-1. In **Valid OAuth redirect URIs**, enter `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp`. If you use a [custom domain](custom-domain.md), enter `https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp`. Replace `your-tenant-name` with the name of your tenant, and `your-domain-name` with your custom domain.

-This section covers the configuration options under optional claims for changing the group attributes used in group claims from the default group objectID to attributes synced from on-premises Windows Active Directory. You can configure groups optional claims for your application through the UI or application manifest.

-This article explains what account types (sometimes called *audiences*) are supported in the Microsoft identity platform applications.

- - In any organization. Such an application is called a *multitenant* web application. You'll sometimes read that it signs in users with their work or school accounts.

-

-Some account types can't be used with certain authentication flows. For instance, in desktop, UWP, or daemon applications:

-1. Sign in to the [Azure Active Directory admin center](https://aad.portal.azure.com) with the Hybrid Identity Administratoristrator credentials for your tenant.

-> Azure CNI Overlay is currently available only in the following regions:

-> - North Central US

-> - West Central US

-> - East US

-> - UK South

-> - Australia East

-| Area | Azure CNI Overlay | Kubenet |

-| -- | -- | -- |

-| Cluster scale | 1000 nodes and 250 pods/node | 400 nodes and 250 pods/node |

-| Network configuration | Simple - no additional configuration required for pod networking | Complex - requires route tables and UDRs on cluster subnet for pod networking |

-| Pod connectivity performance | Performance on par with VMs in a VNet | Additional hop adds minor latency |

-| Kubernetes Network Policies | Azure Network Policies, Calico | Calico |

-| OS platforms supported | Linux and Windows | Linux only |

-Deletion image logs are stored in `eraser-aks-nodepool-xxx` pods for manually deleted images, and in `eraser-collector-xxx` pods for automatically deleted images.

-1. Copy this query into the table, replacing `name` with either `eraser-aks-nodepool-xxx` (for manual mode) or `eraser-collector-xxx` (for automatic mode).

-| [Virtual network injection](virtual-network-concepts.md) | Developer, Premium | Γ¥î | Γ£ö∩╕Ź |

-| [CA root certificates](api-management-howto-ca-certificates.md) for certificate validation | Γ£ö∩╕Å | Γ¥î | Γ£ö∩╕Ų |

-² Requires configuration of local CA certificates.<br/>

-> None of the API Management endpoints are registered on the public DNS. The endpoints remain inaccessible until you [configure DNS](#dns-configuration) for the VNet.

-If you use custom domain names for the API Management endpoints, especially if you use a custom domain name for the Management endpoint, you might need to update the value of `config.service.endpoint` in the **\<gateway-name\>.yaml** file to replace the default domain name with the custom domain name. Make sure that the Management endpoint can be accessed from the pod of the self-hosted gateway in the Kubernetes cluster.

-| Hostname of the configuration endpoint | `<apim-service-name>.management.azure-api.net` | `<apim-service-name>.configuration.azure-api.net` | |

-| Public IP addresses of Azure Storage [service tag](../virtual-network/service-tags-overview.md) | Γ£ö∩╕Å | Optional¹ | IP addresses must correspond to primary location of API Management instance. |

-| Hostname of Azure Blob Storage account | Γ£ö∩╕Å | Optional¹ | Account associated with instance (`<blob-storage-account-name>.blob.core.windows.net`) |

-| Hostname of Azure Table Storage account | Γ£ö∩╕Å | Optional¹ | Account associated with instance (`<table-storage-account-name>.table.core.windows.net`) |

-| Endpoints for [Azure Application Insights integration](api-management-howto-app-insights.md) | Optional² | Optional² | Minimal required endpoints are:<ul><li>`rt.services.visualstudio.com:443`</li><li>`dc.services.visualstudio.com:443`</li><li>`{region}.livediagnostics.monitor.azure.com:443`</li></ul>Learn more in [Azure Monitor docs](../azure-monitor/app/ip-addresses.md#outgoing-ports) |

-| Endpoints for [Event Hubs integration](api-management-howto-log-event-hubs.md) | Optional² | Optional² | Learn more in [Azure Event Hubs docs](../event-hubs/network-security.md) |

-| Endpoints for [external cache integration](api-management-howto-cache-external.md) | Optional² | Optional² | This requirement depends on the external cache that is being used |

-¹ Only required in v2 when API inspector or quotas are used in policies.<br/>

-² Only required when feature is used and requires public IP address, port and hostname information.<br/>

-> application gateway ingress controller (AGIC) add-on **only** supports application gateway v2 SKUs (Standard and WAF), and **not** the application gateway v1 SKUs.

-description: This article teaches you to create, test, and publish a simple Python 3 runbook (preview) in your Azure Automation account.

-# Tutorial: Create a Python 3 runbook (preview)

-This tutorial walks you through the creation of a [Python 3 runbook](../automation-runbook-types.md#python-runbooks) (preview) in Azure Automation. Python runbooks compile under Python 2 and 3. You can directly edit the code of the runbook using the text editor in the Azure portal.

-To complete this tutorial, you need the following:

- The Automation account page gives you a quick view of the resources in this account. You should already have some assets. Most of those assets are the modules that are automatically included in a new Automation account. You should also have the Run As account credential asset that's mentioned in the [prerequisites](#prerequisites).

-2. Select **Runbooks** under **Process Automation** to open the list of runbooks.

-3. Select **Add a runbook** to create a new runbook.

-4. Give the runbook the name **MyFirstRunbook-Python**.

-5. Select **Python 3** for **Runbook type**.

-6. Select **Create** to create the runbook and open the textual editor.

-2. Select **Start** to start the test. This should be the only enabled option.

-3. A [runbook job](../automation-runbook-execution.md) is created and its status displayed.

- The job status starts as **Queued**, indicating that it is waiting for a runbook worker in the cloud to become available. It changes to **Starting** when a worker claims the job, and then **Running** when the runbook actually starts running.

-4. When the runbook job completes, its output is displayed. In this case, you should see `Hello World`.

-5. Close the **Test** pane to return to the canvas.

-2. If you scroll left to view the runbook on the **Runbooks** page, you should see an **Authoring Status** of **Published**.

-3. Scroll back to the right to view the pane for **MyFirstRunbook-Python3**.

- The options across the top allow you to start the runbook, view the runbook, or schedule it to start at some time in the future.

-4. Select **Start** and then select **OK** when the **Start Runbook** pane opens.

-5. A **Job** pane is opened for the runbook job that you created. You can close this pane, but let's leave it open so that you can watch the job's progress.

-6. The job status is shown in **Job Summary** and matches the statuses that you saw when you tested the runbook.

-7. Once the runbook status shows **Completed**, select **Output**. The **Output** pane is opened, where you can see `Hello World`.

-8. Close the **Output** pane.

-9. Select **All Logs** to open the **Streams** pane for the runbook job. You should only see `Hello World` in the Output stream. However, this pane can show other streams for a runbook job, such as **Verbose** and **Error**, if the runbook writes to them.

-10. Close the **Streams** pane and the **Job** pane to return to the **MyFirstRunbook-Python3** pane.

-11. Select **Jobs** to open the **Jobs** page for this runbook. This page lists all jobs created by this runbook. You should only see one job listed since you only ran the job once.

-12. You can select this job to open the same **Job** pane that you viewed when you started the runbook. This pane allows you to go back in time and view the details of any job that was created for a particular runbook.

-You've tested and published your runbook, but so far it doesn't do anything useful. You want to have it manage Azure resources.

-To do this, the script has to authenticate using the Run As account credential from your Automation account.

-> The Automation account must have been created with the Run As account for there to be a Run As certificate.

-> If your Automation account was not created with the Run As account, you can authenticate as described in

-> [Authenticate with the Azure Management Libraries for Python](/azure/developer/python/sdk/authentication-overview) or [create a Run As account](../create-run-as-account.md).

-1. Open the textual editor by selecting **Edit** on the **MyFirstRunbook-Python3** pane.

- ```python

- import os

- from azure.mgmt.compute import ComputeManagementClient

- import azure.mgmt.resource

- import automationassets

-

- def get_automation_runas_credential(runas_connection):

- from OpenSSL import crypto

- import binascii

- from msrestazure import azure_active_directory

- import adal

-

- # Get the Azure Automation RunAs service principal certificate

- cert = automationassets.get_automation_certificate("AzureRunAsCertificate")

- pks12_cert = crypto.load_pkcs12(cert)

- pem_pkey = crypto.dump_privatekey(crypto.FILETYPE_PEM,pks12_cert.get_privatekey())

-

- # Get run as connection information for the Azure Automation service principal

- application_id = runas_connection["ApplicationId"]

- thumbprint = runas_connection["CertificateThumbprint"]

- tenant_id = runas_connection["TenantId"]

-

- # Authenticate with service principal certificate

- resource ="https://management.core.windows.net/"

- authority_url = ("https://login.microsoftonline.com/"+tenant_id)

- context = adal.AuthenticationContext(authority_url)

- return azure_active_directory.AdalAuthentication(

- lambda: context.acquire_token_with_client_certificate(

- resource,

- application_id,

- pem_pkey,

- thumbprint)

- )

-

- # Authenticate to Azure using the Azure Automation RunAs service principal

- runas_connection = automationassets.get_automation_connection("AzureRunAsConnection")

- azure_credential = get_automation_runas_credential(runas_connection)

- ```

-Use the compute client to start the VM. Add the following code to the runbook:

-# Initialize the compute management client with the Run As credential and specify the subscription to work against.

- str(runas_connection["SubscriptionId"])

-async_vm_start = compute_client.virtual_machines.start(

-This imports the `sys` module, and creates two variables to hold the resource group and VM names. Notice that the element of the argument list, `sys.argv[0]`, is the name of the script, and is not input by the user.

-async_vm_start = compute_client.virtual_machines.start(

-Arc resource bridge currently supports the following Azure regions:

-With passive geo-replication, the cache instances are typically located in different Azure regions, though that isn't required. One instance acts as the primary, and the other as the secondary. The primary handles read and write requests and propagates changes to the secondary.

-Failover is not automatic. For more information on how to use failover, see [Initiate a failover from geo-primary to geo-secondary (preview)](#initiate-a-failover-from-geo-primary-to-geo-secondary-preview).

-> Geo-replication is designed as a disaster-recovery solution.

-_Passive geo-replication_ is only available in the Premium tier of Azure Cache for Redis. The Enterprise and Enterprise Flash tiers also offer geo-replication, but those tiers use a more advanced version called _active geo-replication_.

-1. You can view the progress of the replication process using **Geo-replication** on the left.

- You can also view the linking status on the left, using **Overview**, for both the primary and secondary caches.

- Once the replication process is complete, the **Link status** changes to **Succeeded**.

-## Geo-primary URLs (preview)

-Once the caches are linked, URLs are generated that always point to the geo-primary cache. If a failover is initiated from the geo-primary to the geo-secondary, the URL remains the same, and the underlying DNS record is updated automatically to point to the new geo-primary.

-Four URLs are shown:

-The goal of the two geo-primary URLs is to make updating the cache address easier on the application side in the event of a failover. Changing the address of either linked cache from `redis.cache.windows.net` to `geo.redis.cache.windows.net` ensures that your application is always pointing to the geo-primary, even if a failover is triggered.

-The URLs for the current geo-primary and current geo-secondary cache are provided in case youΓÇÖd like to link directly to a cache resource without any automatic routing.

-## Initiate a failover from geo-primary to geo-secondary (preview)

-With one click, you can trigger a failover from the geo-primary to the geo-secondary.

-Yes, there are several metrics available to help track the status of the geo-replication. These metrics are available in the Azure portal.

-No, you can only link two caches together.

-In contrast, for clustered caches, we recommend using the metrics with the suffix `Instance Based`, Then, add a split or filter on `ShardId`. For example, to check the server load of shard 1, use the metric "Server Load (Instance Based)", then apply filter `ShardId = 1`.

- - This metric is only emitted **from the geo-primary** cache instance. On the geo-secondary instance, this metric has no value.

- - This metric reports zero most of the time because geo-replication uses partial resynchronizations for any new data added after the initial full synchronization.

- - This metric is only emitted **from the geo-secondary** cache instance. On the geo-primary instance, this metric has no value.

- - Depicts the start of full synchronization between geo-replicated caches. When there are a lot of writes in geo-primary, and replication between the two caches canΓÇÖt keep up, then a full sync is needed. A full sync involves copying the complete data from geo-primary to geo-secondary by taking an RDB snapshot rather than a partial sync that occurs on normal instances. See [this page](https://redis.io/docs/manual/replication/#how-redis-replication-works) for a more detailed explanation.

- - This metric reports zero most of the time because geo-replication uses partial resynchronizations for any new data added after the initial full synchronization.

- - This metric is only emitted **from the geo-secondary** cache instance. On the geo-primary instance, this metric has no value.

- - This metric is only available in the Premium tier for caches with geo-replication enabled.

- - This metric is only emitted **from the geo-secondary** cache instance. On the geo-primary instance, this metric has no value.

- - This metric is only available in the Premium tier for caches with geo-replication enabled.

- - A value of 0 does not mean that data on the geo-replica is lost. It just means that the link between geo-primary and geo-secondary is unhealthy.

-Once you've defined a metric, you can send it to a workbook. Workbooks provide a way to organize your metrics into groups that provide the information in coherent way.

-Using [Azure Functions](../../azure-functions/functions-overview.md) is a fast way to create such an HTTPS endpoint. The example below implements that pattern in a class called [AzureFunctionTokenProvider](https://fluidframework.com/docs/apis/azure-client/azurefunctiontokenprovider-class). It accepts the URL to your Azure Function, `userId` and`userName`.

-This example implementation below uses the [axios](https://www.npmjs.com/package/axios) library to make HTTP requests. You can use other libraries or approaches to making an HTTP request from server code.

-First, you'll need to download the sample app from GitHub. Open a new command window and navigate to the folder where you'd like to download the code and use Git to clone the [FluidHelloWorld repo](https://github.com/microsoft/FluidHelloWorld). The cloning process will create a subfolder named FluidHelloWorld with the project files in it.

-Public safety and justice agencies are under mounting pressure to keep communities safe, reduce crime, and improve responsiveness. Cloud computing is transforming the way law enforcement agencies approach their work. It is helping with intelligent policing awareness systems, body camera systems across the country/region, and day-to-day mobile police collaboration.

-> You are wholly responsible for ensuring your own compliance with all applicable laws and regulations. Information provided in this article does not constitute legal advice, and you should consult your legal advisor for any questions regarding regulatory compliance.

-The CJIS Security Policy v5.9.2 revised multi-factor authentication (MFA) requirements for CJI protection. MFA requires the use of two or more different factors defined as follows:

-1. Use the built-in rule association policies to [associate the generated data collection rules with virtual machines](./data-collection-rule-azure-monitor-agent.md#create-a-data-collection-rule) running the new agent.

-The alerts page summarizes all alert instances in all your Azure resources generated in the last 30 days. You can see all types of alerts from multiple subscriptions in a single pane. You can search for a specific alert and manage alert instances.

-There are a few ways to get to the alerts page:

- :::image type="content" source="media/alerts-managing-alert-instances/alerts-monitor-menu.png" alt-text="Screenshot of the alerts link on the Azure monitor menu. ":::

- :::image type="content" source="media/alerts-managing-alert-instances/alerts-resource-menu.png" alt-text="Screenshot of the alerts link on the menu of a resource in the Azure portal.":::

-## The alerts summary pane

-The alerts summary pane summarizes the alerts fired in the last 24 hours. You can filter the list of alert instances by **time range**, **subscription**, **alert condition**, **severity**, and more. If you navigated to the alerts page by selecting a specific alert severity, the list is pre-filtered for that severity.

-To see more details about a specific alert instance, select the alert instance to open the **Alert Details** page.

-

-## The alerts details page

-The **alerts details** page provides details about the selected alert.

-

-You can query your alerts instances to create custom views outside of the Azure portal, or to analyze your alerts to identify patterns and trends.

-We recommended that you use [Azure Resource Graphs](https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade) with the 'AlertsManagementResources' schema for managing alerts across multiple subscriptions. For a sample query, see [Azure Resource Graph sample queries for Azure Monitor](../resource-graph-samples.md).

-You can use Azure Resource Graphs:

-

-You can also use the [Alert Management REST API](/rest/api/monitor/alertsmanagement/alerts) for lower scale querying or to update fired alerts.

-description: Understanding the non-common alert schema definitions for Azure Monitor for Test Action group

-# Non-common alert schema definitions for Test Action Group (Preview)

-This article describes the non common alert schema definitions for Azure Monitor, including those for webhooks, Azure Logic Apps, Azure Functions, and Azure Automation runbooks.

-The non-common alert schema lets you customize the consumption experience for alert notifications in Azure today. Historically, the three alert types in Azure today (metric, log, and activity log) have had their own email templates, webhook schemas, etc.

-### Metric alerts - Static threshold

-### Metric alerts - Dynamic threshold

-#### `monitoringService` = `Log Alerts V1 ΓÇô Metric`

-#### `monitoringService` = `Log Alerts V1 - Numresults`

-#### `monitoringService` = `Activity Log - Administrative`

-#### `monitoringService` = `ServiceHealth`

-#### `monitoringService` = `Resource Health`

-#### `monitoringService` = `Actual Cost Budget` or `Forecasted Budget`

-# What are Azure Monitor Alerts?

-Alerts help you detect and address issues before users notice them by proactively notifying you when Azure Monitor data indicates that there may be a problem with your infrastructure or application.

-This diagram shows you how alerts work:

-An **alert rule** monitors your telemetry and captures a signal that indicates that something is happening on the specified resource. The alert rule captures the signal and checks to see if the signal meets the criteria of the condition. If the conditions are met, an alert is triggered, which initiates the associated action group and updates the state of the alert.

-

-If you're monitoring more than one resource, the condition is evaluated separately for each of the resources and alerts are fired for each resource separately.

-Once an alert is triggered, the alert is made up of:

- - Notification methods such as email, SMS, and push notifications.

- - Automation Runbooks

- - Azure functions

- - ITSM incidents

- - Logic Apps

- - Secure webhooks

- - Webhooks

- - Event hubs

-You can see all alert instances in all your Azure resources generated in the last 30 days on the **[Alerts page](alerts-page.md)** in the Azure portal.

-This table provides a brief description of each alert type.

-See [this article](alerts-types.md) for detailed information about each alert type and how to choose which alert type best suits your needs.

-|[Metric alerts](alerts-types.md#metric-alerts)|Metric alerts evaluate resource metrics at regular intervals. Metrics can be platform metrics, custom metrics, logs from Azure Monitor converted to metrics or Application Insights metrics. Metric alerts have several additional features, such as the ability to apply multiple conditions and dynamic thresholds.|

-|[Activity log alerts](alerts-types.md#activity-log-alerts)|Activity log alerts are triggered when a new activity log event occurs that matches defined conditions. **Resource Health** alerts and **Service Health** alerts are activity log alerts that report on your service and resource health.|

-|[Prometheus alerts (preview)](alerts-types.md#prometheus-alerts-preview)|Prometheus alerts are used for alerting on performance and health of Kubernetes clusters (including AKS). The alert rules are based on PromQL, which is an open source query language.|

-## Azure role-based access control (Azure RBAC) for alerts

-To create an alert rule, you need to have:

-These built-in Azure roles, supported at all Azure Resource Manager scopes, have permissions to and access alerts information and create alert rules:

-If the target action group or rule location is in a different scope than the two built-in roles, you need to create a user with the appropriate permissions.

-## Alerts and State

-You can configure whether log or metric alerts are stateful or stateless. Activity log alerts are stateless.

- - **Alert frequency of less than 5 minutes**: While the condition continues to be met, a notification is sent somewhere between one and six minutes.

- - **Alert frequency of more than 5 minutes**: While the condition continues to be met, a notification is sent between the configured frequency and double the frequency. For example, for an alert rule with a frequency of 15 minutes, a notification is sent somewhere between 15 to 30 minutes.

-For stateful alerts, the alert is considered resolved when:

-|Alert type |The alert is resolved when |

-|||

-|Metric alerts|The alert condition isn't met for three consecutive checks.|

-|Log alerts| A log alert is considered resolved when the condition isn't met for a specific time range. The time range differs based on the frequency of the alert:<ul> <li>**1 minute**: The alert condition isn't met for 10 minutes.</li> <li>**5-15 minutes**: The alert condition isn't met for three frequency periods.</li> <li>**15 minutes - 11 hours**: The alert condition isn't met for two frequency periods.</li> <li>**11 to 12 hours**: The alert condition isn't met for one frequency period.</li></ul>|

-When an alert is considered resolved, the alert rule sends out a resolved notification using webhooks or email, and the monitor state in the Azure portal is set to resolved.

-See the [Azure Monitor pricing page](https://azure.microsoft.com/pricing/details/monitor/) for information about pricing.

-description: This article shows you how to connect your ITSM products/services with Secure Webhook in Azure Monitor to centrally monitor and manage ITSM work items.

-Secure Webhook is an updated version of [IT Service Management Connector (ITSMC)](./itsmc-overview.md). Both versions allow you to create work items in an ITSM tool when Azure Monitor sends alerts. The functionality includes metric, log, and Activity Log alerts.

-* **Azure AD authentication**: Authentication occurs through Azure AD instead of username/password credentials.

-2. The alert payload is sent by a Secure Webhook action to the ITSM tool.

-3. The ITSM application checks with Azure AD if the alert is authorized to enter the ITSM tool.

-4. If the alert is authorized, the application:

-

- 2. Binds the ID of the configuration item (CI) to the customer management database (CMDB).

-

-* **Alerts resolved in the ITSM tool**: Metric alerts implement "fired" and "resolved" states. When the condition is met, the alert state is "fired." When condition is not met anymore, the alert state is "resolved." In ITSMC, alerts can't be resolved automatically. With Secure Webhook, the resolved state flows to the ITSM tool and so is updated automatically.

-* **[Common alert schema](./alerts-common-schema.md)**: In ITSMC, the schema of the alert payload differs based on the alert type. In Secure Webhook, there's a common schema for all alert types. This common schema contains the CI for all alert types. All alert types will be able to bind their CI with the CMDB.

-* [Create ITSM work items from Azure alerts](./itsmc-overview.md)

-description: This article shows you how to connect your ITSM products/services with ServiceNow on Secure Webhook in Azure Monitor.

-The following sections provide details about how to connect your ServiceNow product and Secure Webhook in Azure.

-* Azure AD is registered.

-* You have the supported version of The ServiceNow Event Management - ITOM (version New York or later).

-* [Application](https://store.servicenow.com/sn_appstore_store.do#!/store/application/ac4c9c57dbb1d090561b186c1396191a/2.2.0) installed on ServiceNow instance.

-1. Use the link https://(instance name).service-now.com/api/sn_em_connector/em/inbound_event?source=azuremonitor the URI for the secure Webhook definition.

-2. Follow the instructions according to the version:

-Standard tests are a single request test that is similar to the [URL ping test](monitor-web-app-availability.md) but more advanced. In addition to validating whether an endpoint is responding and measuring the performance, Standard tests also includes SSL certificate validity, proactive lifetime check, HTTP request verb (for example `GET`,`HEAD`,`POST`, etc.), custom headers, and custom data associated with your HTTP request.

-To create an availability test, you need use an existing Application Insights resource or [create an Application Insights resource](create-new-resource.md).

-> If you are currently using other availability tests, like URL ping tests, you may add Standard tests along side the others. If you would like to use Standard tests instead of one of your other tests, add a Standard test and delete your old test.

-To create a standard test:

-

- :::image type="content" source="./media/availability-standard-test/standard-test.png" alt-text="Screenshot of Availability pane with add standard test tab open." lightbox="./media/availability-standard-test/standard-test.png":::

-1. Input your test name, URL and other settings (explanation below), then select **Create**.

-|Setting | Explanation |

-|--|-|

-|**URL** | The URL can be any web page you want to test, but it must be visible from the public internet. The URL can include a query string. So, for example, you can exercise your database a little. If the URL resolves to a redirect, we follow it up to 10 redirects.|

-|**Parse dependent requests**| Test requests images, scripts, style files, and other files that are part of the web page under test. The recorded response time includes the time taken to get these files. The test fails if any of these resources can't be successfully downloaded within the timeout for the whole test. If the option isn't checked, the test only requests the file at the URL you specified. Enabling this option results in a stricter check. The test could fail for cases, which may not be noticeable when manually browsing the site. |

-|**Enable retries**| When the test fails, it's retried after a short interval. A failure is reported only if three successive attempts fail. Subsequent tests are then performed at the usual test frequency. Retry is temporarily suspended until the next success. This rule is applied independently at each test location. **We recommend this option**. On average, about 80% of failures disappear on retry.|

-| **SSL certificate validation test** | You can verify the SSL certificate on your website to make sure it's correctly installed, valid, trusted, and doesn't give any errors to any of your users. |

-| **Proactive lifetime check** | This setting enables you to define a set time period before your SSL certificate expires. Once it expires, your test will fail. |

-|**Test frequency**| Sets how often the test is run from each test location. With a default frequency of five minutes and five test locations, your site is tested on average every minute.|

-|**Test locations**| The places from where our servers send web requests to your URL. **Our minimum number of recommended test locations is five** to ensure that you can distinguish problems in your website from network issues. You can select up to 16 locations.|

-| **Custom headers** | Key value pairs that define the operating parameters. |

-| **HTTP request verb** | Indicate what action you would like to take with your request. |

-| **Request body** | Custom data associated with your HTTP request. You can upload your own files, type in your content, or disable this feature. |

-|Setting| Explanation|

-| **Test timeout** |Decrease this value to be alerted about slow responses. The test is counted as a failure if the responses from your site haven't been received within this period. If you selected **Parse dependent requests**, then all the images, style files, scripts, and other dependent resources must have been received within this period.|

-| **HTTP response** | The returned status code that is counted as a success. 200 is the code that indicates that a normal web page has been returned.|

-| **Content match** | A string, like "Welcome!" We test that an exact case-sensitive match occurs in every response. It must be a plain string, without wildcards. Don't forget that if your page content changes you might have to update it. **Only English characters are supported with content match** |

-|Setting| Explanation|

-|**Near-realtime** | We recommend using Near-realtime alerts. Configuring this type of alert is done after your availability test is created. |

-The following population tags can be used for the geo-location attribute when deploying an availability URL ping test using Azure Resource Manager.

-| Display Name | Population Name |

-| Display Name | Population Name |

-| Display Name | Population Name |

-Availability test results can be visualized with both line and scatter plot views.

-The scatterplot view shows samples of the test results that have diagnostic test-step detail in them. The test engine stores diagnostic detail for tests that have failures. For successful tests, diagnostic details are stored for a subset of the executions. Hover over any of the green/red dots to see the test, test name, and location.

-Select a particular test, location, or reduce the time period to see more results around the time period of interest. Use Search Explorer to see results from all executions, or use Analytics queries to run custom reports on this data.

-To edit, temporarily disable, or delete a test, select the ellipses next to a test name. It may take up to 20 minutes for configuration changes to propagate to all test agents after a change is made.

-* Review the troubleshooting report to determine what may have caused your test to fail but your application is still available.

-To learn more about the end to end transaction diagnostics experience, visit the [transaction diagnostics documentation](./transaction-diagnostics.md).

-Select on the exception row to see the details of the server-side exception that caused the synthetic availability test to fail. You can also get the [debug snapshot](./snapshot-debugger.md) for richer code level diagnostics.

-In addition to the raw results, you can also view two key Availability metrics in [Metrics Explorer](../essentials/metrics-getting-started.md):

-* Availability: Percentage of the tests that were successful, across all test executions.

-* Test Duration: Average test duration across all test executions.

-* [Availability Alerts](availability-alerts.md)

-* [Web Tests Azure Resource Manager template](/azure/templates/microsoft.insights/webtests?tabs=json)

-Application Insights now supports [Azure Active Directory (Azure AD) authentication](../../active-directory/authentication/overview-authentication.md#what-is-azure-active-directory-authentication). By using Azure AD, you can ensure that only authenticated telemetry is ingested in your Application Insights resources.

-Using various authentication systems can be cumbersome and risky because it's difficult to manage credentials at scale. You can now choose to [opt-out of local authentication](#disable-local-authentication) to ensure only telemetry exclusively authenticated using [Managed Identities](../../active-directory/managed-identities-azure-resources/overview.md) and [Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md) is ingested in your resource. This feature is a step to enhance the security and reliability of the telemetry used to make both critical operational ([alerting](../alerts/alerts-overview.md#what-are-azure-monitor-alerts), [autoscale](../autoscale/autoscale-overview.md#overview-of-autoscale-in-microsoft-azure), etc.) and business decisions.

-The following are prerequisites to enable Azure AD authenticated ingestion.

- - [Managed identity](../../active-directory/managed-identities-azure-resources/overview.md).

- - [Assigning Azure roles](../../role-based-access-control/role-assignments-portal.md).

-The following SDK's and features are unsupported for use with Azure AD authenticated ingestion.

- Azure AD authentication is only available for Application Insights Java Agent >=3.2.0.

-## Configuring and enabling Azure AD based authentication

-1. Create an identity, if you already don't have one, using either managed identity or service principal:

- 1. Using managed identity (Recommended):

- [Setup a managed identity for your Azure Service](../../active-directory/managed-identities-azure-resources/services-support-managed-identities.md) (VM, App Service etc.).

- 1. Using service principal (Not Recommended):

-1. Assign role to the Azure Service.

- Follow the steps in [Assign Azure roles](../../role-based-access-control/role-assignments-portal.md) to add the "Monitoring Metrics Publisher" role from the target Application Insights resource to the Azure resource from which the telemetry is sent.

- > Although role "Monitoring Metrics Publisher" says metrics, it will publish all telemetry to the App Insights resource.

-1. Follow the configuration guidance per language below.

- - For user-assigned, provide the clientId to the constructor.

- - Provide the tenantId, clientId, and clientSecret to the constructor.

-Below is an example of manually creating and configuring a `TelemetryConfiguration` using .NET:

-Below is an example of configuring the `TelemetryConfiguration` using .NET Core:

-

-> Support for Azure AD in the Application Insights Java agent is included starting with [Java 3.2.0-BETA](https://github.com/microsoft/ApplicationInsights-Java/releases/tag/3.2.0-BETA).

-1. [Configure your application with the Java agent.](java-in-process-agent.md#get-started)

- > Use the full connection string which includes "IngestionEndpoint" while configuring your app with Java agent. For example `InstrumentationKey=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX;IngestionEndpoint=https://XXXX.applicationinsights.azure.com/`.

- > [!NOTE]

- > For more information about migrating from 2.X SDK to 3.X Java agent, see [Upgrading from Application Insights Java 2.x SDK](java-standalone-upgrade-from-2x.md).

-1. Add the json configuration to ApplicationInsights.json configuration file depending on the authentication being used by you. We recommend users to use managed identities.

-#### System-assigned Managed Identity

-Below is an example of how to configure Java agent to use system-assigned managed identity for authentication with Azure AD.

-Below is an example of how to configure Java agent to use user-assigned managed identity for authentication with Azure AD.

-Below is an example of how to configure Java agent to use service principal for authentication with Azure AD. We recommend users to use this type of authentication only during development. The ultimate goal of adding authentication feature is to eliminate secrets.

-> Azure AD authentication is only available for Python v2.7, v3.6 and v3.7. Support for Azure AD in the Application Insights Opencensus Python SDK

-Construct the appropriate [credentials](/python/api/overview/azure/identity-readme#credentials) and pass it into the constructor of the Azure Monitor exporter. Make sure your connection string is set up with the instrumentation key and ingestion endpoint of your resource.

-Below are the following types of authentication that are supported by the `Opencensus` Azure Monitor exporters. Managed identities are recommended in production environments.

-After the Azure AD authentication is enabled, you can choose to disable local authentication. This configuration will allow you to ingest telemetry authenticated exclusively by Azure AD and impacts data access (for example, through API Keys).

-You can disable local authentication by using the Azure portal, Azure Policy, or programmatically.

-1. From your Application Insights resource, select **Properties** under the *Configure* heading in the left-hand menu. Then select **Enabled (click to change)** if the local authentication is enabled.

- :::image type="content" source="./media/azure-ad-authentication/enabled.png" alt-text="Screenshot of Properties under the *Configure* selected and enabled (select to change) local authentication button.":::

- :::image type="content" source="./media/azure-ad-authentication/disable.png" alt-text="Screenshot of local authentication with the enabled/disabled button highlighted.":::

-1. Once your resource has disabled local authentication, you'll see the corresponding info in the **Overview** pane.

- :::image type="content" source="./media/azure-ad-authentication/overview.png" alt-text="Screenshot of overview tab with the disabled (select to change) highlighted.":::

-### Azure Policy

-Azure Policy for 'DisableLocalAuth' will deny from users to create a new Application Insights resource without this property setting to 'true'. The policy name is 'Application Insights components should block non-AAD auth ingestion'.

-Below is the policy template definition:

-### Programmatic enablement

-Property `DisableLocalAuth` is used to disable any local authentication on your Application Insights resource. When set to `true`, this property enforces that Azure AD authentication must be used for all access.

-Below is an example Azure Resource Manager template that you can use to create a workspace-based Application Insights resource with local auth disabled.

-```JSON

-This section provides distinct troubleshooting scenarios and steps that users can take to resolve any issue before they raise a support ticket.

-The ingestion service will return specific errors, regardless of the SDK language. Network traffic can be collected using a tool such as Fiddler. You should filter traffic to the IngestionEndpoint set in the Connection String.

-#### HTTP/1.1 400 Authentication not supported

-This error indicates that the resource has been configured for Azure AD only. The SDK hasn't been correctly configured and is sending to the incorrect API.

-> "v2/track" does not support Azure AD. When the SDK is correctly configured, telemetry will be sent to "v2.1/track".

-Next steps should be to review the SDK configuration.

-This error indicates that the SDK has been correctly configured, but was unable to acquire a valid token. This error may indicate an issue with Azure Active Directory.

-Next steps should be to identify exceptions in the SDK logs or network errors from Azure Identity.

-#### HTTP/1.1 403 Unauthorized

-This error indicates that the SDK has been configured with credentials that haven't been given permission to the Application Insights resource or subscription.

-Next steps should be to review the Application Insights resource's access control. The SDK must be configured with a credential that has been granted the "Monitoring Metrics Publisher" role.

-### Language specific troubleshooting

-#### Event Source

-The Application Insights .NET SDK emits error logs using event source. To learn more about collecting event source logs visit, [Troubleshooting no data- collect logs with PerfView](asp-net-troubleshoot-no-data.md#PerfView).

-If the SDK fails to get a token, the exception message is logged as:

-`Failed to get AAD Token. Error message: `

-Internal logs could be turned on using the following setup. Once enabled, error logs will be shown in the console including any error related to Azure AD integration. For example, failure to generate the token when wrong credentials are supplied or errors when ingestion endpoint fails to authenticate using the provided credentials.

-You can inspect network traffic using a tool like Fiddler. To enable the traffic to tunnel through fiddler either add the following proxy settings in configuration file:

-Or add following jvm args while running your application:`-Djava.net.useSystemProxies=true -Dhttps.proxyHost=localhost -Dhttps.proxyPort=8888`

-If Azure AD is enabled in the agent, outbound traffic will include the HTTP Header "Authorization".

-#### 401 Unauthorized

-If the following WARN message is seen in the log file `WARN c.m.a.TelemetryChannel - Failed to send telemetry with status code: 401, please check your credentials`, it indicates the agent wasn't successful in sending telemetry. You've probably not enabled Azure AD authentication on the agent, but your Application Insights resource is configured with `DisableLocalAuth: true`. Make sure you're passing in a valid credential and that it has permission to access your Application Insights resource.

-If using fiddler, you might see the following response header: `HTTP/1.1 401 Unauthorized - please provide the valid authorization token`.

-If the following exception is seen in the log file `com.azure.identity.CredentialUnavailableException: ManagedIdentityCredential authentication unavailable. Connection to IMDS endpoint cannot be established`, it indicates the agent wasn't successful in acquiring the access token. The probable reason might be you've provided invalid `clientId` in your User Assigned Managed Identity configuration

-If the following WARN message is seen in the log file, `WARN c.m.a.TelemetryChannel - Failed to send telemetry with status code: 403, please check your credentials`, it indicates the agent wasn't successful in sending telemetry. This warning might be because of the provided credentials don't grant the access to ingest the telemetry into the component

-If using fiddler, you might see the following response header: `HTTP/1.1 403 Forbidden - provided credentials do not grant the access to ingest the telemetry into the component`.

-Root cause might be one of the following reasons:

-#### Invalid TenantId

-If the following exception is seen in the log file `com.microsoft.aad.msal4j.MsalServiceException: Specified tenant identifier <TENANT-ID> is neither a valid DNS name, nor a valid external domain.`, it indicates the agent wasn't successful in acquiring the access token. The probable reason might be you've provided invalid/wrong `tenantId` in your client secret configuration.

-If the following exception is seen in the log file `com.microsoft.aad.msal4j.MsalServiceException: Invalid client secret is provided`, it indicates the agent wasn't successful in acquiring the access token. The probable reason might be you've provided invalid `clientSecret` in your client secret configuration.

-#### Invalid ClientId

-If the following exception is seen in the log file `com.microsoft.aad.msal4j.MsalServiceException: Application with identifier <CLIENT_ID> was not found in the directory`, it indicates the agent wasn't successful in acquiring the access token. The probable reason might be you've provided invalid/wrong "clientId" in your client secret configuration

- This scenario can occur if the application hasn't been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

-Something is incorrect about the credential you're using and the client isn't able to obtain a token for authorization. It's due to lacking the required data for the state. An example would be passing in a system ManagedIdentityCredential but the resource isn't configured to use system-managed identity.

-Client failed to authenticate with the given credential. Usually occurs when the credential used doesn't have correct role assignments.

-Usually occurs when the provided credentials don't grant access to ingest telemetry for the Application Insights resource. Make sure your AI resource has the correct role assignments.

-* [Monitor your telemetry in the portal](overview-dashboard.md).

-* [Diagnose with Live Metrics Stream](live-stream.md).

-description: Application Insights data model for request telemetry

-A request telemetry item (in [Application Insights](./app-insights-overview.md)) represents the logical sequence of execution triggered by an external request to your application. Every request execution is identified by unique `ID` and `url` containing all the execution parameters. You can group requests by logical `name` and define the `source` of this request. Code execution can result in `success` or `fail` and has a certain `duration`. Both success and failure executions may be grouped further by `resultCode`. Start time for the request telemetry defined on the envelope level.

-Request telemetry supports the standard extensibility model using custom `properties` and `measurements`.

-Name of the request represents code path taken to process the request. Low cardinality value to allow better grouping of requests. For HTTP requests it represents the HTTP method and URL path template like `GET /values/{id}` without the actual `id` value.

-Application Insights web SDK sends request name "as is" with regards to letter case. Grouping on UI is case-sensitive so `GET /Home/Index` is counted separately from `GET /home/INDEX` even though often they result in the same controller and action execution. The reason for that is that urls in general are [case-sensitive](https://www.w3.org/TR/WD-html40-970708/htmlweb.html). You may want to see if all `404` happened for the urls typed in uppercase. You can read more on request name collection by ASP.NET Web SDK in the [blog post](https://apmtips.com/posts/2015-02-23-request-name-and-url/).

-Max length: 1024 characters

-Identifier of a request call instance. Used for correlation between request and other telemetry items. ID should be globally unique. For more information, see [correlation](./correlation.md) page.

-Max length: 128 characters

-## Url

-Request URL with all query string parameters.

-Max length: 2048 characters

-Source of the request. Examples are the instrumentation key of the caller or the ip address of the caller. For more information, see [correlation](./correlation.md) page.

-Max length: 1024 characters

-Request duration in format: `DD.HH:MM:SS.MMMMMM`. Must be positive and less than `1000` days. This field is required as request telemetry represents the operation with the beginning and the end.

-Result of a request execution. HTTP status code for HTTP requests. It may be `HRESULT` value or exception type for other request types.

-Max length: 1024 characters

-Indication of successful or unsuccessful call. This field is required. When not set explicitly to `false` - a request is considered to be successful. Set this value to `false` if operation was interrupted by exception or returned error result code.

-For the web applications, Application Insights define a request as successful when the response code is less than `400` or equal to `401`. However there are cases when this default mapping does not match the semantic of the application. Response code `404` may indicate "no records", which can be part of regular flow. It also may indicate a broken link. For the broken links, you can even implement more advanced logic. You can mark broken links as failures only when those links are located on the same site by analyzing url referrer. Or mark them as failures when accessed from the company's mobile application. Similarly `301` and `302` indicates failure when accessed from the client that doesn't support redirect.

-Partially accepted content `206` may indicate a failure of an overall request. For instance, Application Insights endpoint receives a batch of telemetry items as a single request. It returns `206` when some items in the batch were not processed successfully. Increasing rate of `206` indicates a problem that needs to be investigated. Similar logic applies to `207` Multi-Status where the success may be the worst of separate response codes.

-You can read more on request result code and status code in the [blog post](https://apmtips.com/posts/2016-12-03-request-success-and-response-code/).

-description: Tutorial to find and diagnose run-time exceptions in your application using Azure Application Insights.

-# Find and diagnose run-time exceptions with Azure Application Insights

-Azure Application Insights collects telemetry from your application to help identify and diagnose run-time exceptions. This tutorial takes you through this process with your application. You learn how to:

-> * Modify your project to enable exception tracking

-> * Identify exceptions for different components of your application

-> * View details of an exception

-> * Download a snapshot of the exception to Visual Studio for debugging

-> * Analyze details of failed requests using query language

-> * Create a new work item to correct the faulty code

-## Log in to Azure

-Log in to the Azure portal at [https://portal.azure.com](https://portal.azure.com).

-Application Insights collects any failures in your application and lets you view their frequency across different operations to help you focus your efforts on those with the highest impact. You can then drill down on details of these failures to identify root cause.

-1. Select **Application Insights** and then your subscription.

-2. To open the **Failures** panel either select **Failures** under the **Investigate** menu or click the **Failed requests** graph.

- 

-3. The **Failed requests** panel shows the count of failed requests and the number of users affected for each operation for the application. By sorting this information by user you can identify those failures that most impact users. In this example, the **GET Employees/Create** and **GET Customers/Details** are likely candidates to investigate because of their large number of failures and impacted users. Selecting an operation shows further information about this operation in the right panel.

- 

-4. Reduce the time window to zoom in on the period where the failure rate shows a spike.

- 

-5. See the related samples by clicking on the button with the number of filtered results. The "suggested" samples have related telemetry from all components, even if sampling may have been in effect in any of them. Click on a search result to see the details of the failure.

- 

-6. The details of the failed request shows the Gantt chart which shows that there were two dependency failures in this transaction, which also attributed to over 50% of the total duration of the transaction. This experience presents all telemetry, across components of a distributed application that are related to this operation ID. [Learn more about the new experience](../app/transaction-diagnostics.md). You can select any of the items to see its details on the right side.

- 

-7. The operations detail also shows a FormatException which appears to have caused the failure. You can see that it's due to an invalid zip code. You can open the debug snapshot to see code level debug information in Visual Studio.

- 

-The Snapshot Debugger collects snapshots of the most frequent exceptions in your application to assist you in diagnosing its root cause in production. You can view debug snapshots in the portal to see the call stack and inspect variables at each call stack frame. Afterwards, you have the option to debug the source code by downloading the snapshot and opening it in Visual Studio 2019 Enterprise.

-1. In the properties of the exception, click **Open debug snapshot**.

-2. The **Debug Snapshot** panel opens with the call stack for the request. Click any method to view the values of all local variables at the time of the request. Starting from the top method in this example, we can see local variables that have no value.

- 

-3. The first call that has valid values is **ValidZipCode**, and we can see that a zip code was provided with letters that isn't able to be translated into an integer. This appears to be the error in the code that needs to be corrected.

- 

-4. You then have the option to download this snapshot into Visual Studio where we can locate the actual code that needs to be corrected. To do so, click **Download Snapshot**.

-5. The snapshot is loaded into Visual Studio.

-6. You can now run a debug session in Visual Studio Enterprise that quickly identifies the line of code that caused the exception.

- 

-All data collected by Application Insights is stored in Azure Log Analytics, which provides a rich query language that allows you to analyze the data in a variety of ways. We can use this data to analyze the requests that generated the exception we're researching.

-1. Click the CodeLens information above the code to view telemetry provided by Application Insights.

- 

-1. Click **Analyze impact** to open Application Insights Analytics. It's populated with several queries that provide details on failed requests such as impacted users, browsers, and regions.<br><br><br>

-## Add work item

-If you connect Application Insights to a tracking system such as Azure DevOps or GitHub, you can create a work item directly from Application Insights.

-1. Return to the **Exception Properties** panel in Application Insights.

-2. Click **New Work Item**.

-3. The **New Work Item** panel opens with details about the exception already populated. You can add any additional information before saving it.

- 

-Now that you've learned how to identify run-time exceptions, advance to the next tutorial to learn how to identify and diagnose performance issues.

-description: Web app performance analysis and diagnostics during debugging and in production.

-# Debug your applications with Azure Application Insights in Visual Studio

-In Visual Studio (2015 and later), you can analyze performance and diagnose issues in your ASP.NET web app both in debugging and in production, using telemetry from [Azure Application Insights](./app-insights-overview.md).

-If you created your ASP.NET web app using Visual Studio 2017 or later, it already has the Application Insights SDK. Otherwise, if you haven't done so already, [add Application Insights to your app](./asp-net.md).

-To monitor your app when it's in live production, you normally view the Application Insights telemetry in the [Azure portal](https://portal.azure.com), where you can set alerts and apply powerful monitoring tools. But for debugging, you can also search and analyze the telemetry in Visual Studio. You can use Visual Studio to analyze telemetry both from your production site and from debugging runs on your development machine. In the latter case, you can analyze debugging runs even if you haven't yet configured the SDK to send telemetry to the Azure portal.

-In Visual Studio, you see a count of the events that have been logged by the Application Insights module in your project.

-

-Click this button to search your telemetry.

-## Application Insights search

-The Application Insights Search window shows events that have been logged. (If you signed in to Azure when you set up Application Insights, you can search the same events in the Azure portal.)

-

-> [!NOTE]

-> After you select or deselect filters, click the Search button at the end of the text search field.

-The free text search works on any fields in the events. For example, search for part of the URL of a page; or the value of a property such as client city; or specific words in a trace log.

-Click any event to see its detailed properties.

-

-

-Exception reports show in the Search window. (In some older types of ASP.NET application, you have to [set up exception monitoring](./asp-net-exceptions.md) to see exceptions that are handled by the framework.)

-Click an exception to get a stack trace. If the code of the app is open in Visual Studio, you can click through from the stack trace to the relevant line of the code.

-

-In the Code Lens line above each handler method, you see a count of the requests and exceptions logged by Application Insights in the past 24 h.

-

-> [!NOTE]

-> Code Lens shows Application Insights data only if you have [configured your app to send telemetry to the Application Insights portal](./asp-net.md).

-[More about Application Insights in Code Lens](./visual-studio-codelens.md)

-(From Visual Studio 2015 Update 2) If you haven't configured the SDK to send telemetry to the Application Insights portal (so that there is no instrumentation key in ApplicationInsights.config) then the diagnostics window displays telemetry from your latest debugging session.

-This is desirable if you have already published a previous version of your app. You don't want the telemetry from your debugging sessions to be mixed up with the telemetry on the Application Insights portal from the published app.

-It's also useful if you have some [custom telemetry](./api-custom-events-metrics.md) that you want to debug before sending telemetry to the portal.

-* *At first, I fully configured Application Insights to send telemetry to the portal. But now I'd like to see the telemetry only in Visual Studio.*

-

- * In the Search window's Settings, there's an option to search local diagnostics even if your app sends telemetry to the portal.

- * **[Working with the Application Insights portal](./overview-dashboard.md)**. View dashboards, powerful diagnostic and analytic tools, alerts, a live dependency map of your application, and exported telemetry data.

- You can't grant access to individual custom log tables, but you can grant access to all custom logs. To create a role with access to all custom log tables, create a custom role by using the following actions:

-1. [Configure and enable Azure AD](../app/azure-ad-authentication.md?tabs=net#configuring-and-enabling-azure-ad-based-authentication) in your Application Insights resource.

-1. Configure and turn on Azure AD in your Application Insights resource. For more information, see the following [documentation](../app/azure-ad-authentication.md?tabs=net#configuring-and-enabling-azure-ad-based-authentication)

-When connecting **production** Azure VMware Solution private clouds to an Azure virtual network, an ExpressRoute virtual network gateway with the Ultra Performance Gateway SKU should be used with FastPath enabled to achieve 10Gbps connectivity. Less critical environments can use the Standard or High Performance Gateway SKUs for slower network performance.

-When you register an existing SAP system as a VIS, Azure Center for SAP solutions service needs a **User-assigned managed identity** which has **Virtual Machine Contributor** role access to the Compute resource groups and **Reader** role access to the Network resource groups of the SAP system. Before you register an SAP system with Azure Center for SAP solutions, either [create a new user-assigned managed identity or update role access for an existing managed identity](#setup-user-assigned-managed-identity).

-1. [Assign **Virtual Machine Contributor** role access](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md#manage-access-to-user-assigned-managed-identities) to the user-assigned managed identity on the resource group(s) which have the Virtual Machines of the SAP system and **Reader** role on the resource group(s) which have the Network components on the SAP system resources exist.

- 1. For **Managed identity name**, select a **User-assigned managed identity** which has **Virtual Machine Contributor** and **Reader** role access to the [respective resources of this SAP system.](#enable-resource-permissions)

-Different Azure OpenAI embedding models are specifically created to be good at a particular task. **Similarity embeddings** are good at capturing semantic similarity between two or more pieces of text. **Text search embeddings** help measure long documents are relevant to a short query. **Code search embeddings** are useful for embedding code snippets and embedding nature language search queries.

-Learn more about using Azure OpenAI and embeddings to perform document search with our [embeddings tutorial](../tutorials/embeddings.md).

-Microsoft Teams handles security using a combination of technologies and processes to mitigate common security threats and provide a secure collaboration environment. Teams implement multiple layers of security, including data encryption in transit and at rest, secure real-time communication through Microsoft's global network, and two-factor authentication for added protection. The security framework for Teams is built on the Microsoft Security Development Lifecycle (SDL), a comprehensive and standardized approach to software security covering all stages of development. Teams also undergo regular security assessments and audits to ensure that the platform meets industry standards for security and privacy. Additionally, Teams integrates with Microsoft's suite of security products and services, such as Azure Active Directory, to provide customers with a comprehensive security solution. You can learn here more about [security in Microsoft Teams](/microsoftteams/teams-security-guide.md).

-| [Who can present in meetings](/microsoftteams/meeting-policies-in-teams-general#designated-presenter-role-mode) | per-user | Controls who in the Teams meeting can share screen | ❌ |

-Microsoft Teams handles security using a combination of technologies and processes to mitigate common security threats and provide a secure collaboration environment. Teams implement multiple layers of security, including data encryption in transit and at rest, secure real-time communication through Microsoft's global network, and two-factor authentication for added protection. The security framework for Teams is built on the Microsoft Security Development Lifecycle (SDL), a comprehensive and standardized approach to software security covering all stages of development. Teams also undergo regular security assessments and audits to ensure that the platform meets industry standards for security and privacy. Additionally, Teams integrates with Microsoft's suite of security products and services, such as Azure Active Directory, to provide customers with a comprehensive security solution. You can learn here more about [security in Microsoft Teams](/microsoftteams/teams-security-guide.md).

-Azure Active Directory provides a range of security features for Microsoft Teams to help handle common security threats and provide a secure collaboration environment. Azure AD helps to secure user authentication and authorization, allowing administrators to manage user access to Teams and other applications through a single, centralized platform. Azure AD also integrates with Teams to provide multi-factor authentication and conditional access policies, which can be used to enforce security policies and control access to sensitive information. The security framework for Azure Active Directory is based on the Microsoft Security Development Lifecycle (SDL), a comprehensive and standardized approach to software security that covers all stages of development. Azure AD undergoes regular security assessments and audits to ensure that the platform meets industry standards for security and privacy. Additionally, Azure AD integrates with other Azure security services, such as Azure Information Protection, to provide customers with a comprehensive security solution. You can learn here more about [Azure identity management security](/azure/security/fundamentals/identity-management-overview.md).

-Azure Communication Calling SDK can be used to add Enhanced 911 dialing and Public Safety Answering Point (PSAP) call-back support to your applications in the United States (US) & Puerto Rico. The capability to dial 911 and receive a call-back may be a requirement for your application. Verify the E911 requirements with your legal counsel.

-Calls to 911 are routed over the Microsoft network. Microsoft assigns a temporary phone number as the Call Line Identity (CLI) when 911 calls from the US & Puerto Rico are placed. Microsoft temporarily maintains a mapping of the phone number to the caller's identity. If there's a call-back from the PSAP, we route the call directly to the originating 911 caller. The caller can accept incoming PSAP call even if inbound calling is disabled.

-The service is available for Microsoft phone numbers. It requires that the Azure resource from where the 911 call originates has a Microsoft-issued phone number enabled with outbound dialing (also referred to as ΓÇÿmake calls').

-Azure Communication Services direct routing is currently in public preview and not intended for production workloads. So E911 dialing is out of scope for Azure Communication Services direct routing.

-1. An Azure Communication Services user identity dials 911 using the Calling SDK from the USA or Puerto Rico

-1. Microsoft Azure Communication Services 911 service replaces the userΓÇÖs phone number `alternateCallerId` with a temporary unique phone number. This number allocation remains in place for at least 60 minutes from the time that 911 is first dialed

-1. The 911 call will be first routed to a call center where an agent will request the callerΓÇÖs address

-1. The call center will then route the call to the appropriate PSAP in the USA or Puerto Rico

-1. If the 911 call is unexpectedly dropped, the PSAP then makes a call-back to the user

-1. On receiving the call-back within 60 minutes, Microsoft will route the inbound call directly to the user identity, which initiated the 911 call

-Emergency dialing is automatically enabled for all users of the Azure Communication Client Calling SDK with an acquired Microsoft telephone number that is enabled for outbound dialing in the Azure resource. To use E911 with Microsoft phone numbers, follow the steps:

- 1. Microsoft supports a country US and Puerto Rico ISO codes for 911 dialing

- 1. If the IP address can't provide reliable geo-location, for example the user is on a Virtual Private Network, it's required to set the ISO Code of the calling country using the API in the Azure Communication Services Calling SDK. See example in the E911 quick start

- 1. If the caller is outside of the US and Puerto Rico, the call to 911 won't be permitted

-1. When testing your application dial 933 instead of 911. 933 is enabled for testing purposes; the recorded message will confirm the phone number the emergency call originates from. You should hear a temporary number assigned by Microsoft, which isn't the `alternateCallerId` provided by the application

-1. Ensure your application supports [receiving an incoming call](../../how-tos/calling-sdk/manage-calls.md#receive-an-incoming-call) so call-backs from the PSAP are appropriately routed to the originator of the 911 call. To test inbound calling is working correctly, place inbound VoIP calls to the user of the Calling SDK

-Use the flowlet transformation to run a previously create mapping data flow flowlet. For an overview of flowlets see [Flowlets in mapping data flow | Microsoft Docs](concepts-data-flow-flowlet.md)

-### PowerShell-based rules

-Information about the PowerShell-based rules included by our integration with [PSRule for Azure](https://aka.ms/ps-rule-azure/rules). The tool will only evaluate the rules under the [Security pillar](https://azure.github.io/PSRule.Rules.Azure/en/rules/module/#security) unless the option `--include-non-security-rules` is used.

-> [!NOTE]

-> PowerShell-based rules are included by our integration with [PSRule for Azure](https://aka.ms/ps-rule-azure/rules). The tool will evaluate all rules under the [Security pillar](https://azure.github.io/PSRule.Rules.Azure/en/rules/module/#security).

-### JSON-Based Rules:

-JSON-based rules for ARM templates and bicep files are provided by [Template-Analyzer](https://github.com/Azure/template-analyzer#template-best-practice-analyzer-bpa). Below are details on template-analyzer's rules and remediation details.

-> [!NOTE]

-> Severity levels are scaled from 1 to 3. Where 1 = High, 2 = Medium, 3 = Low.

-#### TA-000001: Diagnostic logs in App Services should be enabled

-Audits the enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.

-**Recommendation**: To [enable diagnostic logging](../app-service/troubleshoot-diagnostic-logs.md), in the [Microsoft.Web/sites/config resource properties](/azure/templates/microsoft.web/sites/config-web?tabs=json), add (or update) the *detailedErrorLoggingEnabled*, *httpLoggingEnabled*, and *requestTracingEnabled* properties, setting their values to `true`.

-**Severity level**: 2

-#### TA-000002: Remote debugging should be turned off for API Apps

-Remote debugging requires inbound ports to be opened on an API app. These ports become easy targets for compromise from various internet-based attacks. If you no longer need to use remote debugging, it should be turned off.

-**Recommendation**: To disable remote debugging, in the [Microsoft.Web/sites/config resource properties](/azure/templates/microsoft.web/sites/config-web?tabs=json#SiteConfig), remove the *remoteDebuggingEnabled* property or update its value to `false`.

-**Severity level**: 3

-#### TA-000003: FTPS only should be required in your API App

-Enable FTPS enforcement for enhanced security.

-**Recommendation**: To [enforce FTPS](../app-service/deploy-ftp.md?tabs=portal#enforce-ftps) in the [Microsoft.Web/sites/config resource properties](/azure/templates/microsoft.web/sites/config-web?tabs=json#SiteConfig), add (or update) the *ftpsState* property, setting its value to `"FtpsOnly"` or `"Disabled"` if you don't need FTPS enabled.

-**Severity level**: 1

-#### TA-000004: API App Should Only Be Accessible Over HTTPS

-API apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks.

-**Recommendation**: To [use HTTPS to ensure, server/service authentication and protect data in transit from network layer eavesdropping attacks](../app-service/configure-ssl-bindings.md#enforce-https) in the [Microsoft.Web/Sites resource properties](/azure/templates/microsoft.web/sites?tabs=json#siteproperties-object), add (or update) the *httpsOnly* property, setting its value to `true`.

-**Severity level**: 2

-#### TA-000005: Latest TLS version should be used in your API App

-API apps should require the latest TLS version.

-**Recommendation**: To [enforce the latest TLS version](../app-service/configure-ssl-bindings.md#enforce-tls-versions) in the [Microsoft.Web/sites/config resource properties](/azure/templates/microsoft.web/sites/config-web?tabs=json#SiteConfig), add (or update) the *minTlsVersion* property, setting its value to `1.2`.

-**Severity level**: 1

-#### TA-000006: CORS shouldn't allow every resource to access your API App

-Cross-Origin Resource Sharing (CORS) shouldn't allow all domains to access your API app. Allow only required domains to interact with your API app.

-**Recommendation**: To allow only required domains to interact with your API app, in the [Microsoft.Web/sites/config resource cors settings object](/azure/templates/microsoft.web/sites/config-web?tabs=json#corssettings-object), add (or update) the *allowedOrigins* property, setting its value to an array of allowed origins. Ensure it isn't* set to "*" (asterisks allows all origins).

-**Severity level**: 3

-#### TA-000007: Managed identity should be used in your API App

-For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.

-**Recommendation**: To [use Managed Identity](../app-service/overview-managed-identity.md?tabs=dotnet), in the [Microsoft.Web/sites resource managed identity property](/azure/templates/microsoft.web/sites?tabs=json#ManagedServiceIdentity), add (or update) the *type* property, setting its value to `"SystemAssigned"` or `"UserAssigned"` and providing any necessary identifiers for the identity if necessary.

-**Severity level**: 2

-#### TA-000008: Remote debugging should be turned off for Function Apps

-Remote debugging requires inbound ports to be opened on a function app. These ports become easy targets for compromise from various internet-based attacks. If you no longer need to use remote debugging, it should be turned off.

-**Recommendation**: To disable remote debugging, in the [Microsoft.Web/sites/config resource properties](/azure/templates/microsoft.web/sites/config-web?tabs=json#SiteConfig), remove the *remoteDebuggingEnabled* property or update its value to `false`.

-**Severity level**: 3

-#### TA-000009: FTPS only should be required in your Function App

-Enable FTPS enforcement for enhanced security.

-**Recommendation**: To [enforce FTPS](../app-service/deploy-ftp.md?tabs=portal#enforce-ftps), in the [Microsoft.Web/sites/config resource properties](/azure/templates/microsoft.web/sites/config-web?tabs=json#SiteConfig), add (or update) the *ftpsState* property, setting its value to `"FtpsOnly"` or `"Disabled"` if you don't need FTPS enabled.

-**Severity level**: 1

-#### TA-000010: Function App Should Only Be Accessible Over HTTPS

-Function apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks.

-**Recommendation**: To [use HTTPS to ensure, server/service authentication and protect data in transit from network layer eavesdropping attacks](../app-service/configure-ssl-bindings.md#enforce-https), in the [Microsoft.Web/Sites resource properties](/azure/templates/microsoft.web/sites?tabs=json#siteproperties-object), add (or update) the *httpsOnly* property, setting its value to `true`.

-**Severity level**: 2

-#### TA-000011: Latest TLS version should be used in your Function App

-Function apps should require the latest TLS version.

-**Recommendation**: To [enforce the latest TLS version](../app-service/configure-ssl-bindings.md#enforce-tls-versions), in the [Microsoft.Web/sites/config resource properties](/azure/templates/microsoft.web/sites/config-web?tabs=json#SiteConfig), add (or update) the *minTlsVersion* property, setting its value to `1.2`.

-**Severity level**: 1

-#### TA-000012: CORS shouldn't allow every resource to access your Function Apps

-Cross-Origin Resource Sharing (CORS) shouldn't allow all domains to access your function app. Allow only required domains to interact with your function app.

-**Recommendation**: To allow only required domains to interact with your function app, in the [Microsoft.Web/sites/config resource cors settings object](/azure/templates/microsoft.web/sites/config-web?tabs=json#corssettings-object), add (or update) the *allowedOrigins* property, setting its value to an array of allowed origins. Ensure it isn't* set to "*" (asterisks allows all origins).

-**Severity level**: 3

-#### TA-000013: Managed identity should be used in your Function App

-For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.

-**Recommendation**: To [use Managed Identity](../app-service/overview-managed-identity.md?tabs=dotnet), in the [Microsoft.Web/sites resource managed identity property](/azure/templates/microsoft.web/sites?tabs=json#ManagedServiceIdentity), add (or update) the *type* property, setting its value to `"SystemAssigned"` or `"UserAssigned"` and providing any necessary identifiers for the identity if necessary.

-**Severity level**: 2

-#### TA-000014: Remote debugging should be turned off for Web Applications

-Remote debugging requires inbound ports to be opened on a web application. These ports become easy targets for compromise from various internet-based attacks. If you no longer need to use remote debugging, it should be turned off.

-**Recommendation**: To disable remote debugging, in the [Microsoft.Web/sites/config resource properties](/azure/templates/microsoft.web/sites/config-web?tabs=json#SiteConfig), remove the *remoteDebuggingEnabled* property or update its value to `false`.

-**Severity level**: 3

-#### TA-000015: FTPS only should be required in your Web App

-Enable FTPS enforcement for enhanced security.

-**Recommendation**: To [enforce FTPS](../app-service/deploy-ftp.md?tabs=portal#enforce-ftps), in the [Microsoft.Web/sites/config resource properties](/azure/templates/microsoft.web/sites/config-web?tabs=json#SiteConfig), add (or update) the *ftpsState* property, setting its value to `"FtpsOnly"` or `"Disabled"` if you don't need FTPS enabled.

-**Severity level**: 1

-#### TA-000016: Web Application Should Only Be Accessible Over HTTPS

-Web apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks.

-**Recommendation**: To [use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks](../app-service/configure-ssl-bindings.md#enforce-https), in the [Microsoft.Web/Sites resource properties](/azure/templates/microsoft.web/sites?tabs=json#siteproperties-object), add (or update) the *httpsOnly* property, setting its value to `true`.

-**Severity level**: 2

-#### TA-000017: Latest TLS version should be used in your Web App

-Web apps should require the latest TLS version.

-**Recommendation**:

-To [enforce the latest TLS version](../app-service/configure-ssl-bindings.md#enforce-tls-versions), in the [Microsoft.Web/sites/config resource properties](/azure/templates/microsoft.web/sites/config-web?tabs=json#SiteConfig), add (or update) the *minTlsVersion* property, setting its value to `1.2`.

-**Severity level**: 1

-#### TA-000018: CORS shouldn't allow every resource to access your Web Applications

-Cross-Origin Resource Sharing (CORS) shouldn't allow all domains to access your Web application. Allow only required domains to interact with your web app.

-**Recommendation**: To allow only required domains to interact with your web app, in the [Microsoft.Web/sites/config resource cors settings object](/azure/templates/microsoft.web/sites/config-web?tabs=json#corssettings-object), add (or update) the *allowedOrigins* property, setting its value to an array of allowed origins. Ensure it isn't* set to "*" (asterisks allows all origins).

-**Severity level**: 3

-#### TA-000019: Managed identity should be used in your Web App

-For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.

-**Recommendation**: To [use Managed Identity](../app-service/overview-managed-identity.md?tabs=dotnet), in the [Microsoft.Web/sites resource managed identity property](/azure/templates/microsoft.web/sites?tabs=json#ManagedServiceIdentity), add (or update) the *type* property, setting its value to `"SystemAssigned"` or `"UserAssigned"` and providing any necessary identifiers for the identity if necessary.

-**Severity level**: 2

-#### TA-000020: Audit usage of custom RBAC roles

-Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling.

-**Recommendation**: [Use built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles](../role-based-access-control/built-in-roles.md)

-**Severity level**: 3

-#### TA-000021: Automation account variables should be encrypted

-It's important to enable encryption of Automation account variable assets when storing sensitive data. This step can only be taken at creation time. If you have Automation Account Variables storing sensitive data that aren't already encrypted, then you'll need to delete them and recreate them as encrypted variables. To apply encryption of the Automation account variable assets, in Azure PowerShell - run [the following command](/powershell/module/az.automation/set-azautomationvariable?view=azps-5.4.0&viewFallbackFrom=azps-1.4.0): `Set-AzAutomationVariable -AutomationAccountName '{AutomationAccountName}' -Encrypted $true -Name '{VariableName}' -ResourceGroupName '{ResourceGroupName}' -Value '{Value}'`

-**Recommendation**: [Enable encryption of Automation account variable assets](../automation/shared-resources/variables.md?tabs=azure-powershell)

-**Severity level**: 1

-#### TA-000022: Only secure connections to your Azure Cache for Redis should be enabled

-Enable only connections via SSL to Redis Cache. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.

-**Recommendation**: To [enable only connections via SSL to Redis Cache](/security/benchmark/azure/baselines/azure-cache-for-redis-security-baseline?toc=/azure/azure-cache-for-redis/TOC.json#44-encrypt-all-sensitive-information-in-transit), in the [Microsoft.Cache/Redis resource properties](/azure/templates/microsoft.cache/redis?tabs=json#rediscreateproperties-object), update the value of the *enableNonSslPort* property from `true` to `false` or remove the property from the template as the default value is `false`.

-**Severity level**: 1

-#### TA-000023: Authorized IP ranges should be defined on Kubernetes Services

-To ensure that only applications from allowed networks, machines, or subnets can access your cluster, restrict access to your Kubernetes Service Management API server. It's recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.

-**Recommendation**: [Restrict access by defining authorized IP ranges](../aks/api-server-authorized-ip-ranges.md) or [set up your API servers as private clusters](../aks/private-clusters.md)

-**Severity level**: 1

-#### TA-000024: Role-Based Access Control (RBAC) should be used on Kubernetes Services

-To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. To Use Role-Based Access Control (RBAC) you must recreate your Kubernetes Service cluster and enable RBAC during the creation process.

-**Recommendation**: [Enable RBAC in Kubernetes clusters](../aks/operator-best-practices-identity.md#use-azure-rbac)

-**Severity level**: 1

-#### TA-000025: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version

-Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. [Vulnerability CVE-2019-9946](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9946) has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+. Running on older versions could mean you aren't using latest security classes. Usage of such old classes and types can make your application vulnerable.

-**Recommendation**: To [upgrade Kubernetes service clusters](../aks/upgrade-cluster.md), in the [Microsoft.ContainerService/managedClusters resource properties](/azure/templates/microsoft.containerservice/managedclusters?tabs=json#managedclusterproperties-object), update the *kubernetesVersion* property, setting its value to one of the following versions (making sure to specify the minor version number): 1.11.9+, 1.12.7+, 1.13.5+, or 1.14.0+.

-**Severity level**: 1

-#### TA-000026: Service Fabric clusters should only use Azure Active Directory for client authentication

-Service Fabric clusters should only use Azure Active Directory for client authentication. A Service Fabric cluster offers several entry points to its management functionality, including the web-based Service Fabric Explorer, Visual Studio and PowerShell. Access to the cluster must be controlled using AAD.

-**Recommendation**: [Enable AAD client authentication on your Service Fabric clusters](../service-fabric/service-fabric-cluster-creation-setup-aad.md)

-**Severity level**: 1

-#### TA-000027: Transparent Data Encryption on SQL databases should be enabled

-Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements.

-**Recommendation**: To [enable transparent data encryption](/azure/azure-sql/database/transparent-data-encryption-tde-overview?tabs=azure-portal), in the [Microsoft.Sql/servers/databases/transparentDataEncryption resource properties](/azure/templates/microsoft.sql/servers/databases/transparentdataencryption?tabs=json), add (or update) the value of the *state* property to `enabled`.

-**Severity level**: 3

-#### TA-000028: SQL servers with auditing to storage account destination should be configured with 90 days retention or higher

-Set the data retention for your SQL Server's auditing to storage account destination to at least 90 days.

-**Recommendation**: For incident investigation purposes, we recommend setting the data retention for your SQL Server's auditing to storage account destination to at least 90 days, in the [Microsoft.Sql/servers/auditingSettings resource properties](/azure/templates/microsoft.sql/2020-11-01-preview/servers/auditingsettings?tabs=json#serverblobauditingpolicyproperties-object), using the *retentionDays* property. Confirm that you're meeting the necessary retention rules for the regions in which you're operating. This is sometimes required for compliance with regulatory standards.

-**Severity level**: 3

-#### TA-000029: Azure API Management APIs should use encrypted protocols only

-Set the protocols property to only include HTTPS.

-**Recommendation**: To use encrypted protocols only, add (or update) the *protocols* property in the [Microsoft.ApiManagement/service/apis resource properties](/azure/templates/microsoft.apimanagement/service/apis?tabs=json), to only include HTTPS. Allowing any other protocols (for example, HTTP, WS) is insecure.

-**Severity level**: 1

-## Recommendation to enable diagnostic logs for Virtual Machine Scale Sets has been deprecated

-2. Select **System Settings**.

-3. In the **Sensor Setup ΓÇô Connection String** section, copy the automatically generated connection string.

-4. Sign in to the sensor console.

-5. On the left pane, select **System Settings**.

-6. Select **Management Console Connection**.

-7. Paste the connection string in the **Connection string** box and select **Connect**.

-8. In the on-premises management console, in the **Site Management** window, assign the sensor to a site and zone.

-2. In the **System Settings** window, select **Network**.

-3. Set the parameters:

-4. Select **Save**.

-3. Set the parameters and select **Save**.

-2. In the sensor, make a directory for the backups:

-3. Edit `fstab`:

-4. Edit and create credentials to share for the SMB server:

-5. Add:

-6. Mount the directory:

-7. Configure a backup directory to the shared folder on the Defender for IoT sensor:ΓÇ»

-To view the PCAP player in your sensor console, you'll first need to configure the relevant advanced configuration option.

-**To show the PCAP player in your sensor console**:

-1. On your sensor console, go to **System settings > Sensor management > Advanced Configurations**.

-1. In the **Advanced configurations** pane, select the **Pcaps** category.

-1. In the configurations displayed, change `enabled=0` to `enabled=1`, and select **Save**.

-The **Play PCAP** option is now available in the sensor console's settings, under: **System settings > Basic > Play PCAP**.

-1. In the **PCAP PLAYER** pane, select **Upload** and then navigate to and select the file you want to upload.

-2. Select **System Settings**.

-3. Select **System Properties** from the **General** section.

-Each type of data has a different retention period and maximum capacity. For more information see [Create data mining queries](how-to-create-data-mining-queries.md) and [Data retention across Microsoft Defender for IoT](references-data-retention.md).

-|:::image type="icon" source="media/how-to-manage-sensors-on-the-cloud/icon-recover.png" border="false"::: **Recover a password** | Individual, OT sensors only. <br><br>Available from the **...** options menu or a sensor details page. Enter the secret identifier obtained on the sensor's sign-in screen. |

-|:::image type="icon" source="media/how-to-manage-sensors-on-the-cloud/icon-export.png" border="false"::: **Export sensor data** | Available from the **Sites and sensors** toolbar only, to download a CSV file with details about all the sensors listed. |

-|:::image type="icon" source="media/how-to-manage-sensors-on-the-cloud/icon-edit.png" border="false"::: **Edit automatic threat intelligence updates** | Individual, OT sensors only. <br><br>Available from the **...** options menu or a sensor details page. <br><br>Select **Edit** and then toggle the **Automatic Threat Intelligence Updates (Preview)** option on or off as needed. Select **Submit** to save your changes. |

-|:::image type="icon" source="media/how-to-manage-sensors-on-the-cloud/icon-delete.png" border="false"::: **Delete a sensor** | For individual sensors only, from the **...** options menu or a sensor details page. |

-| :::image type="icon" source="media/how-to-manage-sensors-on-the-cloud/icon-diagnostics.png" border="false"::: **Send diagnostic files to support** | Individual, locally managed OT sensors only. <br><br>Available from the **...** options menu. <br><br>For more information, see [Upload a diagnostics log for support](#upload-a-diagnostics-log-for-support).|

-| **Download SNMP MIB file** | Available from the **Sites and sensors** toolbar **More actions** menu. <br><br>For more information, see [Set up SNMP MIB monitoring](how-to-set-up-snmp-mib-monitoring.md).|

-| **Recover an on-premises management console password** | Available from the **Sites and sensors** toolbar **More actions** menu. <br><br>For more information, see [Manage the on-premises management console](how-to-manage-the-on-premises-management-console.md). |

-| **Define OT network sensor settings** (Preview) | Define selected sensor settings for one or more cloud-connected OT network sensors. For more information, see [Define and view OT sensor settings from the Azure portal (Public preview)](configure-sensor-settings-portal.md). <br><br>Other settings are also available directly from the [OT sensor console](how-to-manage-individual-sensors.md), or the [on-premises management console](how-to-manage-sensors-from-the-on-premises-management-console.md).|

- --project-name <project-name> --environment-type <environment-type-name>

- --project-name <project-name> -n <name> --environment-type <environment-type-name>

-Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and the web browser remain private and encrypted.

-To meet your security or compliance requirements, Azure Front Door (AFD) supports end-to-end TLS encryption. Front Door TLS/SSL offload terminates the TLS connection, decrypts the traffic at the Azure Front Door, and re-encrypts the traffic before forwarding it to the backend. Since connections to the backend happen over the public IP, it is highly recommended you configure HTTPS as the forwarding protocol on your Azure Front Door to enforce end-to-end TLS encryption from the client to the backend. TLS/SSL offload is also supported if you deploy a private backend with AFD Premium using the [PrivateLink](private-link.md) feature.

-End-to-end TLS allows you to secure sensitive data while in transit to the backend while benefiting from Azure Front Door features like global load balancing and caching. Some of the features also include URL-based routing, TCP split, caching on edge location closest to the clients, and customizing HTTP requests at the edge.

-Azure Front Door offloads the TLS sessions at the edge and decrypts client requests. It then applies the configured routing rules to route the requests to the appropriate backend in the backend pool. Azure Front Door then starts a new TLS connection to the backend and re-encrypts all data using the backendΓÇÖs certificate before transmitting the request to the backend. Any response from the backend is encrypted through the same process back to the end user. You can configure your Azure Front Door to use HTTPS as the forwarding protocol to enable end-to-end TLS.

-You can configure the minimum TLS version in Azure Front Door in the custom domain HTTPS settings using the Azure portal or theΓÇ»[Azure REST API](/rest/api/frontdoorservice/frontdoor/frontdoors/createorupdate#minimumtlsversion). Currently, you can choose between 1.0 and 1.2. As such, specifying TLS 1.2 as the minimum version controls the minimum acceptable TLS version Azure Front Door will accept from a client. When Azure Front Door initiates TLS traffic to the backend, it will attempt to negotiate the best TLS version that the backend can reliably and consistently accept.

-## Backend TLS connection (Azure Front Door to backend)

-For HTTPS connections, Azure Front Door expects that your backend presents a certificate from a valid Certificate Authority (CA) with subject name(s) matching the backend *hostname*. As an example, if your backend hostname is set to `myapp-centralus.contosonews.net` and the certificate that your backend presents during the TLS handshake doesn't have `myapp-centralus.contosonews.net` or `*.contosonews.net` in the subject name, then Azure Front Door will refuse the connection and as a result an error.

-From a security standpoint, Microsoft doesn't recommend disabling certificate subject name check. In certain use cases such as for testing, as a work-around to resolve failing HTTPS connection, you can disable certificate subject name check for your Azure Front Door. Note that the origin still needs to present a certificate with a valid trusted chain, but doesn't have to match the origin host name. The option to disable this feature is different for each Azure Front Door tier:

-* Azure Front Door Standard and Premium - it is present in the origin settings.

-* Azure Front Door (classic) - it is present under the Azure Front Door settings in the Azure portal and in the Backend PoolsSettings in the Azure Front Door API.

-## Frontend TLS connection (Client to Front Door)

-To enable the HTTPS protocol for secure delivery of contents on an Azure Front Door custom domain, you can choose to use a certificate that is managed by Azure Front Door or use your own certificate.

-* Azure Front Door managed certificate provides a standard TLS/SSL certificate via DigiCert and is stored in Azure Front Door's Key Vault.

-* If you choose to use your own certificate, you can onboard a certificate from a supported CA that can be a standard TLS, extended validation certificate, or even a wildcard certificate.

-* Self-signed certificates aren't supported. LearnΓÇ»[how to enable HTTPS for a custom domain](front-door-custom-domain-https.md).

- You'll need to ensure that the service principal for Front Door has access to the key vault. Refer to how to grant access to your key vault. The updated certificate rollout operation by Azure Front Door won't cause any production down time provided the subject name or subject alternate name (SAN) for the certificate didn't changed.

-This tutorial shows how to enable the HTTPS protocol for a custom domain that's associated with your Front Door (classic) under the frontend hosts section. By using the HTTPS protocol on your custom domain (for example, https:\//www.contoso.com), you ensure that your sensitive data is delivered securely via TLS/SSL encryption when it's sent across the internet. When your web browser is connected to a web site via HTTPS, it validates the web site's security certificate and verifies it's issued by a legitimate certificate authority. This process provides security and protects your web applications from attacks.

-> * For AFD managed certificates, DigiCertΓÇÖs 64 character limit is enforced. Validation will fail if that limit is exceeded.

-You can use your own certificate to enable the HTTPS feature. This process is done through an integration with Azure Key Vault, which allows you to store your certificates securely. Azure Front Door uses this secure mechanism to get your certificate and it requires a few extra steps. When you create your TLS/SSL certificate, you must create a complete certificate chain with an allowed certificate authority (CA) that is part of the [Microsoft Trusted CA List](https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT). If you use a non-allowed CA, your request will be rejected. If a certificate without complete chain is presented, the requests which involve that certificate are not guaranteed to work as expected.

-# Onboard a root or apex domain on your Front Door

-Azure Front Door supports adding custom domain to Front Door profile. This is done by adding DNS TXT record for domain ownership validation and creating a CNAME record in your DNS configuration to route DNS queries for the custom domain to Azure Front Door endpoint. For apex domain, DNS TXT will continue to be used for domain validation. However, the DNS protocol prevents the assignment of CNAME records at the zone apex. For example, if your domain is `contoso.com`; you can create CNAME records for `somelabel.contoso.com`; but you can't create CNAME for `contoso.com` itself. Front Door doesn't expose the frontend IP address associated with your Front Door profile. So you can't map your apex domain to an IP address if your intent is to onboard it to Azure Front Door.

-Azure Front Door uses CNAME records to validate domain ownership for onboarding of custom domains. Front Door doesn't expose the frontend IP address associated with your Front Door profile. So you can't map your apex domain to an IP address if your intent is to onboard it to Azure Front Door.

-The DNS protocol prevents the assignment of CNAME records at the zone apex. For example, if your domain is `contoso.com`; you can create CNAME records for `somelabel.contoso.com`; but you can't create CNAME for `contoso.com` itself. This restriction presents a problem for application owners who have load-balanced applications behind Azure Front Door. Since using a Front Door profile requires creation of a CNAME record, it isn't possible to point at the Front Door profile from the zone apex.

-This problem can be resolved by using alias records in Azure DNS. Unlike CNAME records, alias records are created at the zone apex. Application owners can use it to point their zone apex record to a Front Door profile that has public endpoints. Application owners point to the same Front Door profile that's used for any other domain within their DNS zone. For example, `contoso.com` and `www.contoso.com` can point to the same Front Door profile.

-Mapping your apex or root domain to your Front Door profile basically requires CNAME flattening or DNS chasing. A mechanism where the DNS provider recursively resolves the CNAME entry until it hits an IP address. This functionality is supported by Azure DNS for Front Door endpoints.

-> [!NOTE]

-> There are other DNS providers as well that support CNAME flattening or DNS chasing, however, Azure Front Door recommends using Azure DNS for its customers for hosting their domains.

-You can use the Azure portal to onboard an apex domain on your Front Door and enable HTTPS on it by associating it with a certificate for TLS termination. Apex domains are also referred as root or naked domains.

-## Onboard the custom domain to your Front Door

-1. Select **Domains** from under *Settings* on the left side pane for your Front Door profile and then select **+ Add** to add a new custom domain.

-1. Close the *Validate the custom domain* page and return to the *Domains* page for the Front Door profile. You should see the *Validation state* change from **Pending** to **Approved**. If not, wait up to 10 minutes for changes to reflect. If your validation doesn't get approved make sure your TXT record is correct and name servers are configured correctly if you're using Azure DNS.

-## Managed certificate renewal for apex domain

-Front Door managed certificates will automatically rotate certificates only if the domain CNAME is pointed to Front Door endpoint. Since the APEX domain doesnΓÇÖt have a CNAME record pointing to Front Door endpoint, the auto-rotation for managed certificate will fail until domain ownership is re-validated. The validation column will become `Pending-revalidation` 45 days before the managed certificate expires. Select the **Pending-revalidation** link and then select the **Regenerate** button to regenerate the TXT token. After that, add the TXT token to the DNS provider settings.

-# Wildcard domains

-Besides apex domains and subdomains, you can also map a wildcard domain to your front-end hosts or custom domains for your Azure Front Door profile. Having wildcard domains in your Azure Front Door configuration simplifies traffic routing behavior for multiple subdomains for an API, application, or website from the same routing rule. You don't need to modify the configuration to add or specify each subdomain separately. As an example, you can define the routing for `customer1.contoso.com`, `customer2.contoso.com`, and `customerN.contoso.com` by using the same routing rule and adding the wildcard domain `*.contoso.com`.

-Key scenarios that are improved with support for wildcard domains include:

-> Currently, adding wildcard domains through Azure DNS is only supported via API, PowerShell, and the Azure CLI. Support for adding and managing wildcard domains in the Azure portal isn't available.

-You can add a wildcard domain following guidance in [add a custom domain](standard-premium/how-to-add-custom-domain.md) for subdomains.

-> * Cache purge for wildcard domain is not supported, you have to specify a subdomain for cache purge.

-You can add as many single-level subdomains of the wildcard as you would like. For example, for the wildcard domain *.contoso.com, you can add subdomains in the form of image.contosto.com, cart.contoso.com, etc. Subdomains like www.image.contoso.com aren't a single-level subdomain of *.contoso.com. This functionality might be required for:

-* Defining a different route for a subdomain than the rest of the domains (from the wildcard domain).

-* Set up a different WAF policy for a specific subdomain.

-> * If you want to add a subdomain of the wildcard domain thatΓÇÖs already validated in the Azure Front Door Standard or Premium profile, the domain validation is automatically approved if it uses the same use your own custom SSL certificate.

-When configuring a routing rule, you can select a wildcard domain as a front-end host. You can also have different route behavior for wildcard domains and subdomains. As described in [How Azure Front Door does route matching](front-door-route-matching.md), the most specific match for the domain across different routing rules is chosen at runtime.

-> You must have matching path patterns across your routing rules, or your clients will see failures. For example, you have two routing rules like Route 1 (`*.foo.com/*` mapped to back-end pool A) and Route 2 (`/bar.foo.com/somePath/*` mapped to back-end pool B). Then, a request arrives for `bar.foo.com/anotherPath/*`. Azure Front Door selects Route 2 based on a more specific domain match, only to find no matching path patterns across the routes.

-Azure Front Door supports two types of domains, non-Azure validated domain and Azure pre-validated domain. Azure managed certificate and customer certificate are supported for both types. For more information, see [Configure HTTPS on a custom domain](how-to-configure-https-custom-domain.md).

-* **Azure pre-validated domains** - are domains validated by another Azure service. This domain type is used when you onboard and validated a domain to an Azure service, and then configured the Azure service behind an Azure Front Door. You don't need to validate the domain through the Azure Front Door when you use this type of domain.

- > [!NOTE]

- > Currently Azure pre-validated domain only supports domain validated by Static Web App.

-* **Non-Azure validated domains** - are domains that aren't validated by any Azure service. This domain type can be hosted with any DNS service and requires domain ownership validation with Azure Front Door.

-* Before you can complete the steps in this tutorial, you must first create a Front Door. For more information, see [Quickstart: Create a Front Door Standard/Premium](create-front-door-portal.md).

-* If you're using Azure to host your [DNS domains](../../dns/dns-overview.md), you must delegate the domain provider's domain name system (DNS) to an Azure DNS. For more information, see [Delegate a domain to Azure DNS](../../dns/dns-delegate-domain-azure-dns.md). Otherwise, if you're using a domain provider to handle your DNS domain, you must manually validate the domain by entering prompted DNS TXT records.

-A custom domain is configured on the **Domains** page of the Front Door profile. A custom domain can be set up and validated prior to endpoint association. A custom domain and its subdomains can only be associated with a single endpoint at a time. However, you can use different subdomains from the same custom domain for different Front Door profiles. You may also map custom domains with different subdomains to the same Front Door endpoint.

- > An Azure pre-validated domain will have a validation state of **Pending** and will automatically change to **Approved** after a few minutes. Once validation gets approved, skip to [**Associate the custom domain to your Front Door endpoint**](#associate-the-custom-domain-to-your-front-door-endpoint) and complete the remaining steps.

-### Domain validation state

-| Domain validation state | Description and actions |

-|--|--|

-| Approved | This status means the domain has been successfully validated. |

-| Internal error | If you see this error, retry validation by selecting the **Refresh** or **Regenerate** button. If you're still experiencing issues, submit a support request to Azure support. |

-| Pending | A domain goes to pending state once the DNS TXT record challenge is generated. Add the DNS TXT record to your DNS provider and wait for the validation to complete. If the status remains **Pending** even after the TXT record has been updated with the DNS provider, select **Regenerate** to refresh the TXT record then add the TXT record to your DNS provider again. |

-| Pending re-validation | This status occurs when the managed certificate is less than 45 days from expiring. If you have a CNAME record already pointing to the Azure Front Door endpoint, no action is required for certificate renewal. If the custom domain is pointed to another CNAME record, select the **Pending re-validation**, and then select **Regenerate** on the *Validate the custom domain* page. Lastly, select **Add** if you're using Azure DNS or manually add the TXT record with your own DNS providerΓÇÖs DNS management. |

-| Refreshing validation token | A domain goes into a *Refreshing Validation Token* state for a brief period after the **Regenerate** button is selected. Once a new TXT record challenge is issued, the state will change to **Pending**. |

-| Rejected | This when the certificate provider/authority rejects the issuance for the managed certificate, for example, when the domain is invalid. Select the **Rejected** link and then select **Regenerate** on the *Validate the custom domain* page, as shown in the screenshots below this table. Then select **Add** to add the TXT record in the DNS provider. |

-| Submitting | When a new custom domain is added and being created, the validation state becomes Submitting. |

-| Timeout | The domain validation state will change from *Pending* to *Timeout* if the TXT record isn't added to your DNS provider within seven days. You'll also see a *Timeout* state if an invalid DNS TXT record has been added. Select the **Timeout** link and then select **Regenerate** on the *Validate the custom domain* page. Then select **Add** to add the TXT record to the DNS provider. |

-> [!NOTE]

-> 1. The default TTL for TXT record is 1 hour. When you need to regenerate the TXT record for re-validation, please pay attention to the TTL for the previous TXT record. If it doesn't expire, the validation will fail until the previous TXT record expires.

-> 2. If the **Regenerate** button doesn't work, delete and recreate the domain.

-> 3. If the domain state doesn't reflect as expected, select the **Refresh** button.

-## Associate the custom domain to your Front Door endpoint

-Azure Front Door enables secure TLS delivery to your applications by default when a custom domain is added. By using the HTTPS protocol on your custom domain, you ensure your sensitive data get delivered securely with TLS/SSL encryption when it's sent across the internet. When your web browser is connected to a web site via HTTPS, it validates the web site's security certificate, and verifies it gets issued by a legitimate certificate authority. This process provides security and protects your web applications from attacks.

-Azure Front Door supports Azure managed certificate and customer-managed certificates.

-* A non-Azure validated domain requires domain ownership validation. The managed certificate (AFD managed) is issued and managed by Azure Front Door. Azure Front Door by default automatically enables HTTPS to all your custom domains using Azure managed certificates. No extra steps are required for getting an AFD managed certificate. A certificate is created during the domain validation process.

-* An Azure pre-validated domain doesn't require domain validation because it's already validated by another Azure service. The managed certificate (Azure managed) is issued and managed by the Azure service. No extra steps are required for getting an Azure managed certificate. Azure Front Door doesn't issue a new managed certificate for this scenario and instead will reuse the managed certificate issued by the Azure service. For supported Azure service for pre-validated domain, refer to [custom domain](how-to-add-custom-domain.md).

-* For both scenarios, you can bring your own certificate.

-## AFD managed certificates for Non-Azure pre-validated domain

- | HTTPS | Select **AFD managed (Recommended)** |

-1. Once the custom domain gets associated to an endpoint successfully, an AFD managed certificate gets deployed to Front Door. This process may take from several minutes to an hour to complete.

-## Azure managed certificates for Azure pre-validated domain

-You can also choose to use your own TLS certificate. When you create your TLS/SSL certificate, you must create a complete certificate chain with an allowed certificate authority (CA) that is part of the [Microsoft Trusted CA List](https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT). If you use a non-allowed CA, your request will be rejected. The root CA must be part of the [Microsoft Trusted CA List](https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT). If a certificate without complete chain is presented, the requests that involve that certificate aren't guaranteed to work as expected. This certificate must be imported into an Azure Key Vault before you can use it with Azure Front Door Standard/Premium. See how to [import a certificate](../../key-vault/certificates/tutorial-import-certificate.md) to Azure Key Vault.

- > [!WARNING]

- > Azure Front Door currently only supports key vaults in the same subscription as the Front Door profile. Choosing a key vault under a different subscription than your Azure Front Door Standard/Premium profile will result in a failure.

-> Front Door doesn't support certificates with elliptic curve (EC) cryptography algorithms. The certificate must have a complete certificate chain with leaf and intermediate certificates, and root CA must be part of the [Microsoft Trusted CA List](https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT).

-> * This action requires you to have Global Administrator permissions in Azure AD. The registration only needs to be performed **once per Azure AD tenant**.

-##### Azure PowerShell

-2. In PowerShell, run the following command:

-##### Azure CLI

-1. If need, install [Azure CLI](/cli/azure/install-azure-cli) on your local machine.

-2. In CLI, run the following command:

-1. When you select a certificate, you must [select the certificate version](#rotate-own-certificate). If you select **Latest**, Azure Front Door will automatically update whenever the certificate is rotated (renewed). Alternatively, you can select a specific certificate version if you prefer to manage certificate rotation yourself.

-## Certificate renewal and changing certificate types

-### AFD managed certificate for Non-Azure pre-validated domain

-AFD managed certificates are automatically rotated when your custom domain uses a CNAME record that points to an Azure Front Door Standard or Premium endpoint.

-Front Door won't automatically rotate certificates in the following scenarios:

-* The custom domain CNAME record is pointing to other DNS resources.

-* The custom domain points to the Azure Front Door through a long chain. For example, if you put Azure Traffic Manager before Azure Front Door, the CNAME chain is `contoso.com` CNAME in `contoso.trafficmanager.net` CNAME in `contoso.z01.azurefd.net`.

-The domain validation state will become *Pending Revalidation* 45 days before the managed certificate expires, or *Rejected* if the managed certificate issuance is rejected by the certificate authority. Refer to [Add a custom domain](how-to-add-custom-domain.md#domain-validation-state) for actions for each of the domain states.

-### Azure managed certificate for Azure pre-validated domain

-Azure managed certificates are automatically rotated by the Azure service that validates the domain.

-### <a name="rotate-own-certificate"></a>Use your own certificate

-In order for the certificate to automatically be rotated to the latest version when a newer version of the certificate is available in your key vault, set the secret version to 'Latest'. If a specific version is selected, you have to reselect the new version manually for certificate rotation. It takes up to 72 hours for the new version of the certificate/secret to be automatically deployed.

-If you want to change the secret version from ΓÇÿLatestΓÇÖ to a specified version or vice versa, add a new certificate.

-## How to switch between certificate types

-1. You can change an existing Azure managed certificate to a user-managed certificate by selecting the certificate state to open the **Certificate details** page.

-1. On the **Certificate details** page, you can change between *Azure managed* and

-*Bring Your Own Certificate (BYOC)*. Then follow the same steps as earlier to choose a certificate. Select **Update** to change the associated certificate with a domain.

- > [!NOTE]

- > * It may take up to an hour for the new certificate to be deployed when you switch between certificate types.

- > * If your domain state is Approved, switching the certificate type between BYOC and managed certificate won't have any downtime. When switching to managed certificate, unless the domain ownership is re-validated and the domain state becomes Approved, you will continue to be served by the previous certificate.

- > * If you switch from BYOC to managed certificate, domain re-validation is required. If you switch from managed certificate to BYOC, you're not required to re-validate the domain.

- >

-

-

-2. Click the 'Overview' tab.

-3. You should see both the Ambari and ssh Network interfaces listed and their private IP Addresses.

-4. Make a note of these IP addresses because they are required to connect to the cluster and properly configure DNS.

-

-If you don't use `TOP`, the query returns a maximum of 10,000 results for a telemetry data-based query and 1,000 for a property-based query.

-| `testId` | string | | *Required*. Id of the test to run. For a new test, enter an Id with characters [a-z0-9_-]. For an existing test, you can get the test Id from the test details page in Azure portal. This field was called `testName` earlier, which has been deprecated. You can still run existing tests with `testName`field. |

-| `description` | string | | Short description of the test. |

- | 443 | Outbound | TCP | Private endpoint / Storage account | Storage account |

- | 445 | Outbound | TCP | Private endpoint / Subnet integrated with Standard logic app | Server Message Block (SMB) File Share |

-1. Submit a training job with identity parameter set to [azure.ai.ml.UserIdentity](/python/api/azure-ai-ml/azure.ai.ml.useridentity). This parameter setting enables the job to access data on behalf of user submitting the job.

- from azure.ai.ml import UserIdentity

- identity= UserIdentity()

-description: Analyze your app or add-in performance and see funnel and acquisitions metrics.

-<! [

-[image](https://user-images.githubusercontent.com/62076972/134597753-6fd281d2-9cdd-4ba0-b45d-645ca18e22d1.png)

-]() >

-The _Acquisitions report_ in the Partner Center dashboard lets you see who has acquired and installed your add-in, app, or visual, and shows info about how customers have arrived at your Microsoft AppSource listing.

-1. In the left-menu, select **Acquistions**.

-A page view means that a customer viewed your solutions's Microsoft AppSource listing page. This includes views by people who aren't signed in. Some customers have opted out of providing this information to Microsoft.

-| India Central | 104.211.96.159 | | |

-| UK West | 51.141.8.11 | | |

-# Monitor network connectivity by using Azure Monitor Agent with Connection Monitor

-description: This article describes how to create a monitor in Connection Monitor by using the Azure portal.

-# Create a monitor in Connection Monitor by using the Azure portal

-# Create a connection monitor by using PowerShell

-description: Learn how to create Connection Monitor using the ARMClient.

-# Create a Connection Monitor using the ARM template

-description: Learn how to use Connection Monitor to monitor network communication in a distributed environment.

-# Monitor network connectivity by using Connection Monitor

-description: Understand the Tests data schema and the Path data schema of Azure Network Watcher Connection Monitor.

-# Customer intent: I need to determine why resources in a virtual network can't communicate with resources in a different network.

-# Customer intent: I need to diagnose virtual machine (VM) network routing problem that prevents communication to different destinations.

-# Customer intent: I need to diagnose virtual machine (VM) network routing problem that prevents communication to different destinations.

-# Customer intent: I need to diagnose virtual machine (VM) network routing problem that prevents communication to different destinations.

-description: This page provides an overview of the Network Watcher connection troubleshooting capability

-# Introduction to connection troubleshoot in Azure Network Watcher

-description: This article describes how to use Network Watcher to perform deep packet inspection collected from a VM

-description: This page provides an overview of the Network Watcher IP flow verify capability

-# Introduction to IP flow verify in Azure Network Watcher

-description: This article provides an overview of the Network Watcher next hop capability.

-# Use next hop to diagnose virtual machine routing problems

-description: This page explains how to manage Network Security Group Flow logs in Azure Network Watcher with Azure PowerShell

-# Configuring Network Security Group Flow logs with Azure PowerShell

-# Configuring Network Security Group flow logs using REST API

-# Manage and analyze Network Security Group flow logs using Network Watcher and Grafana

-description: This page explains how to manage the packet capture feature of Network Watcher using the Azure CLI

-description: Learn how to manage the packet capture feature of Network Watcher in virtual machine scale set using the Azure portal.

-description: This page explains how to manage the packet capture feature of Network Watcher in virtual machine scale set using PowerShell

-description: This page explains how to manage the packet capture feature of Network Watcher using PowerShell

-description: This page explains how to manage the packet capture feature of virtual machine scale set in Network Watcher using Azure REST API

-description: This page explains how to manage the packet capture feature of Network Watcher using Azure REST API

-description: This page provides an overview of the Network Watcher packet capture's capability

-# Introduction to variable packet capture in Azure Network Watcher

-> Packet capture is now also available for **Virtual Machine Scale Sets**. To check it out, visit [Manage packet capture in the Azure portal for VMSS](network-watcher-packet-capture-manage-portal-vmss.md).

-description: Learn how to use Azure PowerShell to parse Network Security Group flow logs, which are created hourly and updated every few minutes in Azure Network Watcher.

-description: This page provides an overview of the Network Watcher - Effective security rules view capability

-description: This page explains how to use the Azure Network Watcher troubleshoot Azure CLI

-# Troubleshoot Virtual Network Gateway and Connections using Azure Network Watcher Azure CLI

-description: This page explains how to use the Azure Network Watcher troubleshoot PowerShell cmdlet

-# Troubleshoot Virtual Network Gateway and Connections using Azure Network Watcher PowerShell

-description: This page explains how to troubleshoot Virtual Network Gateways and Connections with Azure Network Watcher using REST

-# Troubleshoot Virtual Network gateway and Connections using Azure Network Watcher

-description: This page provides an overview of the Network Watcher resource troubleshooting capabilities

-# Introduction to resource troubleshooting in Azure Network Watcher

-Virtual Network Gateways provide connectivity between on-premises resources and other virtual networks within Azure. Monitoring gateways and their connections are critical to ensuring communication is not broken. Network Watcher provides the capability to troubleshoot gateways and connections. The capability can be called through the portal, PowerShell, Azure CLI, or REST API. When called, Network Watcher diagnoses the health of the gateway, or connection, and returns the appropriate results. The request is a long running transaction. The results are returned once the diagnosis is complete.

-description: Learn how to enable network security group (NSG) flow logs programmatically by using an Azure Resource Manager template (ARM template) and Azure PowerShell.

-# Quickstart: Configure network security group flow logs by using an ARM template

-In this quickstart, you learn how to enable [network security group (NSG) flow logs](network-watcher-nsg-flow-logging-overview.md) by using an [Azure Resource Manager](../azure-resource-manager/management/overview.md) template (ARM template) and Azure PowerShell.

-description: Learn how to enable network security group (NSG) flow logs programmatically by using Bicep and Azure PowerShell.

-# Quickstart: Configure network security group flow logs by using a Bicep file

-description: This article provides the list of Traffic Analytics supported regions.

-# Supported regions: NSG

-description: This article explains how to use the built-in policies to manage the deployment of Traffic Analytics

-# Deploy and manage Traffic Analytics using Azure Policy

-# Schema and data aggregation in Traffic Analytics

-description: Learn what traffic analytics is, and how to use traffic analytics for viewing network activity, securing networks, and optimizing performance.

-# Traffic analytics

-description: This article describes the usage scenarios of Traffic Analytics.

-# Usage scenarios

-VPN Gateway helps you create encrypted cross-premises connections to your virtual network from on-premises locations or create encrypted connections between VNets. There are different configurations available for VPN Gateway connections, such as site-to-site, point-to-site, and VNet-to-VNet.

-The following diagram illustrates multiple site-to-site VPN connections to the same virtual network.

-For more information about different types of VPN connections, see [What is VPN Gateway?](../../vpn-gateway/vpn-gateway-about-vpngateways.md).

-Azure Virtual WAN is a networking service that provides optimized and automated branch connectivity to, and through, Azure. Azure regions serve as hubs that you can choose to connect your branches to. You can leverage the Azure backbone to also connect branches for branch-to-VNet connectivity.

-Azure Virtual WAN brings together many Azure cloud connectivity services such as site-to-site VPN, ExpressRoute, and point-to-site user VPN into a single operational interface. Connectivity to Azure VNets is established by using virtual network connections. For more information, see [What is Azure Virtual WAN?](../../virtual-wan/virtual-wan-about.md).

-The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over TLS. When you connect via Azure Bastion, your virtual machines do not need a public IP address. For more information, see [What is Azure Bastion?](../../bastion/bastion-overview.md).

- --ssh-key-values ~/.ssh/id_rsa.pub \

-#### Applying filters and splitting on metrics with dimension

-#### Considerations when using the enhanced metrics

- * On **Burstable** SKU - this limit is 10 `database name` dimension

-| Germany West Central | :x: $$ | :x: $ | :heavy_check_mark: | :x: |

-| West US 2 | :x: $$ | :x: $ | :heavy_check_mark: | :heavy_check_mark:|

-This page provides latest news and updates regarding feature additions, engine versions support, extensions, and any other announcements relevant for Flexible Server - PostgreSQL.

-* Public preview of [Enhanced Metrics](./concepts-monitoring.md) for Azure Database for PostgreSQL ΓÇô Flexible Server

-| The default 5G QoS Indicator (5QI) or QoS class identifier (QCI) value for this service. The 5QI (for 5G networks) or QCI (for 4G networks) value identifies a set of QoS characteristics that control QoS forwarding treatment for QoS flows or EPS bearers. </br></br>We recommend you choose a 5QI or QCI value that corresponds to a non-GBR QoS flow or EPS bearer. These values are in the following ranges: 5-9; 69-70; 79-80. For more details, see 3GPP TS 23.501 for 5QI or 3GPP TS 23.203 for QCI.</br></br>You can also choose a non-standardized 5QI or QCI value.</p><p>Azure Private 5G Core doesn't support 5QI or QCI values corresponding to GBR or delay-critical GBR QoS flows or EPS bearers. Don't use a value in any of the following ranges: 1-4; 65-67; 71-76; 82-85. | **5QI/QCI** |No. Defaults to 9.|

-|The default 5QI (for 5G) or QCI (for 4G) value for this data network. These values identify a set of QoS characteristics that control QoS forwarding treatment for QoS flows or EPS bearers. </br></br>We recommend you choose a 5QI or QCI value that corresponds to a non-GBR QoS flow or EPS bearer. These values are in the following ranges: 5-9; 69-70; 79-80. For more details, see 3GPP TS 23.501 for 5QI or 3GPP TS 23.203 for QCI. </br></br>You can also choose a non-standardized 5QI or QCI value. </br></br>Azure Private 5G Core doesn't support 5QI or QCI values corresponding to GBR or delay-critical GBR QoS flows or EPS bearers. Don't use a value in any of the following ranges: 1-4; 65-67; 71-76; 82-85. | **5QI/QCI** | No. Defaults to 9. |

-Raw telemetry events are emitted to Azure Monitor. Events can be sent to a Log Analytics Workspace, archived to a customer storage account of choice, streamed to an event hub or sent to a partner solution for further analysis. Exporting of logs is done via the Diagnostic settings for the Microsoft Purview account on the Azure portal.

-Follow the steps to create a Diagnostic setting for your Microsoft Purview account and send to your preferred destination.

-Create a new diagnostic setting to collect platform logs and metrics by following this article: [Create diagnostic settings to send platform logs and metrics to different destinations](../azure-monitor/essentials/diagnostic-settings.md).

- :::image type="content" source="./media/how-to-monitor-with-azure-monitor/step-one-diagnostic-setting.png" alt-text="Screenshot showing creating diagnostic log." lightbox="./media/how-to-monitor-with-azure-monitor/step-one-diagnostic-setting.png":::

-You can send your logs to:

-

-#### Destination - Log Analytics Workspace

-Select the destination to a log analytics workspace to send the event to. Create a name for the diagnostic setting, select the applicable log category group and select the right subscription and workspace, then click save. The workspace doesn't have to be in the same region as the resource being monitored. Follow this article to [Create a New Log Analytics Workspace](../azure-monitor/logs/quick-create-workspace.md).

- :::image type="content" source="./media/how-to-monitor-with-azure-monitor/step-two-diagnostic-setting.png" alt-text="Screenshot showing assigning log analytics workspace to send event to." lightbox="./media/how-to-monitor-with-azure-monitor/step-two-diagnostic-setting.png":::

- :::image type="content" source="./media/how-to-monitor-with-azure-monitor/step-two-one-diagnostic-setting.png" alt-text="Screenshot showing saved diagnostic log event to log analytics workspace." lightbox="./media/how-to-monitor-with-azure-monitor/step-two-one-diagnostic-setting.png":::

-Verify the changes in **Log Analytics Workspace** by perfoming some operations to populate data such as creating/updating/deleting policy. After which you can open the **Log Analytics Workspace**, navigate to **Logs**, enter query filter as **"purviewsecuritylogs"**, then click **"Run"** to execute the query.

- :::image type="content" source="./media/how-to-monitor-with-azure-monitor/step-two-two-diagnostic-setting.png" alt-text="Screenshot showing log results in the Log Analytics Workspace after a query was run." lightbox="./media/how-to-monitor-with-azure-monitor/step-two-two-diagnostic-setting.png":::

-#### Destination - Storage account

-To log the events to a storage account; create a diagnostic setting name, select the log category,. select the destination as archieve to a storage account, select the right subscription and storage account then click save. A dedicated storage account is recommended for archiving the diagnostic logs. Following this article to [Create a storage account](../storage/common/storage-account-create.md?tabs=azure-portal).

- :::image type="content" source="./media/how-to-monitor-with-azure-monitor/step-three-diagnostic-setting.png" alt-text="Screenshot showing assigning storage account for diagnostic log." lightbox="./media/how-to-monitor-with-azure-monitor/step-three-diagnostic-setting.png":::

- :::image type="content" source="./media/how-to-monitor-with-azure-monitor/step-three-one-diagnostic-setting.png" alt-text="Screenshot showing saved log events to storage account." lightbox="./media/how-to-monitor-with-azure-monitor/step-three-one-diagnostic-setting.png":::

-

-To see logs in the **Storage Account**, create/update/delete a policy, then open the **Storage Account**, navigate to **Containers**, and click on the container name

- :::image type="content" source="./media/how-to-monitor-with-azure-monitor/step-three-two-diagnostic-setting.png" alt-text="Screenshot showing container in storage account where the diagnostic logs have been sent to." lightbox="./media/how-to-monitor-with-azure-monitor/step-three-two-diagnostic-setting.png":::

-Navigate to the flie and download it to see the logs

- :::image type="content" source="./media/how-to-monitor-with-azure-monitor/step-three-three-diagnostic-setting.png" alt-text="Screenshot showing folders with details of logs." lightbox="./media/how-to-monitor-with-azure-monitor/step-three-three-diagnostic-setting.png":::

- :::image type="content" source="./media/how-to-monitor-with-azure-monitor/step-three-four-diagnostic-setting.png" alt-text="Screenshot showing details of logs." lightbox="./media/how-to-monitor-with-azure-monitor/step-three-four-diagnostic-setting.png":::

- - Currently, if you're running on Pv3, then it's possible that you're already on a footprint that supports availability zones. In this scenario, you can create a new App Service plan and specify zone redundancy.

- - If you aren't using Pv3 or a scale unit that supports availability zones, are in an unsupported region, or are unsure, see the [migration guidance](#migration-guidance-redeployment).

-In this article we present security activities and controls to consider when you design applications for the cloud. Training resources along with security questions and concepts to consider during the requirements and design phases of the Microsoft [Security Development Lifecycle

-Before you begin developing your cloud application, take time to

-understand security and privacy on Azure. By taking this step, you can

-reduce the number and severity of exploitable vulnerabilities in your

-application. You'll be more prepared to react appropriately to the

-ever-changing threat landscape.

-Use the following resources during the training stage to familiarize

-yourself with the Azure services that are available to developers and

-with security best practices on Azure:

- - [Developer's guide to

- Azure](https://azure.microsoft.com/campaigns/developer-guide/) shows

- you how to get started with Azure. The guide shows you which

- services you can use to run your applications, store your data,

- incorporate intelligence, build IoT apps, and deploy your solutions

- in a more efficient and secure way.

- - [Get started guide for Azure

- developers](../../guides/developer/azure-developer-guide.md)

- provides essential information for developers who are looking to get

- started using the Azure platform for their development needs.

- - [SDKs and

- tools](../../index.yml?pivot=sdkstools)

- describes the tools that are available on Azure.

- - [Azure DevOps

- Services](/azure/devops/)

- provides development collaboration tools. The tools include

- high-performance pipelines, free Git repositories, configurable

- Kanban boards, and extensive automated and cloud-based load testing.

- The [DevOps Resource

- Center](/azure/devops/learn/) combines our

- resources for learning DevOps practices, Git version control, agile

- methods, how we work with DevOps at Microsoft, and how you can

- assess your own DevOps progression.

- - [Top 5 security items to consider before pushing to

- production](/training/modules/top-5-security-items-to-consider/index?WT.mc_id=Learn-Blog-tajanca)

- shows you how to help secure your web applications on Azure and

- protect your apps against the most common and dangerous web

- application attacks.

- - [Secure DevOps Kit for

- Azure](https://github.com/azsk/AzTS-docs/#readme) is a collection of

- scripts, tools, extensions, and automations that caters to the

- comprehensive Azure subscription and resource security needs of

- DevOps teams that use extensive automation. The Secure DevOps Kit

- for Azure can show you how to smoothly integrate security into your

- native DevOps workflows. The kit addresses tools like security

- verification tests (SVTs), which can help developers write secure

- code and test the secure configuration of their cloud applications

- in the coding and early development stages.

- - [Security best practices for Azure

- solutions](https://azure.microsoft.com/resources/security-best-practices-for-azure-solutions)

- provides a collection of security best practices to use as you

- design, deploy, and manage your cloud solutions by using Azure.

-The requirements definition phase is a crucial step in defining what your application is and what it will do when it's released. The requirements phase is also a time to think about the security controls that you will build into your application. During this phase, you also begin the steps that you will take throughout the SDL to ensure that you release and deploy a secure application.

-This phase is the best time to consider foundational security and

-privacy issues. Defining acceptable levels of security and privacy at

-the start of a project helps a team:

-When you write the requirements for your application, be sure to

-consider security controls that can help keep your application and data

-safe.

- - Does my application contain sensitive data?

- - Does my application collect or store data that requires me to adhere

- to industry standards and compliance programs like the [Federal Financial Institution Examination Council (FFIEC)](/previous-versions/azure/security/blueprints/ffiec-analytics-overview) or the [Payment Card Industry Data Security Standards (PCI DSS)](/previous-versions/azure/security/blueprints/pcidss-analytics-overview)?

- - Does my application collect or contain sensitive personal or

- customer data that can be used, either on its own or with other

- information, to identify, contact, or locate a single person?

- - Does my application collect or contain data that can be used to

- access an individual's medical, educational, financial, or

- employment information? Identifying the sensitivity of your data

- during the requirements phase helps you classify your data and

- identify the data protection method you will use for your

- application.

- - Where and how is my data stored? Consider how you will monitor the

- storage services that your application uses for any unexpected

- changes (such as slower response times). Will you be able to

- influence logging to collect more detailed data and analyze a

- problem in depth?

- - Will my application be available to the public (on the internet) or

- internally only? If your application is available to the public, how

- do you protect the data that might be collected from being used in

- the wrong way? If your application is available internally only,

- consider who in your organization should have access to the

- application and how long they should have access.

- - Do you understand your identity model before you begin designing

- your application? How will you determine that users are who they say

- they are and what a user is authorized to do?

- - Does my application perform sensitive or important tasks (such as

- transferring money, unlocking doors, or delivering medicine)?

- Consider how you will validate that the user performing a sensitive

- task is authorized to perform the task and how you will authenticate

- that the person is who they say they are. Authorization (AuthZ) is

- the act of granting an authenticated security principal permission

- to do something. Authentication (AuthN) is the act of challenging a

- party for legitimate credentials.

- - Does my application perform any risky software activities, like

- allowing users to upload or download files or other data? If your

- application does perform risky activities, consider how your

- application will protect users from handling malicious files or

- data.

-### Review OWASP top 10

-Consider reviewing the [<span class="underline">OWASP Top 10 Application Security Risks</span>](https://owasp.org/www-project-top-ten/).

-The OWASP Top 10 addresses critical security risks to web applications.

-Awareness of these security risks can help you make requirement and

-design decisions that minimize these risks in your application.

-Thinking about security controls to prevent breaches is important.

-However, you also want to [assume a breach](/devops/operate/security-in-devops)

-will occur. Assuming a breach helps answer some important questions

-about security in advance, so they don't have to be answered in an

-emergency:

- - How will I detect an attack?

- - What will I do if there is an attack or breach?

- - How am I going to recover from the attack like data leaking or

- tampering?

-The design phase is critical for establishing best practices for design

-and functional specifications. It also is critical for performing risk

-analysis that helps mitigate security and privacy issues throughout a

-project.

-When you have security requirements in place and use secure design

-concepts, you can avoid or minimize opportunities for a security flaw. A

-security flaw is an oversight in the design of the application that

-might allow a user to perform malicious or unexpected actions after your

-application is released.

-During the design phase, also think about how you can apply security in

-layers; one level of defense isn't necessarily enough. What happens if

-an attacker gets past your web application firewall (WAF)? You want

-another security control in place to defend against that attack.

-With this in mind, we discuss the following secure design concepts and

-the security controls you should address when you design secure

-applications:

-Be sure that you're using the latest version of your framework and all

-the security features that are available in the framework. Microsoft

-offers a comprehensive [set of development

-tools](https://azure.microsoft.com/product-categories/developer-tools/)

-for all developers, working on any platform or language, to deliver

-cloud applications. You can code with the language of your choice by

-choosing from various [SDKs](https://azure.microsoft.com/downloads/).

-You can take advantage of full-featured integrated development

-environments (IDEs) and editors that have advanced debugging

-capabilities and built-in Azure support.

-Microsoft offers a variety of [languages, frameworks, and

-tools](../../index.yml?panel=sdkstools-all&pivot=sdkstools)

-that you can use to develop applications on Azure. An example is [Azure

-for .NET and .NET Core

-developers](/dotnet/azure/). For each language

-and framework that we offer, you'll find quickstarts, tutorials, and API

-references to help you get started fast.

-Azure offers a variety of services you can use to host websites and web

-applications. These services let you develop in your favorite language,

-whether that's .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python.

-[Azure App Service Web

-Apps](../../app-service/overview.md)

-(Web Apps) is one of these services.

-Azure offers other services that you can use to host websites and web

-applications. For most scenarios, Web Apps is the best choice. For a

-micro service architecture, consider [Azure Service

-Fabric](../../service-fabric/index.yml).

-If you need more control over the VMs that your code runs on, consider

-[Azure Virtual

-Machines](../../virtual-machines/index.yml).

-For more information about how to choose between these Azure services,

-see a [comparison of Azure App Service, Virtual Machines, Service

-Fabric, and Cloud

-Services](/azure/architecture/guide/technology-choices/compute-decision-tree).

-See the [Open Web Application Security Project

-(OWASP)](https://www.owasp.org/) page on [using

-components with known

-vulnerabilities](https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities)

-for tool suggestions. You can also subscribe to email alerts for

-security vulnerabilities that are related to components you use.

-To help facilitate the threat modeling process, we designed the [SDL

-Threat Modeling

-Tool](threat-modeling-tool.md)

-with non-security experts in mind. This tool makes threat modeling

-easier for all developers by providing clear guidance about how to

-create and analyze threat models.

-Modeling the application design and enumerating

-[STRIDE](https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnxzZWN1cmVwcm9ncmFtbWluZ3xneDo0MTY1MmM0ZDI0ZjQ4ZDMy)

-threatsΓÇöSpoofing, Tampering, Repudiation, Information Disclosure, Denial

-of Service, and Elevation of PrivilegeΓÇöacross all trust boundaries has

-proven an effective way to catch design errors early on. The following

-table lists the STRIDE threats and gives some example mitigations that

-use features provided by Azure. These mitigations won't work in every

-situation.

-| Denial of Service | Availability | Monitor performance metrics for potential denial of service conditions. Implement connection filters. [Azure DDoS protection](../../ddos-protection/ddos-protection-overview.md#next-steps), combined with application design best practices, provides defense against DDoS attacks.|

-We discuss [conducting an attack surface

-review](secure-develop.md#conduct-attack-surface-review) during the verification phase of

-the SDL.

-Use two-factor authentication. Two-factor authentication is the current

-standard for authentication and authorization because it avoids the

-security weaknesses that are inherent in username and password types of

-authentication. Access to the Azure management interfaces (Azure

-portal/remote PowerShell) and to customer-facing services should be

-designed and configured to use [Azure Multi-Factor

-Authentication](../../active-directory/authentication/concept-mfa-howitworks.md).

-Use platform-supplied authentication and authorization mechanisms

-instead of custom code. This is because developing custom authentication

-code can be prone to error. Commercial code (for example, from

-Microsoft) often is extensively reviewed for security. [Azure Active

-Directory (Azure

-AD)](../../active-directory/fundamentals/active-directory-whatis.md)

-is the Azure solution for identity and access management. These Azure AD

-tools and services help with secure development:

-is a set of components that developers use to build apps that

-securely sign in users. The platform assists developers who are building

-single-tenant, line-of-business (LOB) apps and developers who are

-looking to develop multi-tenant apps. In addition to basic sign-in, apps

-built by using the Microsoft identity platform can call Microsoft APIs

-and custom APIs. The Microsoft identity platform supports industry-standard

-protocols like OAuth 2.0 and OpenID Connect.

-B2C)](../../active-directory-b2c/index.yml) is an

-identity management service you can use to customize and control how

-customers sign up, sign in, and manage their profiles when they use

-your applications. This includes applications that are developed for

-iOS, Android, and .NET, among others. Azure AD B2C enables these

-actions while protecting customer identities.

-The concept of [least

-privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege)

-means giving users the precise level of access and control they need to

-do their jobs and nothing more.

-Would a software developer need domain admin rights? Would an

-administrative assistant need access to administrative controls on their

-personal computer? Evaluating access to software is no different. If you

-use [Azure role-based access control

-(Azure RBAC)](../../role-based-access-control/overview.md)

-to give users different abilities and authority in your application, you

-wouldn't give everyone access to everything. By limiting access to what

-is required for each role, you limit the risk of a security issue

-occurring.

-Ensure that your application enforces [least

-privilege](/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models#in-applications)

-throughout its access patterns.

-> The rules of least privilege need to apply to the software and to the people creating the software. Software developers can be a huge risk to IT security if they are given too much access. The consequences can be severe if a developer has malicious intent or is given too much access. We recommend that the rules of least privilege be applied to developers throughout the development lifecycle.

-Implement *just-in-time* (JIT) access to further lower the exposure time

-of privileges. Use [Azure AD Privileged Identity

-Management](../../active-directory/roles/security-planning.md#stage-3-take-control-of-administrator-activity)

-### Require re-authentication for important transactions

-[Cross-site request

-forgery](/aspnet/core/security/anti-request-forgery)

-(also known as *XSRF* or *CSRF*) is an attack against web-hosted apps in

-which a malicious web app influences the interaction between a client

-browser and a web app that trusts that browser. Cross-site request

-forgery attacks are possible because web browsers send some types of

-authentication tokens automatically with every request to a website.

-This form of exploitation is also known as a *one-click attack* or

-*session riding* because the attack takes advantage of the user's

-previously authenticated session.

-Always put your keys, certificates, secrets, and connection strings in a

-key management solution. You can use a centralized solution in which

-keys and secrets are stored in hardware security modules (HSMs). Azure

-provides you with an HSM in the cloud with [Azure Key

-Vault](../../key-vault/general/overview.md).

-Protecting data should be an essential part of your security strategy.

-If your data is stored in a database or if it moves back and forth

-between locations, use encryption of [data at

-rest](../fundamentals/encryption-atrest.md)

-(while in the database) and encryption of [data in

-transit](../fundamentals/data-encryption-best-practices.md#protect-data-in-transit)

-(on its way to and from the user, the database, an API, or service

-endpoint). We recommend that you always use SSL/TLS protocols to

-exchange data. Ensure that you use the latest version of TLS for

-encryption (currently, this is version 1.2).

-Some things should never be hard-coded in your software. Some examples

-are hostnames or IP addresses, URLs, email addresses, usernames,

-passwords, storage account keys, and other cryptographic keys. Consider

-implementing requirements around what can or can't be hard-coded in your

-code, including in the comment sections of your code.

-When you put comments in your code, ensure that you don't save any

-sensitive information. This includes your email address, passwords,

-connection strings, information about your application that would only

-be known by someone in your organization, and anything else that might

-give an attacker an advantage in attacking your application or

-organization.

-Basically, assume that everything in your development project will be

-public knowledge when it is deployed. Avoid including sensitive data of

-any kind in the project.

-Earlier, we discussed [Azure Key

-Vault](../../key-vault/general/overview.md). You

-can use Key Vault to store secrets like keys and passwords instead of

-hard-coding them. When you use Key Vault in combination with managed

-identities for Azure resources, your Azure web app can access secret

-configuration values easily and securely without storing any secrets in

-your source control or configuration. To learn more, see [Manage secrets

-in your server apps with Azure Key

-Vault](/training/modules/manage-secrets-with-azure-key-vault/).

-Your application must be able to handle

-[errors](/dotnet/standard/exceptions/) that

-occur during execution in a consistent manner. The application should

-catch all errors and either fail safe or closed.

-You should also ensure that errors are logged with sufficient user

-context to identify suspicious or malicious activity. Logs should be

-retained for a sufficient time to allow delayed forensic analysis. Logs

-should be in a format that can be easily consumed by a log management

-solution. Ensure that alerts for errors that are related to security are

-triggered. Insufficient logging and monitoring allows attackers to

-further attack systems and maintain persistence.

-Implementing correct error and [exception

-handling](/dotnet/standard/exceptions/best-practices-for-exceptions)

-is an important part of defensive coding. Error and exception handling

-are critical to making a system reliable and secure. Mistakes in error

-handling can lead to different kinds of security vulnerabilities, such

-as leaking information to attackers and helping attackers understand

-more about your platform and design.

-[try/catch

-blocks](/dotnet/standard/exceptions/how-to-use-the-try-catch-block-to-catch-exceptions)

-in the code.

-[Azure Logic

-Apps](../../logic-apps/logic-apps-overview.md)

-provides a first-class experience for [handling errors and

-exceptions](../../logic-apps/logic-apps-exception-handling.md)

-that are caused by dependent systems. You can use Logic Apps to create

-workflows to automate tasks and processes that integrate apps, data,

-systems, and services across enterprises and

-organizations.

-[Log](/aspnet/core/fundamentals/logging/)

-your security issues for security investigations and trigger alerts

-about issues to ensure that people know about problems in a timely

-manner. Enable auditing and logging on all components. Audit logs should

-capture user context and identify all important events.

-This series of articles presents security activities and controls to consider when you develop applications for the cloud. The phases of the Microsoft Security Development Lifecycle (SDL) and security

-questions and concepts to consider during each phase of the lifecycle are covered. The goal is to help you define activities and Azure services that you can use in each phase of the lifecycle to design, develop, and deploy a more secure application.

-Security is one of the most important aspects of any application, and

-itΓÇÖs not a simple thing to get right. Fortunately, Azure provides many

-services that can help you secure your application in the cloud. These articles address activities and Azure services you can implement at each

-stage of your software development lifecycle to help you develop more secure code and deploy a more secure application in the cloud.

-Following best practices for secure software development requires

-integrating security into each phase of the software development

-lifecycle, from requirement analysis to maintenance, regardless of the

-project methodology

-([waterfall](https://en.wikipedia.org/wiki/Waterfall_model),

-[agile](https://en.wikipedia.org/wiki/Agile_software_development), or

-[DevOps](https://en.wikipedia.org/wiki/DevOps)). In the wake of

-high-profile data breaches and the exploitation of operational security

-flaws, more developers are understanding that security needs to be

-addressed throughout the development process.

-The later you fix a problem in your development lifecycle, the more that

-fix will cost you. Security issues are no exception. If you disregard

-security issues in the early phases of your software development, each

-phase that follows might inherit the vulnerabilities of the preceding

-phase. Your final product will have accumulated multiple security issues

-and the possibility of a breach. Building security into each phase of

-the development lifecycle helps you catch issues early, and it helps you

-reduce your development costs.

-We follow the phases of the Microsoft [Security Development Lifecycle

-(SDL)](/previous-versions/windows/desktop/cc307891(v=msdn.10))

-to introduce activities and Azure services that you can use to fulfill

-secure software development practices in each phase of the lifecycle.

-The SDL phases are:

- - Training

- - Requirements

- - Design

- - Implementation

- - Verification

- - Release

- - Response

-## Engage your organizationΓÇÖs security team

-Your organization might have a formal application security program that

-assists you with security activities from start to finish during the

-development lifecycle. If your organization has security and compliance

-teams, be sure to engage them before you begin developing your

-application. Ask them at each phase of the SDL whether there are any

-tasks you missed.

-[Microsoft Security Development Lifecycle

-(SDL)](/previous-versions/windows/desktop/cc307891(v=msdn.10))

-ΓÇô The SDL is a software development process from Microsoft that helps

-developers build more secure software. It helps you address security

-compliance requirements while reducing development costs.

-[Open Web Application Security Project

-(OWASP)](https://www.owasp.org/) ΓÇô OWASP is an online

-community that produces freely available articles, methodologies,

-documentation, tools, and technologies in the field of web application

-security.

-[Pushing Left, Like a

-Boss](https://wehackpurple.com/pushing-left-like-a-boss-part-1/)

-ΓÇô A series of online articles that outlines

-different types of application security activities that developers should complete to create more secure code.

-[Microsoft identity

-platform](../../active-directory/develop/index.yml) ΓÇô

-The Microsoft identity platform is an evolution of the Azure AD identity

-service and developer platform. ItΓÇÖs a full-featured platform that

-consists of an authentication service, open-source libraries,

-application registration and configuration, full developer

-documentation, code samples, and other developer content. The Microsoft

-identity platform supports industry-standard protocols like OAuth 2.0

-and OpenID Connect.

-[Security best practices for Azure

-solutions](https://azure.microsoft.com/resources/security-best-practices-for-azure-solutions/)

-ΓÇô A collection of security best practices to use when you design,

-deploy, and manage cloud solutions by using Azure. This paper is

-intended to be a resource for IT pros. This might include designers,

-architects, developers, and testers who build and deploy secure Azure

-solutions.

-[Security and Compliance Blueprints on

-Azure](../../governance/blueprints/samples/azure-security-benchmark-foundation/index.md) ΓÇô

-Azure Security and Compliance Blueprints are resources that can help you

-build and launch cloud-powered applications that comply with stringent

-regulations and standards.

-|**Custom logs** | Collection only | Collection only |

-|**Custom logs** | - | Collection only |

-# Turn on health monitoring for Microsoft Sentinel (preview)

-Monitor the health of supported Microsoft Sentinel resources by turning on the health monitoring feature in Microsoft Sentinel's **Settings** page. Get insights on health drifts, such as the latest failure events or changes from success to failure states, and use this information to create notifications and other automated actions.

-To get health data from the *SentinelHealth* data table, you must first turn on the Microsoft Sentinel health feature for your workspace.

-When the health feature is turned on, the *SentinelHealth* data table is created at the first success or failure event generated for supported resource types.

-The following resource types are currently supported:

-To configure the retention time for your health events, see [Configure data retention and archive policies in Azure Monitor Logs](../azure-monitor/logs/data-retention-archive.md).

-> The *SentinelHealth* data table is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-## Turn on health monitoring for your workspace

-1. Scroll down to the **Health monitoring** section that appears below, and select it to expand.

-1. Select **Configure Diagnostic Settings**.

-1. In the **Diagnostic settings** screen, select **+ Add diagnostic setting**.

- - In the **Logs** column, select the appropriate **Categories** for the resource types you want to monitor, for example **Data Collection - Connectors**.

-The *SentinelHealth* data table is created at the first success or failure event generated for the selected resources.

-## Access the *SentinelHealth* table

-SentinelHealth

-# Health monitoring in Microsoft Sentinel

-Microsoft Sentinel is a critical service for monitoring and ensuring your organizationΓÇÖs information security, so youΓÇÖll want to rest assured that itΓÇÖs always running smoothly. YouΓÇÖll want to be able to make sure that the service's many moving parts are always functioning as intended. You also might like to configure notifications of health drifts for relevant stakeholders who can take action. For example, you can configure email or Microsoft Teams messages to be sent to operations teams, managers, or officers, launch new tickets in your ticketing system, and so on.

-This article describes how Microsoft SentinelΓÇÖs health monitoring feature lets you monitor the activity of some of the serviceΓÇÖs key resources.

-This section describes the function and use cases of the health monitoring components.

-Health data is collected in the *SentinelHealth* table in your Log Analytics workspace. The prevalent way you'll use this data is by querying the table.

-> - The *SentinelHealth* data table is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-**Are my SAP systems running correctly?**

-[Are the SAP systems managed by your organization running correctly](monitor-sap-system-health.md)?. Are the systems up and running, or ar they unreachable? Does Microsoft Sentinel identify these systems as production systems?

-**Did an automation rule run as expected?**

-[Did my automation rule run when it was supposed to](./monitor-automation-health.md) - that is, when its conditions were met? Did all the actions in the automation rule run successfully?

-## How Microsoft Sentinel presents health data

-To dive into the health data that Microsoft Sentinel generates, you can:

-# SentinelHealth tables reference

-Microsoft Sentinel's health monitoring feature covers different kinds of resources, such as [data connectors](monitor-data-connector-health.md) and [automation rules](monitor-automation-health.md). Many of the data fields in the following tables apply across resource types, but some have specific applications for each type. The descriptions below will indicate one way or the other.

-| **TimeGenerated** | Datetime | The time at which the health event occurred. |

-| <a name="operationname_health"></a>**OperationName** | String | The health operation. Possible values depend on the resource type.<br>See [Operation names for different resource types](#operation-names-for-different-resource-types) for details. |

-| <a name="sentinelresourceid_health"></a>**SentinelResourceId** | String | The unique identifier of the resource on which the health event occurred, and its associated Microsoft Sentinel workspace. |

-| **SentinelResourceName** | String | The resource name. |

-| <a name="status_health"></a>**Status** | String | Indicates the overall result of the operation. Possible values depend on the operation name.<br>See [Operation names for different resource types](#operation-names-for-different-resource-types) for details. |

-| **Description** | String | Describes the operation, including extended data as needed. For failures, this can include details of the failure reason. |

-| **SentinelResourceType** | String | The Microsoft Sentinel resource type being monitored.<br>Possible values: `Data connector`, `Automation rule`, `Playbook` |

-| **SentinelResourceKind** | String | A resource classification within the resource type.<br>- For data connectors, this is the type of connected data source. |

-This article describes how to use Microsoft Sentinel's health monitoring features to keep track of your automation rules and playbooks' health from within Microsoft Sentinel.

-Automation health monitoring in Microsoft Sentinel has two parts:

-| Feature | Table | Coverage | Enable from |

-| - | - | - | - |

-| **Microsoft Sentinel automation health logs** | *SentinelHealth* | - Automation rules run<br>- Playbooks triggered | Microsoft Sentinel settings > Health monitoring |

-| **Azure Logic Apps diagnostics logs** | *AzureDiagnostics* | - Playbook run started/ended<br>- Playbook actions/triggers started/ended | Logic Apps resource > [Diagnostics settings](../azure-monitor/essentials/diagnostic-settings.md?tabs=portal#create-diagnostic-settings) |

-

- Set-AzRecoveryServicesVaultContext -ARSVault $vault

- "C:\Program Files (x86)\Microsoft Azure Site Recovery\agent\UnifiedAgentConfigurator.exe" /SourceConfigFilePath "config.json" /CSType CSPrime

-Syntax | `"<InstallLocation>\UnifiedAgentConfigurator.exe" /SourceConfigFilePath "config.json" /CSType CSPrime >`

-To rehydrate a large number of blobs at one time, call the [Blob Batch](/rest/api/storageservices/blob-batch) operation to call [Set Blob Tier](/rest/api/storageservices/set-blob-tier) as a bulk operation. For a code example that shows how to perform the batch operation, see [AzBulkSetBlobTier](/samples/azure/azbulksetblobtier/azbulksetblobtier/).

-> Microsoft recommends that you upload your blobs directly the archive tier for greater efficiency. You can specify the archive tier in the *x-ms-access-tier* header on the [Put Blob](/rest/api/storageservices/put-blob) or [Put Block List](/rest/api/storageservices/put-block-list) operation. The *x-ms-access-tier* header is supported with REST version 2018-11-09 and newer or the latest blob storage client libraries.

-Calling an operation such as [Put Blob](/rest/api/storageservices/put-blob), [Put Block List](/rest/api/storageservices/put-block-list), or [Copy Blob](/rest/api/storageservices/copy-blob) overwrites the data in a blob. When blob soft delete is enabled, overwriting a blob automatically creates a soft-deleted snapshot of the blob's state prior to the write operation. When the retention period expires, the soft-deleted snapshot is permanently deleted.

-| [Access tier - archive](access-tiers-overview.md) | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

-| [Access tier - cool](access-tiers-overview.md) | &#x2705; | &#x2705; | &#x2705;| &#x2705; |

-| [Access tier - hot](access-tiers-overview.md) | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

-**Can I enable either Azure AD DS or on-premises AD DS authentication for Azure file shares using an Azure AD tenant that is different from the Azure file share's primary tenant?**

- No, Azure Files only supports Azure AD DS or on-premises AD DS integration with an Azure AD tenant that resides in the same subscription as the file share. Only one subscription can be associated with an Azure AD tenant. This limitation applies to both Azure AD DS and on-premises AD DS authentication methods. When using on-premises AD DS for authentication, [the AD DS credential must be synced to the Azure AD](../../active-directory/hybrid/how-to-connect-install-roadmap.md) that the storage account is associated with.

-# Azure Synapse Runtime for Apache Spark 2.4

-# Azure Synapse Runtime for Apache Spark 3.1

-abind 1.4-5

-anomalize 0.2.2

-anytime 0.3.9

-arrow 7.0.0

-askpass 1.1

-assertthat 0.2.1

-backports 1.4.1

-base64enc 0.1-3

-BH 1.78.0-0

-bit 4.0.4

-bit64 4.0.5

-blob 1.2.3

-brew 1.0-7

-brio 1.1.3

-broom 0.8.0

-bslib 0.3.1

-cachem 1.0.6

-callr 3.7.0

-car 3.0-13

-carData 3.0-5

-caret 6.0-86

-cellranger 1.1.0

-checkmate 2.1.0

-chron 2.3-56

-cli 3.3.0

-clipr 0.8.0

-colorspace 2.0-3

-commonmark 1.8.0

-config 0.3.1

-corrplot 0.92

-covr 3.5.1

-cpp11 0.4.2

-crayon 1.5.1

-credentials 1.3.2

-crosstalk 1.2.0

-curl 4.3.2

-data.table 1.14.2

-DBI 1.1.2

-dbplyr 2.1.1

-desc 1.4.1

-devtools 2.3.2

-diffobj 0.3.5

-digest 0.6.29

-dplyr 1.0.9

-DT 0.22

-dtplyr 1.2.1

-dygraphs 1.1.1.6

-ellipsis 0.3.2

-evaluate 0.15

-extraDistr 1.9.1

-fansi 1.0.3

-farver 2.1.0

-fastmap 1.1.0

-forcats 0.5.1

-foreach 1.5.2

-forecast 8.13

-forge 0.2.0

-formatR 1.12

-fracdiff 1.5-1

-fs 1.5.2

-furrr 0.3.0

-futile.logger 1.4.3

-futile.options 1.0.1

-future 1.25.0

-future.apply 1.9.0

-gargle 1.2.0

-generics 0.1.2

-gert 1.6.0

-ggplot2 3.3.6

-gh 1.3.0

-gitcreds 0.1.1

-glmnet 4.1-4

-globals 0.14.0

-glue 1.6.2

-gower 1.0.0

-gridExtra 2.3

-gsubfn 0.7

-gtable 0.3.0

-gtools 3.8.2

-hardhat 0.2.0

-haven 2.5.0

-highr 0.9

-hms 1.1.1

-htmltools 0.5.2

-htmlwidgets 1.5.4

-httr 1.4.3

-hwriter 1.3.2.1

-ids 1.0.1

-ini 0.3.1

-inline 0.3.19

-ipred 0.9-12

-isoband 0.2.5

-iterators 1.0.14

-jquerylib 0.1.4

-jsonlite 1.7.2

-knitr 1.39

-labeling 0.4.2

-lambda.r 1.2.4

-later 1.3.0

-lava 1.6.10

-lazyeval 0.2.2

-lifecycle 1.0.1

-listenv 0.8.0

-lme4 1.1-29

-lmtest 0.9-40

-loo 2.5.1

-lubridate 1.8.0

-magrittr 2.0.3

-maptools 1.1-4

-markdown 1.1

-MatrixModels 0.5-0

-matrixStats 0.62.0

-memoise 2.0.1

-mime 0.12

-minqa 1.2.4

-ModelMetrics 1.2.2.2

-modelr 0.1.8

-munsell 0.5.0

-nloptr 2.0.1

-notebookutils 3.1.2-20220721.3

-numDeriv 2016.8-1.1

-openssl 2.0.0

-padr 0.6.0

-parallelly 1.31.1

-pbkrtest 0.5.1

-pillar 1.7.0

-pkgbuild 1.3.1

-pkgconfig 2.0.3

-pkgload 1.2.4

-plogr 0.2.0

-plotly 4.10.0

-plotrix 3.8-1

-plyr 1.8.7

-praise 1.0.0

-prettyunits 1.1.1

-pROC 1.18.0

-processx 3.5.3

-prodlim 2019.11.13

-progress 1.2.2

-progressr 0.10.0

-promises 1.2.0.1

-prophet 0.6.1

-proto 1.0.0

-ps 1.7.0

-purrr 0.3.4

-quadprog 1.5-8

-quantmod 0.4.20

-quantreg 5.93

-R.methodsS3 1.8.1

-R.oo 1.24.0

-R.utils 2.12.0

-r2d3 0.2.6

-R6 2.5.1

-randomForest 4.7-1

-rappdirs 0.3.3

-rcmdcheck 1.4.0

-RColorBrewer 1.1-3

-Rcpp 1.0.8.3

-RcppArmadillo 0.11.0.0.0

-RcppEigen 0.3.3.9.2

-RcppParallel 5.1.5

-RcppRoll 0.3.0

-readr 2.1.2

-readxl 1.4.0

-recipes 0.2.0

-rematch 1.0.1

-rematch2 2.1.2

-remotes 2.4.2

-reprex 2.0.1

-reshape2 1.4.3

-reticulate 1.18

-rex 1.2.1

-rlang 1.0.2

-rmarkdown 2.14

-RODBC 1.3-19

-roxygen2 7.1.2

-rprojroot 2.0.3

-rsample 0.1.1

-RSQLite 2.2.13

-rstan 2.21.5

-rstantools 2.2.0

-rstatix 0.7.0

-rstudioapi 0.13

-rversions 2.1.1

-rvest 1.0.2

-sass 0.4.1

-scales 1.2.0

-selectr 0.4-2

-sessioninfo 1.2.2

-shape 1.4.6

-slider 0.2.2

-sourcetools 0.1.7

-sp 1.4-7

-sparklyr 1.5.2

-SparseM 1.81

-sqldf 0.4-11

-SQUAREM 2021.1

-StanHeaders 2.21.0-7

-stringi 1.7.6

-stringr 1.4.0

-sweep 0.2.3

-sys 3.4

-testthat 3.1.4

-tibble 3.1.7

-tibbletime 0.1.6

-tidyr 1.2.0

-tidyselect 1.1.2

-tidyverse 1.3.1

-timeDate 3043.102

-timetk 2.8.0

-tinytex 0.38

-tseries 0.10-51

-tsfeatures 1.0.2

-TTR 0.24.3

-tzdb 0.3.0

-urca 1.3-0

-usethis 2.1.5

-utf8 1.2.2

-uuid 1.1-0

-vctrs 0.4.1

-viridisLite 0.4.0

-vroom 1.5.7

-waldo 0.4.0

-warp 0.2.0

-whisker 0.4

-withr 2.5.0

-xfun 0.30

-xml2 1.3.3

-xopen 1.0.0

-xtable 1.8-4

-xts 0.12.1

-yaml 2.3.5

-zip 2.2.0

-zoo 1.8-10

-Azure Synapse Analytics supports multiple runtimes for Apache Spark. This document will cover the runtime components and versions for the Azure Synapse Runtime for Apache Spark 3.3.

-> [!NOTE]

-> Azure Synapse Runtime for Apache Spark 3.3 is currently in Public Preview. Please expect some major components version changes as well.

-| .NET Core | 3.1 |

-| .NET | 2.0.0 |

-| Delta Lake | 2.1.0 |

-| Python | 3.8 |

-| R (Preview) | 4.2.2 |

-| **Library** | **Version** | **Library** | **Version** | **Library** | **Version** |

-|:-:|:--:|:--:|:-:|:-:|:-:|

-| activation | 1.1.1 | httpclient5 | 5.1.3 | opentracing-api | 0.33.0 |

-| adal4j | 1.6.3 | httpcore | 4.4.14 | opentracing-noop | 0.33.0 |

-| aircompressor | 0.21 | httpmime | 4.5.13 | opentracing-util | 0.33.0 |

-| algebra | 2.12-2.0.1 | hyperspace-core-spark3.2_2.12 | 0.5.1-synapse | orc-core | 1.7.6 |

-| aliyun-java-sdk-core | 4.5.10 | impulse-core_spark3.2_2.12 | 1.0.4 | orc-mapreduce | 1.7.6 |

-| aliyun-java-sdk-kms | 2.11.0 | impulse-telemetry-mds_spark3.2_2.12 | 1.0.4 | orc-shims | 1.7.6 |

-| aliyun-java-sdk-ram | 3.1.0 | ini4j | 0.5.4 | oro | 2.0.8 |

-| aliyun-sdk-oss | 3.13.0 | isolation-forest_3.2.0_2.12 | 2.0.8 | osgi-resource-locator | 1.0.3 |

-| annotations | 17.0.0 | istack-commons-runtime | 3.0.8 | paranamer | 2.8 |

-| antlr-runtime | 3.5.2 | ivy | 2.5.1 | parquet-column | 1.12.3 |

-| antlr4-runtime | 4.8 | jackson-annotations | 2.13.4 | parquet-common | 1.12.3 |

-| aopalliance-repackaged | 2.6.1 | jackson-core | 2.13.4 | parquet-encoding | 1.12.3 |

-| arpack_combined_all | 0.1 | jackson-core-asl | 1.9.13 | parquet-format-structures | 1.12.3 |

-| arpack | 2.2.1 | jackson-databind | 2.13.4.1 | parquet-hadoop | 1.12.3 |

-| arrow-format | 7.0.0 | jackson-dataformat-cbor | 2.13.4 | parquet-jackson | 1.12.3 |

-| arrow-memory-core | 7.0.0 | jackson-mapper-asl | 1.9.13 | peregrine-spark | 0.10.2 |

-| arrow-memory-netty | 7.0.0 | jackson-module-scala_2.12 | 2.13.4 | pickle | 1.2 |

-| arrow-vector | 7.0.0 | jakarta.annotation-api | 1.3.5 | postgresql | 42.2.9 |

-| audience-annotations | 0.5.0 | jakarta.inject | 2.6.1 | protobuf-java | 2.5.0 |

-| avro | 1.11.0 | jakarta.servlet-api | 4.0.3 | proton-j | 0.33.8 |

-| avro-ipc | 1.11.0 | jakarta.validation-api | 2.0.2 | py4j | 0.10.9.5 |

-| avro-mapred | 1.11.0 | jakarta.ws.rs-api | 2.1.6 | qpid-proton-j-extensions | 1.2.4 |

-| aws-java-sdk-bundle | 1.11.1026 | jakarta.xml.bind-api | 2.3.2 | RoaringBitmap | 0.9.25 |

-| azure-data-lake-store-sdk | 2.3.9 | janino | 3.0.16 | rocksdbjni | 6.20.3 |

-| azure-eventhubs | 3.3.0 | javassist | 3.25.0-GA | scala-collection-compat_2.12 | 2.1.1 |

-| azure-eventhubs-spark_2.12 | 2.3.22 | javatuples | 1.2 | scala-compiler | 2.12.15 |

-| azure-keyvault-core | 1.0.0 | javax.jdo | 3.2.0-m3 | scala-java8 | compat_2.12-0.9.0 |

-| azure-storage | 7.0.1 | javolution | 5.5.1 | scala-library | 2.12.15 |

-| azure-synapse-ml-pandas | 2.12-0.1.1 | jaxb-api | 2.2.11 | scala-parser-combinators_2.12 | 1.1.2 |

-| azure-synapse-ml-predict | 2.12-1.0 | jaxb-runtime | 2.3.2 | scala-reflect | 2.12.15 |

-| blas | 2.2.1 | jcl-over-slf4j | 1.7.32 | scala-xml_2.12 | 1.2.0 |

-| bonecp | 0.8.0.RELEASE | jdo-api | 3.0.1 | scalactic_2.12 | 3.0.5 |

-| breeze | 2.12-1.2 | jdom2 | 2.0.6 | shapeless_2.12 | 2.3.7 |

-| breeze-macros | 2.12-1.2 | jersey-client | 2.36 | shims | 0.9.25 |

-| cats-kernel | 2.12-2.1.1 | jersey-common | 2.36 | slf4j-api | 1.7.32 |

-| chill | 2.12-0.10.0 | jersey-container-servlet | 2.36 | snappy-java | 1.1.8.4 |

-| chill-java | 0.10.0 | jersey-container-servlet-core | 2.36 | spark_diagnostic_cli | 2.0.0_spark-3.3.0 |

-| client-jar-sdk | 1.14.0 | jersey-hk2 | 2.36 | spark-3.3-advisor-core_2.12 | 1.0.14 |

-| cntk | 2.4 | jersey-server | 2.36 | spark-3.3-rpc-history-server-app-listener_2.12 | 1.0.0 |

-| commons-cli | 1.5.0 | jettison | 1.1 | spark-3.3-rpc-history-server-core_2.12 | 1.0.0 |

-| commons-codec | 1.15 | jetty-util | 9.4.48.v20220622 | spark-avro_2.12 | 3.3.1.5.2-76471634 |

-| commons-collections | 3.2.2 | jetty-util-ajax | 9.4.48.v20220622 | spark-catalyst_2.12 | 3.3.1.5.2-76471634 |

-| commons-collections4 | 4.4 | JLargeArrays | 1.5 | spark-cdm-connector-assembly | 1.19.2 |

-| commons-compiler | 3.0.16 | jline | 2.14.6 | spark-core_2.12 | 3.3.1.5.2-76471634 |

-| commons-compress | 1.21 | joda-time | 2.10.13 | spark-enhancement_2.12 | 3.3.1.5.2-76471634 |

-| commons-crypto | 1.1.0 | jodd-core | 3.5.2 | spark-enhancementui_2.12 | 3.0.0 |

-| commons-dbcp | 1.4 | jpam | 1.1 | spark-graphx_2.12 | 3.3.1.5.2-76471634 |

-| commons-io | 2.11.0 | jsch | 0.1.54 | spark-hadoop-cloud_2.12 | 3.3.1.5.2-76471634 |

-| commons-lang | 2.6 | json | 1.8 | spark-hive_2.12 | 3.3.1.5.2-76471634 |

-| commons-lang3 | 3.12.0 | json | 20090211 | spark-hive-thriftserver_2.12 | 3.3.1.5.2-76471634 |

-| commons-logging | 1.1.3 | json-simple | 1.1 | spark-kusto-synapse-connector_3.1_2.12 | 1.1.1 |

-| commons-math3 | 3.6.1 | json4s-ast_2.12 | 3.7.0-M11 | spark-kvstore_2.12 | 3.3.1.5.2-76471634 |

-| commons-pool | 1.5.4 | json4s-core_2.12 | 3.7.0-M11 | spark-launcher_2.12 | 3.3.1.5.2-76471634 |

-| commons-pool2 | 2.11.1 | json4s-jackson_2.12 | 3.7.0-M11 | spark-lighter-contract_2.12 | 2.0.0_spark-3.3.0 |

-| commons-text | 1.10.0 | json4s-scalap_2.12 | 3.7.0-M11 | spark-lighter-core_2.12 | 2.0.0_spark-3.3.0 |

-| compress-lzf | 1.1 | jsr305 | 3.0.0 | spark-microsoft-tools_2.12 | 3.3.1.5.2-76471634 |

-| config | 1.3.4 | jta | 1.1 | spark-mllib_2.12 | 3.3.1.5.2-76471634 |

-| core | 1.1.2 | JTransforms | 3.1 | spark-mllib-local_2.12 | 3.3.1.5.2-76471634 |

-| cos_api-bundle | 5.6.19 | jul-to-slf4j | 1.7.32 | spark-mssql-connector | 1.2.0 |

-| cosmos-analytics-spark-3.2.1-connector | 1.6.3 | kafka-clients | 2.8.1 | spark-network-common_2.12 | 3.3.1.5.2-76471634 |

-| curator-client | 2.13.0 | kryo-shaded | 4.0.2 | spark-network-shuffle_2.12 | 3.3.1.5.2-76471634 |

-| curator-framework | 2.13.0 | kusto-data | 2.8.2 | spark-repl_2.12 | 3.3.1.5.2-76471634 |

-| curator-recipes | 2.13.0 | kusto-ingest | 2.8.2 | spark-sketch_2.12 | 3.3.1.5.2-76471634 |

-| datanucleus-api-jdo | 4.2.4 | kusto-spark_synapse_3.0_2.12 | 2.9.3 | spark-sql_2.12 | 3.3.1.5.2-76471634 |

-| datanucleus-core | 4.1.17 | lapack | 2.2.1 | spark-sql-kafka-0-10_2.12 | 3.3.1.5.2-76471634 |

-| datanucleus-rdbms | 4.1.19 | leveldbjni-all | 1.8 | spark-streaming_2.12 | 3.3.1.5.2-76471634 |

-| delta-core_2.12 | 2.1.0.2 | libfb303 | 0.9.3 | spark-streaming-kafka-0-10_2.12 | 3.3.1.5.2-76471634 |

-| delta-storage | 2.1.0.2 | libshufflejni.so | | spark-streaming-kafka-0-10-assembly_2.12 | 3.3.1.5.2-76471634 |

-| derby | 10.14.2.0 | libthrift | 0.12.0 | spark-tags_2.12 | 3.3.1.5.2-76471634 |

-| dropwizard-metrics-hadoop-metrics2-reporter | 0.1.2 | libvegasjni.so | | spark-token-provider-kafka-0-10_2.12 | 3.3.1.5.2-76471634 |

-| flatbuffers-java | 1.12.0 | lightgbmlib | 3.2.110 | spark-unsafe_2.12 | 3.3.1.5.2-76471634 |

-| fluent-logger-jar-with-dependencies | jdk8 | log4j-1.2-api | 2.17.2 | spark-yarn_2.12 | 3.3.1.5.2-76471634 |

-| genesis-client_2.12 | 0.19.0-jar-with-dependencies | log4j-api | 2.17.2 | SparkCustomEvents | 3.2.0-1.0.5 |

-| gson | 2.8.6 | log4j-core | 2.17.2 | sparknativeparquetwriter_2.12 | 0.6.0-spark-3.3 |

-| guava | 14.0.1 | log4j-slf4j-impl | 2.17.2 | spire_2.12 | 0.17.0 |

-| hadoop-aliyun | 3.3.3.5.2-76471634 | lz4-java | 1.8.0 | spire-macros_2.12 | 0.17.0 |

-| hadoop-annotations | 3.3.3.5.2-76471634 | mdsdclientdynamic | 2.0 | spire-platform_2.12 | 0.17.0 |

-| hadoop-aws | 3.3.3.5.2-76471634 | metrics-core | 4.2.7 | spire-util_2.12 | 0.17.0 |

-| hadoop-azure | 3.3.3.5.2-76471634 | metrics-graphite | 4.2.7 | spray-json_2.12 | 1.3.5 |

-| hadoop-azure-datalake | 3.3.3.5.2-76471634 | metrics-jmx | 4.2.7 | sqlanalyticsconnector | 3.3.0-2.0.8 |

-| hadoop-client-api | 3.3.3.5.2-76471634 | metrics-json | 4.2.7 | ST4 | 4.0.4 |

-| hadoop-client-runtime | 3.3.3.5.2-76471634 | metrics-jvm | 4.2.7 | stax-api | 1.0.1 |

-| hadoop-cloud-storage | 3.3.3.5.2-76471634 | microsoft-catalog-metastore-client | 1.0.83 | stream | 2.9.6 |

-| hadoop-cos | 3.3.3.5.2-76471634 | microsoft-log4j-etwappender | 1.0 | structuredstreamforspark_2.12 | 3.2.0-2.3.0 |

-| hadoop-openstack | 3.3.3.5.2-76471634 | microsoft-spark | | super-csv | 2.2.0 |

-| hadoop-shaded-guava | 1.1.1 | minlog | 1.3.0 | synapseml_2.12 | 0.10.1-22-95f451ab-SNAPSHOT |

-| hadoop-yarn-server-web-proxy | 3.3.3.5.2-76471634 | mssql-jdbc | 8.4.1.jre8 | synapseml-cognitive_2.12 | 0.10.1-22-95f451ab-SNAPSHOT |

-| hdinsight-spark-metrics | 3.2.0-1.0.5 | mysql-connector-java | 8.0.18 | synapseml-core_2.12 | 0.10.1-22-95f451ab-SNAPSHOT |

-| HikariCP | 2.5.1 | netty-all | 4.1.74.Final | synapseml-deep-learning_2.12 | 0.10.1-22-95f451ab-SNAPSHOT |

-| hive-beeline | 2.3.9 | netty-buffer | 4.1.74.Final | synapseml-internal_2.12 | 0.0.0-99-bda3814c-SNAPSHOT |

-| hive-cli | 2.3.9 | netty-codec | 4.1.74.Final | synapseml-lightgbm_2.12 | 0.10.1-22-95f451ab-SNAPSHOT |

-| hive-common | 2.3.9 | netty-common | 4.1.74.Final | synapseml-opencv_2.12 | 0.10.1-22-95f451ab-SNAPSHOT |

-| hive-exec | 2.3.9-core | netty-handler | 4.1.74.Final | synapseml-vw_2.12 | 0.10.1-22-95f451ab-SNAPSHOT |

-| hive-jdbc | 2.3.9 | netty-resolver | 4.1.74.Final | synfs | 3.3.0-20221106.6 |

-| hive-llap-common | 2.3.9 | netty-tcnative-classes | 2.0.48.Final | threeten-extra | 1.5.0 |

-| hive-metastore | 2.3.9 | netty-transport | 4.1.74.Final | tink | 1.6.1 |

-| hive-serde | 2.3.9 | netty-transport-classes-epoll | 4.1.74.Final | TokenLibrary-assembly | 3.3.2 |

-| hive-service-rpc | 3.1.2 | netty-transport-classes-kqueue | 4.1.74.Final | transaction-api | 1.1 |

-| hive-shims-0.23 | 2.3.9 | netty-transport-native-epoll | 4.1.74.Final-linux-aarch_64 | tridenttokenlibrary-assembly | 1.0.8 |

-| hive-shims | 2.3.9 | netty-transport-native-epoll | 4.1.74.Final-linux-x86_64 | univocity-parsers | 2.9.1 |

-| hive-shims-common | 2.3.9 | netty-transport-native-kqueue | 4.1.74.Final-osx-aarch_64 | VegasConnector | 1.2.02_2.12_3.2 |

-| hive-shims-scheduler | 2.3.9 | netty-transport-native-kqueue | 4.1.74.Final-osx-x86_64 | velocity | 1.5 |

-| hive-storage-api | 2.7.2 | netty-transport-native-unix-common | 4.1.74.Final | vw-jni | 8.9.1 |

-| hive-vector-code-gen | 2.3.9 | notebook-utils | 3.3.0-20221106.6 | wildfly-openssl | 1.0.7.Final |

-| hk2-api | 2.6.1 | objenesis | 3.2 | xbean-asm9-shaded | 4.20 |

-| hk2-locator | 2.6.1 | onnxruntime_gpu | 1.8.1 | xz | 1.8 |

-| hk2-utils | 2.6.1 | opencsv | 2.3 | zookeeper | 3.6.2.5.2-76471634 |

-| httpclient | 4.5.13 | opencv | 3.2.0-1 | zookeeper-jute | 3.6.2.5.2-76471634 |

-| | | | | zstd-jni | 1.5.2-1 |

-| **Library** | **Version** | **Library** | **Version** | **Library** | **Version** |

-|:--:|::|:--:|::|:-:|:-:|

-| _libgcc_mutex | 0.1 | keras-applications | 1.0.8 | pyparsing | 2.4.7 |

-| _openmp_mutex | 4.5 | keras-preprocessing | 1.1.2 | pyqt | 5.12.3 |

-| _py-xgboost-mutex | 2.0 | keras2onnx | 1.6.5 | pyqt-impl | 5.12.3 |

-| abseil-cpp | 20210324.0 | kiwisolver | 1.3.1 | pyqt5-sip | 4.19.18 |

-| absl-py | 0.13.0 | koalas | 1.8.0 | pyqtchart | 5.12 |

-| adal | 1.2.7 | krb5 | 1.19.1 | pyqtwebengine | 5.12.1 |

-| adlfs | 0.7.7 | lcms2 | 2.12 | pysocks | 1.7.1 |

-| aiohttp | 3.7.4.post0 | ld_impl_linux-64 | 2.36.1 | python | 3.8.10 |

-| alsa-lib | 1.2.3 | lerc | 2.2.1 | python-dateutil | 2.8.1 |

-| appdirs | 1.4.4 | liac-arff | 2.5.0 | python-flatbuffers | 1.12 |

-| arrow-cpp | 3.0.0 | libaec | 1.0.5 | python_abi | 3.8 |

-| astor | 0.8.1 | libblas | 3.9.0 | pytorch | 1.8.1 |

-| astunparse | 1.6.3 | libbrotlicommon | 1.0.9 | pytz | 2021.1 |

-| async-timeout | 3.0.1 | libbrotlidec | 1.0.9 | pyu2f | 0.1.5 |

-| attrs | 21.2.0 | libbrotlienc | 1.0.9 | pywavelets | 1.1.1 |

-| aws-c-cal | 0.5.11 | libcblas | 3.9.0 | pyyaml | 5.4.1 |

-| aws-c-common | 0.6.2 | libclang | 11.1.0 | pyzmq | 22.1.0 |

-| aws-c-event-stream | 0.2.7 | libcurl | 7.77.0 | qt | 5.12.9 |

-| aws-c-io | 0.10.5 | libdeflate | 1.7 | re2 | 2021.04.01 |

-| aws-checksums | 0.1.11 | libedit | 3.1.20210216 | readline | 8.1 |

-| aws-sdk-cpp | 1.8.186 | libev | 4.33 | regex | 2021.7.6 |

-| azure-datalake-store | 0.0.51 | libevent | 2.1.10 | requests | 2.25.1 |

-| azure-identity | 2021.03.15b1 | libffi | 3.3 | requests-oauthlib | 1.3.0 |

-| azure-storage-blob | 12.8.1 | libgcc-ng | 9.3.0 | retrying | 1.3.3 |

-| backcall | 0.2.0 | libgfortran-ng | 9.3.0 | rsa | 4.7.2 |

-| backports | 1.0 | libgfortran5 | 9.3.0 | ruamel_yaml | 0.15.100 |

-| backports.functools_lru_cache | 1.6.4 | libglib | 2.68.3 | s2n | 1.0.10 |

-| beautifulsoup4 | 4.9.3 | libiconv | 1.16 | salib | 1.3.11 |

-| blas | 2.109 | liblapack | 3.9.0 | scikit-image | 0.18.1 |

-| blas-devel | 3.9.0 | liblapacke | 3.9.0 | scikit-learn | 0.23.2 |

-| blinker | 1.4 | libllvm10 | 10.0.1 | scipy | 1.5.3 |

-| blosc | 1.21.0 | libllvm11 | 11.1.0 | seaborn | 0.11.1 |

-| bokeh | 2.3.2 | libnghttp2 | 1.43.0 | seaborn-base | 0.11.1 |

-| brotli | 1.0.9 | libogg | 1.3.5 | setuptools | 49.6.0 |

-| brotli-bin | 1.0.9 | libopus | 1.3.1 | shap | 0.39.0 |

-| brotli-python | 1.0.9 | libpng | 1.6.37 | six | 1.16.0 |

-| brotlipy | 0.7.0 | libpq | 13.3 | skl2onnx | 1.8.0.1 |

-| brunsli | 0.1 | libprotobuf | 3.15.8 | sklearn-pandas | 2.2.0 |

-| bzip2 | 1.0.8 | libsodium | 1.0.18 | slicer | 0.0.7 |

-| c-ares | 1.17.1 | libssh2 | 1.9.0 | smart_open | 5.1.0 |

-| ca-certificates | 2021.7.5 | libstdcxx-ng | 9.3.0 | smmap | 3.0.5 |

-| cachetools | 4.2.2 | libthrift | 0.14.1 | snappy | 1.1.8 |

-| cairo | 1.16.0 | libtiff | 4.2.0 | soupsieve | 2.2.1 |

-| certifi | 2021.5.30 | libutf8proc | 2.6.1 | sqlite | 3.36.0 |

-| cffi | 1.14.5 | libuuid | 2.32.1000 | statsmodels | 0.12.2 |

-| chardet | 4.0.0 | libuv | 1.41.1 | tabulate | 0.8.9 |

-| charls | 2.2.0 | libvorbis | 1.3.7 | tenacity | 7.0.0 |

-| click | 8.0.1 | libwebp-base | 1.2.0 | tensorboard | 2.4.1 |

-| cloudpickle | 1.6.0 | libxcb | 1.14 | tensorboard-plugin-wit | 1.8.0 |

-| conda | 4.9.2 | libxgboost | 1.4.0 | tensorflow | 2.4.1 |

-| conda-package-handling | 1.7.3 | libxkbcommon | 1.0.3 | tensorflow-base | 2.4.1 |

-| configparser | 5.0.2 | libxml2 | 2.9.12 | tensorflow-estimator | 2.4.0 |

-| cryptography | 3.4.7 | libzopfli | 1.0.3 | termcolor | 1.1.0 |

-| cudatoolkit | 11.1.1 | lightgbm | 3.2.1 | textblob | 0.15.3 |

-| cycler | 0.10.0 | lime | 0.2.0.1 | threadpoolctl | 2.1.0 |

-| cython | 0.29.23 | llvm-openmp | 11.1.0 | tifffile | 2021.4.8 |

-| cytoolz | 0.11.0 | llvmlite | 0.36.0 | tk | 8.6.10 |

-| dash | 1.20.0 | locket | 0.2.1 | toolz | 0.11.1 |

-| dash-core-components | 1.16.0 | lz4-c | 1.9.3 | tornado | 6.1 |

-| dash-html-components | 1.1.3 | markdown | 3.3.4 | tqdm | 4.61.2 |

-| dash-renderer | 1.9.1 | markupsafe | 2.0.1 | traitlets | 5.0.5 |

-| dash-table | 4.11.3 | matplotlib | 3.4.2 | typing-extensions | 3.10.0.0 |

-| dash_cytoscape | 0.2.0 | matplotlib-base | 3.4.2 | typing_extensions | 3.10.0.0 |

-| dask-core | 2021.6.2 | matplotlib-inline | 0.1.2 | unixodbc | 2.3.9 |

-| databricks-cli | 0.12.1 | mkl | 2021.2.0 | urllib3 | 1.26.4 |

-| dataclasses | 0.8 | mkl-devel | 2021.2.0 | wcwidth | 0.2.5 |

-| dbus | 1.13.18 | mkl-include | 2021.2.0 | webencodings | 0.5.1 |

-| debugpy | 1.3.0 | mleap | 0.17.0 | werkzeug | 2.0.1 |

-| decorator | 4.4.2 | mlflow-skinny | 1.18.0 | wheel | 0.36.2 |

-| dill | 0.3.4 | msal | 2021.06.08 | wrapt | 1.12.1 |

-| entrypoints | 0.3 | msal-extensions | 2021.06.08 | xgboost | 1.4.0 |

-| et_xmlfile | 1.1.0 | msrest | 2021.06.01 | xorg-kbproto | 1.0.7002 |

-| expat | 2.4.1 | multidict | 5.1.0 | xorg-libice | 1.0.10 |

-| fire | 0.4.0 | mysql-common | 8.0.25 | xorg-libsm | 1.2.3 |

-| flask | 2.0.1 | mysql-libs | 8.0.25 | xorg-libx11 | 1.7.2 |

-| flask-compress | 1.10.1 | ncurses | 6.2 | xorg-libxext | 1.3.4 |

-| fontconfig | 2.13.1 | networkx | 2.5.1 | xorg-libxrender | 0.9.10003 |

-| freetype | 2.10.4 | ninja | 1.10.2 | xorg-renderproto | 0.11.1002 |

-| fsspec | 2021.6.1 | nltk | 3.6.2 | xorg-xextproto | 7.3.0002 |

-| future | 0.18.2 | nspr | 4.30 | xorg-xproto | 7.0.31007 |

-| gast | 0.3.3 | nss | 3.67 | xz | 5.2.5 |

-| gensim | 3.8.3 | numba | 0.53.1 | yaml | 0.2.5 |

-| geographiclib | 1.52 | numpy | 1.19.4 | yarl | 1.6.3 |

-| geopy | 2.1.0 | oauthlib | 3.1.1 | zeromq | 4.3.4 |

-| gettext | 0.21.0 | olefile | 0.46 | zfp | 0.5.5 |

-| gevent | 21.1.2 | onnx | 1.9.0 | zipp | 3.5.0 |

-| gflags | 2.2.2 | onnxconverter-common | 1.7.0 | zlib | 1.2.11010 |

-| giflib | 5.2.1 | onnxmltools | 1.7.0 | zope.event | 4.5.0 |

-| gitdb | 4.0.7 | onnxruntime | 1.7.2 | zope.interface | 5.4.0 |

-| gitpython | 3.1.18 | openjpeg | 2.4.0 | zstd | 1.4.9 |

-| glib | 2.68.3 | openpyxl | 3.0.7 | azure-common | 1.1.27 |

-| glib-tools | 2.68.3 | openssl | 1.1.1k | azure-core | 1.16.0 |

-| glog | 0.5.0 | opt_einsum | 3.3.0 | azure-graphrbac | 0.61.1 |

-| gobject-introspection | 1.68.0 | orc | 1.6.7 | azure-mgmt-authorization | 0.61.0 |

-| google-auth | 1.32.1 | packaging | 21.0 | azure-mgmt-containerregistry | 8.0.0 |

-| google-auth-oauthlib | 0.4.1 | pandas | 1.2.3 | azure-mgmt-core | 1.3.0 |

-| google-pasta | 0.2.0 | parquet-cpp | 1.5.1 | azure-mgmt-keyvault | 2.2.0 |

-| greenlet | 1.1.0 | parso | 0.8.2 | azure-mgmt-resource | 13.0.0 |

-| grpc-cpp | 1.37.1 | partd | 1.2.0 | azure-mgmt-storage | 11.2.0 |

-| grpcio | 1.37.1 | patsy | 0.5.1 | azureml-core | 1.34.0 |

-| gst-plugins-base | 1.18.4 | pcre | 8.45 | azureml-mlflow | 1.34.0 |

-| gstreamer | 1.18.4 | pexpect | 4.8.0 | azureml-opendatasets | 1.34.0 |

-| h5py | 2.10.0 | pickleshare | 0.7.5 | backports-tempfile | 1.0 |

-| hdf5 | 1.10.6 | pillow | 8.2.0 | backports-weakref | 1.0.post1 |

-| html5lib | 1.1 | pip | 21.1.1 | contextlib2 | 0.6.0.post1 |

-| hummingbird-ml | 0.4.0 | pixman | 0.40.0 | docker | 4.4.4 |

-| icu | 68.1 | plotly | 4.14.3 | ipywidgets | 7.6.3 |

-| idna | 2.10 | pmdarima | 1.8.2 | jeepney | 0.6.0 |

-| imagecodecs | 2021.3.31 | pooch | 1.4.0 | jmespath | 0.10.0 |

-| imageio | 2.9.0 | portalocker | 1.7.1 | jsonpickle | 2.0.0 |

-| importlib-metadata | 4.6.1 | prompt-toolkit | 3.0.19 | kqlmagiccustom | 0.1.114.post8 |

-| intel-openmp | 2021.2.0 | protobuf | 3.15.8 | lxml | 4.6.5 |

-| interpret | 0.2.4 | psutil | 5.8.0 | msrestazure | 0.6.4 |

-| interpret-core | 0.2.4 | ptyprocess | 0.7.0 | mypy | 0.780 |

-| ipykernel | 6.0.1 | py-xgboost | 1.4.0 | mypy-extensions | 0.4.3 |

-| ipython | 7.23.1 | py4j | 0.10.9 | ndg-httpsclient | 0.5.1 |

-| ipython_genutils | 0.2.0 | pyarrow | 3.0.0 | pandasql | 0.7.3 |

-| isodate | 0.6.0 | pyasn1 | 0.4.8 | pathspec | 0.8.1 |

-| itsdangerous | 2.0.1 | pyasn1-modules | 0.2.8 | prettytable | 2.4.0 |

-| jdcal | 1.4.1 | pycairo | 1.20.1 | pyperclip | 1.8.2 |

-| jedi | 0.18.0 | pycosat | 0.6.3 | ruamel-yaml | 0.17.4 |

-| jinja2 | 3.0.1 | pycparser | 2.20 | ruamel-yaml-clib | 0.2.6 |

-| joblib | 1.0.1 | pygments | 2.9.0 | secretstorage | 3.3.1 |

-| jpeg | 9d | pygobject | 3.40.1 | sqlalchemy | 1.4.20 |

-| jupyter_client | 6.1.12 | pyjwt | 2.1.0 | typed-ast | 1.4.3 |

-| jupyter_core | 4.7.1 | pyodbc | 4.0.30 | torchvision | 0.9.1 |

-| jxrlib | 1.1 | pyopenssl | 20.0.1 | websocket-client | 1.1.0 |

-| **Library** | **Version** | **Library** | **Version** | **Library** | **Version** |

-|:--:|:--:|:-:|:-:|:-:|:--:|

-| abind | 1.4-5 | gtools | 3.8.2 | RColorBrewer | 1.1-3 |

-| anomalize | 0.2.2 | hardhat | 0.2.0 | Rcpp | 1.0.8.3 |

-| anytime | 0.3.9 | haven | 2.5.0 | RcppArmadillo | 0.11.0.0.0 |

-| arrow | 7.0.0 | highr | 0.9 | RcppEigen | 0.3.3.9.2 |

-| askpass | 1.1 | hms | 1.1.1 | RcppParallel | 5.1.5 |

-| assertthat | 0.2.1 | htmltools | 0.5.2 | RcppRoll | 0.3.0 |

-| backports | 1.4.1 | htmlwidgets | 1.5.4 | readr | 2.1.2 |

-| base64enc | 0.1-3 | httr | 1.4.3 | readxl | 1.4.0 |

-| BH | 1.78.0-0 | hwriter | 1.3.2.1 | recipes | 0.2.0 |

-| bit | 4.0.4 | ids | 1.0.1 | rematch | 1.0.1 |

-| bit64 | 4.0.5 | ini | 0.3.1 | rematch2 | 2.1.2 |

-| blob | 1.2.3 | inline | 0.3.19 | remotes | 2.4.2 |

-| brew | 1.0-7 | ipred | 0.9-12 | reprex | 2.0.1 |

-| brio | 1.1.3 | isoband | 0.2.5 | reshape2 | 1.4.3 |

-| broom | 0.8.0 | iterators | 1.0.14 | reticulate | 1.18 |

-| bslib | 0.3.1 | jquerylib | 0.1.4 | rex | 1.2.1 |

-| cachem | 1.0.6 | jsonlite | 1.7.2 | rlang | 1.0.2 |

-| callr | 3.7.0 | knitr | 1.39 | rmarkdown | 2.14 |

-| car | 3.0-13 | labeling | 0.4.2 | RODBC | 1.3-19 |

-| carData | 3.0-5 | lambda.r | 1.2.4 | roxygen2 | 7.1.2 |

-| caret | 6.0-86 | later | 1.3.0 | rprojroot | 2.0.3 |

-| cellranger | 1.1.0 | lava | 1.6.10 | rsample | 0.1.1 |

-| checkmate | 2.1.0 | lazyeval | 0.2.2 | RSQLite | 2.2.13 |

-| chron | 2.3-56 | lifecycle | 1.0.1 | rstan | 2.21.5 |

-| cli | 3.3.0 | listenv | 0.8.0 | rstantools | 2.2.0 |

-| clipr | 0.8.0 | lme4 | 1.1-29 | rstatix | 0.7.0 |

-| colorspace | 2.0-3 | lmtest | 0.9-40 | rstudioapi | 0.13 |

-| commonmark | 1.8.0 | loo | 2.5.1 | rversions | 2.1.1 |

-| config | 0.3.1 | lubridate | 1.8.0 | rvest | 1.0.2 |

-| corrplot | 0.92 | magrittr | 2.0.3 | sass | 0.4.1 |

-| covr | 3.5.1 | maptools | 1.1-4 | scales | 1.2.0 |

-| cpp11 | 0.4.2 | markdown | 1.1 | selectr | 0.4-2 |

-| crayon | 1.5.1 | MatrixModels | 0.5-0 | sessioninfo | 1.2.2 |

-| credentials | 1.3.2 | matrixStats | 0.62.0 | shape | 1.4.6 |

-| crosstalk | 1.2.0 | memoise | 2.0.1 | slider | 0.2.2 |

-| curl | 4.3.2 | mime | 0.12 | sourcetools | 0.1.7 |

-| data.table | 1.14.2 | minqa | 1.2.4 | sp | 1.4-7 |

-| DBI | 1.1.2 | ModelMetrics | 1.2.2.2 | sparklyr | 1.5.2 |

-| dbplyr | 2.1.1 | modelr | 0.1.8 | SparseM | 1.81 |

-| desc | 1.4.1 | munsell | 0.5.0 | sqldf | 0.4-11 |

-| devtools | 2.3.2 | nloptr | 2.0.1 | SQUAREM | 2021.1 |

-| diffobj | 0.3.5 | notebookutils | 3.1.2-20220721.3 | StanHeaders | 2.21.0-7 |

-| digest | 0.6.29 | numDeriv | 2016.8-1.1 | stringi | 1.7.6 |

-| dplyr | 1.0.9 | openssl | 2.0.0 | stringr | 1.4.0 |

-| DT | 0.22 | padr | 0.6.0 | sweep | 0.2.3 |

-| dtplyr | 1.2.1 | parallelly | 1.31.1 | sys | 3.4 |

-| dygraphs | 1.1.1.6 | pbkrtest | 0.5.1 | testthat | 3.1.4 |

-| ellipsis | 0.3.2 | pillar | 1.7.0 | tibble | 3.1.7 |

-| evaluate | 0.15 | pkgbuild | 1.3.1 | tibbletime | 0.1.6 |

-| extraDistr | 1.9.1 | pkgconfig | 2.0.3 | tidyr | 1.2.0 |

-| fansi | 1.0.3 | pkgload | 1.2.4 | tidyselect | 1.1.2 |

-| farver | 2.1.0 | plogr | 0.2.0 | tidyverse | 1.3.1 |

-| fastmap | 1.1.0 | plotly | 4.10.0 | timeDate | 3043.102 |

-| forcats | 0.5.1 | plotrix | 3.8-1 | timetk | 2.8.0 |

-| foreach | 1.5.2 | plyr | 1.8.7 | tinytex | 0.38 |

-| forecast | 8.13 | praise | 1.0.0 | tseries | 0.10-51 |

-| forge | 0.2.0 | prettyunits | 1.1.1 | tsfeatures | 1.0.2 |

-| formatR | 1.12 | pROC | 1.18.0 | TTR | 0.24.3 |

-| fracdiff | 1.5-1 | processx | 3.5.3 | tzdb | 0.3.0 |

-| fs | 1.5.2 | prodlim | 2019.11.13 | urca | 1.3-0 |

-| furrr | 0.3.0 | progress | 1.2.2 | usethis | 2.1.5 |

-| futile.logger | 1.4.3 | progressr | 0.10.0 | utf8 | 1.2.2 |

-| futile.options | 1.0.1 | promises | 1.2.0.1 | uuid | 1.1-0 |

-| future | 1.25.0 | prophet | 0.6.1 | vctrs | 0.4.1 |

-| future.apply | 1.9.0 | proto | 1.0.0 | viridisLite | 0.4.0 |

-| gargle | 1.2.0 | ps | 1.7.0 | vroom | 1.5.7 |

-| generics | 0.1.2 | purrr | 0.3.4 | waldo | 0.4.0 |

-| gert | 1.6.0 | quadprog | 1.5-8 | warp | 0.2.0 |

-| ggplot2 | 3.3.6 | quantmod | 0.4.20 | whisker | 0.4 |

-| gh | 1.3.0 | quantreg | 5.93 | withr | 2.5.0 |

-| gitcreds | 0.1.1 | R.methodsS3 | 1.8.1 | xfun | 0.30 |

-| glmnet | 4.1-4 | R.oo | 1.24.0 | xml2 | 1.3.3 |

-| globals | 0.14.0 | R.utils | 2.12.0 | xopen | 1.0.0 |

-| glue | 1.6.2 | r2d3 | 0.2.6 | xtable | 1.8-4 |

-| gower | 1.0.0 | R6 | 2.5.1 | xts | 0.12.1 |

-| gridExtra | 2.3 | randomForest | 4.7-1 | yaml | 2.3.5 |

-| gsubfn | 0.7 | rappdirs | 0.3.3 | zip | 2.2.0 |

-| gtable | 0.3.0 | rcmdcheck | 1.4.0 | zoo | 1.8-10 |

-| [Azure Synapse Runtime for Apache Spark 3.1](./apache-spark-3-runtime.md) | May 26, 2021 | LTS | January 26, 2023 | January 26, 2024 |

-| [Azure Synapse Runtime for Apache Spark 2.4](./apache-spark-24-runtime.md) | December 15, 2020 | __End of Life Announced (EOLA)__ | __July 29, 2022__ | __July 28, 2023__ |

-To enable access from Windows devices not joined to Azure AD, add **targetisaadjoined:i:1** as a [custom RDP property](customize-rdp-properties.md) to the host pool. These connections are restricted to entering user name and password credentials when signing in to the session host.