+ 1. To make a POST request similar to the one shown below, you can use an HTTP client such as [Microsoft PowerShell](/powershell/scripting/overview) or [Postman](https://www.postman.com/):

+You can test the app you've deployed by using an HTTP client such as [Microsoft PowerShell](/powershell/scripting/overview) or [Postman](https://www.postman.com/). This time, use `https://custompolicyapi.azurewebsites.net/validate-accesscode` URL as the endpoint.

+## Receive data from REST API

+If your REST API returns data, which you want to include as claims in your policy, you can receive it by specifying claims in the `OutputClaims` element of the RESTful technical profile. If the name of the claim defined in your policy is different from the name defined in the REST API, you need to map these names by using the `PartnerClaimType` attribute.

+Use the steps in [Receiving data](api-connectors-overview.md?pivots=b2c-custom-policy#receiving-data) to learn how to format the data the custom policy expects, how to handle nulls values, and how to parse REST the API's nested JSON body.

+ </BuildingBlocks>

+Notice the `message` and `sub` claims, which we set as [output claims](relyingparty.md#outputclaims) in the `RelyingParty` section.

+- About custom policy [user input types](claimsschema.md#userinputtype).

+While you can use pre-made [custom policy starter pack](./tutorial-create-user-flows.md?pivots=b2c-custom-policy#custom-policy-starter-pack), it's important for you understand how custom policy is built from scratch. In this how-to guide series, you'll learn what you need to understand for you to customize the behavior of your user experience by using custom policies. At the end of this how-to guide series, you should be able to read and understand existing custom policies or write your own from scratch.

+- [Write your first Azure Active Directory B2C custom policy - Hello World!](custom-policies-series-hello-world.md)

+> For comprehensive details about Microsoft's EU Data Boundary commitment, see [Microsoft's EU Data Boundary documentation](/privacy/eudb/eu-data-boundary-learn).

+ Make a note of the target resource group, target virtual network, and target virtual network subnet. These resource names are used during the migration process.

+ Note that the **CorpNetSaw** service tag isn't available by using Azure portal, and the network security group rule for **CorpNetSaw** has to be added by using [PowerShell](powershell-create-instance.md#create-a-network-security-group).

+| Source | Source service tag | Source port ranges | Destination | Service | Destination port ranges | Protocol | Action | Required | Purpose |

+|:--:|:-:|::|:-:|:-:|:--:|:--:|::|:--:|:--|

+| Service tag | AzureActiveDirectoryDomainServices | * | Any | WinRM | 5986 | TCP | Allow | Yes | Management of your domain. |

+| Service tag | CorpNetSaw | * | Any | RDP | 3389 | TCP | Allow | Optional | Debugging for support |

+Note that the **CorpNetSaw** service tag isn't available by using Azure portal, and the network security group rule for **CorpNetSaw** has to be added by using [PowerShell](powershell-create-instance.md#create-a-network-security-group).

+Inbound user provisioning from SAP SuccessFactors to on-premises Active Directory and Azure AD now supports advance provisioning of pre-hires present in the SAP SuccessFactors Onboarding 2.0 module. Upon encountering a new hire profile with future start date, the Azure AD provisioning service queries SAP SuccessFactors to get new hires with one of the following status codes: `active`, `inactive`, `active_external_suite`. The status code `active_external_suite` corresponds to pre-hires present in the SAP SuccessFactors Onboarding 2.0 module. For a description of these status codes, refer to [SAP support note 2736579](https://launchpad.support.sap.com/#/notes/0002736579).

+1. Edit the Source Object scope to apply a scoping filter `userStatus NOT EQUALS

+`

+Azure AD checks the current attribute value in the identity store before updating it. However, only the manager attribute is the checked first for users. Here's an example of a request to determine whether the manager attribute of a user object currently has a certain value:

+Applications that support the SCIM profile described in this article can be connected to Azure AD using the "non-gallery application" feature in the Azure AD application gallery. Once connected, Azure AD runs a synchronization process. The process runs every 40 minutes. The process queries the application's SCIM endpoint for assigned users and groups, and creates or modifies them according to the assignment details.

+It's recommended, but not required, that you support multiple secrets for easy renewal without downtime.

+| [Authenticator Lite](how-to-mfa-authenticator-lite.md) | Disabled |

+| Microsoft Authenticator | High | High | High |

+| Authenticator Lite | High | High | High |

+| Windows Hello for Business | Yes | MFA\* |

+| Microsoft Authenticator | Yes | MFA and SSPR |

+| Authenticator Lite | No | MFA |

+| Certificate-based authentication | Yes | No |

+* Microsoft Authenticator

+* Authenticator Lite (in Outlook)

+ Title: How to enable Microsoft Authenticator Lite for Outlook mobile (preview)

+description: Learn about how to you can set up Microsoft Authenticator Lite for Outlook mobile to help users validate their identity

+# Customer intent: As an identity administrator, I want to encourage users to understand how default protection can improve our security posture.

+# How to enable Microsoft Authenticator Lite for Outlook mobile (preview)

+Microsoft Authenticator Lite is another surface for Azure Active Directory (Azure AD) users to complete multifactor authentication by using push notifications or time-based one-time passcodes (TOTP) on their Android or iOS device. With Authenticator Lite, users can satisfy a multifactor authentication requirement from the convenience of a familiar app. Authenticator Lite is currently enabled in [Outlook mobile](https://www.microsoft.com/microsoft-365/outlook-mobile-for-android-and-ios).

+Users receive a notification in Outlook mobile to approve or deny sign-in, or they can copy a TOTP to use during sign-in.

+>[!NOTE]

+>This is an important security enhancement for users authenticating via telecom transports. The 'Microsoft managed' setting for this feature will be set to enabled on May 26th, 2023. This will enable the feature for all users in tenants where the feature is set to Microsoft managed. If you wish to change the state of this feature, please do so before May 26th, 2023.

+## Prerequisites

+- Your organization needs to enable Microsoft Authenticator (second factor) push notifications for some users or groups by using the Authentication methods policy. You can edit the Authentication methods policy by using the Azure portal or Microsoft Graph API.

+- If your organization is using the Active Directory Federation Services (AD FS) adapter or Network Policy Server (NPS) extensions, upgrade to the latest versions for a consistent experience.

+- Users enabled for shared device mode on Outlook mobile aren't eligible for Authenticator Lite.

+- Users must run a minimum Outlook mobile version.

+ | Operating system | Outlook version |

+ |:-:|::|

+ |Android | 4.2308.0 |

+ |iOS | 4.2309.0 |

+## Enable Authenticator Lite

+By default, Authenticator Lite is [Microsoft managed](concept-authentication-default-enablement.md#microsoft-managed-settings) and disabled during preview. After general availability, the Microsoft managed state default value will change to enable Authenticator Lite.

+| Property | Type | Description |

+|-||-|

+| excludeTarget | featureTarget | A single entity that is excluded from this feature. <br>You can only exclude one group from Authenticator Lite, which can be a dynamic or nested group.|

+| includeTarget | featureTarget | A single entity that is included in this feature. <br>You can only include one group for Authenticator Lite, which can be a dynamic or nested group.|

+| State | advancedConfigState | Possible values are:<br>**enabled** explicitly enables the feature for the selected group.<br>**disabled** explicitly disables the feature for the selected group.<br>**default** allows Azure AD to manage whether the feature is enabled or not for the selected group. |

+Once you identify the single target group, use the following API endpoint to change the **CompanionAppsAllowedState** property under **featureSettings**.

+```http

+https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

+```

+>[!NOTE]

+>In Graph Explorer, you need to consent to the **Policy.ReadWrite.AuthenticationMethod** permission.

+### Request

+```JSON

+//Retrieve your existing policy via a GET.

+//Leverage the Response body to create the Request body section. Then update the Request body similar to the Request body as shown below.

+//Change the Query to PATCH and Run query

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

+ "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",

+ "id": "MicrosoftAuthenticator",

+ "state": "enabled",

+ "isSoftwareOathEnabled": false,

+ "excludeTargets": [],

+ "featureSettings": {

+ "companionAppAllowedState": {

+ "state": "enabled",

+ "includeTarget": {

+ "targetType": "group",

+ "id": "s4432809-3bql-5m2l-0p42-8rq4707rq36m"

+ },

+ "excludeTarget": {

+ "targetType": "group",

+ "id": "00000000-0000-0000-0000-000000000000"

+ }

+ }

+ },

+ "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

+ "includeTargets": [

+ {

+ "targetType": "group",

+ "id": "all_users",

+ "isRegistrationRequired": false,

+ "authenticationMode": "any"

+ }

+ ]

+}

+```

+## User registration

+If enabled for Authenticator Lite, users are prompted to register their account directly from Outlook mobile. Authenticator Lite registration isn't available by using [MySignIns](https://aka.ms/mysignins). Users can also enable or disable Authenticator Lite from within Outlook mobile. For more information about the user experience, see [Authenticator Lite support](https://aka.ms/authappliteuserdocs).

+## Monitoring Authenticator Lite usage

+[Sign-in logs](/graph/api/signin-list) can show which app was used to complete user authentication. To view the latest sign-ins, use the following call on the beta API endpoint:

+```http

+GET auditLogs/signIns

+```

+If the sign-in was done by phone app notification, under **authenticationAppDeivceDetails** the **clientApp** field returns **microsoftAuthenticator** or **Outlook**.

+If a user has registered Authenticator Lite, the userΓÇÖs registered authentication methods include **Microsoft Authenticator (in Outlook)**.

+## Push notifications in Authenticator Lite

+Push notifications sent by Authenticator Lite aren't configurable and don't depend on the Authenticator feature settings. The settings for features included in the Authenticator Lite experience are listed in the following table.

+| Authenticator Feature | Authenticator Lite Experience|

+|::|:-:|

+| Number Matching | Enabled |

+| Location Context | Disabled |

+| Application Context | Disabled |

+The following screenshots show what users see when Authenticator Lite sends a push notification.

+## AD FS adapter and NPS extension

+Authenticator Lite enforces number matching in every authentication. If your tenant is using an AD FS adapter or an NPS extension, your users may not be able to complete Authenticator Lite notifications. For more information, see [AD FS adapter](how-to-mfa-number-match.md#ad-fs-adapter) and [NPS extension](how-to-mfa-number-match.md#nps-extension).

+To learn more about verification notifications, see [Microsoft Authenticator authentication method](concept-authentication-authenticator-app.md).

+## Common questions

+### Does Authenticator Lite work as a broker app?

+No, Authenticator Lite is only available for push notifications and TOTP.

+### Can Authenticator Lite be used for SSPR?

+No, Authenticator Lite is only available for push notifications and TOTP.

+### Is this available in Outlook desktop app?

+No, Authenticator Lite is only available on Outlook mobile.

+### Where can users register for Authenticator Lite?

+Users can only register for Authenticator Lite from mobile Outlook. Authenticator Lite registration can be managed from [aka.ms/mysignins](https://aka.ms/mysignins).

+### Can users register Microsoft Authenticator and Authenticator Lite?

+Users that have Microsoft Authenticator on their device can't register Authenticator Lite. If a user has an Authenticator Lite registration and then later downloads Microsoft Authenticator, they can register both. If a user has two devices, they can register Authenticator Lite on one and Microsoft Authenticator on the other.

+## Next steps

+[Authentication methods in Azure Active Directory](concept-authentication-authenticator-app.md)

+A preview of **Report Suspicious Activity**, the updated MFA **Fraud Alert** feature, is now available. When an unknown and suspicious MFA prompt is received, users can report the fraud attempt by using Microsoft Authenticator or through their phone. These alerts are integrated with [Identity Protection](../identity-protection/overview-identity-protection.md) for more comprehensive coverage and capability.

+Users who report an MFA prompt as suspicious are set to **High User Risk**. Administrators can use risk-based policies to limit access for these users, or enable self-service password reset (SSPR) for users to remediate problems on their own. If you previously used the **Fraud Alert** automatic blocking feature and don't have an Azure AD P2 license for risk-based policies, you can use risk detection events to identify and disable impacted users and automatically prevent their sign-in. For more information about using risk-based policies, see [Risk-based access policies](../identity-protection/concept-identity-protection-policies.md).

+Once a user has reported a prompt as suspicious, the risk should be investigated and remediated with [Identity Protection](../identity-protection/howto-identity-protection-remediate-unblock.md).

+To learn more, see [What authentication and verification methods are available in Azure Active Directory?](concept-authentication-methods.md)

+On Azure AD joined and hybrid Azure AD joined devices, unlocking the device, or signing in interactively will only refresh the Primary Refresh Token (PRT) every 4 hours. The last refresh timestamp recorded for PRT compared with the current timestamp must be within the time allotted in SIF policy for PRT to satisfy SIF and grant access to a PRT that has an existing MFA claim. On [Azure AD registered devices](../devices/concept-azure-ad-register.md), unlock/sign-in would not satisfy the SIF policy because the user is not accessing an Azure AD registered device via an Azure AD account. However, the [Azure AD WAM](../develop/scenario-desktop-acquire-token-wam.md) plugin can refresh a PRT during native application authentication using WAM.

+* If you're ready to configure Conditional Access policies for your environment, see the article [Plan a Conditional Access deployment](plan-conditional-access.md).

+ Title: Microsoft identity platform app-only access scenario

+description: Learn about when and how to use app-only access in the Microsoft identity platform endpoint.

+# Understanding application-only access

+When an application directly accesses a resource, like Microsoft Graph, its access isn't limited to the files or operations available to any single user. The app calls APIs directly using its own identity, and a user or app with admin rights must authorize it to access the resources. This scenario is application-only access.

+> [!VIDEO https://www.youtube.com/embed/6R3W9T01gdE]

+## When should I use application-only access?

+In most cases, application-only access is broader and more powerful than [delegated access](delegated-access-primer.md), so you should only use app-only access where needed. ItΓÇÖs usually the right choice if:

+- The application needs to run in an automated way, without user input. For example, a daily script that checks emails from certain contacts and sends automated responses.

+- The application needs to access resources belonging to multiple different users. For example, a backup or data loss prevention app might need to retrieve messages from many different chat channels, each with different participants.

+- You find yourself tempted to store credentials locally and allow the app to sign in "as" the user or admin.

+In contrast, you should never use application-only access where a user would normally sign in to manage their own resources. These types of scenarios must use delegated access to be least privileged.

+

+## Authorizing an app to make application-only calls

+To make app-only calls, you need to assign your client app the appropriate app roles. App roles are also referred to as application-only permissions. They're *app* roles because they grant access only in the context of the resource app that defines the role.

+For example, to read a list of all teams created in an organization, you need to assign your application the Microsoft Graph `Team.ReadBasic.All` app role. This app role grants the ability to read this data when Microsoft Graph is the resource app. This assignment doesn't assign your client application to a Teams role that might allow it to view this data through other services.

+As a developer, you need to configure all required app-only permissions, also referred to as app roles on your application registration. You can configure your app's requested app-only permissions through the Azure portal or Microsoft Graph. App-only access doesn't support dynamic consent, so you can't request individual permissions or sets of permissions at runtime.

+Once you've configured all the permissions your app needs, it must get admin consent [admin consent](../manage-apps/grant-admin-consent.md) for it to access the resources. For example, only users with the global admin role can grant app-only permissions (app roles) for the Microsoft Graph API. Users with other admin roles, like application admin and cloud app admin, are able to grant app-only permissions for other resources.

+Admin users can grant app-only permissions by using the Azure portal or by creating grants programmatically through the Microsoft Graph API. You can also prompt for interactive consent from within your app, but this option isn't preferable since app-only access doesn't require a user.

+Consumer users with Microsoft Accounts, like Outlook.com or Xbox Live accounts, can never authorize application-only access.

+Always follow the principle of least privilege: you should never request app roles that your app doesnΓÇÖt need. This principle helps limit the security risk if your app is compromised and makes it easier for administrators to grant your app access. For example, if your app-only needs to identify users without reading their detailed profile information, you should request the more limited Microsoft Graph `User.ReadBasic.All` app role instead ofΓÇ»`User.Read.All`.

+

+## Designing and publishing app roles for a resource service

+If you're building a service on Azure AD that exposes APIs for other clients to call, you may wish to support automated access with app roles (app-only permissions). You can define the app roles for your application in the **App roles** section of your app registration in Azure AD portal. For more information on how to create app roles, see [Declare roles for an application](howto-add-app-roles-in-azure-ad-apps.md#declare-roles-for-an-application).

+When exposing app roles for others to use, provide clear descriptions of the scenario to the admin who is going to assign them. App roles should generally be as narrow as possible and support specific functional scenarios, since app-only access isn't constrained by user rights. Avoid exposing a single role that grants full `read` or full `read/write` access to all APIs and resources your service contains.

+> [!NOTE]

+> App roles (app-only permissions) can also be configured to support assignment to users and groups. Be sure that you configure your app roles correctly for your intended access scenario. If you intend for your APIΓÇÖs app roles to be used for app-only access, select applications as the only allowed member types when creating the app roles.

+## How does application-only access work?

+The most important thing to remember about app-only access is that the calling app acts on its own behalf and as its own identity. There's no user interaction. If the app has been assigned to a given app role for a resource, then the app has fully unconstrained access to all resources and operations governed by that app role.

+Once an app has been assigned to one or more app roles (app-only permissions), it can request an app-only token from Azure AD using the [client credentials flow](v2-oauth2-client-creds-grant-flow.md) or any other supported authentication flow. The assigned roles are added to the `roles` claim of the app's access token.

+

+In some scenarios, the application identity may determine whether access is granted, similarly to user rights in a delegated call. For example, the `Application.ReadWrite.OwnedBy` app role grants an app the ability to manage service principals that the app itself owns.

+## Application-only access example - Automated email notification via Microsoft Graph

+The following example illustrates a realistic automation scenario.

+Alice wants to notify a team by email every time the division reporting folder that resides in a Windows file share registers a new document. Alice creates a scheduled task that runs a PowerShell script to examine the folder and find new files. The script then sends an email using a mailbox protected by a resource API, Microsoft Graph.

+The script runs without any user interaction, therefore the authorization system only checks the application authorization. Exchange Online checks whether the client making the call has been granted the application permission (app role), `Mail.Send` by the administrator. If `Mail.Send` isnΓÇÖt granted to the app, then Exchange Online fails the request.

+| POST /users/{id}/{userPrincipalName}/sendMail | Client app granted Mail.Send | Client app not granted Mail.Send |

+| -- | -- | -- |

+| The script uses AliceΓÇÖs mailbox to send emails. | 200 ΓÇô Access granted. Admin allowed the app to send mail as any user. |403 - Unauthorized. Admin hasnΓÇÖt allowed this client to send emails. |

+| The script creates a dedicated mailbox to send emails. | 200 ΓÇô Access granted. Admin allowed the app to send mail as any user. | 403 - Unauthorized. Admin hasnΓÇÖt allowed this client to send emails. |

+

+The example given is a simple illustration of application authorization. The production Exchange Online service supports many other access scenarios, such as limiting application permissions to specific Exchange Online mailboxes.

+## Next steps

+- [Learn how to create and assign app roles in Azure AD](howto-add-app-roles-in-azure-ad-apps.md)

+- [Overview of permissions in Microsoft Graph](/graph/permissions-overview)

+- [Microsoft Graph permissions reference](/graph/permissions-reference)

+ | **[Resource Group](../../azure-resource-manager/management/overview.md)** | *myResourceGroup* | Select and existing resource group, or name for the new one in which you'll create your function app. |

+- Learn how to [troubleshoot your custom extensions API](custom-extension-troubleshoot.md).

+You can also use [Azure AD sign-in logs](../reports-monitoring/concept-sign-ins.md) in addition to your REST API logs, and hosting environment diagnostics solutions. Using Azure AD sign-in logs, you can find errors, which may affect the users' sign-ins. The Azure AD sign-in logs provide information about the HTTP status, error code, execution duration, and number of retries that occurred the API was called by Azure AD.

+Azure AD sign-in logs also integrate with [Azure Monitor](../../azure-monitor/index.yml). You can set up alerts and monitoring, visualize the data, and integrate with security information and event management (SIEM) tools. For example, you can set up notifications if the number of errors exceed a certain threshold that you choose.

+- Learn more about custom claims providers with the [custom claims provider reference](custom-claims-provider-reference.md) article.

+description: Learn about when and how to use delegated access in the Microsoft identity platform endpoint.

+

+To *access* a protected resource like email or calendar data, your application needs the resource owner's *authorization*. The resource owner can *consent* to or deny your app's request. Understanding these foundational concepts will help you build more secure and trustworthy applications that request only the access they need, when they need it, from users and administrators.

+In this access scenario, the application acts on its own with no user signed in. Application access is used in scenarios such as automation, and backup. This scenario includes apps that run as background services or daemons. It's appropriate when it's undesirable to have a specific user signed in, or when the data required can't be scoped to a single user. For more information about the app-only access scenario, see [App-only-access](app-only-access-primer.md).

+- When the application is coded to specifically prompt for consent during sign-in.

+| AADSTS700027| Client assertion failed signature validation. Developer error - the app is attempting to sign in without the necessary or correct authentication parameters.|

+For details see the code for [GetMsalAccountId](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/blob/257c8f96ec3ff875c351d1377b36403eed942a18/WebApp/Utils/ClaimPrincipalExtension.cs#L38) in the code sample.

+1. Follow the directions [here](./howto-configure-publisher-domain.md#set-a-publisher-domain-in-the-azure-portal) to set a Publisher Domain

+- Error code and message being returned

+As part of the OpenID Connect (OIDC) standard, the [UserInfo endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) returns information about an authenticated user.

+## Next steps

+Program](https://www.microsoft.com/licensing/how-to-buy/how-to-buy), and the [Cloud Solution Providers program](../../lighthouse/concepts/cloud-solution-provider.md). Azure and Microsoft 365 subscribers can also purchase Workload

+Yes, customers can have a mixture of license plans in one tenant.

+If federated identity credentials are provisioned in a loop, you can [provision them serially](../../azure-resource-manager/templates/copy-resources.md#serial-or-parallel) by setting *"mode": "serial"*.

+| 409 | Conflict | Concurrent write request to federated identity credential resources under the same user-assigned identity has been denied.

+Users won't be listed in the local administrator group, the permissions are received through the Primary Refresh Token.

+Don't delete system-managed devices. These devices are generally devices such as Autopilot. Once deleted, these devices can't be reprovisioned.

+> Users from another Microsoft cloud must be invited using their user principal name (UPN). [Email as sign-in](../authentication/howto-authentication-use-email-signin.md#b2b-guest-user-sign-in-with-an-email-address) is not currently supported when collaborating with users from another Microsoft cloud.

+See [Configure external collaboration settings](external-collaboration-settings-configure.md) for B2B collaboration with non-Azure AD identities, social identities, and non-IT managed external accounts.

+>- In the SAML request sent by Azure AD for external federations, the Issuer URL is a tenanted endpoint. For any new federations, we recommend that all our partners set the audience of the SAML or WS-Fed based IdP to a tenanted endpoint. Refer to the [SAML 2.0](#required-saml-20-attributes-and-claims) and [WS-Fed](#required-ws-fed-attributes-and-claims) required attributes and claims sections. Any existing federations configured with the global endpoint will continue to work, but new federations will stop working if your external IdP is expecting a global issuer URL in the SAML request.

+ - Guest users have already redeemed invitations from you, and then later you set up federation with the organization's SAML/WS-Fed IdP. These guest users continue to use the same authentication method they used before you set up federation.

+ - You set up federation with an organization's SAML/WS-Fed IdP and invite guest users, and then the partner organization later moves to Azure AD. The guest users who have already redeemed invitations continue to use the federated SAML/WS-Fed IdP, as long as the federation policy in your tenant exists.

+ - You delete federation with an organization's SAML/WS-Fed IdP. Any guest users currently using the SAML/WS-Fed IdP are unable to sign in.

+With SAML/WS-Fed IdP federation, guest users sign into your Azure AD tenant using their own organizational account. When they're accessing shared resources and are prompted for sign-in, users are redirected to their IdP. After successful sign-in, users are returned to Azure AD to access resources. If the Azure AD session expires or becomes invalid and the federated IdP has SSO enabled, the user experiences SSO. If the federated user's session is valid, the user isn't prompted to sign in again. Otherwise, the user is redirected to their IdP for sign-in.

+No, we block SAML/WS-Fed IdP federation for Azure AD verified domains in favor of native Azure AD managed domain capabilities. If you try to set up SAML/WS-Fed IdP federation with a domain that is DNS-verified in Azure AD, an error occurs.

+If you specify the metadata URL in the IdP settings, Azure AD automatically renews the signing certificate when it expires. However, if the certificate is rotated for any reason before the expiration time, or if you don't provide a metadata URL, Azure AD is unable to renew it. In this case, you need to update the signing certificate manually.

+When SAML/WS-Fed IdP federation is established with a partner organization, it takes precedence over email one-time passcode authentication for new guest users from that organization. If a guest user redeemed an invitation using one-time passcode authentication before you set up SAML/WS-Fed IdP federation, they continue to use one-time passcode authentication.

+No, the [email one-time passcode](one-time-passcode.md) feature should be used in this scenario. A ΓÇ£partially synced tenancyΓÇ¥ refers to a partner Azure AD tenant where on-premises user identities aren't fully synced to the cloud. A guest whose identity doesnΓÇÖt yet exist in the cloud but who tries to redeem your B2B invitation isn't able to sign in. The one-time passcode feature would allow this guest to sign in. The SAML/WS-Fed IdP federation feature addresses scenarios where the guest has their own IdP-managed organizational account, but the organization has no Azure AD presence at all.

+ - If the passive authentication endpoint is `https://fabrikamconglomerate.com/adfs` or `https://fabrikam.com.uk/adfs`, the domain doesn't match the fabrikam.com domain, so the partner needs to add a text record for the authentication URL to their DNS configuration.

+Azure AD B2B can be configured to federate with IdPs that use the SAML protocol with specific requirements listed in this section. For more information about setting up a trust between your SAML IdP and Azure AD, see [Use a SAML 2.0 Identity Provider (IdP) for SSO](../hybrid/how-to-connect-fed-saml-idp.md).

+> Ensure the value matches the cloud for which you're setting up external federation.

+Azure AD B2B can be configured to federate with IdPs that use the WS-Fed protocol. This section discusses the requirements. Currently, the two WS-Fed providers have been tested for compatibility with Azure AD include AD FS and Shibboleth. For more information about establishing a relying party trust between a WS-Fed compliant provider with Azure AD, see the "STS Integration Paper using WS Protocols" available in the [Azure AD Identity Provider Compatibility Docs](https://www.microsoft.com/download/details.aspx?id=56843).

+> Ensure the value matches the cloud for which you're setting up external federation.

+Next, configure federation with the IdP configured in step 1 in Azure AD. You can use either the Azure portal or the [Microsoft Graph API](/graph/api/resources/samlorwsfedexternaldomainfederation?view=graph-rest-beta&preserve-view=true). It might take 5-10 minutes before the federation policy takes effect. During this time, don't attempt to redeem an invitation for the federation domain. The following attributes are required:

+ - **Domain name of federating IdP** - Enter your partnerΓÇÖs IdP target domain name for federation. During this initial configuration, enter just one domain name. You can add more domains later.

+You can remove your federation configuration. If you do, federation guest users who have already redeemed their invitations can no longer sign in. But you can give them access to your resources again by [resetting their redemption status](reset-redemption-status.md).

+1. Sign in to the [Azure portal](https://portal.azure.com/) with an Azure account that's been assigned at least the Contributor role within the subscription or a resource group within the subscription.

+ :::image type="content" source="media/external-identities-pricing/linked-subscriptions.png" alt-text="Screenshot of the link a subscription option.":::

+ :::image type="content" source="media/external-identities-pricing/link-subscription-resource.png" alt-text="Screenshot of how to link a subscription.":::

+- You don't have the appropriate permissions. Be sure to sign in with an Azure account that's been assigned at least the Contributor role within the subscription or a resource group within the subscription.

+For the latest pricing information, see [Azure Active Directory pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).

+* [Azure Government developer guide](/azure/azure-government/documentation-government-developer-guide)

+Now within the Azure portal you have access to view key data for your Azure AD-DS Domain Controllers such as: LDAP Searches/sec, Total Query Received/sec, DNS Total Response Sent/sec, LDAP Successful Binds/sec, memory usage, processor time, Kerberos Authentications, and NTLM Authentications. For more information, see: [Check fleet metrics of Azure Active Directory Domain Services](../../active-directory-domain-services/fleet-metrics.md).

+`Word([userPrincipalName],1,"@") & "@contosotest.com"`.

+description: Learn how to migrate Okta sign-on policies to Azure Active Directory Conditional Access.

+In this tutorial, learn to migrate an organization from global or application-level sign-on policies in Okta Conditional Access in Azure Active Directory (Azure AD). Conditional Access policies secure user access in Azure AD and connected applications.

+Learn more: [What is Conditional Access?](/azure/active-directory/conditional-access/overview)

+This tutorial assumes you have:

+* Office 365 tenant federated to Okta for sign-in and multi-factor authentication

+* Azure AD Connect server, or Azure AD Connect cloud provisioning agents configured for user provisioning to Azure AD

+See the following two sections for licensing and credentials prerequisites.

+### Licensing

+There are licensing requirements if you switch from Okta sign-on to Conditional Access. The process requires an Azure AD Premium P1 license to enable registration for Azure AD Multi-Factor Authentication (MFA).

+Learn more: [Assign or remove licenses in the Azure Active Directory portal](/azure/active-directory/fundamentals/license-users-groups)

+### Enterprise Administrator credentials

+To configure the service connection point (SCP) record, ensure you have Enterprise Administrator credentials in the on-premises forest.

+## Evaluate Okta sign-on policies for transition

+Locate and evaluate Okta sign-on policies to determine what will be transitioned to Azure AD.

+1. In Okta go to **Security** > **Authentication** > **Sign On**.

+ 

+2. Go to **Applications**.

+3. From the submenu, select **Applications**

+4. From the **Active apps list**, select the Microsoft Office 365 connected instance.

+ 

+5. Select **Sign On**.

+6. Scroll to the bottom of the page.

+The Microsoft Office 365 application sign-on policy has four rules:

+- **Enforce MFA for mobile sessions** - requires MFA from modern authentication or browser sessions on iOS or Android

+- **Allow trusted Windows devices** - prevents unnecessary verification or factor prompts for trusted Okta devices

+- **Require MFA from untrusted Windows devices** - requires MFA from modern authentication or browser sessions on untrusted Windows devices

+- **Block legacy authentication** - prevents legacy authentication clients from connecting to the service

+The following screenshot is conditions and actions for the four rules, on the Sign On Policy screen.

+ 

+## Configure Conditional Access policies

+Configure Conditional Access policies to match Okta conditions. However, in some scenarios, you might need more setup:

+* Okta network locations to named locations in Azure AD

+ * [Using the location condition in a Conditional Access policy](../conditional-access/location-condition.md)

+* Okta device trust to device-based Conditional Access (two options to evaluate user devices):

+ * See the following section, **Hybrid Azure AD join configuration** to synchronize Windows devices, such as Windows 10, Windows Server 2016 and 2019, to Azure AD

+ * See the following section, **Configure device compliance**

+ * See, [Use hybrid Azure AD join](#hybrid-azure-ad-join-configuration), a feature in Azure AD Connect server that synchronizes Windows devices, such as Windows 10, Windows Server 2016, and Windows Server 2019, to Azure AD

+ * See, [Enroll the device in Microsoft Intune](#configure-device-compliance) and assign a compliance policy

+### Hybrid Azure AD join configuration

+To enable hybrid Azure AD join on your Azure AD Connect server, run the configuration wizard. After configuration, enroll devices.

+ >[!NOTE]

+ >Hybrid Azure AD join isn't supported with the Azure AD Connect cloud provisioning agents.

+1. [Configure hybrid Azure AD join](../devices/howto-hybrid-azure-ad-join.md).

+2. On the **SCP configuration** page, select the **Authentication Service** dropdown.

+ 

+4. Select an Okta federation provider URL.

+5. Select **Add**.

+6. Enter your on-premises Enterprise Administrator credentials

+7. Select **Next**.

+ > [!TIP]

+ > If you blocked legacy authentication on Windows clients in the global or app-level sign-on policy, make a rule that enables the hybrid Azure AD join process to finish. Allow the legacy authentication stack for Windows clients. </br>To enable custom client strings on app policies, contact the [Okta Help Center](https://support.okta.com/help/).

+Hybrid Azure AD join is a replacement for Okta device trust on Windows. Conditional Access policies recognize compliance for devices enrolled in Microsoft Intune.

+#### Device compliance policy

+* [Use compliance policies to set rules for devices you manage with Intune](/mem/intune/protect/device-compliance-get-started)

+* [Create a compliance policy in Microsoft Intune](/mem/intune/protect/create-compliance-policy)

+#### Windows 10/11, iOS, iPadOS, and Android enrollment

+If you deployed hybrid Azure AD join, you can deploy another group policy to complete auto-enrollment of these devices in Intune.

+* [Enrollment in Microsoft Intune](/mem/intune/enrollment/)

+* [Quickstart: Set up automatic enrollment for Windows 10/11 devices](/mem/intune/enrollment/quickstart-setup-auto-enrollment)

+* [Enroll Android devices](/mem/intune/enrollment/android-enroll)

+* [Enroll iOS/iPadOS devices in Intune](/mem/intune/enrollment/ios-enroll)

+## Configure Azure AD Multi-Factor Authentication tenant settings

+Before you convert to Conditional Access, confirm the base MFA tenant settings for your organization.

+1. Go to the [Azure portal](https://portal.azure.com).

+2. Sign in as a Global Administrator.

+3. Select **Azure Active Directory** > **Users** > **Multi-Factor Authentication**.

+4. The legacy Azure AD Multi-Factor Authentication portal appears. Or select [Azure AD MFA portal](https://aka.ms/mfaportal).

+ 

+5. Confirm there are no users enabled for legacy MFA: On the **multi-factor authentication** menu, on **Multi-Factor Auth status**, select **Enabled** and **Enforced**. If the tenant has users in the following views, disable them in the legacy menu.

+ 

+6. Ensure the **Enforced** field is empty.

+7. Select the **Service settings** option.

+8. Change the **App passwords** selection to **Do not allow users to create app passwords to sign in to non-browser apps**.

+ 

+9. Clear the checkboxes for **Skip multi-factor authentication for requests from federated users on my intranet** and **Allow users to remember multi-factor authentication on devices they trust (between one to 365 days)**.

+10. Select **Save**.

+ 

+ >[!NOTE]

+ >See [Optimize reauthentication prompts and understand session lifetime for Azure AD MFA](../authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md).

+## Build a Conditional Access policy

+To configure Conditional Access policies, see [Best practices for deploying and designing Conditional Access](../conditional-access/plan-conditional-access.md#conditional-access-policy-components).

+After you configure the prerequisites and established base settings, you can build Conditional Access policy. Policy can be targeted to an application, a test group of users, or both.

+Before you get started:

+* [Understand Conditional Access policy components](../conditional-access/plan-conditional-access.md)

+* [Building a Conditional Access policy](../conditional-access/concept-conditional-access-policies.md)

+1. Go to the [Azure portal](https://portal.azure.com).

+2. On **Manage Azure Active Directory**, select **View**.

+3. Create a policy. See, [Common Conditional Access policy: Require MFA for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md).

+4. Create a device trust-based Conditional Access rule.

+ 

+ 

+5. After you configure the location-based policy and device trust policy, [Block legacy authentication with Azure AD with Conditional Access](/azure/active-directory/conditional-access/block-legacy-authentication).

+With these three Conditional Access policies, the original Okta sign-on policies experience is replicated in Azure AD.

+## Enroll pilot members in MFA

+Users register for MFA methods.

+For individual registration, users go to [Microsoft Sign-in pane](https://aka.ms/mfasetup).

+To manage registration, users go to [Microsoft My Sign-Ins | Security Info](https://aka.ms/mysecurityinfo).

+Learn more: [Enable combined security information registration in Azure Active Directory](../authentication/howto-registration-mfa-sspr-combined.md).

+ >[!NOTE]

+ >If users registered, they're redirected to the **My Security** page, after they satisfy MFA.

+1. To test, change the created policies to **Enabled test user login**.

+ 

+2. On the Office 365 **Sign-In** pane, the test user John Smith is prompted to sign in with Okta MFA and Azure AD MFA.

+ 

+3. Complete the MFA verification through Okta.

+ 

+4. The user is prompted for Conditional Access.

+5. Ensure the policies are configured to be triggered for MFA.

+ 

+## Add organization members to Conditional Access policies

+After you conduct testing on pilot members, add the remaining organization members to Conditional Access policies, after registration.

+To avoid double-prompting between Azure AD MFA and Okta MFA, opt out from Okta MFA: modify sign-on policies.

+1. Go to the Okta admin console

+2. Select **Security** > **Authentication**

+3. Go to **Sign-on Policy**.

+ > Set global policies to **Inactive** if all applications from Okta are protected by application sign-on policies.

+4. Set the **Enforce MFA** policy to **Inactive**. You can assign the policy to a new group that doesn't include the Azure AD users.

+ 

+5. On the application-level sign-on policy pane, select the **Disable Rule** option.

+6. Select **Inactive**. You can assign the policy to a new group that doesn't include the Azure AD users.

+7. Ensure there's at least one application-level sign-on policy enabled for the application that allows access without MFA.

+ 

+8. Users are prompted for Conditional Access the next time they sign in.

+- [Tutorial: Migrate your applications from Okta to Azure Active Directory](migrate-applications-from-okta-to-azure-active-directory.md)

+- [Tutorial: Migrate Okta federation to Azure Active Directory-managed authentication](migrate-okta-federation-to-azure-active-directory.md)

+- [Tutorial: Migrate Okta sync provisioning to Azure AD Connect-based synchronization](migrate-okta-sync-provisioning-to-azure-active-directory.md)

+> [!VIDEO https://www.youtube.com/embed/7B-PQwNfGBc]

+> [!Important]

+### Configure ADP to support multiple instances in the same tenant

+1. Go to **Basic SAML Configuration** section and configure another test value in **Identifier (Entity ID)** textbox.

+ 

+1. To support multiple instances in the same tenant, please follow the below steps:

+ 

+ 1. Navigate to **Attributes & Claims** section > **Advanced settings** > **Advanced SAML claims options** and click **Edit**.

+ 1. Enable **Append application ID to issuer** checkbox.

+ 1. Enable **Override audience claim** checkbox.

+ 1. In the **Audience claim value** textbox, enter **Identifier (Entity ID)** value, which you've copied from **Basic SAML Configuration** section and click **Save**.

+1. Navigate to **Properties** tab under Manage section and copy **Application ID** from the Azure portal.

+ 

+1. Download and open the **Federation Metadata XML** file from the Azure portal and edit the **entityID** value by adding **Application ID** manually at the end.

+ 

+

+1. **Save** the xml file and use in the ADP side.

+description: In this tutorial, you learn how to configure single sign-on between Azure Active Directory and Cloud Academy.

+# Tutorial: Azure Active Directory SSO integration with Cloud Academy

+In this tutorial, you learn how to integrate Cloud Academy with Azure Active Directory (Azure AD). When you integrate Cloud Academy with Azure AD, you can:

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+ Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)

+In this section, you create a test user called B.Simon in the Azure portal.

+In this section, you enable B.Simon to use Azure single sign-on by granting that user access to Cloud Academy.

+1. If you're expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+ :::image type="content" source="./media/cloud-academy-sso-tutorial/test-successful.png" alt-text="Screenshot that shows S S O activation is successful.":::

+In this section, a user called B.Simon is created in Cloud Academy. Cloud Academy supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Cloud Academy, a new one is created after authentication.

+ b. ΓÇ£Five9 Plus Adapter for Microsoft Dynamics CRMΓÇ¥ Admin Guide: [https://manualzz.com/download/25793001](https://manualzz.com/download/25793001)

+ > These values are not real. Update these values with the actual Sign-on URL, Identifier and Relay State. Contact [Lifesize Cloud Client support team](https://support.lifesize.com/) to get Sign-On URL, and Identifier values and you can get Relay State value from SSO Configuration that is explained later in the tutorial. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+In this section, you create a user called Britta Simon at Oracle Access Manager for Oracle E-Business Suite. Work with [Oracle Access Manager for Oracle E-Business Suite support team](https://www.oracle.com/support/advanced-customer-services/cloud/) to add the users in the Oracle Access Manager for Oracle E-Business Suite platform. Users must be created and activated before you use single sign-on.

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Oracle Access Manager for Oracle Retail Merchandising support team](https://www.oracle.com/support/advanced-customer-services/cloud/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+To configure single sign-on on Oracle Access Manager for Oracle Retail Merchandising side, you need to send the downloaded Federation Metadata XML file from Azure portal to [Oracle Access Manager for Oracle Retail Merchandising support team](https://www.oracle.com/support/advanced-customer-services/cloud/). They set this setting to have the SAML SSO connection set properly on both sides.

+In this section, you create a user called Britta Simon at Oracle Access Manager for Oracle Retail Merchandising. Work with [Oracle Access Manager for Oracle Retail Merchandising support team](https://www.oracle.com/support/advanced-customer-services/cloud/) to add the users in the Oracle Access Manager for Oracle Retail Merchandising platform. Users must be created and activated before you use single sign-on.

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Oracle IDCS for PeopleSoft support team](https://www.oracle.com/support/advanced-customer-services/cloud/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+To configure single sign-on on Oracle IDCS for PeopleSoft side, you need to send the downloaded Federation Metadata XML file from Azure portal to [Oracle IDCS for PeopleSoft support team](https://www.oracle.com/support/advanced-customer-services/cloud/). They set this setting to have the SAML SSO connection set properly on both sides.

+In this section, you create a user called Britta Simon at Oracle IDCS for PeopleSoft. Work with [Oracle IDCS for PeopleSoft support team](https://www.oracle.com/support/advanced-customer-services/cloud/) to add the users in the Oracle IDCS for PeopleSoft platform. Users must be created and activated before you use single sign-on.

+* pymetrics supports **SP** initiated SSO. If you need to configure an **IDP** initiated flow, please reach out to [pymetrics support](mailto:solutions-engineering@pymetrics.com).

+ c. In the **Sign-on URL** text box, type a URL using the following pattern:

+* Click on **Test this application** in Azure portal. This will redirect to pymetrics Sign-on URL where you can initiate the login flow.

+* Go to pymetrics Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the pymetrics tile in the My Apps, this will redirect to pymetrics Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+ `https://InstanceName.cloud.tanium.com`

+Once you configure Tanium Cloud SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+| IA.L2-3.5.9<br><br>**Practice statement:** Allow temporary password use for system logons with an immediate change to a permanent password.<br><br>**Objectives:**<br>Determine if:<br>[a.] an immediate change to a permanent password is required when a temporary password is used for system sign-on. | An Azure AD user initial password is a temporary single use password that once successfully used is immediately required to be changed to a permanent password. Microsoft strongly encourages the adoption of passwordless authentication methods. Users can bootstrap Passwordless authentication methods using Temporary Access Pass (TAP). TAP is a time and use limited passcode issued by an admin that satisfies strong authentication requirements. Use of passwordless authentication along with the time and use limited TAP completely eliminates the use of passwords (and their reuse).<br>[Add or delete users - Azure Active Directory](../fundamentals/add-users-azure-active-directory.md)<br>[Configure a Temporary Access Pass in Azure AD to register Passwordless authentication methods](../authentication/howto-authentication-temporary-access-pass.md)<br>[Passwordless authentication](../authentication/concept-authentication-passwordless.md) |

+* [Configure CMMC Level 2 additional controls](configure-cmmc-level-2-additional-controls.md)

+Create a cluster using the [`az aks create`][az-aks-create] and specify the *`--api-server-authorized-ip-ranges`* parameter to provide a list of authorized public IP address ranges. When you specify a CIDR range, start with the first IP address in the range. For example, *137.117.106.90/29* is a valid range, but make sure you specify the first IP address in the range, such as *137.117.106.88/29*.

+```azurecli

+az aks update -g $RG -n $AKSNAME --api-server-authorized-ip-ranges $CURRENT_IP/24,73.140.245.0/24

+> The above example adds another IP address to the approved ranges. Note that it still includes the IP address from [Update a cluster's API server authorized IP ranges](#update-a-clusters-api-server-authorized-ip-ranges). If you don't include your existing IP address, this command will replace it with the new one instead of adding it to the authorized ranges. To disable authorized IP ranges, use `az aks update` and specify an empty range "".

+[managed-aad-migrate]: managed-aad.md#upgrade-to-aks-managed-azure-ad-integration

+> An Azure disk can only be mounted with *Access mode* type *ReadWriteOnce*, which makes it available to one pod in AKS. If you need to share a persistent volume across multiple pods, use [Azure Files][azure-files-pvc].

+ * Premium disks are backed by SSD-based high-performance, low-latency disks. They're ideal for VMs running production workloads. When you use the Azure Disks CSI driver on AKS, you can also use the `managed-csi` storage class, which is backed by Standard SSD locally redundant storage (LRS).

+It's not supported to reduce the size of a PVC (to prevent data loss). You can edit an existing storage class by using the `kubectl edit sc` command, or you can create your own custom storage class.

+Both the horizontal pod autoscaler and cluster autoscaler can also decrease the number of pods and nodes as needed. The cluster autoscaler decreases the number of nodes when there has been unused capacity for a period of time. Pods on a node to be removed by the cluster autoscaler are safely scheduled elsewhere in the cluster. For more information about how scaling down works, see [How does scale-down work?](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-scale-down-work).

+For a conceptual overview of cluster extensions, see [Cluster extensions - Azure Arc-enabled Kubernetes][arc-k8s-extensions].

+> The minimum supported version for the `k8s-extension` Azure CLI extension is `1.0.0`. If you are unsure what version you have installed, run `az extension show --name k8s-extension` and look for the `version` field. We recommend using the latest version.

+| [Flux (GitOps)][gitops-overview] | Use GitOps with Flux to manage cluster configuration and application deployment. See also [supported versions of Flux (GitOps)][gitops-support] and [Tutorial: Deploy applications using GitOps with Flux v2][gitops-tutorial].|

+| `--release-train` | Extension authors can publish versions in different release trains such as `Stable`, `Preview`, etc. If this parameter isn't set explicitly, `Stable` is used as default. This parameter can't be used when `--auto-upgrade-minor-version` parameter is set to `false`. |

+[gitops-support]: ../azure-arc/kubernetes/extensions-release.md#flux-gitops

+[gitops-tutorial]: ../azure-arc/kubernetes/tutorial-use-gitops-flux2.md

+[microsoft-azure-fedramp-high]: ../azure-government/compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope

+[azure-bounty-program-overview]: https://www.microsoft.com/msrc/bounty-microsoft-azure

+[kubectl]: https://kubernetes.io/docs/reference/kubectl/

+[cli-aad-upgrade]: managed-aad.md#upgrade-to-aks-managed-azure-ad-integration

+* Changing an AKS-managed Azure AD integrated cluster to legacy Azure AD isn't supported.

+* Make sure Azure CLI version 2.29.0 or later is installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).

+* You need `kubectl`, with a minimum version of [1.18.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#v1181) or [`kubelogin`](https://github.com/Azure/kubelogin). The difference between the minor versions of Kubernetes and `kubectl` shouldn't be more than 1 version. You'll experience authentication issues if you don't use the correct version.

+* If you're using [helm](https://github.com/helm/helm), you need a minimum version of helm 3.3.

+* This article requires that you have an Azure AD group for your cluster. This group will be registered as an admin group on the cluster to grant cluster admin permissions. If you don't have an existing Azure AD group, you can create one using the [`az ad group create`](/cli/azure/ad/group#az_ad_group_create) command.

+1. Create an Azure resource group using the [`az group create`][az-group-create] command.

+ ```azurecli-interactive

+ az group create --name myResourceGroup --location centralus

+ ```

+2. Create an AKS cluster and enable administration access for your Azure AD group using the [`az aks create`][az-aks-create] command.

+ ```azurecli-interactive

+ az aks create -g myResourceGroup -n myManagedCluster --enable-aad --aad-admin-group-object-ids <id> [--aad-tenant-id <id>]

+ ```

+ A successful creation of an AKS-managed Azure AD cluster has the following section in the response body:

+ ```output

+ "AADProfile": {

+ "adminGroupObjectIds": [

+ "5d24****-****-****-****-****afa27aed"

+ ],

+ "clientAppId": null,

+ "managed": true,

+ "serverAppId": null,

+ "serverAppSecret": null,

+ "tenantId": "72f9****-****-****-****-****d011db47"

+ }

+ ```

+Before you access the cluster using an Azure AD defined group, you need the [Azure Kubernetes Service Cluster User](../role-based-access-control/built-in-roles.md#azure-kubernetes-service-cluster-user-role) built-in role.

+1. Get the user credentials to access the cluster using the [`az aks get-credentials`][az-aks-get-credentials] command.

+ ```azurecli-interactive

+ az aks get-credentials --resource-group myResourceGroup --name myManagedCluster

+ ```

+2. Follow the instructions to sign in.

+3. Use the `kubectl get nodes` command to view nodes in the cluster.

+ ```azurecli-interactive

+ kubectl get nodes

+ ```

+4. Set up [Azure role-based access control (Azure RBAC)](./azure-ad-rbac.md) to configure other security groups for your clusters.

+If you're permanently blocked by not having access to a valid Azure AD group with access to your cluster, you can still obtain the admin credentials to access the cluster directly. You need to have access to the [Azure Kubernetes Service Cluster Admin](../role-based-access-control/built-in-roles.md#azure-kubernetes-service-cluster-admin-role) built-in role.

+Enable AKS-managed Azure AD integration on your existing Kubernetes RBAC enabled cluster using the [`az aks update`][az-aks-update] command. Make sure to set your admin group to keep access on your cluster.

+Download user credentials again to access your cluster by following the steps in [access an Azure AD enabled cluster][access-cluster].

+## Upgrade to AKS-managed Azure AD integration

+If your cluster uses legacy Azure AD integration, you can upgrade to AKS-managed Azure AD integration with no downtime using the [`az aks update`][az-aks-update] command.

+In order to access the cluster, follow the steps in [access an Azure AD enabled cluster][access-cluster] to update kubeconfig.

+Create a new AKS cluster without any local accounts using the [`az aks create`][az-aks-create] command with the `disable-local-accounts` flag.

+Disable local accounts on an existing Azure AD integration enabled AKS cluster using the [`az aks update`][az-aks-update] command with the `disable-local-accounts` parameter.

+AKS supports enabling a disabled local account on an existing cluster using the [`az aks update`][az-aks-update] command with the `enable-local-accounts` parameter.

+Create an example Conditional Access policy to use with AKS:

+1. In the Azure portal, go to the **Azure Active Directory** page and select **Enterprise applications**.

+2. Select **Conditional Access** > **Policies** >**New policy**.

+3. Enter a name for the policy, for example **aks-policy**.

+4. Under **Assignments** select **Users and groups**. Choose the users and groups you want to apply the policy to. In this example, choose the same Azure AD group that has administrator access to your cluster.

+5. Under **Cloud apps or actions > Include**, select **Select apps**. Search for **Azure Kubernetes Service** and select **Azure Kubernetes Service AAD Server**.

+6. Under **Access controls > Grant**, select **Grant access**, **Require device to be marked as compliant**, and **Require all the selected controls**.

+7. Confirm your settings, set **Enable policy** to **On**, and then select **Create**.

+After creating the Conditional Access policy, verify it has been successfully listed:

+1. Get the user credentials to access the cluster using the [`az aks get-credentials`][az-aks-get-credentials] command.

+2. Follow the instructions to sign in.

+3. View the nodes in the cluster using the `kubectl get nodes` command.

+4. In the Azure portal, navigate to **Azure Active Directory** and select **Enterprise applications** > **Activity** > **Sign-ins**.

+5. Under the **Conditional Access** column you should see a status of **Success**. Select the event and then select **Conditional Access** tab. Your Conditional Access policy will be listed.

+Integrate just-in-time access requests with an AKS cluster using AKS-managed Azure AD integration:

+1. In the Azure portal, go to **Azure Active Directory** and select **Properties**.

+2. Note the value listed under **Tenant ID**. It will be referenced in a later step as `<tenant-id>`.

+3. Select **Groups** > **New group**.

+4. Verify the group type **Security** is selected and specify a group name, such as **myJITGroup**. Under the option **Azure AD roles can be assigned to this group (Preview)**, select **Yes** and then select **Create**.

+5. On the **Groups** page, select the group you just created and note the Object ID. It will be referenced in a later step as `<object-id>`.

+6. Create the AKS cluster with AKS-managed Azure AD integration using the [`az aks create`][az-aks-create] command with the `--aad-admin-group-objects-ids` and `--aad-tenant-id parameters` and include the values noted in the steps earlier.

+7. In the Azure portal, select **Activity** > **Privileged Access (Preview)** > **Enable Privileged Access**.

+8. To grant access, select **Add assignments**.

+9. From the **Select role** drop-down list, select the users and groups you want to grant cluster access. These assignments can be modified at any time by a group administrator. Then select **Next**.

+10. Under **Assignment type**, select **Active** and then specify the desired duration. Provide a justification and then select **Assign**. For more information about assignment types, see [Assign eligibility for a privileged access group (preview) in Privileged Identity Management][aad-assignments].

+Once the assignments have been made, verify just-in-time access is working by accessing the cluster:

+1. Get the user credentials to access the cluster using the [`az aks get-credentials`][az-aks-get-credentials] command.

+ ```azurecli-interactive

+ az aks get-credentials --resource-group myResourceGroup --name myManagedCluster

+ ```

+2. Follow the steps to sign in.

+3. Use the `kubectl get nodes` command to view the nodes in the cluster.

+ ```azurecli-interactive

+ kubectl get nodes

+ ```

+4. Note the authentication requirement and follow the steps to authenticate. If successful, you should see an output similar to the following example output:

+ ```output

+ To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code AAAAAAAAA to authenticate.

+ NAME STATUS ROLES AGE VERSION

+ aks-nodepool1-61156405-vmss000000 Ready agent 6m36s v1.18.14

+ aks-nodepool1-61156405-vmss000001 Ready agent 6m42s v1.18.14

+ aks-nodepool1-61156405-vmss000002 Ready agent 6m33s v1.18.14

+ ```

+### Apply just-in-time access at the namespace level

+2. Associate the group you want to integrate with just-in-time access with a namespace in the cluster using the [`az role assignment create`][az-role-assignment-create] command.

+ ```azurecli-interactive

+ az role assignment create --role "Azure Kubernetes Service RBAC Reader" --assignee <AAD-ENTITY-ID> --scope $AKS_ID/namespaces/<namespace-name>

+ ```

+3. Associate the group you configured at the namespace level with PIM to complete the configuration.

+If `kubectl get nodes` returns an error similar to the following:

+[az-role-assignment-create]: /cli/azure/role/assignment#az_role_assignment_create

+ Title: Stop and start an Azure Kubernetes Service (AKS) cluster

+description: Learn how to stop and start an Azure Kubernetes Service (AKS) cluster.

+# Stop and start an Azure Kubernetes Service (AKS) cluster

+You may not need to continuously run your Azure Kubernetes Service (AKS) workloads. For example, you may have a development cluster that you only use during business hours. This means there are times where your cluster might be idle, running nothing more than the system components. You can reduce the cluster footprint by [scaling all `User` node pools to 0](scale-cluster.md#scale-user-node-pools-to-0), but your [`System` pool](use-system-pools.md) is still required to run the system components while the cluster is running.

+To better optimize your costs during these periods, you can turn off, or stop, your cluster. This action stops your control plane and agent nodes, allowing you to save on all the compute costs, while maintaining all objects except standalone pods. The cluster state is stored for when you start it again, allowing you to pick up where you left off.

+This article assumes you have an existing AKS cluster. If you need an AKS cluster, you can create one using [Azure CLI][aks-quickstart-cli], [Azure PowerShell][aks-quickstart-powershell], or the [Azure portal][aks-quickstart-portal].

+### About the cluster stop/start feature

+When using the cluster stop/start feature, the following conditions apply:

+- This feature is only supported for Virtual Machine Scale Set backed clusters.

+- The cluster state of a stopped AKS cluster is preserved for up to 12 months. If your cluster is stopped for more than 12 months, you can't recover the state. For more information, see the [AKS support policies](support-policies.md).

+- You can only start or delete a stopped AKS cluster. To perform other operations, like scaling or upgrading, you need to start your cluster first.

+- If you provisioned PrivateEndpoints linked to private clusters, they need to be deleted and recreated again when starting a stopped AKS cluster.

+- When you start your cluster back up, the following behavior is expected:

+ - The IP address of your API server may change.

+ - If you're using cluster autoscaler, when you start your cluster, your current node count may not be between the min and max range values you set. The cluster starts with the number of nodes it needs to run its workloads, which isn't impacted by your autoscaler settings. When your cluster performs scaling operations, the min and max values will impact your current node count, and your cluster will eventually enter and remain in that desired range until you stop your cluster.

+## Stop an AKS cluster

+1. Use the [`az aks stop`][az-aks-stop] command to stop a running AKS cluster, including the nodes and control plane. The following example stops a cluster named *myAKSCluster*:

+ ```azurecli-interactive

+ az aks stop --name myAKSCluster --resource-group myResourceGroup

+ ```

+2. Verify your cluster has stopped using the [`az aks show`][az-aks-show] command and confirming the `powerState` shows as `Stopped`.

+ ```azurecli-interactive

+ az aks show --name myAKSCluster --resource-group myResourceGroup

+ ```

+ Your output should look similar to the following condensed example output:

+ ```json

+ {

+ [...]

+ "nodeResourceGroup": "MC_myResourceGroup_myAKSCluster_westus2",

+ "powerState":{

+ "code":"Stopped"

+ },

+ "privateFqdn": null,

+ "provisioningState": "Succeeded",

+ "resourceGroup": "myResourceGroup",

+ [...]

+ }

+ ```

+ If the `provisioningState` shows `Stopping`, your cluster hasn't fully stopped yet.

+1. Use the [`Stop-AzAksCluster`][stop-azakscluster] cmdlet to stop a running AKS cluster, including the nodes and control plane. The following example stops a cluster named *myAKSCluster*:

+ ```azurepowershell-interactive

+ Stop-AzAksCluster -Name myAKSCluster -ResourceGroupName myResourceGroup

+ ```

+2. Verify your cluster has stopped using the [`Get-AzAksCluster`][get-azakscluster] cmdlet and confirming the `ProvisioningState` shows as `Succeeded`.

+ ```azurepowershell-interactive

+ Get-AzAKSCluster -Name myAKSCluster -ResourceGroupName myResourceGroup

+ ```

+ Your output should look similar to the following condensed example output:

+ ```Output

+ ProvisioningState : Succeeded

+ MaxAgentPools : 100

+ KubernetesVersion : 1.20.7

+ ...

+ ```

+ If the `ProvisioningState` shows `Stopping`, your cluster hasn't fully stopped yet.

+> If you're using [pod disruption budgets](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/), the stop operation can take longer, as the drain process will take more time to complete.

+## Start an AKS cluster

+> Don't repeatedly stop and start your clusters. This can result in errors. Once your cluster is stopped, you should wait at least 15-30 minutes before starting it again.

+1. Use the [`az aks start`][az-aks-start] command to start a stopped AKS cluster. The cluster restarts with the previous control plane state and number of agent nodes. The following example starts a cluster named *myAKSCluster*:

+ ```azurecli-interactive

+ az aks start --name myAKSCluster --resource-group myResourceGroup

+ ```

+2. Verify your cluster has started using the [`az aks show`][az-aks-show] command and confirming the `powerState` shows `Running`.

+ ```azurecli-interactive

+ az aks show --name myAKSCluster --resource-group myResourceGroup

+ ```

+ Your output should look similar to the following condensed example output:

+ ```json

+ {

+ [...]

+ "nodeResourceGroup": "MC_myResourceGroup_myAKSCluster_westus2",

+ "powerState":{

+ "code":"Running"

+ },

+ "privateFqdn": null,

+ "provisioningState": "Succeeded",

+ "resourceGroup": "myResourceGroup",

+ [...]

+ }

+ ```

+ If the `provisioningState` shows `Starting`, your cluster hasn't fully started yet.

+1. Use the [`Start-AzAksCluster`][start-azakscluster] cmdlet to start a stopped AKS cluster. The cluster restarts with the previous control plane state and number of agent nodes. The following example starts a cluster named *myAKSCluster*:

+ ```azurepowershell-interactive

+ Start-AzAksCluster -Name myAKSCluster -ResourceGroupName myResourceGroup

+ ```

+2. Verify your cluster has started using the [`Get-AzAksCluster`][get-azakscluster] cmdlet and confirming the `ProvisioningState` shows `Succeeded`.

+ ```azurepowershell-interactive

+ Get-AzAksCluster -Name myAKSCluster -ResourceGroupName myResourceGroup

+ ```

+ Your output should look similar to the following condensed example output:

+ ```Output

+ ProvisioningState : Succeeded

+ MaxAgentPools : 100

+ KubernetesVersion : 1.20.7

+ ...

+ ```

+ If the `ProvisioningState` shows `Starting`, your cluster hasn't fully started yet.

+[az-aks-stop]: /cli/azure/aks#az_aks_stop

+[az-aks-start]: /cli/azure/aks#az_aks_start

+This article shows how to use [Terraform](/azure/terraform) to create an [Azure Analysis Services](./analysis-services-overview.md) server.

+> [Quickstart: Configure server firewall - Portal](analysis-services-qs-firewall.md)

+This article shows how to use [Terraform](/azure/terraform) to create an [API Management service instance](./api-management-key-concepts.md) on Azure. API Management helps organizations publish APIs to external, partner, and internal developers to unlock the potential of their data and services. API Management provides the core competencies to ensure a successful API program through developer engagement, business insights, analytics, security, and protection. API Management enables you to create and manage modern API gateways for existing backend services hosted anywhere. For more information, see the [Azure API Management - Overview and key concepts](api-management-key-concepts.md).

+> [Tutorial: Import and publish your first API](import-and-publish.md)

+> To purge a soft-deleted instance, you must have the following RBAC permissions at the subscription scope in addition to Contributor access to the API Management instance: Microsoft.ApiManagement/locations/deletedservices/delete, Microsoft.ApiManagement/deletedservices/read.

+Those who receive notifications include account administrators, service administrators, and co-administrators. Contributors, readers, or other roles won't directly receive notifications, unless they opt-in to receive notification emails, using [Service Health Alerts](../service-health/alerts-activity-log-service-notifications-portal.md).

+- [PHP](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/php_support.md#how-to-update-your-app-to-target-a-different-version-of-php)

+> Azure Database for MySQL - Single Server is on the road to retirement by 16 September 2024. If your existing MySQL database is hosted on Azure Database for MySQL - Single Server, consider migrating to Azure Database for MySQL - Flexible Server using the following steps, or using [Azure Database Migration Service (DMS)](../mysql/single-server/whats-happening-to-mysql-single-server.md#migrate-from-single-server-to-flexible-server).

+[At-scale assessment of .NET web apps](/training/modules/migrate-app-service-migration-assistant/)

+| Feature: Portal listing of Functions or keys | Not available if cluster isn't publicly reachable |

+- [Which Kubernetes distributions can I deploy the extension on?](#which-kubernetes-distributions-can-i-deploy-the-extension-on)

+Only Linux-based apps are supported, both code and custom containers. Windows apps aren't supported.

+FTP deployment isn't supported. Currently `az webapp up` is also not supported. Other deployment methods are supported, including Git, ZIP, CI/CD, Visual Studio, and Visual Studio Code.

+During the preview period, certain App Service features are being validated. When they're supported, their left navigation options in the Azure portal will be activated. Features that aren't yet supported remain grayed out.

+No. Networking features such as hybrid connections or Virtual Network integration, aren't supported. [Access restriction](app-service-ip-restrictions.md) support was added in April 2022. Networking should be handled directly in the networking rules in the Kubernetes cluster itself.

+By default, logs from system components are sent to the Azure team. Application logs aren't sent. You can prevent these logs from being transferred by setting `logProcessor.enabled=false` as an extension configuration setting. This configuration setting will also disable forwarding of application to your Log Analytics workspace. Disabling the log processor might impact time needed for any support cases, and you will be asked to collect logs from standard output through some other means.

+ARM64 based clusters aren't supported at this time.

+### Which Kubernetes distributions can I deploy the extension on?

+The extension has been validated on AKS, AKS on Azure Stack HCI, Google Kubernetes Engine, Amazon Elastic Kubernetes Service and Kubernetes Cluster API.

+- Python applications can use the [OpenCensus package](../azure-monitor/app/opencensus-python.md) to send logs to the application diagnostics log.

+* [Tutorial: Run a load test to identify performance bottlenecks in a web app](../load-testing/tutorial-identify-bottlenecks-azure-portal.md)

+ here's an [article on storing in Azure Key Vault](../key-vault/certificates/quick-create-python.md).

+> [Configure Python app](configure-language-python.md)

+After you add virtual machine scale sets as a backend pool member, you need to upgrade virtual machine scale sets instances. Until you upgrade scale sets instances, the backend will be unhealthy.

+#### Form Recognizer Studio

+### Data extraction support

+### Barcode extraction

+ ### Barcode extraction

+### Extract pages from documents

+> [**`2023-02-28-preview`**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2023-02-28-preview/operations/AnalyzeDocument) capabilities are currently only available in the following regions:

+* [**Custom classifier model**](concept-custom-classifier.md) is a new capability within Form Recognizer starting with the ```2023-02-28-preview``` API. Try the document classification capability using the [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio/document-classifier/projects) or the [REST API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2023-02-28-preview/operations/GetClassifyDocumentResult).

+* [**Query fields**](concept-query-fields.md) capabilities, added to the General Document model, use Azure OpenAI models to extract specific fields from documents. Try the **General documents with query fields** feature using the [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio). Query fields are currently only active for resources in the `East US` region.

+* [**Read**](concept-read.md#barcode-extraction) and [**Layout**](concept-layout.md#barcode-extraction) models support **barcode** extraction with the ```2023-02-28-preview``` API.

+* [**Add-on capabilities**](concept-add-on-capabilities.md)

+ * [**Font extraction**](concept-add-on-capabilities.md#font-property-extraction) is now recognized with the ```2023-02-28-preview``` API.

+ * [**Formula extraction**](concept-add-on-capabilities.md#formula-extraction) is now recognized with the ```2023-02-28-preview``` API.

+ * [**High resolution extraction**](concept-add-on-capabilities.md#high-resolution-extraction) is now recognized with the ```2023-02-28-preview``` API.

+* [**Common name key normalization**](concept-general-document.md#key-normalization-common-name) capabilities are added to the General Document model to improve processing forms with variations in key names.

+* [**Custom extraction model updates**](concept-custom.md)

+ * [**Custom neural model**](concept-custom-neural.md) now supports added languages for training and analysis. Train neural models for Dutch, French, German, Italian and Spanish.

+ * [**Custom template model**](concept-custom-template.md) now has an improved signature detection capability.

+* [**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio) updates

+ * New model additions in gated preview: **Vaccination cards**, **Contracts**, **US Tax 1098**, **US Tax 1098-E**, and **US Tax 1095-T**. To request access to gated preview models, complete and submit the [**Form Recognizer private preview request form**](https://aka.ms/form-recognizer/preview/survey).

+* [**Receipt model updates**](concept-receipt.md)

+* [**Layout model**](concept-layout.md) now has improved table recognition.

+* [**Read model**](concept-read.md) now has added improvement for single-digit character recognition.

+ * **Auto table labeling**. After you select the table icon within a document, you can opt to autolabel the extracted table in the labeling view.

+ * [**General document**](concept-general-document.md) pretrained model is now updated to support selection marks in addition to API text, tables, structure, key-value pairs, and named entities from forms and documents.

+ * [**General document**](concept-general-document.md) model is a new API that uses a pretrained model to extract text, tables, structure, key-value pairs, and named entities from forms and documents.

+* Migrated to the **`2.1-preview.3`** Form Recognizer service endpoint for all REST API calls.

+* **SDK preview updates for API version `2.1-preview.3` introduces feature updates and enhancements.**

+ * **REST API reference is available** - View the [`v2.1-preview.1 reference`](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/AnalyzeBusinessCardAsync)

+> Start/Stop VM during off-hours version 1 is unavailable in the marketplace now as it will retire by 30 September 2023. We recommend you start using [version 2](../azure-functions/start-stop-vms/overview.md), which is now generally available. The new version offers all existing capabilities and provides new features, such as multi-subscription support from a single Start/Stop instance. If you have the version 1 solution already deployed, you can still use the feature, and we will provide support until 30 September 2023. The details of the announcement will be shared on March 31st 2023.

+> Start/Stop VM during off-hours version 1 is unavailable in the marketplace now as it will retire by 30 September 2023. We recommend you start using [version 2](../azure-functions/start-stop-vms/overview.md), which is now generally available. The new version offers all existing capabilities and provides new features, such as multi-subscription support from a single Start/Stop instance. If you have the version 1 solution already deployed, you can still use the feature, and we will provide support until 30 September 2023. The details of the announcement will be shared on March 31st 2023.

+To re-enable this feature, see [Enable Start/Stop during off-hours](automation-solution-vm-management-enable.md).

+> Start/Stop VM during off-hours version 1 is unavailable in the marketplace now as it will retire by 30 September 2023. We recommend you start using [version 2](../azure-functions/start-stop-vms/overview.md), which is now generally available. The new version offers all existing capabilities and provides new features, such as multi-subscription support from a single Start/Stop instance. If you have the version 1 solution already deployed, you can still use the feature, and we will provide support until 30 September 2023. The details of the announcement will be shared on March 31st 2023.

+To enable the feature on VMs in your environment, see [Enable Start/Stop VMs during off-hours](automation-solution-vm-management-enable.md).

+> Start/Stop VM during off-hours version 1 is unavailable in the marketplace now as it will retire by 30 September 2023. We recommend you start using [version 2](../../azure-functions/start-stop-vms/overview.md), which is now generally available. The new version offers all existing capabilities and provides new features, such as multi-subscription support from a single Start/Stop instance. If you have the version 1 solution already deployed, you can still use the feature, and we will provide support until 30 September 2023. The details of the announcement will be shared on March 31st 2023.

+* Learn about Start/Stop VMs during off-hours in [Start/Stop VMs during off-hours overview](../automation-solution-vm-management.md).

+> Start/Stop VM during off-hours version 1 is unavailable in the marketplace now as it will retire by 30 September 2023. We recommend you start using [version 2](../../azure-functions/start-stop-vms/overview.md), which is now generally available. The new version offers all existing capabilities and provides new features, such as multi-subscription support from a single Start/Stop instance. If you have the version 1 solution already deployed, you can still use the feature, and we will provide support until 30 September 2023. The details of the announcement will be shared on March 31st 2023.

+- Use the [Azure portal](../azure-functions/functions-how-to-use-azure-function-app-settings.md#get-started-in-the-azure-portal) to ensure that the Azure function app contains correct values for the application settings that the Azure function is trying to read.

+- An Azure Container Apps instance. If you don't have one, create an instance using the [Azure portal](../container-apps/quickstart-portal.md) or [the CLI](../container-apps/get-started.md).

+1. To create the container registry, follow the [Azure Container Registry quickstart](../container-registry/container-registry-get-started-portal.md).

+1. Create an ACR instance using the following command. It creates a basic tier registry named *myregistry* with admin user enabled that allows the container app to connect to the registry using admin user credentials. For more information, see [Azure Container Registry quickstart](../container-registry/container-registry-get-started-azure-cli.md).

+> [Enable dynamic configuration](./enable-dynamic-configuration-aspnet-core.md)

+> * There is a non-web Feature Management Library that doesn't have a dependency on spring-web. Refer to GitHub's [documentation](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/spring/spring-cloud-azure-feature-management) for differences.

+description: Create an Azure Arc data controller, on a typical multi-node Kubernetes cluster that you already have created, using the CLI.

+Before you begin, install the `arcdata` extension for Azure (az) CLI.

+Regardless of which target platform you choose, you need to set the following environment variables prior to the creation for the data controller. These environment variables become the credentials used for accessing the metrics and logs dashboards after data controller creation.

+Connect and authenticate to a Kubernetes cluster and have an existing Kubernetes context selected prior to beginning the creation of the Azure Arc data controller. How you connect to a Kubernetes cluster or service varies. See the documentation for the Kubernetes distribution or service that you are using on how to connect to the Kubernetes API server.

+By default, the AKS deployment profile uses the `managed-premium` storage class. The `managed-premium` storage class only works if you have VMs that were deployed using VM images that have premium disks.

+To determine which storage class to use, run the following command.

+> The `--path` parameter should point to the _directory_ containing the control.json file not to the control.json file itself.

+> When deploying to OpenShift Container Platform, specify the `--infrastructure` parameter value. Options are: `aws`, `azure`, `alibaba`, `gcp`, `onpremises`.

+If you want to customize your deployment profile to specify a specific storage class and/or service type, start by creating a new custom deployment profile file based on the kubeadm deployment profile by running the following command. This command creates a directory `custom` in your current working directory and a custom deployment profile file `control.json` in that directory.

+az arcdata dc config replace --path ./custom/control.json --json-values "$.spec.services[*].serviceType=LoadBalancer"

+> When deploying to OpenShift Container Platform, specify the `--infrastructure` parameter value. Options are: `aws`, `azure`, `alibaba`, `gcp`, `onpremises`.

+It takes a few minutes to create the controller completely. You can monitor the progress in another terminal window with the following commands:

+- [Add exporters and pipelines to your telemetry router](adding-exporters-and-pipelines.md)

+Kubernetes provides a way for storage infrastructure providers to plug in drivers (also called "Addons") that extend Kubernetes. Storage addons must comply with the **[Container Storage Interface standard](https://kubernetes.io/blog/2019/01/15/container-storage-interface-ga/)**. There are dozens of addons that can be found in this non-definitive **[list of CSI drivers](https://kubernetes-csi.github.io/docs/drivers.html)**. The specific CSI driver you use depends on factors such as whether you're running in a cloud-hosted, managed Kubernetes service or which OEM provider you use for your hardware.

+To view the storage classes configured in your Kubernetes cluster, run this command:

+The `supplementalGroups` property takes an array of values you can set at deployment. Azure Arc data controller applies these to any database instances it creates.

+At the time the data controller is provisioned, the storage class to be used for each of these persistent volumes is specified by either passing the --storage-class | -sc parameter to the `az arcdata dc create` command or by setting the storage classes in the control.json deployment template file that is used. If you're using the Azure portal to create the data controller in the directly connected mode, the deployment template that you choose either has the storage class predefined in the template or you can select a template that does not have a predefined storage class. If your template does not define a storage class, the portal prompts you for one. If you use a custom deployment template, then you can specify the storage class.

+If you set the storage class using the `--storage-class` or `-sc`parameter, that storage class is used for both log and data storage classes. If you set the storage classes in the deployment template file, you can specify different storage classes for logs and data.

+> If no storage class is specified, the default storage class is used. There can be only one default storage class per Kubernetes cluster. You can [change the default storage class](https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/).

+Each database instance has data, logs, and backup persistent volumes. The storage classes for these persistent volumes can be specified at deployment time. If no storage class is specified the default storage class is used.

+When you create an instance using either `az sql mi-arc create` or `az postgres server-arc create`, there are four parameters that you can use to set the storage classes:

+Each database instance has a separate persistent volume for data files, logs, and backups. This means that there is separation of the I/O for each of these types of files subject to how the volume provisioner provisions storage. Each database instance has its own persistent volume claims and persistent volumes.

+If there are multiple databases on a given database instance, all of the databases use the same persistent volume claim, persistent volume, and storage class. All backups - both differential log backups and full backups use the same persistent volume claim and persistent volume. The persistent volume claims for the database instance pods are shown below:

+- If you're using a local storage volume provisioner, ensure that the local volumes that are provisioned for data, logs, and backups are each landing on different underlying storage devices to avoid contention on disk I/O. The OS should also be on a volume that is mounted to a separate disk(s). This is essentially the same guidance as would be followed for a database instance on physical hardware.

+- Because all databases on a given instance share a persistent volume claim and persistent volume, be sure not to colocate busy database instances on the same database instance. If possible, separate busy databases on to their own database instances to avoid I/O contention. Further, use node label targeting to land database instances onto separate nodes so as to distribute overall I/O traffic across multiple nodes. If you're using virtualization, be sure to consider distributing I/O traffic not just at the node level but also the combined I/O activity happening by all the node VMs on a given physical host.

+The table below shows the total number of persistent volumes required for a sample deployment:

+Microsoft and its OEM, OS, and Kubernetes partners have a validation program for Azure Arc data services. This program provides comparable test results from a certification testing toolkit. The tests evaluate feature compatibility, stress testing results, and performance and scalability. The test results indicate the OS used, Kubernetes distribution used, HW used, the CSI add-on used, and the storage classes used. This helps customers choose the best storage class, OS, Kubernetes distribution, and hardware for their requirements. More information on this program and test results can be found [here](validation-program.md).

+|**Azure Kubernetes Service (AKS)**|Azure Kubernetes Service (AKS) has two types of storage - Azure Files and Azure Managed Disks. Each type of storage has two pricing/performance tiers - standard (HDD) and premium (SSD). Thus, the four storage classes provided in AKS are `azurefile` (Azure Files standard tier), `azurefile-premium` (Azure Files premium tier), `default` (Azure Disks standard tier), and `managed-premium` (Azure Disks premium tier). The default storage class is `default` (Azure Disks standard tier). There are substantial **[pricing differences](https://azure.microsoft.com/pricing/details/storage/)** between the types and tiers that you should consider. For production workloads with high-performance requirements, we recommend using `managed-premium` for all storage classes. For dev/test workloads, proofs of concept, etc. where cost is a consideration, then `azurefile` is the least expensive option. All four of the options can be used for situations requiring remote, shared storage as they are all network-attached storage devices in Azure. Read more about [AKS Storage](../../aks/concepts-storage.md).|

+|**Google Kubernetes Engine (GKE)**|Google Kubernetes Engine (GKE) has just one storage class called `standard`. This class is used for [GCE persistent disks](https://kubernetes.io/docs/concepts/storage/volumes/#gcepersistentdisk). Being the only one, it is also the default. Although there is a [local, static volume provisioner](https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/local-ssd#run-local-volume-static-provisioner) for GKE that you can use with direct-attached SSDs, we don't recommend using it as it is not maintained or supported by Google. Read more about [GKE storage](https://cloud.google.com/kubernetes-engine/docs/concepts/persistent-volumes).

+[Azure role-based access control (RBAC)](../../role-based-access-control/overview.md) is an authorization system built on Azure Resource Manager and Azure Active Directory (Azure AD) that provides fine-grained access management of Azure resources.

+- Learn about [access and identity options for Azure Kubernetes Service (AKS) clusters](../../aks/concepts-identity.md).

+* The Kubernetes command-line client, [kubectl](https://kubernetes.io/docs/reference/kubectl/). `kubectl` is already installed if you use Azure Cloud Shell.

+* [Use tags to organize your Azure resources and management hierarchy](../../azure-resource-manager/management/tag-resources.md?tabs=json)

+ :::image type="content" source="media/cache-event-grid-portal/deploy-to-azure.png" alt-text="Deploy to Azure button.":::

+ 1. For **Resource group**, select the resource group that you created when creating the cache instance. It will be easier for you to clean up after you're done with the tutorial by deleting the resource group.

+ | **Subscription** | Drop down and select your subscription. | The subscription in which you want to create this web app. |

+ | **Site Name** | Enter a name for your web app. | This value can't be empty. |

+ | **Hosting plan name** | Enter a name for the App Service plan to use for hosting the web app. | This value can't be empty. |

+1. Select **Web Hook**. You're sending events to your viewer app using a web hook for the endpoint.

+Binding attributes are defined directly in the *function_app.py* file. You use the `cosmos_db_output` decorator to add an [Azure Cosmos DB output binding](./functions-bindings-triggers-python.md#azure-cosmos-db-output-binding):

+[storage account overview]: ../storage/common/storage-account-overview.md

+[create storage account]: ../storage/common/storage-account-create.md?tabs=azure-portal

+[managed identity]: ../active-directory/managed-identities-azure-resources/overview.md

+[geographic scope]: geographic-scope.md

+### [3.0.0-preview.4] (March 10, 2023)

+#### Installation (3.0.0-preview.4)

+The preview is available on [npm][3.0.0-preview.4] and CDN.

+- **NPM:** Refer to the instructions at [azure-maps-control@3.0.0-preview.4][3.0.0-preview.4]

+- **CDN:** Reference the following CSS and JavaScript in the `<head>` element of an HTML file:

+ ```html

+ <link href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/3.0.0-preview.4/atlas.min.css" rel="stylesheet" />

+ <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/3.0.0-preview.4/atlas.min.js"></script>

+ ```

+#### New features (3.0.0-preview.4)

+- Extended map coverage in China, Japan, and Korea.

+- Preview of refreshed map styles (Road / Night / Hybrid / Gray Scale Dark / Gray Scale Light / Terra / High Contrast Dark / High Contrast Light).

+- More details on roads/building footprints/trails coverage.

+- Wider zoom level ranges (1~21) for the Terra style.

+- Greater details on public transit including ferries, metros, and bus stops.

+- Additional information about the altitude of mountains and the location of waterfalls.

+#### Changes (3.0.0-preview.4)

+- Traffic data now only support relative mode.

+- Deprecated `showBuildingModels` in [StyleOptions].

+- Changed the default `minZoom` from -2 to 1.

+#### Bug fixes (3.0.0-preview.4)

+- Cleaned up various memory leaks in [Map.dispose()].

+- Improved style picker's tab navigation for accessibility in list layout.

+- Optimized style switching by avoiding deep cloning objects.

+- Fixed an exception that occurred in [SourceManager] when style switching with sources that weren't vector or raster.

+- **\[BREAKING\]** Previously `sourceadded` events are only emitted if new sources are added to the style. Now `sourceremoved` / `sourceadded` events are emitted when the new source and the original source in the current style aren't equal, even if they have the same source ID.

+- Fixed issue in [language mapping], now `zh-Hant-TW` no longer reverts back to `en-US`.

+### [2.2.4]

+#### Bug fixes (2.2.4)

+- Cleaned up various memory leaks in [Map.dispose()].

+- Improved style picker's tab navigation for accessibility in list layout.

+- Fixed issue in [language mapping], now `zh-Hant-TW` no longer reverts back to `en-US`.

+[3.0.0-preview.4]: https://www.npmjs.com/package/azure-maps-control/v/3.0.0-preview.4

+[2.2.4]: https://www.npmjs.com/package/azure-maps-control/v/2.2.4

+[Map.dispose()]: /javascript/api/azure-maps-control/atlas.map?view=azure-maps-typescript-latest#azure-maps-control-atlas-map-dispose

+[SourceManager]: /javascript/api/azure-maps-control/atlas.sourcemanager

+ Text file requirements and best practices:

+ - Do store files on the local drive of the machine on which Azure Monitor Agent is running.

+ - Do delineate the end of a record with an end of line.

+ - Do use ASCII or UTF-8 encoding. Other formats such as UTF-16 aren't supported.

+ - Do create a new log file every day so that you can remove old files easily.

+ - Do Clean up all old log files in the monitored directory. Azure Monitor Agent does not delete old log files.

+ - Do Not overwrite an exitsing file with new data. You should only append new data to the file.

+ - Do Not rename a file and open a new file with the same name to log to.

+ - Do Not rename or copy large log files in to the monitored directory.

+ - Do Not rename files in the monitored directory to a new name that is also in the monitored directory. This can cause incorrect ingestion behavior.

+ Title: Microsoft Azure Monitor Application Insights JavaScript SDK advanced topics

+description: Microsoft Azure Monitor Application Insights JavaScript SDK advanced topics.

+ms.devlang: javascript

+# Microsoft Azure Monitor Application Insights JavaScript SDK advanced topics

+The Azure Application Insights JavaScript SDK provides advanced features for tracking, monitoring, and debugging your web applications.

+> [!div class="checklist"]

+> - [npm setup](#npm-setup)

+> - [Cookie configuration and management](#cookies)

+> - [Source map un-minify support](#source-map)

+> - [Tree shaking optimized code](#tree-shaking)

+## npm setup

+The npm setup installs the JavaScript SDK as a dependency to your project and enables IntelliSense.

+This option is only needed for developers who require more custom events and configuration.

+### Getting started with npm

+Install via npm.

+```sh

+npm i --save @microsoft/applicationinsights-web

+```

+> [!Note]

+> *Typings are included with this package*, so you do *not* need to install a separate typings package.

+

+```js

+import { ApplicationInsights } from '@microsoft/applicationinsights-web'

+const appInsights = new ApplicationInsights({ config: {

+ connectionString: 'YOUR_CONNECTION_STRING_GOES_HERE'

+ /* ...Other Configuration Options... */

+} });

+appInsights.loadAppInsights();

+appInsights.trackPageView();

+```

+Replace the placeholder 'YOUR_CONNECTION_STRING_GOES_HERE' with your actual connection string found in the Azure portal.

+1. Navigate to the **Overview** pane of your Application Insights resource.

+1. Locate the **Connection String**.

+1. Select the button to copy the connection string to the clipboard.

+### Configuration

+These configuration fields are optional and default to false unless otherwise stated.

+| Name | Type | Default | Description |

+||||-|

+| accountId | string | null | An optional account ID, if your app groups users into accounts. No spaces, commas, semicolons, equals, or vertical bars |

+| sessionRenewalMs | numeric | 1800000 | A session is logged if the user is inactive for this amount of time in milliseconds. Default is 30 minutes |

+| sessionExpirationMs | numeric | 86400000 | A session is logged if it has continued for this amount of time in milliseconds. Default is 24 hours |

+| maxBatchSizeInBytes | numeric | 10000 | Max size of telemetry batch. If a batch exceeds this limit, it's immediately sent and a new batch is started |

+| maxBatchInterval | numeric | 15000 | How long to batch telemetry for before sending (milliseconds) |

+| disableExceptionTracking | boolean | false | If true, exceptions aren't autocollected. Default is false. |

+| disableTelemetry | boolean | false | If true, telemetry isn't collected or sent. Default is false. |

+| enableDebug | boolean | false | If true, **internal** debugging data is thrown as an exception **instead** of being logged, regardless of SDK logging settings. Default is false. <br>***Note:*** Enabling this setting results in dropped telemetry whenever an internal error occurs. It can be useful for quickly identifying issues with your configuration or usage of the SDK. If you don't want to lose telemetry while debugging, consider using `loggingLevelConsole` or `loggingLevelTelemetry` instead of `enableDebug`. |

+| loggingLevelConsole | numeric | 0 | Logs **internal** Application Insights errors to console. <br>0: off, <br>1: Critical errors only, <br>2: Everything (errors & warnings) |

+| loggingLevelTelemetry | numeric | 1 | Sends **internal** Application Insights errors as telemetry. <br>0: off, <br>1: Critical errors only, <br>2: Everything (errors & warnings) |

+| diagnosticLogInterval | numeric | 10000 | (internal) Polling interval (in ms) for internal logging queue |

+| samplingPercentage | numeric | 100 | Percentage of events that is sent. Default is 100, meaning all events are sent. Set it if you wish to preserve your data cap for large-scale applications. |

+| autoTrackPageVisitTime | boolean | false | If true, on a pageview, the _previous_ instrumented page's view time is tracked and sent as telemetry and a new timer is started for the current pageview. It's sent as a custom metric named `PageVisitTime` in `milliseconds` and is calculated via the Date [now()](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Date/now) function (if available) and falls back to (new Date()).[getTime()](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Date/getTime) if now() is unavailable (IE8 or less). Default is false. |

+| disableAjaxTracking | boolean | false | If true, Ajax calls aren't autocollected. Default is false. |

+| disableFetchTracking | boolean | false | The default setting for `disableFetchTracking` is `false`, meaning it's enabled. However, in versions prior to 2.8.10, it was disabled by default. When set to `true`, Fetch requests aren't automatically collected. The default setting changed from `true` to `false` in version 2.8.0. |

+| excludeRequestFromAutoTrackingPatterns | string[] \| RegExp[] | undefined | Provide a way to exclude specific route from automatic tracking for XMLHttpRequest or Fetch request. If defined, for an Ajax / fetch request that the request url matches with the regex patterns, auto tracking is turned off. Default is undefined. |

+| addRequestContext | (requestContext: IRequestionContext) => {[key: string]: any} | undefined | Provide a way to enrich dependencies logs with context at the beginning of api call. Default is undefined. You need to check if `xhr` exists if you configure `xhr` related context. You need to check if `fetch request` and `fetch response` exist if you configure `fetch` related context. Otherwise you may not get the data you need. |

+| overridePageViewDuration | boolean | false | If true, default behavior of trackPageView is changed to record end of page view duration interval when trackPageView is called. If false and no custom duration is provided to trackPageView, the page view performance is calculated using the navigation timing API. Default is false. |

+| maxAjaxCallsPerView | numeric | 500 | Default 500 - controls how many Ajax calls are monitored per page view. Set to -1 to monitor all (unlimited) Ajax calls on the page. |

+| disableDataLossAnalysis | boolean | true | If false, internal telemetry sender buffers are checked at startup for items not yet sent. |

+| disableCorrelationHeaders | boolean | false | If false, the SDK adds two headers ('Request-Id' and 'Request-Context') to all dependency requests to correlate them with corresponding requests on the server side. Default is false. |

+| correlationHeaderExcludedDomains | string[] | undefined | Disable correlation headers for specific domains |

+| correlationHeaderExcludePatterns | regex[] | undefined | Disable correlation headers using regular expressions |

+| correlationHeaderDomains | string[] | undefined | Enable correlation headers for specific domains |

+| disableFlushOnBeforeUnload | boolean | false | Default false. If true, flush method isn't called when onBeforeUnload event triggers |

+| enableSessionStorageBuffer | boolean | true | Default true. If true, the buffer with all unsent telemetry is stored in session storage. The buffer is restored on page load |

+| cookieCfg | [ICookieCfgConfig](javascript-sdk-advanced.md#cookies)<br>[Optional]<br>(Since 2.6.0) | undefined | Defaults to cookie usage enabled see [ICookieCfgConfig](javascript-sdk-advanced.md#cookies) settings for full defaults. |

+| disableCookiesUsage | alias for [`cookieCfg.enabled`](javascript-sdk-advanced.md#cookies)<br>[Optional] | false | Default false. A boolean that indicates whether to disable the use of cookies by the SDK. If true, the SDK doesn't store or read any data from cookies.<br>(Since v2.6.0) If `cookieCfg.enabled` is defined it takes precedence. Cookie usage can be re-enabled after initialization via the core.getCookieMgr().setEnabled(true). |

+| cookieDomain | alias for [`cookieCfg.domain`](javascript-sdk-advanced.md#cookies)<br>[Optional] | null | Custom cookie domain. It's helpful if you want to share Application Insights cookies across subdomains.<br>(Since v2.6.0) If `cookieCfg.domain` is defined it takes precedence over this value. |

+| cookiePath | alias for [`cookieCfg.path`](javascript-sdk-advanced.md#cookies)<br>[Optional]<br>(Since 2.6.0) | null | Custom cookie path. It's helpful if you want to share Application Insights cookies behind an application gateway.<br>If `cookieCfg.path` is defined, it takes precedence. |

+| isRetryDisabled | boolean | false | Default false. If false, retry on 206 (partial success), 408 (timeout), 429 (too many requests), 500 (internal server error), 503 (service unavailable), and 0 (offline, only if detected) |

+| isStorageUseDisabled | boolean | false | If true, the SDK doesn't store or read any data from local and session storage. Default is false. |

+| isBeaconApiDisabled | boolean | true | If false, the SDK sends all telemetry using the [Beacon API](https://www.w3.org/TR/beacon) |

+| disableXhr | boolean | false | Don't use XMLHttpRequest or XDomainRequest (for IE < 9) by default instead attempt to use fetch() or sendBeacon. If no other transport is available, it uses XMLHttpRequest |

+| onunloadDisableBeacon | boolean | false | Default false. when tab is closed, the SDK sends all remaining telemetry using the [Beacon API](https://www.w3.org/TR/beacon) |

+| onunloadDisableFetch | boolean | false | If fetch keepalive is supported don't use it for sending events during unload, it may still fall back to fetch() without keepalive |

+| sdkExtension | string | null | Sets the sdk extension name. Only alphabetic characters are allowed. The extension name is added as a prefix to the 'ai.internal.sdkVersion' tag (for example, 'ext_javascript:2.0.0'). Default is null. |

+| isBrowserLinkTrackingEnabled | boolean | false | Default is false. If true, the SDK tracks all [Browser Link](/aspnet/core/client-side/using-browserlink) requests. |

+| appId | string | null | AppId is used for the correlation between AJAX dependencies happening on the client-side with the server-side requests. When Beacon API is enabled, it can't be used automatically, but can be set manually in the configuration. Default is null |

+| enableCorsCorrelation | boolean | false | If true, the SDK adds two headers ('Request-Id' and 'Request-Context') to all CORS requests to correlate outgoing AJAX dependencies with corresponding requests on the server side. Default is false |

+| namePrefix | string | undefined | An optional value that is used as name postfix for localStorage and session cookie name.

+| sessionCookiePostfix | string | undefined | An optional value that is used as name postfix for session cookie name. If undefined, namePrefix is used as name postfix for session cookie name.

+| userCookiePostfix | string | undefined | An optional value that is used as name postfix for user cookie name. If undefined, no postfix is added on user cookie name.

+| enableAutoRouteTracking | boolean | false | Automatically track route changes in Single Page Applications (SPA). If true, each route change sends a new Pageview to Application Insights. Hash route changes (`example.com/foo#bar`) are also recorded as new page views.

+| enableRequestHeaderTracking | boolean | false | If true, AJAX & Fetch request headers is tracked, default is false. If ignoreHeaders isn't configured, Authorization and X-API-Key headers aren't logged.

+| enableResponseHeaderTracking | boolean | false | If true, AJAX & Fetch request's response headers is tracked, default is false. If ignoreHeaders isn't configured, WWW-Authenticate header isn't logged.

+| ignoreHeaders | string[] | ["Authorization", "X-API-Key", "WWW-Authenticate"] | AJAX & Fetch request and response headers to be ignored in log data. To override or discard the default, add an array with all headers to be excluded or an empty array to the configuration.

+| enableAjaxErrorStatusText | boolean | false | Default false. If true, include response error data text boolean in dependency event on failed AJAX requests. |

+| enableAjaxPerfTracking | boolean | false | Default false. Flag to enable looking up and including extra browser window.performance timings in the reported Ajax (XHR and fetch) reported metrics.

+| maxAjaxPerfLookupAttempts | numeric | 3 | Defaults to 3. The maximum number of times to look for the window.performance timings (if available) is required. Not all browsers populate the window.performance before reporting the end of the XHR request. For fetch requests, it's added after it's complete.

+| ajaxPerfLookupDelay | numeric | 25 | Defaults to 25 ms. The amount of time to wait before reattempting to find the windows.performance timings for an Ajax request, time is in milliseconds and is passed directly to setTimeout().

+| distributedTracingMode | numeric or `DistributedTracingModes` | `DistributedTracingModes.AI_AND_W3C` | Sets the distributed tracing mode. If AI_AND_W3C mode or W3C mode is set, W3C trace context headers (traceparent/tracestate) are generated and included in all outgoing requests. AI_AND_W3C is provided for back-compatibility with any legacy Application Insights instrumented services.

+| enableUnhandledPromiseRejectionTracking | boolean | false | If true, unhandled promise rejections are autocollected as a JavaScript error. When disableExceptionTracking is true (don't track exceptions), the config value is ignored and unhandled promise rejections aren't reported.

+| disableInstrumentationKeyValidation | boolean | false | If true, instrumentation key validation check is bypassed. Default value is false.

+| enablePerfMgr | boolean | false | [Optional] When enabled (true) it creates local perfEvents for code that has been instrumented to emit perfEvents (via the doPerf() helper). It can be used to identify performance issues within the SDK based on your usage or optionally within your own instrumented code.

+| perfEvtsSendAll | boolean | false | [Optional] When _enablePerfMgr_ is enabled and the [IPerfManager](https://github.com/microsoft/ApplicationInsights-JS/blob/master/shared/AppInsightsCore/src/JavaScriptSDK.Interfaces/IPerfManager.ts) fires a [INotificationManager](https://github.com/microsoft/ApplicationInsights-JS/blob/master/shared/AppInsightsCore/src/JavaScriptSDK.Interfaces/INotificationManager.ts).perfEvent() this flag determines whether an event is fired (and sent to all listeners) for all events (true) or only for 'parent' events (false &lt;default&gt;).<br />A parent [IPerfEvent](https://github.com/microsoft/ApplicationInsights-JS/blob/master/shared/AppInsightsCore/src/JavaScriptSDK.Interfaces/IPerfEvent.ts) is an event where no other IPerfEvent is still running at the point of the event being created and its _parent_ property isn't null or undefined. Since v2.5.7

+| createPerfMgr | (core: IAppInsightsCore, notification

+| idLength | numeric | 22 | [Optional] Identifies the default length used to generate new random session and user IDs. Defaults to 22, previous default value was 5 (v2.5.8 or less), if you need to keep the previous maximum length you should set the value to 5.

+| customHeaders | `[{header: string, value: string}]` | undefined | [Optional] The ability for the user to provide extra headers when using a custom endpoint. customHeaders aren't added on browser shutdown moment when beacon sender is used. And adding custom headers isn't supported on IE9 or earlier.

+| convertUndefined | `any` | undefined | [Optional] Provide user an option to convert undefined field to user defined value.

+| eventsLimitInMem | number | 10000 | [Optional] The number of events that can be kept in memory before the SDK starts to drop events when not using Session Storage (the default).

+| disableIkeyDeprecationMessage | boolean | true | [Optional] Disable instrumentation Key deprecation error message. If true, error messages are NOT sent.

+## Cookies

+The Azure Application Insights JavaScript SDK provides instance-based cookie management that allows you to control the use of cookies.

+You can control cookies by enabling or disabling them, setting custom domains and paths, and customizing the functions for managing cookies.

+### Cookie configuration

+ICookieMgrConfig is a cookie configuration for instance-based cookie management added in 2.6.0. The options provided allow you to enable or disable the use of cookies by the SDK. You can also set custom cookie domains and paths and customize the functions for fetching, setting, and deleting cookies.

+The ICookieMgrConfig options are defined in the following table.

+| Name | Type | Default | Description |

+||||-|

+| enabled | boolean | true | The current instance of the SDK uses this boolean to indicate whether the use of cookies is enabled. If false, the instance of the SDK initialized by this configuration doesn't store or read any data from cookies. |

+| domain | string | null | Custom cookie domain. It's helpful if you want to share Application Insights cookies across subdomains. If not provided uses the value from root `cookieDomain` value. |

+| path | string | / | Specifies the path to use for the cookie, if not provided it uses any value from the root `cookiePath` value. |

+| ignoreCookies | string[] | undefined | Specify the cookie name(s) to be ignored, it causes any matching cookie name to never be read or written. They may still be explicitly purged or deleted. You don't need to repeat the name in the `blockedCookies` configuration. (since v2.8.8)

+| blockedCookies | string[] | undefined | Specify the cookie name(s) to never write. It prevents creating or updating any cookie name, but they can still be read unless also included in the ignoreCookies. They may still be purged or deleted explicitly. If not provided, it defaults to the same list in ignoreCookies. (Since v2.8.8)

+| getCookie | `(name: string) => string` | null | Function to fetch the named cookie value, if not provided it uses the internal cookie parsing / caching. |

+| setCookie | `(name: string, value: string) => void` | null | Function to set the named cookie with the specified value, only called when adding or updating a cookie. |

+| delCookie | `(name: string, value: string) => void` | null | Function to delete the named cookie with the specified value, separated from setCookie to avoid the need to parse the value to determine whether the cookie is being added or removed. If not provided it uses the internal cookie parsing / caching. |

+### Cookie management

+Starting from version 2.6.0, the Azure Application Insights JavaScript SDK provides instance-based cookie management that can be disabled and re-enabled after initialization.

+If you disabled cookies during initialization using the `disableCookiesUsage` or `cookieCfg.enabled` configurations, you can re-enable them using the `setEnabled` function of the ICookieMgr object.

+The instance-based cookie management replaces the previous CoreUtils global functions of `disableCookies()`, `setCookie()`, `getCookie()`, and `deleteCookie()`.

+To take advantage of the tree-shaking enhancements introduced in version 2.6.0, it's recommended to no longer use the global functions

+## Source map

+Source map support helps you debug minified JavaScript code with the ability to unminify the minified callstack of your exception telemetry.

+> [!div class="checklist"]

+> - Compatible with all current integrations on the **Exception Details** panel

+> - Supports all current and future JavaScript SDKs, including Node.JS, without the need for an SDK upgrade

+

+To view the unminified callstack, select an Exception Telemetry item in the Azure portal, find the source maps that match the call stack, and drag and drop the source maps onto the call stack in the Azure portal. The source map must have the same name as the source file of a stack frame, but with a `map` extension.

+## Tree shaking

+Tree shaking eliminates unused code from the final JavaScript bundle.

+To take advantage of tree shaking, import only the necessary components of the SDK into your code. By doing so, unused code isn't included in the final bundle, reducing its size and improving performance.

+### Tree shaking enhancements and recommendations

+In version 2.6.0, we deprecated and removed the internal usage of these static helper classes to improve support for tree-shaking algorithms. It lets npm packages safely drop unused code.

+- `CoreUtils`

+- `EventHelper`

+- `Util`

+- `UrlHelper`

+- `DateTimeUtils`

+- `ConnectionStringParser`

+ The functions are now exported as top-level roots from the modules, making it easier to refactor your code for better tree-shaking.

+The static classes were changed to const objects that reference the new exported functions, and future changes are planned to further refactor the references.

+### Tree shaking deprecated functions and replacements

+| Existing | Replacement |

+|-|-|

+| **CoreUtils** | **@microsoft/applicationinsights-core-js** |

+| CoreUtils._canUseCookies | None. Don't use as it causes all of CoreUtils reference to be included in your final code.<br> Refactor your cookie handling to use the `appInsights.getCookieMgr().setEnabled(true/false)` to set the value and `appInsights.getCookieMgr().isEnabled()` to check the value. |

+| CoreUtils.isTypeof | isTypeof |

+| CoreUtils.isUndefined | isUndefined |

+| CoreUtils.isNullOrUndefined | isNullOrUndefined |

+| CoreUtils.hasOwnProperty | hasOwnProperty |

+| CoreUtils.isFunction | isFunction |

+| CoreUtils.isObject | isObject |

+| CoreUtils.isDate | isDate |

+| CoreUtils.isArray | isArray |

+| CoreUtils.isError | isError |

+| CoreUtils.isString | isString |

+| CoreUtils.isNumber | isNumber |

+| CoreUtils.isBoolean | isBoolean |

+| CoreUtils.toISOString | toISOString or getISOString |

+| CoreUtils.arrForEach | arrForEach |

+| CoreUtils.arrIndexOf | arrIndexOf |

+| CoreUtils.arrMap | arrMap |

+| CoreUtils.arrReduce | arrReduce |

+| CoreUtils.strTrim | strTrim |

+| CoreUtils.objCreate | objCreateFn |

+| CoreUtils.objKeys | objKeys |

+| CoreUtils.objDefineAccessors | objDefineAccessors |

+| CoreUtils.addEventHandler | addEventHandler |

+| CoreUtils.dateNow | dateNow |

+| CoreUtils.isIE | isIE |

+| CoreUtils.disableCookies | disableCookies<br>Referencing either causes CoreUtils to be referenced for backward compatibility.<br> Refactor your cookie handling to use the `appInsights.getCookieMgr().setEnabled(false)` |

+| CoreUtils.newGuid | newGuid |

+| CoreUtils.perfNow | perfNow |

+| CoreUtils.newId | newId |

+| CoreUtils.randomValue | randomValue |

+| CoreUtils.random32 | random32 |

+| CoreUtils.mwcRandomSeed | mwcRandomSeed |

+| CoreUtils.mwcRandom32 | mwcRandom32 |

+| CoreUtils.generateW3CId | generateW3CId |

+| **EventHelper** | **@microsoft/applicationinsights-core-js** |

+| EventHelper.Attach | attachEvent |

+| EventHelper.AttachEvent | attachEvent |

+| EventHelper.Detach | detachEvent |

+| EventHelper.DetachEvent | detachEvent |

+| **Util** | **@microsoft/applicationinsights-common-js** |

+| Util.NotSpecified | strNotSpecified |

+| Util.createDomEvent | createDomEvent |

+| Util.disableStorage | utlDisableStorage |

+| Util.isInternalApplicationInsightsEndpoint | isInternalApplicationInsightsEndpoint |

+| Util.canUseLocalStorage | utlCanUseLocalStorage |

+| Util.getStorage | utlGetLocalStorage |

+| Util.setStorage | utlSetLocalStorage |

+| Util.removeStorage | utlRemoveStorage |

+| Util.canUseSessionStorage | utlCanUseSessionStorage |

+| Util.getSessionStorageKeys | utlGetSessionStorageKeys |

+| Util.getSessionStorage | utlGetSessionStorage |

+| Util.setSessionStorage | utlSetSessionStorage |

+| Util.removeSessionStorage | utlRemoveSessionStorage |

+| Util.disableCookies | disableCookies<br>Referencing either causes CoreUtils to be referenced for backward compatibility.<br> Refactor your cookie handling to use the `appInsights.getCookieMgr().setEnabled(false)` |

+| Util.canUseCookies | canUseCookies<br>Referencing either causes CoreUtils to be referenced for backward compatibility.<br>Refactor your cookie handling to use the `appInsights.getCookieMgr().isEnabled()` |

+| Util.disallowsSameSiteNone | uaDisallowsSameSiteNone |

+| Util.setCookie | coreSetCookie<br>Referencing causes CoreUtils to be referenced for backward compatibility.<br>Refactor your cookie handling to use the `appInsights.getCookieMgr().set(name: string, value: string)` |

+| Util.stringToBoolOrDefault | stringToBoolOrDefault |

+| Util.getCookie | coreGetCookie<br>Referencing causes CoreUtils to be referenced for backward compatibility.<br>Refactor your cookie handling to use the `appInsights.getCookieMgr().get(name: string)` |

+| Util.deleteCookie | coreDeleteCookie<br>Referencing causes CoreUtils to be referenced for backward compatibility.<br>Refactor your cookie handling to use the `appInsights.getCookieMgr().del(name: string, path?: string)` |

+| Util.trim | strTrim |

+| Util.newId | newId |

+| Util.random32 | <br>No replacement, refactor your code to use the core random32(true) |

+| Util.generateW3CId | generateW3CId |

+| Util.isArray | isArray |

+| Util.isError | isError |

+| Util.isDate | isDate |

+| Util.toISOStringForIE8 | toISOString |

+| Util.getIEVersion | getIEVersion |

+| Util.msToTimeSpan | msToTimeSpan |

+| Util.isCrossOriginError | isCrossOriginError |

+| Util.dump | dumpObj |

+| Util.getExceptionName | getExceptionName |

+| Util.addEventHandler | attachEvent |

+| Util.IsBeaconApiSupported | isBeaconApiSupported |

+| Util.getExtension | getExtensionByName

+| **UrlHelper** | **@microsoft/applicationinsights-common-js** |

+| UrlHelper.parseUrl | urlParseUrl |

+| UrlHelper.getAbsoluteUrl | urlGetAbsoluteUrl |

+| UrlHelper.getPathName | urlGetPathName |

+| UrlHelper.getCompeteUrl | urlGetCompleteUrl |

+| UrlHelper.parseHost | urlParseHost |

+| UrlHelper.parseFullHost | urlParseFullHost

+| **DateTimeUtils** | **@microsoft/applicationinsights-common-js** |

+| DateTimeUtils.Now | dateTimeUtilsNow |

+| DateTimeUtils.GetDuration | dateTimeUtilsDuration |

+| **ConnectionStringParser** | **@microsoft/applicationinsights-common-js** |

+| ConnectionStringParser.parse | parseConnectionString |

+## Troubleshooting

+See the dedicated [troubleshooting article](/troubleshoot/azure/azure-monitor/app-insights/javascript-sdk-troubleshooting).

+## Next steps

+* [Track usage](usage-overview.md)

+* [Custom events and metrics](api-custom-events-metrics.md)

+* [Build-measure-learn](usage-overview.md)

+* [JavaScript SDK advanced topics](javascript-sdk-advanced.md)

+ Title: Microsoft Azure Monitor Application Insights JavaScript SDK

+description: Microsoft Azure Monitor Application Insights JavaScript SDK is a powerful tool for monitoring and analyzing web application performance.

+ms.devlang: javascript

+# Microsoft Azure Monitor Application Insights JavaScript SDK

+[Microsoft Azure Monitor Application Insights](app-insights-overview.md) JavaScript SDK allows you to monitor and analyze the performance of JavaScript web applications.

+## Prerequisites

+- Azure subscription: [Create an Azure subscription for free](https://azure.microsoft.com/free/)

+- Application Insights resource: [Create an Application Insights resource](create-workspace-resource.md#create-a-workspace-based-resource)

+- An application that uses [JavaScript](/visualstudio/javascript)

+## Get started

+The Application Insights JavaScript SDK is implemented with a runtime snippet for out-of-the-box web analytics.

+### Enable Application Insights SDK for JavaScript

+Only two steps are required to enable the Application Insights SDK for JavaScript.

+#### Add the code snippet

+Add the following code snippet to beginning of every <head> tag for each HTML page you want to monitor.

+```html

+<script type="text/javascript">

+!function(T,l,y){var S=T.location,k="script",D="instrumentationKey",C="ingestionendpoint",I="disableExceptionTracking",E="ai.device.",b="toLowerCase",w="crossOrigin",N="POST",e="appInsightsSDK",t=y.name||"appInsights";(y.name||T[e])&&(T[e]=t);var n=T[t]||function(d){var g=!1,f=!1,m={initialize:!0,queue:[],sv:"5",version:2,config:d};function v(e,t){var n={},a="Browser";return n[E+"id"]=a[b](),n[E+"type"]=a,n["ai.operation.name"]=S&&S.pathname||"_unknown_",n["ai.internal.sdkVersion"]="javascript:snippet_"+(m.sv||m.version),{time:function(){var e=new Date;function t(e){var t=""+e;return 1===t.length&&(t="0"+t),t}return e.getUTCFullYear()+"-"+t(1+e.getUTCMonth())+"-"+t(e.getUTCDate())+"T"+t(e.getUTCHours())+":"+t(e.getUTCMinutes())+":"+t(e.getUTCSeconds())+"."+((e.getUTCMilliseconds()/1e3).toFixed(3)+"").slice(2,5)+"Z"}(),iKey:e,name:"Microsoft.ApplicationInsights."+e.replace(/-/g,"")+"."+t,sampleRate:100,tags:n,data:{baseData:{ver:2}}}}var h=d.url||y.src;if(h){function a(e){var t,n,a,i,r,o,s,c,u,p,l;g=!0,m.queue=[],f||(f=!0,t=h,s=function(){var e={},t=d.connectionString;if(t)for(var n=t.split(";"),a=0;a<n.length;a++){var i=n[a].split("=");2===i.length&&(e[i[0][b]()]=i[1])}if(!e[C]){var r=e.endpointsuffix,o=r?e.location:null;e[C]="https://"+(o?o+".":"")+"dc."+(r||"services.visualstudio.com")}return e}(),c=s[D]||d[D]||"",u=s[C],p=u?u+"/v2/track":d.endpointUrl,(l=[]).push((n="SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details)",a=t,i=p,(o=(r=v(c,"Exception")).data).baseType="ExceptionData",o.baseData.exceptions=[{typeName:"SDKLoadFailed",message:n.replace(/\./g,"-"),hasFullStack:!1,stack:n+"\nSnippet failed to load ["+a+"] -- Telemetry is disabled\nHelp Link: https://go.microsoft.com/fwlink/?linkid=2128109\nHost: "+(S&&S.pathname||"_unknown_")+"\nEndpoint: "+i,parsedStack:[]}],r)),l.push(function(e,t,n,a){var i=v(c,"Message"),r=i.data;r.baseType="MessageData";var o=r.baseData;return o.message='AI (Internal): 99 message:"'+("SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details) ("+n+")").replace(/\"/g,"")+'"',o.properties={endpoint:a},i}(0,0,t,p)),function(e,t){if(JSON){var n=T.fetch;if(n&&!y.useXhr)n(t,{method:N,body:JSON.stringify(e),mode:"cors"});else if(XMLHttpRequest){var a=new XMLHttpRequest;a.open(N,t),a.setRequestHeader("Content-type","application/json"),a.send(JSON.stringify(e))}}}(l,p))}function i(e,t){f||setTimeout(function(){!t&&m.core||a()},500)}var e=function(){var n=l.createElement(k);n.src=h;var e=y[w];return!e&&""!==e||"undefined"==n[w]||(n[w]=e),n.onload=i,n.onerror=a,n.onreadystatechange=function(e,t){"loaded"!==n.readyState&&"complete"!==n.readyState||i(0,t)},n}();y.ld<0?l.getElementsByTagName("head")[0].appendChild(e):setTimeout(function(){l.getElementsByTagName(k)[0].parentNode.appendChild(e)},y.ld||0)}try{m.cookie=l.cookie}catch(p){}function t(e){for(;e.length;)!function(t){m[t]=function(){var e=arguments;g||m.queue.push(function(){m[t].apply(m,e)})}}(e.pop())}var n="track",r="TrackPage",o="TrackEvent";t([n+"Event",n+"PageView",n+"Exception",n+"Trace",n+"DependencyData",n+"Metric",n+"PageViewPerformance","start"+r,"stop"+r,"start"+o,"stop"+o,"addTelemetryInitializer","setAuthenticatedUserContext","clearAuthenticatedUserContext","flush"]),m.SeverityLevel={Verbose:0,Information:1,Warning:2,Error:3,Critical:4};var s=(d.extensionConfig||{}).ApplicationInsightsAnalytics||{};if(!0!==d[I]&&!0!==s[I]){var c="onerror";t(["_"+c]);var u=T[c];T[c]=function(e,t,n,a,i){var r=u&&u(e,t,n,a,i);return!0!==r&&m["_"+c]({message:e,url:t,lineNumber:n,columnNumber:a,error:i}),r},d.autoExceptionInstrumented=!0}return m}(y.cfg);function a(){y.onInit&&y.onInit(n)}(T[t]=n).queue&&0===n.queue.length?(n.queue.push(a),n.trackPageView({})):a()}(window,document,{

+src: "https://js.monitor.azure.com/scripts/b/ai.2.min.js", // The SDK URL Source

+// name: "appInsights", // Global SDK Instance name defaults to "appInsights" when not supplied

+// ld: 0, // Defines the load delay (in ms) before attempting to load the sdk. -1 = block page load and add to head. (default) = 0ms load after timeout,

+// useXhr: 1, // Use XHR instead of fetch to report failures (if available),

+crossOrigin: "anonymous", // When supplied this will add the provided value as the cross origin attribute on the script tag

+// onInit: null, // Once the application insights instance has loaded and initialized this callback function will be called with 1 argument -- the sdk instance (DO NOT ADD anything to the sdk.queue -- As they won't get called)

+cfg: { // Application Insights Configuration

+ connectionString: "CONNECTION_STRING"

+}});

+</script>

+```

+#### Define the connection string

+An Application Insights [connection string](sdk-connection-string.md) contains information to connect to the Azure cloud and associate telemetry data with a specific Application Insights resource. The connection string includes the Instrumentation Key (a unique identifier), the endpoint suffix (to specify the Azure cloud), and optional explicit endpoints for individual services. The connection string isn't considered a security token or key.

+In the code snippet, replace the placeholder `"CONNECTION_STRING"` with your actual connection string found in the Azure portal.

+1. Navigate to the **Overview** pane of your Application Insights resource.

+1. Locate the **Connection String**.

+1. Select the button to copy the connection string to the clipboard.

+## Snippet configuration

+Other snippet configuration is optional.

+| Name | Type | Description

+|||-

+| src | string **[required]** | The full URL for where to load the SDK from. This value is used for the "src" attribute of a dynamically added &lt;script /&gt; tag. You can use the public CDN location or your own privately hosted one.

+| name | string *[optional]* | The global name for the initialized SDK, defaults to appInsights. So ```window.appInsights``` is a reference to the initialized instance. Note: If you assign a name value or if a previous instance has been assigned to the global name appInsightsSDK, the SDK initialization code requires it to be in the global namespace as `window.appInsightsSDK=<name value>` to ensure the correct snippet skeleton, and proxy methods are initialized and updated.

+| ld | number in ms *[optional]* | Defines the load delay to wait before attempting to load the SDK. The default value is 0ms. If you use a negative value, the script tag is immediately added to the <head> region of the page and blocks the page load event until the script is loaded or fails.

+| useXhr | boolean *[optional]* | This setting is used only for reporting SDK load failures. Reporting first attempts to use fetch() if available and then fallback to XHR, setting this value to true just bypasses the fetch check. Use of this value is only be required if your application is being used in an environment where fetch would fail to send the failure events.

+| crossOrigin | string *[optional]* | By including this setting, the script tag added to download the SDK includes the crossOrigin attribute with this string value. When not defined (the default) no crossOrigin attribute is added. Recommended values aren't defined (the default); ""; or "anonymous" (For all valid values see the [cross origin HTML attribute](https://developer.mozilla.org/docs/Web/HTML/Attributes/crossorigin) documentation)

+| onInit | function(aiSdk) { ... } *[optional]* | This callback function is called after the main SDK script has been successfully loaded and initialized from the CDN (based on the src value). It's passed a reference to the sdk instance that it's being called for and is also called before the first initial page view. If the SDK has already been loaded and initialized, this callback is still called. NOTE: During the processing of the sdk.queue array, this callback is called. You CANNOT add any more items to the queue because they're ignored and dropped. (Added as part of snippet version 5--the sv:"5" value within the snippet script)

+| cfg | object **[required]** | The configuration passed to the Application Insights SDK during initialization.

+### Example using the snippet onInit callback

+```html

+<script type="text/javascript">

+!function(T,l,y){<!-- Removed the Snippet code for brevity -->}(window,document,{

+src: "https://js.monitor.azure.com/scripts/b/ai.2.min.js",

+crossOrigin: "anonymous",

+onInit: function (sdk) {

+ sdk.addTelemetryInitializer(function (envelope) {

+ envelope.data = envelope.data || {};

+ envelope.data.someField = 'This item passed through my telemetry initializer';

+ });

+}, // Once the application insights instance has loaded and initialized this method will be called

+cfg: { // Application Insights Configuration

+ connectionString: "YOUR_CONNECTION_STRING"

+}});

+</script>

+```

+## What is collected automatically?

+When you enable the App Insights JavaScript SDK, the following data classes are collected automatically:

+- Uncaught exceptions in your app, including information on

+ - Stack trace

+ - Exception details and message accompanying the error

+ - Line & column number of error

+ - URL where error was raised

+- Network Dependency Requests made by your app XHR and Fetch (fetch collection is disabled by default) requests, include information on

+ - Url of dependency source

+ - Command & Method used to request the dependency

+ - Duration of the request

+ - Result code and success status of the request

+ - ID (if any) of user making the request

+ - Correlation context (if any) where request is made

+- User information (for example, Location, network, IP)

+- Device information (for example, Browser, OS, version, language, model)

+- Session information

+> [!Note]

+> For some applications, such as single-page applications (SPAs), the duration may not be recorded and will default to 0.

+For more information, see the following link: https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/azure-monitor/app/data-retention-privacy.md

+## Confirm data is flowing

+Check the data flow by going to the Azure portal and navigating to the Application Insights resource that you've enabled the SDK for. From there, you can view the data in the "Live Metrics Stream" or "Metrics" sections.

+Additionally, you can use the SDK's trackPageView() method to manually send a page view event and verify that it appears in the portal.

+If you can't run the application or you aren't getting data as expected, wee the dedicated [troubleshooting article](/troubleshoot/azure/azure-monitor/app-insights/javascript-sdk-troubleshooting).

+### Analytics

+To query your telemetry collected by the JavaScript SDK, select the **View in Logs (Analytics)** button. By adding a `where` statement of `client_Type == "Browser"`, you only see data from the JavaScript SDK. Any server-side telemetry collected by other SDKs is excluded.

+```kusto

+// average pageView duration by name

+let timeGrain=5m;

+let dataset=pageViews

+// additional filters can be applied here

+| where timestamp > ago(1d)

+| where client_Type == "Browser" ;

+// calculate average pageView duration for all pageViews

+dataset

+| summarize avg(duration) by bin(timestamp, timeGrain)

+| extend pageView='Overall'

+// render result in a chart

+| render timechart

+```

+## Advanced SDK configuration

+Additional information is available for the following advanced scenarios:

+- [JavaScript SDK npm setup](javascript-sdk-advanced.md#npm-setup)

+- [React plugin](javascript-framework-extensions.md?tabs=react)

+- [React native plugin](javascript-framework-extensions.md?tabs=reactnative)

+- [Angular plugin](javascript-framework-extensions.md?tabs=reactnative)

+- [Click Analytics plugin](javascript-feature-extensions.md)

+## Frequently asked questions

+#### What is the SDK performance/overhead?

+The Application Insights JavaScript SDK has a minimal overhead on your website. At just 36 KB gzipped, and taking only ~15 ms to initialize, the SDK adds a negligible amount of load time to your website. The minimal components of the library are quickly loaded when you use the SDK, and the full script is downloaded in the background.

+Additionally, while the script is downloading from the CDN, all tracking of your page is queued, so you don't lose any telemetry during the entire life cycle of your page. This setup process provides your page with a seamless analytics system that's invisible to your users.

+#### What browsers are supported?

+ |  |  |  | 

+ | | | | |

+Chrome Latest Γ£ö | Firefox Latest Γ£ö | IE 9+ & Microsoft Edge Γ£ö<br>IE 8- Compatible | Opera Latest Γ£ö | Safari Latest Γ£ö |

+#### Where can I find code examples?

+For runnable examples, see [Application Insights JavaScript SDK samples](https://github.com/microsoft/ApplicationInsights-JS/tree/master/examples).

+#### How can I upgrade from the old version of Application Insights?

+For more information, see [Upgrade from old versions of the Application Insights JavaScript SDK](javascript-sdk-upgrade.md).

+#### What is the ES3/Internet Explorer 8 compatibility?

+We need to take necessary measures to ensure that this SDK continues to "work" and doesn't break the JavaScript execution when loaded by an older browser. It would be ideal to not support older browsers, but numerous large customers can't control which browser their users choose to use.

+This statement doesn't mean that we only support the lowest common set of features. We need to maintain ES3 code compatibility. New features need to be added in a manner that wouldn't break ES3 JavaScript parsing and added as an optional feature.

+See GitHub for full details on [Internet Explorer 8 support](https://github.com/Microsoft/ApplicationInsights-JS#es3ie8-compatibility).

+#### Is the Application Insights SDK open-source?

+Yes, the Application Insights JavaScript SDK is open source. To view the source code or to contribute to the project, see the [official GitHub repository](https://github.com/Microsoft/ApplicationInsights-JS).

+#### How can I update my third-party server configuration?

+The server side needs to be able to accept connections with those headers present. Depending on the `Access-Control-Allow-Headers` configuration on the server side, it's often necessary to extend the server-side list by manually adding `Request-Id`, `Request-Context`, and `traceparent` (W3C distributed header).

+Access-Control-Allow-Headers: `Request-Id`, `traceparent`, `Request-Context`, `<your header>`

+#### How can I disable distributed tracing?

+Distributed tracing can be disabled in configuration.

+## Troubleshooting

+See the dedicated [troubleshooting article](/troubleshoot/azure/azure-monitor/app-insights/javascript-sdk-troubleshooting).

+## Release notes

+Detailed release notes regarding updates and bug fixes can be found on [GitHub](https://github.com/microsoft/ApplicationInsights-JS/releases)

+## Next steps

+* [Track usage](usage-overview.md)

+* [Custom events and metrics](api-custom-events-metrics.md)

+* [Build-measure-learn](usage-overview.md)

+* [JavaScript SDK advanced topics](javascript-sdk-advanced.md)

+ _logger.LogInformation("An example of an Info trace..");

+ using Microsoft.ApplicationInsights.WorkerService;

+ services.AddApplicationInsightsTelemetryWorkerService((ApplicationInsightsServiceOptions options) => options.ConnectionString = "InstrumentationKey=<instrumentation key here>");

+## Horizontal vs. vertical scaling

+Autoscale scales in and out, or horizontally. Scaling horizontally is an increase or decrease of the number of resource instances. For example, for a virtual machine scale set, scaling out means adding more virtual machines. Scaling in means removing virtual machines. Horizontal scaling is flexible in a cloud situation because you can use it to run a large number of VMs to handle load.

+In contrast, scaling up and down, or vertical scaling, keeps the same number of resource instances constant but gives them more capacity in terms of memory, CPU speed, disk space, and network. Vertical scaling is limited by the availability of larger hardware, which eventually reaches an upper limit. Hardware size availability varies in Azure by region. Vertical scaling might also require a restart of the VM during the scaling process. Autoscale does not support vertical scaling.

+| Azure SignalR Service (Premium tier) | [Automatically scale units of an Azure SignalR service](../../azure-signalr/signalr-howto-scale-autoscale.md) |

+* [REST API reference: Autoscale settings](/rest/api/monitor/autoscale-settings)

+ Title: Configure the ContainerLogV2 schema for Container Insights

+# Enable the ContainerLogV2 schema

+Azure Monitor Container insights offers a schema for container logs, called ContainerLogV2. As part of this schema, there are fields to make common queries to view Azure Kubernetes Service (AKS) and Azure Arc-enabled Kubernetes data. In addition, this schema is compatible with [Basic Logs](../logs/basic-logs-configure.md), which offers a low-cost alternative to standard analytics logs.

+>[!NOTE]

+>For Windows containers the PodName is not currently collected with ContainerLogV2

+While transformations themselves don't incur direct costs, the following scenarios can result in additional charges:

+- If a transformation increases the size of the incoming data, such as by adding a calculated column, you'll be charged the standard ingestion rate for the extra data.

+- If a transformation reduces the incoming data by more than 50%, you'll be charged for the amount of filtered data above 50%.

+To calculate the data processing charge resulting from transformations, use the following formula: [GB filtered out by transformations] - ([Total GB ingested] / 2). For example, if you ingest 100 GB of data and your transformations remove 70 GB, you'll be charged for 70 GB - (100 GB / 2), which is 20 GB. This calculation is done per data collection rule and per day basis. To avoid this charge, it's recommended to filter incoming data using alternative methods before applying transformations. By doing so, you can reduce the amount of data processed by transformations and, therefore, minimize any additional costs.

+ Title: Create diagnostic settings at scale using Azure policies and initiatives

+description: Use Azure Policy to create diagnostic settings in Azure Monitor at scale as each Azure resource is created.

+# Create diagnostic settings at scale using Azure Policies and Initiatives

+In order to monitor Azure resources, it's necessary to create [diagnostic settings](./diagnostic-settings.md) for each resource. This process can be difficult to manage when you have many resources. To simplify the process of creating and applying diagnostic settings at scale, use Azure Policy to automatically generate diagnostic settings for both new and existing resources.

+Each Azure resource type has a unique set of categories listed in the diagnostic settings. Each resource type therefore requires a separate policy definition. Some resource types have built-in policy definitions that you can assign without modification. For other resource types, you can create a custom definition.

+## Log category groups

+Log category groups, group together similar types of logs. Category groups make it easy to refer to multiple logs in a single command. An **allLogs** category group exists containing all of the logs. There's also an **audit** category group that includes all audit logs. By using to a category group, you can define a policy that dynamically updates as new log categories are added to group.

+There are generally three built-in policy definitions for each resource type, corresponding to the three destinations to send diagnostics to:

+* Log Analytics workspaces

+* Azure Storage accounts

+* Event hubs

+Assign the policies for the resource type according to which destinations you need.

+A set of policies built-in policies and initiatives based on the audit log category groups have been developed to help you apply diagnostics settings with only a few steps. For more information, see [Enable Diagnostics settings by category group using built-in policies.](./diagnostics-settings-policies-deployifnotexists.md)

+For a complete list of built-in policies for Azure Monitor, see [Azure Policy built-in definitions for Azure Monitor](../policy-reference.md)

+For resource types that don't have a built-in policy, you need to create a custom policy definition. You could do create a new policy manually in the Azure portal by copying an existing built-in policy and then modifying it for your resource type. Alternatively, create the policy programmatically by using a script in the PowerShell Gallery.

+The initiative will be applied to each virtual machine as it's created. A [remediation task](../../governance/policy/how-to/remediate-resources.md) deploys the policy definitions in the initiative to existing resources, so you can create diagnostic settings for any resources that were already created.

+The problem occurs when using a Resource Manager template, REST API, Azure CLI, or Azure PowerShell. Diagnostic settings created via the Azure portal aren't affected as only the supported category names are presented.

+The problem is caused by a recent change in the underlying API. Metric categories other than 'AllMetrics' aren't supported and never were except for a few specific Azure services. In the past, other category names were ignored when deploying a diagnostic setting. The Azure Monitor backend redirected these categories to 'AllMetrics'. As of February 2021, the backend was updated to specifically confirm the metric category provided is accurate. This change has caused some deployments to fail.

+Diagnostic settings don't support resourceIDs with non-ASCII characters (for example, Preproducci├│n). Since you can't rename resources in Azure, your only option is to create a new resource without the non-ASCII characters. If the characters are in a resource group, you can move the resources under it to a new one. Otherwise, you'll need to recreate the resource.

+There are three sources for diagnostic information:

+* Metrics

+* Resource Logs

+* Activity logs

+ Title: Enable diagnostics settings by category group using built-in policies.

+description: Use Azure builtin policies to create diagnostic settings in Azure Monitor.

+

+# Built-in policies for Azure Monitor

+Policies and policy initiatives provide a simple method to enable logging at-scale via diagnostics settings for Azure Monitor. Using a policy initiative, you can turn on audit logging for all [supported resources](#supported-resources) in your Azure environment.

+Enable resource logs to track activities and events that take place on your resources and give you visibility and insights into any changes that occur.

+Assign policies to enable resource logs and to send them to destinations according to your needs. Send logs to Event Hubs for third-party SIEM systems, enabling continuous security operations. Send logs to storage accounts for longer term storage or the fulfillment of regulatory compliance.

+A set of built-in policies and initiatives exists to direct resource logs to Log Analytics Workspaces, Event Hubs, and Storage Accounts. The policies enable audit logging, sending logs belonging to the **audit** log category group to an Event Hub, Log Analytics workspace or Storage Account. The policies' `effect` is `DeployIfNotExists`, which deploys the policy as a default if there aren't other settings defined.

+## Deploy policies.

+Deploy the policies and initiatives using the Portal, CLI, PowerShell, or Azure Resource Management templates

+### [Azure portal](#tab/portal)

+The following steps show how to apply the policy to send audit logs to for key vaults to a log analytics workspace.

+1. From the Policy page, select **Definitions**.

+1. Select your scope. You can apply a policy to the entire subscription, a resource group, or an individual resource.

+1. From the **Definition type** dropdown, select **Policy**.

+1. Select **Monitoring** from the Category dropdown

+1. Enter *keyvault* in the **Search** field.

+1. Select the **Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Log Analytics** policy,

+ :::image type="content" source="./media/diagnostics-settings-policies-deployifnotexists/policy-definitions.png" alt-text="A screenshot of the policy definitions page.":::

+1. From the policy definition page, select **Assign**

+1. Select the **Parameters** tab.

+1. Select the Log Analytics Workspace that you want to send the audit logs to.

+1. Select the **Remediation** tab.

+ :::image type="content" source="./media/diagnostics-settings-policies-deployifnotexists/assign-policy-parameters.png" alt-text="A screenshot of the assign policy page, parameters tab.":::

+1. On the remediation tab, select the keyvault policy from the **Policy to remediate** dropdown.

+1. Select the **Create a Managed Identity** checkbox.

+1. Under **Type of Managed Identity**, select **System assigned Managed Identity**.

+1. Select **Review + create**, then select **Create** .

+ :::image type="content" source="./media/diagnostics-settings-policies-deployifnotexists/assign-policy-remediation.png" alt-text="A screenshot of the assign policy page, remediation tab.":::

+The policy visible in the resources' diagnostic setting after approximately 30 minutes.

+### [CLI](#tab/cli)

+To apply a policy using the CLI, use the following commands:

+1. Create a policy assignment using [`az policy assignment create`](https://learn.microsoft.com/cli/azure/policy/assignment?view=azure-cli-latest#az-policy-assignment-create).

+ ```azurecli

+ az policy assignment create --name <policy assignment name> --policy "6b359d8f-f88d-4052-aa7c-32015963ecc1" --scope <scope> --params "{\"logAnalytics\": {\"value\": \"<log analytics workspace resource ID"}}" --mi-system-assigned --location <location>

+ ```

+ For example, to apply the policy to send audit logs to a log analytics workspace

+ ```azurecli

+ az policy assignment create --name "policy-assignment-1" --policy "6b359d8f-f88d-4052-aa7c-32015963ecc1" --scope /subscriptions/12345678-aaaa-bbbb-cccc-1234567890ab/resourceGroups/rg-001 --params "{\"logAnalytics\": {\"value\": \"/subscriptions/12345678-aaaa-bbbb-cccc-1234567890ab/resourcegroups/rg-001/providers/microsoft.operationalinsights/workspaces/workspace-001\"}}" --mi-system-assigned --location eastus

+ ```

+1. Assign the required role to the identity created for the policy assignment.

+Find the role in the policy definition by searching for *roleDefinitionIds*

+ ```json

+ ...},

+ "roleDefinitionIds": [

+ "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"

+ ],

+ "deployment": {

+ "properties": {...

+ ```

+ Assign the required role using [`az policy assignment identity assign`](https://learn.microsoft.com/cli/azure/policy/assignment/identity?view=azure-cli-latest):

+ ```azurecli

+ az policy assignment identity assign --system-assigned --resource-group <resource group name> --role <role name or ID> --identity-scope </scope> --name <policy assignment name>

+ ```

+ For example:

+ ```azurecli

+ az policy assignment identity assign --system-assigned --resource-group rg-001 --role 92aaf0da-9dab-42b6-94a3-d43ce8d16293 --identity-scope /subscriptions/12345678-aaaa-bbbb-cccc-1234567890ab/resourceGroups/rg001 --name policy-assignment-1

+ ```

+1. Trigger a scan to find existing resources using [`az policy state trigger-scan`](https://learn.microsoft.com/cli/azure/policy/state?view=azure-cli-latest#az-policy-state-trigger-scan).

+ ```azurecli

+ az policy state trigger-scan --resource-group rg-001

+ ```

+1. Create a remediation task to apply the policy to existing resources using [`az policy remediation create`](https://learn.microsoft.com/cli/azure/policy/remediation?view=azure-cli-latest#az-policy-remediation-create).

+ ```azurecli

+ az policy remediation create -g <resource group name> --policy-assignment <policy assignment name> --name <remediation name>

+ ```

+ For example,

+ ```azurecli

+ az policy remediation create -g rg-001 -n remediation-001 --policy-assignment policy-assignment-1

+ ```

+For more information on policy assignment using CLI, see [Azure CLI reference - az policy assignment](https://learn.microsoft.com/cli/azure/policy/assignment?view=azure-cli-latest#az-policy-assignment-create)

+### [PowerShell](#tab/Powershell)

+To apply a policy using the PowerShell, use the following commands:

+1. Set up your environment.

+ Select your subscription and set your resource group

+ ```azurepowershell

+ Select-AzSubscription <subscriptionID>

+ $rg = Get-AzResourceGroup -Name <resource groups name>

+ ```

+1. Get the policy definition and configure the parameters for the policy. In the example below we assign the policy to send keyVault logs to a Log Analytics workspace

+ ```azurepowershell

+ $definition = Get-AzPolicyDefinition |Where-Object Name -eq 6b359d8f-f88d-4052-aa7c-32015963ecc1

+ $params = @{"logAnalytics"="/subscriptions/<subscriptionID/resourcegroups/<resourcgroup>/providers/microsoft.operationalinsights/workspaces/<log anlaytics workspace name>"}

+ ```

+1. Assign the policy

+ ```azurepowershell

+ $policyAssignment=New-AzPolicyAssignment -Name <assignment name> -DisplayName "assignment display name" -Scope $rg.ResourceId -PolicyDefinition $definition -PolicyparameterObject $params -IdentityType 'SystemAssigned' -Location <location>

+

+ #To get your assignemnt use:

+ $policyAssignment=Get-AzPolicyAssignment -Name '<assignment name>' -Scope '/subscriptions/<subscriptionID>/resourcegroups/<resource group name>'

+ ```

+1. Assign the required role or roles to the system assigned Managed Identity

+ ```azurepowershell

+ $principalID=$policyAssignment.Identity.PrincipalId

+ $roleDefinitionIds=$definition.Properties.policyRule.then.details.roleDefinitionIds

+ $roleDefinitionIds | ForEach-Object {

+ $roleDefId = $_.Split("/") | Select-Object -Last 1

+ New-AzRoleAssignment -Scope $rg.ResourceId -ObjectId $policyAssignment.Identity.PrincipalId -RoleDefinitionId $roleDefId

+ }

+ ```

+1. Scan for compliance, then create a remediation task to force compliance for existing resources.

+ ```azurepowershell

+ Start-AzPolicyComplianceScan -ResourceGroupName $rg.ResourceGroupName

+ Start-AzPolicyRemediation -Name $policyAssignment.Name -PolicyAssignmentId $policyAssignment.PolicyAssignmentId -ResourceGroupName $rg.ResourceGroupName

+ ```

+1. Check compliance

+ ```azurepowershell

+ Get-AzPolicyState -PolicyAssignmentName $policyAssignment.Name -ResourceGroupName $policyAssignment.ResourceGroupName|select-object IsCompliant , ResourceID

+ ```

+## Remediation tasks

+Policies are applied to new resources when they're created. To apply a policy to existing resources, create a remediation task. Remediation tasks bring resources into compliance with a policy.

+Remediation tasks act for specific policies. For initiatives that contain multiple policies, create a remediation task for each policy in the initiative where you have resources that you want to bring into compliance.

+ Define remediation tasks when you first assign the policy, or at any stage after assignment.

+To create a remediation task for policies during the policy assignment, select the **Remediation** tab on **Assign policy** page and select the **Create remediation task** checkbox.

+To create a remediation task after the policy has been assigned, select your assigned policy from the list on the Policy Assignments page.

+

+Select **Remediate**.

+Track the status of your remediation task in the **Remediation tasks** tab of the Policy Remediation page.

+For more information on remediation tasks, see [Remediate noncompliant resources](../../governance/policy/how-to/remediate-resources.md)

+## Assign initiatives

+Initiatives are collections of policies. There are three initiatives for Azure Monitor Diagnostics settings:

+In this example, we assign an initiative for sending audit logs to a Log Analytics workspace.

+### [Azure portal](#tab/portal)

+1. From the policy **Definitions** page, select your scope.

+1. Select *Initiative* in the **Definition type** dropdown.

+1. Select *Monitoring* in the **Category** dropdown.

+1. Enter *audit* in the **Search** field.

+1. Select thee *Enable audit category group resource logging for supported resources to Log Analytics* initiative.

+1. On the following page, select **Assign**

+1. On the **Basics** tab of the **Assign initiative** page, select a **Scope** that you want the initiative to apply to.

+1. Enter a name in the **Assignment name** field.

+1. Select the **Parameters** tab.

+ The **Parameters** contains the parameters defined in the policy. In this case, we need to select the Log Analytics workspace that we want to send the logs to. For more information in the individual parameters for each policy, see [Policy-specific parameters](#policy-specific-parameters).

+1. Select the **Log Analytics workspace** to send your audit logs to.

+1. Select **Review + create** then **Create**

+To verify that your policy or initiative assignment is working, create a resource in the subscription or resource group scope that you defined in your policy assignment.

+After 10 minutes, select the **Diagnostics settings** page for your resource.

+Your diagnostic setting appears in the list with the default name *setByPolicy-LogAnalytics* and the workspace name that you configured in the policy.

+Change the default name in the **Parameters** tab of the **Assign initiative** or policy page by unselecting the **Only show parameters that need input or review** checkbox.

+### [PowerShell](#tab/Powershell)

+1. Set up your environment variables

+ ```azurepowershell

+ # Set up your environment variables.

+ $subscriptionId = <your subscription ID>;

+ $rg = Get-AzResourceGroup -Name <your resource group name>;

+ Select-AzSubscription $subscriptionId;

+ $logAnlayticsWorskspaceId=</subscriptions/$subscriptionId/resourcegroups/$rg.ResourceGroupName/providers/microsoft.operationalinsights/workspaces/<your log analytics workspace>;

+ ```

+1. Get the initiative definition. In this example, we'll use Initiative *Enable audit category group resource logging for supported resources to `

+Log Analytics*, ResourceID "/providers/Microsoft.Authorization/policySetDefinitions/f5b29bc4-feca-4cc6-a58a-772dd5e290a5"

+ ```azurepowershell

+ $definition = Get-AzPolicySetDefinition |Where-Object ResourceID -eq /providers/Microsoft.Authorization/policySetDefinitions/f5b29bc4-feca-4cc6-a58a-772dd5e290a5;

+ ```

+1. Set an assignment name and configure parameters. For this initiative, the parameters include the Log Analytics workspace ID.

+ ```azurepowershell

+ $assignmentName=<your assignment name>;

+ $params = @{"logAnalytics"="/subscriptions/$subscriptionId/resourcegroups/$($rg.ResourceGroupName)/providers/microsoft.operationalinsights/workspaces/<your log analytics workspace>"}

+ ```

+1. Assign the initiative using the parameters

+ ```azurepowershell

+ $policyAssignment=New-AzPolicyAssignment -Name $assignmentName -Scope $rg.ResourceId -PolicySetDefinition $definition -PolicyparameterObject $params -IdentityType 'SystemAssigned' -Location eastus;

+ ```

+1. Assign the `Contributor` role to the system assigned Managed Identity. For other initiatives, check which roles are required.

+ ```azurepowershell

+ New-AzRoleAssignment -Scope $rg.ResourceId -ObjectId $policyAssignment.Identity.PrincipalId -RoleDefinitionName Contributor;

+ ```

+1. Scan for policy compliance. The `Start-AzPolicyComplianceScan` command takes a few minutes to return

+ ```azurepowershell

+ Start-AzPolicyComplianceScan -ResourceGroupName $rg.ResourceGroupName;

+ ```

+1. Get a list of resources to remediate and the required parameters by calling `Get-AzPolicyState`

+ ```azurepowershell

+ $assignmentState=Get-AzPolicyState -PolicyAssignmentName $assignmentName -ResourceGroupName $rg.ResourceGroupName;

+ $policyAssignmentId=$assignmentState.PolicyAssignmentId[0];

+ $policyDefinitionReferenceIds=$assignmentState.PolicyDefinitionReferenceId;

+ ```

+1. For each resource type with noncompliant resources, start a remediation task.

+ ```azurepowershell

+ $policyDefinitionReferenceIds | ForEach-Object {

+ $referenceId = $_

+ Start-AzPolicyRemediation -ResourceGroupName $rg.ResourceGroupName -PolicyAssignmentId $policyAssignmentId -PolicyDefinitionReferenceId $referenceId -Name "$($rg.ResourceGroupName) remediation $referenceId";

+ }

+ ```

+1. Check the compliance state when the remediation tasks have completed.

+ ```azurepowershell

+ Get-AzPolicyState -PolicyAssignmentName $assignmentName -ResourceGroupName $rg.ResourceGroupName|select-object IsCompliant , ResourceID

+ ```

+You can get your policy assignment details using the following command:

+ ```azurepowershell

+ $policyAssignment=Get-AzPolicyAssignment -Name $assignmentName -Scope "/subscriptions/$subscriptionId/resourcegroups/$($rg.ResourceGroupName)";

+ ```

+### [CLI](#tab/cli)

+1. Sign in to your Azure account using the `az login` command.

+1. Select the subscription where you want to apply the policy initiative using the `az account set` command.

+1. Assign the initiative using [`az policy assignment create`](https://learn.microsoft.com/cli/azure/policy/assignment?view=azure-cli-latest#az-policy-assignment-create).

+ ```azurecli

+ az policy assignment create --name <assignment name> --resource-group <resource group name> --policy-set-definition <initiative name> --params <parameters object> --mi-system-assigned --location <location>

+ ```

+ For example:

+ ```azurecli

+ az policy assignment create --name "assign-cli-example-01" --resource-group "cli-example-01" --policy-set-definition 'f5b29bc4-feca-4cc6-a58a-772dd5e290a5' --params '{"logAnalytics":{"value":"/subscriptions/12345678-aaaa-bbbb-cccc-1234567890ab/resourcegroups/cli-example-01/providers/microsoft.operationalinsights/workspaces/cli-example-01-ws"}, "diagnosticSettingName":{"value":"AssignedBy-cli-example-01"}}' --mi-system-assigned --location eastus

+ ```

+1. Assign the required role to the system managed identity

+ Find the roles to assign in any of the policy definitions in the initiative by searching the definition for *roleDefinitionIds*, for example:

+ ```json

+ ...},

+ "roleDefinitionIds": [

+ "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"

+ ],

+ "deployment": {

+ "properties": {...

+ ```

+ Assign the required role using [`az policy assignment identity assign`](https://learn.microsoft.com/cli/azure/policy/assignment/identity?view=azure-cli-latest):

+ ```azurecli

+ az policy assignment identity assign --system-assigned --resource-group <resource group name> --role <role name or ID> --identity-scope <scope> --name <policy assignment name>

+ ```

+ For example:

+ ```azurecli

+ az policy assignment identity assign --system-assigned --resource-group "cli-example-01" --role 92aaf0da-9dab-42b6-94a3-d43ce8d16293 --identity-scope "/subscriptions/12345678-aaaa-bbbb-cccc-1234567890ab/resourcegroups/cli-example-01" --name assign-cli-example-01

+ ```

+1. Create remediation tasks for the policies in the initiative.

+ Remediation tasks are created per-policy. Each task is for a specific `definition-reference-id`, specified in the initiative as `policyDefinitionReferenceId`. To find the `definition-reference-id` parameter, use the following command:

+ ```azurecli

+ az policy set-definition show --name f5b29bc4-feca-4cc6-a58a-772dd5e290a5 |grep policyDefinitionReferenceId

+ ```

+ Remediate the resources using [`az policy remediation create`](https://learn.microsoft.com/cli/azure/policy/remediation?view=azure-cli-latest#az-policy-remediation-create)

+ ```azurecli

+ az policy remediation create --resource-group <resource group name> --policy-assignment <assignment name> --name <remediation task name> --definition-reference-id "policy specific reference ID" --resource-discovery-mode ReEvaluateCompliance

+ ```

+ For example:

+ ```azurecli

+ az policy remediation create --resource-group "cli-example-01" --policy-assignment assign-cli-example-01 --name "rem-assign-cli-example-01" --definition-reference-id "keyvault-vaults" --resource-discovery-mode ReEvaluateCompliance

+ ```

+ To create a remediation task for all of the policies in the initiative, use the following example:

+ ```bash

+ for policyDefinitionReferenceId in $(az policy set-definition show --name f5b29bc4-feca-4cc6-a58a-772dd5e290a5 |grep policyDefinitionReferenceId |cut -d":" -f2|sed s/\"//g)

+ do

+ az policy remediation create --resource-group "cli-example-01" --policy-assignment assign-cli-example-01 --name remediate-$policyDefinitionReferenceId --definition-reference-id $policyDefinitionReferenceId;

+ done

+ ```

+## Common parameters

+The following table describes the common parameters for each set of policies.

+|Parameter| Description| Valid Values|Default|

+|||||

+|effect| Enable or disable the execution of the policy|DeployIfNotExists,<br>AuditIfNotExists,<br>Disabled|DeployIfNotExists|

+|diagnosticSettingName|Diagnostic Setting Name||setByPolicy-LogAnalytics|

+|categoryGroup|Diagnostic category group|none,<br>audit,<br>allLogs|audit|

+## Policy-specific parameters

+### Log Analytics policy parameters

+ This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace.

+|Parameter| Description| Valid Values|Default|

+|||||

+|resourceLocationList|Resource Location List to send logs to nearby Log Analytics. <br>"*" selects all locations|Supported locations|\*|

+|logAnalytics|Log Analytics Workspace|||

+### Event Hubs policy parameters

+This policy deploys a diagnostic setting using a category group to route logs to an Event Hub.

+|Parameter| Description| Valid Values|Default|

+|||||

+|resourceLocation|Resource Location must be the same location as the event hub Namespace|Supported locations||

+|eventHubAuthorizationRuleId|Event Hub Authorization Rule ID. The authorization rule is at event hub namespace level. For example, /subscriptions/{subscription ID}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}|||

+|eventHubName|Event Hub Name||Monitoring|

+### Storage Accounts policy parameters

+This policy deploys a diagnostic setting using a category group to route logs to a Storage Account.

+|Parameter| Description| Valid Values|Default|

+|||||

+|resourceLocation|Resource Location must be in the same location as the Storage Account|Supported locations|

+|storageAccount|Storage Account resourceId|||

+## Supported Resources

+Built-in Audit logs policies for Log Analytics workspaces, Event Hubs, and Storage Accounts exist for the following resources:

+* microsoft.agfoodplatform/farmbeats

+* microsoft.apimanagement/service

+* microsoft.appconfiguration/configurationstores

+* microsoft.attestation/attestationproviders

+* microsoft.automation/automationaccounts

+* microsoft.avs/privateclouds

+* microsoft.cache/redis

+* microsoft.cdn/profiles

+* microsoft.cognitiveservices/accounts

+* microsoft.containerregistry/registries

+* microsoft.devices/iothubs

+* microsoft.eventgrid/topics

+* microsoft.eventgrid/domains

+* microsoft.eventgrid/partnernamespaces

+* microsoft.eventhub/namespaces

+* microsoft.keyvault/vaults

+* microsoft.keyvault/managedhsms

+* microsoft.machinelearningservices/workspaces

+* microsoft.media/mediaservices

+* microsoft.media/videoanalyzers

+* microsoft.netapp/netappaccounts/capacitypools/volumes

+* microsoft.network/publicipaddresses

+* microsoft.network/virtualnetworkgateways

+* microsoft.network/p2svpngateways

+* microsoft.network/frontdoors

+* microsoft.network/bastionhosts

+* microsoft.operationalinsights/workspaces

+* microsoft.purview/accounts

+* microsoft.servicebus/namespaces

+* microsoft.signalrservice/signalr

+* microsoft.signalrservice/webpubsub

+* microsoft.sql/servers/databases

+* microsoft.sql/managedinstances

+## Next Steps

+* [Create diagnostic settings at scale using Azure Policy](./diagnostic-settings-policy.md)

+* [Azure Policy built-in definitions for Azure Monitor](../policy-reference.md)

+* [Azure Policy Overview](../../governance/policy/overview.md)

+* [Azure Enterprise Policy as Code](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/azure-enterprise-policy-as-code-a-new-approach/ba-p/3607843)

+| Import | Upload logs from a custom app via the [REST API](./logs-ingestion-api-overview.md) or client library for [.NET](/dotnet/api/overview/azure/Monitor.Ingestion-readme), [Java](/java/api/overview/azure/monitor-ingestion-readme), [JavaScript](/javascript/api/overview/azure/monitor-ingestion-readme), or [Python](/python/api/overview/azure/monitor-ingestion-readme). |

+- Learn about the [monitoring data available](../data-sources.md) for various resources in Azure.

+>Usage for Azure Monitor Logs (Log Analytics) can be billed with the **Log Analytics** service (for Pay-as-you-go Data Ingestion and Data Retention), or with the **Azure Monitor** service (for Commitment Tiers, Basic Logs, Search, Search Jobs, Data Archive and Data Export) or with the **Insight and Analytics** service when using the legacy Per Node pricing tier. Except for a small set of legacy resources, classic Application Insights data ingestion and retention are billed as the **Log Analytics** service. Note then when you change your workspace from a Pay-as-you-go pricing tier to a Commitment Tier, on your bill, the costs will appear to shift from Log Analytics to Azure Monitor, reflecting the service associated to each pricing tier.

+All Azure NetApp Files volumes are encrypted using the FIPS 140-2 standard. Learn [how encryption keys managed](#how-are-encryption-keys-managed).

+By default key management for Azure NetApp Files is handled by the service, using [platform-managed keys](../security/fundamentals/key-management.md). A unique XTS-AES-256 data encryption key is generated for each volume. An encryption key hierarchy is used to encrypt and protect all volume keys. These encryption keys are never displayed or reported in an unencrypted format. When you delete a volume, Azure NetApp Files immediately deletes the volume's encryption keys.

+Alternatively, [customer-managed keys for Azure NetApp Files volume encryption](configure-customer-managed-keys.md) can be used where keys are stored in [Azure Key Vault](../key-vault/general/basic-concepts.md). With customer-managed keys, you can fully manage the relationship between a key's life cycle, key usage permissions, and auditing operations on keys.

+Lastly, customer-managed keys using Azure Dedicated HSM is supported on a controlled basis. Support is currently available in the East US, South Central US, West US 2, and US Gov Virginia regions. You can request access at [anffeedback@microsoft.com](mailto:anffeedback@microsoft.com). As capacity becomes available, requests will be approved.

+## What are SMB/CIFS `oplocks` and are they enabled on Azure NetApp Files volumes?

+SMB/CIFS oplocks (opportunistic locks) enable the redirector on a SMB/CIFS client in certain file-sharing scenarios to perform client-side caching of read-ahead, write-behind, and lock information. A client can then work with a file (read or write it) without regularly reminding the server that it needs access to the file. This improves performance by reducing network traffic. SMB/CIFS oplocks are enabled on Azure NetApp Files SMB and dual-protocol volumes.

+Refer to the [Azure NetApp Files datastore for Azure VMware Solution TCO Estimator](https://aka.ms/anfavscalc) to understand the sizing and associated cost benefits of Azure NetApp Files datastores.

+* Average latency increased by 0.2 ms

+Converts an array to an object with a custom key function and optional custom value function. See [items](bicep-functions-object.md#items) about converting an object to an array.

+Converts a dictionary object to an array. See [toObject](bicep-functions-lambda.md#toobject) about converting an array to an object.

+ Properties are required unless they have an optionality marker `?` after the property value. For example, the `sku` property in the following example is optional:

+ sku: string?

+ recursiveProp: myObjectType?

+In this quickstart, you use the managed application definition that you created using one of the quickstart articles. The deployment creates two resource groups. One resource group contains the managed application and the other is a managed resource group for the deployed resources. The managed application definition deploys an App Service plan, App Service, and storage account.

+- A managed application definition created with [publish an application definition](publish-service-catalog-app.md) or [publish a definition with bring your own storage](publish-service-catalog-bring-your-own-storage.md).

+- An Azure account with an active subscription. If you don't have an account, [create a free account](https://azure.microsoft.com/free/) before you begin.

+- [Visual Studio Code](https://code.visualstudio.com/).

+- Install the latest version of [Azure PowerShell](/powershell/azure/install-az-ps) or [Azure CLI](/cli/azure/install-azure-cli).

+The examples use the resource groups names created in the _quickstart to publish an application definition_. If you used the quickstart to _publish a definition with bring your own storage_, use those resource group names.

+- **Publish application definition**: _packageStorageGroup_ and _appDefinitionGroup_.

+- **Publish definition with bring your own storage**: _packageStorageGroup_, _byosDefinitionStorageGroup_, and _byosAppDefinitionGroup_.

+### Get managed application definition

+# [PowerShell](#tab/azure-powershell)

+To get the managed application's definition with Azure PowerShell, run the following commands.

+In Visual Studio Code, open a new PowerShell terminal and sign in to your Azure subscription.

+```azurepowershell

+Connect-AzAccount

+```

+The command opens your default browser and prompts you to sign in to Azure. For more information, go to [Sign in with Azure PowerShell](/powershell/azure/authenticate-azureps).

+From Azure PowerShell, get your managed application's definition. In this example, use the resource group name _appDefinitionGroup_ that was created when you deployed the managed application definition.

+```azurepowershell

+Get-AzManagedApplicationDefinition -ResourceGroupName appDefinitionGroup

+```

+`Get-AzManagedApplicationDefinition` lists all the available definitions in the specified resource group, like _sampleManagedApplication_.

+Create a variable for the managed application definition's resource ID.

+```azurepowershell

+$definitionid = (Get-AzManagedApplicationDefinition -ResourceGroupName appDefinitionGroup -Name sampleManagedApplication).ManagedApplicationDefinitionId

+```

+You use the `$definitionid` variable's value when you deploy the managed application.

+# [Portal](#tab/azure-portal)

+To get the managed application's definition from the Azure portal, use the following steps.

+### Create resource group and parameters

+# [PowerShell](#tab/azure-powershell)

+Create a resource group for the managed application that's used during the deployment.

+```azurepowershell

+New-AzResourceGroup -Name applicationGroup -Location westus3

+```

+You also need to create a name for the managed application resource group. The resource group is created when you deploy the managed application.

+Run the following commands to create the managed resource group's name.

+```azurepowershell

+$mrgprefix = 'rg-sampleManagedApplication-'

+$mrgtimestamp = Get-Date -UFormat "%Y%m%d%H%M%S"

+$mrgname = $mrgprefix + $mrgtimestamp

+$mrgname

+```

+The `$mrgprefix` and `$mrgtimestamp` variables are concatenated to create a resource group name like _rg-sampleManagedApplication-20230310100148_ that's stored in the `$mrgname` variable. You use the `$mrgname` variable's value when you deploy the managed application.

+You need to provide several parameters to the deployment command for the managed application. You can use a JSON formatted string or create a JSON file. In this example, we use a JSON formatted string. The PowerShell escape character for the quote marks is the backtick (`` ` ``) character. The backtick is also used for line continuation so that commands can use multiple lines.

+The JSON formatted string's syntax is as follows:

+```json

+"{ `"parameterName`": {`"value`":`"parameterValue`"}, `"parameterName`": {`"value`":`"parameterValue`"} }"

+```

+For readability, the completed JSON string uses the backtick for line continuation. The values are stored in the `$params` variable that's used in the deployment command. The parameters in the JSON string are required to deploy the managed resources.

+```powershell

+$params="{ `"appServicePlanName`": {`"value`":`"demoAppServicePlan`"}, `

+`"appServiceNamePrefix`": {`"value`":`"demoApp`"}, `

+`"storageAccountNamePrefix`": {`"value`":`"demostg1234`"}, `

+`"storageAccountType`": {`"value`":`"Standard_LRS`"} }"

+```

+The parameters to create the managed resources:

+- `appServicePlanName`: Create a plan name. Maximum of 40 alphanumeric characters and hyphens. For example, _demoAppServicePlan_. App Service plan names must be unique within a resource group in your subscription.

+- `appServiceNamePrefix`: Create a prefix for the plan name. Maximum of 47 alphanumeric characters or hyphens. For example, _demoApp_. During deployment, the prefix is concatenated with a unique string to create a name that's globally unique across Azure.

+- `storageAccountNamePrefix`: Use only lowercase letters and numbers and a maximum of 11 characters. For example, _demostg1234_. During deployment, the prefix is concatenated with a unique string to create a name globally unique across Azure. Although you're creating a prefix, the control checks for existing names in Azure and might post a validation message that the name already exists. If so, choose a different prefix.

+- `storageAccountType`: The default is Standard_LRS. The other options are Premium_LRS, Standard_LRS, and Standard_GRS.

+# [Portal](#tab/azure-portal)

+ - **Application Name**: Enter a name for your managed application. For this example, use _demoManagedApplication_.

+ - **Storage account type**: Select **Change type** to choose a storage account type. The default is Standard LRS. The other options are Premium_LRS, Standard_LRS, and Standard_GRS.

+### Deploy the managed application

+# [PowerShell](#tab/azure-powershell)

+Run the following command to deploy the managed application from your Azure PowerShell session.

+```azurepowershell

+New-AzManagedApplication `

+ -Name "demoManagedApplication" `

+ -ResourceGroupName applicationGroup `

+ -Location westus3 `

+ -ManagedResourceGroupName $mrgname `

+ -ManagedApplicationDefinitionId $definitionid `

+ -Kind ServiceCatalog `

+ -Parameter $params

+```

+The parameters used in the deployment command:

+- `Name`: Specify a name for the managed application. For this example, use _demoManagedApplication_.

+- `ResourceGroupName`: Name of the resource group you created for the managed application.

+- `Location`: Specify the region to deploy the resources. For this example, use _westus3_.

+- `ManagedResourceGroupName`: Uses the `$mrgname` parameters value. The managed resource group is created when the managed application is deployed.

+- `ManagedApplicationDefinitionId`: Uses the `$definitionid` variable's value for the managed application definition's resource ID.

+- `Kind`: Specifies that type of managed application. This example uses _ServiceCatalog_.

+- `Parameter`: Uses the `$parms` variable's value in the JSON formatted string.

+# [Portal](#tab/azure-portal)

+Review the summary of the values you selected and verify **Validation Passed** is displayed. Select **Create** to deploy the managed application.

+After the deployment is finished, you can check your managed application's status.

+# [PowerShell](#tab/azure-powershell)

+Run the following commands to check the managed application's status.

+```azurepowershell

+Get-AzManagedApplication -Name demoManagedApplication -ResourceGroupName applicationGroup

+```

+Expand the properties to make it easier to read the `Properties` information.

+```azurepowershell

+Get-AzManagedApplication -Name demoManagedApplication -ResourceGroupName applicationGroup | Select-Object -ExpandProperty Properties

+```

+# [Portal](#tab/azure-portal)

+You can view the resources deployed to the managed resource group.

+# [PowerShell](#tab/azure-powershell)

+To display the managed resource group's resources, run the following command. You created the `$mrgname` variable when you created the parameters.

+```azurepowershell

+Get-AzResource -ResourceGroupName $mrgname

+```

+To display all the role assignments for the managed resource group.

+```azurepowershell

+Get-AzRoleAssignment -ResourceGroupName $mrgname

+```

+The managed application definition you created in the quickstart articles used a group with the Owner role assignment. You can view the group with the following command.

+```azurepowershell

+Get-AzRoleAssignment -ResourceGroupName $mrgname -RoleDefinitionName Owner

+```

+You can also list the deny assignments for the managed resource group.

+```azurepowershell

+Get-AzDenyAssignment -ResourceGroupName $mrgname

+```

+# [Portal](#tab/azure-portal)

+When you're finished with the managed application, you can delete the resource groups and that removes all the resources you created. For example, in this quickstart you created the resource groups _applicationGroup_ and a managed resource group with the prefix _rg-sampleManagedApplication_.

+# [PowerShell](#tab/azure-powershell)

+The command prompts you to confirm that you want to remove the resource group.

+```azurepowershell

+Remove-AzResourceGroup -Name applicationGroup

+```

+# [Portal](#tab/azure-portal)

+Converts an array to an object with a custom key function and optional custom value function. See [items](template-functions-object.md#items) about converting an object to an array.

+Converts a dictionary object to an array. See [toObject](template-functions-lambda.md#toobject) about converting an array to an object.

+In this section, you use a Resource Manager template located in a GitHub repository to deploy a prebuilt sample web application to Azure App Service. Later, you subscribe to your registry's Event Grid events and specify this app as the endpoint to which the events are sent.

+In Event Grid, you subscribe to a *topic* to tell it which events you want to track, and where to send them. The command [`az eventgrid event-subscription create`][az-eventgrid-event-subscription-create] subscribes to the Azure SignalR Service you created and specifies your web app's URL as the endpoint to which it should send events. The environment variables you populated in earlier sections are reused here, so no edits are required.

+For code sample generating an access token through ARM see [C# code sample](https://github.com/Azure-Samples/media-services-video-indexer/blob/master/API-Samples/C%23/ArmBased/Program.cs).

+Learn how to [Upload a video using C#](https://github.com/Azure-Samples/media-services-video-indexer/blob/master/API-Samples/C%23/ArmBased/).

+Learn how to [Upload a video using C#](https://github.com/Azure-Samples/media-services-video-indexer/blob/master/API-Samples/C%23/ArmBased/).

+1. Open the [template file](https://github.com/Azure-Samples/media-services-video-indexer/blob/master/Deploy-Samples/ArmTemplates/avam.template.json) and inspect its contents.

+> The following sample is intended for Classic accounts only and isn't compatible with ARM accounts. For an updated sample for ARM, see [this ARM sample repo](https://github.com/Azure-Samples/media-services-video-indexer/blob/master/API-Samples/C%23/ArmBased/Program.cs).

+Added new code samples including HTTP calls to use Azure Video Indexer create, read, update and delete (CRUD) ARM API for solution developers.

+If you want to use a firewall to secure your storage account and enable trusted storage, [Managed Identities](/azure/media-services/latest/concept-managed-identities) authentication that allows Video Indexer access through the firewall is the preferred option. It allows Video Indexer and Media Services to access the storage account that has been configured without needing public access for [trusted storage access.](../storage/common/storage-network-security.md?tabs=azure-portal#grant-access-to-trusted-azure-services)

+[Disaster recovery](video-indexer-disaster-recovery.md)

+> The following sample is intended for classic accounts only and not compatible with ARM-based accounts. For an updated sample for ARM (recommended), see [this ARM sample repo](https://github.com/Azure-Samples/media-services-video-indexer/blob/master/API-Samples/C%23/ArmBased/Program.cs).

+[Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md) backup is a simple, cloud-native process to back up and restore the containerized applications and data running in AKS clusters. You can configure scheduled backup for cluster state and application data (persistent volumes - CSI driver-based Azure Disks). The solution provides granular control to choose a specific namespace or an entire cluster to back up or restore by storing backups locally in a blob container and as disk snapshots. With AKS backup, you can unlock end-to-end scenarios - operational recovery, cloning developer/test environments, or cluster upgrade scenarios.

+AKS backup enables you to back up your Kubernetes workloads and persistent volumes deployed in AKS clusters. The solution requires a [**Backup Extension**](../azure-arc/kubernetes/conceptual-extensions.md) to be installed in the AKS cluster. Backup vault communicates to the Backup Extension to perform backup and restore related operations. You can configure scheduled backups for your clusters as per your backup policy and can restore the backups to the original or an alternate cluster within the same subscription and region. The extension also allows you to enable granular controls to choose a specific namespace or an entire cluster as a backup/restore configuration while performing the specific operation.

+AKS backup uses Managed Identity to access other Azure resources. To configure backup of an AKS cluster and to restore from past backup, Backup vault's Managed Identity requires a set of permissions on the AKS cluster and the snapshot resource group where snapshots are created and managed. Currently, the AKS cluster requires a set of permissions on the Snapshot Resource Group. Also, the Backup Extension creates a User Identity and assigns a set of permissions to access the storage account where backups are stored in a blob. You can grant permissions to the Managed Identity using Azure role-based access control (Azure RBAC). Managed Identity is a service principle of a special type that can only be used with Azure resources. Learn more about [Managed Identities](../active-directory/managed-identities-azure-resources/overview.md).

+- [Prerequisites for Azure Kubernetes Service backup (preview)](azure-kubernetes-service-cluster-backup-concept.md)

+ ```Error

+ ```azurecli-interactive

+ ```azurecli-interactive

+ ```azurecli-interactive

+**Cause**: Specific FQDN/application rules are required to use cluster extensions in the AKS clusters. [Learn more](../aks/limit-egress-traffic.md#cluster-extensions).

+ ```azurecli-interactive

+ ```azurecli-interactive

+ ```azurecli-interactive

+ ```azurecli-interactive

+ ```azurecli-interactive

+- Ensure to perform [all the prerequisites](azure-kubernetes-service-cluster-backup-concept.md) before initiating backup or restore operation for AKS backup.

+ az k8s-extension create --name azure-aks-backup --extension-type Microsoft.DataProtection.Kubernetes --scope cluster --cluster-type managedClusters --cluster-name aksclustername --resource-group aksclusterrg --release-train stable --configuration-settings blobContainer=containername storageAccount=storageaccountname storageAccountResourceGroup=storageaccountrg storageAccountSubscriptionId=subscriptionid

+ az k8s-extension update --name azure-aks-backup --cluster-type managedClusters --cluster-name aksclustername --resource-group aksclusterrg --release-train stable --configuration-settings [blobContainer=containername storageAccount=storageaccountname storageAccountResourceGroup=storageaccountrg storageAccountSubscriptionId=subscriptionid] [cpuLimit=1] [memoryLimit=1Gi]

+ Title: Concept of Immutable vault for Azure Backup

+# Immutable vault for Azure Backup

+- Immutable vault is available in all Azure public regions.

+- Learn [how to manage operations of Azure Backup vault immutability](backup-azure-immutable-vault-how-to-manage.md).

+ Title: How to manage Azure Backup Immutable vault operations

+# Manage Azure Backup Immutable vault operations

+- Learn [about Immutable vault for Azure Backup](backup-azure-immutable-vault-concept.md).

+Azure Backup allows you to securely perform the backup and restore operations of your data from the Recovery Services vaults using [private endpoints](../private-link/private-endpoint-overview.md). Private endpoints use one or more private IP addresses from your Azure Virtual Network (VNet), effectively bringing the service into your VNet.

+>- [US Gov](../azure-government/documentation-government-developer-guide.md)

+- Learn [how to configure and manage private endpoints for Azure Backup](backup-azure-private-endpoints-configure-manage.md).

+Azure Backup allows you to securely perform the backup and restore operations of your data from the Recovery Services vaults using [private endpoints](../private-link/private-endpoint-overview.md). Private endpoints use one or more private IP addresses from your Azure Virtual Network (VNet), effectively bringing the service into your VNet.

+- Learn [about private endpoint for Azure Backup](backup-azure-private-endpoints-concept.md).

+>- Enhanced policy currently doesn't support protecting Ultra SSD. You can use [selective disk backup (preview)](selective-disk-backup-restore.md) to exclude these disks, and then configure backup.

+## Enable selective disk backup and restore (preview)

+You can exclude non-critical disks from backup by using selective disk backup to save costs. Using this capability, you can selectively back up a subset of the data disks that are attached to your VM, and then restore a subset of the disks that are available in a recovery point, both from instant restore and vault tier. [Learn more](selective-disk-backup-restore.md).

+Azure Backup supports backing up all the disks (operating system and data) in a VM together using the virtual machine backup solution. Now, using the selective disks backup and restore functionality, you can back up a subset of the data disks in a VM.

+This is supported both for Enhanced Policy (preview) as well as Standard Policy. This provides an efficient and cost-effective solution for your backup and restore needs. Each recovery point contains only the disks that are included in the backup operation. This further allows you to have a subset of disks restored from the given recovery point during the restore operation. This applies to both restore from snapshots and the vault.

+>[!Note]

+>- This is supported for both backup policies - [Enhanced policy](backup-azure-vms-enhanced-policy.md) and [Standard policy](backup-during-vm-creation.md#create-a-vm-with-backup-configured).

+>- The *Selective disk backup and restore in Enhanced policy (preview)* is available in public Azure regions only.

+2. If you've other backup solutions for part of your VM or data. For example, if you back up your databases or data using a different workload backup solution and you want to use Azure VM level backup for the rest of the data or disks to build an efficient and robust system using the best capabilities available.

+3. If you're using [Enhanced policy](backup-azure-vms-enhanced-policy.md), you can use this solution to exclude unsupported disks (Ultra Disks, Shared Disks) and configure a VM for backup.

+Using PowerShell, Azure CLI, or Azure portal, you can configure selective disk backup of the Azure VM. Using a script, you can include or exclude data disks using their *LUN numbers*. The ability to configure selective disks backup via the Azure portal is limited to the *Backup OS Disk* only for the Standard policy, but can be configured for all data disks for Enhanced policy.

+>[!Note]

+>These CLI steps apply to selective disk backup for VMs using both policies - enhanced and standard.

+During the configure protection operation, you need to specify the disk list setting with an **inclusion**/**exclusion** parameter, giving the *LUN* numbers of the disks to be included or excluded in the backup.

+- If you're using Standard policy to back up the VM, configuring the selective disks backup experience for a VM through the Azure portal is limited to the **Backup OS Disk only** option. To use selective disks backup on already a backed-up VM or for advanced inclusion or exclusion of specific data disks of a VM, use PowerShell or Azure CLI.

+- If you're using Enhanced policy to back up the VM, you can select the data disks you want to back up, and optionally choose to include disks added to the VM in future for back up.

+### Backup OS disk only in the Azure portal (Standard policy)

+## Configure Selective Disk Backup in the Azure Portal (Enhanced Policy)

+When you enable the backup operation using the Azure portal, you can choose the data disks that you want to include in the backup (the OS disk is always included). You can also choose to include disks that are added in the future for backup automatically by enabling the ΓÇ£Include future disksΓÇ¥ option.

+Selective disks backup functionality for Standard policy isn't supported for classic virtual machines and encrypted virtual machines. So Azure VMs that are encrypted with Azure Disk Encryption (ADE) using BitLocker for encryption of Windows VM, and the dm-crypt feature for Linux VMs are unsupported. However, VMs with Azure Disk Encryption enabled can use selective disk backup with Enhanced policy.

+Currently, Azure VM backup doesn't support VMs with ultra-disks or shared disks attached to them. Selective disk backup for Standard policy can't be used to in such cases, which exclude the disk and backup the VM. You can use selective disk backup with Enhanced policy to exclude these disks and configure backup.

+### Standard policy

+If you're using Standard policy, **Protected Instance (PI) cost** is calculated for the OS disk only if you choose to back up using the **OS Disk only** option. If you configure backup and select at least one data disk, the PI cost will be calculated for all the disks attached to the VM. **Backup storage cost** is calculated based on only the included disks and so you get to save on the storage cost. **Snapshot cost** is always calculated for all the disks in the VM (both the included and excluded disks).

+If you've chosen the Cross Region Restore (CRR) feature, then the [CRR pricing](https://azure.microsoft.com/pricing/details/backup/) applies on the backup storage cost after excluding the disk.

+### Enhanced policy

+If you're using Enhanced policy, **Protected Instance (PI)** cost, snapshot cost, and vault tier storage cost are all calculated based on the disks that you've included for backup.

+**Known limitations**

+| OS type | Limitation |

+| | |

+| Windows | - **Spanned volumes**: For spanned volumes (volumes spread across more than one physical disk), ensure that all disks are included in the backup. If not, Azure Backup might not be able to reliably restore the data and exclude it in billing. <br><br> - **Storage pool**: If you're using disks carved out of a storage pool and if a *LUN number* included for backup is common across virtual disks and data disks, the size of the virtual disk is also included in the backup size in addition to the data disks. |

+| Linux | - **Logical volumes**: For logical volumes spread across more than one disk, ensure that all disks are included in the backup. If not, Azure Backup might not be able to reliably restore the data and exclude it in billing. <br><br> - **Distro support**: Azure Backup uses *lsscsi* and *lsblk* to determine the disks being excluded for backup. If your distro (Debian 8.11, 10.13, and so on) doesn't support *lsscsi*, install it using `sudo apt install lsscsi` to ensure Selective disk backup works. |

+If you've chosen the Cross Region Restore (CRR) feature, then the [CRR pricing](https://azure.microsoft.com/pricing/details/backup/) applies on the backup storage cost after excluding the disk.

+If you're using standard policy, the Selective disk backup features let you save on backup vault storage cost by hardening the included disks that are part of the backup. However, the snapshot is taken for all the disks that are attached to the VM. So the snapshot cost is always calculated for all the disks in the VM (both the included and excluded disks). For more information, see [billing](#billing).

+If you're using Enhanced policy, the snapshot is taken only for the OS disk and the data disks that you've included.

+If you're using Standard policy, Azure VM backup doesn't support VMs with ultra-disk or shared disk attached to them and it is not possible to exclude them with selective disk backup and then configure backup.

+If you're using Enhanced policy, you can exclude the unsupported disks from the backup via selective disk backup (in the Azure portal, CLI, PowerShell, and so on), and configure backup for the VM.

+ - [Support for selective disk backup with enhanced policy for Azure VM (preview)](#support-for-selective-disk-backup-with-enhanced-policy-for-azure-vm-preview)

+## Support for selective disk backup with enhanced policy for Azure VM (preview)

+Azure Backup now provides *Selective Disk backup and restore* capability to Enhanced policy. Using this capability, you can selectively back up a subset of the data disks that are attached to your VM, and then restore a subset of the disks that are available in a recovery point, both from instant restore and vault tier.

+This is useful when you:

+- Manage critical data in a subset of the VM disks.

+- Use database backup solutions and want to back up only their OS disk to reduce cost.

+For more information, see [Selective disk backup and restore](selective-disk-backup-restore.md).

+- Currently, [Ephemeral OS disks](create-pool-ephemeral-os-disk.md) are not supported with Spot VMs due to the service managed

+eviction policy of Stop-Deallocate.

+For Batch workloads, the main benefits of using ephemeral OS disks are reduced costs associated with pools, the potential for faster node start time, and improved application performance due to better OS disk performance. When choosing whether ephemeral OS disks should be used for your workload, consider the following impacts:

+- There's lower read/write latency to ephemeral OS disks, which may lead to improved application performance.

+- There's no storage cost for ephemeral OS disks, whereas there's a cost for each managed OS disk.

+- Reimage for compute nodes is faster for ephemeral disks compared to managed disks, when supported by Batch.

+- Ephemeral OS disks aren't highly durable and available; when a VM is removed for any reason, the OS disk is lost. Since Batch workloads are inherently stateless, and don't normally rely on changes to the OS disk being persisted, ephemeral OS disks are appropriate to use for most Batch workloads.

+- Ephemeral OS disks aren't currently supported by all Azure VM series. If a VM size doesn't support an ephemeral OS disk, a managed OS disk must be used.

+The `EphemeralOSDiskSettings` property isn't set by default. You must set this property in order to configure ephemeral OS disk use on the pool nodes.

+> [!TIP]

+> Ephemeral OS disks cannot be used in conjunction with Spot VMs in Batch pools due to the service managed eviction policy.

+- See the [Ephemeral OS Disks FAQ](../virtual-machines/ephemeral-os-disks-faq.md).

+For more information, see [How to bring VMs up-to-date with the latest scale set model](../virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set.md#how-to-bring-vms-up-to-date-with-the-latest-scale-set-model)

+To resolve this, navigate to the virtual machine or Virtual Machine Scale Set in the Azure portal, go to **Identity**, open the **User assigned** tab, and **Add** your user-assigned identity to the virtual machine. Once complete, you may need to reboot the virtual machine for the agent to connect.

+## March 2023 Guest OS

+>[!NOTE]

+>The March Guest OS is currently being rolled out to Cloud Service VMs that are configured for automatic updates. When the rollout is complete, this version will be made available for manual updates through the Azure portal and configuration files. The following patches are included in the March Guest OS. This list is subject to change.

+| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced |

+| | | | | |

+| Rel 23-03 | [5023697] | Latest Cumulative Update(LCU) | 5.79 | Mar 14, 2023 |

+| Rel 23-03 | [5022835] | IE Cumulative Updates | 2.135, 3.122, 4.115 | Feb 14, 2023 |

+| Rel 23-03 | [5023705] | Latest Cumulative Update(LCU) | 7.23 | Mar 14, 2023 |

+| Rel 23-03 | [5023702] | Latest Cumulative Update(LCU) | 6.55 | Mar 14, 2023 |

+| Rel 23-03 | [5022523] | .NET Framework 3.5 Security and Quality Rollup  | 2.135 | Feb 14, 2023 |

+| Rel 23-03 | [5022515] | .NET Framework 4.6.2 Security and Quality Rollup  | 2.135 | Feb 14, 2023 |

+| Rel 23-03 | [5022574] | .NET Framework 3.5 Security and Quality Rollup  | 4.115 | Feb 14, 2023 |

+| Rel 23-03 | [5022513] | .NET Framework 4.6.2 Security and Quality Rollup  | 4.115 | Feb 14, 2023 |

+| Rel 23-03 | [5022574] | .NET Framework 3.5 Security and Quality Rollup  | 3.122 | Feb 14, 2023 |

+| Rel 23-03 | [5022512] | .NET Framework 4.6.2 Security and Quality Rollup  | 3.122 | Feb 14, 2023 |

+| Rel 23-03 | [5022511] | . NET Framework 4.7.2 Cumulative Update  | 6.55 | Feb 14, 2023 |

+| Rel 23-03 | [5022507] | .NET Framework 4.8 Security and Quality Rollup  | 7.23 | Feb 14, 2023 |

+| Rel 23-03 | [5023769] | Monthly Rollup  | 2.135 | Mar 14, 2023 |

+| Rel 23-03 | [5023756] | Monthly Rollup  | 3.122 | Mar 14, 2023 |

+| Rel 23-03 | [5023765] | Monthly Rollup  | 4.115 | Mar 14, 2023 |

+| Rel 23-03 | [5023791] | Servicing Stack Update  | 3.122 | Mar 14, 2023 |

+| Rel 23-03 | [5023790] | Servicing Stack update | 4.115 | Mar 14, 2022 |

+| Rel 23-03 | [4578013] | OOB Standalone Security Update  | 4.115 | Aug 19, 2020 |

+| Rel 23-03 | [5023788] | Servicing Stack Update | 5.79 | Mar 14, 2023 |

+| Rel 23-03 | [5017397] | Servicing Stack Update LKG  | 2.135 | Sep 13, 2022 |

+| Rel 23-03 | [4494175] | Microcode  | 5.79 | Sep 1, 2020 |

+| Rel 23-03 | [4494174] | Microcode  | 6.55 | Sep 1, 2020 |

+| Rel 23-03 | [5023793] | Servicing Stack Update  | 7.23 | |

+[5023697]: https://support.microsoft.com/kb/5023697

+[5022835]: https://support.microsoft.com/kb/5022835

+[5023705]: https://support.microsoft.com/kb/5023705

+[5023702]: https://support.microsoft.com/kb/5023702

+[5022523]: https://support.microsoft.com/kb/5022523

+[5022515]: https://support.microsoft.com/kb/5022515

+[5022574]: https://support.microsoft.com/kb/5022574

+[5022513]: https://support.microsoft.com/kb/5022513

+[5022574]: https://support.microsoft.com/kb/5022574

+[5022512]: https://support.microsoft.com/kb/5022512

+[5022511]: https://support.microsoft.com/kb/5022511

+[5022507]: https://support.microsoft.com/kb/5022507

+[5023769]: https://support.microsoft.com/kb/5023769

+[5023756]: https://support.microsoft.com/kb/5023756

+[5023765]: https://support.microsoft.com/kb/5023765

+[5023791]: https://support.microsoft.com/kb/5023791

+[5023790]: https://support.microsoft.com/kb/5023790

+[4578013]: https://support.microsoft.com/kb/4578013

+[5023788]: https://support.microsoft.com/kb/5023788

+[5017397]: https://support.microsoft.com/kb/5017397

+[4494175]: https://support.microsoft.com/kb/4494175

+[4494174]: https://support.microsoft.com/kb/4494174

+You can migrate an existing Azure Custom Vision project to the new Image Analysis 4.0 system. [Custom Vision](../../custom-vision-service/overview.md) is a model customization service that existed before Image Analysis 4.0.

+* An Azure Storage resource - [Create one](../../../storage/common/storage-account-create.md?tabs=azure-portal)

+* An Azure Storage resource - [Create one](../../../storage/common/storage-account-create.md?tabs=azure-portal)

+* See the [Model customization concepts](../concept-model-customization.md) guide for a broad overview of this feature and a list of frequently asked questions.

+> LUIS will be retired on October 1st 2025 and starting April 1st 2023 you will not be able to create new LUIS resources. We recommend [migrating your LUIS applications](../language-service/conversational-language-understanding/how-to/migrate-from-luis.md) to [conversational language understanding](../language-service/conversational-language-understanding/overview.md) to benefit from continued product support and multilingual capabilities.

+> [See more LUIS samples on GitHub](https://github.com/Azure/pizza_luis_bot)

+* You're only interested in matching strictly what the user said. These patterns match more aggressively than [conversational language understanding (CLU)](../language-service/conversational-language-understanding/overview.md).

+* You're only interested in matching strictly what the user said. These patterns match more aggressively than [conversational language understanding (CLU)](../language-service/conversational-language-understanding/overview.md).

+* You're only interested in matching strictly what the user said. These patterns match more aggressively than [conversational language understanding (CLU)](../language-service/conversational-language-understanding/overview.md).

+For information about how to use conversational language understanding without the Speech SDK and without speech recognition, see the [Language service documentation](../language-service/conversational-language-understanding/overview.md).

+> LUIS will be retired on October 1st 2025 and starting April 1st 2023 you will not be able to create new LUIS resources. We recommend [migrating your LUIS applications](../language-service/conversational-language-understanding/how-to/migrate-from-luis.md) to [conversational language understanding](../language-service/conversational-language-understanding/overview.md) to benefit from continued product support and multilingual capabilities.

+* [Intent recognition with CLU quickstart](get-started-intent-recognition-clu.md)

+- [Learn more about Azure OpenAI](../openai/overview.md)

+In addition to [Power Automate](/power-automate/getting-started), you can use the [Azure Cognitive Services for Batch Speech-to-text connector](/connectors/cognitiveservicesspe/) with [Power Apps](/power-apps) and [Logic Apps](../../logic-apps/index.yml).

+To transcribe an audio file that's in your [Azure Blob Storage container](#create-the-azure-blob-storage-container) you need a [Shared Access Signature (SAS) URI](../../storage/common/storage-sas-overview.md) for the file.

+- [Power Platform](/power-platform/)

+## Special characters

+To use the characters `&`, `<`, and `>` within the SSML element's value or text, you must use the entity format. Specifically you must use `&amp;` in place of `&`, `&lt;` use in place of `<`, and use `&gt;` in place of `>`. Otherwise the SSML will not be parsed correctly.

+For example, specify `green &amp; yellow` instead of `green & yellow`. The following SSML will be parsed as expected:

+```xml

+<speak version="1.0" xmlns="http://www.w3.org/2001/10/synthesis" xml:lang="en-US">

+ <voice name="en-US-JennyNeural">

+ My favorite colors are green &amp; yellow.

+ </voice>

+</speak>

+```

+Attribute values must be enclosed by double or single quotation marks. For example, `<prosody volume="90">` and `<prosody volume='90'>` are well-formed, valid elements, but `<prosody volume=90>` won't be recognized.

+ Title: Create and use a glossary with Document Translation

+description: How to create and use a glossary with Document Translation.

+# Use glossaries with Document Translation

+A glossary is a list of terms with definitions that you create for the Document Translation service to use during the translation process. Currently, the glossary feature supports one-to-one source-to-target language translation. Common use cases for glossaries include:

+* **Context-specific terminology**. Create a glossary that designates specific meanings for your unique context.

+* **No translation**. For example, you can restrict Document Translation from translating product name brands by using a glossary with the same source and target text.

+* **Specified translations for ambiguous words**. Choose a specific translation for poly&#8203;semantic words.

+## Create, upload, and use a glossary file

+1. **Create your glossary file.** Create a file in a supported format (preferably tab-separated values) that contains all the terms and phrases you want to use in your translation.

+ To check if your file format is supported, *see* [Get supported glossary formats](../reference/get-supported-glossary-formats.md).

+ The following English-source glossary contains words that can have different meanings depending upon the context in which they're used. The glossary provides the expected translation for each word in the file to help ensure accuracy.

+ For instance, when the word `Bank` appears in a financial document, it should be translated to reflect its financial meaning. If the word `Bank` appears in a geographical document, it may refer to shore to reflect its topographical meaning. Similarly, the word `Crane` can refer to either a bird or machine.

+ ***Example glossary .tsv file: English-to-French***

+ ```tsv

+ Bank Banque

+ Card Carte

+ Crane Grue

+ Office Office

+ Tiger Tiger

+ US United States

+ ```

+1. **Upload your glossary to Azure storage**. To complete this step, you need an [Azure Blob Storage account](https://ms.portal.azure.com/#create/Microsoft.StorageAccount) with [containers](/azure/storage/blobs/storage-quickstart-blobs-portal?branch=main#create-a-container) to store and organize your blob data within your storage account.

+1. **Specify your glossary in the translation request.** Include the **`glossary URL`**, **`format`**, and **`version`** in your **`POST`** request:

+ :::code language="json" source="../../../../../cognitive-services-rest-samples/curl/Translator/translate-with-glossary.json" range="1-23" highlight="13-15":::

+### Case sensitivity

+By default, Azure Cognitive Services Translator service API is **case-sensitive**, meaning that it matches terms in the source text based on case.

+* **Partial sentence application**. When your glossary is applied to **part of a sentence**, the Document Translation API checks whether the glossary term matches the case in the source text. If the casing doesn't match, the glossary isn't applied.

+* **Complete sentence application**. When your glossary is applied to a **complete sentence**, the service becomes **case-insensitive**. It matches the glossary term regardless of its case in the source text. This provision applies the correct results for use cases involving idioms and quotes.

+## Next steps

+Try the Document Translation how-to guide to asynchronously translate whole documents using a programming language of your choice:

+> [!div class="nextstepaction"]

+> [Use Document Translation REST APIs](use-rest-api-programmatically.md)

+> * Azure OpenAI

+> If you're using, Azure OpenAI, LUIS, Speech Services, or Language services, the **CognitiveServicesManagement** tag only enables you use the service using the SDK or REST API. To access and use Azure OpenAI Studio, LUIS portal , Speech Studio or Language Studio from a virtual network, you will need to use the following tags:

+> * **CognitiveServicesFrontEnd**

+> [!NOTE]

+> Azure OpenAI Service uses a different private DNS zone and public DNS zone forwarder than other Azure Cognitive Services. Refer to the [Azure services DNS zone configuration article](../private-link/private-endpoint-dns.md#azure-services-dns-zone-configuration) for the correct zone and forwader names.

+| text-embeddings-ada-002 | No | Yes | East US, South Central US, West Europe | N/A |2,046 | Sep 2021 |

+The ChatGPT model can be used with the same [completion API](../reference.md#completions) that you use for other models like text-davinci-002, but it requires a unique prompt format known as Chat Markup Language (ChatML). It's important to use the new prompt format to get the best results. Without the right prompts, the model tends to be verbose and provides less useful responses.

+You can also include relevant data or information in the system message to give the model extra context for the conversation. If you only need to include a small amount of information, you can hard code it in the system message. If you have a large amount of data that the model should be aware of, you can use [embeddings](../tutorials/embeddings.md?tabs=command-line) or a product like [Azure Cognitive Search](https://azure.microsoft.com/services/search/) to retrieve the most relevant information at query time.

+ Title: Monitoring Azure OpenAI Service

+description: Start here to learn how to monitor Azure OpenAI Service

+This article describes the monitoring data generated by Azure OpenAI Service. Azure OpenAI is part of Cognitive Services, which uses [Azure Monitor](../../../azure-monitor/overview.md). If you're unfamiliar with the features of Azure Monitor common to all Azure services that use it, read [Monitoring Azure resources with Azure Monitor](../../../azure-monitor/essentials/monitor-azure-resource.md).

+Azure OpenAI collects the same kinds of monitoring data as other Azure resources that are described in [Monitoring data from Azure resources](/azure/azure-monitor/essentials/monitor-azure-resource#monitoring-data-from-azure-resources).

+Keep in mind that using diagnostic settings and sending data to Azure Monitor Logs has additional costs associated with it. To understand more, consult the [Azure Monitor cost calculation guide](/azure/azure-monitor/logs/cost-logs).

+You can analyze metrics for *Azure OpenAI* by opening **Metrics** which can be found underneath the **Monitoring** section when viewing your Azure OpenAI resource in the Azure portal. See [Getting started with Azure Metrics Explorer](../../../azure-monitor/essentials/metrics-getting-started.md) for details on using this tool.

+Azure OpenAI is a part of Cognitive Services. For a list of all platform metrics collected for Cognitive Services and Azure OpenAI, see [Cognitive Services supported metrics](../../../azure-monitor/essentials/metrics-supported.md#microsoftcognitiveservicesaccounts).

+Data in Azure Monitor Logs is stored in tables where each table has its own set of unique properties.

+All resource logs in Azure Monitor have the same fields followed by service-specific fields. The common schema is outlined in [Azure Monitor resource log schema](../../../azure-monitor/essentials/resource-logs-schema.md).

+The [Activity log](/azure/azure-monitor/essentials/activity-log) is a type of platform log in Azure that provides insight into subscription-level events. You can view it independently or route it to Azure Monitor Logs, where you can do much more complex queries using Log Analytics.

+For a list of the types of resource logs available for Azure OpenAI and other Cognitive Services, see [Resource provider operations for Cognitive Services](/azure/role-based-access-control/resource-provider-operations#microsoftcognitiveservices)

+> When you select **Logs** from the Azure OpenAI menu, Log Analytics is opened with the query scope set to the current Azure OpenAI resource. This means that log queries will only include data from that resource. If you want to run a query that includes data from other resources or data from other Azure services, select **Logs** from the **Azure Monitor** menu. See [Log query scope and time range in Azure Monitor Log Analytics](../../../azure-monitor/logs/scope.md) for details.

+Depending on what type of application you're developing in conjunction with your use of Azure OpenAI, [Azure Monitor Application Insights](../../../azure-monitor/overview.md) may offer additional monitoring benefits at the application layer.

+- See [Monitoring Azure resources with Azure Monitor](../../../azure-monitor/essentials/monitor-azure-resource.md) for details on monitoring Azure resources.

+- Read [Understand log searches in Azure Monitor logs](../../../azure-monitor/logs/log-query-overview.md).

+For customers that use Virtual appointments, refer to our Teams Interoperability [user privacy](../interop/guest/privacy.md#chat-storage) for storage of chat messages in Teams meetings.

+- Familiarize yourself with the [Chat SDK](sdk-features.md)

+await routerClient.CreateExceptionPolicyAsync(

+ new CreateExceptionPolicyOptions(

+ exceptionPolicyId: "policy-1",

+ exceptionRules: new List<ExceptionRule>

+ new ExceptionRule(

+ id: "rule-1",

+ trigger: new QueueLengthExceptionTrigger(threshold: 100),

+ actions: new List<ExceptionAction>

+ {

+ new CancelExceptionAction("cancel-action")

+ })

+ {

+ Name = "My exception policy"

+ }

+);

+await routerClient.CreateExceptionPolicyAsync(

+ new CreateExceptionPolicyOptions(

+ exceptionPolicyId: "policy-1",

+ exceptionRules: new List<ExceptionRule>

+ new ExceptionRule(

+ id: "rule-1",

+ trigger: new WaitTimeExceptionTrigger(TimeSpan.FromMinutes(1)),

+ actions: new List<ExceptionAction>

+ {

+ new ManualReclassifyExceptionAction(id: "action1", priority: 10)

+ }),

+ new ExceptionRule(

+ id: "rule-2",

+ trigger: new WaitTimeExceptionTrigger(TimeSpan.FromMinutes(5)),

+ actions: new List<ExceptionAction>

+ {

+ new ManualReclassifyExceptionAction(id: "action2", queueId: "queue-2")

+ })

+ {

+ Name = "My Exception Policy"

+ }

+);

+var worker = await client.CreateWorkerAsync(

+ new CreateWorkerOptions(

+ workerId: "worker-1",

+ totalCapacity: 2)

+ QueueIds = new Dictionary<string, QueueAssignment>()

+ {

+ ["queue-1"] = new QueueAssignment(),

+ ["queue-2"] = new QueueAssignment()

+ },

+ ChannelConfigurations = new Dictionary<string, ChannelConfiguration>()

+ {

+ ["voice"] = new ChannelConfiguration(2),

+ ["chat"] = new ChannelConfiguration(1)

+ },

+ Labels = new Dictionary<string, LabelValue>()

+ {

+ ["Skill"] = new LabelValue(11),

+ ["English"] = new LabelValue(true),

+ ["French"] = new LabelValue(false),

+ ["Vendor"] = new LabelValue("Acme")

+ },

+await routerAdministration.CreateClassificationPolicyAsync(

+ new CreateClassificationPolicyOptions(classificationPolicyId: "my-policy-id")

+ {

+ PrioritizationRule = new StaticRule(new LabelValue(5))

+ });

+await routerAdministration.CreateClassificationPolicyAsync(

+ new CreateClassificationPolicyOptions(classificationPolicyId: "my-policy-id")

+ {

+ PrioritizationRule = new ExpressionRule("If(job.Escalated = true, 10, 5)") // this will check whether the job has a label "Escalated" set to "true"

+ });

+ expression: "If(job.Escalated = true, 10, 5)"

+ If the IP address can't provide reliable geolocation (for example, the caller is on a virtual private network), you must set the ISO code of the calling country or region by using the API in the Azure Communication Services Calling SDK. See the example in the [quickstart for adding emergency calling](../../quickstarts/telephony/emergency-calling.md).

+await client.CreateClassificationPolicyAsync(

+ options: new CreateClassificationPolicyOptions("policy-1")

+ {

+ PrioritizationRule = new FunctionRule("<insert function uri>", new FunctionRuleCredential("<insert function key>"))

+ }

+);

+await routerClient.CreateExceptionPolicyAsync(

+ new CreateExceptionPolicyOptions(

+ exceptionPolicyId: "Escalate_XBOX_Policy",

+ exceptionRules: new Dictionary<string, ExceptionRule>()

+ ["Escalated_Rule"] = new ExceptionRule(new WaitTimeExceptionTrigger(300),

+ new Dictionary<string, ExceptionAction>()

+ {

+ "EscalateReclassifyExceptionAction" = new ReclassifyExceptionAction(

+ classificationPolicyId: "<classification policy id>",

+ labelsToUpsert: new Dictionary<string, LabelValue>()

+ {

+ ["Escalated"] = new LabelValue(true),

+ })

+ })

+ ))

+ {

+ Name = "My exception policy"

+ }

+);

+await routerAdministrationClient.CreateClassificationPolicyAsync(

+ options: new CreateClassificationPolicyOptions("Classify_XBOX_Voice_Jobs")

+ {

+ Name = "Classify XBOX Voice Jobs",

+ PrioritizationRule = new ExpressionRule("If(job.Escalated = true, 10, 1)"),

+ QueueSelectors = new List<QueueSelectorAttachment>()

+ {

+ new ConditionalQueueSelectorAttachment(

+ condition: new ExpressionRule("If(job.Escalated = true, true, false)"),

+ labelSelectors: new List<QueueSelector>()

+ {

+ new QueueSelector("Id", LabelOperator.Equal, new LabelValue("XBOX_Escalation_Queue"))

+ }),

+ new ConditionalQueueSelectorAttachment(

+ condition: new ExpressionRule("If(job.Escalated = false, true, false)"),

+ labelSelectors: new List<QueueSelector>()

+ {

+ new QueueSelector("Id", LabelOperator.Equal, new LabelValue("XBOX_Queue"))

+ })

+ },

+ FallbackQueueId = "Default"

+ });

+await routerAdministrationClient.CreateQueueAsync(

+ options: new CreateQueueOptions("XBOX_Queue", "Round_Robin_Policy")

+ {

+ Name = "XBOX Queue",

+ ExceptionPolicyId = "XBOX_Escalate_Policy"

+ });

+await routerAdministrationClient.CreateQueueAsync(

+ options: new CreateQueueOptions("XBOX_Escalation_Queue", "Round_Robin_Policy")

+ {

+ Name = "XBOX Escalation Queue",

+ });

+await routerClient.CreateJobAsync(

+ options: new CreateJobWithClassificationPolicyOptions(

+ jobId: "<jobId>",

+ channelId: ManagedChannels.AcsVoiceChannel,

+ classificationPolicyId: "Classify_XBOX_Voice_Jobs")

+ RequestedWorkerSelectors = new List<WorkerSelector>

+ {

+ new WorkerSelector(key: "XBOX_Hardware", labelOperator: LabelOperator.GreaterThanEqual, value: new LabelValue(7))

+ }

+ });

+await routerAdministrationClient.CreateClassificationPolicyAsync(

+ options: new CreateClassificationPolicyOptions("XBOX_NA_QUEUE_Priority_1_10")

+ {

+ Name = "Select XBOX Queue and set priority to 1 or 10",

+ PrioritizationRule = new ExpressionRule("If(job.Hardware_VIP = true, 10, 1)"),

+ QueueSelectors = new List<QueueSelectorAttachment>()

+ {

+ new ConditionalQueueSelectorAttachment(

+ condition: new ExpressionRule("If(job.Region = \"NA\", true, false)"),

+ labelSelectors: new List<QueueSelector>()

+ {

+ new QueueSelector("Id", LabelOperator.Equal, new LabelValue("XBOX_NA_QUEUE"))

+ }),

+ new ConditionalQueueSelectorAttachment(

+ condition: new ExpressionRule("If(job.Region != \"NA\", true, false)"),

+ labelSelectors: new List<QueueSelector>()

+ {

+ new QueueSelector("Id", LabelOperator.Equal, new LabelValue("XBOX_DEFAULT_QUEUE"))

+ })

+ }

+ });

+var job = await routerClient.CreateJobAsync(

+ options: new CreateJobWithClassificationPolicyOptions(

+ jobId: "<job id>",

+ channelId: "voice",

+ classificationPolicyId: "XBOX_NA_QUEUE_Priority_1_10")

+ Labels = new Dictionary<string, LabelValue>()

+ {

+ {"Region", new LabelValue("NA")},

+ {"Caller_Id", new LabelValue("tel:7805551212")},

+ {"Caller_NPA_NXX", new LabelValue("780555")},

+ {"XBOX_Hardware", new LabelValue(7)}

+ }

+ });

+await routerAdministrationClient.CreateClassificationPolicyAsync(

+ options: new CreateClassificationPolicyOptions("policy-1")

+ WorkerSelectors = new List<WorkerSelectorAttachment>()

+ {

+ new StaticWorkerSelectorAttachment(new WorkerSelector("Foo", LabelOperator.Equal, new LabelValue("Bar")))

+ }

+ });

+await routerAdministrationClient.CreateClassificationPolicyAsync(

+ options: new CreateClassificationPolicyOptions("policy-1")

+ WorkerSelectors = new List<WorkerSelectorAttachment>()

+ {

+ new ConditionalWorkerSelectorAttachment(

+ condition: new ExpressionRule("job.Urgent = true")),

+ labelSelectors: new List<WorkerSelector>()

+ {

+ new WorkerSelector("Foo", LabelOperator.Equal, "Bar")

+ })

+ }

+ });

+await routerAdministrationClient.CreateClassificationPolicyAsync(

+ options: new CreateClassificationPolicyOptions("policy-1")

+ WorkerSelectors = new List<WorkerSelectorAttachment>()

+ {

+ new PassThroughQueueSelectorAttachment("Foo", LabelOperator.Equal)

+ }

+ });

+await routerAdministrationClient.CreateClassificationPolicyAsync(

+ options: new CreateClassificationPolicyOptions("policy-1")

+ WorkerSelectors = new List<WorkerSelectorAttachment>()

+ new WeightedAllocationWorkerSelectorAttachment(

+ new List<WorkerWeightedAllocation>()

+ new WorkerWeightedAllocation(0.3,

+ new List<WorkerSelector>()

+ {

+ new WorkerSelector("Vendor", LabelOperator.Equal, "A")

+ }),

+ new WorkerWeightedAllocation(0.7,

+ new List<WorkerSelector>()

+ {

+ new WorkerSelector("Vendor", LabelOperator.Equal, "B")

+ })

+ }

+ });

+Once the Job Router has received, and classified a Job using a policy, you have the option of reclassifying it using the SDK. The following example illustrates one way to increase the priority of the Job, simply by specifying the **Job ID**, calling the `ReclassifyJobAsync` method.

+var reclassifiedJob = await routerClient.ReclassifyJobAsync("<job id>");

+await client.reclassifyJob("<jobId>");

+var distributionPolicy = await administrationClient.CreateDistributionPolicyAsync(

+ new CreateDistributionPolicyOptions(

+ distributionPolicyId: "Longest_Idle_45s_Min1Max10",

+ offerTtl: TimeSpan.FromSeconds(45),

+ mode: new LongestIdleMode(

+ minConcurrentOffers: 1,

+ maxConcurrentOffers: 10)

+ {

+ Name = "Longest Idle matching with a 45s offer expiration; min 1, max 10 offers"

+ }

+var queue = await administrationClient.CreateQueueAsync(

+ options: new CreateQueueOptions("XBOX_DEFAULT_QUEUE", "Longest_Idle_45s_Min1Max10")

+ {

+ Name = "XBOX Default Queue"

+ }

+The Job Router SDK will update an existing queue when the `UpdateQueue` or `UpdateQueueAsync` method is called.

+var queue = await administrationClient.UpdateQueueAsync(

+ options: new UpdateQueueOptions("XBOX_DEFAULT_QUEUE")

+ {

+ Name = "XBOX Default Queue",

+ DistributionPolicyId = "Longest_Idle_45s_Min1Max10",

+ Labels = new Dictionary<string, LabelValue>()

+ {

+ ["Additional-Queue-Label"] = new LabelValue("ChatQueue")

+ }

+ });

+await routerClient.CreateJobAsync(

+ options: new CreateJobOptions(

+ jobId: "<job id>",

+ channelId: "<channel id>",

+ queueId: "<queue id>")

+ {

+ RequestedWorkerSelectors = new List<WorkerSelector>()

+ {

+ new WorkerSelector("Id", LabelOperator.Equal, "<preferred worker id>", TimeSpan.FromMinutes(1))

+ }

+ });

+## Authenticate the Job Router clients

+var routerClient = new RouterClient(connectionString);

+var routerAdministrationClient = new RouterAdministrationClient(connectionString);

+var distributionPolicy = await routerAdministrationClient.CreateDistributionPolicyAsync(

+ new CreateDistributionPolicyOptions(

+ distributionPolicyId: "distribution-policy-1",

+ offerTtl: TimeSpan.FromMinutes(1),

+ mode: new LongestIdleMode())

+ {

+ Name = "My distribution policy"

+ }

+var queue = await routerAdministrationClient.CreateQueueAsync(

+ options: new CreateQueueOptions("queue-1", distributionPolicy.Value.Id)

+ {

+ Name = "My job queue"

+ }

+Now, we can submit a job directly to that queue, with a worker selector that requires the worker to have the label `Some-Skill` greater than 10.

+ options: new CreateJobOptions(

+ jobId: jobId,

+ channelId: "my-channel",

+ queueId: queue.Value.Id)

+ Priority = 1,

+ RequestedWorkerSelectors = new List<WorkerSelector>

+ {

+ new WorkerSelector(

+ key: "Some-Skill",

+ labelOperator: LabelOperator.GreaterThan,

+ value: 10)

+ }

+ }

+);

+## Create a worker

+Now, we create a worker to receive work from that queue, with a label of `Some-Skill` equal to 11 and capacity on `my-channel`. In order for the worker to receive offers make sure that the property **AvailableForOffers** is set to **true**.

+var worker = await routerClient.CreateWorkerAsync(

+ new CreateWorkerOptions(

+ workerId: "worker-1",

+ totalCapacity: 1)

+ QueueIds = new Dictionary<string, QueueAssignment>()

+ {

+ [queue.Value.Id] = new QueueAssignment()

+ },

+ ChannelConfigurations = new Dictionary<string, ChannelConfiguration>()

+ {

+ ["my-channel"] = new ChannelConfiguration(1)

+ },

+ Labels = new Dictionary<string, LabelValue>()

+ {

+ ["Some-Skill"] = new LabelValue(11)

+ },

+ AvailableForOffers = true

+We should get a [RouterWorkerOfferIssued][offer_issued_event] from our [Event Grid subscription][subscribe_events].

+ Title: What's new in Azure Communication Services #Required; page title is displayed in search results. Include the brand.

+description: All of the latest additions to Azure Communication Services #Required; article description that is displayed in search results.

+# What's new in Azure Communication Services

+We're adding new capabilities to Azure Communication Services all the time, so we created this page to share the latest developments in the platform. Bookmark this page and make it your go-to resource to find out all the latest capabilities of Azure Communication Services.

+## Updated documentation

+We heard your feedback and made it easier to find the documentation you need as quickly and easily as possible. We're making our docs more readable, easier to understand, and more up-to-date. There's a new landing page design and an updated, better organized table of contents. We've added some of the content you've told us you need and will be continuing to do so, and we're editing existing documentation as well. Don't hesitate to use the feedback link at the top of each page to tell us if a page needs refreshing. Thanks!

+## Teams interoperability (General Availability)

+Azure Communication Services can be used to build custom applications and experiences that enable interaction with Microsoft Teams users over voice, video, chat, and screen sharing. The [Communication Services UI Library](./concepts/ui-library/ui-library-overview.md) provides customizable, production-ready UI components that can be easily added to these applications. The following video demonstrates some of the capabilities of Teams interoperability:

+<br>

+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWGTqQ]

+To learn more about teams interoperability, visit the [teams interop overview page](./concepts/teams-interop.md)

+## New calling features

+Our calling team has been working hard to expand and improve our feature set in response to your requests. Some of the new features we've enabled include:

+### Background blur and custom backgrounds (Public Preview)

+Background blur gives users a way to remove visual distractions behind a participant so that callers can engage in a conversation without disruptive activity or confidential information appearing in the background. This feature is especially useful in a context such as telehealth, where a provider or patient might want to obscure their surroundings to protect sensitive information. Background blur can be applied across all virtual appointment scenarios to protect user privacy, including telebanking and virtual hearings. In addition to enhanced confidentiality, the custom backgrounds capability allows for more creativity of expression, allowing users to upload custom backgrounds to host a more fun, personalized calling experience. This feature is currently available on Web Desktop and will be expanding to other platforms in the future.

+*Figure 1: Custom background*

+To learn more about custom backgrounds and background blur, visit the overview on [adding visual effects to your call](./concepts/voice-video-calling/video-effects.md).

+### Raw media access (Public Preview)

+The video media access API provides support for developers to get real-time access to video streams so that they can capture, analyze, and process video content during active calls. Developers can access the incoming call video stream directly on the call object and send custom outgoing video stream during the call. This feature sets the foreground services to support different kinds of video and audio manipulation. Outgoing video access can be captured and implemented with screen sharing, background blur, and video filters before being published to the recipient, allowing viewers to build privacy into their calling experience. In more complex scenarios, video access can be fitted with a virtual environment to support augmented reality. Spatial audio can be injected into remote incoming audio to add music to enhance a waiting room lobby.

+To learn more about raw media access visit the [media access overview](./concepts/voice-video-calling/media-access.md)

+Other new calling features include:

+- Webview support for iOS and Android

+- Early media support in call flows

+- Chat composite for mobile native development

+- Added browser support for JS Calling SDK

+- Call readiness tools

+- Simulcast

+Take a look at our feature update blog posts from [January](https://techcommunity.microsoft.com/t5/azure-communication-services/azure-communication-services-calling-features-update/ba-p/3735073) and [February](https://techcommunity.microsoft.com/t5/azure-communication-services/azure-communication-services-february-2023-feature-updates/ba-p/3737486) for more detailed information and links to numerous quickstarts.

+## Rooms (Public Preview)

+Azure Communication Services provides a concept of a room for developers who are building structured conversations such as virtual appointments or virtual events. Rooms currently allow voice and video calling.

+To learn more about rooms, visit the [overview page](./concepts/rooms/room-concept.md)

+## Sample Builder Rooms integration

+**We are excited to announce that we have integrated Rooms into our Virtual Appointment Sample.**

+Azure Communication Services (ACS) provides the concept of a room. Rooms allow developers to build structured conversations such as scheduled virtual appointments or virtual events. Rooms allow control through roles and permissions and enable invite-only experiences. Rooms currently allow voice and video calling.

+## Enabling a faster sample building experience

+Data indicates that ~40% of customers abandon the Sample Builder due to the challenging nature of the configuration process, particularly during the Microsoft Bookings setup. To address this issue, we've implemented a solution that streamlines the deployment process by using Rooms for direct virtual appointment creation within the Sample Builder. This change results in a significant reduction of deployment time, as the configuration of Microsoft Bookings isn't enforced, but rather transformed into an optional feature that can be configured in the deployed Sample. Additionally, we've incorporated a feedback button into the Sample Builder and made various enhancements to its accessibility. With Sample Builder, customers can effortlessly customize and deploy their applications to Azure or their Git repository, without the need for any coding expertise.

+*Figure 2: Scheduling experience options.*

+*Figure 3:  Feedback form.*

+Sample Builder is already in General Availability and can be accessed [on Azure portal](https://ms.portal.azure.com/#@microsoft.onmicrosoft.com/resource/subscriptions/50ad1522-5c2c-4d9a-a6c8-67c11ecb75b8/resourceGroups/serooney-tests/providers/Microsoft.Communication/CommunicationServices/email-tests/sample_applications).

+## Call Automation (Public Preview)

+Azure Communication Services Call Automation provides developers the ability to build server-based, intelligent call workflows, and call recording for voice and PSTN channels. The SDKs, available for .NET and Java, uses an action-event model to help you build personalized customer interactions. Your communication applications can listen to real-time call events and perform control plane actions (like answer, transfer, play audio, start recording, etc.) to steer and control calls based on your business logic.

+ACS Call Automation can be used to build calling workflows for customer service scenarios, as depicted in the following high-level architecture. You can answer inbound calls or make outbound calls. Execute actions like playing a welcome message, connecting the customer to a live agent on an ACS Calling SDK client app to answer the incoming call request. With support for ACS PSTN or Direct Routing, you can then connect this workflow back to your contact center.

+*Figure 4: Call Automation Architecture*

+To learn more, visit our [Call Automation overview article](./concepts/call-automation/call-automation.md).

+## Phone number expansion now in General Availability (Generally Available)

+ We're excited to announce that we have launched Phone numbers in Canada, United Kingdom, Italy, Ireland and Sweden from Public Preview into General Availability. ACS Direct Offers are now generally available in the following countries and regions: **United States, Puerto Rico, Canada, United Kingdom, Italy, Ireland** and **Sweden**.

+To learn more about the different ways you can acquire a phone number in these regions, visit the [article on how to get and manage phone numbers](./quickstarts/telephony/get-phone-number.md), or [reaching out to the IC3 Service Desk](https://github.com/Azure/Communication/blob/master/special-order-numbers.md). 

+Enjoy all of these new features. Be sure to check back here periodically for more news and updates on all of the new capabilities we've added to our platform! For a complete list of new features and bug fixes, visit our [releases page](https://github.com/Azure/Communication/releases) on GitHub.

+- See [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md) for details on monitoring Azure resources.

+- A "service availability" meter that is charged hourly and includes the use of 1000 users for testing and early adoption.

+- A series of tiered per-user meters that charge based on the number of users that are assigned to the deployment. The per-user fee is based on the maximum number of users during your billing cycle, excluding the 1000 users included in the service availability fee.

+For example, if you have 28,000 users assigned to the deployment each month you'll pay:

+* The service availability fee for each hour in the month

+* 24,000 users in the 1001-25000 tier

+* 3000 users in the 25001-100000 tier

+> [!TIP]

+> If you receive a quote through Microsoft Volume Licensing, pricing may be presented as aggregated so that the values are easily readable (for example showing the per-user meters in groups of 10 or 100 rather than the pricing for individual users). This does not impact the way you will be billed.

+- View [Azure Communications Gateway pricing](https://azure.microsoft.com/pricing/details/communications-gateway/).

+[azure-event-grid-doc]: ../event-grid/monitor-virtual-machine-changes-logic-app.md "Monitor events published by an Event Grid, for example, when Azure resources or third-party resources change"

+A container app flows through four phases: deployment, update, deactivation, and shut down.

+In single revision mode, Container Apps automatically ensures your app doesn't experience downtime when creating a new revision. The existing active revision isn't deactivated until the new revision is ready. If ingress is enabled, the existing revision continues to receive 100% of the traffic until the new revision is ready.

+In multiple revision mode, you control when revisions are activated or deactivated and which revisions receive ingress traffic. If a [traffic splitting rule](./revisions-manage.md#traffic-splitting) is configured with `latestRevision` set to `true`, traffic doesn't switch to the latest revision until it's ready.

+If your application doesn't respond within 30 seconds to the `SIGTERM` message, then [SIGKILL](https://wikipedia.org/wiki/Signal_(IPC)) terminates your container.

+Additionally, make sure your application can gracefully handle shutdowns. Containers restart regularly, so don't expect state to persist inside a container. Instead, use external caches for expensive in-memory cache requirements.

+A Container Apps environment is a secure boundary around groups of container apps that share the same virtual network and write logs to the same logging destination.

+Container Apps environments are fully managed where Azure handles OS upgrades, scale operations, failover procedures, and resource balancing.

+Also, you may provide an [existing virtual network](vnet-custom.md) when you create an environment.

+| `properties.appLogsConfiguration` | Used for configuring the Log Analytics workspace where logs for all apps in the environment are published. |

+Azure Container Apps is a fully managed environment that enables you to run microservices and containerized applications on a serverless platform. Common uses of Azure Container Apps include:

+1. Select **Load file** and upload **template.json**, which you've modified by adding the CCE policy you generated in the previous steps.

+In this section, you use a Resource Manager template located in a GitHub repository to deploy a prebuilt sample web application to Azure App Service. Later, you subscribe to your registry's Event Grid events and specify this app as the endpoint to which the events are sent.

+In Event Grid, you subscribe to a *topic* to tell it which events you want to track, and where to send them. The following [`az eventgrid event-subscription create`][az-eventgrid-event-subscription-create] command subscribes to the container registry you created, and specifies your web app's URL as the endpoint to which it should send events. The environment variables you populated in earlier sections are reused here, so no edits are required.

+You should see output similar to the following while ACR Tasks build and then pushes your image. The following sample output has been truncated for brevity.

+To verify that the built image is in your registry, execute the following command to view the tags in the `myimage` repository:

+* Consistency settings, by default - account is restored with session consistency.

+You can add these configurations to the restored account after the restore is completed.

+## Prerequisites

+* You may use the portal [Cloud Shell](/azure/cloud-shell/quickstart?tabs=powershell) to run container copy commands. Alternately, you may run the commands locally; make sure you have [Azure CLI](/cli/azure/install-azure-cli) or [Azure PowerShell](/powershell/azure/install-az-ps-msi) downloaded and installed on your machine.

+First, set all of the variables that each individual script uses.

+ --resource-group $resourceGroup `

+For issues related to intra-account container copy, please raise a **New Support Request** from the Azure portal. Set the **Problem Type** as 'Data Migration' and **Problem subtype** as 'Intra-account container copy'.

+To get started using container copy jobs, register for "Intra-account offline container copy (Cassandra & SQL)" preview from the ['Preview Features'](access-previews.md) list in the Azure portal. Once the registration is complete, the preview is effective for all Cassandra and API for NoSQL accounts in the subscription.

+* The platform may deallocate the instances if they're idle for >15 mins.

+Yes, you can create multiple jobs within the same account. The jobs run consecutively. You can [list all the jobs](how-to-container-copy.md#list-all-the-container-copy-jobs-created-in-an-account) created within an account and monitor their progress.

+You must create a job for each container in the database.

+The container copy job runs in the write region. If there are accounts configured with multi-region writes, the job runs in one of the regions from the list.

+* The database uses manual provisioned throughput of 800 RUs. You are charged for this database.

+* Deleting this database removes the container copy job history from the account. It can be safely deleted once all the jobs in the account have completed, if you no longer need the job history. The platform doesn't clean up the *__datatransferstate* database automatically.

+ The job creation request could be blocked if the client IP isn't allowed as per the VNet and Firewall IPs configured on the account. In order to get past this issue, you need to [allow access to the IP through the Firewall setting](how-to-configure-firewall.md). Alternately, you may set **Accept connections from within public Azure datacenters** in your firewall settings and run the container copy commands through the portal [Cloud Shell](/azure/cloud-shell/quickstart?tabs=powershell).

+| <input type="checkbox"/> | Hosting | Use [Windows 64-bit host](performance-tips-query-sdk.md#use-local-query-plan-generation) processing for best performance, whenever possible. For Direct mode latency-sensitive production workloads, we highly recommend using at least 4-cores and 8-GB memory VMs whenever possible.

+|<input type="checkbox"/> | Ephemeral Port Exhaustion | For sparse or sporadic connections, we set the [`IdleConnectionTimeout`](/dotnet/api/microsoft.azure.cosmos.cosmosclientoptions.idletcpconnectiontimeout?view=azure-dotnet&preserve-view=true) and [`PortReuseMode`](/dotnet/api/microsoft.azure.cosmos.cosmosclientoptions.portreusemode?view=azure-dotnet&preserve-view=true) to `PrivatePortPool`. The `IdleConnectionTimeout` property helps control the time after which unused connections are closed. This reduces the number of unused connections. By default, idle connections are kept open indefinitely. The value set must be greater than or equal to 10 minutes. We recommended values between 20 minutes and 24 hours. The `PortReuseMode` property allows the SDK to use a small pool of ephemeral ports for various Azure Cosmos DB destination endpoints. |

+|<input type="checkbox"/> | End-to-End Timeouts | To get end-to-end timeouts, you need to use both `RequestTimeout` and `CancellationToken` parameters. For more details [visit our timeout troubleshooting guide](troubleshoot-dotnet-sdk-request-timeout.md). |

+| <input type="checkbox"/> | Parallel Queries | The Azure Cosmos DB SDK supports [running queries in parallel](performance-tips-query-sdk.md?pivots=programming-language-csharp) for better latency and throughput on your queries. We recommend setting the `MaxConcurrency` property within the `QueryRequestsOptions` to the number of partitions you have. If you aren't aware of the number of partitions, start by using `int.MaxValue`, which will give you the best latency. Then decrease the number until it fits the resource restrictions of the environment to avoid high CPU issues. Also, set the `MaxBufferedItemCount` to the expected number of results returned to limit the number of prefetched results. |

+| <input type="checkbox"/> | Performance Testing Backoffs | When performing testing on your application, you should implement backoffs at [`RetryAfter`](performance-tips-dotnet-sdk-v3.md#sdk-usage) intervals. Respecting the backoff helps ensure that you spend a minimal amount of time waiting between retries. |

+## Best practices for HTTP connections

+The .NET SDK uses `HttpClient` to perform HTTP requests regardless of the connectivity mode configured. In [Direct mode](sdk-connection-modes.md#direct-mode) HTTP is used for metadata operations and in Gateway mode it's used for both data plane and metadata operations. One of the [fundamentals of HttpClient](/dotnet/fundamentals/networking/http/httpclient-guidelines#dns-behavior) is to make sure the `HttpClient` can react to DNS changes on your account by **customizing the pooled connection lifetime**. As long as pooled connections are kept open, they don't react to DNS changes. This setting forces pooled **connections to be closed** periodically, ensuring that your application reacts to DNS changes. Our recommendation is that you customize this value according to your [connectivity mode](sdk-connection-modes.md) and workload to balance the performance impact of frequently creating new connections, with needing to react to DNS changes (availability). A 5-minute value would be a good start that can be increased if it's impacting performance particularly for Gateway mode.

+You can inject your custom HttpClient through `CosmosClientOptions.HttpClientFactory`, for example:

+```csharp

+// Use a Singleton instance of the SocketsHttpHandler, which you can share across any HttpClient in your application

+SocketsHttpHandler socketsHttpHandler = new SocketsHttpHandler();

+// Customize this value based on desired DNS refresh timer

+socketsHttpHandler.PooledConnectionLifetime = TimeSpan.FromMinutes(5);

+CosmosClientOptions cosmosClientOptions = new CosmosClientOptions()

+{

+ // Pass your customized SocketHttpHandler to be used by the CosmosClient

+ // Make sure `disposeHandler` is `false`

+ HttpClientFactory = () => new HttpClient(socketsHttpHandler, disposeHandler: false)

+};

+// Use a Singleton instance of the CosmosClient

+return new CosmosClient("<connection-string>", cosmosClientOptions);

+```

+If you use [.NET dependency injection](/dotnet/core/extensions/dependency-injection), you can simplify the Singleton process:

+```csharp

+SocketsHttpHandler socketsHttpHandler = new SocketsHttpHandler();

+// Customize this value based on desired DNS refresh timer

+socketsHttpHandler.PooledConnectionLifetime = TimeSpan.FromMinutes(5);

+// Registering the Singleton SocketsHttpHandler lets you reuse it across any HttpClient in your application

+services.AddSingleton<SocketsHttpHandler>(socketsHttpHandler);

+// Use a Singleton instance of the CosmosClient

+services.AddSingleton<CosmosClient>(serviceProvider =>

+{

+ SocketsHttpHandler socketsHttpHandler = serviceProvider.GetRequiredService<SocketsHttpHandler>();

+ CosmosClientOptions cosmosClientOptions = new CosmosClientOptions()

+ {

+ HttpClientFactory = () => new HttpClient(socketsHttpHandler, disposeHandler: false)

+ };

+ return new CosmosClient("<connection-string>", cosmosClientOptions);

+});

+```

+If you're new to Azure and don't have any consumption usage, read the [Get started guide for Azure developers](../../guides/developer/azure-developer-guide.md) to help you get started with Azure services.

+* [Post questions and find answers on data flows on Microsoft Q&A](./frequently-asked-questions.yml)

+2. Under dataflow run time tab, go to **Compute Custom Properties** section.

+You can do same by editing JSON file of runtime by adding an array with property name and value after an existing property like *cleanup* property.

+| containerUri | Specify the Azure Blob container URI which has enabled Anonymous read access by taking this format `https://<AccountName>.blob.core.windows.net/<ContainerName>` and [Configure anonymous public read access for containers and blobs](../storage/blobs/anonymous-read-access-configure.md#set-the-public-access-level-for-a-container) | Yes |

+For a list of data stores that the Copy activity supports as sources and sinks, see [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats).

+> There are certain features that are not available for Azure-SSIS IR in Azure Synapse Analytics, please check the [limitations](https://aka.ms/AAfq9i3).

+ Upload the **tutorial.py** to a blob storage. ([How to upload a file into blob](../storage/blobs/storage-quickstart-blobs-portal.md))

+* [How to change the password for Managed Airflow environments](password-change-airflow.md)

+## February 2023

+### Data movement

+- Anonymous authentication type supported for Azure Blob storage [Learn more](connector-azure-blob-storage.md?tabs=data-factory#anonymous-authentication)

+- Updated SAP template to easily move SAP data to ADLSGen2 in Delta format [Learn more](industry-sap-templates.md)

+### Monitoring

+Container monitoring view available in default ADF studio [Learn more](how-to-manage-studio-preview-exp.md#container-view)

+### Orchestration

+- Set pipeline output value (Public preview) [Learn more](tutorial-pipeline-return-value.md)

+- Managed Airflow (Public preview) [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/introducing-managed-airflow-in-azure-data-factory/ba-p/3730151)

+### Developer productivity

+Dark theme support added (Public preview) [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/introducing-dark-mode-for-adf-studio/ba-p/3757961)

+* Test our APIs [here](/rest/api/data-manager-for-agri).

+Follow steps 1-5 in Resource Provider [documentation](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider).

+Follow the steps provided in <a href="/azure/active-directory/develop/quickstart-register-app#register-an-application" target="_blank">App Registration</a> **until step 8** to generate the following information:

+Follow the steps provided in <a href="/azure/active-directory/develop/quickstart-register-app#add-a-client-secret" target="_blank">Add a client secret</a> to generate **Client Secret** and copy the client secret generated.

+* Understand our APIs [here](/rest/api/data-manager-for-agri).

+This article shows you how to enable Azure Arc on an existing Kubernetes cluster on your Azure Stack Edge Pro device.

+This procedure assumes that you have read and understood the following articles:

+- [Kubernetes workloads on Azure Stack Edge Pro device](azure-stack-edge-gpu-kubernetes-workload-management.md)

+- [What is Azure Arc-enabled Kubernetes (Preview)?](../azure-arc/kubernetes/overview.md)

+Make sure that you've completed the following prerequisites on your Azure Stack Edge Pro device and the client that you use to access the device:

+1. You have a Windows client system that is used to access the Azure Stack Edge Pro device.

+ - You can have any other client with a [Supported operating system](azure-stack-edge-gpu-system-requirements.md#supported-os-for-clients-connected-to-device) as well. This article describes the procedure when using a Windows client.

+1. You've completed the procedure described in [Access the Kubernetes cluster on Azure Stack Edge Pro device](azure-stack-edge-gpu-create-kubernetes-cluster.md). You have:

+ - Installed `kubectl` on the client.

+ - Make sure that the `kubectl` client version is skewed no more than one version from the Kubernetes master version running on your Azure Stack Edge Pro device.

+ - In the local UI of your Azure Stack Edge Pro device, go to **Software update** and note the Kubernetes server version number.

+ 

+ - Verify these two versions are compatible.

+Before you enable Azure Arc on the Kubernetes cluster, you need to enable and register `Microsoft.Kubernetes` and `Microsoft.KubernetesConfiguration` against your subscription.

+1. To enable a resource provider, in the Azure portal, go to the subscription that you're planning to use for the deployment. Go to **Resource Providers**.

+1. Select a resource provider and from the top of the command bar, select **Register**. Registration takes several minutes.

+ `az ad sp create-for-rbac --name "<Informative name for service principal>"`

+ For information on how to log into the `az cli`, [Start Cloud Shell in Azure portal](/azure/cloud-shell/quickstart). If using `az cli` on a local client to create the service principal, make sure that you're running version 2.25 or later.

+ Here's an example.

+1. Make a note of the `appID`, `name`, `password`, and `tenantID` as you'll use these values as input to the next command.

+ Here's an example.

+ `Set-HcsKubernetesAzureArcAgent -SubscriptionId "<Your Azure Subscription Id>" -ResourceGroupName "<Resource Group Name>" -ResourceName "<Azure Arc resource name (shouldn't exist already)>" -Location "<Region associated with resource group>" -TenantId "<Tenant Id of service principal>" -ClientId "<App id of service principal>"`

+ When this command is run, there's a follow-up prompt to enter the `ClientSecret`. Provide the service principal password.

+ Add the `CloudEnvironment` parameter if you're using a cloud other than Azure public. You can set this parameter to `AZUREPUBLICCLOUD`, `AZURECHINACLOUD`, `AZUREGERMANCLOUD`, and `AZUREUSGOVERNMENTCLOUD`.

+ > - To deploy Azure Arc on your device, make sure that you are using a [Supported region for Azure Arc](https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc).

+ > - `ClientId` and `ClientSecret` are required.

+ Here's an example:

+ Here's a sample output that shows the Azure Arc agents that were deployed on your Kubernetes cluster in the `azure-arc` namespace.

+ `Remove-HcsKubernetesAzureArcAgent`

+To understand how to run an Azure Arc deployment, see

+ Title: 'Configure Azure DDoS Protection diagnostic logging through portal'

+description: Learn how to configure Azure DDoS Protection diagnostic logs.

+# Configure Azure DDoS Protection diagnostic logging through portal

+In this guide, you'll learn how to configure Azure DDoS Protection diagnostic logs, including notifications, mitigation reports and mitigation flow logs.

+- Before you can complete the steps in this guide, you must first create a [Azure DDoS protection plan](manage-ddos-protection.md). DDoS Network Protection must be enabled on a virtual network or DDoS IP Protection must be enabled on a public IP address.

+- In order to use diagnostic logging, you must first create a [Log Analytics workspace with diagnostic settings enabled](ddos-configure-log-analytics-workspace.md).

+- DDoS monitors public IP addresses assigned to resources within a virtual network. If you don't have any resources with public IP addresses in the virtual network, you must first create a resource with a public IP address. You can monitor the public IP address of all resources deployed through Resource Manager (not classic) listed in [Virtual network for Azure services](../virtual-network/virtual-network-for-azure-services.md#services-that-can-be-deployed-into-a-virtual-network) (including Azure Load Balancers where the backend virtual machines are in the virtual network), except for Azure App Service Environments. To continue with this guide, you can quickly create a [Windows](../virtual-machines/windows/quick-create-portal.md?toc=%2fazure%2fvirtual-network%2ftoc.json) or [Linux](../virtual-machines/linux/quick-create-portal.md?toc=%2fazure%2fvirtual-network%2ftoc.json) virtual machine.

+## Configure diagnostic logs

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. In the search box at the top of the portal, enter **Monitor**. Select **Monitor** in the search results.

+1. Select **Diagnostic Settings** under **Settings** in the left pane, then select the following information in the **Diagnostic settings** page. Next, select **Add diagnostic setting**.

+ :::image type="content" source="./media/ddos-attack-telemetry/ddos-monitor-diagnostic-settings.png" alt-text="Screenshot of Monitor diagnostic settings.":::

+ | Setting | Value |

+ |--|--|

+ |Subscription | Select the **Subscription** that contains the public IP address you want to log. |

+ | Resource group | Select the **Resource group** that contains the public IP address you want to log. |

+ |Resource type | Select **Public IP Addresses**.|

+ |Resource | Select the specific **Public IP address** you want to log metrics for. |

+1. On the *Diagnostic setting* page, under *Destination details*, select **Send to Log Analytics workspace**, then enter the following information, then select **Save**.

+ :::image type="content" source="./media/ddos-attack-telemetry/ddos-public-ip-diagnostic-setting.png" alt-text="Screenshot of DDoS diagnostic settings.":::

+ | Setting | Value |

+ |--|--|

+ | Diagnostic setting name | Enter **myDiagnosticSettings**. |

+ |**Logs**| Select **allLogs**.|

+ |**Metrics**| Select **AllMetrics**. |

+ |**Destination details**| Select **Send to Log Analytics workspace**.|

+ | Subscription | Select your Azure subscription. |

+ | Log Analytics Workspace | Select **myLogAnalyticsWorkspace**. |

+## Validate

+1. In the search box at the top of the portal, enter **Monitor**. Select **Monitor** in the search results.

+1. Select **Diagnostic Settings** under **Settings** in the left pane, then select the following information in the **Diagnostic settings** page:

+ :::image type="content" source="./media/ddos-attack-telemetry/ddos-monitor-diagnostic-settings-enabled.png" alt-text="Screenshot of Monitor public ip diagnostic settings enabled.":::

+ | Setting | Value |

+ |--|--|

+ |Subscription | Select the **Subscription** that contains the public IP address. |

+ | Resource group | Select the **Resource group** that contains the public IP address. |

+ |Resource type | Select **Public IP Addresses**.|

+1. Confirm your *Diagnostic status* is **Enabled**.

+In this guide, you learned how to configure Azure DDoS Protection diagnostic logs, including notifications, mitigation reports and mitigation flow logs.

+To learn how to configure attack alerts, continue to the next guide.

+> [Configure DDoS protection alerts](alerts.md)

+Images should first be imported to ACR. Learn more about [importing container images to an Azure container registry](../container-registry/container-registry-import-images.md?tabs=azure-cli).

+Learn more about the Defender for Cloud [Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads).

+Ensure that you've [onboarded your repositories](./quickstart-onboard-devops.md?branch=main) to Microsoft Defender for Cloud. If you still can't see your repository, ensure that you're signed in with the correct Azure DevOps organization user account. Your Azure subscription and Azure DevOps Organization need to be in the same tenant. If the user for the connector is wrong, you need to delete the previously created connector, sign in with the correct user account and re-create the connector.

+Ensure that you've onboarded the project with the connector and that your repository (that build is for), is onboarded to Microsoft Defender for Cloud. You can learn how to [onboard your DevOps repository](./quickstart-onboard-devops.md?branch=main) to Defender for Cloud.

+- [Overview of Defender for DevOps](defender-for-devops-introduction.md)

+## September 2022

+Updates in September include:

+- [Suppress alerts based on Container and Kubernetes entities](#suppress-alerts-based-on-container-and-kubernetes-entities)

+- [Defender for Servers supports File Integrity Monitoring with Azure Monitor Agent](#defender-for-servers-supports-file-integrity-monitoring-with-azure-monitor-agent)

+- [Legacy Assessments APIs deprecation](#legacy-assessments-apis-deprecation)

+- [Extra recommendations added to identity](#extra-recommendations-added-to-identity)

+- [Removed security alerts for machines reporting to cross-tenant Log Analytics workspaces](#removed-security-alerts-for-machines-reporting-to-cross-tenant-log-analytics-workspaces)

+### Suppress alerts based on Container and Kubernetes entities

+- Kubernetes Namespace

+- Kubernetes Pod

+- Kubernetes Secret

+- Kubernetes ServiceAccount

+- Kubernetes ReplicaSet

+- Kubernetes StatefulSet

+- Kubernetes DaemonSet

+- Kubernetes Job

+- Kubernetes CronJob

+Learn more about [alert suppression rules](alerts-suppression-rules.md).

+### Defender for Servers supports File Integrity Monitoring with Azure Monitor Agent

+File integrity monitoring (FIM) examines operating system files and registries for changes that might indicate an attack.

+FIM is now available in a new version based on Azure Monitor Agent (AMA), which you can [deploy through Defender for Cloud](auto-deploy-azure-monitoring-agent.md).

+Learn more about [File Integrity Monitoring with the Azure Monitor Agent](file-integrity-monitoring-enable-ama.md).

+### Legacy Assessments APIs deprecation

+The following APIs are deprecated:

+- Security Tasks

+- Security Statuses

+- Security Summaries

+These three APIs exposed old formats of assessments and are replaced by the [Assessments APIs](/rest/api/defenderforcloud/assessments) and [SubAssessments APIs](/rest/api/defenderforcloud/sub-assessments). All data that is exposed by these legacy APIs are also available in the new APIs.

+### Extra recommendations added to identity

+Defender for Cloud's recommendations for improving the management of users and accounts.

+#### New recommendations

+The new release contains the following capabilities:

+- **Extended evaluation scope** ΓÇô Coverage has been improved for identity accounts without MFA and external accounts on Azure resources (instead of subscriptions only) which allows your security administrators to view role assignments per account.

+- **Improved freshness interval** - The identity recommendations now have a freshness interval of 12 hours.

+- **Account exemption capability** - Defender for Cloud has many features you can use to customize your experience and ensure that your secure score reflects your organization's security priorities. For example, you can [exempt resources and recommendations from your secure score](exempt-resource.md).

+ This update allows you to exempt specific accounts from evaluation with the six recommendations listed in the following table.

+ Typically, you'd exempt emergency ΓÇ£break glassΓÇ¥ accounts from MFA recommendations, because such accounts are often deliberately excluded from an organization's MFA requirements. Alternatively, you might have external accounts that you'd like to permit access to, that don't have MFA enabled.

+ > [!TIP]

+ > When you exempt an account, it won't be shown as unhealthy and also won't cause a subscription to appear unhealthy.

+ | Recommendation | Assessment key |

+ |--|--|

+ |Accounts with owner permissions on Azure resources should be MFA enabled|6240402e-f77c-46fa-9060-a7ce53997754|

+ |Accounts with write permissions on Azure resources should be MFA enabled|c0cb17b2-0607-48a7-b0e0-903ed22de39b|

+ |Accounts with read permissions on Azure resources should be MFA enabled|dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c|

+ |Guest accounts with owner permissions on Azure resources should be removed|20606e75-05c4-48c0-9d97-add6daa2109a|

+ |Guest accounts with write permissions on Azure resources should be removed|0354476c-a12a-4fcc-a79d-f0ab7ffffdbb|

+ |Guest accounts with read permissions on Azure resources should be removed|fde1c0c9-0fd2-4ecc-87b5-98956cbc1095|

+ |Blocked accounts with owner permissions on Azure resources should be removed|050ac097-3dda-4d24-ab6d-82568e7a50cf|

+ |Blocked accounts with read and write permissions on Azure resources should be removed| 1ff0b4c9-ed56-4de6-be9c-d7ab39645926 |

+The recommendations although in preview, will appear next to the recommendations that are currently in GA.

+### Removed security alerts for machines reporting to cross-tenant Log Analytics workspaces

+In the past, Defender for Cloud let you choose the workspace that your Log Analytics agents report to. When a machine belonged to one tenant (ΓÇ£Tenant AΓÇ¥) but its Log Analytics agent reported to a workspace in a different tenant (ΓÇ£Tenant BΓÇ¥), security alerts about the machine were reported to the first tenant (ΓÇ£Tenant AΓÇ¥).

+With this change, alerts on machines connected to Log Analytics workspace in a different tenant no longer appear in Defender for Cloud.

+If you want to continue receiving the alerts in Defender for Cloud, connect the Log Analytics agent of the relevant machines to the workspace in the same tenant as the machine.

+Learn more about [security alerts](alerts-overview.md).

+Defender for Cloud depends on the [Azure Monitor Agent](../azure-monitor/agents/agents-overview.md) or the [Log Analytics agent](../azure-monitor/agents/log-analytics-agent.md). Make sure that your machines are running one of the supported operating systems as described on the following pages:

+ - [Azure Monitor Agent for Windows supported operating systems](../azure-monitor/agents/agents-overview.md#windows)

+ - [Azure Monitor Agent for Linux supported operating systems](../azure-monitor/agents/agents-overview.md#linux)

+ - [Log Analytics agent for Windows supported operating systems](../azure-monitor/agents/agents-overview.md#windows)

+ - [Log Analytics agent for Linux supported operating systems](../azure-monitor/agents/agents-overview.md#linux)

+- [Manage and respond to security alerts in Defender for Cloud](managing-and-responding-alerts.md)

+We announced previously the [availability of identity recommendations V2 (preview)](release-notes-archive.md#extra-recommendations-added-to-identity), which included enhanced capabilities.

+|Automatically block suspicious behavior | Many of the hardening recommendations in Defender for Cloud offer a *deny* option. This feature lets you prevent the creation of resources that don't satisfy defined hardening criteria. Learn more in [Prevent misconfigurations with Enforce/Deny recommendations](./prevent-misconfigurations.md). |

+Use [Azure Logic Apps](../logic-apps/index.yml) to build automated scalable workflows, business processes, and enterprise orchestrations to integrate your apps and data across cloud services and on-premises systems.

+Defender for Cloud natively integrates with [Microsoft Sentinel](../sentinel/overview.md), Microsoft's cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution.

+ - [Collect data from Linux-based sources using Syslog](../sentinel/connect-syslog.md)

+To secure hybrid cloud workloads, you can extend Defender for Cloud's protections by connecting on-premises machines to [Azure Arc enabled servers](../azure-arc/servers/overview.md).

+To learn more about Microsoft Defender for Cloud and Microsoft Defender for Cloud, see the complete [Defender for Cloud documentation](index.yml).

+> The additional **Agent type** and **Agent version** columns are used for by device builders. For more information, see [Microsoft Defender for IoT for device builders documentation](../device-builders/index.yml).

+- [Investigate devices on a device map](how-to-work-with-the-sensor-device-map.md)

+ - Select an IoT device entity from the **Entities** list to open its [device entity page](../../sentinel/entity-pages.md). For more information, see [Investigate further with IoT device entities](#investigate-further-with-iot-device-entities).

+For more information, see our blog: [Defending Critical Infrastructure with the Microsoft Sentinel: IT/OT Threat Monitoring Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/defending-critical-infrastructure-with-the-microsoft-sentinel-it/ba-p/3061184)

+Start by enabling the [Defender for IoT data connector](../../sentinel/data-connectors/microsoft-defender-for-iot.md) to stream all your Defender for IoT events into Microsoft Sentinel.

+ - Access to the Azure portal as a [Security admin](../../role-based-access-control/built-in-roles.md#security-admin), [Contributor](../../role-based-access-control/built-in-roles.md#contributor), or [Owner](../../role-based-access-control/built-in-roles.md#owner) user. For more information, see [Azure user roles and permissions for Defender for IoT](roles-azure.md).

+For more information, see [Tutorial: Investigate and detect threats for IoT devices](iot-advanced-threat-monitoring.md) and [Navigate and investigate incidents in Microsoft Sentinel](../../sentinel/investigate-incidents.md).

+[Version 2.0.2](release-notes-sentinel.md#version-202) of the Microsoft Defender for IoT solution is now available in the [Microsoft Sentinel content hub](../../sentinel/sentinel-solutions-catalog.md), with improvements in analytics rules for incident creation, an enhanced incident details page, and performance improvements for analytics rule queries.

+[Getting started with Defender for IoT](getting-started.md)