracy with a rolling forecast

+Before you put a model into production, you should evaluate its accuracy on a test set held out from the training data. A best practice procedure is a so-called rolling evaluation which rolls the trained forecaster forward in time over the test set, averaging error metrics over several prediction windows to obtain statistically robust estimates for some set of chosen metrics. Ideally, the test set for the evaluation is long relative to the model's forecast horizon. Estimates of forecasting error may otherwise be statistically noisy and, therefore, less reliable.

+For example, suppose you train a model on daily sales to predict demand up to two weeks (14 days) into the future. If there is sufficient historic data available, you might reserve the final several months to even a year of the data for the test set. The rolling evaluation begins by generating a 14-day-ahead forecast for the first two weeks of the test set. Then, the forecaster is advanced by some number of days into the test set and you generate another 14-day-ahead forecast from the new position. The process continues until you get to the end of the test set.

+To do a rolling evaluation, you call the `rolling_forecast` method of the `fitted_model`, then compute desired metrics on the result. For example, assume you have test set features in a pandas DataFrame called `test_features_df` and the test set actual values of the target in a numpy array called `test_target`. A rolling evaluation using the mean squared error is shown in the following code sample:

+```python

+from sklearn.metrics import mean_squared_error

+rolling_forecast_df = fitted_model.rolling_forecast(

+ test_features_df, test_target, step=1)

+mse = mean_squared_error(

+ rolling_forecast_df[fitted_model.actual_column_name], rolling_forecast_df[fitted_model.forecast_column_name])

+```

+In this sample, the step size for the rolling forecast is set to one which means that the forecaster is advanced one period, or one day in our demand prediction example, at each iteration. The total number of forecasts returned by `rolling_forecast` thus depends on the length of the test set and this step size. For more details and examples see the [rolling_forecast() documentation](/python/api/azureml-training-tabular/azureml.training.tabular.models.forecasting_pipeline_wrapper_base.forecastingpipelinewrapperbase#azureml-training-tabular-models-forecasting-pipeline-wrapper-base-forecastingpipelinewrapperbase-rolling-forecast) and the [Forecasting away from training data notebook](https://github.com/Azure/azureml-examples/blob/main/v1/python-sdk/tutorials/automl-with-azureml/forecasting-forecast-function/auto-ml-forecasting-function.ipynb).

+

+### Prediction into the future

+The [forecast_quantiles()](/python/api/azureml-train-automl-client/azureml.train.automl.model_proxy.modelproxy#forecast-quantiles-x-values--typing-any--y-values--typing-union-typing-any--nonetype-none--forecast-destination--typing-union-typing-any--nonetype-none--ignore-data-errors--boolfalse--azureml-data-abstract-dataset-abstractdataset) function allows specifications of when predictions should start, unlike the `predict()` method, which is typically used for classification and regression tasks. The forecast_quantiles() method by default generates a point forecast or a mean/median forecast which doesn't have a cone of uncertainty around it. Learn more in the [Forecasting away from training data notebook](https://github.com/Azure/azureml-examples/blob/main/v1/python-sdk/tutorials/automl-with-azureml/forecasting-forecast-function/auto-ml-forecasting-function.ipynb).

+In the following example, you first replace all values in `y_pred` with `NaN`. The forecast origin is at the end of training data in this case. However, if you replaced only the second half of `y_pred` with `NaN`, the function would leave the numerical values in the first half unmodified, but forecast the `NaN` values in the second half. The function returns both the forecasted values and the aligned features.

+You can also use the `forecast_destination` parameter in the `forecast_quantiles()` function to forecast values up to a specified date.

+```python

+label_query = test_labels.copy().astype(np.float)

+label_query.fill(np.nan)

+label_fcst, data_trans = fitted_model.forecast_quantiles(

+ test_dataset, label_query, forecast_destination=pd.Timestamp(2019, 1, 8))

+```

+Often customers want to understand the predictions at a specific quantile of the distribution. For example, when the forecast is used to control inventory like grocery items or virtual machines for a cloud service. In such cases, the control point is usually something like "we want the item to be in stock and not run out 99% of the time". The following demonstrates how to specify which quantiles you'd like to see for your predictions, such as 50th or 95th percentile. If you don't specify a quantile, like in the aforementioned code example, then only the 50th percentile predictions are generated.

+```python

+# specify which quantiles you would like

+fitted_model.quantiles = [0.05,0.5, 0.9]

+fitted_model.forecast_quantiles(

+ test_dataset, label_query, forecast_destination=pd.Timestamp(2019, 1, 8))

+```

+You can calculate model metrics like, root mean squared error (RMSE) or mean absolute percentage error (MAPE) to help you estimate the models performance. See the Evaluate section of the [Bike share demand notebook](https://github.com/Azure/azureml-examples/blob/main/v1/python-sdk/tutorials/automl-with-azureml/forecasting-bike-share/auto-ml-forecasting-bike-share.ipynb) for an example.

+After the overall model accuracy has been determined, the most realistic next step is to use the model to forecast unknown future values.

+Supply a data set in the same format as the test set `test_dataset` but with future datetimes, and the resulting prediction set is the forecasted values for each time-series step. Assume the last time-series records in the data set were for 12/31/2018. To forecast demand for the next day (or as many periods as you need to forecast, <= `forecast_horizon`), create a single time series record for each store for 01/01/2019.

+```output

+day_datetime,store,week_of_year

+01/01/2019,A,1

+01/01/2019,A,1

+```

+Repeat the necessary steps to load this future data to a dataframe and then run `best_run.forecast_quantiles(test_dataset)` to predict future values.

+> [!NOTE]

+> In-sample predictions are not supported for forecasting with automated ML when `target_lags` and/or `target_rolling_window_size` are enabled.

+## Forecasting at scale

+There are scenarios where a single machine learning model is insufficient and multiple machine learning models are needed. For instance, predicting sales for each individual store for a brand, or tailoring an experience to individual users. Building a model for each instance can lead to improved results on many machine learning problems.

+Grouping is a concept in time series forecasting that allows time series to be combined to train an individual model per group. This approach can be particularly helpful if you have time series which require smoothing, filling or entities in the group that can benefit from history or trends from other entities. Many models and hierarchical time series forecasting are solutions powered by automated machine learning for these large scale forecasting scenarios.

+### Many models

+The Azure Machine Learning many models solution with automated machine learning allows users to train and manage millions of models in parallel. Many models The solution accelerator leverages [Azure Machine Learning pipelines](../concept-ml-pipelines.md) to train the model. Specifically, a [Pipeline](/python/api/azureml-pipeline-core/azureml.pipeline.core.pipeline%28class%29) object and [ParalleRunStep](/python/api/azureml-pipeline-steps/azureml.pipeline.steps.parallelrunstep) are used and require specific configuration parameters set through the [ParallelRunConfig](/python/api/azureml-pipeline-steps/azureml.pipeline.steps.parallelrunconfig).

+The following diagram shows the workflow for the many models solution.

+

+The following code demonstrates the key parameters users need to set up their many models run. See the [Many Models- Automated ML notebook](https://github.com/Azure/azureml-examples/blob/main/v1/python-sdk/tutorials/automl-with-azureml/forecasting-many-models/auto-ml-forecasting-many-models.ipynb) for a many models forecasting example

+```python

+from azureml.train.automl.runtime._many_models.many_models_parameters import ManyModelsTrainParameters

+partition_column_names = ['Store', 'Brand']

+automl_settings = {"task" : 'forecasting',

+ "primary_metric" : 'normalized_root_mean_squared_error',

+ "iteration_timeout_minutes" : 10, #This needs to be changed based on the dataset. Explore how long training is taking before setting this value

+ "iterations" : 15,

+ "experiment_timeout_hours" : 1,

+ "label_column_name" : 'Quantity',

+ "n_cross_validations" : "auto", # Could be customized as an integer

+ "cv_step_size" : "auto", # Could be customized as an integer

+ "time_column_name": 'WeekStarting',

+ "max_horizon" : 6,

+ "track_child_runs": False,

+ "pipeline_fetch_max_batch_size": 15,}

+mm_paramters = ManyModelsTrainParameters(automl_settings=automl_settings, partition_column_names=partition_column_names)

+```

+### Hierarchical time series forecasting

+In most applications, customers have a need to understand their forecasts at a macro and micro level of the business; whether that be predicting sales of products at different geographic locations, or understanding the expected workforce demand for different organizations at a company. The ability to train a machine learning model to intelligently forecast on hierarchy data is essential.

+A hierarchical time series is a structure in which each of the unique series are arranged into a hierarchy based on dimensions such as, geography or product type. The following example shows data with unique attributes that form a hierarchy. Our hierarchy is defined by: the product type such as headphones or tablets, the product category which splits product types into accessories and devices, and the region the products are sold in.

+

+

+To further visualize this, the leaf levels of the hierarchy contain all the time series with unique combinations of attribute values. Each higher level in the hierarchy considers one less dimension for defining the time series and aggregates each set of child nodes from the lower level into a parent node.

+

+

+The hierarchical time series solution is built on top of the Many Models Solution and share a similar configuration setup.

+The following code demonstrates the key parameters to set up your hierarchical time series forecasting runs. See the [Hierarchical time series- Automated ML notebook](https://github.com/Azure/azureml-examples/blob/main/v1/python-sdk/tutorials/automl-with-azureml/forecasting-hierarchical-timeseries/auto-ml-forecasting-hierarchical-timeseries.ipynb), for an end to end example.

+```python

+from azureml.train.automl.runtime._hts.hts_parameters import HTSTrainParameters

+model_explainability = True

+engineered_explanations = False # Define your hierarchy. Adjust the settings below based on your dataset.

+hierarchy = ["state", "store_id", "product_category", "SKU"]

+training_level = "SKU"# Set your forecast parameters. Adjust the settings below based on your dataset.

+time_column_name = "date"

+label_column_name = "quantity"

+forecast_horizon = 7

+automl_settings = {"task" : "forecasting",

+ "primary_metric" : "normalized_root_mean_squared_error",

+ "label_column_name": label_column_name,

+ "time_column_name": time_column_name,

+ "forecast_horizon": forecast_horizon,

+ "hierarchy_column_names": hierarchy,

+ "hierarchy_training_level": training_level,

+ "track_child_runs": False,

+ "pipeline_fetch_max_batch_size": 15,

+ "model_explainability": model_explainability,# The following settings are specific to this sample and should be adjusted according to your own needs.

+ "iteration_timeout_minutes" : 10,

+ "iterations" : 10,

+ "n_cross_validations" : "auto", # Could be customized as an integer

+ "cv_step_size" : "auto", # Could be customized as an integer

+ }

+hts_parameters = HTSTrainParameters(

+ automl_settings=automl_settings,

+ hierarchy_column_names=hierarchy,

+ training_level=training_level,

+ enable_engineered_explanations=engineered_explanations

+)

+```

+## Example notebooks

+See the [forecasting sample notebooks](https://github.com/Azure/azureml-examples/tree/main/v1/python-sdk/tutorials/automl-with-azureml) for detailed code examples of advanced forecasting configuration including:

+* [holiday detection and featurization](https://github.com/Azure/azureml-examples/blob/main/v1/python-sdk/tutorials/automl-with-azureml/forecasting-bike-share/auto-ml-forecasting-bike-share.ipynb)

+* [rolling-origin cross validation](https://github.com/Azure/azureml-examples/blob/main/v1/python-sdk/tutorials/automl-with-azureml/forecasting-energy-demand/auto-ml-forecasting-energy-demand.ipynb)

+* [configurable lags](https://github.com/Azure/azureml-examples/blob/main/v1/python-sdk/tutorials/automl-with-azureml/forecasting-bike-share/auto-ml-forecasting-bike-share.ipynb)

+* [rolling window aggregate features](https://github.com/Azure/azureml-examples/blob/main/v1/python-sdk/tutorials/automl-with-azureml/forecasting-energy-demand/auto-ml-forecasting-energy-demand.ipynb)

+## Next steps

+* Learn more about [How to deploy an AutoML model to an online endpoint](../how-to-deploy-automl-endpoint.md).

+* Learn about [Interpretability: model explanations in automated machine learning (preview)](how-to-machine-learning-interpretability-automl.md).

+* Learn about [how AutoML builds forecasting models](../concept-automl-forecasting-methods.md).

+ > Private DNS zone names must end with `mysql.database.azure.com`. If you are connecting to an Azure Database for MySQL flexible server with SSL and you're using an option to perform full verification (sslmode=VERTIFY_IDENTITY) with certificate subject name, use \<servername\>.mysql.database.azure.com in your connection string.

+- In the username field, enter the MySQL Azure Active Directory administrator name. For example, user@tenant.onmicrosoft.com.

+ - **Send subscription activity logs** - Subscription activity logs provide insight into the operations on your resources at the [control plane](../../azure-resource-manager/management/control-plane-and-data-plane.md). Updates on service-health events are also included. Use the activity log to determine the what, who, and when for any write operations (PUT, POST, DELETE). There's a single activity log for each Azure subscription.

+ - **Send Azure resource logs for all defined sources** - Azure resource logs provide insight into operations that were taken on an Azure resource at the [data plane](../../azure-resource-manager/management/control-plane-and-data-plane.md). For example, getting a secret from a Key Vault is a data plane operation. Or, making a request to a database is also a data plane operation. The content of resource logs varies by the Azure service and resource type.

+ - **Send Azure Active Directory logs** ΓÇô Azure Active Directory logs allow you to route the audit, sign-in, and provisioning logs to Dynatrace. The details are listed in [Azure AD activity logs in Azure Monitor](/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor). The global administrator or security administrator for your Azure Active Directory (AAD) tenant can enable AAD logs.

+There are several government entities worldwide that maintain guidelines for TLS with regard to network security, including Department of Health and Human Services (HHS) or the National Institute of Standards and Technology (NIST) in the United States. The level of security that TLS provides is most affected by the TLS protocol version and the supported cipher suites. A cipher suite is a set of algorithms, including a cipher, a key-exchange algorithm and a hashing algorithm, which are used together to establish a secure TLS connection. Most TLS clients and servers support multiple alternatives, so they have to negotiate when establishing a secure connection to select a common TLS version and cipher suite.

+Azure Database for PostgreSQL supports TLS version 1.2 and later. In [RFC 8996](https://datatracker.ietf.org/doc/rfc8996/), the Internet Engineering Task Force (IETF) explicitly states that TLS 1.0 and TLS 1.1 must not be used. Both protocols were deprecated by the end of 2019.

+[Certificate authentication](https://www.postgresql.org/docs/current/auth-cert.html) is performed using **SSL client certificates** for authentication. In this scenario, PostgreSQL server compares the CN (common name) attribute of the client certificate presented, against the requested database user.

+**Azure Database for PostgreSQL - Flexible Server does not support SSL certificate based authentication at this time.**

+0049e2e2-fcea-4bc4-af90-bdb29a9bbe98 5657e26c-cc92-45d9-bc47-9da6cfdb4ed9 FSPG MS Graph App

+> If you are not a **Global Administrator**, **Tenant Creator**, or **Application Owner**, you can't proceed past this step.

+### Create Azure Database for PostgreSQL Flexible Server service principal and grant read access

+If the Azure Database for PostgreSQL Flexible Server service principal doesn't exist, the following command creates it and grants it read access to your customer tenant to request Graph API tokens for Azure AD validation tasks:

+select * from pgaadauth_create_principal('Prod DB Readonly', false, false).

+# Create users in Azure Database for PostgreSQL - Flexible Server

+ CREATE USER <new_user> CREATEDB CREATEROLE PASSWORD '<StrongPassword!>';

+ This SQL code below creates a new database, then it creates a new user in the PostgreSQL instance and grants connect privilege to the new database for that user.

+ CREATE USER <db_user> PASSWORD '<StrongPassword!>';

+ If a user creates a table "role", the table belongs to that user. If another user needs access to the table, you must grant privileges to the other user on the table level.

+ psql --host=mydemoserver.postgres.database.azure.com --port=5432 --username=db_user --dbname=newdb

+## Collect variables for the Kubernetes extensions

+Collect each of the values in the table below.

+| Value | Variable name |

+|--|--|

+|The ID of the Azure subscription in which the Azure resources are deployed. |**SUBSCRIPTION_ID**|

+|The name of the resource group in which the AKS cluster is deployed. This can be found by using the **Manage** button in the **Azure Kubernetes Service** pane of the Azure portal. |**RESOURCE_GROUP_NAME**|

+|The name of the AKS cluster resource. This can be found by using the **Manage** button in the **Azure Kubernetes Service** pane of the Azure portal. |**RESOURCE_NAME**|

+|The region in which the Azure resources are deployed. This must match the region into which the mobile network will be deployed, which must be one of the regions supported by AP5GC: **EastUS** or **WestEurope**.</br></br>This value must be the [region's code name](region-code-names.md); see [Products available by region](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/) for a list of supported regions. |**LOCATION**|

+|The name of the **Custom location** resource to be created for the AKS cluster. </br></br>This value must start and end with alphanumeric characters, and must contain only alphanumeric characters, `-` or `.`. |**CUSTOM_LOCATION**|

+The Azure Private 5G Core private mobile network requires a custom location and specific Kubernetes extensions that you need to configure using the Azure CLI in Azure Cloud Shell.

+> [!TIP]

+> The commands in this section require the `k8s-extension` and `customlocation` extensions to the Azure CLI tool to be installed. If you do not already have them, a prompt will appear to install these when you run commands that require them. See [Use and manage extensions with the Azure CLI](/cli/azure/azure-cli-extensions-overview) for more information on automatic extension installation.

+ | **Distributed tracing redirect URI root** | Make a note of the following part of the redirect URI: **https://*\<local monitoring domain\>***. | `redirect_uri_root` |

+## Disable network policy

+Before a private link service can be created in the virtual network, the setting `privateLinkServiceNetworkPolicies` must be disabled.

+* Disable the network policy with [az network vnet subnet update](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-update).

+```azurecli-interactive

+az network vnet subnet update \

+ --name mySubnet \

+ --vnet-name MyVnet \

+ --resource-group CreatePrivLinkService-rg \

+ --disable-private-link-service-network-policies yes

+```

+az network vnet subnet update \

+ --name default \

+ --vnet-name MyVnet \

+ --resource-group myResourceGroup \

+ --disable-private-link-service-network-policies yes

+# Availability zone migration guidance overview for Microsoft Azure products and services

+ Title: Reliability guidance overview for Microsoft Azure products and services

+description: Reliability guidance overview for Microsoft Azure products and services

+# Reliability guidance overview

+Azure reliability guidance is a collection of service-specific reliability guides. Each guide can cover both intra-regional resiliency with [availability zones](availability-zones-overview.md) and information on [cross-region resiliency with disaster recovery](cross-region-replication-azure.md). For a more detailed overview of reliability principles in Azure, see [Reliability in Microsoft Azure Well-Architected Framework](/azure/architecture/framework/resiliency/).

+## Azure services reliability guides

+###  Foundational services

+| **Products** |

+| |

+| [Azure Cosmos DB](../cosmos-db/high-availability.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Event Hubs](../event-hubs/event-hubs-geo-dr.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json#availability-zones)|

+[Azure ExpressRoute](../expressroute/designing-for-high-availability-with-expressroute.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Key Vault](../key-vault/general/disaster-recovery-guidance.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Load Balancer](../load-balancer/load-balancer-standard-availability-zones.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Public IP](../virtual-network/ip-services/public-ip-addresses.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json#availability-zone)|

+[Azure Service Bus](../service-bus-messaging/service-bus-geo-dr.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json#availability-zones)|

+[Azure Service Fabric](../service-fabric/service-fabric-cross-availability-zones.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Site Recovery](../site-recovery/site-recovery-overview.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure SQL](/azure/azure-sql/database/high-availability-sla?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Storage: Blob Storage](../storage/common/storage-disaster-recovery-guidance.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Virtual Machine Scale Sets](../virtual-machines/availability.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Virtual Machines](../virtual-machines/availability.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Virtual Network](../vpn-gateway/create-zone-redundant-vnet-gateway.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure VPN Gateway](../vpn-gateway/about-zone-redundant-vnet-gateways.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+###  Mainstream services

+| **Products** |

+| |

+| [Azure API Management](../api-management/high-availability.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure App Configuration](../azure-app-configuration/faq.yml?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json#how-does-app-configuration-ensure-high-data-availability)|

+[Azure App Service](/azure/architecture/framework/services/compute/azure-app-service/reliability?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json#why-use-app-service)|

+[Azure App Service- App Service Environment](/azure/architecture/reference-architectures/enterprise-integration/ase-high-availability-deployment?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Application Gateway (V2)](../application-gateway/application-gateway-autoscaling-zone-redundant.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Batch](../batch/create-pool-availability-zones.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Bot Service](reliability-bot.md)|

+[Azure Cache for Redis](../azure-cache-for-redis/cache-how-to-zone-redundancy.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Cognitive Search](../search/search-performance-optimization.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Communications Gateway](../communications-gateway/reliability-communications-gateway.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Container Instances](reliability-containers.md)|

+[Azure Container Registry](../container-registry/zone-redundancy.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Data Explorer](/azure/data-explorer/create-cluster-database-portal?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Data Factory](../data-factory/concepts-data-redundancy.md?bc=%2fazure%2freliability%2fbreadcrumb%2ftoc.json&toc=%2fazure%2freliability%2ftoc.json)|

+[Azure Database for MySQL - Flexible Server](../mysql/flexible-server/concepts-high-availability.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Database for PostgreSQL - Flexible Server](../postgresql/single-server/concepts-high-availability.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure DDoS Protection](../ddos-protection/ddos-faq.yml?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Disk Encryption](../virtual-machines/disks-redundancy.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure DNS - Azure DNS Private Zones](../dns/private-dns-getstarted-portal.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure DNS - Azure DNS Private Resolver](../dns/dns-private-resolver-get-started-portal.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Energy Data Services](reliability-energy-data-services.md )|

+[Azure Event Grid](../event-grid/availability-zones-disaster-recovery.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Firewall](../firewall/deploy-availability-zone-powershell.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Firewall Manager](../firewall-manager/quick-firewall-policy.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Functions](reliability-functions.md)|

+[Azure HDInsight](../hdinsight/hdinsight-use-availability-zones.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure IoT Hub](../iot-hub/iot-hub-ha-dr.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Kubernetes Service (AKS)](../aks/availability-zones.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Logic Apps](../logic-apps/set-up-zone-redundancy-availability-zones.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Monitor](../azure-monitor/logs/availability-zones.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Network Watcher](../network-watcher/frequently-asked-questions.yml?bc=%2fazure%2freliability%2fbreadcrumb%2ftoc.json&toc=%2fazure%2freliability%2ftoc.json#service-availability-and-redundancy)|

+[Azure Notification Hubs](../notification-hubs/availability-zones.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Private 5G Core](../private-5g-core/reliability-private-5g-core.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Private Link](../private-link/availability.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Route Server](../route-server/route-server-faq.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+[Azure Virtual WAN](../virtual-wan/virtual-wan-faq.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json#how-are-availability-zones-and-resiliency-handled-in-virtual-wan)|

+[Azure Web Application Firewall](../firewall/deploy-availability-zone-powershell.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+## Next steps

+> [!div class="nextstepaction"]

+> [Azure services and regions with availability zones](availability-zones-service-support.md)

+> [!div class="nextstepaction"]

+> [Availability of service by category](availability-service-by-category.md)

+> [!div class="nextstepaction"]

+> [Microsoft commitment to expand Azure availability zones to more regions](https://azure.microsoft.com/blog/our-commitment-to-expand-azure-availability-zones-to-more-regions/)

+> [!div class="nextstepaction"]

+> [Build solutions for high availability using availability zones](/azure/architecture/high-availability/building-solutions-for-high-availability)

+> [!NOTE]

+> These keys are plain text strings using a Base64 representation, and must not be decoded before they are used.

+Premium block blob storage accounts have a higher storage cost but a lower transaction cost as compared to standard general-purpose v2 accounts. If your applications and workloads execute a large number of transactions, premium block blob storage can be cost-effective, especially if the workload is write-heavy.

+## Resources

+To learn more about deleting a container using the Azure Blob Storage client library for Java, see the following resources.

+### REST API operations

+The Azure SDK for Java contains libraries that build on top of the Azure REST API, allowing you to interact with REST API operations through familiar Java paradigms. The client library methods for deleting or restoring a container use the following REST API operations:

+- [Restore Container](/rest/api/storageservices/restore-container) (REST API)

+### Code samples

+- [View code samples from this article (GitHub)](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/Java/blob-devguide/blob-devguide-containers/src/main/java/com/blobs/devguide/containers/ContainerDelete.java)

+### See also

+## Resources

+To learn more about leasing a container using the Azure Blob Storage client library for Java, see the following resources.

+### REST API operations

+The Azure SDK for Java contains libraries that build on top of the Azure REST API, allowing you to interact with REST API operations through familiar Java paradigms. The client library methods for leasing a container use the following REST API operation:

+- [Lease Container](/rest/api/storageservices/lease-container) (REST API)

+### Code samples

+- [View code samples from this article (GitHub)](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/Java/blob-devguide/blob-devguide-containers/src/main/java/com/blobs/devguide/containers/ContainerLease.java)

+## Resources

+To learn more about setting and retrieving container properties and metadata using the Azure Blob Storage client library for Java, see the following resources.

+### REST API operations

+The Azure SDK for Java contains libraries that build on top of the Azure REST API, allowing you to interact with REST API operations through familiar Java paradigms. The client library methods for setting and retrieving properties and metadata use the following REST API operations:

+- [Get Container Metadata](/rest/api/storageservices/get-container-metadata) (REST API)

+The `getProperties` method retrieves container properties and metadata by calling both the [Get Blob Properties](/rest/api/storageservices/get-blob-properties) operation and the [Get Blob Metadata](/rest/api/storageservices/get-blob-metadata) operation.

+### Code samples

+- [View code samples from this article (GitHub)](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/Java/blob-devguide/blob-devguide-containers/src/main/java/com/blobs/devguide/containers/ContainerPropertiesMetadata.java)

+## Resources

+To learn more about listing containers using the Azure Blob Storage client library for Java, see the following resources.

+### REST API operations

+The Azure SDK for Java contains libraries that build on top of the Azure REST API, allowing you to interact with REST API operations through familiar Java paradigms. The client library methods for listing containers use the following REST API operation:

+### Code samples

+- [View code samples from this article (GitHub)](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/Java/blob-devguide/blob-devguide-containers/src/main/java/com/blobs/devguide/containers/ContainerList.java)

+## See also

+This method synchronously copies the data at the source URL to a blob and waits for the copy to complete before returning a response. The source must be a block blob no larger than 256 MB. The source URL must include a SAS token that provides permissions to read the source blob. To learn more about the underlying operation, see [REST API operations](#rest-api-operations).

+This method triggers a long-running, asynchronous operation. The source may be another blob or an Azure File resource. If the source is in another storage account, the source must either be public or authorized with a SAS token. To learn more about the underlying operation, see [REST API operations](#rest-api-operations).

+## Resources

+To learn more about copying blobs using the Azure Blob Storage client library for Java, see the following resources.

+### REST API operations

+The Azure SDK for Java contains libraries that build on top of the Azure REST API, allowing you to interact with REST API operations through familiar Java paradigms. The client library methods for copying blobs use the following REST API operations:

+- [Copy Blob From URL](/rest/api/storageservices/copy-blob-from-url) (REST API)

+- [Abort Copy Blob](/rest/api/storageservices/abort-copy-blob) (REST API)

+### Code samples

+- [View code samples from this article (GitHub)](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/Java/blob-devguide/blob-devguide-blobs/src/main/java/com/blobs/devguide/blobs/BlobCopy.java)

+## Resources

+To learn more about how to delete blobs and restore deleted blobs using the Azure Blob Storage client library for Java, see the following resources.

+### REST API operations

+The Azure SDK for Java contains libraries that build on top of the Azure REST API, allowing you to interact with REST API operations through familiar Java paradigms. The client library methods for deleting blobs and restoring deleted blobs use the following REST API operations:

+### Code samples

+- [View code samples from this article (GitHub)](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/Java/blob-devguide/blob-devguide-blobs/src/main/java/com/blobs/devguide/blobs/BlobDelete.java)

+### See also

+- [Soft delete for blobs](soft-delete-blob-overview.md)

+- [Blob versioning](versioning-overview.md)

+## Resources

+To learn more about how to download blobs using the Azure Blob Storage client library for Java, see the following resources.

+### REST API operations

+The Azure SDK for Java contains libraries that build on top of the Azure REST API, allowing you to interact with REST API operations through familiar Java paradigms. The client library methods for downloading blobs use the following REST API operation:

+- [Get Blob](/rest/api/storageservices/get-blob) (REST API)

+### Code samples

+- [View code samples from this article (GitHub)](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/Java/blob-devguide/blob-devguide-blobs/src/main/java/com/blobs/devguide/blobs/BlobDownload.java)

+## Resources

+To learn more about managing blob leases using the Azure Blob Storage client library for Java, see the following resources.

+### REST API operations

+The Azure SDK for Java contains libraries that build on top of the Azure REST API, allowing you to interact with REST API operations through familiar Java paradigms. The client library methods for managing blob leases use the following REST API operation:

+### Code samples

+- [View code samples from this article (GitHub)](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/Java/blob-devguide/blob-devguide-blobs/src/main/java/com/blobs/devguide/blobs/BlobLease.java)

+### See also

+## Resources

+To learn more about how to manage system properties and user-defined metadata using the Azure Blob Storage client library for Java, see the following resources.

+### REST API operations

+The Azure SDK for Java contains libraries that build on top of the Azure REST API, allowing you to interact with REST API operations through familiar Java paradigms. The client library methods for managing system properties and user-defined metadata use the following REST API operations:

+- [Get Blob Metadata](/rest/api/storageservices/get-blob-metadata) (REST API)

+### Code samples

+- [View code samples from this article (GitHub)](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/Java/blob-devguide/blob-devguide-blobs/src/main/java/com/blobs/devguide/blobs/BlobPropertiesMetadataTags.java)

+## Resources

+To learn more about how to use index tags to manage and find data using the Azure Blob Storage client library for Java, see the following resources.

+### REST API operations

+The Azure SDK for Java contains libraries that build on top of the Azure REST API, allowing you to interact with REST API operations through familiar Java paradigms. The client library methods for managing and using blob index tags use the following REST API operations:

+- [Find Blobs by Tags](/rest/api/storageservices/find-blobs-by-tags) (REST API)

+### Code samples

+- [View code samples from this article (GitHub)](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/Java/blob-devguide/blob-devguide-blobs/src/main/java/com/blobs/devguide/blobs/BlobPropertiesMetadataTags.java)

+### See also

+- [Manage and find Azure Blob data with blob index tags](storage-manage-find-blobs.md)

+- [Use blob index tags to manage and find data on Azure Blob Storage](storage-blob-index-how-to.md)

+## Resources

+To learn more about uploading blobs using the Azure Blob Storage client library for Java, see the following resources.

+### REST API operations

+The Azure SDK for Java contains libraries that build on top of the Azure REST API, allowing you to interact with REST API operations through familiar Java paradigms. The client library methods for uploading blobs use the following REST API operations:

+- [Put Blob From URL](/rest/api/storageservices/put-blob-from-url) (REST API)

+### Code samples

+- [View code samples from this article (GitHub)](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/Java/blob-devguide/blob-devguide-blobs/src/main/java/com/blobs/devguide/blobs/BlobUpload.java)

+### See also

+- [Manage and find Azure Blob data with blob index tags](storage-manage-find-blobs.md)

+- [Use blob index tags to manage and find data on Azure Blob Storage](storage-blob-index-how-to.md)

+## Resources

+To learn more about how to list blobs using the Azure Blob Storage client library for Java, see the following resources.

+### REST API operations

+The Azure SDK for Java contains libraries that build on top of the Azure REST API, allowing you to interact with REST API operations through familiar Java paradigms. The client library methods for listing blobs use the following REST API operation:

+### Code samples

+- [View code samples from this article (GitHub)](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/Java/blob-devguide/blob-devguide-blobs/src/main/java/com/blobs/devguide/blobs/BlobList.java)

+### See also

+ If your **PSVersion** value is less than 5.1.\*, as will be the case with most fresh installations of Windows Server 2012 R2, you'll need to upgrade by downloading and installing [Windows Management Framework (WMF) 5.1](https://www.microsoft.com/download/details.aspx?id=54616). The appropriate package to download and install for Windows Server 2012 R2 is **Win8.1AndW2K12R2-KB\*\*\*\*\*\*\*-x64.msu**.

+| Windows Server 2012 R2* | Datacenter, Standard, and Storage Server | Full and Core |

+*Requires downloading and installing [Windows Management Framework (WMF) 5.1](https://www.microsoft.com/download/details.aspx?id=54616). The appropriate package to download and install for Windows Server 2012 R2 is **Win8.1AndW2K12R2-KB\*\*\*\*\*\*\*-x64.msu**.

+|Synapse Monitoring Operator |Read published code artifacts, including logs and outputs for pipeline runs and completed notebooks. Includes ability to list and view details of Apache Spark pools, Data Explorer pools, and Integration runtimes. Requires additional permissions to run/cancel pipelines, Spark notebooks, and Spark jobs.|Workspace |

+> - Autoscale doesn't support scaling of generalized or sysprepped VMs with machine-specific information removed. For more information, see [Remove machine-specific information by generalizing a VM before creating an image](../virtual-machines/generalize.md).

+> - Autoscale doesn't support scaling of generalized or sysprepped VMs with machine-specific information removed. For more information, see [Remove machine-specific information by generalizing a VM before creating an image](../virtual-machines/generalize.md).

+Pooled host pools have a preferred app group type that dictates whether users see RemoteApp or Desktop apps in their feed if both resources have been published to the same user. By default, Azure Virtual Desktop automatically creates a Desktop app group with the friendly name **Default Desktop** whenever you create a host pool and sets the host pool's preferred app group type to **Desktop**. You can remove the Desktop app group at any time. If you want your users to only see RemoteApps in their feed, you should set the **preferred application group type** value to **RemoteApp**. If you want your users to only see session desktops in their feed, you should set the **preferred application group type** value to **Desktop**. You can't create another Desktop app group in a host pool while a Desktop app group exists.

+>If your host poolΓÇÖs *preferred application group type* is set to **Undefined**, that means you havenΓÇÖt set the value yet. You must finish configuring your host pool by setting its *preferred application group type* before you start using it to prevent app incompatibility and session host overload issues.

+A: You'll need to [exchange your reservation](../cost-management-billing/reservations/exchange-and-refund-azure-reservations.md#how-to-exchange-or-refund-an-existing-reservation) through the Azure portal to match the new Dedicated Host SKU.

+### Q: What would happen to my host if I do not migrate by March 31, 2023?

+A: After March 31, 2023 any dedicated host running on the SKUs that are marked for retirement will be set to 'Host Pending Deallocate' state before eventually deallocating the host. For additional assistance please reach out to Azure support.

+### Q: What will happen to my VMs if a Host is automatically deallocated?

+A: If the underlying host is deallocated the VMs that were running on the host would be deallocated but not deleted. You would be able to either create a new host (of same VM family) and allocate VMs on the host or run the VMs on multi-tenant infrastructure.

+1. Leave the **Automatically replace host on failure** setting *Enabled* to automatically service heal the host in case of any host level failure.

+ --auto-replace true \

+ -AutoReplaceOnFailure True `

+## Host Service Healing

+In case of any failure relating to the underlying node, network connectivity or software issues can push the host and VMs on the host to a non-healthy state causing disruption and downtime to your workloads. The default action is for Azure to automatically service heal the impacted host to a healthy node and move all VMs to the healthy host. Once the VMs are service healed and restarted the impacted host will be deallocated. During the service healing process the host and VMs would become unavailable incurring a slight downtime.

+The newly created host would have all the same constraints as the old host:

+ - Resource group

+ - Region

+ - Fault Domain

+ - Host Group

+ - ADH SKU

+ - Auto replace on failure setting

+Users with compliance requirements might need a strong affinity between the host and underlying node and would not like to be automatically service healed, in such scenarios users can choose to opt out of auto service healing at host level by disabling the 'Automatically replace host on failure setting'.

+### Implications

+If you decide to disable auto service healing and if the underlying node encounters a failure your host state will change to 'Host Pending Deallocate' and will eventually be deallocated.

+To avoid deallocation, you would need to manually redeploy the host by creating a new dedicated host and moving all the VMs from the old host to the new host.

+The auto replace host setting is a create time setting and cannot be changed once the host is created. VMs that are manually stopped/deallocated from the impacted host are not moved as part of the automatic service healing.

+ $settings = (get-content -raw ".\settings.json")

+| [**SAP S/4HANA 2022, Fully-Activated Appliance**]( https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/applianceTemplates/f4e6b3ba-ba8f-485f-813f-be27ed5c8311) | December 15 2022 |This appliance contains SAP S/4HANA 2022 (SP00) with pre-activated SAP Best Practices for SAP S/4HANA core functions, and further scenarios for Service, Master Data Governance (MDG), Portfolio Mgmt. (PPM), Human Capital Management (HCM), Analytics, and more. User access happens via SAP Fiori, SAP GUI, SAP HANA Studio, Windows remote desktop, or the backend operating system for full administrative access. | [Create Appliance](https://cal.sap.com/registration?sguid=f4e6b3ba-ba8f-485f-813f-be27ed5c8311&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8)

+| [**SAP ABAP Platform 1909, Developer Edition**](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/applianceTemplates/7bd4548f-a95b-4ee9-910a-08c74b4f6c37) | June 21 2021 |The SAP ABAP Platform on SAP HANA gives you access to SAP ABAP Platform 1909 Developer Edition on SAP HANA. Note that this solution is preconfigured with many additional elements ΓÇô including: SAP ABAP RESTful Application Programming Model, SAP Fiori launchpad, SAP gCTS, SAP ABAP Test Cockpit, and preconfigured frontend / backend connections, etc It also includes all the standard ABAP AS infrastructure: Transaction Management, database operations / persistence, Change and Transport System, SAP Gateway, interoperability with ABAP Development Toolkit and SAP WebIDE, and much more. | [Create Appliance](https://cal.sap.com/registration?sguid=7bd4548f-a95b-4ee9-910a-08c74b4f6c37provider=208b780d-282b-40ca-9590-5dd5ad1e52e8)

+ [**SAP S/4HANA 2021 FPS02, Fully-Activated Appliance**](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/applianceTemplates/3f4931de-b15b-47f1-b93d-a4267296b8bc) | July 19 2022 | This appliance contains SAP S/4HANA 2021 (FPS02) with pre-activated SAP Best Practices for SAP S/4HANA core functions, and further scenarios for Service, Master Data Governance (MDG), Portfolio Management (PPM), Human Capital Management (HCM), Analytics, Migration Cockpit, and more. User access happens via SAP Fiori, SAP GUI, SAP HANA Studio, Windows remote desktop, or the backend operating system for full administrative access. | [Create Appliance](https://cal.sap.com/registration?sguid=3f4931de-b15b-47f1-b93d-a4267296b8bc&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) |

+| [**SAP NetWeaver 7.5 SP15 on SAP ASE**](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/solutions/69efd5d1-04de-42d8-a279-813b7a54c1f6) | January 3 2018 | SAP NetWeaver 7.5 SP15 on SAP ASE | [Create Appliance](https://cal.sap.com/registration?sguid=69efd5d1-04de-42d8-a279-813b7a54c1f6&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) |

+| [**SAP S/4HANA 2022**](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/applianceTemplates/c4aff915-1af8-4d45-b370-0b38a079f9bc) | December 4 2022 | This solution comes as a standard S/4HANA system installation including a remote desktop for easy frontend access. It contains a pre-configured and activated SAP S/4HANA Fiori UI in client 100, with prerequisite components activated as per SAP note 3166600 Composite SAP note: Rapid Activation for SAP Fiori in SAP S/4HANA 2022 | [Create Appliance](https://cal.sap.com/registration?sguid=f4e6b3ba-ba8f-485f-813f-be27ed5c8311&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) |

+| [**SAP Focused Run 4.0 SP00 (configured)**](https://cal.sap.com/catalog?provider=208b780d-282b-40ca-9590-5dd5ad1e52e8#/applianceTemplates/f4a6643f-2731-486c-af82-0508396650b7) | January 19 2023 |SAP Focused Run is designed specifically for businesses that need high-volume system and application monitoring, alerting, and analytics. It's a powerful solution for service providers, who want to host all their customers in one central, scalable, safe, and automated environment. It also addresses customers with advanced needs regarding system management, user monitoring, integration monitoring, and configuration and security analytics. | [Create Appliance](https://cal.sap.com/registration?sguid=f4a6643f-2731-486c-af82-0508396650b7&provider=208b780d-282b-40ca-9590-5dd5ad1e52e8) |