-> Provisioning of group objects (properties and members) is a distinct concept from [assigning groups](../manage-apps/assign-user-or-group-access-portal.md) to an application. It is possible to assign a group to an application, but only provision the user objects contained in the group. Provisioning of full group objects is not required to use groups in assignments.

-> Editing the list of supported attributes is only recommended for administrators who have customized the schema of their applications and systems, and have first-hand knowledge of how their custom attributes have been defined or if a source attribute is not automatically displayed in the Azure Portal UI. This sometimes requires familiarity with the APIs and developer tools provided by an application or system. The ability to edit the list of supported attributes is locked down by default, but customers can enable the capability by navigating to the following URL: https://portal.azure.com/?Microsoft_AAD_Connect_Provisioning_forceSchemaEditorEnabled=true . You can then navigate to your application to view the attribute list as described [above](#editing-the-list-of-supported-attributes).

-Custom attributes can't be referential attributes, multi-value or complex-typed attributes. Custom multi-value and complex-typed extension attributes are currently supported only for applications in the gallery. The custom extension schema header is omitted in the example below as it is not sent in requests from the Azure AD SCIM client. This issue will be fixed in the future and the header will be sent in the request.

- - SingleAppRoleAssignments is not compatible with setting scope to "Sync All users and groups."

- - AppRoleAssignmentsComplex is not compatible with setting scope to "Sync All users and groups."

-> [!NOTE]

-> Effective Oct. 1st, 2022, we will begin to enable combined registration for all users in Azure AD tenants created before August 15th, 2020. Tenants created after this date are enabled with combined registration.

-This article outlines what combined security registration is. To get started with combined security registration, see the following article:

-> [!div class="nextstepaction"]

-> [Enable combined security registration](howto-registration-mfa-sspr-combined.md)

-> [!IMPORTANT]

-> Users that are enabled for both the original preview and the enhanced combined registration experience see the new behavior. Users that are enabled for both experiences see only the My Account experience. The *My Account* aligns with the look and feel of combined registration and provides a seamless experience for users. Users can see My Account by going to [https://myaccount.microsoft.com](https://myaccount.microsoft.com).

->

-> You can set **Require users to register when signing in** to **Yes** to require all users to register when signing in, ensuring that all users are protected.

->

-> You might encounter an error message while trying to access the Security info option, such as, "Sorry, we can't sign you in". Confirm that you don't have any configuration or group policy object that blocks third-party cookies on the web browser.

-You can disable the use of SSPR for administrator accounts using the [Set-MsolCompanySettings](/powershell/module/msonline/set-msolcompanysettings) PowerShell cmdlet. The `-SelfServePasswordResetEnabled $False` parameter disables SSPR for administrators. Policy changes to disable or enable SSPR for administrator accounts can take up to 60 minutes to take effect.

-² Includes SMS and voice calls.

-> [!NOTE]

-> Starting on August 15th 2020, all new Azure AD tenants will be automatically enabled for combined registration. Tenants created after this date will be unable to utilize the legacy registration workflows.

-> After Sept. 30th, 2022, all existing Azure AD tenants will be automatically enabled for combined registration.

-We recommend that organizations use the [combined registration experience for Azure AD Multi-Factor Authentication and self-service password reset (SSPR)](howto-registration-mfa-sspr-combined.md). SSPR allows users to reset their password in a secure way using the same methods they use for Azure AD Multi-Factor Authentication. Combined registration is a single step for end users. To make sure you understand the functionality and end-user experience, see the [Combined security information registration concepts](concept-registration-mfa-sspr-combined.md).

-## Disable combined registration

-When a user registers a phone number and/or mobile app in the combined registration experience, our service stamps a set of flags (StrongAuthenticationMethods) for those methods on that user. This functionality allows the user to perform Multi-Factor Authentication with those methods whenever Multi-Factor Authentication is required.

-If an admin enables combined registration, users register through the combined registration experience, and then the admin disables combined registration, users might unknowingly be registered for Multi-Factor Authentication also.

-If a user who has completed combined registration goes to the legacy self-service password reset (SSPR) registration page at [https://aka.ms/ssprsetup](https://aka.ms/ssprsetup), the user will be prompted to perform Multi-Factor Authentication before they can access that page. This step is expected from a technical standpoint, but it's new for users who were previously registered for SSPR only. Though this extra step does improve the user's security posture by providing another level of security, admins might want to roll back their users so that they're no longer able to perform Multi-Factor Authentication.

-### Disable the updated experience

-To disable the updated experience for your users, complete these steps:

-1. Sign in to the Azure portal as a user administrator.

-2. Go to **Azure Active Directory** > **User settings** > **Manage user feature settings**.

-3. Under **Users can use the combined security information registration experience**, set the selector to **None**, and then select **Save**.

-Users will no longer be prompted to register by using the updated experience.

-Before combined registration, users registered authentication methods for Azure AD Multi-Factor Authentication and self-service password reset (SSPR) separately. People were confused that similar methods were used for Azure AD Multi-Factor Authentication and SSPR but they had to register for both features. Now, with combined registration, users can register once and get the benefits of both Azure AD Multi-Factor Authentication and SSPR.

-> Effective Oct. 1st, 2022, we will begin to enable combined registration for all users in Azure AD tenants created before August 15th, 2020. Tenants created after this date are enabled with combined registration.

-To make sure you understand the functionality and effects before you enable the new experience, see the [Combined security information registration concepts](concept-registration-mfa-sspr-combined.md).

-## Enable combined registration

-To enable combined registration, complete these steps:

-1. Sign in to the Azure portal as a user administrator or global administrator.

-2. Go to **Azure Active Directory** > **User settings** > **Manage user feature settings**.

-3. Under **Users can use the combined security information registration experience**, choose to enable for a **Selected** group of users or for **All** users.

- 

- > [!IMPORTANT]

- > If your Azure tenant has already been enabled for combined registration, you might not see the configuration option for **Users can use the combined security information registration experience** or even see it grayed out.

-> [!NOTE]

-> After you enable combined registration, users who register or confirm their phone number or mobile app through the new experience can use them for Azure AD Multi-Factor Authentication and SSPR, if those methods are enabled in the Azure AD Multi-Factor Authentication and SSPR policies.

->

-> If you then disable this experience, users who go to the previous SSPR registration page at `https://aka.ms/ssprsetup` are required to perform multi-factor authentication before they can access the page.

-If you have configured the *Site to Zone Assignment List* in Internet Explorer, the following sites have to be in the same zone:

-* *[https://login.microsoftonline.com](https://login.microsoftonline.com)*

-* *[https://Login.windows.net](https://login.windows.net)*

-* *[https://mysignins.microsoft.com](https://mysignins.microsoft.com)*

-* *[https://account.activedirectory.windowsazure.com](https://account.activedirectory.windowsazure.com)*

-Once users are enabled for combined registration, you can then [enable self-service password reset](tutorial-enable-sspr.md) and [enable Azure AD Multi-Factor Authentication](tutorial-enable-azure-mfa.md).

-If you have enabled [combined registration](./concept-registration-mfa-sspr-combined.md), information regarding user activity in the audit logs will be found under **Security** > **Authentication Methods**.

-Before making any changes, you should back up your Azure AD Connect configuration. This way, you can role-back. See [Import and export Azure AD Connect configuration settings](../hybrid/how-to-connect-import-export-config.md) for more information.

-> [!NOTE]

-> Some Conditional Access features are currently in public preview and might not be supported or have limited capabilities. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

- - Guest or external users (preview)

-* If you're ready to configure Conditional Access policies for your environment, see the article [Plan a Conditional Access deployment](plan-conditional-access.md).

- 1. Under **What does this policy apply to?**, select **Workload identities (Preview)**.

- 1. Under **What does this policy apply to?**, select **Workload identities (Preview)**.

-1. Under **Conditions** > **Service principal risk (Preview)**

-In this quickstart, you invited and added a single guest user to your directory using PowerShell. Next, learn how to invite guest users in bulk using PowerShell.

-> [!div class="nextstepaction"]

-> [Tutorial: Bulk invite Azure AD B2B collaboration users](tutorial-bulk-invite.md)

-description: If you have internal user accounts for partners, distributors, suppliers, vendors, and other guests, you can change to Azure AD B2B collaboration by inviting them to sign in with their own external credentials or login. Use either PowerShell or the Microsoft Graph invitation API.

-Before the availability of Azure AD B2B collaboration, organizations could collaborate with distributors, suppliers, vendors, and other guest users by setting up internal credentials for them. If you have internal guest users like these, you can invite them to use B2B collaboration instead. These B2B guest users will be able to use their own identities and credentials to sign in, and you wonΓÇÖt need to maintain passwords or manage account lifecycles.

-> In Azure AD Connect sync, thereΓÇÖs a default rule that writes the [onPremisesUserPrincipalName attribute](../hybrid/reference-connect-sync-attributes-synchronized.md#notes) to the user object. Because the presence of this attribute can prevent a user from signing in using external credentials, we block internal-to-external conversions for user objects with this attribute. If youΓÇÖre using Azure AD Connect and you want to be able to invite internal users to B2B collaboration, you'll need to [modify the default rule](../hybrid/how-to-connect-sync-change-the-configuration.md) so the onPremisesUserPrincipalName attribute isnΓÇÖt written to the user object.

-|Azure AD password reset |Azure AD password reset is a back-end service using Redis Cache to track session state. To learn more, go to redis.com to see [Introduction to Redis](https://redis.io/docs/about/).|See, Intro to Redis link in center column.|

-There is no additional work to enable this feature, the unfamiliar properties will be shown by default. For more information, see: [Sign-in risk](../identity-protection/concept-identity-protection-risks.md#sign-in-risk).

-In the January 2023 release of Authenticator for iOS, there's no companion app for watchOS due to it being incompatible with Authenticator security features, meaning you won't be able to install or use Authenticator on Apple Watch. This change only impacts Apple Watch, so you can still use Authenticator on your other devices. For more information, see: [Common questions about the Microsoft Authenticator app](https://support.microsoft.com/account-billing/common-questions-about-the-microsoft-authenticator-app-12d283d1-bcef-4875-9ae5-ac360e2945dd).

-You can now use administrative units to delegate management of specified devices in your tenant by adding devices to an administrative unit. You are also able to assign built-in, and custom device management roles, scoped to that administrative unit. For more information, see: [Device management](../roles/administrative-units.md#device-management).

-[Bionexo IDM](https://login.bionexo.com/), [SMART Meeting Pro](https://www.smarttech.com/en/business/software/meeting-pro), [Venafi Control Plane ΓÇô Datacenter](../saas-apps/venafi-control-plane-tutorial.md), [HighQ](../saas-apps/highq-tutorial.md), [Drawboard PDF](https://pdf.drawboard.com/), [ETU Skillsims](../saas-apps/etu-skillsims-tutorial.md), [TencentCloud IDaaS](../saas-apps/tencent-cloud-idaas-tutorial.md), [TeamHeadquarters Email Agent OAuth](https://thq.entry.com/), [Verizon MDM](https://verizonmdm.vzw.com/), [QRadar SOAR](../saas-apps/qradar-soar-tutorial.md), [Tripwire Enterprise](../saas-apps/tripwire-enterprise-tutorial.md), [Cisco Unified Communications Manager](../saas-apps/cisco-unified-communications-manager-tutorial.md), [Howspace](https://login.in.howspace.com/), [Flipsnack SAML](../saas-apps/flipsnack-saml-tutorial.md), [Albert](http://www.albertinvent.com/), [Altinget.no](https://www.altinget.no/), [Coveo Hosted Services](../saas-apps/coveo-hosted-services-tutorial.md), [Cybozu(cybozu.com)](../saas-apps/cybozu-tutorial.md), [BombBomb](https://app.bombbomb.com/app), [VMware Identity Service](../saas-apps/vmware-identity-service-tutorial.md), [Cimmaron Exchange Sync - Delegated](https://cimmaronsoftware.com/Mortgage-CRM-Exchange-Sync.aspx), [HexaSync](https://app-az.hexasync.com/login), [Trifecta Teams](https://app.trifectateams.net/), [VerosoftDesign](https://verosoft-design.vercel.app/), [Mazepay](https://app.mazepay.com/), [Wistia](../saas-apps/wistia-tutorial.md), [Begin.AI](https://app.begin.ai/), [WebCE](../saas-apps/webce-tutorial.md), [Dream Broker Studio](https://dreambroker.com/studio/login/), [PKSHA Chatbot](../saas-apps/pksha-chatbot-tutorial.md), [PGM-BCP](https://ups-pgm-bcp.4gfactor.com/azure/), [ChartDesk SSO](../saas-apps/chartdesk-sso-tutorial.md), [Elsevier SP](../saas-apps/elsevier-sp-tutorial.md), [GreenCommerce IdentityServer](https://identity.jem-id.nl/Account/Login), [Fullview](https://app.fullview.io/sign-in), [Aqua Platform](../saas-apps/aqua-platform-tutorial.md), [SpedTrack](../saas-apps/spedtrack-tutorial.md), [Pinpoint](https://pinpoint.ddiworld.com/psg2?sso=true), [Darzin Outlook Add-in](https://outlook.darzin.com/graph-login.html), [Simply Stakeholders Outlook Add-in](https://outlook.simplystakeholders.com/graph-login.html), [tesma](../saas-apps/tesma-tutorial.md), [Parkable](../saas-apps/parkable-tutorial.md), [Unite Us](../saas-apps/unite-us-tutorial.md)

-The Temporary Access Pass can now be used to recover Azure AD-joined PCs when the EnableWebSignIn policy is enabled on the device. This is useful for when your users do not know, or have, a password. For more information, see: [Authentication/EnableWebSignIn](/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin).

-We are announcing Public preview of Authentication strength, a Conditional Access control that allows administrators to specify which authentication methods can be used to access a resource. For more information, see: [Conditional Access authentication strength (preview)](../authentication/concept-authentication-strengths.md). You can use custom authentication strengths to restrict access by requiring specific FIDO2 keys using the Authenticator Attestation GUIDs (AAGUIDs), and apply this through conditional access policies. For more information, see: [FIDO2 security key advanced options](../authentication/concept-authentication-strengths.md#fido2-security-key-advanced-options).

-[Unifii](https://www.unifii.com.au/), [WaitWell Staff App](https://waitwell.c)

-## September 2022

-### General Availability - SSPR writeback is now available for disconnected forests using Azure AD Connect cloud sync

-**Type:** New feature

-**Service category:** Azure AD Connect Cloud Sync

-**Product capability:** Identity Lifecycle Management

-Azure AD Connect Cloud Sync Password writeback now provides customers the ability to synchronize Azure AD password changes made in the cloud to an on-premises directory in real time. This can be accomplished using the lightweight Azure AD cloud provisioning agent. For more information, see: [Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment](../authentication/tutorial-enable-cloud-sync-sspr-writeback.md).

-### General Availability - Device-based conditional access on Linux Desktops

-**Type:** New feature

-**Service category:** Conditional Access

-**Product capability:** SSO

-This feature empowers users on Linux clients to register their devices with Azure AD, enroll into Intune management, and satisfy device-based Conditional Access policies when accessing their corporate resources.

-For more information, see:

-### General Availability - Azure AD SCIM Validator

-**Type:** New feature

-**Service category:** Provisioning

-**Product capability:** Outbound to SaaS Applications

-Independent Software Vendors(ISVs) and developers can self-test their SCIM endpoints for compatibility: We have made it easier for ISVs to validate that their endpoints are compatible with the SCIM-based Azure AD provisioning services. This is now in general availability (GA) status.

-For more information, see: [Tutorial: Validate a SCIM endpoint](../app-provisioning/scim-validator-tutorial.md)

-### General Availability - prevent accidental deletions

-**Type:** New feature

-**Service category:** Provisioning

-**Product capability:** Outbound to SaaS Applications

-Accidental deletion of users in any system could be disastrous. WeΓÇÖre excited to announce the general availability of the accidental deletions prevention capability as part of the Azure AD provisioning service. When the number of deletions to be processed in a single provisioning cycle spikes above a customer defined threshold the following will happen. The Azure AD provisioning service pauses, provide you with visibility into the potential deletions, and allow you to accept or reject the deletions. This functionality has historically been available for Azure AD Connect, and Azure AD Connect Cloud Sync. It's now available across the various provisioning flows, including both HR-driven provisioning and application provisioning.

-For more information, see: [Enable accidental deletions prevention in the Azure AD provisioning service](../app-provisioning/accidental-deletions.md)

-### General Availability - Identity Protection Anonymous and Malicious IP for ADFS on-premises logins

-**Type:** New feature

-**Service category:** Identity Protection

-**Product capability:** Identity Security & Protection

-Identity protection expands its Anonymous and Malicious IP detections to protect ADFS sign-ins. This automatically applies to all customers who have AD Connect Health deployed and enabled, and show up as the existing "Anonymous IP" or "Malicious IP" detections with a token issuer type of "AD Federation Services".

-For more information, see: [What is risk?](../identity-protection/concept-identity-protection-risks.md)

-### New Federated Apps available in Azure AD Application gallery - September 2022

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-In September 2022 we've added the following 15 new applications in our App gallery with Federation support:

-[RocketReach SSO](../saas-apps/rocketreach-sso-tutorial.md), [Arena EU](../saas-apps/arena-eu-tutorial.md), [Zola](../saas-apps/zola-tutorial.md), [FourKites SAML2.0 SSO for Tracking](../saas-apps/fourkites-tutorial.md), [Syniverse Customer Portal](../saas-apps/syniverse-customer-portal-tutorial.md), [Rimo](https://rimo.app/), [Q Ware CMMS](https://qware.app/), [Mapiq (OIDC)](https://app.mapiq.com/), [NICE Cxone](../saas-apps/nice-cxone-tutorial.md), [dominKnow|ONE](../saas-apps/dominknowone-tutorial.md), [Waynbo for Azure AD](https://webportal-eu.waynbo.com/Login), [innDex](https://web.inndex.co.uk/azure/authorize), [Profiler Software](https://www.profiler.net.au/), [Trotto go links](https://trot.to/_/auth/login), [AsignetSSOIntegration](../saas-apps/asignet-sso-tutorial.md).

-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial,

-For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest

-# Trigger custom logic apps with entitlement management

-[Azure Logic Apps](../../logic-apps/logic-apps-overview.md) can be used to automate custom workflows and connect apps and services in one place. Users can integrate Azure Logic Apps with entitlement management to broaden their governance workflows beyond the core entitlement management use cases.

-These logic app workflows can then be triggered to run in accordance with entitlement management use cases such as when an access package is granted or requested. For example, an admin could create and link a custom logic app workflow to entitlement management so that when a user requests an access package, the logic app workflow is triggered to ensure that the user is also assigned certain characteristics in a 3rd party SAAS app (like Salesforce) or is sent a custom email.

-Entitlement management use cases that can be integrated with Azure Logic Apps include:

-These triggers in logic app workflows are controlled in a new tab within access package policies called **Rules**. Additionally, a **Custom Extensions** tab on the Catalog page will show all added logic app resources for a given Catalog. This article describes how to create and add logic apps to catalogs and access packages in entitlement management.

-## Create and add a logic app workflow to a catalog for use in entitlement management

-1. In the **Basics** tab, enter the name of the custom extension (linked logic app that you are adding) and description of the workflow. These fields will show up in the **Custom Extensions** tab of the Catalog going forward.

-1. Then go on to the **Details** tab.

-1. In the **Create new logic app** field, select **Yes**. Otherwise, select **No** and move on to step 9 if you are going to use an existing logic app. If you selected yes, select one of the options below and move on to step 9:

- 1. Select **create new Azure AD application** if you want to use a new application as the basis for the new logic app, or

-

- 

- 1. select **an existing Azure AD Application** if you want to use an existing application as the basis for the new logic app.

- 

- > Later, you can edit what your logic app workflow does in workflow designer. To do so, in the **Custom Extensions** tab of **Catalogs**, select the logic app you created.

-1. Next, enter the **Subscription ID**, **Resource group**, **Logic app name**.

-1. Then, select **Validate and Create**.

-1. Review the summary of your custom extension and make sure the details for your logic app callout are correct. Then select **Create**.

- 

-This custom extension to the linked logic app will now appear in your Custom Extensions tab under Catalogs. You will be able to call on this in access package policies.

-## Edit a linked logic app

-1. Sign in to the [Azure portal](https://portal.azure.com)l.

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Catalogs**.

-1. In the left menu, select **Custom Extensions**.

-1. Here, you can view all custom extensions (logic apps) that you have added to this Catalog. To edit a logic app workflow, or to create a workflow for a newly-added logic app, select the Azure Logic Apps custom extension under **Endpoint**. This will open the workflow designer and allow you to create your workflow.

-For more information on creating logic app workflows, see [Create an example Consumption workflow with Azure Logic Apps in the Azure portal](../../logic-apps/quickstart-create-example-consumption-workflow.md).

- > For more information about how to create an access package see [Create a new access package in entitlement management](entitlement-management-access-package-create.md). For more information about how to edit an existing access package, see [Change request settings for an access package in Azure AD entitlement management](entitlement-management-access-package-request-policy.md#open-and-edit-an-existing-policys-request-settings).

-1. In the menu below **Stage**, select the access package event you wish to use as trigger for this custom extension (logic app). For example, if you only want to trigger the custom extension logic app workflow when a user requests the access package, select **Request is created**.

-1. In the menu below **Custom Extension**, select the custom extension (logic app) you want to add to the access package. The do action you select will execute when the event selected in the when field occurs.

- 

-To verify that your custom extension has correctly triggered the associated logic app when called upon by the access package **Do** option, you can view the Azure Logic Apps logs.

-The overview page for a specific logic app will show timestamps of when the logic app was last executed. Also, the Resource Group overview for a resource group with a linked custom extension will show the name of that custom extension in the overview if it has been configured correctly.

- $ipdns2 = "8.8.8.8"

-Assign the Application Developer role to grant the ability to create application registrations when the **Users can register applications** setting is set to No. This role also grants permission to consent on one's own behalf when the **Users can consent to apps accessing company data on their behalf** setting is set to No.

-Users with this role have access to all administrative features in Azure Active Directory, as well as services that use Azure Active Directory identities like the Microsoft 365 Defender portal, the Microsoft Purview compliance portal, Exchange Online, SharePoint Online, and Skype for Business Online. Furthermore, Global Administrators can [elevate their access](../../role-based-access-control/elevate-access-global-admin.md) to manage all Azure subscriptions and management groups. This allows Global Administrators to get full access to all Azure resources using the respective Azure AD Tenant. The person who signs up for the Azure AD organization becomes a Global Administrator. There can be more than one Global Administrator at your company. Global Administrators can reset the password for any user and all other administrators. A Global Administrator cannot remove their own Global Administrator assignment. This is to prevent a situation where an organization has zero Global Administrators.

-Users in this role have full access to all knowledge, learning and intelligent features settings in the Microsoft 365 admin center. They have a general understanding of the suite of products, licensing details and has responsibility to control access. Knowledge Administrator can create and manage content, like topics, acronyms and learning resources. Additionally, these users can create content centers, monitor service health, and create service requests.

-To achieve AAL1, you can use any NIST single-factor or multifactor [permitted authenticator](nist-authenticator-types.md). Note that Password and Phone (SMS) are not covered in [AAL2](nist-authenticator-assurance-level-2.md) or [AAL3](nist-authenticator-assurance-level-2.md).

-|Password |memorized secret |

-|Phone (SMS)|out-of-band |

-|FIDO 2 security key <br> Microsoft Authenticator app for iOS (passwordless) <br> Windows Hello for Business with software TPM <br> Smartcard (Active Directory Federation Services) | Multi-factor crypto software |

-> We recommend you meet at least AAL2. If necessary, meet AAL3 for business reasons, industry standards, or compliance requirements.

-      "url": "https://www.contoso.com/api/verifier/presentationCallbac",

-AKS now supports an exclusive channel dedicated to controlling node-level OS security updates. This channel, referred to as the node OS auto-upgrade channel, works in tandem with the existing [auto-upgrade][Autoupgrade] channel which is used for Kubernetes version upgrades.

-If using the `node-image` cluster auto-upgrade channel or the `NodeImage` node OS auto-upgrade channel, Linux [unattended upgrades][unattended-upgrades] will be disabled by default. You can't change node OS auto-upgrade channel value if your cluster auto-upgrade channel is `node-image`. In order to set the node OS auto-upgrade channel values , make sure the [cluster auto-upgrade channel][Autoupgrade] is not `node-image`.

-The nodeosupgradechannel is not supported on Mariner and Windows OS nodepools.

-Automatically completed upgrades are functionally the same as manual upgrades. The timing of upgrades is determined by the selected channel. When making changes to auto-upgrade, allow 24 hours for the changes to take effect. By default, a cluster's node OS auto-upgrade channel is set to `Unmanaged`.

-| `Unmanaged`|OS updates will be applied automatically through the OS built-in patching infrastructure. Newly allocated machines will be unpatched initially and will be patched at some point by the OS's infrastructure|Ubuntu applies security patches through unattended upgrade roughly once a day around 06:00 UTC. Windows and Mariner don't apply security patches automatically, so this option behaves equivalently to `None`|

-| `SecurityPatch`|AKS will update the node's virtual hard disk (VHD) with patches from the image maintainer labeled "security only" on a regular basis. Some patches, such as kernel patches, can't be applied to existing nodes without disruption. For such patches, the VHD will be updated and existing machines will be upgraded to that VHD following maintenance windows and surge settings. This option incurs the extra cost of hosting the VHDs in your node resource group. If you use this channel, Linux [unattended upgrades][unattended-upgrades] will be disabled by default.|N/A|

-| `NodeImage`|AKS will update the nodes with a newly patched VHD containing security fixes and bug fixes on a weekly cadence. The update to the new VHD is disruptive, following maintenance windows and surge settings. No extra VHD cost is incurred when choosing this option. If you use this channel, Linux [unattended upgrades][unattended-upgrades] will be disabled by default.|

-If youΓÇÖre using Planned Maintenance and node OS auto-upgrade, your upgrade will start during your specified maintenance window.

-[kured]: node-updates-kured.md

-* A pod disruption budget (PDB) is too restrictive and doesn't allow the number of pods to be fall below a certain threshold.

- - hosts:

- - host: hello-world-ingress.MY_CUSTOM_DOMAIN

- - hosts:

- - host: hello-world-ingress.MY_CUSTOM_DOMAIN

-1. Click on the **Actions** tab at the top of the page.

-1. If you already set up a workflow in this repository, you'll be directed to the list of completed runs, in this case, click on the **New Workflow** button. If this is your first workflow in the repository, GitHub will present you with some project templates, click on the **Set up a workflow yourself** link below the description text.

-1. Change the workflow `name` and `on` tags similar to the below. GitHub Actions use the same [POSIX cron syntax][cron-syntax] as any Linux-based system. In this schedule, we're telling the workflow to run every 15 days at 3am.

-1. Create a new job using the below. This job is named `upgrade-node`, runs on an Ubuntu agent, and will connect to your Azure CLI account to execute the needed steps to upgrade the nodes.

-1. You'll get as a result, an Action called **Azure Login** published **by Azure**:

-1. Click on **Azure Login**. On the next screen, click the **copy icon** in the top right of the code sample.

- :::image type="content" source="media/node-upgrade-github-actions/azure-login.png" alt-text="Azure Login action result pane with code sample below, red square around a copy icon highlights the click spot":::

-1. Paste the following under the `steps` key:

-1. From the Azure CLI, run the following command to generate a new username and password.

-1. **In a new browser window** navigate to your GitHub repository and open the **Settings** tab of the repository. Click **Secrets** then, click on **New Repository Secret**.

-1. For *Name*, use `AZURE_CREDENTIALS`.

-1. For *Value*, add the entire contents from the output of the previous step where you created a new username and password.

-1. Click **Add Secret**.

-1. Click the copy button on the *GitHub marketplace result* and paste the contents of the action in the main editor, below the *Azure Login* step, similar to the following:

-1. Click **Start Commit**, add a message title, and save the workflow.

-[auto-upgrade-node-image]: auto-upgrade-node-image.md

- annotations: kubernetes.io/ingress.class: "PublicIngress"

- serviceName: blogservice

- servicePort: 80

- serviceName: storeservice

- servicePort: 80

- PluginInput: ObjectId=$MANAGED_ID;SecretUri=$SECRET_URI # SECRET_URI takes the form https://$akvName.vault.azure.net/secrets/$akvSecretName

-To demonstrate the isolation of an application on the AKS cluster, perform the following steps.

-To demonstrate the deployed application on the AKS cluster isn't isolated and is on the untrusted shim, perform the following steps.

-* Volume mounting Azure Files share support [General-purpose V2](../storage/common/storage-account-overview.md#types-of-storage-accounts) and [General-purpose V1](../storage/common/storage-account-overview.md#types-of-storage-accounts). Follow the instructions for mounting [a volume with Azure Files share](azure-files-csi.md).

-az identity federated-credential create --name federatedIdentityName --identity-name userAssignedIdentityName --resource-group resourceGroupName --issuer ${AKS_OIDC_ISSUER} --subject system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}

-| Pricing tiers | **Basic**, **Standard**, **Premium**. | **Basic**, **Standard**, **Premium**, **Isolated**. |

- |**Unhealthy threshold**|3|Number of consecutive failed attempts to be considered unhealthy. The threshold can be set to 1 or more.|

-1. Check NSGs associated with the application gateway subnet. Ensure that communication to backend isn't blocked.

- kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.8/deploy/manifests/00-crds.yaml

- kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true

- --version v1.0.4 \

- # Helm v2

- helm install \

- --name cert-manager \

- --namespace cert-manager \

- --version v1.0.4 \

- jetstack/cert-manager \

- # --set installCRDs=true

-

- apiVersion: certmanager.k8s.io/v1alpha1

- name: letsencrypt-staging

- acme:

- # Secret resource used to store the account's private key.

- name: example-issuer-account-key

- http01: {}

- certmanager.k8s.io/cluster-issuer: letsencrypt-staging

- --public-ip-address myAGPublicIPAddress

- --address-pool contosoPool

- --address-pool fabrikamPool

-# Azure Form Recognizer add-on capabilities

-> [**Read model**](concept-read.md) [**Layout model**](concept-layout.md).

-# Azure Form Recognizer health insurance card model

-# Azure Form Recognizer query field extraction

-> [Try the Form Recognizer Studio quickstart](./quickstarts/try-form-recognizer-studio.md)

- $AAD_ENTITY_OBJECT_ID = (az ad signed-in-user show --query objectId -o tsv)

-> The documents in this section are for GitOps with Flux v1. GitOps with Flux v2 is now available for Azure Arc-enabled Kubernetes and Azure Kubernetes Service (AKS) clusters; [learn about GitOps with Flux v2](./conceptual-gitops-flux2.md). Eventually Azure will stop supporting GitOps with Flux v1, so we recommend [migrating to Flux v2](conceptual-gitops-flux2.md#migrate-from-flux-v1) as soon as possible.

-> The workflow described in this document uses GitOps with Flux v1. GitOps with Flux v2 is now available for Azure Arc-enabled Kubernetes and Azure Kubernetes Service (AKS) clusters; [learn about CI/CD workflow using GitOps with Flux v2](./conceptual-gitops-flux2-ci-cd.md). Eventually Azure will stop supporting GitOps with Flux v1, so we recommend [migrating to Flux v2](conceptual-gitops-flux2.md#migrate-from-flux-v1) as soon as possible.

-> Eventually Azure will stop supporting GitOps with Flux v1, so we recommend [migrating to Flux v2](#migrate-from-flux-v1) as soon as possible.

-> This tutorial uses GitOps with Flux v1. GitOps with Flux v2 is now available for Azure Arc-enabled Kubernetes and Azure Kubernetes Service (AKS) clusters; [go to the tutorial that uses GitOps with Flux v2](./tutorial-gitops-flux2-ci-cd.md). Eventually Azure will stop supporting GitOps with Flux v1, so we recommend [migrating to Flux v2](conceptual-gitops-flux2.md#migrate-from-flux-v1) as soon as possible.

-> [!NOTE]

-> Eventually Azure will stop supporting GitOps with Flux v1, so begin using Flux v2 as soon as possible.

-> This tutorial is for GitOps with Flux v1. GitOps with Flux v2 is now available for Azure Arc-enabled Kubernetes and Azure Kubernetes Service (AKS) clusters; [go to the tutorial for GitOps with Flux v2](./tutorial-use-gitops-flux2.md). Eventually Azure will stop supporting GitOps with Flux v1, so begin using Flux v2 as soon as possible.

-> The `microsoft.flux` extension released major version 1.0.0. This includes the [multi-tenancy feature](conceptual-gitops-flux2.md#multi-tenancy). If you have existing GitOps Flux v2 configurations that use a previous version of the `microsoft.flux` extension, you can upgrade to the latest extension manually using the Azure CLI: `az k8s-extension create -g <RESOURCE_GROUP> -c <CLUSTER_NAME> -n flux --extension-type microsoft.flux -t <CLUSTER_TYPE>` (use `-t connectedClusters` for Arc clusters and `-t managedClusters` for AKS clusters).

-> [!NOTE]

-> Eventually Azure will stop supporting GitOps with Flux v1, so we recommend [migrating to Flux v2](conceptual-gitops-flux2.md#migrate-from-flux-v1) as soon as possible.

-> This article is for GitOps with Flux v1. GitOps with Flux v2 is now available for Azure Arc-enabled Kubernetes and Azure Kubernetes Service (AKS) clusters; [go to the article for using policy with Flux v2](./use-azure-policy-flux-2.md). Eventually Azure will stop supporting GitOps with Flux v1, so we recommend [migrating to Flux v2](conceptual-gitops-flux2.md#migrate-from-flux-v1) as soon as possible.

-> This article is for GitOps with Flux v1. GitOps with Flux v2 is now available for Azure Arc-enabled Kubernetes and Azure Kubernetes Service (AKS) clusters; [go to the tutorial for GitOps with Flux v2](./tutorial-use-gitops-flux2.md). Eventually Azure will stop supporting GitOps with Flux v1, so we recommend [migrating to Flux v2](conceptual-gitops-flux2.md#migrate-from-flux-v1) as soon as possible.

-|[Computex Technology Solutions](http://www.computex-inc.com/)|

-|[Derek Coleman & Associates Corporation](https://www.dcassociatesgroup.com/https://docsupdatetracker.net/index.html)|

-|[Parachute Technology](https://www.parachutech.com)|

-|[Tech Data Government Solutions, LLC](https://gov.as.techdata.com/en-us/Pages/default.aspx)|

-

-Metrics, logs, and distributed traces are commonly referred to as the three pillars of observability. A monitoring tool must collect and analyze these three different kinds of data to provide sufficient observability of a monitored system. Observability can be achieved by correlating data from multiple pillars and aggregating data across the entire set of resources being monitored. Because Azure Monitor stores data from multiple sources together, the data can be correlated and analyzed by using a common set of tools. It also correlates data across multiple Azure subscriptions and tenants, in addition to hosting data for other services.

-2. Review the estimated costs for each pricing tier. This estimate assumes that the last 31 days of your usage is typical. In the example below, based on the data patterns from the previous 31 days, this workspace would cost less in the Pay-As-You-Go tier (#1) compared to the 100 GB/day commitment tier (#2).

-|Splunk Observability|[Azure Monitor](../overview.md) is an end-to-end solution for collecting, analyzing, and acting on telemetry from your cloud, multicloud, and on-premises environments, built over a powerful data ingestion pipeline that's shared with Microsoft Sentinel. Azure Monitor offers enterprises a comprehensive solution for monitoring cloud, hybrid, and on-premises environments, with [network isolation](../logs/private-link-security.md), [resilience features and protection from data center failures](../logs/availability-zones.md), [reporting](../overview.md#insights-and-visualizations), and [alerts and response](../overview.md#respond) capabilities.|

-Use Azure Monitor to monitor these types of resources in Azure, other clouds, or on-premises:

- - Applications

- - Guest operating systems

- - Containers

- - Collect your Prometheus metrics with Azure Managed Prometheus and analyze them using PromQL in Azure Managed Grafana.

-

-Azure Monitor can collect data from multiple sources, including from your application, operating systems, the services they rely on, and from the platform itself.

-You can integrate monitoring data from sources outside Azure, including on-premises and other non-Microsoft clouds, using the application, infrastructure, and custom data sources.

-Azure Monitor collects these types of data:

-|Data Type |Description |

-|||

-|Application|Data about the performance and functionality of your application code on any platform.|

-|Infrastructure|**- Container.** Data about containers, such as [Azure Kubernetes Service](../aks/intro-kubernetes.md), [Prometheus](./essentials/prometheus-metrics-overview.md), and about the applications running inside containers.<br>**- Operating system.** Data about the guest operating system on which your application is running.|

-|Azure Platform|**- Azure resource**. The operation of an Azure resource.<br>**- Azure subscription.** The operation and management of an Azure subscription, and data about the health and operation of Azure itself.<br>**- Azure tenant.** Data about the operation of tenant-level Azure services, such as Azure Active Directory.<br>**- Azure resource changes.** Data about changes within your Azure resources and how to address and triage incidents and issues. |

-|Custom Sources|Use the Azure Monitor REST API to send customer metric or log data to Azure Monitor and incorporate monitoring of resources that donΓÇÖt expose monitoring data through other methods.|

-For detailed information about each of the data sources, see [data sources](./data-sources.md).

-## Data collection and routing

-Azure Monitor collects and routes monitoring data using several mechanisms, depending on the data being routed and the destination data platform stores.

-|Collection method|Description |

-|||

-|Direct data routing|Platform metrics are sent automatically to Azure Monitor Metrics by default and without configuration.|

-|[Diagnostic settings](essentials/diagnostic-settings.md)|Use diagnostic settings to determine where to send resource and activity log data on the data platform.|

-|[Data collection rules](essentials/data-collection-rule-overview.md)|Use data collection rules to specify what data should be collected, how to transform that data, and where to send that data.|

-|[Application SDK](app/app-insights-overview.md)|Add the Application Insights SDK to your application code to receive, store, and explore your monitoring data. The SDK pre-processes telemetry and metrics before sending the data to Azure where it's ingested and processed further before being stored in Azure Monitor Logs.|

-|[Azure Monitor REST API](logs/logs-ingestion-api-overview.md)|The Logs Ingestion API in Azure Monitor lets you send data to a Log Analytics workspace from any REST API client.|

-|[Azure Monitor Agents](agents/agents-overview.md)|Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of Azure and hybrid virtual machines and delivers it to Azure Monitor for use by features, insights, and other services, such as Microsoft Sentinel and Microsoft Defender for Cloud.|

-|[Azure Monitor managed service for Prometheus](./essentials/prometheus-metrics-overview.md)|Azure Monitor managed service for Prometheus lets you to collect and analyze metrics at scale using a Prometheus-compatible monitoring solution, based on the [Prometheus](https://aka.ms/azureprometheus-promio) project from the Cloud Native Compute Foundation.

-For detailed information about data collection, see [data collection](./best-practices-data-collection.md).

-|Traces|Distributed traces identify the series of related events that follow a user request through a distributed system. A trace measures the operation and performance of your application across the entire set of components in your system. Traces can be used to determine the behavior of application code and the performance of different transactions. Azure Monitor gets distributed trace data from the Application Insights SDK. The trace data is stored in a separate workspace in Azure Monitor Logs.|

-## The Azure portal

-The Azure portal is a web-based, unified console that provides an alternative to command-line tools. With the Azure portal, you can manage your Azure subscription using a graphical user interface. You can build, manage, and monitor everything from simple web apps to complex cloud deployments in the portal.

-The Monitor section of the Azure portal provides a visual interface that gives you access to the data collected for Azure resources and an easy way to access the tools, insights, and visualizations in Azure Monitor.

-## Insights and Visualizations

-Insights and visualizations help increase your visibility into the operation of your computing environment. Some Azure resource providers have curated visualizations that provide a customized monitoring experience and require minimal configuration.

-Insights are large, scalable, curated visualizations. For more information, see List of insights and curated visualizations using Azure Monitor.

-The following table describes the three major insights:

-Visualizations such as charts and tables are effective tools for summarizing monitoring data and presenting it to different audiences. Azure Monitor has its own features for visualizing monitoring data and uses other Azure services for publishing it to different audiences.

-|[Power BI](logs/log-powerbi.md)|Power BI is a business analytics service that provides interactive visualizations across various data sources. It's an effective means of making data available to others within and outside your organization. You can configure Power BI to automatically import log data from Azure Monitor to take advantage of these visualizations.|

-## Analyze

-|[Log Analytics](logs/log-analytics-overview.md)|The Log Analytics user interface in the Azure portal helps you query the log data collected by Azure Monitor so that you can quickly retrieve, consolidate, and analyze collected data. After creating test queries, you can then directly analyze the data with Azure Monitor tools, or you can save the queries for use with visualizations or alert rules. Log Analytics workspaces are based on Azure Data Explorer, using a powerful analysis engine and the rich Kusto query language (KQL). Azure Monitor Logs uses a version of the Kusto Query Language suitable for simple log queries, and advanced functionality such as aggregations, joins, and smart analytics. You can [get started with KQL](logs/get-started-queries.md) quickly and easily.|

-|[Change Analysis](change/change-analysis.md)| The Change Analysis user interface in the Azure portal gives you insight into the cause of live site issues, outages, or component failures. Change Analysis uses the power of [Azure Resource Graph](../governance/resource-graph/overview.md) to detect various types of changes, from the infrastructure layer through application deployment. Change Analysis is a subscription-level Azure resource provider that checks resource changes in the subscription and provides data for diagnostic tools to help users understand what changes might have caused issues.|

-## Respond

-## Integrate

-You may need to integrate Azure Monitor with other systems or to build custom solutions that use your monitoring data. These Azure services work with Azure Monitor to provide integration capabilities.

-description: VM insights integration with Application Change Analysis integration allows you to view any changes made to a virtual machine that may have affected it performance.

-VM insights integration with [Application Change Analysis](../app/change-analysis.md) integration allows you to view any changes made to a virtual machine that may have affected it performance.

-Suppose you have a VM that beings running slow and want to investigate whether recent changes to its configuration could have affected its performance. You view the performance of the VM using VM insights and find that there is an increase in memory usage in the past hour. Change analysis can help you determine whether any configuration changes made around this time were the cause of this increase.

-The Application Change Analysis service aggregates changes from [Azure Resource Graph](../../governance/resource-graph/how-to/get-resource-changes.md) as well as nested properties changes such as network security rules from Azure Resource Manager.

-## Enabling change analysis

-To onboard change analysis in VM insights, you must register the *Microsoft.ChangeAnalysis* resource provider. The first time you launch VM insights or Application Change Analysis in the Azure portal, this resource provider will automatically be registered for you. Application Change Analysis is a free service that has no performance overhead on resources.

-Change analysis is available from the **Performance** or **Map** tab of VM insights by selecting the **Change** option.

-[](media/vminsights-change-analysis/investigate-changes-screenshot-zoom.png#lightbox)

-Click the **Investigate changes** button to launch the Application Change Analysis page filtered for the VM. You can review the listed changes to see if there are any that could have caused the issue. If you are unsure about a particular change, you can reference the **Change by** column to determine the person who made the change.

-[](media/vminsights-change-analysis/change-details-screenshot.png#lightbox)

-description: Describes how to enable VM insights for Azure virtual machines or Virtual Machine Scale Sets using Azure PowerShell.

-# Enable VM insights using PowerShell

-This article describes how to enable VM insights on Azure virtual machines using PowerShell. This procedure can be used for the following:

-> This article only applies to the Log Analytics agent. To enable VM insights with the Azure monitor agent, use other installation methods described in [Enable VM insights overview](vminsights-enable-overview.md).

-To enable VM insights for multiple VMs or Virtual Machine Scale Sets, use the PowerShell script [Install-VMInsights.ps1](https://www.powershellgallery.com/packages/Install-VMInsights), which is available from the Azure PowerShell Gallery. This script iterates through:

-For each virtual machine or Virtual Machine Scale Set, the script verifies whether the VM extension for the Log Analytics agent and Dependency agent is already installed. If both extensions are installed, the script tries to reinstall it. If both extensions aren't installed, the script installs them.

-Verify you're using Azure PowerShell module Az version 1.0.0 or later with `Enable-AzureRM` compatibility aliases enabled. Run `Get-Module -ListAvailable Az` to find the version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-az-ps). If you're running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.

-* See [Use VM insights Map](vminsights-maps.md) to view discovered application dependencies.

-description: Performance is a feature of the VM insights that automatically discovers application components on Windows and Linux systems and maps the communication between services. This article provides details on how to use it in a variety of scenarios.

-# How to chart performance with VM insights

-VM insights includes a set of performance charts that target several key performance indicators (KPIs) to help you determine how well a virtual machine is performing. The charts show resource utilization over a period of time so you can identify bottlenecks, anomalies, or switch to a perspective listing each machine to view resource utilization based on the metric selected. While there are numerous elements to consider when dealing with performance, VM insights monitors key operating system performance indicators related to processor, memory, network adapter, and disk utilization. Performance complements the health monitoring feature and helps expose issues that indicate a possible system component failure, support tuning and optimization to achieve efficiency, or support capacity planning.

-Following are limitations in performance collection with VM insights.

-From Azure Monitor, the Performance feature provides a view of all monitored VMs deployed across workgroups in your subscriptions or in your environment. To access from Azure Monitor, perform the following steps.

-1. In the Azure portal, select **Monitor**.

-2. Choose **Virtual Machines** in the **Solutions** section.

-3. Select the **Performance** tab.

-

-On the **Top N Charts** tab, if you have more than one Log Analytics workspace, choose the workspace enabled with the solution from the **Workspace** selector at the top of the page. The **Group** selector will return subscriptions, resource groups, [computer groups](../logs/computer-groups.md), and virtual machine scale sets of computers related to the selected workspace that you can use to further filter results presented in the charts on this page and across the other pages. Your selection only applies to the Performance feature and does not carry over to Health or Map.

-By default, the charts show the last 24 hours. Using the **TimeRange** selector, you can query for historical time ranges of up to 30 days to show how performance looked in the past.

-The five capacity utilization charts shown on the page are:

-* CPU Utilization % - shows the top five machines with the highest average processor utilization

-* Available Memory - shows the top five machines with the lowest average amount of available memory

-* Logical Disk Space Used % - shows the top five machines with the highest average disk space used % across all disk volumes

-* Bytes Sent Rate - shows the top five machines with highest average of bytes sent

-* Bytes Receive Rate - shows the top five machines with highest average of bytes received

-Clicking on the pin icon at the upper right-hand corner of any one of the five charts will pin the selected chart to the last Azure dashboard you last viewed. From the dashboard, you can resize and reposition the chart. Selecting the chart from the dashboard will redirect you to VM insights and load the correct scope and view.

-Clicking on the icon located to the left of the pin icon on any one of the five charts opens the **Top N List** view. Here you see the resource utilization for that performance metric by individual VM in a list view and which machine is trending highest.

-

-When you click on the virtual machine, the **Properties** pane is expanded on the right to show the properties of the item selected, such as system information reported by the operating system, properties of the Azure VM, etc. Clicking on one of the options under the **Quick Links** section will redirect you to that feature directly from the selected VM.

-

-Switch to the **Aggregated Charts** tab to view the performance metrics filtered by average or percentiles measures.

-

-* CPU Utilization % - defaults showing the average and top 95th percentile

-* Available Memory - defaults showing the average, top 5th, and 10th percentile

-* Logical Disk Space Used % - defaults showing the average and 95th percentile

-* Bytes Sent Rate - defaults showing average bytes sent

-* Bytes Receive Rate - defaults showing average bytes received

-To view the resource utilization by individual VM in a list view and see which machine is trending with highest utilization, select the **Top N List** tab. The **Top N List** page shows the top 20 machines sorted by the most utilized by 95th percentile for the metric *CPU Utilization %*. You can see more machines by selecting **Load More**, and the results expand to show the top 500 machines.

->The list cannot show more than 500 machines at a time.

-

-To filter the results on a specific virtual machine in the list, enter its computer name in the **Search by name** textbox.

-If you would rather view utilization from a different performance metric, from the **Metric** drop-down list select **Available Memory**, **Logical Disk Space Used %**, **Network Received Byte/s**, or **Network Sent Byte/s** and the list updates to show utilization scoped to that metric.

-Selecting a virtual machine from the list opens the **Properties** panel on the right-side of the page and from here you can select **Performance detail**. The **Virtual Machine Detail** page opens and is scoped to that VM, similar in experience when accessing VM Insights Performance directly from the Azure VM.

-To access directly from a virtual machine, perform the following steps.

-1. In the Azure portal, select **Virtual Machines**.

-2. From the list, choose a VM and in the **Monitoring** section choose **Insights**.

-3. Select the **Performance** tab.

-This page not only includes performance utilization charts, but also a table showing for each logical disk discovered, its capacity, utilization, and total average by each measure.

-* CPU Utilization % - defaults showing the average and top 95th percentile

-* Available Memory - defaults showing the average, top 5th, and 10th percentile

-* Logical Disk Space Used % - defaults showing the average and 95th percentile

-* Logical Disk IOPS - defaults showing the average and 95th percentile

-* Logical Disk MB/s - defaults showing the average and 95th percentile

-* Max Logical Disk Used % - defaults showing the average and 95th percentile

-* Bytes Sent Rate - defaults showing average bytes sent

-* Bytes Receive Rate - defaults showing average bytes received

-Clicking on the pin icon at the upper right-hand corner of any one of the charts pins the selected chart to the last Azure dashboard you viewed. From the dashboard, you can resize and reposition the chart. Selecting the chart from the dashboard redirects you to VM insights and loads the performance detail view for the VM.

-

-To access directly from an Azure virtual machine scale set, perform the following steps.

-2. From the list, choose a VM and in the **Monitoring** section choose **Insights** to view the **Performance** tab.

-This page loads the Azure Monitor performance view, scoped to the selected scale set. This enables you to see the Top N Instances in the scale set across the set of monitored metrics, view the aggregate performance across the scale set, and see the trends for selected metrics across the individual instances n the scale set. Selecting an instance from the list view lets you load it's map or navigate into a detailed performance view for that instance.

-Clicking on the pin icon at the upper right-hand corner of any one of the charts pins the selected chart to the last Azure dashboard you viewed. From the dashboard, you can resize and reposition the chart. Selecting the chart from the dashboard redirects you to VM insights and loads the performance detail view for the VM.

-

->You can also access a detailed performance view for a specific instance from the Instances view for your scale set. Navigate to **Instances** under the **Settings** section, and then choose **Insights**.

-# Create interactive reports VM insights with workbooks

-Workbooks combine text,ΓÇ»[log queries](/azure/data-explorer/kusto/query/), metrics, and parameters into rich interactive reports. Workbooks are editable by any other team members who have access to the same Azure resources.

-Workbooks are helpful for scenarios such as:

-* Exploring the usage of your virtual machine when you don't know the metrics of interest in advance: CPU utilization, disk space, memory, network dependencies, etc. Unlike other usage analytics tools, workbooks let you combine multiple kinds of visualizations and analyses, making them great for this kind of free-form exploration.

-* Explaining to your team how a recently provisioned VM is performing, by showing metrics for key counters and other log events.

-* Sharing the results of a resizing experiment of your VM with other members of your team. You can explain the goals for the experiment with text, then show each usage metric and analytics queries used to evaluate the experiment, along with clear call-outs for whether each metric was above- or below-target.

-* Reporting the impact of an outage on the usage of your VM, combining data, text explanation, and a discussion of next steps to prevent outages in the future.

-VM insights includes the following workbooks. You can use these workbooks or use them as a start to create custom workbooks to address your particular requirements.

-| Performance | Provides a customizable version of the Performance view that leverages all of the Log Analytics performance counters that you have enabled. |

-| Connections | Connections provides an in-depth view of the inbound and outbound connections from your VM. |

-| Performance | Provides a customizable version of the Top N List and Charts view in a single workbook that leverages all of the Log Analytics performance counters that you have enabled.|

-| Performance counters | A Top N chart view across a wide set of performance counters. |

-| Connections | Connections provides an in-depth view of the inbound and outbound connections from your monitored VMs. |

-| Active Ports | Provides a list of the processes that have bound to the ports on the monitored VMs and their activity in the chosen timeframe. |

-| Failed Connections | Display the count of failed connections on your monitored VMs, the failure trend, and if the percentage of failures is increasing over time. |

-| Security and Audit | An analysis of your TCP/IP traffic that reports on overall connections, malicious connections, where the IP endpoints reside globally. To enable all features, you will need to enable Security Detection. |

-| Traffic Comparison | This workbook lets you compare network traffic trends for a single machine or a group of machines. |

-## Creating a new workbook

-A workbook is made up of sections consisting of independently editable charts, tables, text, and input controls. To better understand workbooks, let's start by opening a template and walk through creating a custom workbook.

-2. Select a virtual machine.

-3. On the VM insights page, select **Performance** or **Maps** tab and then select **View Workbooks** from the link on the page. From the drop-down list, select **Go to Gallery**.

- :::image type="content" source="media/vminsights-workbooks/workbook-dropdown-gallery-01.png" lightbox="media/vminsights-workbooks/workbook-dropdown-gallery-01.png" alt-text="Screenshot of workbook drop-down list in V M insights.":::

- This launches the workbook gallery with a number of prebuilt workbooks to help you get started.

-7. Create a new workbook by selecting **New**.

-## Editing workbook sections

-Workbooks have two modes: **editing mode**, and **reading mode**. When a new workbook is first launched, it opens in **editing mode**. It shows all the content of the workbook, including any steps and parameters that are otherwise hidden. **Reading mode** presents a simplified report style view. Reading mode allows you to abstract away the complexity that went into creating a report while still having the underlying mechanics only a few clicks away when needed for modification.

-

-1. When you're done editing a section, click **Done Editing** in the bottom-left corner of the section.

-2. To create a duplicate of a section, click the **Clone this section** icon. Creating duplicate sections is a great to way to iterate on a query without losing previous iterations.

-3. To move up a section in a workbook, click the **Move up** or **Move down** icon.

-4. To remove a section permanently, click the **Remove** icon.

-## Adding text and Markdown sections

-Adding headings, explanations, and commentary to your workbooks helps turn a set of tables and charts into a narrative. Text sections in workbooks support the [Markdown syntax](https://daringfireball.net/projects/markdown/) for text formatting, like headings, bold, italics, and bulleted lists.

-To add a text section to your workbook, use the **Add text** button at the bottom of the workbook, or at the bottom of any section.

-## Adding query sections

-

-To add query section to your workbook, use the **Add query** button at the bottom of the workbook, or at the bottom of any section.

-* How many network connection failures did my VM experience over the last two weeks?

-You also aren't only limited to querying from the context of the virtual machine you launched the workbook from. You can query across multiple virtual machines, as well as Log Analytics workspaces, as long as you have access permission to those resources.

-To include data from other Log Analytics workspaces or from a specific Application Insights app using the **workspace** identifier. To learn more about cross-resource queries, refer to the [official guidance](../logs/cross-workspace-query.md).

-Each section has its own advanced settings, which are accessible via the settings  icon located to the right of the **Add parameters** button.

-

-| Custom width | Makes an item an arbitrary size, so you can fit many items on a single line allowing you to better organize your charts and tables into rich interactive reports. |

-| Conditionally visible | Specify to hide steps based on a parameter when in reading mode. |

-| Export a parameter| Allow a selected row in the grid or chart to cause later steps to change values or become visible. |

-| Show query when not editing | Displays the query above the chart or table even when in reading mode.

-| Show open in analytics button when not editing | Adds the blue Analytics icon to the right-hand corner of the chart to allow one-click access.|

-Most of these settings are fairly intuitive, but to understand **Export a parameter** it is better to examine a workbook that makes use of this functionality.

-One of the prebuilt workbooks - **TCP Traffic**, provides information on connection metrics from a VM.

-The first section of the workbook is based on log query data. The second section is also based on log query data, but selecting a row in the first table will interactively update the contents of the charts:

-

-

-The second log query then utilizes the exported values when a row is selected to create a set of values that are then used by the section heading and charts. If no row is selected, it hides the section heading and charts.

-## Adding metrics sections

-Metrics sections give you full access to incorporate Azure Monitor metrics data into your interactive reports. In VM insights, the prebuilt workbooks will typically contain analytic query data rather than metric data. You may choose to create workbooks with metric data, allowing you to take full advantage of the best of both features all in one place. You also have the ability to pull in metric data from resources in any of the subscriptions you have access to.

-Here is an example of virtual machine data being pulled into a workbook to provide a grid visualization of CPU performance:

-

-## Adding parameter sections

-The values of parameters are replaced in query, text or other parameter sections by putting the name of the parameter in braces, like ``{parameterName}``. Parameter names are limited to similar rules as JavaScript identifiers, alphabetic characters or underscores, followed by alphanumeric characters or underscores. For example, **a1** is allowed, but **1a** is not allowed.

-Parameters are linear, starting from the top of a workbook and flowing down to later steps. Parameters declared later in a workbook can override parameters that were declared earlier. This also lets parameters that use queries to access the values from parameters defined earlier. Within a parameter's step itself, parameters are also linear, left to right, where parameters to the right can depend on a parameter declared earlier in that same step.

-

-There are four different types of parameters, which are currently supported:

-| Text | Allows the user to edit a text box, and you can optionally supply a query to fill in the default value. |

-| Time range picker| Allows the user to choose from a predefined set of time range values, or pick from a custom time range.|

-### Using a text parameter

-The value a user types in the text box is replaced directly in the query, with no escaping or quoting. If the value you need is a string, the query should have quotes around the parameter (like **'{parameter}'**).

-The text parameter allows the value in a text box to be used anywhere. It can be a table name, column name, function name, operator, etc. The text parameter type has a setting **Get default value from analytics query**, which allows the workbook author to use a query to populate the default value for that text box.

-When using the default value from a log query, only the first value of the first row (row 0, column 0) is used as the default value. Therefore it is recommended to limit your query to return just one row and one column. Any other data returned by the query is ignored.

-Whatever value the query returns will be replaced directly with no escaping or quoting. If the query returns no rows, the result of the parameter is either an empty string (if the parameter is not required) or undefined (if the parameter is required).

-### Using a drop-down

-The dropdown parameter type lets you create a drop-down control, allowing the selection of one or many values.

-The dropdown is populated by a log query or JSON. If the query returns one column, the values in that column are both the value and the label in the drop-down control. If the query returns two columns, the first column is the value, and the second column is the label shown in the drop-down. If the query returns three columns, the third column is used to indicate the default selection in that drop-down. This column can be any type, but the simplest is to use bool or numeric types, where 0 is false, and 1 is true.

-If the column is a string type, null/empty string is considered false, and any other value is considered true. For single selection drop-downs, the first value with a true value is used as the default selection. For multiple selection drop-downs, all values with a true value are used as the default selected set. The items in the drop-down are shown in whatever order the query returned rows.

-Let's look at the parameters present in the Connections Overview report. Click the edit symbol next to **Direction**.

-

-This will launch the **Edit Parameter** menu item.

-

-The JSON lets you generate an arbitrary table populated with content. For example, the following JSON generates two values in the drop-down:

-A more applicable example is using a drop-down to pick from a set of performance counters by name:

-The query will display results as follows:

-

-Drop-downs are incredibly powerful tools for customizing and creating interactive reports.

-While you can make your own custom time range parameter via the dropdown parameter type, you can also use the out-of-box time range parameter type if you don't need the same degree of flexibility.

-Time range parameter types have 15 default ranges that go from five minutes to the last 90 days. There is also an option to allow custom time range selection, which allows the operator of the report to choose explicit start and stop values for the time range.

-The resource picker parameter type gives you the ability to scope your report to certain types of resources. An example of a prebuilt workbook that leverages the resource picker type is the **Performance** workbook.

-

-## Saving and sharing workbooks with your team

-Workbooks are saved within a Log Analytics Workspace or a virtual machine resource, depending on how you access the workbooks gallery. The workbook can be saved to the **My Reports** section that's private to you or in the **Shared Reports** section that's accessible to everyone with access to the resource. To view all the workbooks in the resource, click the **Open** button in the action bar.

-1. Click **Open** in the action bar

-2. Click the "..." button beside the workbook you want to share

-3. Click **Move to Shared Reports**.

-To share a workbook with a link or via email, click **Share** in the action bar. Keep in mind that recipients of the link need access to this resource in the Azure portal to view the workbook. To make edits, recipients need at least Contributor permissions for the resource.

-To pin a link to a workbook to an Azure Dashboard:

-1. Click **Open** in the action bar

-2. Click the "..." button beside the workbook you want to pin

-3. Click **Pin to dashboard**.

-On this page, you can search, filter, and sort support requests. Select a support request to view details, including its severity and any messages associated with the request.

-1. On the **Support Request** page, select **Change**.

-1. On the **Support Request** page, look for **Advanced diagnostic information** and then select **Change**.

-1. Select **Yes** or **No**, then select **OK** to confirm.

-1. On the **Support Request** page, select the **File upload** box, then browse to find your file and select **Upload**.

-To close a support request, [send a message](#send-a-message) and let us know you'd like to close the request.

-To reopen a closed support request, create a [new message](#send-a-message), which automatically reopens the request.

-$mrgprefix = 'rg-sampleManagedApplication-'

-The `$mrgprefix` and `$mrgtimestamp` variables are concatenated to create a managed resource group name like _rg-sampleManagedApplication-20230310100148_ that's stored in the `$mrgname` variable. The name's format `rg-{definitionName}-{dateTime}` is the same format as the portal's default value. You use the `$mrgname` variable's value when you deploy the managed application.

-mrgprefix='rg-sampleManagedApplication-'

-The `mrgprefix` and `mrgtimestamp` variables are concatenated to create a managed resource group name like _rg-sampleManagedApplication-20230310100148_ that's stored in the `mrgname` variable. The name's format:`rg-{definitionName}-{dateTime}` is the same format as the portal's default value. The `mrgname` and `subid` variable's are concatenated to create the `mrgpath` variable value that creates the managed resource group during the deployment.

- - **Application resources Resource group name**: The name of the managed resource group that contains the resources that are deployed for the managed application. The default name is in the format `rg-{definitionName}-{dateTime}` but you can change the name.

-Go to the managed resource group with the name prefix **rg-sampleManagedApplication** and select **Overview** to display the resources that were deployed. The resource group contains an App Service, App Service plan, and storage account.

-1. Go to your **rg-sampleManagedApplication** resource group.

-When you're finished with the managed application, you can delete the resource groups and that removes all the resources you created. For example, in this quickstart you created the resource groups _applicationGroup_ and a managed resource group with the prefix _rg-sampleManagedApplication_.

-description: Describes how to create and publish an Azure Managed Application in your service catalog that's intended for members of your organization.

-In this section you get identity information from Azure Active Directory, create a resource group, and create the managed application definition.

-# [PowerShell](#tab/azure-powershell)

-# [Azure CLI](#tab/azure-cli)

-```azurecli

-principalid=$(az ad group show --group managedAppDemo --query id --output tsv)

-Next, get the role definition ID of the Azure built-in role you want to grant access to the user, group, or application. You use this variable's value when you deploy the managed application definition.

-# [PowerShell](#tab/azure-powershell)

-```azurepowershell

-$roleid=(Get-AzRoleDefinition -Name Owner).Id

-# [Azure CLI](#tab/azure-cli)

-### Create the managed application definition

-Create a resource group for your managed application definition.

-# [Azure CLI](#tab/azure-cli)

-```azurecli

-az group create --name appDefinitionGroup --location westus3

-```

-Create the managed application definition in the resource group.

-The `blob` command that's run from Azure PowerShell or Azure CLI creates a variable that's used to get the URL for the package _.zip_ file. That variable is used in the command that creates the managed application definition.

-# [PowerShell](#tab/azure-powershell)

-In the `blob` command's `account-name` parameter, replace the placeholder `demostorageaccount` with your unique storage account name.

- - **Azure PowerShell**: `"${principalid}:$roleid"` or you can use curly braces for each variable `"${principalid}:${roleid}"`. Use a comma to separate multiple values: `"${principalid1}:$roleid1", "${principalid2}:$roleid2"`.

- - **Azure CLI**: `"$principalid:$roleid"` or you can use curly braces as shown in PowerShell. Use a space to separate multiple values: `"$principalid1:$roleid1" "$principalid2:$roleid2"`.

-You've published the managed application definition. Now, learn how to deploy an instance of that definition.

-> This article focuses on how to pass a sensitive value as a template parameter. When the secret is passed as a parameter, the key vault can exist in a different subscription than the resource group you're deploying to.

-1. [Download the latest .zip file](https://aka.ms/arm-ttk-latest) for the test toolkit and extract it.

-1. [Download the latest .zip file](https://aka.ms/arm-ttk-latest) for the test toolkit and extract it.

-1. [Download the latest .zip file](https://aka.ms/arm-ttk-latest) for the test toolkit and extract it.

-In this article, we demonstrate options of connecting your **existing** Azure Video Indexer account to an [ARM][docs-arm-overview]-based account.

-[Disaster recovery](video-indexer-disaster-recovery.md)

-> * Export the certificate for LDAPS authentication

-> * Upload the LDAPS certificate to blob storage and generate a SAS URL

- - [Export the certificate for LDAPS authentication](#export-the-certificate-for-ldaps-authentication) and upload it to an Azure Storage account as blob storage. Then, you'll need to [grant access to Azure Storage resources using shared access signature (SAS)](../storage/common/storage-sas-overview.md).

-## Export the certificate for LDAPS authentication

-## Upload the LDAPS certificate to blob storage and generate a SAS URL

- | **CertificateSAS** | Path to SAS strings with the certificates for authentication to the AD source. If you're using multiple certificates, separate each SAS string with a comma. For example, **pathtocert1,pathtocert2**. |

-Azure Web PubSub service works as a data processor service and doesn't store any customer data. Azure Web PubSub service processes customer data within the region the customer deploys the service instance in. If you use Azure Web PubSub service together with other Azure services, like Azure Storage for diagnostics, see [this white paper](https://azure.microsoft.com/resources/achieving-compliant-data-residency-and-security-with-azure/) for guidance about how to keep data residency in Azure regions.

-Enhanced soft delete is currently available in the following regions: East US, West US, West US 2, West Central US, Japan East, Brazil South, Australia East, and North Europe.

-# Overview: Generate alt text of images with Image Analysis

-Grow your customer base by making your products and services more accessible. Generate a description of an image in human-readable language, using complete sentences. Computer Vision's algorithms generate various descriptions based on the objects identified in the image. The descriptions are each evaluated, and a confidence score is generated. You then get the list of descriptions, ordered from highest confidence score to lowest.

-## Image captioning example

-The following screenshot is an example of automatically generated alt text for an image.

-## Adding alt text to images

-Alternative text (alt text) is descriptive text that conveys the meaning and context of a visual item in a digital setting, such as on an app or web page. When screen readers such as Microsoft Narrator, JAWS, and NVDA reach digital content with alt text, they read the alt text aloud, allowing people to better understand what is on the screen. Well written, descriptive alt text dramatically reduces ambiguity and improves the user experience. Alt text needs to convey the purpose and meaning of an image, which requires understanding and interpretation in addition to object detection.

-## Key features

-## Benefits for your business

-Accessibility is the design of products, devices, services, vehicles, or environments to be usable by people with disabilities. Accessibility has been an increasingly important topic in product and service development as it makes digital experiences available to more people in the world. Accessibility will boost your business in multiple ways:

-

-## Next Steps

-The following tutorial provides a complete solution to generate alternative text of images on web applications.

-> [!div class="nextstepaction"]

-> [Tutorial: Use Computer Vision to generate image metadata](./Tutorials/storage-lab-tutorial.md)

-description: Walkthrough on how to get started with Azure OpenAI Service ChatGPT API.

-# Quickstart: Get started using ChatGPT with Azure OpenAI Service

-| [GPT-3](#gpt-3-models) | A series of models that can understand and generate natural language. This includes the new [ChatGPT model](#chatgpt-gpt-35-turbo). |

-We recommend starting with the most capable model in a model family to confirm whether the model capabilities meet your requirements. Then you can stay with that model or move to a model with lower capability and cost, optimizing around that model's capabilities.

-### ChatGPT (gpt-35-turbo)

-The ChatGPT model uses the same completion API that you use for other models like text-davinci-002, but it requires a unique prompt format. It's important to use the new prompt format to get the best results. Without the right prompts, the model tends to be verbose and provides less useful responses. To learn more check out our [in-depth how-to](../how-to/chatgpt.md).

-| text-davinci-003 | Yes | No | East US | N/A | 4,097 | Jun 2021 |

-| gpt-35-turbo³ (ChatGPT) | Yes | No | N/A | East US, South Central US | 4,096 | Sep 2021

-<br>³ Currently, only version `"0301"` of this model is available. This version of the model will be deprecated on 8/1/2023 in favor of newer version of the gpt-35-model. See [ChatGPT model versioning](../how-to/chatgpt.md#model-versioning) for more details.

-| text-embeddings-ada-002 | No | Yes | East US, South Central US, West Europe | N/A |2,046 | Sep 2021 |

-description: Learn how to work with Chat Markup Language (preview)

-# Learn how to work with Chat Markup Language (preview)

-The ChatGPT model (`gpt-35-turbo`) is a language model designed for conversational interfaces and the model behaves differently than previous GPT-3 models. Previous models were text-in and text-out, meaning they accepted a prompt string and returned a completion to append to the prompt. However, the ChatGPT model is conversation-in and message-out. The model expects a prompt string formatted in a specific chat-like transcript format, and returns a completion that represents a model-written message in the chat. While the prompt format was designed specifically for multi-turn conversations, you'll find it can also work well for non-chat scenarios too.

-The ChatGPT model can be used with the same [completion API](../reference.md#completions) that you use for other models like text-davinci-002, but it requires a unique prompt format known as Chat Markup Language (ChatML). It's important to use the new prompt format to get the best results. Without the right prompts, the model tends to be verbose and provides less useful responses.

-## Working with the ChatGPT model

-The following code snippet shows the most basic way to use the ChatGPT model. We also have a UI driven experience that you can learn about in the [ChatGPT Quickstart](../chatgpt-quickstart.md).

-```python

-import os

-import openai

-openai.api_type = "azure"

-openai.api_base = "https://{your-resource-name}.openai.azure.com/"

-openai.api_version = "2022-12-01"

-openai.api_key = os.getenv("OPENAI_API_KEY")

-response = openai.Completion.create(

- engine="gpt-35-turbo",

- prompt="<|im_start|>system\nAssistant is a large language model trained by OpenAI.\n<|im_end|>\n<|im_start|>user\nWhat's the difference between garbanzo beans and chickpeas?\n<|im_end|>\n<|im_start|>assistant\n",

- temperature=0,

- max_tokens=500,

- top_p=0.5,

- stop=["<|im_end|>"])

-print(response['choices'][0]['text'])

-```

-> [!NOTE]

-> The following parameters aren't available with the gpt-35-turbo model: `logprobs`, `best_of`, and `echo`. If you set any of these parameters, you'll get an error.

-The `<|im_end|>` token indicates the end of a message. We recommend including `<|im_end|>` token as a stop sequence to ensure that the model stops generating text when it reaches the end of the message. You can read more about the special tokens in the [Chat Markup Language (ChatML)](#chatml) section.

-Consider setting `max_tokens` to a slightly higher value than normal such as 300 or 500. This ensures that the model doesn't stop generating text before it reaches the end of the message.

-## Model versioning

-> [!NOTE]

-> `gpt-35-turbo` is equivalent to the `gpt-3.5-turbo` model from OpenAI.

-Unlike previous GPT-3 and GPT-3.5 models, the `gpt-35-turbo` model will continue to be updated. When creating a [deployment](./create-resource.md#deploy-a-model) of `gpt-35-turbo`, you'll also need to specify a model version.

-Currently, only version `"0301"` is available. This is equivalent to the `gpt-3.5-turbo-0301` model from OpenAI. We'll continue to make updated versions available in the future. You can find model deprecation times on our [models](../concepts/models.md) page.

-One thing that's important to note is that Chat Markup Language (ChatML) will continue to evolve with the new versions of the model. You may need to make updates to your prompts when you upgrade to a new version of the model.

-<a id="chatml"></a>

-## Working with Chat Markup Language (ChatML)

-> [!NOTE]

-> OpenAI continues to improve the `gpt-35-turbo` model and the Chat Markup Language used with the model will continue to evolve in the future. We'll keep this document updated with the latest information.

-OpenAI trained the gpt-35-turbo model on special tokens that delineate the different parts of the prompt. The prompt starts with a system message that is used to prime the model followed by a series of messages between the user and the assistant.

-The format of a basic ChatML prompt is as follows:

-```

-<|im_start|>system

-Provide some context and/or instructions to the model.

-<|im_end|>

-<|im_start|>user

-The userΓÇÖs message goes here

-<|im_end|>

-<|im_start|>assistant

-```

-### System message

-The system message is included at the beginning of the prompt between the `<|im_start|>system` and `<|im_end|>` tokens. This message provides the initial instructions to the model. You can provide various information in the system message including:

-* A brief description of the assistant

-* Personality traits of the assistant

-* Instructions or rules you would like the instructions to follow

-* Data or information needed for the model, such as relevant questions from an FAQ

-You can customize the system message for your use case or just include a basic system message. The system message is optional, but it's recommended to at least include a basic one to get the best results.

-### Messages

-After the system message, you can include a series of messages between the **user** and the **assistant**. Each message should begin with the `<|im_start|>` token followed by the role (`user` or `assistant`) and end with the `<|im_end|>` token.

-```

-<|im_start|>user

-What is thermodynamics?

-<|im_end|>

-```

-To trigger a response from the model, the prompt should end with `<|im_start|>assistant` token indicating that it's the assistant's turn to respond. You can also include messages between the user and the assistant in the prompt as a way to do few shot learning.

-### Prompt examples

-The following section shows examples of different styles of prompts that you could use with the ChatGPT model. These examples are just a starting point, and you can experiment with different prompts to customize the behavior for your own use cases.

-#### Basic example

-If you want the ChatGPT model to behave similarly to [chat.openai.com](https://chat.openai.com/), you can use a basic system message like "Assistant is a large language model trained by OpenAI."

-```

-<|im_start|>system

-Assistant is a large language model trained by OpenAI.

-<|im_end|>

-<|im_start|>user

-What's the difference between garbanzo beans and chickpeas?

-<|im_end|>

-<|im_start|>assistant

-```

-#### Example with instructions

-For some scenarios, you may want to give additional instructions to the model to define guardrails for what the model is able to do.

-```

-<|im_start|>system

-Assistant is an intelligent chatbot designed to help users answer their tax related questions.

-Instructions:

-<|im_end|>

-<|im_start|>user

-When are my taxes due?

-<|im_end|>

-<|im_start|>assistant

-```

-#### Using data for grounding

-You can also include relevant data or information in the system message to give the model extra context for the conversation. If you only need to include a small amount of information, you can hard code it in the system message. If you have a large amount of data that the model should be aware of, you can use [embeddings](../tutorials/embeddings.md?tabs=command-line) or a product like [Azure Cognitive Search](https://azure.microsoft.com/services/search/) to retrieve the most relevant information at query time.

-```

-<|im_start|>system

-Assistant is an intelligent chatbot designed to help users answer technical questions about Azure OpenAI Serivce. Only answer questions using the context below and if you're not sure of an answer, you can say "I don't know".

-Context:

-<|im_end|>

-<|im_start|>user

-What is Azure OpenAI Service?

-<|im_end|>

-<|im_start|>assistant

-```

-#### Few shot learning with ChatML

-You can also give few shot examples to the model. The approach for few shot learning has changed slightly because of the new prompt format. You can now include a series of messages between the user and the assistant in the prompt as few shot examples. These examples can be used to seed answers to common questions to prime the model or teach particular behaviors to the model.

-This is only one example of how you can use few shot learning with ChatGPT. You can experiment with different approaches to see what works best for your use case.

-```

-<|im_start|>system

-Assistant is an intelligent chatbot designed to help users answer their tax related questions.

-<|im_end|>

-<|im_start|>user

-When do I need to file my taxes by?

-<|im_end|>

-<|im_start|>assistant

-In 2023, you will need to file your taxes by April 18th. The date falls after the usual April 15th deadline because April 15th falls on a Saturday in 2023. For more details, see https://www.irs.gov/filing/individuals/when-to-file

-<|im_end|>

-<|im_start|>user

-How can I check the status of my tax refund?

-<|im_end|>

-<|im_start|>assistant

-You can check the status of your tax refund by visiting https://www.irs.gov/refunds

-<|im_end|>

-```

-#### Using Chat Markup Language for non-chat scenarios

-ChatML is designed to make multi-turn conversations easier to manage, but it also works well for non-chat scenarios.

-For example, for an entity extraction scenario, you might use the following prompt:

-```

-<|im_start|>system

-You are an assistant designed to extract entities from text. Users will paste in a string of text and you will respond with entities you've extracted from the text as a JSON object. Here's an example of your output format:

-{

- "name": "",

- "company": "",

- "phone_number": ""

-}

-<|im_end|>

-<|im_start|>user

-Hello. My name is Robert Smith. IΓÇÖm calling from Contoso Insurance, Delaware. My colleague mentioned that you are interested in learning about our comprehensive benefits policy. Could you give me a call back at (555) 346-9322 when you get a chance so we can go over the benefits?

-<|im_end|>

-<|im_start|>assistant

-```

-## Preventing unsafe user inputs

-It's important to add mitigations into your application to ensure safe use of the Chat Markup Language.

-We recommend that you prevent end-users from being able to include special tokens in their input such as `<|im_start|>` and `<|im_end|>`. We also recommend that you include additional validation to ensure the prompts you're sending to the model are well formed and follow the Chat Markup Language format as described in this document.

-You can also provide instructions in the system message to guide the model on how to respond to certain types of user inputs. For example, you can instruct the model to only reply to messages about a certain subject. You can also reinforce this behavior with few shot examples.

-## Managing conversations with ChatGPT

-The token limit for `gpt-35-turbo` is 4096 tokens. This limit includes the token count from both the prompt and completion. The number of tokens in the prompt combined with the value of the `max_tokens` parameter must stay under 4096 or you'll receive an error.

-ItΓÇÖs your responsibility to ensure the prompt and completion falls within the token limit. This means that for longer conversations, you need to keep track of the token count and only send the model a prompt that falls within the token limit.

-The following code sample shows a simple example of how you could keep track of the separate messages in the conversation.

-```python

-import os

-import openai

-openai.api_type = "azure"

-openai.api_base = "https://{your-resource-name}.openai.azure.com/"

-openai.api_version = "2022-12-01"

-openai.api_key = os.getenv('api_key')

-# defining a function to create the prompt from the system message and the conversation messages

-def create_prompt(system_message, messages):

- prompt = system_message

- for message in messages:

- prompt += f"\n<|im_start|>{message['sender']}\n{message['text']}\n<|im_end|>"

- prompt += "\n<|im_start|>assistant\n"

- return prompt

-# defining the user input and the system message

-user_input = "<your user input>"

-system_message = f"<|im_start|>system\n{'<your system message>'}\n<|im_end|>"

-# creating a list of messages to track the conversation

-messages = [{"sender": "user", "text": user_input}]

-response = openai.Completion.create(

- engine="gpt-35-turbo",

- prompt=create_prompt(system_message, messages),

- temperature=0.5,

- max_tokens=250,

- top_p=0.9,

- frequency_penalty=0,

- presence_penalty=0,

- stop=['<|im_end|>']

-)

-messages.append({"sender": "assistant", "text": response['choices'][0]['text']})

-print(response['choices'][0]['text'])

-```

-## Staying under the token limit

-The simplest approach to staying under the token limit is to truncate the oldest messages in the conversation when you reach the token limit.

-You can choose to always include as many tokens as possible while staying under the limit or you could always include a set number of previous messages assuming those messages stay within the limit. It's important to keep in mind that longer prompts take longer to generate a response and incur a higher cost than shorter prompts.

-You can estimate the number of tokens in a string by using the [tiktoken](https://github.com/openai/tiktoken) Python library as shown below.

-```python

-import tiktoken

-cl100k_base = tiktoken.get_encoding("cl100k_base")

-enc = tiktoken.Encoding(

- name="gpt-35-turbo",

- pat_str=cl100k_base._pat_str,

- mergeable_ranks=cl100k_base._mergeable_ranks,

- special_tokens={

- **cl100k_base._special_tokens,

- "<|im_start|>": 100264,

- "<|im_end|>": 100265

- }

-)

-tokens = enc.encode(

- "<|im_start|>user\nHello<|im_end|><|im_start|>assistant",

- allowed_special={"<|im_start|>", "<|im_end|>"}

-)

-assert len(tokens) == 7

-assert tokens == [100264, 882, 198, 9906, 100265, 100264, 78191]

-```

-## Next steps

-* [Learn more about Azure OpenAI](../overview.md).

-* Get started with the ChatGPT model with [the ChatGPT quickstart](../chatgpt-quickstart.md).

-* For more examples check out the [Azure OpenAI Samples GitHub repository](https://github.com/Azure/openai-samples)

-| Models available | GPT-3 base series <br>**New ChatGPT (gpt-35-turbo)**<br> Codex series <br> Embeddings series <br> Learn more in our [Models](./concepts/models.md) page.|

-Azure OpenAI Service gives customers advanced language AI with OpenAI GPT-3, Codex, and DALL-E models with the security and enterprise promise of Azure. Azure OpenAI co-develops the APIs with OpenAI, ensuring compatibility and a smooth transition from one to the other.

-The service provides users access to several different models. Each model provides a different capability and price point. The GPT-3 base models are known as Davinci, Curie, Babbage, and Ada in decreasing order of capability and increasing order of speed.

-| Requests per minute per model* | Davinci-models (002 and later): 120 <br> ChatGPT model: 300 <br> All other models: 300|

-This article provides details on the REST API endpoints for Azure OpenAI, a service in the Azure Cognitive Services suite. The REST APIs are broken up into two categories:

-* **Management APIs**: The Azure Resource Manager (ARM) provides the management layer in Azure that allows you to create, update and delete resource in Azure. All services use a common structure for these operations. [Learn More](../../azure-resource-manager/management/overview.md)

-* **Service APIs**: Azure OpenAI provides you with a set of REST APIs for interacting with the resources & models you deploy via the Management APIs.

-## Management APIs

-Azure OpenAI is deployed as a part of the Azure Cognitive Services. All Cognitive Services rely on the same set of management APIs for creation, update and delete operations. The management APIs are also used for deploying models within an OpenAI resource.

-[**Management APIs reference documentation**](/rest/api/cognitiveservices/)

-We currently have the following versions available: ```2022-12-01```

-| ```deployment-id``` | string | Required | The name of your model deployment. You're required to first deploy a model before you can make calls |

-| ```max_tokens``` | integer | Optional | 16 | The maximum number of tokens to generate in the completion. The token count of your prompt plus max_tokens can't exceed the model's context length. Most models have a context length of 2048 tokens (except davinci-codex, which supports 4096). |

-| ```logit_bias``` | map | Optional | null | Modify the likelihood of specified tokens appearing in the completion. Accepts a json object that maps tokens (specified by their token ID in the GPT tokenizer) to an associated bias value from -100 to 100. You can use this tokenizer tool (which works for both GPT-2 and GPT-3) to convert text to token IDs. Mathematically, the bias is added to the logits generated by the model prior to sampling. The exact effect will vary per model, but values between -1 and 1 should decrease or increase likelihood of selection; values like -100 or 100 should result in a ban or exclusive selection of the relevant token. As an example, you can pass {"50256": -100} to prevent the <\|endoftext\|> token from being generated. |

-Get a vector representation of a given input that can be easily consumed by machine learning models and other algorithms.

-curl https://YOUR_RESOURCE_NAME.openai.azure.com/openai/deployments/YOUR_DEPLOYMENT_NAME/embeddings?api-version=2022-12-01\

-Learn about [managing deployments, models, and finetuning with the REST API](/rest/api/cognitiveservices/azureopenaistable/deployments/create).

-Learn more about the [underlying models that power Azure OpenAI](./concepts/models.md).

-For your Communications Services logs, we've provided a useful [default query pack](../../../azure-monitor/logs/query-packs.md#default-query-pack) to provide an initial set of insights to quickly analyze and understand your data. These query packs are described here: [Log Analytics for Communications Services](log-analytics.md). We've also created many insights and visualizations using workbooks, which are described in: [Workbooks for Communications Services logs](insights.md).

-description: Descriptions of data visualizations available for Communications Services via Workbooks

-# Communications Services Insights Preview

-## Overview

-Within your Communications Resource, we have provided an **Insights Preview** feature that displays a number of data visualizations conveying insights from the Azure Monitor logs and metrics monitored for your Communications Services. The visualizations within Insights are made possible via [Azure Monitor Workbooks](../../../azure-monitor/visualize/workbooks-overview.md). In order to take advantage of Workbooks, follow the instructions outlined in [Enable Azure Monitor in Diagnostic Settings](enable-logging.md), and to enable Workbooks, you will need to send your logs to a [Log Analytics workspace](../../../azure-monitor/logs/log-analytics-overview.md) destination.

-## Accessing Azure Insights for Communication Services

-1. From the **Azure Portal** homepage, select your **Communication Service** resource:

- :::image type="content" source="media\workbooks\azure-portal-home-browser.png" alt-text="Azure Portal Home":::

-2. Once you are inside your resource, scroll down on the left nav bar to the **Monitor** category and click on the **Insights** tab:

- :::image type="content" source="media\workbooks\acs-insights-nav.png" alt-text="Insights navigation":::

-3. This should display the **Insights** dashboard for your Communication Service resource:

- :::image type="content" source="media\workbooks\acs-insights-tab.png" alt-text="Communication Services Insights tab":::

-## Insights dashboard navigation

-The Communication Service Insights dashboards give users an intuitive and clear way to navigate their resourceΓÇÖs log data. The **Overview** section provides a view across all modalities, so the user can see the different ways in which their resource has been used in a specific time range:

-Users can control the time range and time granularity to display with the parameters displayed at the top:

-These parameters are global, meaning that they will update the data displayed across the entire dashboard.

-The **Overview** section contains an additional parameter to control the type of visualization that is displayed:

-This parameter is local, meaning it only affects the plots in this section.

-The rest of the tabs display log data that is related to a specific modality.

-Since **Voice and video** logs are the most complex in nature, this modality is broken down into four subsections:

-The **Summary** tab contains general information about Voice and video usage, including the types of media streams shared, the types of endpoints participating in a call (e.g. VoIP, Bot, Application, PSTN, or Server), the OS usage, and participant end reasons:

-The **Volume** tab under the **Voice and video** modality displays the number of calls and the number of participants in a specific period of time (**Time range** parameter), subdivided into time bins (**Time granularity** parameter):

-The **Volume** tab contains a **Grouping** parameter, which helps visualize the number of calls and participants segmented by either Call type (P2P vs. Group calls) and Interop Calls (pure Azure Communication Services vs. Teams Interop):

-The **Quality** tab under **Voice and video** allows users to inspect the quality distribution of calls, where quality is defined at three levels for this dashboard:

- - Jitter > 30 milliseconds

- - Packet loss rate > 10%

- - Round trip time > 500 milliseconds

-Quality can also be filtered by the types of media streams (**Media Type** parameter) used in the call, e.g. to only get the impacted calls in terms of video stream quality:

-And can also be filtered by endpoint types (**Endpoint Type** parameter), e.g. getting the participant end reasons for PSTN participants. These filters allow for multiple selections:

-The **Details** tab offers a quick way to navigate through the **Voice and video** calls made in a time range by grouping calls by dates, and showing the details of every call made in terms of the participants in that call and the outgoing streams per participant, together with duration and telemetry values for these:

-The details of a call are initially hidden. A list of the participants is displayed after clicking on a call:

-And clicking on a participant displays a list of the outgoing streams for that participant, together with their duration (proportional to the full call duration) and telemetry values, where unhealthy values are displayed in red:

-The **Authentication** tab shows authentication logs, which are created through operations such as issuing an access token or creating an identity. The data displayed includes the types of operations performed and the results of those operations:

-The **Chat** tab displays the data for all chat-related operations and their result types:

-The **SMS** tab displays the operations and results for SMS usage through an Azure Communication Services resource (we currently donΓÇÖt have any data for this modality):

-The **Email** tab displays delivery status, email size, and email count:

-The **Recording** tab displays data relevant to total recordings, recording format, recording channel types and number of recording per call:

-The **Call Automation** tab displays data about calls placed or answered using Call Automation SDK, like active call count, operations executed and errors encountered by your resource over time. You can also examine a particular call by looking at the sequence of operations taken on that call using the SDK:

-## Editing dashboards

-The **Insights** dashboards provided with your **Communication Service** resource can be customized by clicking on the **Edit** button on the top navigation bar:

-Editing these dashboards does not modify the **Insights** tab, but rather creates a separate workbook which can be accessed on your resourceΓÇÖs Workbooks tab:

-For an in-depth description of workbooks, please refer to the [Azure Monitor Workbooks](../../../azure-monitor/visualize/workbooks-overview.md) documentation.

-description: About using Log a Analytics for Call Summary and Call Diagnostic logs

-Before you can take advantage of [Log Analytics](../../../azure-monitor/logs/log-analytics-overview.md) for your Communications Services logs, you must first follow the steps outlined in [Enable logging in Diagnostic Settings](enable-logging.md). Once you have enabled your logs and a [Log Analytics Workspace](../../../azure-monitor/logs/workspace-design.md), you will have access to many helpful [default query packs](../../../azure-monitor/logs/query-packs.md#default-query-pack) that will help you quickly visualize and understand the data available in your logs, which are described below. Through Log Analytics, you also get access to more Communications Services Insights via Azure Monitor Workbooks (see: [Communications Services Insights](insights.md)), the ability to create our own queries and Workbooks, [Log Analytics APIs overview](../../../azure-monitor/logs/api/overview.md) to any query.

-From there, you are presented with a modal screen that contains all of the [default query packs](../../../azure-monitor/logs/query-packs.md#default-query-pack) available for your Communications Services, with list of Query Packs available to navigate to the left.

-If you close the modal screen, you can still navigate to the various query packs, directly access data in the form of tables based on the schema of the logs and metrics you have enabled in your Diagnostic Setting. Here, you can create your own queries from the data using [KQL (Kusto)](/azure/data-explorer/kusto/query/). Learn more about using, editing, and creating queries by reading more about: [Log Analytics Queries](../../../azure-monitor/logs/queries.md)

-If you are looking to build your own Network Diagnostic Tool or to perform deeper integration of this tool into your application, you can leverage [pre-call diagnostic APIs](../voice-video-calling/pre-call-diagnostics.md) for the calling SDK.

-When a user runs a network diagnostic, the tool collects and store service and client telemetry data to verify your network conditions and ensure that they're compatible with Azure Communication Services. The telemetry collected doesn't contain personal identifiable information. The test utilizes both audio and video collected through your device for this verification. The audio and video used for the test aren't stored.

-The test provides a **unique identifier** for your test which you can provide our support team who can provide further help. For more information see [help and support options](../../support.md)

-| | [Azure Communication Services Insights](../../analytics/insights.md) | ✔️ |

-| [Azure Communication Services Insights](../../analytics/insights.md) | ✔️ |

-| | [Azure Communication Services Insights](../analytics/insights.md) | ✔️ |

-| | [Azure Communication Services Insights](../../analytics/insights.md) | ✔️ |

-| | [Azure Communication Services Insights](../../analytics/insights.md) | ✔️ |

-If you choose to use a classification policy, you will receive a [JobClassified Event][job_classified_event] or a [JobClassificationFailed Event][job_classify_failed_event] with the result. Once the job has been successfully classified, it will be automatically queued. If the classification process fails, you'll need to intervene to fix it.

-See the [Rule concepts](router-rule-concepts.md) page for more information.

-Each job carries a collection of worker selectors, that are evaluated against the worker labels. These are conditions that need to be true of a worker to be a match.

-You can use the classification policy to attach these conditions to a job. You can do this by specifying one or more selector attachments.

-For more information see the section [below](#using-label-selector-attachments).

-For more information see the section [below](#using-label-selector-attachments).

-**Conditional label selector -** Evaluates a condition defined by a [rule](router-rule-concepts.md). If it resolves to `true`, then the specified collection of selectors will be attached to the Job.

-**Rule label selector -** Sources a collection of selectors from one of many rule engines. Read the [RouterRule concepts](router-rule-concepts.md) page for more information.

-1. You can update the Job labels, which will cause the Job Router to evaluate the new labels with the previous Classification Policy.

-2. You can update the Classification Policy ID of a Job, which will cause Job Router to process the existing Job against the new policy.

-description: Provides an overview of the Calling SDK.

-The Calling SDK enables end-user devices to drive voice and video communication experiences. This page provides detailed descriptions of Calling features, including platform and browser support information. To get started right away, please check out [Calling quickstarts](../../quickstarts/voice-video-calling/getting-started-with-calling.md) or [Calling hero sample](../../samples/calling-hero-sample.md).

-## Detailed capabilities

-| Screen sharing | Share the entire screen from within the application | ✔️ | ❌ | ❌ | ❌ |

-| | Share a specific application (from the list of running applications) | ✔️ | ❌ | ❌ | ❌ |

-| | Share a web browser tab from the list of open tabs | ✔️ | ❌ | ❌ | ❌ |

-| | Get microphone list | ✔️ | ✔️ | ❌ | ❌ |

-| | Set microphone | ✔️ | ✔️ | ❌ | ❌ |

-| | Get selected microphone | ✔️ | ✔️ | ❌ | ❌ |

-| | Get speakers list | ✔️ | ✔️ | ❌ | ❌ |

-| | Set speaker | ✔️ | ✔️ | ❌ | ❌ |

-| | Get selected speaker | ✔️ | ✔️ | ❌ | ❌ |

-The Communication Services Calling SDK supports the following streaming configurations:

-While the Calling SDK won't enforce these limits, your users may experience performance degradation if they're exceeded.

-## Maximum call duration:

-The maximum call duration is 30 hours, participants that reach the maximum call duration lifetime of 30 hours will be disconnected from the call.

-The following table represents the set of supported browsers which are currently available. **We support the most recent three major versions of the browser (most recent three minor versions for Safari)** unless otherwise indicated.

-* Outgoing Screen Sharing is not supported on iOS or Android.

-* Firefox support is in public preview.

-* ACS only supports Android System WebView on Android, iOS WebView(WKWebView) in public preview. Other types of embedded browsers or WebView on other OS platforms are not officially supported, for example, GeckoView, Chromium Embedded Framework (CEF), Microsoft Edge WebView2.

-Running JavaScript Calling SDK on these platforms is not actively tested, it may or may not work.

-* [An iOS app on Safari can't enumerate/select mic and speaker devices](../known-issues.md#enumerating-devices-isnt-possible-in-safari-when-the-application-runs-on-ios-or-ipados) (for example, Bluetooth); this is a limitation of the OS, and there's always only one device, OS controls default device selection.

-* Support for Android API Level 21 or Higher

-* Support for Java 7 or higher

-* Support for Android Studio 2.0

-* Support for iOS 10.0+ at build time, and iOS 12.0+ at run time

-* Xcode 12.0+

-A new [permissions policy (also called a feature policy)](https://www.w3.org/TR/permissions-policy-1/#iframe-allow-attribute) is being adopted by various browsers. This policy affects calling scenarios by controlling how applications can access a device's camera and microphone through a cross-origin iframe element.

-The Pre-Call API enables developers to programmatically validate a clientΓÇÖs readiness to join an Azure Communication Services Call. The Pre-Call APIs can be accessed through the Calling SDK. They provide multiple diagnostics including device, connection, and call quality. Pre-Call APIs are available only for Web (JavaScript). We will be enabling these capabilities across platforms in the future, please provide us feedback on what platforms you would like to see Pre-Call APIs on.

->Pre-Call diagnostics are available starting on the version [1.9.1-beta.1](https://www.npmjs.com/package/@azure/communication-calling/v/1.9.1-beta.1) of the Calling SDK. Make sure to use that version when trying the instructions below.

-To Access the Pre-Call API, you will need to initialize a `callClient` and provision an Azure Communication Services access token. There you can access the `PreCallDiagnostics` feature and the `startTest` method.

-Individual result objects can be accessed as such using the `preCallDiagnosticsResult` constant above. Results for individual tests will be returned as they are completed with many of the test results being available immediately. In the case of the `inCallDiagnostics` test, the results might take up to 1 minute as the test validates quality of the video and audio.

-In the case that the test fails and the permissions are false for audio and video, the user shouldn't continue into joining a call. Rather you will need to prompt the user to enable the permissions. To do this, it is best to provide specific instruction on how to access permission access based on the OS, version and browser they are on. For more information on permissions check out our [recommendations](https://techcommunity.microsoft.com/t5/azure-communication-services/checklist-for-advanced-calling-experiences-in-mobile-web/ba-p/3266312).

-In the case that devices are not available, the user shouldn't continue into joining a call. Rather the user should be prompted to check device connections to ensure any headsets, cameras or speakers are properly connected. For more information on device management check out our [documentation](../../how-tos/calling-sdk/manage-video.md?pivots=platform-web#device-management)

-InCall diagnostics leverages [media quality stats](./media-quality-sdk.md) to calculate quality scores and diagnose issues. During the pre-call diagnostic, the full set of media quality stats are available for consumption. These will include raw values across video and audio metrics that can be used programatically. The InCall diagnostic provides a convenience layer on top of media quality stats to consume the results without the need to process all the raw data. See section on media stats for instructions to access.

-For granular stats on quality metrics like jitter, packet loss, rtt, etc. `callMediaStatistics` are provided as part of the `preCallDiagnosticsResult` feature. See the [full list and description of the available metrics](./media-quality-sdk.md) in the linked article. You can subscribe to the call media stats to get full collection of them. This is the raw metrics that are used to calculate InCall diagnostic results and which can be consumed granularly for further analysis.

-description: In this document, you'll learn how to create video effects on an Azure Communication Services call.

-The Azure Communication Calling SDK allows you to create video effects that other users on a call will be able to see. For example, for a user doing ACS calling using the WebJS SDK you can now enable that the user can turn on background blur. When background blur enabled a user can feel more comfortable in doing a video call that the output video will just show a user and all other content will be blurred.

-An example using the Azure CLI to

-See [here](https://www.npmjs.com/package/@azure/communication-calling-effects) for more details on the calling commmunication effects npm package page.

-zone_pivot_groups: acs-plat-ios-android

-You can connect custom client apps, custom services, and the publicly switched telephony network (PSTN) to your communications experience. You can acquire [phone numbers](./concepts/telephony/plan-solution.md) directly through Azure Communication Services REST APIs, SDKs, or the Azure portal; and use these numbers for SMS or calling applications or you can simply integrate email capabilities to your applications using production-ready email SDKs. Azure Communication Services [direct routing](./concepts/telephony/plan-solution.md) allows you to use SIP and session border controllers to connect your own PSTN carriers and bring your own phone numbers.

-In addition to REST APIs, [Azure Communication Services client libraries](./concepts/sdk-options.md) are available for various platforms and languages, including Web browsers (JavaScript), iOS (Swift), Android (Java), Windows (.NET). A [UI library](https://aka.ms/acsstorybook) can accelerate development for Web, iOS, and Android apps. Azure Communication Services is identity agnostic and you control how end users are identified and authenticated.

-To learn more, check out our [Microsoft Mechanics video](https://www.youtube.com/watch?v=apBX7ASurgM) or the resources linked below.

-|**[Send an SMS from your app](./quickstarts/sms/send.md)**| Azure Communication Services SMS REST APIs and SDKs is used send and receive SMS messages from service applications.|

-|**[Send an Email from your app](./quickstarts/email/send-email.md)**| Azure Communication Services Email REST APIs and SDKs is used send an email messages from service applications.|

-|**[Add telephony calling to your app](./quickstarts/telephony/pstn-call.md)**|With Azure Communication Services you can add telephony calling capabilities to your application.|

-|**[Connect a Microsoft Bot to a phone number](https://github.com/microsoft/botframework-telephony)**|Telephony channel is a channel in Microsoft Bot Framework that enables the bot to interact with users over the phone. It leverages the power of Microsoft Bot Framework combined with the Azure Communication Services and the Azure Speech Services. |

-Learn more about the Azure Communication Services SDKs with the resources below. REST APIs are available for most functionality if you want to build your own clients or otherwise access the service over the Internet.

-|**[UI Library overview](https://aka.ms/acsstorybook)**| Review the UI Library for the Communication Services |

-There are two other Microsoft communication products you may consider using that are not directly interoperable with Communication Services at this time:

- :::image type="content" source="./media/email-domains-custom-added.png" alt-text="Screenshot that shows that custom domain is successfully added for verification.":::.

-When Azure Managed Domain is provisioned to send mail, it has default Mail from address as donotreply@xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.azurecomm.net and the FROM display name would be the same. You'll able to configure and change the Mail from address and FROM display name to more user friendly value.

- :::image type="content" source="./media/email-domains-overview-updated.png" alt-text="Screenshot that shows that how to save the modified values of Mail From and display name." lightbox="media/email-domains-custom-overview-expanded.png":::

-> [Phone number types](../../concepts/telephony/plan-solution.md)

-> [Learn more about SMS](../../concepts/sms/concepts.md)

-description: In this quickstart, you'll learn how to add live stream calling capabilities to your app using Azure Communication Services.

-Live streaming will empower Contoso to engage thousands of online attendees by adding interactive live audio and video streaming functionality into their web and

-mobile applications that their audiences will love, no matter where they are. Interactive Live Streaming is the ability to broadcast media content to thousands of online

-attendees while enabling some attendees to share their live audio and video, interact via chat, and engage with metadata content such as reactions, polls, quizzes, ads, etc.

-Participants with `Consumer` role will be receiving only the live stream. They won't be able to speak or share video or screen. Developers shouldn't show the unmute, share video, and screen option to end users/consumers. Live stream supports both open and closed Rooms. In Open Rooms the default role is `Consumer`.

-Live streaming will start when the Rooms call starts.

-description: In this quickstart, you'll learn how to join a Teams meeting with the Azure Communication Calling SDK.

-description: In this quickstart, you'll learn how to add video calling capabilities to your app using Azure Communication Services.

-description: In this quickstart, you'll learn how to add calling capabilities to your app using Azure Communication Services.

-1. Wait for your onboarding team to confirm that the onboarding process is complete before testing your portal access.

-## 4. Test your portal access

-Navigate to the [Operator Connect homepage](https://operatorconnect.microsoft.com/) and check that you're able to sign in.

-## 5. Register your deployment's domain name in Active Directory

-## 10. Set up application roles for Azure Communications Gateway in your Project Synergy application

-Azure Communications Gateway contains services that need to access the Operator Connect API on your behalf. To enable this access, you must grant specific application roles to an AzureCommunicationsGateway service principal under the Project Synergy Enterprise Application. You created the Project Synergy application in [1. Add the Project Synergy application to your Azure tenancy](#1-add-the-project-synergy-application-to-your-azure-tenancy). Microsoft created the Azure Communications Gateway service principal for you when you followed [9. Register the Microsoft Voice Services resource provider](#9-register-the-microsoft-voice-services-resource-provider).

-You need to do the following steps in the tenant that contains your Project Synergy application.

-## 11. Add the application ID for Azure Communications Gateway to Operator Connect

-Before you can use the roles that you set up in [10. Set up application roles for Azure Communications Gateway in your Project Synergy application](#10-set-up-application-roles-for-azure-communications-gateway-in-your-project-synergy-application), you must enable the Azure Communications Gateway application within the Operator Connect or Teams Phone Mobile environment.

-To enable the Azure Communications Gateway application and the roles, add the application ID of the AzureCommunicationsGateway service principal to your Operator Connect or Teams Phone Mobile environment:

-1. Optionally, check the application ID of the service principal to confirm that you're adding the right application.

- 1. Search for `AzureCommunicationsGateway` with the search bar: it's under the **Azure Active Directory** subheading.

- 1. On the overview page, check that the value of **Object ID** is `8502a0ec-c76d-412f-836c-398018e2312b`.

-1. Log into the [Operator Connect Number Management Portal](https://operatorconnect.microsoft.com/operator/configuration).

-1. Add a new **Application Id**, pasting in the following value. This value is the application ID for Azure Communications Gateway.

- ```

- 8502a0ec-c76d-412f-836c-398018e2312b

- ```

- IdentityUserAssignedIdentity = $IdentityId

- | Up to 0.25 | 1 GiB |

- | Up to 0.5 | 2 GiB |

- | Up to 1 | 4 GiB |

-**Periodic mode Backups**: By default, periodic mode account backups will be stored in geo-redundant storage. For periodic backup modes, you can configure data redundancy at the account level. There are three redundancy options for the backup storage. They are local redundancy, zone redundancy, or geo redundancy. To learn more, see how to [configure backup redundancy](configure-periodic-backup-restore.md#modify-the-backup-interval-and-retention-period) using portal.

-* Configure and manage periodic backup using [Azure portal](configure-periodic-backup-restore.md)

-| `ComputePort` | Specified the port number to use for the compute interop gateway service. The gateway's HTTP endpoint probe port is calculated as `ComputePort + 79`. Hence, `ComputePort` and `ComputePort + 79` must be open and available. The default value is `8900`. | `Microsoft.Azure.Cosmos.Emulator.exe /ComputePort=65100` |

- - **Backup Policy**: Configure either [periodic](../configure-periodic-backup-restore.md) or [continuous](../provision-account-continuous-backup.md) backup policy.

-> Want to try the API for MongoDB with no commitment? Create an Azure Cosmos DB account using [Try Azure Cosmos DB](../try-free.md) for free.

-## API for MongoDB benefits

-The API for MongoDB has added benefits of being built on Azure Cosmos DB when compared to service offerings such as MongoDB Atlas:

-## How the API for MongoDB works

-The API for MongoDB implements the wire protocol for MongoDB. This implementation allows transparent compatibility with native MongoDB client SDKs, drivers, and tools. Azure Cosmos DB doesn't host the MongoDB database engine. Any MongoDB client driver compatible with the API version you're using should be able to connect, with no special configuration.

-The API for MongoDB is compatible with the following MongoDB server versions:

-All the APIs for MongoDB versions run on the same codebase, making upgrades a simple task that can be completed in seconds with zero downtime. Azure Cosmos DB simply flips a few feature flags to go from one version to another. The feature flags also enable continued support for older API versions such as 3.2 and 3.6. You can choose the server version that works best for you.

-1. Run `mvn package` in a terminal to install required npm modules

-* [Periodic backup](../configure-periodic-backup-restore.md)

-1. [Restore](../configure-periodic-backup-restore.md#request-data-restore-from-a-backup) the parent resource, or re-create the resources.

-* **Periodic backup mode** - This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. The minimum backup interval can be one hour. To learn more, see [periodic backup mode](configure-periodic-backup-restore.md).

-* [Configure and manage periodic backup](configure-periodic-backup-restore.md) policy.

-1. In the Azure portal, navigate to Cost Management + Billing.

-1. In the left menu under **Products + services**, select **All billing subscriptions**. If you have a support plan, it's shown in the list.

- :::image type="content" source="./media/cancel-azure-subscription/all-billing-subscriptions.png" alt-text="Screenshot showing all billing subscriptions." lightbox="./media/cancel-azure-subscription/all-billing-subscriptions.png" :::

-> Exchanges will be unavailable for all compute reservations - Azure Reserved Virtual Machine Instances, Azure Dedicated Host reservations, and Azure App Services reservations - purchased on or after **January 1, 2024**. Compute reservations purchased **prior to January 1, 2024** will reserve the right to **exchange one more time** after the policy change goes into effect. Microsoft launched Azure savings plan for compute and it's designed to help you save broadly on predictable compute usage. The savings plan provides more flexibility needed to accommodate changes such as virtual machine series and regions. With savings plan providing the flexibility automatically, we’re adjusting our reservations exchange policy. You can continue to exchange VM sizes (with instance size flexibility) but we'll no longer support exchanging instance series or regions for these compute reservations. For more information about the exchange policy change, see [Changes to the Azure reservation exchange policy](reservation-exchange-policy-changes.md).

-> For a limited time you may [trade-in](../savings-plan/reservation-trade-in.md) your Azure compute reservations for a savings plan. Or, you may continue to use and purchase reservations for those predictable, stable workloads where you know the specific configuration youΓÇÖll need and want additional savings. Learn more about [Azure savings plan for compute](../savings-plan/index.yml) and how it works with reservations.

-When you exchange reservations, the new purchase currency amount must be greater than the refund amount. If your new purchase amount is less than the refund amount, you'll get an error. If you see the error, reduce the quantity that you want to return, or increase the amount to purchase.

-1. If you select the auto-fill return quantity, you can choose to **Refund all** to fill the list with the full quantity that you own for each reservation. Or, select **Optimize for utilization (7-day)** to fill the list with a quantity that optimizes for utilization based on the last seven days of usage. **Select Apply**.

-## Exchange non-premium storage for premium storage

-If you're exchanging for a different size, series, region or payment frequency, the term will be reset for the new reservation.

-> Exchanges will be unavailable for all compute reservations - Azure Reserved Virtual Machine Instances, Azure Dedicated Host reservations, and Azure App Services reservations - purchased on or after **January 1, 2024**. Compute reservations purchased **prior to January 1, 2024** will reserve the right to **exchange one more time** after the policy change goes into effect. Azure savings plan for compute is designed to help you save broadly on predictable compute usage. The savings plan provides more flexibility needed to accommodate changes such as virtual machine series and regions. With savings plan providing the flexibility automatically, we’re adjusting our reservations exchange policy. You can continue to exchange VM sizes (with instance size flexibility) but we'll no longer support exchanging instance series or regions for Azure Reserved Virtual Machine Instances, Azure Dedicated Host reservations, and Azure App Services reservations. For a limited time you may trade-in your Azure compute reservations for a savings plan. Or, you may continue to use and purchase reservations for those predictable, stable workloads where you know the specific configuration you’ll need and want additional savings. For more information, see [Self-service exchanges and refunds for Azure Reservations](../reservations/exchange-and-refund-azure-reservations.md).

-To use centrally manage licenses, you must have a specific role assigned to you, depending on your Azure agreement type:

- If you're not an Enterprise admin, you must be assigned that role by your organization (with full access). For more information about how to become a member of the role, see [Add another enterprise administrator](../manage/ea-portal-administration.md#create-another-enterprise-administrator).

- If you don't have one of the roles above, your organization must assign one to you. For more information about how to become a member of the roles, see [Manage billing roles](../manage/understand-mca-roles.md#manage-billing-roles-in-the-azure-portal).

-In the previous example, detected usage for 108 normalized core licenses is needed to cover all eligible Azure SQL resources. Detected usage for individual resources was 56 normalized core licenses. For the example, we showed 60 standard core licenses plus 12 Enterprise core licenses (12 * 4 = 48). So 60 + 48 = 108. Normalized core license values are covered in more detail in the following [How licenses apply to Azure resources](#how-licenses-apply-to-azure-resources) section.

-The original resource-level way to enable Azure Hybrid Benefit is still available for SQL Server and is currently the only option for Windows Server. It involves a DevOps role selecting the benefit for each individual resource (like a SQL Database or Windows Server VM) when creating or managing it. Doing so results in the hourly cost of that resource being discounted. For more information, see [Azure Hybrid Benefit for Windows Server](/azure/azure-sql/azure-hybrid-benefit).

-Resource-level Azure Hybrid Benefit management can cover all the above, too. It's currently the only option for covering the following resources:

-You get the following:

-To explain how it works further, the term _normalized core license_ or NCL is used. In alignment with the rule above, one SQL Server Standard core license produces one NCL. One SQL Server Enterprise core license produces four NCLs. For example, if you assign four SQL Server Enterprise core licenses and seven SQL Server Standard core licenses, your total coverage and Azure Hybrid Benefit discounting power is equal to 23 NCLs (4\*4+7\*1).

-The following table summarizes how many NCLs you need to fully discount the SQL Server license cost for different resource types. Scope-level management of Azure Hybrid Benefit strictly applies the rules in the product terms, summarized below.

-┬▓ *Subject to a minimum of four vCore licenses per Virtual Machine.*

-We recommend that you establish a proactive rhythm when centrally managing Azure Hybrid Benefit, similar to the following tasks and order:

- - If usage is 100%, you might be using resources beyond the number of licenses assigned. Return to the [Create license assignment experience](create-sql-license-assignments.md) and review the usage that Azure shows. Then assign additional available licenses to the scope for more coverage.

-Fees don't include credits, taxes, or other charges or discounts.

-ConsumedService | EA, PAYG | Name of the service the charge is associated with. For more information about choosing a method to get cost details, see [Choose a cost details solution](../automate/usage-details-best-practices.md).

-For now, within a single copy activity and data flow, you can only **ingest data from Microsoft 365 (Office 365) into [Azure Blob Storage](connector-azure-blob-storage.md), [Azure Data Lake Storage Gen1](connector-azure-data-lake-store.md), and [Azure Data Lake Storage Gen2](connector-azure-data-lake-storage.md) in JSON format** (type setOfObjects). If you want to load Microsoft 365 (Office 365) into other types of data stores or in other formats, you can chain the first copy activity or data flow with a subsequent activity to further load data into any of the [supported ADF destination stores](copy-activity-overview.md#supported-data-stores-and-formats) (refer to "supported as a sink" column in the "Supported data stores and formats" table).

- 1. The **kr5.ini** file is in the **C:\Program Files\MIT\Kerberos\bin** folder.

- 3. Edit the **krb.ini** file.

-> You will need to enable multifactor authentication for the user who manages the VMs and images that are deployed on your device from the cloud. The cloud operations will fail if the user doesn't have multifactor authentication enabled. For steps to enable multifactor authentication, see [Manage authentication methods for Azure AD Multi-Factor Authentication](../active-directory/authentication/howto-mfa-userdevicesettings.md).

-

-This article describes how to automate initial device configuration and activation of Azure Stack Edge devices using PowerShell. Use the steps in this article as alternatives to the local web user interface setup sequence.

-## Change password and fetch the device configuration

-Use the following steps to sign in to a device, change the password, and fetch the device configuration:

-1. Sign in to the device and change the device password.

- ```azurepowershell

- Set-Login "https://<IP address>" "<CurrentPassword>" "<NewPassword>"

- ```

-1. Fetch the device configuration.

-1. Sign in to the device.

- ```azurepowershell

- Set-Login "https://<IP address>" "<Password>"

- ```

-> Use a config.json file that meets the needs of your organization. [Sample JSON files are available here](https://github.com/Azure-Samples/azure-stack-edge-deploy-vms/tree/master/PowerShellBasedConfiguration/).

-1. Sign in to the device.

- ```azurepowershell

- Set-Login "https://<IP address>" "<Password>"

- ```

-This sequence of PowerShell cmdlets signs in to a two-node device, applies device configuration settings from a JSON file, verifies completion of the operation, and then fetches the new device configuration.

-1. Sign in to the device.

- ```azurepowershell

- Set-Login "https://<IP address>" "<Password>"

- ```

-1. Sign in to the device.

- ```azurepowershell

- Set-Login "https://<IP address>" "Password"

- ```

- Here's sample output showing device activation status:

-Use the following steps to sign in to the device, fetch the status of the `WebProxy` properties, set the `WebProxy` property to ΓÇ£isEnabled = trueΓÇ¥ and set the `WebProxy` URI, and then fetch the status of the changed `WebProxy` properties. After running the package, verify the new device configuration.

-1. Sign in to the device.

- ```azurepowershell

- Set-Login "https://<IP address>" "Password"

- ```

-## Enable proactive log consent

-1. Sign in to the device.

- ```azurepowershell

- Set-Login "https://<IP address>" "Password"

- ```

-To diagnose and troubleshoot any device errors, you can run the diagnostics tests. For more information, see [Run diagnostics](azure-stack-edge-gpu-troubleshoot.md#run-diagnostics).

-Use the following steps to sign in to the device and run device diagnostics to verify status after you apply a device configuration package.

-1. Sign in to the device.

- ```azurepowershell

- Set-Login "https://<IP address>" "Password"

- ```

-For Azure consistent services and NFS, define a virtual IP that allows you to connect to a clustered device instead of a specific node. A virtual IP is an available IP in the cluster network. Any client connecting to the cluster network on the two-node device should be able to access this IP.

-You can set either an ACS or an NFS configuration. Additional options include static or DHCP network settings. For more information about setting virtual IPs, see [Configure virtual IPs](azure-stack-edge-pro-2-deploy-configure-network-compute-web-proxy.md#configure-virtual-ips).

-Use the following steps to set the `DeviceVIP` configuration on a two-node Azure Stack Edge device.

-The example below shows a static ACS configuration, followed by an example that shows a configuration with DHCP enabled.

-1. Sign in to the device.

- ```azurepowershell

- Set-Login "https://<IP address>" "Password"

- ```

-1. Fetch the device configuration.

- ```azurepowershell

- Get-DeviceConfiguration | To-json

- ```

-1. Set the `DeviceVIP` property with a static ACS configuration.

- $acsVip = New-Object PSObject -Property @{ Type = "ACS"; VipAddress = "192.168.181.10"; ClusterNetworkAddress = "192.168.0.0"; IsDhcpEnabled = $false }

- Here's sample output:

- ```output

- acsVIP nfsVIP

-

- @{type=ACS; name=Azure Consistent Services; address=192.168.181.10; network=; isDhcpEnabled=False} @{type=NFS; name=Network File Syst...

- }

- ```

- {

- "acsVIP": {

- "address": "192.168.181.10",

- "name": "Cluster Network 1",

- "address": "192.168.0.0",

- "subnet": "255.255.0.0",

- "dhcpEnabled": true

- },

- "nfsVIP": {

- "type": "NFS",

- "name": "Network File System",

- "address": null,

- "network": null,

- "isDhcpEnabled": false

- },

- "clusterNetworks": [

- {

- "name": "Cluster Network 1",

- "address": "192.168.0.0",

- "subnet": "255.255.0.0",

- "dhcpEnabled": false

- },

- {

- "name": "Cluster Network 4",

- "address": "10.126.72.0",

- "subnet": "255.255.248.0",

- "dhcpEnabled": false

- }

- ]

-Use the following steps to set the `DeviceVIP` configuration on a two-node Azure Stack Edge device.

-The example below shows a sequence of steps to enable DHCP.

-1. Sign in to the device.

- Set-Login "https://<IP address>" "Password"

-1. Fetch the device configuration.

- Get-DeviceConfiguration | To-json

-1. Fetch the `DeviceVIP` configuration.

- Here's sample output showing the initial state of **acsVIP setting "isDhcpEnabled": false** on the device:

- "address": "192.168.181.10",

- "name": "Cluster Network 1",

- "address": "192.168.0.0",

- "subnet": "255.255.0.0",

- "dhcpEnabled": false

- "isDhcpEnabled": false

- },

- "nfsVIP": {

- "type": "NFS",

- "name": "Network File System",

- "address": null,

- "network": null,

- "isDhcpEnabled": false

- "clusterNetworks": [

- {

- "name": "Cluster Network 1",

- "address": "192.168.0.0",

- "subnet": "255.255.0.0",

- "dhcpEnabled": false

- },

- {

- "name": "Cluster Network 2",

- "address": "10.139.218.0",

- "subnet": "255.255.255.0",

- "dhcpEnabled": false

- },

- {

- "name": "Cluster Network 3",

- "address": "10.126.72.0",

- "subnet": "255.255.248.0",

- "dhcpEnabled": false

- }

- ]

- $acsVip = New-Object PSObject -Property @{ Type = "ACS"; VipAddress = "192.168.181.10"; ClusterNetworkAddress = "192.168.0.0"; IsDhcpEnabled = $true }

- Set-DeviceVip -vip $acsVip

- ```output

- acsVIP nfsVIP

-

- @{type=ACS; name=Azure Consistent Services; address=192.168.181.10; network=; isDhcpEnabled=True} @{type=NFS; name=Network File System; address=192.168.3.63; network=; ...

- Here's sample output showing the updated **acsVIP setting "isDhcpEnabled": true** on the device:

- "acsVIP": {

- "type": "ACS",

- "name": "Azure Consistent Services",

- "address": "192.168.181.10",

- "network": {

- "name": "Cluster Network 1",

- "address": "192.168.0.0",

- "subnet": "255.255.0.0",

- "dhcpEnabled": true

- },

- "isDhcpEnabled": true

- },

- "type": "NFS",

- "name": "Network File System",

- "address": "192.168.3.63",

- "network": {

- "name": "Cluster Network 1",

- "address": "192.168.0.0",

- "subnet": "255.255.0.0",

- "dhcpEnabled": false

- },

- "isDhcpEnabled": false

- },

- "clusterNetworks": [

- {

- "name": "Cluster Network 1",

- "address": "192.168.0.0",

- "subnet": "255.255.0.0",

- "dhcpEnabled": false

- },

- {

- "name": "Cluster Network 2",

- "address": "10.139.218.0",

- "subnet": "255.255.255.0",

- "dhcpEnabled": false

- },

- {

- "address": "10.126.72.0",

- "dhcpEnabled": false

- }

- ]

-

-| **Abnormal activity of managed identity associated with Kubernetes (Preview)**<br>(K8S_AbnormalMiAcitivty) | Analysis of Azure Resource Manager operations detected an abnormal behavior of a managed identity used by an AKS addon. The detected activity isn\'t consistent with the behavior of the associated addon. While this activity can be legitimate, such behavior might indicate that the identity was gained by an attacker, possibly from a compromised container in the Kubernetes cluster. | Lateral Movement | Medium |

-If you've got *any* of the Microsoft Defender plan enabled on *any* of your Azure resources, you can access Defender for Cloud's regulatory compliance dashboard and all of its data.

-description: This article provides a walkthrough to create a .NET Core application that sends/receives events to/from Azure Event Hubs with schema validation using Schema Registry.

-**Azure Schema Registry** is a feature of Event Hubs, which provides a central repository for schemas for event-driven and messaging-centric applications. It provides the flexibility for your producer and consumer applications to **exchange data without having to manage and share the schema**. It also provides a simple governance framework for reusable schemas and defines relationship between schemas through a grouping construct (schema groups). For more information, see [Azure Schema Registry in Event Hubs](schema-registry-overview.md).

-This quickstart shows how to send events to and receive events from an event hub with schema validation using the **Azure.Messaging.EventHubs** .NET library.

- - Connection string for the Event Hubs namespace

- - Name of the event hub

-1. Run the following command to install the **Azure.Messaging.EventHubs** NuGet package:

- Install-Package Microsoft.Azure.Data.SchemaRegistry.ApacheAvro -Version 1.0.0-beta.2

- Install-Package Azure.ResourceManager.Compute -Version 1.0.0-beta.1

-1. You can use the same schema content and create the Avro schema file ``Order.avsc`` file inside the OrderProducer project.

-1. Then you can use this schema file to generate code for .NET. You can use any external code generation tool such as [avrogen](https://www.nuget.org/packages/Apache.Avro.Tools/) for code generation. (For example you can run `` avrogen -s .\Order.avsc `` to generate code).

-1. Once you generate code, you should have the corresponding C# types available inside your project. For the above Avro schema, it generates the C# types in ``Microsoft.Azure.Data.SchemaRegistry.example`` namespace.

-1. Add the following `using` statements to the top of the **Program.cs** file:

- using System;

- using System.IO;

- using System.Threading;

- using System.Threading.Tasks;

- ```

-1. Also you can import the generated types related to ``Order`` schema as shown below.

- ```csharp

- using Microsoft.Azure.Data.SchemaRegistry.example;

- ```

-2. Add constants to the `Program` class for the Event Hubs connection string and the event hub name.

- ```csharp

- // connection string to the Event Hubs namespace

- private const string connectionString = "<EVENT HUBS NAMESPACE - CONNECTION STRING>";

- // name of the event hub

- private const string eventHubName = "<EVENT HUB NAME>";

-

- // Schema Registry endpoint

- private const string schemaRegistryEndpoint = "<EVENT HUBS NAMESPACE>.servicebus.windows.net>";

-

- // name of the consumer group

- private const string schemaGroup = "<SCHEMA GROUP>";

- ```

- > [!NOTE]

- > Replace placeholder values with the connection string to your namespace, the name of the event hub, and schema group.

-3. Add the following static property to the `Program` class. See the code comments.

- ```csharp

- // The Event Hubs client types are safe to cache and use as a singleton for the lifetime

- // of the application, which is best practice when events are being published or read regularly.

- static EventHubProducerClient producerClient;

- ```

-1. Replace the `Main` method with the following `async Main` method. See the code comments for details.

- ```csharp

- static async Task Main()

- {

- // Create a producer client that you can use to send events to an event hub

- producerClient = new EventHubProducerClient(connectionString, eventHubName);

- // Create a schema registry client that you can use to serialize and validate data.

- var schemaRegistryClient = new SchemaRegistryClient(endpoint: schemaRegistryEndpoint, credential: new DefaultAzureCredential());

- // Create a batch of events

- using EventDataBatch eventBatch = await producerClient.CreateBatchAsync();

-

- // Create a new order object using the generated type/class 'Order'.

- var sampleOrder = new Order { id = "12345", amount = 55.99, description = "This is a sample order." };

- using var memoryStream = new MemoryStream();

- // Create an Avro object serializer using the Schema Registry client object.

- var producerSerializer = new SchemaRegistryAvroObjectSerializer(schemaRegistryClient, schemaGroup, new SchemaRegistryAvroObjectSerializerOptions { AutoRegisterSchemas = true });

- // Serialize events data to the memory stream object.

- producerSerializer.Serialize(memoryStream, sampleOrder, typeof(Order), CancellationToken.None);

- byte[] _memoryStreamBytes;

- _memoryStreamBytes = memoryStream.ToArray();

- // Create event data with serialized data and add it to an event batch.

- eventBatch.TryAdd(new EventData(_memoryStreamBytes));

- // Send serilized event data to event hub.

- await producerClient.SendAsync(eventBatch);

- Console.WriteLine("A batch of 1 order has been published.");

- }

- ```

-5. Build the project, and ensure that there are no errors.

-6. Run the program and wait for the confirmation message.

-This section shows how to write a .NET Core console application that receives events from an event hub and use schema registry to de-serialize event data.

-1. Run the following command to install the required NuGet package:

- Install-Package Microsoft.Azure.Data.SchemaRegistry.ApacheAvro -Version 1.0.0-beta.2

- Install-Package Azure.ResourceManager.Compute -Version 1.0.0-beta.1

-### Code generation using the Avro schema

-1. You can use the same schema content and create the Avro schema file ``Order.avsc`` file inside the ``OrderProducer`` project.

-1. Then you can use this schema file to generate code for .NET. For this, you can use any external code generation tool such as [avrogen](https://www.nuget.org/packages/Apache.Avro.Tools/). (For example you can run `` avrogen -s .\Order.avsc `` to generate code).

-1. Once you generate code, you should have the corresponding C# types available inside your project. For the above Avro schema, it generates the C# types in ``Microsoft.Azure.Data.SchemaRegistry.example`` namespace.

-1. Add the following `using` statements to the top of the **Program.cs** file:

- using System;

- using System.IO;

- using System.Text;

- using System.Threading.Tasks;

- using System.Threading;

- ```

-1. Also you can import the generated types related to ``Order`` schema as shown below.

- ```csharp

- using Microsoft.Azure.Data.SchemaRegistry.example;

- ```

-2. Add constants to the `Program` class for the Event Hubs connection string and the event hub name.

- ```csharp

- // connection string to the Event Hubs namespace

- private const string connectionString = "<EVENT HUBS NAMESPACE - CONNECTION STRING>";

- // name of the event hub

- private const string eventHubName = "<EVENT HUB NAME>";

- private const string blobStorageConnectionString = "<AZURE STORAGE CONNECTION STRING>";

-

- private const string blobContainerName = "<BLOB CONTAINER NAME>";

-

- // Schema Registry endpoint

- private const string schemaRegistryEndpoint = "<EVENT HUBS NAMESPACE>.servicebus.windows.net>";

-

- // name of the consumer group

- private const string schemaGroup = "<SCHEMA GROUP>";

- ```

-3. Add the following static properties to the `Program` class.

- ```csharp

- static BlobContainerClient storageClient;

- // The Event Hubs client types are safe to cache and use as a singleton for the lifetime

- // of the application, which is best practice when events are being published or read regularly.

- static EventProcessorClient processor;

- ```

-1. Replace the `Main` method with the following `async Main` method. See the code comments for details.

- ```csharp

- static async Task Main()

- {

- // Read from the default consumer group: $Default

- string consumerGroup = EventHubConsumerClient.DefaultConsumerGroupName;

- // Create a blob container client that the event processor will use

- storageClient = new BlobContainerClient(blobStorageConnectionString, blobContainerName);

- // Create an event processor client to process events in the event hub

- processor = new EventProcessorClient(storageClient, consumerGroup, ehubNamespaceConnectionString, eventHubName);

- // Register handlers for processing events and handling errors

- processor.ProcessEventAsync += ProcessEventHandler;

- processor.ProcessErrorAsync += ProcessErrorHandler;

- // Start the processing

- await processor.StartProcessingAsync();

- // Wait for 30 seconds for the events to be processed

- await Task.Delay(TimeSpan.FromSeconds(30));

- // Stop the processing

- await processor.StopProcessingAsync();

- }

- ```

-1. Now, add the following event handler method that includes event de-serialization logic with the schema registry

- ```csharp

- static async Task ProcessEventHandler(ProcessEventArgs eventArgs)

- {

- // Create a schema registry client that you can use to deserialize and validate data.

- var schemaRegistryClient = new SchemaRegistryClient(endpoint: schemaRegistryEndpoint, credential: new DefaultAzureCredential());

- // Retrieve event data and convert it to a byte array.

- byte[] _memoryStreamBytes = eventArgs.Data.Body.ToArray();

- using var consumerMemoryStream = new MemoryStream(_memoryStreamBytes);

- var consumerSerializer = new SchemaRegistryAvroObjectSerializer(schemaRegistryClient, schemaGroup, new SchemaRegistryAvroObjectSerializerOptions { AutoRegisterSchemas = false });

- consumerMemoryStream.Position = 0;

- // Deserialize event data and create order object using schema registry.

- Order sampleOrder = (Order)consumerSerializer.Deserialize(consumerMemoryStream, typeof(Order), CancellationToken.None);

- Console.WriteLine("Received - Order ID: " + sampleOrder.id);

- // Update checkpoint in the blob storage so that the app receives only new events the next time it's run

- await eventArgs.UpdateCheckpointAsync(eventArgs.CancellationToken);

- ```

-

-1. Now, add the following error handler methods to the class.

- ```csharp

- {

- // Write details about the error to the console window

- Console.WriteLine($"\tPartition '{ eventArgs.PartitionId}': an unhandled exception was encountered. This was not expected to happen.");

- Console.WriteLine(eventArgs.Exception.Message);

- return Task.CompletedTask;

- }

-

- ```

-1. Build the project, and ensure that there are no errors.

- Received - Order ID: 12345

-**At-scale insights**: You can use the new **At-Scale Insights** workbook in the **Azure Monitor** portal to monitor your clusters' health and performance across different subscriptions.

-#### At-scale workbooks for new Azure Monitor integrations

-Use our new at-scale workbook to get a multi-cluster monitoring experience for your clusters. Our at-scale workbook shows you which of your clusters have the monitoring pipeline enabled. The workbook also gives you a straightforward way to check the health of multiple clusters at once. To view this workbook:

-1. Go to the **Azure Monitor** page in from the Azure portal home page

-2. Once on the **Azure Monitor** page, select **Insights Hub** under the **Insights** section.

-3. Select **HDInsight Clusters** under the **Analytics** section.

- :::image type="content" source="./media/log-analytics-migration/at-scale-workbook.png" lightbox="./media/log-analytics-migration/at-scale-workbook.png" alt-text="Screenshot that shows the at-scale workbook." border="false":::

-We also improved the out-of-box dashboards both at the cluster-level. There's a button on the top right of every graph that allows you to see the underlying query that produces the information. The graph is a great way to familiarize yourself with how the new tables can be queried effectively. You can access the out-of-box dashboards by following the instructions that you'll find in the [Insights](#insights) and [At-scale workbooks for new Azure Monitor integrations](#at-scale-workbooks-for-new-azure-monitor-integrations) sections.

-### Use an HDInsight at-scale monitoring dashboard

-If you're using the out-of-box monitoring dashboard for HDInsight clusters like HDInsight Spark Monitoring and HDInsight Interactive Monitoring, we're working to provide you the same capabilities on the Azure Monitor portal.

-You'll see that there's an HDInsight clusters option in Azure Monitor.

- :::image type="content" source="./media/log-analytics-migration/hdinsight-azure-monitor.png" lightbox="./media/log-analytics-migration/hdinsight-azure-monitor.png" alt-text="Screenshot that shows the HDInsight option in Azure Monitor." border="false":::

-The Azure Monitor portal's Insights Hub provides you the capability of monitoring multiple HDInsight clusters in one place. We organize the clusters based on the workload type, so you see types like Spark, HBase, and Hive. Instead of going to multiple dashboards, now you can monitor all your HDInsight clusters in this view.

-> [!NOTE]

-> For more information, see the [Insights](#insights) and [At-scale workbooks for new Azure Monitor integrations](#at-scale-workbooks-for-new-azure-monitor-integrations) sections in this article.

-# Understand the MedTech service device message data transformation

-* Normalize - Device mappings applied.

-* Transform - FHIR destination mappings applied.

-Normalize is the next stage where device message data is processed using user-selected/user-created conforming and valid [device mappings](how-to-configure-device-mappings.md). This mapping process results in transforming device message data into a normalized schema.

-Transform is the next stage where normalized messages are processed using user-selected/user-created conforming and valid [FHIR destination mappings](how-to-configure-fhir-mappings.md). Normalized messages get transformed into FHIR Observation resources if a matching FHIR destination mapping has been authored.

-> [How to configure device mappings](how-to-configure-device-mappings.md)

-> [How to configure FHIR destination mappings](how-to-configure-fhir-mappings.md)

-| schemaVersion | Either "1.0" or "1.1". Version 1.1 was introduced with IoT Edge version 1.0.10, and is recommended. | Yes |

-| runtime.type | Has to be "docker" | Yes |

-| runtime.settings.minDockerVersion | Set to the minimum Docker version required by this deployment manifest | Yes |

-| runtime.settings.registryCredentials.{registryId}.username | The username of the container registry. For Azure Container Registry, the username is usually the registry name.<br><br>Registry credentials are necessary for any private module images. | No |

-| runtime.settings.registryCredentials.{registryId}.address | The address of the container registry. For Azure Container Registry, the address is usually *{registry name}.azurecr.io*. | No |

-| systemModules.edgeAgent.type | Has to be "docker" | Yes |

-| systemModules.edgeAgent.startupOrder | An integer value for which spot a module has in the startup order. 0 is first and max integer (4294967295) is last. If a value isn't provided, the default is max integer. | No |

-| systemModules.edgeHub.type | Has to be "docker" | Yes |

-| systemModules.edgeHub.status | Has to be "running" | Yes |

-| systemModules.edgeHub.restartPolicy | Has to be "always" | Yes |

-| systemModules.edgeHub.startupOrder | An integer value for which spot a module has in the startup order. 0 is first and max integer (4294967295) is last. If a value isn't provided, the default is max integer. | No |

-| modules.{moduleId}.type | Has to be "docker" | Yes |

-| modules.{moduleId}.status | {"running" \| "stopped"} | Yes |

-| modules.{moduleId}.restartPolicy | {"never" \| "always"} | Yes |

-| modules.{moduleId}.startupOrder | An integer value for which spot a module has in the startup order. 0 is first and max integer (4294967295) is last. If a value isn't provided, the default is max integer. | No |

-| modules.{moduleId}.imagePullPolicy | {"on-create" \| "never"} | No |

-| modules.{moduleId}.env | A list of environment variables to pass to the module. Takes the format `"<name>": {"value": "<value>"}` | No |

-| lastDesiredStatus.code | This status code refers to the last desired properties seen by the IoT Edge agent. Allowed values: `200` Success, `400` Invalid configuration, `412` Invalid schema version, `417` the desired properties are empty, `500` Failed |

-| lastDesiredStatus.description | Text description of the status |

-| runtime.platform.OS | Reporting the OS running on the device |

-| runtime.platform.architecture | Reporting the architecture of the CPU on the device |

-| systemModules.edgeAgent.runtimeStatus | The reported status of IoT Edge agent: {"running" \| "unhealthy"} |

-| systemModules.edgeAgent.exitCode | The exit code reported by the IoT Edge agent container if the container exits |

-| systemModules.edgeAgent.lastStartTimeUtc | Time when IoT Edge agent was last started |

-| systemModules.edgeAgent.lastExitTimeUtc | Time when IoT Edge agent last exited |

-| systemModules.edgeHub.runtimeStatus | Status of IoT Edge hub: { "running" \| "stopped" \| "failed" \| "backoff" \| "unhealthy" } |

-| systemModules.edgeHub.statusDescription | Text description of the status of IoT Edge hub if unhealthy. |

-| systemModules.edgeHub.exitCode | The exit code reported by the IoT Edge hub container if the container exits |

-| systemModules.edgeHub.lastStartTimeUtc | Time when IoT Edge hub was last started |

-| systemModules.edgeHub.lastExitTimeUtc | Time when IoT Edge hub last exited |

-| systemModules.edgeHub.lastRestartTimeUtc | Time when IoT Edge hub was last restarted |

-| modules.{moduleId}.runtimeStatus | Status of the module: { "running" \| "stopped" \| "failed" \| "backoff" \| "unhealthy" } |

-| modules.{moduleId}.statusDescription | Text description of the status of the module if unhealthy. |

-| modules.{moduleId}.exitCode | The exit code reported by the module container if the container exits |

-| modules.{moduleId}.lastStartTimeUtc | Time when the module was last started |

-| modules.{moduleId}.lastExitTimeUtc | Time when the module last exited |

-| modules.{moduleId}.lastRestartTimeUtc | Time when the module was last restarted |

-| schemaVersion | Either "1.0" or "1.1". Version 1.1 was introduced with IoT Edge version 1.0.10, and is recommended. | Yes |

-| clients.{device or moduleId}.status | The connectivity status of this device or module. Possible values {"connected" \| "disconnected"}. Only module identities can be in disconnected state. Downstream devices connecting to IoT Edge hub appear only when connected. |

-The following example creates an HSM named **ContosoMHSM**, in the resource group **ContosoResourceGroup**, residing in the **West US 3** location, with **the current signed in user** as the only administrator, with **7 days retention period** for soft-delete. Read more about [Managed HSM soft-delete](soft-delete-overview.md)

-az keyvault create --hsm-name "ContosoMHSM" --resource-group "ContosoResourceGroup" --location "westus3" --administrators $oid --retention-days 7

-The service is available in limited regions ΓÇô To learn more about availability, please see [Azure Dedicated HSM purshase options](https://azure.microsoft.com/pricing/details/azure-dedicated-hsm).

- - **Location**: Select a location. For example, **West US 3**.

-Saving images to a compute gallery and replicating those images incurs additional cost. This cost is separate from the Azure Lab Services usage cost. Learn more about [Azure Compute Gallery pricing](../virtual-machines/azure-compute-gallery.md#billing).

- Learn how to [assign an Azure role in Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/role-assignments-steps#step-5-assign-role).

-The Azure Lab Services service principal needs to have the Owner Azure RBAC role on the Azure compute gallery. There are two Azure Lab Services service principals:

-To attach a compute gallery to a lab plan, assign the Owner role to the service principal with application ID `c7bb12bf-0b39-4f7f-9171-f418ff39b76a`.

-> [!NOTE]

-> When you add a role assignment in the Azure portal, the user interface shows the *object ID* of the service principal, which is different from the *application ID*. The object ID for a service principal can be different in each Azure subscription. You can find the service principal object ID in Azure Active Directory, based on its application ID. Learn more about [Service principal objects](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object).

-Follow these steps to grant permissions to the Azure Lab Service service principal by using the Azure CLI:

-az logic workflow show --name $logicAppName &&

-Get-AzLogicApp -Name $logicAppName

-Azure Machine Learning supports MLflow for model management. This represents a convenient way to support the entire model lifecycle for users familiar with the MLFlow client. The following article describes the different capabilities and how it compares with other options.

-* Some operations may be executed directly using the MLflow fluent API (`mlflow.<method>`). However, others may require to create an MLflow client, which allows to communicate with Azure Machine Learning in the MLflow protocol. You can create an `MlflowClient` object as follows. This tutorial will use the object `client` to refer to such MLflow client.

-If you have an MLflow model logged inside of a run and you want to register it in a registry, you can do that by using the run ID and the path where the model was logged. See [Manage experiments and runs with MLflow](how-to-track-experiments-mlflow.md) to know how to query this information if you don't have it.

-The command above will retrieve the model object which contains all the model versions. However, if you want to get the last registered model version of a given model, you can use `get_registered_model`:

-> Stages can only be accessed using the MLflow SDK. They don't show up in the [Azure Machine Learning Studio portal](https://ml.azure.com) and can't be retrieved using neither Azure Machine Learning SDK, Azure Machine Learning CLI, or Azure Machine Learning REST API. Creating deployment from a given model's stage is not supported by the moment.

-By default, if there were an existing model version in that particular stage, it will remain there. Hence, it won't be replaced as multiple model's versions can be in the same stage at the same time. Alternatively, you can indicate `archive_existing_versions=True` to tell MLflow to move the existing model's version to the stage `Archived`.

-Editing registered models is supported in both Mlflow and Azure Machine Learning. However, there are some differences important to be noticed:

-The MLflow client exposes several methods to retrieve and manage models. The following table shows which of those methods are currently supported in MLflow when connected to Azure Machine Learning. It also compares it with other models management capabilities in Azure Machine Learning.

-| Feature | MLflow | Azure Machine Learning with MLflow | Azure Machine Learning CLIv2 | Azure Machine Learning Studio |

-| Listing registered models | **&check;** | **&check;** | **&check;** | **&check;** |

-> - ³ Registered models are immutable objects in Azure Machine Learning.

-> - ⁴ Use search box in Azure Machine Learning Studio. Partial match supported.

-ml_client_registry.model.create_or_update(mlflow_model)

-ml_client_workspace.model.create_or_update(mlflow_model)

-[DeepSpeed](https://www.deepspeed.ai/tutorials/azure/) is supported as a first-class citizen within Azure Machine Learning to run distributed jobs with near linear scalabibility in terms of 

-You can use a [curated environment](resource-curated-environments.md#azure-container-for-pytorch-acpt-preview) for an out of the box environment with the latest state of art technologies including `DeepSpeed`, `ORT`, `MSSCCL`, and `Pytorch` for your DeepSpeed training jobs.

-* ACPT-curated (Azure Container for Pytorch) environment. See [Curated environments](resource-curated-environments.md#azure-container-for-pytorch-acpt-preview) to obtain the ACPT image. Learn how to use the curated environment [here](./how-to-use-environments.md)

-[Azure Container for PyTorch (ACPT)](how-to-manage-environments-v2.md?tabs=cli#curated-environments), a curated environment for PyTorch model training, includes Nebula as a preinstalled, dependent Python package. See [Azure Container for PyTorch (ACPT)](resource-curated-environments.md#azure-container-for-pytorch-acpt-preview) to view the curated environment, and [Enabling Deep Learning with Azure Container for PyTorch in Azure Machine Learning](https://techcommunity.microsoft.com/t5/ai-machine-learning-blog/enabling-deep-learning-with-azure-container-for-pytorch-in-azure/ba-p/3650489) to learn more about the ACPT image.

-This article lists the curated environments with latest framework versions in Azure Machine Learning. Curated environments are provided by Azure Machine Learning and are available in your workspace by default. They are backed by cached Docker images that use the latest version of the Azure Machine Learning SDK, reducing the run preparation cost and allowing for faster deployment time. Use these environments to quickly get started with various machine learning frameworks.

-> Use the [Python SDK](how-to-use-environments.md), [CLI](/cli/azure/ml/environment#az-ml-environment-list), or Azure Machine Learning [studio](how-to-manage-environments-in-studio.md) to get the full list of environments and their dependencies. For more information, see the [environments article](how-to-use-environments.md#use-a-curated-environment).

-* Only have required dependencies and access right in the image/container. 

->[!IMPORTANT]

-> To view more information about curated environment packages and versions, visit the Environments tab in the Azure Machine Learning [studio](./how-to-manage-environments-in-studio.md).

-> [!IMPORTANT]

-> Items marked (preview) in this article are currently in public preview.

-> The preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-### Azure Container for PyTorch (ACPT) (preview)

-**Description**: The Azure Curated Environment for PyTorch is our latest PyTorch curated environment. It is optimized for large, distributed deep learning workloads and comes pre-packaged with the best of Microsoft technologies for accelerated training, e.g., OnnxRuntime Training (ORT), DeepSpeed, MSCCL, etc.

-The following configurations are supported:

-| Environment Name | OS | GPU Version| Python Version | PyTorch Version | ORT-training Version | DeepSpeed Version | torch-ort Version |

-| | | | | | | | |

-| AzureML-ACPT-pytorch-1.12-py39-cuda11.6-gpu | Ubuntu 20.04 | cu116 | 3.9 | 1.12.1 | 1.13.1 | 0.7.3 | 1.13.1 |

-| AzureML-ACPT-pytorch-1.12-py38-cuda11.6-gpu | Ubuntu 20.04 | cu116 | 3.8 | 1.12.1 | 1.12.0 | 0.7.3 | 1.12.0 |

-| AzureML-ACPT-pytorch-1.11-py38-cuda11.5-gpu | Ubuntu 20.04 | cu115 | 3.8 | 1.11.0 | 1.11.1 | 0.7.3 | 1.11.0 |

-| AzureML-ACPT-pytorch-1.11-py38-cuda11.3-gpu | Ubuntu 20.04 | cu113 | 3.8 | 1.11.0 | 1.11.1 | 0.7.3 | 1.11.0 |

-> Currently, due to underlying cuda and cluster incompatibilities, on [NC series](../virtual-machines/nc-series.md) only AzureML-ACPT-pytorch-1.11-py38-cuda11.3-gpu with cuda 11.3 can be used.

-[Turbonomic](https://learn.turbonomic.com/azure-migrate-portal-free-trial) | Assess servers.

->[!Note]

-Create a **main.bicep** file and a **crateFirewallRules.bicep** file with the following content to create a server using public access connectivity method and also create a database on the server. Update the **firewallRules** default value if needed.

-**crateFirewallRules.bicep**

-| Single Server configuration not supported for migration | How and when to migrate? |

-| Single servers with Private Link enabled | Private Link is on the road map for next year. You can also choose to migrate now and perform wNet injection via a point-in-time restore operation to move to private access network connectivity method. |

-| Single servers with Cross-Region Read Replicas enabled | Cross-Region Read Replicas for flexible server (for paired region) is in private preview, and you can start migrating your single server. Cross-Region Read Replicas for flexible server (for any cross-region) is on the road map for later this year, post, which you can migrate your single server. |

-1. [Create a storage account](../storage/common/storage-account-create.md) for diagnsotics with the following additional configuration:

-SQL dynamic metadata includes a list of more than 700 DMVs/DMFs. We list here as an illustration some of the most popular ones, mapped to their role definition in Microsoft Purview DevOps policies and linked to the URL, along with their description.

-| **Accessible by DevOps role** | **Popular DMV / DMF** | **Description**|

-| *SQL Performance Monitor* | [sys.dm_exec_requests](/sql/relational-databases/system-dynamic-management-views/sys-dm-exec-requests-transact-sql)|Monitors the current activity and performance of the server|

-||[sys.dm_os_wait_stats](/sql/relational-databases/system-dynamic-management-views/sys-dm-os-wait-stats-transact-sql)|Identifies performance bottlenecks to enable system tuning|

-|| [sys.dm_exec_query_stats](/sql/relational-databases/system-dynamic-management-views/sys-dm-exec-query-stats-transact-sql)|Identifies queries that are consuming a lot of resources or taking a long time to execute|

-|| [sys.dm_exec_sessions](/sql/relational-databases/system-dynamic-management-views/sys-dm-exec-sessions-transact-sql)|Shows information about all active user connections and internal tasks|

-|| [sys.dm_os_waiting_tasks](/sql/relational-databases/system-dynamic-management-views/sys-dm-os-waiting-tasks-transact-sql)|Helps identify and troubleshoot blocking issues within SQL Server|

-|| [sys.dm_exec_procedure_stats](/sql/relational-databases/system-dynamic-management-views/sys-dm-exec-procedure-stats-transact-sql)|Returns how many times a procedure was executed, the total duration, reads, writes and more|

-| *SQL Security Auditor* |[sys.dm_server_audit_status](/sql/relational-databases/system-dynamic-management-views/sys-dm-server-audit-status-transact-sql)|Returns audit details such as the location of the target, size and status of the audit itself|

-| Both *SQL Performance Monitor* and *SQL Security Auditor*|[sys.dm_audit_actions](/sql/relational-databases/system-dynamic-management-views/sys-dm-audit-actions-transact-sql)|Returns a row for every audit action that can be reported in the audit log and every audit action group that can be configured as part of SQL Server Audit|

-||[sys.dm_audit_class_type_map](/sql/relational-databases/system-dynamic-management-views/sys-dm-audit-class-type-map-transact-sql)|When events are fired, they record the object type, not the securable class. This DMV maps the class_type field in the audit log to the class_desc field in sys.dm_audit_actions|

- > [!NOTE]

- > The following are supported storage account configurations:

- >

- > - Azure regions: Canada Central, Canada East, UK South, UK West, Australia East, Japan East, Korea South, and South Africa North

- > - Performance: Standard

- > - Redundancy options: LRS, GRS, RA-GRS

-* A source storage account **created after the registration step is completed**. Source storage account can be in a different Azure region from your Microsoft Purview account, but needs to follow these configurations:

- > [!NOTE]

- > The following are supported storage account configurations:

- >

- > - Azure regions: Canada Central, Canada East, UK South, UK West, Australia East, Japan East, Korea South, and South Africa North

- > - Performance: Standard

- > - Redundancy options: LRS, GRS, RA-GRS

-The Khronos Group maintains a set of glTF sample models for testing. ARR supports the glTF format both in text (*.gltf*) and in binary (*.glb*) form. We suggest using the PBR models for best visual results:

-## View elevate access logs

-When access is elevated, an entry is added to the logs. As a Global Administrator in Azure AD, you might want to check when access was elevated and who did it. Elevate access log entries do not appear in the standard activity logs, but instead appear in the directory activity logs. This section describes different ways that you can view the elevate access logs.

-### View elevate access logs using the Azure portal

-1. Follow the steps earlier in this article to elevate your access.

-1. Follow the steps earlier in this article to remove elevated access.

-### View elevate access logs using Azure CLI

-1. Follow the steps earlier in this article to elevate your access.

-1. Follow the steps earlier in this article to remove elevated access.

-### Delegate access to a group to view elevate access logs using Azure CLI

-If you want to be able to periodically get the elevate access logs, you can delegate access to a group and then use Azure CLI.

-1. Follow the steps earlier in this article to elevate your access.

-1. Follow the steps earlier in this article to remove elevated access.

-A user in the group can now periodically run the [az rest](/cli/azure/reference-index#az-rest) command to view elevate access logs.

-You can now include cross-workspace queries in scheduled analytics rules. You can use cross-workspace analytics rules in a central SOC, and across tenants (using Azure Lighthouse), suitable for MSSPs. Note these limitations:

-| **[Deception Honey Tokens](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinelhoneytokens.azuresentinelhoneytokens?tab=Overview)** | [Workbooks, analytics rules, playbooks](monitor-key-vault-honeytokens.md) | Security - Threat Protection |Microsoft |

-**This article applies to:** ✔️ Basic/Standard tier ✔️ Enterprise tier

-

-The following quickstarts apply to Basic/Standard tier only. For Enterprise tier quickstarts, see the next section.

-## Enterprise Tier overview

-| Use familiar development tools. | IntelliJ, Visual Studio Code, Eclipse, Spring Tool Suite, Maven, or Gradle |

-**This article applies to:** ✔️ Basic/Standard tier ✔️ Enterprise tier

-This quickstart explains how to deploy a small application to run on Azure Spring Apps.

-The application code used in this tutorial is a simple app. When you've completed this example, the application will be accessible online, and you can manage it through the Azure portal.

-At the end of this quickstart, you'll have a working spring app running on Azure Spring Apps.

-Use the following steps to provision a service instance.

-1. Select **Try It** and sign in to your Azure account in [Azure Cloud Shell](../cloud-shell/overview.md).

-1. Azure Cloud Shell workspaces are temporary. On initial start, the shell prompts you to associate an [Azure Storage](../storage/common/storage-introduction.md) instance with your subscription to persist files across sessions.

-1. Use the following command to choose and link to your subscription.

- az account set --subscription <subscription-id>

- --name <service-instance-name>

-1. Choose **Y** to install the Azure Spring Apps extension and run it.

- --service <service-instance-name> \

- --service <service-instance-name> \

-```url

-https://start.spring.io/#!type=maven-project&language=java&platformVersion=2.6.10&packaging=jar&jvmVersion=11&groupId=com.example&artifactId=hellospring&name=hellospring&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.hellospring&dependencies=web,cloud-eureka,actuator,cloud-config-client

-```

-The following image shows the recommended Initializr settings for the *hellospring* sample project.

-This example uses Java version 11. To use a different Java version, change the Java version setting under **Project Metadata**.

- ```java

- package com.example.hellospring;

- import org.springframework.web.bind.annotation.RestController;

- import org.springframework.web.bind.annotation.RequestMapping;

- @RestController

- public class HelloController {

- @RequestMapping("/")

- public String index() {

- return "Greetings from Azure Spring Apps!";

- }

- ```

-## Provision an instance of Azure Spring Apps

-1. Fill out the form on the Azure Spring Apps **Create** page. Consider the following guidelines:

- - **Service Name**: Specify the service instance name. You'll use this name later in this article where the *\<service-instance-name\>* placeholder appears. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number.

-Once deployment has completed, you can access the app at `https://<service instance name>-hellospring.azuremicroservices.io/`.

-In this quickstart, you learned how to generate a basic Spring project, provision a service instance, build and deploy an app with a public endpoint, and clean up the resources.

-You also have access to powerful logs, metrics, and distributed tracing capability from the Azure portal. For more information, see [Quickstart: Monitoring Azure Spring Apps apps with logs, metrics, and tracing](./quickstart-logs-metrics-tracing.md).

-description: Learn about service quotas and service plans for Azure Spring Apps

-**This article applies to:** ✔️ Basic/Standard tier ✔️ Enterprise tier

-All Azure services set default limits and quotas for resources and features. Azure Spring Apps offers three pricing tiers: Basic, Standard, and Enterprise.

-## Azure Spring Apps service tiers and limits

-| Resource | Scope | Basic | Standard | Enterprise |

-|--|--||--|--|

-| vCPU | per app instance | 1 | 4 | 8 |

-| Memory | per app instance | 2 GB | 8 GB | 32 GB |

-| Azure Spring Apps service instances | per region per subscription | 10 | 10 | 10 |

-| Total app instances | per Azure Spring Apps service instance | 25 | 500 | 500 |

-| Custom Domains | per Azure Spring Apps service instance | 0 | 25 | 25 |

-| Persistent volumes | per Azure Spring Apps service instance | 1 GB/app x 10 apps | 50 GB/app x 10 apps | 50 GB/app x 10 apps |

-| Inbound Public Endpoints | per Azure Spring Apps service instance | 10 ¹ | 10 ¹ | 10 ¹ |

-| Outbound Public IPs | per Azure Spring Apps service instance | 1 ² | 2 ² <br> 1 if using VNet² | 2 ² <br> 1 if using VNet² |

-| User-assigned managed identities | per app instance | 20 | 20 | 20 |

-> The examples in this article assume that you've created a [BlobServiceClient](/javascript/api/@azure/storage-blob/blobserviceclient) object by using the guidance in the [Get started with Azure Blob Storage and JavaScript](storage-blob-javascript-get-started.md) article. Blobs in Azure Storage are organized into containers. Before you can upload a blob, you must first create a container. To learn how to create a container, see [Create a container in Azure Storage with JavaScript](storage-blob-container-create.md).

-|Scale | Up to 2 PiB for a single volume. <br></br> Up to ~4.75 TiB max for a single file.<br></br>No minimum capacity requirements. |Up to 100 TiB for a single file share.<br></br>Up to 4 TiB for a single file.<br></br>100 GiB min capacity. |Up to 100 TiB for a single regular volume, up to 500 TiB for a large volume.<br></br>Up to 16 TiB for a single file.<br></br>Consistent hybrid cloud experience. |

-#### NFS 4.1 protocol support is generally available

-Premium Azure file shares now support either the SMB or the NFS 4.1 protocols. NFS 4.1 is available in all regions where Azure Files supports the premium tier, for both locally redundant storage and zone-redundant storage. Azure file shares created with the NFS 4.1 protocol enabled are fully POSIX-compliant, distributed file shares that support a wide variety of Linux and container-based workloads. Some example workloads include: highly available SAP application layer, enterprise messaging, user home directories, custom line-of-business applications, database backups, database replication, and Azure Pipelines.

-1. In the Synapse workspace where you want to create the new Azure Machine Learning linked service, go to **Management** > **Linked service**, and create a new linked service with type "Azure Machine Learning".

-1. In the Synapse workspace where you want to create the new Azure Machine Learning linked service, go to **Management** -> **Linked service**, create a new linked service with type "Azure Machine Learning".

-> Multi-column distribution is currently in preview for Azure Synapse Analytics. For more information on joining the preview, see multi-column distribution with [CREATE MATERIALIZED VIEW](/sql/t-sql/statements/create-materialized-view-as-select-transact-sql), [CREATE TABLE](/sql/t-sql/statements/create-table-azure-sql-data-warehouse), or [CREATE TABLE AS SELECT](/sql/t-sql/statements/create-materialized-view-as-select-transact-sql).

->[!NOTE]

->Azure Virtual Desktop Insights currently only supports monitoring one subscription, resource group, and host pool at a time. However, the public preview for Azure Virtual Desktop Insights at Scale (preview) lets you select multiple subscriptions, resource groups, and host pools at a time. You can use this preview feature by selecting **Insights (Preview)**. If you can't find the environment you want to monitor, see [our troubleshooting documentation](troubleshoot-insights.md).