-description: In this tutorial, you use Microsoft Sentinel to perform security analytics for Azure Active Directory B2C data.

-#Customer intent: As an IT professional, I want to gather logs and audit data by using Microsoft Sentinel and Azure Monitor so that I can secure my applications that use Azure Active Directory B2C.

-You can further secure your Azure Active Directory B2C (Azure AD B2C) environment by routing logs and audit information to Microsoft Sentinel. Microsoft Sentinel is a cloud-native SIEM (security information and event management) and SOAR (security orchestration, automation, and response) solution. Microsoft Sentinel provides alert detection, threat visibility, proactive hunting, and threat response for Azure AD B2C.

-By using Microsoft Sentinel with Azure AD B2C, you can:

-In this tutorial, you'll learn how to:

-> [!div class="checklist"]

-> * Transfer Azure AD B2C logs to a Log Analytics workspace.

-> * Enable Microsoft Sentinel in a Log Analytics workspace.

-> * Create a sample rule in Microsoft Sentinel that will trigger an incident.

-> * Configure an automated response.

-To define where logs and metrics for a resource should be sent, enable **Diagnostic settings** in Azure AD within your Azure AD B2C tenant. Then, [configure Azure AD B2C to send logs to Azure Monitor](./azure-monitor.md).

-## Deploy a Microsoft Sentinel instance

-After you've configured your Azure AD B2C instance to send logs to Azure Monitor, you need to enable a Microsoft Sentinel instance.

->[!IMPORTANT]

->To enable Microsoft Sentinel, you need contributor permissions to the subscription in which the Microsoft Sentinel workspace resides. To use Microsoft Sentinel, you need either contributor or reader permissions on the resource group that the workspace belongs to.

-1. Go to the [Azure portal](https://portal.azure.com). Select the subscription where the Log Analytics workspace is created.

-2. Search for and select **Microsoft Sentinel**.

- 

-3. Select **Add**.

-4. Select the new workspace.

- 

->[!NOTE]

->You can [run Microsoft Sentinel](../sentinel/quickstart-onboard.md) on more than one workspace, but the data is isolated to a single workspace.

-Now that you've enabled Microsoft Sentinel, get notified when something suspicious occurs in your Azure AD B2C tenant.

-You can create [custom analytics rules](../sentinel/detect-threats-custom.md) to discover threats and anomalous behaviors in your environment. These rules search for specific events or sets of events and alert you when certain event thresholds or conditions are reached. Then they generate incidents for further investigation.

->[!NOTE]

->Microsoft Sentinel provides built-in templates to help you create threat detection rules designed by Microsoft's team of security experts and analysts. Rules created from these templates automatically search across your data for any suspicious activity. There are no native Azure AD B2C connectors available at this time. For the example in this tutorial, we'll create our own rule.

-In the following example, you receive a notification if someone tries to force access to your environment but isn't successful. It might mean a brute-force attack. You want to get notified for two or more unsuccessful logins within 60 seconds.

-1. From the left menu in Microsoft Sentinel, select **Analytics**.

-2. On the action bar at the top, select **+ Create** > **Scheduled query rule**.

- 

-3. In the Analytics Rule wizard, go to the **General** tab and enter the following information:

- | Field | Value |

- |:--|:--|

- |**Name** | Enter a name that's appropriate for Azure AD B2C unsuccessful logins. |

- |**Description** | Enter a description that says the rule will notify on two or more unsuccessful logins within 60 seconds. |

- | **Tactics** | Choose from the categories of attacks by which to classify the rule. These categories are based on the tactics of the [MITRE ATT&CK](https://attack.mitre.org/) framework.<BR>For our example, we'll choose **PreAttack**. <BR> MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. This knowledge base is used as a foundation for the development of specific threat models and methodologies.

- | **Severity** | Select an appropriate severity level. |

- | **Status** | When you create the rule, its status is **Enabled** by default. That status means the rule will run immediately after you finish creating it. If you don't want it to run immediately, select **Disabled**. The rule will then be added to your **Active rules** tab, and you can enable it from there when you need it.|

- 

-4. To define the rule query logic and configure settings, on the **Set rule logic** tab, write a query directly in the

-**Rule query** box.

- 

- This query will alert you when there are two or more unsuccessful logins within 60 seconds to your Azure AD B2C tenant. It will organize the logins by `UserPrincipalName`.

-5. In the **Query scheduling** section, set the following parameters:

- 

-6. Select **Next: Incident settings (Preview)**. You'll configure and add the automated response later.

-7. Go to the **Review and create** tab to review all the settings for your new alert rule. When the **Validation passed** message appears, select **Create** to initialize your alert rule.

- 

-8. View the rule and the incidents that it generates. Find your newly created custom rule of type **Scheduled** in the table under the **Active rules** tab on the main **Analytics** screen. From this list, you can edit, enable, disable, or delete rules by using the corresponding buttons.

- 

-9. View the results of your new rule for Azure AD B2C unsuccessful logins. Go to the **Incidents** page, where you can triage, investigate, and remediate the threats.

- An incident can include multiple alerts. It's an aggregation of all the relevant evidence for a specific investigation. You can set properties such as severity and status at the incident level.

- > [!NOTE]

- > A key feature of Microsoft Sentinel is [incident investigation](../sentinel/investigate-cases.md).

-

-10. To begin an investigation, select a specific incident.

- On the right, you can see detailed information for the incident. This information includes severity, entities involved, the raw events that triggered the incident, and the incident's unique ID.

-11. Select **View full details** on the incident pane. Review the tabs that summarize the incident information and provide more details.

- 

-12. Select **Evidence** > **Events** > **Link to Log Analytics**. The result displays the `UserPrincipalName` value of the identity that's trying to log in with the number of attempts.

- 

-Microsoft Sentinel provides a [robust SOAR capability](../sentinel/automation-in-azure-sentinel.md). Automated actions, called a *playbook* in Microsoft Sentinel, can be attached to analytics rules to suit your requirements.

-In this example, we add an email notification for an incident that the rule creates. To accomplish this task, use an [existing playbook from the Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Incident-Email-Notification). After the playbook is configured, edit the existing rule and select the playbook on the **Automated response** tab.

-

-## Related information

-For more information about Microsoft Sentinel and Azure AD B2C, see:

-## Next steps

-> [!div class="nextstepaction"]

-> [Handle false positives in Microsoft Sentinel](../sentinel/false-positives.md)

-1. Under **Implicit grant and hybrid flows**, select the **ID tokens (used for implicit and hybrid flows)** checkbox.

-description: Tutorial for configuring Keyless with Azure Active Directory B2C for passwordless authentication

-In this sample tutorial, we provide guidance on how to configure Azure Active Directory (AD) B2C with [Keyless](https://keyless.io/). With Azure AD B2C as an Identity provider, you can integrate Keyless with any of your customer applications to provide true passwordless authentication to your users.

-Keyless's solution **Keyless Zero-Knowledge Biometric (ZKBΓäó)** provides passwordless multifactor authentication that eliminates fraud, phishing, and credential reuse ΓÇô all while enhancing customer experience and protecting their privacy.

-## Pre-requisites

-To get started, you'll need:

-The following architecture diagram shows the implementation.

-

-|Step | Description |

-|:--| :--|

-| 1. | User arrives at a login page. Users select sign-in/sign-up and enters the username

-| 2. | The application sends the user attributes to Azure AD B2C for identity verification.

-| 3. | Azure AD B2C collects the user attributes and sends the attributes to Keyless to authenticate the user through the Keyless mobile app.

-| 4. | Keyless sends a push notification to the registered user's mobile device for a privacy-preserving authentication in the form of a facial biometric scan.

-| 5. | After the user responds to the push notification, the user is either granted or denied access to the customer application based on the verification results.

-## Integrate with Azure AD B2C

-To add a new Identity provider, follow these steps:

-1. Sign in to the **[Azure portal](https://portal.azure.com/#home)** as the global administrator of your Azure AD B2C tenant.

-1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.

-1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.

-1. Choose **All services** in the top-left corner of the Azure portal, search for and select **Azure AD B2C**.

-1. Navigate to **Dashboard** > **Azure Active Directory B2C** > **Identity providers**

-1. Select **Identity providers**.

-1. Select **Add**.

-### Configure an Identity provider

-To configure an identity provider, follow these steps:

-1. Select **Identity provider type** > **OpenID Connect (Preview)**

-1. Fill out the form to set up the Identity provider:

- |Property | Value |

- |:--| :--|

- | Name | Keyless |

- | Metadata URL | Insert the URI of the hosted Keyless Authentication app, followed by the specific path such as 'https://keyless.auth/.well-known/openid-configuration' |

- | Client Secret | The secret associated with the Keyless Authentication instance - not same as the one configured before. Insert a complex string of your choice. This secret will be used later in the Keyless Container configuration.|

- | Client ID | The ID of the client. This ID will be used later in the Keyless Container configuration.|

- | Scope | openid |

- | Response type | id_token |

- | Response mode | form_post|

-1. Select **OK**.

-1. Select **Map this identity providerΓÇÖs claims**.

-1. Fill out the form to map the Identity provider:

- |Property | Value |

- |:--| :--|

- | UserID | From subscription |

- | Display name | From subscription |

- | Response mode | From subscription |

-1. Select **Save** to complete the setup for your new Open ID Connect (OIDC) Identity provider.

-You should now see Keyless as a new OIDC Identity provider listed within your B2C identity providers.

-1. In your Azure AD B2C tenant, under **Policies**, select **User flows**.

-2. Select **New** user flow.

-3. Select **Sign up and sign in**, select a **version**, and then select **Create**.

-4. Enter a **Name** for your policy.

-5. In the Identity providers section, select your newly created Keyless Identity Provider.

-6. Set up the parameters of your User flow. Insert a name and select the Identity provider youΓÇÖve created. You can also add email address. In this case, Azure wonΓÇÖt redirect the login procedure directly to Keyless instead it will show a screen where the user can choose the option they would like to use.

-7. Leave the **Multi-factor Authentication** field as is.

-8. Select **Enforce conditional access policies**

-9. Under **User attributes and token claims**, select **Email Address** in the Collect attribute option. You can add all the attributes that Azure Active Directory can collect about the user alongside the claims that Azure AD B2C can return to the client application.

-10. Select **Create**.

-11. After a successful creation, select your new **User flow**.

-12. On the left panel, select **Application Claims**. Under options, tick the **email** checkbox and select **Save**.

-1. Open the Azure AD B2C tenant and under Policies select Identity Experience Framework.

-2. Select your previously created SignUpSignIn.

-3. Select Run user flow and select the settings:

- a. Application: select the registered app (sample is JWT)

- b. Reply URL: select the redirect URL

- c. Select Run user flow.

-4. Go through sign-up flow and create an account

-5. Keyless will be called during the flow, after user attribute is created. If the flow is incomplete, check that user isn't saved in the directory.

-For additional information, review the following articles:

-description: Tutorial to configure Azure Active Directory B2C with Saviynt for cross application integration to streamline IT modernization and promote better security, governance, and compliance.ΓÇ»

-# Tutorial for configuring Saviynt with Azure Active Directory B2C

-In this sample tutorial, we provide guidance on how to integrate Azure Active Directory (AD) B2C with [Saviynt](https://saviynt.com/integrations/azure-ad/for-b2c/). SaviyntΓÇÖs Security Manager platform provides the visibility, security, and governance todayΓÇÖs businesses need, in a single unified platform. Saviynt incorporates application risk and governance, infrastructure management, privileged account management, and customer risk analysis.

-In this sample tutorial, you'll set up Saviynt to provide fine grained access control based delegated administration for Azure AD B2C users. Saviynt does the following checks to determine if a user is authorized to manage Azure AD B2C users.

-To get started, you'll need:

-The following architecture diagram shows the implementation.

-

-|Step | Description |

-|:--| :--|

-| 1. | A delegated administrator starts a manage Azure AD B2C user operation through Saviynt.

-| 2. | Saviynt verifies with its authorization engine if the delegated administrator can do the specific operation.

-| 3. | SaviyntΓÇÖs authorization engine sends an authorization success/failure response.

-| 4. | Saviynt allows the delegated administrator to do the required operation.

-| 5. | Saviynt invokes Microsoft Graph API along with user attributes to manage the user in Azure AD B2C

-| 6. | Microsoft Graph API will in turn create/update/delete the user in Azure AD B2C.

-| 7. | Azure AD B2C will send a success/failure response.

-| 8. | Microsoft Graph API will then return the response to Saviynt.

-## Onboard with Saviynt

-1. To create a Saviynt account, contact [Saviynt](https://saviynt.com/contact-us/)

-2. Create delegated administration policies and assign users as delegated administrators with various roles.

-### Create an Azure AD Application for Saviynt

-1. Sign in to the [Azure portal](https://portal.azure.com/#home).

-1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.

-1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.

-1. In the Azure portal, search and select **Azure AD B2C**.

-1. Select **App registrations** > **New registration**.

-1. Enter a Name for the application. For example, Saviynt and select **Create**.

-1. Go to **API Permissions** and select **+ Add a permission.**

-1. The Request API permissions page appears. Select **Microsoft APIs** tab and select **Microsoft Graph** as commonly used Microsoft APIs.

-1. Go to the next page, and select **Application permissions**.

-1. Select **Directory**, and select **Directory.Read.All** and **Directory.ReadWrite.All** checkboxes.

-1. Select **Add Permissions**. Review the permissions added.

-1. Select **Grant admin consent for Default Directory** > **Save**.

-1. Go to **Certificates and Secrets** and select **+ Add Client Secret**. Enter the client secret description, select the expiry option, and select **Add**.

-1. The Secret key is generated and displayed in the Client secret section. You'll need to use it later.

-1. Go to **Overview** and get the **Client ID** and **Tenant ID**.

-1. Tenant ID, client ID, and client secret will be needed to complete the setup in Saviynt.

-### Enable Saviynt to Delete users

-The below steps explain how to enable Saviynt to perform user delete operations in Azure AD B2C.

->[!NOTE]

->[Evaluate the risk before granting admin roles access to a service principal.](../active-directory/develop/app-objects-and-service-principals.md)

-1. Install the latest version of MSOnline PowerShell Module on a Windows workstation/server.

-2. Connect to AzureAD PowerShell module and execute the following commands:

-Browse to your Saviynt application tenant and test user life-cycle management and access governance use case.

-For additional information, review the following articles:

-* Custom complex and multivalued attributes are supported but Azure AD doesn't have many complex data structures to pull data from in these cases. Simple paired name/value type complex attributes can be mapped to easily, but flowing data to complex attributes with three or more subattributes aren't well supported at this time.

-The Azure AD provisioning service currently operates under the IP Ranges for AzureActiveDirectory as listed [here](https://www.microsoft.com/download/details.aspx?id=56519&WT.mc_id=rss_alldownloads_all). You can add the IP ranges listed under the AzureActiveDirectory tag to allow traffic from the Azure AD provisioning service into your application. You'll need to review the IP range list carefully for computed addresses. An address such as '40.126.25.32' could be represented in the IP range list as '40.126.0.0/18'. You can also programmatically retrieve the IP range list using the following [API](/rest/api/virtualnetwork/servicetags/list).

-As the combined check for password policy and banned passwords gets rolled out to tenants, Azure AD and Office 365 admin center users may see differences when they create, change, or reset their passwords. This topic explains details about the password policy criteria checked by Azure AD.

-| Password not recently used | When a user changes or resets their password, the new password can't be the same as the current or recently used passwords. |

-Password expiration policies are unchanged but they're included in this topic for completeness. A *global administrator* or *user administrator* can use the [Microsoft Azure AD Module for Windows PowerShell](/powershell/module/Azuread/) to set user passwords not to expire.

-> <b>App passwords</b> are available only to users who have been enforced for per-user MFA. App passwords are not available to users who are enabled for Azure AD Multi-Factor Authentication by a Conditional Access policy. <br />

->Virtual phone numbers are not supported for Voice calls or SMS messages.

-Third party authenticator apps do not provide push notification. As we continue to add more authentication methods to Azure AD, those methods become available in combined registration.

-When registration is enforced, users are shown the minimum number of methods needed to be compliant with both multifactor authentication and SSPR policies, from most to least secure. Users going through combined registration where both MFA and SSPR registration is enforced and the SSPR policy requires two methods will first be required to register an MFA method as the first method and can select another MFA or SSPR specific method as the second registered method (e.g. email, security questions etc.)

- - The user is shown Authenticator app and phone by default.

-If the SSPR policy requires users to review their security info at regular intervals, users are interrupted during sign-in and shown all their registered methods. They can confirm the current info if it's up to date, or they can make changes if they need to. Users must perform multi-factor authentication when accessing this page.

-An admin has not enforced registration.

-By using Azure AD B2C as an identity management service, you can customize and control how your customers sign up, sign in, and manage their profiles when they use your applications.

- User graphUser = await graphClient.Me.Request().GetAsync();

- GraphServiceClient graphClient = new GraphServiceClient(MSGraphURL,

- new DelegateAuthenticationProvider(async (requestMessage) =>

- {

- requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", await SignInUserAndGetTokenUsingMSAL(scopes));

- }));

-Users created by cross-tenant synchronization will have the same experience when accessing Microsoft Teams and other Microsoft 365 services as B2B collaboration users created through a manual invitation. The [userType](../external-identities/user-properties.md) property on the B2B user, whether guest or member, does change the end user experience. Over time, the member userType will be used by the various Microsoft 365 services to provide differentiated end user experiences for users in a multi-tenant organization.

-*Azure AD recommendations* use similar data to support you with the roll-out and management of Microsoft's best practices for Azure AD tenants to keep your tenant in a secure and healthy state. Azure AD recommendations provide a holistic view into your tenant's security, health, and usage.

-

-## How it works

-On a daily basis, Azure AD analyzes the configuration of your tenant. During this analysis, Azure AD compares the data of a recommendation with the actual configuration of your tenant. If a recommendation is flagged as applicable to your tenant, the recommendation appears in the **Recommendations** section of the Azure AD Overview area. The recommendations are listed in order of priority so you can quickly determine where to focus first.

-Each recommendation contains a description, a summary of the value of addressing the recommendation, and a step-by-step action plan. If applicable, impacted resources associated with the recommendation are listed, so you can resolve each affected area. If a recommendation doesn't have any associated resources, the impacted resource type is *Tenant level*. so your step-by-step action plan impacts the entire tenant and not just a specific resource.

-

-## Recommendation details

-Each recommendation provides the same set of details that explain what the recommendation is, why it's important, and how to fix it.

-The **Status** of a recommendation can be updated manually or automatically by the system. If all resources are addressed according to the action plan, the status automatically changes to *Completed* the next time the recommendations service runs. The recommendation service runs every 24-48 hours, depending on the recommendation.

-

-The **Priority** of a recommendation could be low, medium, or high. These values are determined by several factors, such as security implications, health concerns, or potential breaking changes.

-

-The **Impacted resources** for a recommendation could be things like applications or users. This detail gives you an idea of what type of resources you need to address. The impacted resource could also be at the tenant level, so you may need to make a global change.

-The **Status description** tells you the date the recommendation status changed and if it was changed by the system or a user.

-The recommendation's **Value** is an explanation of why completing the recommendation will benefit you, and the value of the associated feature.

-The **Action plan** provides step-by-step instructions to implement a recommendation. May include links to relevant documentation or direct you to other pages in the Azure AD portal.

-## Roles and licenses

-The following roles provide *read-only* access to recommendations:

-The following roles provide *update and read-only* access to recommendations:

-The Azure AD recommendations feature is automatically enabled. If you'd like to disable this feature, go to **Azure AD** > **Preview features**. Locate the **Recommendations** feature, and change the **State**.

-Azure AD only displays the recommendations that apply to your tenant, so you may not see all supported recommendations listed. Currently, all recommendations are available in all tenants, regardless of the license type.

-### Recommendations available for all Azure AD tenants

-The recommendations listed in the following table are available to all Azure AD tenants. The table provides the impacted resources and links to available documentation.

-| Recommendation | Impacted resources | Availability |

-|- |- |- |

-| [Convert per-user MFA to Conditional Access MFA](recommendation-turn-off-per-user-mfa.md) | Users | Generally available |

-| [Migrate applications from AD FS to Azure AD](recommendation-migrate-apps-from-adfs-to-azure-ad.md) | Users | Generally available |

-| [Migrate to Microsoft Authenticator](recommendation-migrate-to-authenticator.md) | Users | Preview |

-| [Minimize MFA prompts from known devices](recommendation-migrate-apps-from-adfs-to-azure-ad.md) | Users | Generally available |

-## How to use Azure AD recommendations

-1. Go to **Azure AD** > **Recommendations**.

-1. Select a recommendation from the list to view the details, status, and action plan.

- 

-1. Follow the **Action plan**.

-1. If applicable, *right-click on the status* of a resource in a recommendation, select **Mark as**, then select a status.

- - The status for the resource appears as regular text, but you can right-click on the status to open the menu.

- - You can set each resource to a different status as needed.

-

- 

-1. The recommendation service automatically marks the recommendation as complete, but if you need to manually change the status of a recommendation, select **Mark as** from the top of the page and select a status.

- 

- - Mark a recommendation as **Dismissed** if you think the recommendation is irrelevant or the data is wrong.

- - Azure AD asks for a reason why you dismissed the recommendation so we can improve the service.

- - Mark a recommendation as **Postponed** if you want to address the recommendation at a later time.

- - The recommendation becomes **Active** when the selected date occurs.

- - You can reactivate a completed or postponed recommendation to keep it top of mind and reassess the resources.

- - Recommendations change to **Completed** if all impacted resources have been addressed.

- - If the service identifies an active resource for a completed recommendation the next time the service runs, the recommendation will automatically change back to **Active**.

- - Completing a recommendation is the only action collected in the audit log. To view these logs, go to **Azure AD** > **Audit logs** and filter the service to "Azure AD recommendations."

-Continue to monitor the recommendations in your tenant for changes.

-### Use Microsoft Graph with Azure Active Directory recommendations

-Azure Active Directory recommendations can be viewed and managed using Microsoft Graph on the `/beta` endpoint. You can view recommendations along with their impacted resources, mark a recommendation as completed by a user, postpone a recommendation for later, and more.

-To get started, follow these instructions to work with recommendations using Microsoft Graph in Graph Explorer. The example uses the Migrate apps from Active Directory Federated Services (ADFS) to Azure AD recommendation.

-1. Sign in to [Graph Explorer](https://aka.ms/ge).

-1. Select **GET** as the HTTP method from the dropdown.

-1. Set the API version to **beta**.

-1. Add the following query to retrieve recommendations, then select the **Run query** button.

- ```http

- GET https://graph.microsoft.com/beta/directory/recommendations

- ```

-1. To view the details of a specific `recommendationType`, use the following API. This example retrieves the detail of the "Migrate apps from AD FS to Azure AD" recommendation.

- ```http

- GET https://graph.microsoft.com/beta/directory/recommendations?$filter=recommendationType eq 'adfsAppsMigration'

- ```

-1. To view the impacted resources for a specific recommendation, expand the `impactedResources` relationship.

- ```http

- GET https://graph.microsoft.com/beta/directory/recommendations?$filter=recommendationType eq 'adfsAppsMigration'&$expand=impactedResources

- ```

-For more information, see the [Microsoft Graph documentation for recommendations](/graph/api/resources/recommendations-api-overview).

-* [Learn more about Microsoft Graph](/graph/overview)

-* [Get started with Azure AD reports](overview-reports.md)

-* [Learn about Azure AD monitoring](overview-monitoring.md)

-* [What is Azure Active Directory recommendations](overview-recommendations.md)

-* [Azure AD reports overview](overview-reports.md)

-* [Learn more about Microsoft Graph](/graph/overview)

-* [Explore the Microsoft Graph API properties for recommendations](/graph/api/resources/recommendation)

-## Logic

-* [Learn more about Microsoft Graph](/graph/overview)

-* [Explore the Microsoft Graph API properties for recommendations](/graph/api/resources/recommendation)

-* [Azure AD reports overview](overview-reports.md)

-* [Learn about requiring MFA for all users using Conditional Access](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)

-* [View the MFA CA policy tutorial](../authentication/tutorial-enable-azure-mfa.md)

-* [Learn more about Microsoft Graph](/graph/overview)

-* [Explore the Microsoft Graph API properties for recommendations](/graph/api/resources/recommendation)

-1. Log in to [Ardoq](https://aad.ardoq.com/).

-1. And `https://aad.ardoq.com/api/scim/v2` will be entered in the **Tenant Url** field in the Provisioning tab of your Ardoq application in the Azure portal.

-| | The last login date for a user doesn't update when user signs in via SSO | |

-If your Azure Files resources are protected with a private endpoint, you must create your own storage class that's customized with the following parameters:

-* `server`: The FQDN of the storage account's private endpoint (for example, `<storage account name>.privatelink.file.core.windows.net`).

- server: <storageAccountName>.privatelink.file.core.windows.net

-Create the storage class by using the [kubectl apply][kubectl-apply] command:

-[aks-rbac-cluster-admin-role]: manage-azure-rbac.md#create-role-assignments-for-users-to-access-cluster

-The Dapr extension for AKS and Arc for Kubernetes requires outbound URLs on `https://:443` to function. In addition to the `https://mcr.microsoft.com/daprio` URL for pulling Dapr artifacts, verify you've included the [outbound URLs required for AKS or Arc for Kubernetes](../azure-arc/kubernetes/quickstart-connect-cluster.md#meet-network-requirements).

-> [!NOTE]

-> This feature is currently supported only in the following regions:

->

-> - West Central US

-> - West Europe

-> - East US

-description: Learn how to use Azure RBAC for Kubernetes Authorization with Azure Kubernetes Service (AKS).

-# Use Azure RBAC for Kubernetes Authorization

-Today you can already leverage [integrated authentication between Azure Active Directory (Azure AD) and AKS](managed-aad.md). When enabled, this integration allows customers to use Azure AD users, groups, or service principals as subjects in Kubernetes RBAC, see more [here](azure-ad-rbac.md).

-This feature frees you from having to separately manage user identities and credentials for Kubernetes. However, you still have to set up and manage Azure RBAC and Kubernetes RBAC separately. For more details on authentication and authorization with RBAC on AKS, see [here](concepts-identity.md).

-This document covers a new approach that allows for the unified management and access control across Azure Resources, AKS, and Kubernetes resources.

-The ability to manage RBAC for Kubernetes resources from Azure gives you the choice to manage RBAC for the cluster resources either using Azure or native Kubernetes mechanisms. When enabled, Azure AD principals will be validated exclusively by Azure RBAC while regular Kubernetes users and service accounts are exclusively validated by Kubernetes RBAC. For more details on authentication and authorization with RBAC on AKS, see [here](concepts-identity.md#azure-rbac-for-kubernetes-authorization).

-### Prerequisites

-### Limitations

-## Create a new cluster using Azure RBAC and managed Azure AD integration

-Create an AKS cluster by using the following CLI commands.

-Create an Azure resource group:

-# Create an Azure resource group

-Create the AKS cluster with managed Azure AD integration and Azure RBAC for Kubernetes Authorization.

-# Create an AKS-managed Azure AD cluster

-az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad --enable-azure-rbac

-A successful creation of a cluster with Azure AD integration and Azure RBAC for Kubernetes Authorization has the following section in the response body:

- }

-## Integrate Azure RBAC into an existing cluster

-> [!NOTE]

-> To use Azure RBAC for Kubernetes Authorization, Azure Active Directory integration must be enabled on your cluster. For more, see [Azure Active Directory integration][managed-aad].

-To add Azure RBAC for Kubernetes Authorization into an existing AKS cluster, use the [az aks update][az-aks-update] command with the flag `enable-azure-rbac`.

-To remove Azure RBAC for Kubernetes Authorization from an existing AKS cluster, use the [az aks update][az-aks-update] command with the flag `disable-azure-rbac`.

-## Create role assignments for users to access cluster

-AKS provides the following four built-in roles:

-| Azure Kubernetes Service RBAC Reader | Allows read-only access to see most objects in a namespace. It doesn't allow viewing roles or role bindings. This role doesn't allow viewing `Secrets`, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation) |

-| Azure Kubernetes Service RBAC Writer | Allows read/write access to most objects in a namespace. This role doesn't allow viewing or modifying roles or role bindings. However, this role allows accessing `Secrets` and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. |

-Roles assignments scoped to the **entire AKS cluster** can be done either on the Access Control (IAM) blade of the cluster resource on Azure portal or by using Azure CLI commands as shown below:

-# Get your AKS Resource ID

-AKS_ID=$(az aks show -g MyResourceGroup -n MyManagedCluster --query id -o tsv)

-```azurecli-interactive

-az role assignment create --role "Azure Kubernetes Service RBAC Admin" --assignee <AAD-ENTITY-ID> --scope $AKS_ID

-```

-where `<AAD-ENTITY-ID>` could be a username (for example, user@contoso.com) or even the ClientID of a service principal.

-You can also create role assignments scoped to a specific **namespace** within the cluster:

-az role assignment create --role "Azure Kubernetes Service RBAC Reader" --assignee <AAD-ENTITY-ID> --scope $AKS_ID/namespaces/<namespace-name>

-Today, role assignments scoped to namespaces need to be configured via Azure CLI.

-### Create custom roles definitions

-Optionally you may choose to create your own role definition and then assign as above.

-Below is an example of a role definition that allows a user to only read deployments and nothing else. You can check the full list of possible actions [here](../role-based-access-control/resource-provider-operations.md#microsoftcontainerservice).

-Copy the below json into a file called `deploy-view.json`.

-Replace `<YOUR SUBSCRIPTION ID>` by the ID from your subscription, which you can get by running:

-```azurecli-interactive

-az account show --query id -o tsv

-```

-Now we can create the role definition by running the below command from the folder where you saved `deploy-view.json`:

-Now that you have your role definition, you can assign it to a user or other identity by running:

-> [!NOTE]

-> Ensure you have the latest kubectl by running the below command:

->

-> ```azurecli-interactive

-> az aks install-cli

-> ```

->

-> You might need to run it with `sudo` privileges.

-Now that you have assigned your desired role and permissions. You can start calling the Kubernetes API, for example, from `kubectl`.

-For this purpose, let's first get the cluster's kubeconfig using the below command:

-az aks get-credentials -g MyResourceGroup -n MyManagedCluster

-> [!IMPORTANT]

-> You'll need the [Azure Kubernetes Service Cluster User](../role-based-access-control/built-in-roles.md#azure-kubernetes-service-cluster-user-role) built-in role to perform the step above.

-Now, you can use kubectl to, for example, list the nodes in the cluster. The first time you run it you'll need to sign in, and subsequent commands will use the respective access token.

-To unblock additional scenarios like non-interactive logins, older `kubectl` versions or leveraging SSO across multiple clusters without the need to sign in to new cluster, granted that your token is still valid, AKS created an exec plugin called [`kubelogin`](https://github.com/Azure/kubelogin).

-You can use it by running:

-```

-The first time, you'll have to sign in interactively like with regular kubectl, but afterwards you'll no longer need to, even for new Azure AD clusters (as long as your token is still valid).

-## Clean up

-### Clean Role assignment

-```

-Copy the ID or IDs from all the assignments you did and then.

-```azurecli-interactive

-### Clean up role definition

-### Delete cluster and resource group

-az group delete -n MyResourceGroup

-| [Pass-through WebSocket APIs](websocket-api.md) | No | Yes | Yes | Yes | Yes |

-| [Pass-through GraphQL APIs](graphql-apis-overview.md) | Yes | Yes | Yes | Yes | Yes |

-| [Synthetic GraphQL APIs](graphql-apis-overview.md) | Yes | Yes | Yes | Yes | Yes |

-⁴ The following policies aren't available in the Consumption tier: rate limit by key and quota by key.

-| [Pass-through GraphQL](graphql-apis-overview.md) | ✔️ | ✔️ | ❌ |

-| [Synthetic GraphQL](graphql-apis-overview.md)| ✔️ | ✔️ | ❌ |

-| [Pass-through WebSocket](websocket-api.md) | ✔️ | ❌ | ❌ |

-| [GraphQL resolvers](api-management-policies.md#graphql-resolver-policies) and [GraphQL validation](api-management-policies.md#validation-policies)| ✔️ | ✔️ | ❌ |

-| [Get authorization context](get-authorization-context-policy.md) | ✔️ | ✔️ | ❌ |

-> * These controls are being released during December 2022. It may take several weeks for your API Management service to receive the update.

-> * Visibility and access controls are supported only in the managed developer portal. They are not supported in the [self-hosted portal](developer-portal-self-host.md).

-### GraphQL resolver policies

-In API Management, a [GraphQL resolver](configure-graphql-resolver.md) is configured using policies scoped to a specific operation type and field in a [GraphQL schema](graphql-apis-overview.md#resolvers).

-* Currently, API Management supports GraphQL resolvers that specify HTTP data sources. Configure a single [`http-data-source`](http-data-source-policy.md) policy with elements to specify a request to (and optionally response from) an HTTP data source.

-* You can't include a resolver policy in policy definitions at other scopes such as API, product, or all APIs. It also doesn't inherit policies configured at other scopes.

-* The gateway evaluates a resolver-scoped policy *after* any configured `inbound` and `backend` policies in the policy execution pipeline.

-For more information, see [Configure a GraphQL resolver](configure-graphql-resolver.md).

-## GraphQL resolver policies

-|`context`|[`Api`](#ref-context-api): [`IApi`](#ref-iapi)<br /><br /> [`Deployment`](#ref-context-deployment)<br /><br /> Elapsed: `TimeSpan` - time interval between the value of `Timestamp` and current time<br /><br /> [`GraphQL`](#ref-context-graphql)<br /><br />[`LastError`](#ref-context-lasterror)<br /><br /> [`Operation`](#ref-context-operation)<br /><br /> [`Request`](#ref-context-request)<br /><br /> `RequestId`: `Guid` - unique request identifier<br /><br /> [`Response`](#ref-context-response)<br /><br /> [`Subscription`](#ref-context-subscription)<br /><br /> `Timestamp`: `DateTime` - point in time when request was received<br /><br /> `Tracing`: `bool` - indicates if tracing is on or off <br /><br /> [User](#ref-context-user)<br /><br /> [`Variables`](#ref-context-variables): `IReadOnlyDictionary<string, object>`<br /><br /> `void Trace(message: string)`|

-|<a id="ref-context-graphql"></a>`context.GraphQL`|`GraphQLArguments`: `IGraphQLDataObject`<br /><br /> `Parent`: `IGraphQLDataObject`<br/><br/>[Examples](configure-graphql-resolver.md#graphql-context)|

-|<a id="ref-igraphqldataobject"></a>`IGraphQLDataObject`|TBD<br /><br />|

-description: Configure a GraphQL resolver in Azure AI Management for a field in an object type specified in a GraphQL schema

-# Configure a GraphQL resolver

-Configure a resolver to retrieve or set data for a GraphQL field in an object type specified in a GraphQL schema. The schema must be imported to API Management. Currently, API Management supports resolvers that use HTTP-based data sources (REST or SOAP APIs).

-* A resolver is a resource containing a policy definition that's invoked only when a matching object type and field is executed.

-* Each resolver resolves data for a single field. To resolve data for multiple fields, configure a separate resolver for each.

-* Resolver-scoped policies are evaluated *after* any `inbound` and `backend` policies in the policy execution pipeline. They don't inherit policies from other scopes. For more information, see [Policies in API Management](api-management-howto-policies.md).

-> [!IMPORTANT]

-> * If you use the preview `set-graphql-resolver` policy in policy definitions, you should migrate to the managed resolvers described in this article.

-> * After you configure a managed resolver for a GraphQL field, the gateway will skip the `set-graphql-resolver` policy in any policy definitions. You can't combine use of managed resolvers and the `set-graphql-resolver` policy in your API Management instance.

-## Prerequisites

-## Create a resolver

-1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.

-1. In the left menu, select **APIs** and then the name of your GraphQL API.

-1. On the **Design** tab, review the schema for a field in an object type where you want to configure a resolver.

- 1. Select a field, and then in the left margin, hover the pointer.

- 1. Select **+ Add Resolver**.

- :::image type="content" source="media/configure-graphql-resolver/add-resolver.png" alt-text="Screenshot of adding a resolver from a field in GraphQL schema in the portal.":::

-1. On the **Create Resolver** page, update the **Name** property if you want to, optionally enter a **Description**, and confirm or update the **Type** and **Field** selections.

-1. In the **Resolver policy** editor, update the [`http-data-source`](http-data-source-policy.md) policy with child elements for your scenario.

- 1. Update the required `http-request` element with policies to transform the GraphQL operation to an HTTP request.

- 1. Optionally add an `http-response` element, and add child policies to transform the HTTP response of the resolver. If the `http-response` element isn't specified, the response is returned as a raw string.

- 1. Select **Create**.

-

- :::image type="content" source="media/configure-graphql-resolver/configure-resolver-policy.png" alt-text="Screenshot of resolver policy editor in the portal." lightbox="media/configure-graphql-resolver/configure-resolver-policy.png":::

-1. The resolver is attached to the field. Go to the **Resolvers** tab to list and manage the resolvers configured for the API.

- :::image type="content" source="media/configure-graphql-resolver/list-resolvers.png" alt-text="Screenshot of the resolvers list for GraphQL API in the portal." lightbox="media/configure-graphql-resolver/list-resolvers.png":::

- > [!TIP]

- > The **Linked** column indicates whether or not the resolver is configured for a field that's currently in the GraphQL schema. If a resolver isn't linked, it can't be invoked.

-## GraphQL context

-* The context for the HTTP request and HTTP response (if specified) differs from the context for the original gateway API request:

- * `context.GraphQL` properties are set to the arguments (`Arguments`) and parent object (`Parent`) for the current resolver execution.

- * The HTTP request context contains arguments that are passed in the GraphQL query as its body.

- * The HTTP response context is the response from the independent HTTP call made by the resolver, not the context for the complete response for the gateway request.

-The `context` variable that is passed through the request and response pipeline is augmented with the GraphQL context when used with a GraphQL resolver.

-### context.GraphQL.parent

-The `context.ParentResult` is set to the parent object for the current resolver execution. Consider the following partial schema:

-``` graphql

-type Comment {

- id: ID!

- owner: string!

- content: string!

-}

-type Blog {

- id: ID!

- Title: string!

- content: string!

- comments: [Comment]!

- comment(id: ID!): Comment

-}

-type Query {

- getBlog(): [Blog]!

- getBlog(id: ID!): Blog

-}

-```

-Also, consider a GraphQL query for all the information for a specific blog:

-``` graphql

-query {

- getBlog(id: 1) {

- title

- content

- comments {

- id

- owner

- content

- }

- }

-}

-```

-If you set a resolver for the `comments` field in the `Blog` type, you'll want to understand which blog ID to use. You can get the ID of the blog using `context.GraphQL.Parent["id"]` as shown in the following resolver:

-``` xml

-<http-data-source>

- <http-request>

- <set-method>GET</set-method>

- <set-url>@($"https://data.contoso.com/api/blog/{context.GraphQL.Parent["id"]}")

- }</set-url>

- </http-request>

-</http-data-source>

-```

-### context.GraphQL.Arguments

-The arguments for a parameterized GraphQL query are added to `context.GraphQL.Arguments`. For example, consider the following two queries:

-``` graphql

-query($id: Int) {

- getComment(id: $id) {

- content

- }

-}

-query {

- getComment(id: 2) {

- content

- }

-}

-```

-These queries are two ways of calling the `getComment` resolver. GraphQL sends the following JSON payload:

-``` json

-{

- "query": "query($id: Int) { getComment(id: $id) { content } }",

- "variables": { "id": 2 }

-}

-{

- "query": "query { getComment(id: 2) { content } }"

-}

-```

-You can define the resolver as follows:

-``` xml

-<http-data-source>

- <http-request>

- <set-method>GET</set-method>

- <set-url>@($"https://data.contoso.com/api/comment/{context.GraphQL.Arguments["id"]}")</set-url>

- </http-request>

-</http-data-source>

-```

-## Next steps

-For more resolver examples, see:

-* [GraphQL resolver policies](api-management-policies.md#graphql-resolver-policies)

-* [Samples APIs for Azure API Management](https://github.com/Azure-Samples/api-management-sample-apis)

-> * Add a pass-through GraphQL API to your API Management instance.

- :::image type="content" source="media/graphql-api/create-from-graphql-endpoint.png" alt-text="Screenshot of fields for creating a GraphQL API.":::

- | **GraphQL type** | Select **Pass-through GraphQL** to import from an existing GraphQL API endpoint. |

- | **GraphQL API endpoint** | The base URL with your GraphQL API endpoint name. <br /> For example: *`https://example.com/your-GraphQL-name`*. You can also use a common "swapi" GraphQL endpoint such as `https://swapi-graphql.azure-api.net/graphql` as a demo. |

- | **URL scheme** | Make a selection based on your GraphQL endpoint. Select one of the options that includes a WebSocket scheme (**WS** or **WSS**) if your GraphQL API includes the subscription type. Default selection: *HTTP(S)*. |

-1. After the API is created, browse or modify the schema on the **Design** tab.

-### Test a subscription

-If your GraphQL API supports a subscription, you can test it in the test console.

-1. Ensure that your API allows a WebSocket URL scheme (**WS** or **WSS**) that's appropriate for your API. You can enable this setting on the **Settings** tab.

-1. Set up a subscription query in the query editor, and then select **Connect** to establish a WebSocket connection to the backend service.

- :::image type="content" source="media/graphql-api/test-graphql-subscription.png" alt-text="Screenshot of a subscription query in the query editor.":::

-1. Review connection details in the **Subscription** pane.

- :::image type="content" source="media/graphql-api/graphql-websocket-connection.png" alt-text="Screenshot of Websocket connection in the portal.":::

-

-1. Subscribed events appear in the **Subscription** pane. The WebSocket connection is maintained until you disconnect it or you connect to a new WebSocket subscription.

- :::image type="content" source="media/graphql-api/graphql-subscription-event.png" alt-text="Screenshot of GraphQL subscription events in the portal.":::

-## Secure your GraphQL API

-Secure your GraphQL API by applying both existing [access control policies](api-management-policies.md#access-restriction-policies) and a [GraphQL validation policy](validate-graphql-request-policy.md) to protect against GraphQL-specific attacks.

-description: Learn about GraphQL and how Azure API Management helps you manage GraphQL APIs.

-# Overview of GraphQL APIs in Azure API Management

-You can use API Management to manage GraphQL APIs - APIs based on the GraphQL query language. GraphQL provides a complete and understandable description of the data in an API, giving clients the power to efficiently retrieve exactly the data they need. [Learn more about GraphQL](https://graphql.org/learn/)

-API Management helps you import, manage, protect, test, publish, and monitor GraphQL APIs. You can choose one of two API models:

-|Pass-through GraphQL |Synthetic GraphQL |

-|||

-| ▪️ Pass-through API to existing GraphQL service endpoint<br><br/>▪️ Support for GraphQL queries, mutations, and subscriptions | ▪️ API based on a custom GraphQL schema<br></br>▪️ Support for GraphQL queries, mutations, and subscriptions<br/><br/>▪️ Configure custom resolvers, for example, to HTTP data sources<br/><br/>▪️ Develop GraphQL schemas and GraphQL-based clients while consuming data from legacy APIs |

-## Availability

-* GraphQL APIs are supported in all API Management service tiers

-* Pass-through and synthetic GraphQL APIs currently aren't supported in a self-hosted gateway

-* GraphQL subscription support in synthetic GraphQL APIs is currently in preview

-## What is GraphQL?

-GraphQL is an open-source, industry-standard query language for APIs. Unlike REST-style APIs designed around actions over resources, GraphQL APIs support a broader set of use cases and focus on data types, schemas, and queries.

-The GraphQL specification explicitly solves common issues experienced by client web apps that rely on REST APIs:

-* It can take a large number of requests to fulfill the data needs for a single page

-* REST APIs often return more data than needed the page being rendered

-* The client app needs to poll to get new information

-Using a GraphQL API, the client app can specify the data they need to render a page in a query document that is sent as a single request to a GraphQL service. A client app can also subscribe to data updates pushed from the GraphQL service in real time.

-## Schema and operation types

-In API Management, add a GraphQL API from a GraphQL schema, either retrieved from a backend GraphQL API endpoint or uploaded by you. A GraphQL schema describes:

-* Data object types and fields that clients can request from a GraphQL API

-* Operation types allowed on the data, such as queries

-For example, a basic GraphQL schema for user data and a query for all users might look like:

-```

-type Query {

- users: [User]

-}

-type User {

- id: String!

- name: String!

-}

-```

-API Management supports the following operation types in GraphQL schemas. For more information about these operation types, see the [GraphQL specification](https://spec.graphql.org/October2021/#sec-Subscription-Operation-Definitions).

-* **Query** - Fetches data, similar to a `GET` operation in REST

-* **Mutation** - Modifies server-side data, similar to a `PUT` or `PATCH` operation in REST

-* **Subscription** - Enables notifying subscribed clients in real time about changes to data on the GraphQL service

- For example, when data is modified via a GraphQL mutation, subscribed clients could be automatically notified about the change.

-> [!IMPORTANT]

-> API Management supports subscriptions implemented using the [graphql-ws](https://github.com/enisdenjo/graphql-ws) WebSocket protocol. Queries and mutations aren't supported over WebSocket.

->

-## Resolvers

-*Resolvers* take care of mapping the GraphQL schema to backend data, producing the data for each field in an object type. The data source could be an API, a database, or another service. For example, a resolver function would be responsible for returning data for the `users` query in the preceding example.

-In API Management, you can create a *custom resolver* to map a field in an object type to a backend data source. You configure resolvers for fields in synthetic GraphQL API schemas, but you can also configure them to override the default field resolvers used by pass-through GraphQL APIs.

-API Management currently supports HTTP-based resolvers to return the data for fields in a GraphQL schema. To use an HTTP-based resolver, configure a [`http-data-source`](http-data-source-policy.md) policy that transforms the API request (and optionally the response) into an HTTP request/response.

-For example, a resolver for the preceding `users` query might map to a `GET` operation in a backend REST API:

-```xml

-<http-data-source>

- <http-request>

- <set-method>GET</set-method>

- <set-url>https://myapi.contoso.com/api/users</set-url>

- </http-request>

-</http-data-source>

-```

-For more information, see [Configure a GraphQL resolver](configure-graphql-resolver.md).

-## Manage GraphQL APIs

-* Secure GraphQL APIs by applying both existing access control policies and a [GraphQL validation policy](validate-graphql-request-policy.md) to secure and protect against GraphQL-specific attacks.

-* Explore the GraphQL schema and run test queries against the GraphQL APIs in the Azure and developer portals.

-## Next steps

-description: Add a synthetic GraphQL API by importing a GraphQL schema to API Management and configuring field resolvers that use HTTP-based data sources.

-# Add a synthetic GraphQL API and set up field resolvers

-> * Set up a resolver for a GraphQL query using an existing HTTP endpoint

-1. Under **Define a new API**, select the **GraphQL** icon.

- :::image type="content" source="media/graphql-api/import-graphql-api.png" alt-text="Screenshot of selecting GraphQL icon from list of APIs.":::

- | Field | Description |

- | **GraphQL type** | Select **Synthetic GraphQL** to import from a GraphQL schema file. |

- | **Fallback GraphQL endpoint** | Optionally enter a URL with a GraphQL API endpoint name. API Management passes GraphQL queries to this endpoint when a custom resolver isn't set for a field. |

- | **Description** | Add a description of your API. |

- | **URL scheme** | Make a selection based on your GraphQL endpoint. Select one of the options that includes a WebSocket scheme (**WS** or **WSS**) if your GraphQL API includes the subscription type. Default selection: *HTTP(S)*. |

-1. After the API is created, browse or modify the schema on the **Design** tab.

-Configure a resolver to map a field in the schema to an existing HTTP endpoint.

-<!-- Add link to resolver how-to article for details -->

-1. On the **Design** tab, review the schema for a field in an object type where you want to configure a resolver.

- 1. Select a field, and then in the left margin, hover the pointer.

- 1. Select **+ Add Resolver**

- :::image type="content" source="media/graphql-schema-resolve-api/add-resolver.png" alt-text="Screenshot of adding a GraphQL resolver in the portal.":::

-1. On the **Create Resolver** page, update the **Name** property if you want to, optionally enter a **Description**, and confirm or update the **Type** and **Field** selections.

-1. In the **Resolver policy** editor, update the `<http-data-source>` element with child elements for your scenario. For example, the following resolver retrieves the *users* field by using a `GET` call on an existing HTTP data source.

-

- :::image type="content" source="media/graphql-schema-resolve-api/configure-resolver-policy.png" alt-text="Screenshot of configuring resolver policy in the portal.":::

-1. Select **Create**.

-1. To resolve data for another field in the schema, repeat the preceding steps to create a resolver.

-## Secure your GraphQL API

-Secure your GraphQL API by applying both existing [access control policies](api-management-policies.md#access-restriction-policies) and a [GraphQL validation policy](validate-graphql-request-policy.md) to protect against GraphQL-specific attacks.

-description: Reference for the http-data-source resolver policy available for use in Azure API Management. Provides policy usage, settings, and examples.

-# HTTP data source for a resolver

-The `http-data-source` resolver policy configures the HTTP request and optionally the HTTP response to resolve data for an object type and field in a GraphQL schema. The schema must be imported to API Management.

-## Policy statement

-```xml

-<http-data-source>

- <http-request>

- <set-method>...set-method policy configuration...</set-method>

- <set-url>URL</set-url>

- <set-header>...set-header policy configuration...</set-header>

- <set-body>...set-body policy configuration...</set-body>

- <authentication-certificate>...authentication-certificate policy configuration...</authentication-certificate>

- </http-request>

- <http-response>

- <xml-to-json>...xml-to-json policy configuration...</xml-to-json>

- <find-and-replace>...find-and-replace policy configuration...</find-and-replace>

- <set-body>...set-body policy configuration...</set-body>

- <publish-event>...publish-event policy configuration...</publish-event>

- </http-response>

-</http-data-source>

-```

-## Elements

-|Name|Description|Required|

-|-|--|--|

-| http-request | Specifies a URL and child policies to configure the resolver's HTTP request. Each child element can be specified at most once. | Yes |

-| http-response | Optionally specifies child policies to configure the resolver's HTTP response. If not specified, the response is returned as a raw string. Each child element can be specified at most once. | No |

-### http-request elements

-> [!NOTE]

-> Each child element may be specified at most once. Specify elements in the order listed.

-|Element|Description|Required|

-|-|--|--|

-| [set-method](set-method-policy.md) | Sets the method of the resolver's HTTP request. | Yes |

-| set-url | Sets the URL of the resolver's HTTP request. | Yes |

-| [set-header](set-header-policy.md) | Sets a header in the resolver's HTTP request. | No |

-| [set-body](set-body-policy.md) | Sets the body in the resolver's HTTP request. | No |

-| [authentication-certificate](authentication-certificate-policy.md) | Authenticates using a client certificate in the resolver's HTTP request. | No |

-### http-response elements

-> [!NOTE]

-> Each child element may be specified at most once. Specify elements in the order listed.

-|Name|Description|Required|

-|-|--|--|

-| [xml-to-json](xml-to-json-policy.md) | Transforms the resolver's HTTP response from XML to JSON. | No |

-| [find-and-replace](find-and-replace-policy.md) | Finds a substring in the resolver's HTTP response and replaces it with a different substring. | No |

-| [set-body](set-body-policy.md) | Sets the body in the resolver's HTTP response. | No |

-| [publish-event](publish-event-policy.md) | Publishes an event to one or more subscriptions specified in the GraphQL API schema. | No |

-## Usage

-### Usage notes

-* This policy is invoked only when resolving a single field in a matching GraphQL query, mutation, or subscription.

-## Examples

-### Resolver for GraphQL query

-The following example resolves a query by making an HTTP `GET` call to a backend data source.

-#### Example schema

-```

-type Query {

- users: [User]

-}

-type User {

- id: String!

- name: String!

-}

-```

-#### Example policy

-```xml

-<http-data-source>

- <http-request>

- <set-method>GET</set-method>

- <set-url>https://data.contoso.com/get/users</set-url>

- </http-request>

-</http-data-source>

-```

-### Resolver for a GraqhQL query that returns a list, using a liquid template

-The following example uses a liquid template, supported for use in the [set-body](set-body-policy.md) policy, to return a list in the HTTP response to a query. It also renames the `username` field in the response from the REST API to `name` in the GraphQL response.

-#### Example schema

-```

-type Query {

- users: [User]

-}

-type User {

- id: String!

- name: String!

-}

-```

-#### Example policy

-```xml

-<http-data-source>

- <http-request>

- <set-method>GET</set-method>

- <set-url>https://data.contoso.com/users</set-url>

- </http-request>

- <http-response>

- <set-body template="liquid">

- [

- {% JSONArrayFor elem in body %}

- {

- "name": "{{elem.username}}"

- }

- {% endJSONArrayFor %}

- ]

- </set-body>

- </http-response>

-</http-data-source>

-```

-### Resolver for GraphQL mutation

-The following example resolves a mutation that inserts data by making a `POST` request to an HTTP data source. The policy expression in the `set-body` policy of the HTTP request modifies a `name` argument that is passed in the GraphQL query as its body. The body that is sent will look like the following JSON:

-``` json

-{

- "name": "the-provided-name"

-}

-```

-#### Example schema

-```

-type Query {

- users: [User]

-}

-type Mutation {

- makeUser(name: String!): User

-}

-type User {

- id: String!

- name: String!

-}

-```

-#### Example policy

-```xml

-<http-data-source>

- <http-request>

- <set-method>POST</set-method>

- <set-url> https://data.contoso.com/user/create </set-url>

- <set-header name="Content-Type" exists-action="override">

- <value>application/json</value>

- </set-header>

- <set-body>@{

- var args = context.Request.Body.As<JObject>(true)["arguments"];

- JObject jsonObject = new JObject();

- jsonObject.Add("name", args["name"])

- return jsonObject.ToString();

- }</set-body>

- </http-request>

-</http-data-source>

-```

-## Related policies

-* [GraphQL resolver policies](api-management-policies.md#graphql-resolver-policies)

-description: Reference for the publish-event policy available for use in Azure API Management. Provides policy usage, settings, and examples.

-# Publish event to GraphQL subscription

-The `publish-event` policy publishes an event to one or more subscriptions specified in a GraphQL API schema. Configure the policy using an [http-data-source](http-data-source-policy.md) GraphQL resolver for a related field in the schema for another operation type such as a mutation. At runtime, the event is published to connected GraphQL clients. Learn more about [GraphQL APIs in API Management](graphql-apis-overview.md).

-<!--Link to resolver configuration article -->

-## Policy statement

-```xml

-<http-data-source

- <http-request>

- [...]

- </http-request>

- <http-response>

- [...]

- <publish-event>

- <targets>

- <graphql-subscription id="subscription field" />

- </targets>

- </publish-event>

- </http-response>

-</http-data-source>

-```

-## Elements

-|Name|Description|Required|

-|-|--|--|

-| targets | One or more subscriptions in the GraphQL schema, specified in `target` subelements, to which the event is published. | Yes |

-## Usage

-### Usage notes

-* This policy is invoked only when a related GraphQL query or mutation is executed.

-## Example

-The following example policy definition is configured in a resolver for the `createUser` mutation. It publishes an event to the `onUserCreated` subscription.

-### Example schema

-```

-type User {

- id: Int!

- name: String!

-}

-type Mutation {

- createUser(id: Int!, name: String!): User

-}

-type Subscription {

- onUserCreated: User!

-}

-```

-### Example policy

-```xml

-<http-data-source>

- <http-request>

- <set-method>POST</set-method>

- <set-url>https://contoso.com/api/user</set-url>

- <set-body template="liquid">{ "id" : {{body.arguments.id}}, "name" : "{{body.arguments.name}}"}</set-body>

- </http-request>

- <http-response>

- <publish-event>

- <targets>

- <graphql-subscription id="onUserCreated" />

- </targets>

- </publish-event>

- </http-response>

-</http-data-source>

-```

-## Related policies

-* [GraphQL resolver policies](api-management-policies.md#graphql-resolver-policies)

-description: Reference for the set-graphql-resolver policy in Azure API Management. Provides policy usage, settings, and examples. This policy is retired.

-# Set GraphQL resolver (retired)

-> [!IMPORTANT]

-> * The `set-graphql-resolver` policy is retired. Customers using the `set-graphql-resolver` policy must migrate to the [managed resolvers](configure-graphql-resolver.md) for GraphQL APIs, which provide enhanced functionality.

-> * After you configure a managed resolver for a GraphQL field, the gateway skips the `set-graphql-resolver` policy in any policy definitions. You can't combine use of managed resolvers and the `set-graphql-resolver` policy in your API Management instance.

-> Start/Stop VM during off-hours version 1 is unavailable in the marketplace now as it will retire by 30 September 2023. We recommend you start using [version 2](/azure/azure-functions/start-stop-vms/overview), which is now generally available. The new version offers all existing capabilities and provides new features, such as multi-subscription support from a single Start/Stop instance. If you have the version 1 solution already deployed, you can still use the feature, and we will provide support until 30 September 2023. The details of the announcement will be shared on March 31st 2023.

-Most on-premises datacenters enforce strict network rules that prevent inbound communication on the network boundary firewall. Azure Arc-enabled Kubernetes works with these restrictions by not requiring inbound ports on the firewall. Azure Arc agents require outbound communication to a [set list of network endpoints](quickstart-connect-cluster.md#meet-network-requirements).

-Review the [network requirements](quickstart-connect-cluster.md#meet-network-requirements) and ensure that no required endpoints are blocked.

-Review the [network requirements](quickstart-connect-cluster.md#meet-network-requirements) and ensure that no required endpoints are blocked.

-* Your machines have connectivity from your on-premises network or other cloud environment to resources in Azure, either directly or through a proxy server. More details can be found under [network prerequisites](quickstart-connect-cluster.md#meet-network-requirements).

- * If you want to connect an OpenShift cluster to Azure Arc, you need to execute the following command just once on your cluster before running `New-AzConnectedKubernetes`:

- ```bash

- oc adm policy add-scc-to-user privileged system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa

- ```

-## Meet network requirements

-For a complete list of network requirements for Azure Arc features and Azure Arc-enabled services, see [Azure Arc network requirements (Consolidated)](../network-requirements-consolidated.md).

-Issues with outbound network connectivity from the cluster may arise for different reasons. First make sure all of the [network requirements](quickstart-connect-cluster.md#meet-network-requirements) have been met.

-Problems retrieving the MSI certificate are usually due to network issues. Check to make sure all of the [network requirements](quickstart-connect-cluster.md#meet-network-requirements) have been met, then try again.

- To resolve this issue, try deleting the Arc deployment by running the `az connectedk8s delete` command and reinstalling it. If the issue continues to happen, it could be an issue with your proxy settings. In that case, [try connecting your cluster to Azure Arc via a proxy](./quickstart-connect-cluster.md#connect-using-an-outbound-proxy-server) to connect your cluster to Arc via a proxy. Please also verify if all the [network prerequisites](quickstart-connect-cluster.md#meet-network-requirements) have been met.

-Be sure to use the `connectedk8s` Azure CLI extension with version >= 1.2.0, then [connect your cluster again](quickstart-connect-cluster.md) to Azure Arc. Also, verify that you've met all the [network prerequisites](quickstart-connect-cluster.md#meet-network-requirements) needed for Arc-enabled Kubernetes.

-You can sign up for a free [Azure Maps account](https://azure.microsoft.com/services/azure-maps/) and start developing.

-Data is imperative for maps. Use the Data service to upload and store geospatial data for use with spatial operations or image composition. Bringing customer data closer to the Azure Maps service will reduce latency, increase productivity, and create new scenarios in your applications. For details on this service, see the [Data service documentation](/rest/api/maps/data-v2).

-[Render service V2](/rest/api/maps/render-v2) introduces a new version of the [Get Map Tile V2 API](/rest/api/maps/render-v2/get-map-tile) that supports using Azure Maps tiles not only in the Azure Maps SDKs but other map controls as well. It includes raster and vector tile formats, 256x256 or 512x512 (where applicable) tile sizes and numerous map types such as road, weather, contour, or map tiles created using Azure Maps Creator. For a complete list, see [TilesetID](/rest/api/maps/render-v2/get-map-tile#tilesetid) in the REST API documentation. It's recommended that you use Render service V2 instead of Render service V1. You're required to display the appropriate copyright attribution on the map anytime you use the Azure Maps Render service V2, either as basemaps or layers, in any third-party map control. For more information, see [How to use the Get Map Attribution API](how-to-show-attribution.md).

-* [Dataset service][Dataset service]. Use the Dataset service to create a dataset from a converted drawing package data. For information about Drawing package requirements, see Drawing package requirements.

-* [Conversion service][Conversion service]. Use the Conversion service to convert a DWG design file into drawing package data for indoor maps.

-* [Tileset service][Tileset]. Use the Tileset service to create a vector-based representation of a dataset. Applications can use a tileset to present a visual tile-based view of the dataset.

-* [Custom styling service][Custom styling] (preview). Use the [style service][style] or [visual style editor][style editor] to customize the visual elements of an indoor map.

-* [Feature State service][FeatureState]. Use the Feature State service to support dynamic map styling. Dynamic map styling allows applications to reflect real-time events on spaces provided by IoT systems.

-* [WFS service][WFS]. Use the WFS service to query your indoor map data. The WFS service follows the [Open Geospatial Consortium API](https://docs.opengeospatial.org/is/17-069r3/17-069r3.html) standards for querying a single dataset.

-* [Wayfinding service][wayfinding-preview] (preview). Use the [wayfinding API][wayfind] to generate a path between two points within a facility. Use the [routeset API][routeset] to create the data that the wayfinding service needs to generate paths.

-To access Azure Maps services, go to the [Azure portal](https://portal.azure.com) and create an Azure Maps account.

-[Azure Maps blog](https://azure.microsoft.com/blog/topics/azure-maps/)

-[Tileset]: creator-indoor-maps.md#tilesets

-[Custom styling]: creator-indoor-maps.md#custom-styling-preview

-[style]: /rest/api/maps/v20220901preview/style

-[style editor]: https://azure.github.io/Azure-Maps-Style-Editor

-[FeatureState]: creator-indoor-maps.md#feature-statesets

-[WFS]: creator-indoor-maps.md#web-feature-service-api

-[wayfinding-preview]: creator-indoor-maps.md#wayfinding-preview

-[wayfind]: /rest/api/maps/v20220901preview/wayfinding

-[routeset]: /rest/api/maps/v20220901preview/routeset

-* Bounding Box - Bounding box coordinates can be used to specify an image in the format `{west},{south},{east},{north}`, which is commonly used by [web-mapping Services (WMS)](https://www.opengeospatial.org/standards/wms).

-[Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) provide Azure services with an automatically managed application based security principal that can authenticate with Azure AD. With Azure role-based access control (Azure RBAC), the managed identity security principal can be authorized to access Azure Maps services. Some examples of managed identities include: Azure App Service, Azure Functions, and Azure Virtual Machines. For a list of managed identities, see [Services that support managed identities for Azure resources](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md). For more information on managed identities, see [Manage authentication in Azure Maps](./how-to-manage-authentication.md).

-| Azure Maps Service | Azure Maps Role Definition |

-| [Data](/rest/api/maps/data) | Azure Maps Data Contributor |

-| [Creator](/rest/api/maps-creator/) | Azure Maps Data Contributor |

-| [Spatial](/rest/api/maps/spatial) | Azure Maps Data Contributor |

-Azure Maps accounts support the standard Azure property in the [Azure Maps Management REST API](/rest/api/maps-management/) for `Microsoft.Maps/accounts` called `disableLocalAuth`. When `true`, all authentication to the Azure Maps data-plane REST API is disabled, except [Azure AD authentication](./azure-maps-authentication.md#azure-ad-authentication). This is configured using Azure Policy to control distribution and management of shared keys and SAS tokens. For more information, see [What is Azure Policy?](../governance/policy/overview.md).

-Consider the case of **Search Service - Non-Batch Reverse**, with its limit of 250 queries per second (QPS) for the following tables. Each table represents estimated total successful transactions from example usage.

-The first table shows one token that has a maximum request per second of 500, and then actual usage of the application was 500 request per second for a duration of 60 seconds. **Search Service - Non-Batch Reverse** has a rate limit of 250, meaning of the total 30,000 requests made in the 60 seconds; 15,000 of those requests will be billable transactions. The remaining requests will result in status code `429 (TooManyRequests)`.

-| Azure Maps Service | QPS Limit: Gen 2 Pricing Tier | QPS Limit: Gen 1 S1 Pricing Tier | QPS Limit: Gen 1 S0 Pricing Tier |

-| Copyright Service | 10 | 10 | 10 |

-| Data Service | 50 | 50 | Not Available |

-| Elevation Service | 50 | 50 | Not Available |

-| Geolocation Service | 50 | 50 | 50 |

-| Render Service - Contour tiles, Digital Elevation Model (DEM) tiles and Customer tiles | 50 | 50 | Not Available |

-| Render Service - Traffic tiles and Static maps | 50 | 50 | 50 |

-| Render Service - Road tiles | 500 | 500 | 50 |

-| Render Service - Satellite tiles | 250 | 250 | Not Available |

-| Render Service - Weather tiles | 100 | 100 | 50 |

-| Route Service - Batch | 10 | 10 | Not Available |

-| Route Service - Non-Batch | 50 | 50 | 50 |

-| Search Service - Batch | 10 | 10 | Not Available |

-| Search Service - Non-Batch | 500 | 500 | 50 |

-| Search Service - Non-Batch Reverse | 250 | 250 | 50 |

-| Spatial Service | 50 | 50 | Not Available |

-| Timezone Service | 50 | 50 | 50 |

-| Traffic Service | 50 | 50 | 50 |

-| Weather Service | 50 | 50 | 50 |

-The Facility 1.0 contains revisions for the Facility feature class definitions for [Azure Maps Services](https://aka.ms/AzureMaps).

-The Facility 2.0 contains revisions for the Facility feature class definitions for [Azure Maps Services](https://aka.ms/AzureMaps).

-To use Creator services, an Azure Maps Creator resource must be created and associated to an Azure Maps account with the Gen 2 pricing tier. For information about how to create an Azure Maps Creator resource in Azure, see [Manage Azure Maps Creator](how-to-manage-creator.md).

-> For pricing information see the *Creator* section in [Azure Maps pricing](https://aka.ms/CreatorPricing).

-Creator usage data is incorporated in your Azure Maps usage charts and activity log. For more information, see [Manage authentication in Azure Maps](./how-to-manage-authentication.md).

-> - Azure Active Directory (Azure AD) in all solutions that are built with an Azure Maps account using Creator services. For more information about Azure AD, see [Azure AD authentication](azure-maps-authentication.md#azure-ad-authentication).

->- Role-based access control settings. Using these settings, map makers can act as the Azure Maps Data Contributor role, and Creator map data users can act as the Azure Maps Data Reader role. For more information, see [Authorization with role-based access control](azure-maps-authentication.md#authorization-with-role-based-access-control).

-Creator collects indoor map data by converting an uploaded drawing package. The drawing package represents a constructed or remodeled facility. For information about drawing package requirements, see [Drawing package requirements](drawing-requirements.md).

-Use the [Azure Maps Data Upload API](/rest/api/maps/data-v2/update) to upload a drawing package. After the Drawing packing is uploaded, the Data Upload API returns a user data identifier (`udid`). The `udid` can then be used to convert the uploaded package into indoor map data.

-The [Azure Maps Conversion service](/rest/api/maps/v2/conversion) converts an uploaded drawing package into indoor map data. The Conversion service also validates the package. Validation issues are classified into two types:

-For more information, see [Drawing package warnings and errors](drawing-conversion-error-codes.md).

-A dataset is a collection of indoor map features. The indoor map features represent facilities that are defined in a converted drawing package. After you create a dataset with the [Dataset service](/rest/api/maps/v2/dataset), you can create any number of [tilesets](#tilesets) or [feature statesets](#feature-statesets).

-At any time, developers can use the [Dataset service](/rest/api/maps/v2/dataset) to add or remove facilities to an existing dataset. For more information about how to update an existing dataset using the API, see the append options in [Dataset service](/rest/api/maps/v2/dataset). For an example of how to update a dataset, see [Data maintenance](#data-maintenance).

-A tileset is a collection of vector data that represents a set of uniform grid tiles. Developers can use the [Tileset service](/rest/api/maps/v2/tileset) to create tilesets from a dataset.

-In addition to the vector data, the tileset provides metadata for map rendering optimization. For example, tileset metadata contains a minimum and maximum zoom level for the tileset. The metadata also provides a bounding box that defines the geographic extent of the tileset. An application can use a bounding box to programmatically set the correct center point. For more information about tileset metadata, see [Tileset List API](/rest/api/maps/v2/tileset/list).

-A style defines the visual appearance of a map. It defines what data to draw, the order to draw it in, and how to style the data when drawing it. Azure Maps Creator styles support the MapLibre standard for [style layers][style layers] and [sprites][sprites].

-When you convert a drawing package after uploading it to your Azure Maps account, default styles are applied to the elements of your map. The custom styling service enables you to customize the visual appearance of your map. You can do this by manually editing the style JSON and importing it into your Azure Maps account using the [Style - Create][create-style] HTTP request, however the recommended approach is to use the [visual style editor][style editor]. For more information, see [Create custom styles for indoor maps](how-to-create-custom-styles.md).

-The map configuration is an array of configurations. Each configuration consists of a [basemap][basemap] and one or more layers, each layer consisting of a [style][style] + [tileset][tileset] tuple.

-The map configuration is used when you [Instantiate the Indoor Manager][instantiate-indoor-manager] of a Map object when developing applications in Azure Maps. It's referenced using the `mapConfigurationId` or `alias`. Map configurations are immutable. When making changes to an existing map configuration, a new map configuration will be created, resulting in a different `mapConfingurationId`. Anytime you create a map configuration using an alias already used by an existing map configuration, it will always point to the new map configuration.

-You can use the [Feature State service](/rest/api/maps/v2/feature-state/create-stateset) to create and manage a feature stateset for a dataset. The stateset is defined by one or more *states*. Each feature, such as a room, can have one *state* attached to it.

-The [Wayfinding service][wayfind] enables you to provide your customers with the shortest path between two points within a facility. Once you've imported your indoor map data and created your dataset, you can use that to create a [routeset][routeset]. The routeset provides the data required to generate paths between two points. The wayfinding service takes into account things such as the minimum width of openings and may optionally exclude elevators or stairs when navigating between levels as a result.

-Creator wayfinding is powered by [Havok][havok].

-When a [wayfinding path][wayfinding path] is successfully generated, it finds the shortest path between two points in the specified facility. Each floor in the journey is represented as a separate leg, as are any stairs or elevators used to move between floors.

-The Wayfinding service includes stairs or elevators in a path based on the value of the vertical penetration's `direction` property. For more information on the direction property, see [verticalPenetration][verticalPenetration] in the Facility Ontology article. See the `avoidFeatures` and `minWidth` properties in the [wayfinding][wayfind] API documentation to learn about other factors that can affect the path selection between floor levels.

-For more information, see the [Indoor maps wayfinding service](how-to-creator-wayfinding.md) how-to article.

-### Web Feature Service API

-You can use the [Web Feature Service (WFS) API](/rest/api/maps/v2/wfs) to query datasets. WFS follows the [Open Geospatial Consortium API Features](https://docs.opengeospatial.org/DRAFTS/17-069r4.html). You can use the WFS API to query features within the dataset itself. For example, you can use WFS to find all mid-size meeting rooms of a specific facility and floor level.

-The [Azure Maps Web SDK](./index.yml) includes the Indoor Maps module. This module offers extended functionalities to the Azure Maps *Map Control* library. The Indoor Maps module renders indoor maps created in Creator. It integrates widgets such as *floor picker* that help users to visualize the different floors.

-You can use the Indoor Maps module to create web applications that integrate indoor map data with other [Azure Maps services](./index.yml). The most common application setups include adding knowledge from other maps - such as road, imagery, weather, and transit - to indoor maps.

-The Indoor Maps module also supports dynamic map styling. For a step-by-step walkthrough to implement feature stateset dynamic styling in an application, see [Use the Indoor Map module](how-to-use-indoor-module.md).

-As you begin to develop solutions for indoor maps, you can discover ways to integrate existing Azure Maps capabilities. For example, you can implement asset tracking or safety scenarios by using the [Azure Maps Geofence API](/rest/api/maps/spatial/postgeofence) with Creator indoor maps. For example, you can use the Geofence API to determine whether a worker enters or leaves specific indoor areas. For more information about how to connect Azure Maps with IoT telemetry, see [this IoT spatial analytics tutorial](tutorial-iot-hub-maps.md).

->When you review a list of items to determine whether to delete them, consider the impact of that deletion on all dependent API or applications. For example, if you delete a tileset that's being used by an application by means of the [Render V2-Get Map Tile API](/rest/api/maps/render-v2/get-map-tile), the application fails to render that tileset.

-2. Use the [Dataset Create API](/rest/api/maps/v2/dataset/create) to append the converted data to the existing dataset.

-3. Use the [Tileset Create API](/rest/api/maps/v2/tileset/create) to generate a new tileset out of the updated dataset.

-> [Create custom styles for indoor maps](how-to-create-custom-styles.md)

-[create-style]: /rest/api/maps/v20220901preview/style/create

-[wayfind]: /rest/api/maps/v20220901preview/wayfinding

-[instantiate-indoor-manager]: how-to-use-indoor-module.md#instantiate-the-indoor-manager

-[style editor]: https://azure.github.io/Azure-Maps-Style-Editor

-You can convert uploaded drawing packages into map data by using the [Azure Maps Conversion service](/rest/api/maps/v2/conversion). This article describes the drawing package requirements for the Conversion API. To view a sample package, you can download the sample [Drawing package](https://github.com/Azure-Samples/am-creator-indoor-data-examples).

-For a guide on how to prepare your drawing package, see [Conversion Drawing Package Guide](drawing-package-guide.md).

-The [Azure Maps Conversion service](/rest/api/maps/v2/conversion) converts the drawing package into map data. The Conversion service works with the AutoCAD DWG file format `AC1032`.

-The drawing package must be zipped into a single archive file, with the .zip extension. The DWG files can be organized in any way inside the package, but the manifest file must live at the root directory of the zipped package. The next sections detail the requirements for the DWG files, manifest file, and the content of these files. To view a sample package, you can download the [sample drawing package](https://github.com/Azure-Samples/am-creator-indoor-data-examples).

-The [Azure Maps Conversion service](/rest/api/maps/v2/conversion) does the following on each DWG file:

-The table below outlines the supported entity types and converted map features for each layer. If a layer contains unsupported entity types, then the [Azure Maps Conversion service](/rest/api/maps/v2/conversion) ignores those entities.

-You can see an example of the Exterior layer as the outline layer in the [sample drawing package](https://github.com/Azure-Samples/am-creator-indoor-data-examples).

-You can see an example of the Units layer in the [sample drawing package](https://github.com/Azure-Samples/am-creator-indoor-data-examples).

-You can see an example of the Walls layer in the [sample drawing package](https://github.com/Azure-Samples/am-creator-indoor-data-examples).

-You can see an example of the Zone layer in the [sample drawing package](https://github.com/Azure-Samples/am-creator-indoor-data-examples).

-You can see an example of the UnitLabel layer in the [sample drawing package](https://github.com/Azure-Samples/am-creator-indoor-data-examples).

-You can see an example of the ZoneLabel layer in the [sample drawing package](https://github.com/Azure-Samples/am-creator-indoor-data-examples).

-The zip folder must contain a manifest file at the root level of the directory, and the file must be named **manifest.json**. It describes the DWG files to allow the [Azure Maps Conversion service](/rest/api/maps/v2/conversion) to parse their content. Only the files identified by the manifest are ingested. Files that are in the zip folder, but aren't properly listed in the manifest, are ignored.

-Although there are requirements when you use the manifest objects, not all objects are required. The following table shows the required and optional objects for version 1.1 of the [Azure Maps Conversion service](/rest/api/maps/v2/conversion).

-|`hoursOfOperation` |string|false| Adheres to the [OSM Opening Hours](https://wiki.openstreetmap.org/wiki/Key:opening_hours/specification) format. |

-Below is the manifest file for the sample drawing package. Go to the [Sample drawing package for Azure Maps Creator](https://github.com/Azure-Samples/am-creator-indoor-data-examples) on GitHub to download the entire package.

-Learn more about the Services module:

-The Azure Maps [Search service](/rest/api/maps/search) supports geocoding, which means that your API request can have search terms, like an address or the name of a place, and returns the result as latitude and longitude coordinates. For example, the Azure Maps [Get Search Address API](/rest/api/maps/search/getsearchaddress) receives queries that contain location information, and returns results as latitude and longitude coordinates.

-However, the Azure Maps [Search service](/rest/api/maps/search) doesn't have the same level of information and accuracy for all regions and countries. Use this article to determine what kind of locations you can reliably search for in each region.

-The Azure Maps [GET Geofence](/rest/api/maps/spatial/getgeofence) and [POST Geofence](/rest/api/maps/spatial/postgeofence) APIs allow you to retrieve proximity of a coordinate relative to a provided geofence or set of fences. This article details how to prepare the geofence data that can be used in the Azure Maps GET and POST API.

-The data for geofence or set of geofences is represented by `Feature` Object and `FeatureCollection` Object in `GeoJSON` format, which is defined in [rfc7946](https://tools.ietf.org/html/rfc7946). In Addition to it:

-* In point-circle scenario, a circle geometry can be represented using a `Point` geometry object with properties elaborated in [Extending GeoJSON geometries](./extend-geojson.md).

-```

-While it's possible to modify your indoor maps styles using [Creators Rest API][creator api], Creator also offers a [visual style editor][style editor] to create custom styles that doesn't require coding. This article will focus exclusively on creating custom styles using this style editor.

-Open the [Creator Style Editor][style editor] and select the **Open** toolbar button.

-Enter your [subscription key][subscription key] in the **Enter your Azure Maps subscription key** field.

-> If the map configuration was created as part of a custom style and has a user provided alias, that alias will appear in the map configuration drop-down list, otherwise the `mapConfigurationId` will appear. The default map configuration ID for any given tileset can be found by using the [tileset Get][tileset get] HTTP request and passing in the tileset ID:

-| 1 | Your Azure Maps account [subscription key][subscription key] |

-> Duplicate aliases are not allowed. If the alias of an existing style or map configuration is used, the style or map configuration that alias points to will be overwritten and the existing style or map configuration will be deleted and references to that ID will result in errors. See [map configuration](creator-indoor-maps.md#map-configuration) in the concepts article for more information.

-> Make a note of the map configuration `alias` value, it will be required when you [Instantiate the Indoor Manager][Instantiate the Indoor Manager] of a Map object when developing applications in Azure Maps.

-Azure Maps Creator has defined a [list of categories][categories]. When you create your [manifest][manifest], you associate each unit in your facility to one of these categories in the [unitProperties][unitProperties] object.

-[tutorial]: tutorial-creator-indoor-maps.md

-[creator api]: /rest/api/maps-creator/

-The [data registry] service enables you to register data content in an Azure Storage Account with your Azure Maps account. An example of data might include a collection of Geofences used in the Azure Maps Geofencing Service. Another example is ZIP files containing drawing packages (DWG) or GeoJSON files that Azure Maps Creator uses to create or update indoor maps.

-> - This article uses the `us.atlas.microsoft.com` geographical URL. If your account wasn't created in the United States, you must use a different geographical URL. For more information, see [Access to Creator Services](how-to-manage-creator.md#access-to-creator-services).

-Once you've uploaded one or more files to an Azure storage account, created and Azure Maps datastore to link to those files, then registered them using the [register][register or replace] API, you can access the data contained in the files.

-[Register Or Replace]: /rest/api/maps/data-registry/register-or-replace

-The Azure Maps Creator [wayfinding service][wayfinding service] allows you to navigate from place to place anywhere within your indoor map. The service utilizes stairs and elevators to navigate between floors and provides guidance to help you navigate around physical obstructions. This article describes how to generate a path from a starting point to a destination point in a sample indoor map.

-> - This article uses the `us.atlas.microsoft.com` geographical URL. If your Creator service wasn't created in the United States, you must use a different geographical URL. For more information, see [Access to Creator Services][how to manage access to creator services].

-> - Replace `{datasetId`} with your `datasetId`. For more information, see the [Check the dataset creation status][check dataset creation status] section of the *Use Creator to create indoor maps* tutorial.

-A [routeset][routeset] is a collection of indoor map data that is used by the wayfinding service.

-In this section, youΓÇÖll use the [wayfinding API][wayfinding API] to generate a path from the routeset you created in the previous section. The wayfinding API requires a query that contains start and end points in an indoor map, along with floor level ordinal numbers. For more information about Creator wayfinding, see [wayfinding][wayfinding] in the concepts article.

-[how to manage access to creator services]: how-to-manage-creator.md#access-to-creator-services

-[check dataset creation status]: tutorial-creator-indoor-maps.md#check-the-dataset-creation-status

- [Web Feature Service (WFS)]: /rest/api/maps/v2/wfs

-Azure Maps Creator enables users to import their indoor map data in GeoJSON format with [Facility Ontology 2.0][Facility Ontology], which can then be used to create a [dataset].

- files, you can download the [Contoso building sample].

-> - This article uses the `us.atlas.microsoft.com` geographical URL. If your Creator service wasn't created in the United States, you must use a different geographical URL. For more information, see [Access to Creator Services](how-to-manage-creator.md#access-to-creator-services).

-<!--1. Enter the following URL to the [Dataset service][Dataset Create 2022-09-01-preview]. The request should look like the following URL (replace {udid} with the `udid` obtained in [Check the GeoJSON package upload status](#check-the-geojson-package-upload-status) section):-->

-```http

-| conversionId | The ID returned when converting your drawing package. For more information, see [Convert a drawing package][conversion]. |

-Each feature class file must match its definition in the [Facility ontology 2.0][Facility ontology] and each feature must have a globally unique identifier.

-[conversion]: tutorial-creator-indoor-maps.md#convert-a-drawing-package

-[Facility Ontology]: creator-facility-ontology.md?pivots=facility-ontology-v2

-[Data Upload API]: /rest/api/maps/data-v2/upload

-[Creator Long-Running Operation API V2]: creator-long-running-operation-v2.md

-| Service Name  | NuGet package  | Samples  |

-| Service Name  | Maven package  | Samples  |

-The Azure Maps JavaScript/TypeScript REST SDK (JavaScript SDK) supports searching using the [Azure Maps search Rest API][search], like searching for an address, fuzzy searching for a point of interest (POI), and searching by coordinates. This article will help you get started building location-aware applications that incorporate the power of Azure Maps.

-> Azure Maps JavaScript SDK supports the LTS version of Node.js. For more information, seeΓÇ»[Node.js Release Working Group][Node.js Release].

-| Service Name  | npm packages | Samples  |

-You can authenticate with Azure AD using the [Azure Identity library][Identity library]. To use the [DefaultAzureCredential][defaultazurecredential] provider, you'll need to install the `@azure/identity` package:

-You'll need to register the new Azure AD application and grant access to Azure Maps by assigning the required role to your service principal. For more information, see [Host a daemon on non-Azure resources][Host daemon]. During this process you'll get an Application (client) ID, a Directory (tenant) ID, and a client secret. Copy these values and store them in a secure place. You'll need them in the following steps.

-You can use a `.env` file for these variables. You'll need to install the [dotenv][dotenv] package:

-You need to pass the subscription key to the `AzureKeyCredential` class provided by the [Azure Core Authentication Package][core auth package]. For security reasons, it's better to specify the key as an environment variable than to include it in your source code.

-You can accomplish this by using a `.env` file to store the subscription key variable. You'll need to install the [dotenv][dotenv] package to retrieve the value:

-The code snippet above shows how to use the `MapsSearch` method from the Azure Maps Search client library to create a `client` object with your Azure credentials. You can use either your Azure Maps subscription key or the [Azure AD credential](#using-an-azure-ad-credential) from the previous section. The `path` parameter specifies the API endpoint, which is "/search/fuzzy/{format}" in this case. The `get` method sends an HTTP GET request with the query parameters, such as `query`, `coordinates`, and `countryFilter`. The query searches for Starbucks locations near Seattle in the US. The SDK returns the results as a [FuzzySearchResult][FuzzySearchResult] object and writes them to the console. For more details, see the [FuzzySearchRequest][FuzzySearchRequest] documentation.

-The [searchAddress][searchAddress] query can be used to get the coordinates of an address. Modify the `search.js` from the sample as follows:

-[defaultazurecredential]: https://github.com/Azure/azure-sdk-for-js/tree/@azure/maps-search_1.0.0-beta.1/sdk/identity/identity#defaultazurecredential

-[search]: /rest/api/maps/search

-[Node.js Release]: https://github.com/nodejs/release#release-schedule

-[Identity library]: /javascript/api/overview/azure/identity-readme

-[core auth package]: /javascript/api/@azure/core-auth/

-[Host daemon]: ./how-to-secure-daemon-app.md#host-a-daemon-on-non-azure-resources

-Azure Maps Python SDK supports Python version 3.7 or later. For more information on future Python versions, see [Azure SDK for Python version support policy][support policy].

-| Service Name  | PyPi package  | Samples  |

-> The`MapsSearchClient` is the primary interface for developers using the Azure Maps search library. See [Azure Maps Search package client library][Search package client library] to learn more about the search methods available.

-You can authenticate with Azure AD using the [Azure Identity package][Azure Identity package]. To use the [DefaultAzureCredential][defaultazurecredential] provider, you'll need to install the Azure Identity client package:

-You'll need to register the new Azure AD application and grant access to Azure Maps by assigning the required role to your service principal. For more information, see [Host a daemon on non-Azure resources][Host daemon]. During this process you'll get an Application (client) ID, a Directory (tenant) ID, and a client secret. Copy these values and store them in a secure place. You'll need them in the following steps.

-Next you'll need to specify the Azure Maps account you intend to use by specifying the maps’ client ID. The Azure Maps account client ID can be found in the Authentication sections of the Azure Maps account. For more information, see [View authentication details][View authentication details].

-The [Azure Maps Search Package client library for Python][Search package client library] in the *Azure SDK for Python Preview* documentation.

-[Search package client library]: /python/api/overview/azure/maps-search-readme?view=azure-python-preview

-[python latest release]: https://www.python.org/downloads/

-[support policy]: https://github.com/Azure/azure-sdk-for-python/wiki/Azure-SDKs-Python-version-support-policy

-[defaultazurecredential]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/identity/azure-identity#defaultazurecredential

-[Host daemon]: ./how-to-secure-daemon-app.md#host-a-daemon-on-non-azure-resources

-This article describes how to use the [static image service](/rest/api/maps/render/getmapimage) with image composition functionality. Image composition functionality supports the retrieval of static raster tile that contains custom data.

-> [!Tip]

-1. [Make an Azure Maps account](quick-demo-map-app.md#create-an-azure-maps-account)

-2. [Obtain a primary subscription key](quick-demo-map-app.md#get-the-primary-key-for-your-account), also known as the primary key or the subscription key.

-This article uses the [Postman](https://www.postman.com/) application, but you may use a different API development environment.

-We'll use the Azure Maps [Data Service APIs](/rest/api/maps/data) to store and render overlays.

-> [!Note]

-> [!Note]

->To obtain your own path and pin location information, use the [Data Upload API](/rest/api/maps/data-v2/upload).

-5. Enter the following URL to the [Render Service](/rest/api/maps/render/get-map-image) (replace {`Your-Azure-Maps-Subscription-key}` with your Azure Maps subscription key and `udid` with the `udid` of the uploaded data):

-> [!Note]

-You can modify the appearance of a polygon by using style modifiers with the [path parameter](/rest/api/maps/render/getmapimage#uri-parameters).

-5. Enter the following URL to the [Render Service](/rest/api/maps/render/get-map-image) (replace {`Your-Azure-Maps-Subscription-key}` with your Azure Maps subscription key):

-> [!Note]

-You can modify the appearance of the pins by adding style modifiers. For example, to make pushpins and their labels larger or smaller, use the `sc` "scale style" modifier. This modifier takes a value that's greater than zero. A value of 1 is the standard scale. Values larger than 1 will make the pins larger, and values smaller than 1 will make them smaller. For more information about style modifiers, see [static image service path parameters](/rest/api/maps/render/getmapimage#uri-parameters).

-5. Enter the following URL to the [Render Service](/rest/api/maps/render/get-map-image) (replace {`Your-Azure-Maps-Subscription-key}` with your Azure Maps subscription key):

-* Explore the [Azure Maps Get Map Image API](/rest/api/maps/render/getmapimage) documentation.

-* To learn more about Azure Maps Data service, see the [service documentation](/rest/api/maps/data).

-> [Azure Maps Weather services concepts](./weather-services-concepts.md)

-> [Azure Maps Weather services REST API](/rest/api/maps/weather)

-The [Azure Maps Search Service](/rest/api/maps/search) is a set of RESTful APIs designed to help developers search addresses, places, and business listings by name, category, and other geographic information. In addition to supporting traditional geocoding, services can also reverse geocode addresses and cross streets based on latitudes and longitudes. Latitude and longitude values returned by the search can be used as parameters in other Azure Maps services, such as [Route](/rest/api/maps/route) and [Weather](/rest/api/maps/weather) services.

-* Request latitude and longitude coordinates for an address (geocode address location) by using the [Search Address API](/rest/api/maps/search/getsearchaddress).

-* Search for an address or Point of Interest (POI) using the [Fuzzy Search API](/rest/api/maps/search/getsearchfuzzy).

-* Make a [Reverse Address Search](/rest/api/maps/search/getsearchaddressreverse) to translate coordinate location to street address.

-* Translate coordinate location into a human understandable cross street by using [Search Address Reverse Cross Street API](/rest/api/maps/search/getsearchaddressreversecrossstreet). Most often, this is needed in tracking applications that receive a GPS feed from a device or asset, and wish to know where the coordinate is located.

-1. [Make an Azure Maps account](quick-demo-map-app.md#create-an-azure-maps-account)

-2. [Obtain a primary subscription key](quick-demo-map-app.md#get-the-primary-key-for-your-account), also known as the primary key or the subscription key.

-This tutorial uses the [Postman](https://www.postman.com/) application, but you may choose a different API development environment.

-In this example, we'll use the Azure Maps [Get Search Address API](/rest/api/maps/search/getsearchaddress) to convert an address into latitude and longitude coordinates. This process is also called *geocoding*. In addition to returning the coordinates, the response will also return detailed address properties such as street, postal code, municipality, and country/region information.

->If you have a set of addresses to geocode, you can use the [Post Search Address Batch API](/rest/api/maps/search/postsearchaddressbatch) to send a batch of queries in a single API call.

-## Using Fuzzy Search API

-The Azure Maps [Fuzzy Search API](/rest/api/maps/search/getsearchfuzzy) supports standard single line and free-form searches. We recommend that you use the Azure Maps Search Fuzzy API when you don't know your user input type for a search request. The query input can be a full or partial address. It can also be a Point of Interest (POI) token, like a name of POI, POI category or name of brand. Furthermore, to improve the relevance of your search results, the query results can be constrained by a coordinate location and radius, or by defining a bounding box.

->Most Search queries default to maxFuzzyLevel=1 to gain performance and reduce unusual results. You can adjust fuzziness levels by using the `maxFuzzyLevel` or `minFuzzyLevel` parameters. For more information on `maxFuzzyLevel` and a complete list of all optional parameters, see [Fuzzy Search URI Parameters](/rest/api/maps/search/getsearchfuzzy#uri-parameters)

->To geobias results to the relevant area for your users, always add as many location details as possible. To learn more, see [Best Practices for Search](how-to-use-best-practices-for-search.md#geobiased-search-results).

- >The _json_ attribute in the URL path determines the response format. This article uses json for ease of use and readability. To find other supported response formats, see the `format` parameter definition in the [URI Parameter reference documentation](/rest/api/maps/search/getsearchfuzzy#uri-parameters).

- The ambiguous query string for "pizza" returned 10 [point of interest result](/rest/api/maps/search/getsearchpoi#searchpoiresponse) (POI) in both the "pizza" and "restaurant" categories. Each result includes details such as street address, latitude and longitude values, view port, and entry points for the location. The results are now varied for this query, and are not tied to any reference location.

- In the next step, we'll use the `countrySet` parameter to specify only the countries/regions for which your application needs coverage. For a complete list of supported countries/regions, see [Search Coverage](./geocoding-coverage.md).

-The Azure Maps [Get Search Address Reverse API](/rest/api/maps/search/getsearchaddressreverse) translates coordinates into human readable street addresses. This API is often used for applications that consume GPS feeds and want to discover addresses at specific coordinate points.

->To geobias results to the relevant area for your users, always add as many location details as possible. To learn more, see [Best Practices for Search](how-to-use-best-practices-for-search.md#geobiased-search-results).

->If you have a set of coordinate locations to reverse geocode, you can use [Post Search Address Reverse Batch API](/rest/api/maps/search/postsearchaddressreversebatch) to send a batch of queries in a single API call.

-In this example, we'll be making reverse searches using a few of the optional parameters that are available. For the full list of optional parameters, see [Reverse Search Parameters](/rest/api/maps/search/getsearchaddressreverse#uri-parameters).

- | returnRoadUse | true | Returns road use types at the address. For all possible road use types, see [Road Use Types](/rest/api/maps/search/getsearchaddressreverse#uri-parameters).|

- | returnMatchType | true| Returns the type of match. For all possible values, see [Reverse Address Search Results](/rest/api/maps/search/getsearchaddressreverse#searchaddressreverseresult)

-6. Next, we'll add the `entityType` key, and set its value to `Municipality`. The `entityType` key will override the `returnMatchType` key in the previous step. We'll also need to remove `returnSpeedLimit` and `returnRoadUse` since we're requesting information about the municipality. For all possible entity types, see [Entity Types](/rest/api/maps/search/getsearchaddressreverse#entitytype).

-7. Click **Send**. Compare the results to the results returned in step 5. Because the requested entity type is now `municipality`, the response does not include street address information. Also, the returned `geometryId` can be used to request boundary polygon through Azure Maps Get [Search Polygon API](/rest/api/maps/search/getsearchpolygon).

->To get more information on these parameters, as well as to learn about others, see the [Reverse Search Parameters section](/rest/api/maps/search/getsearchaddressreverse#uri-parameters).

-> [Azure Maps Search Service REST API](/rest/api/maps/search)

-> [Azure Maps Search Service Best Practices](how-to-use-best-practices-for-search.md)

-The following small JavaScript code example shows how you could use your SAS token with the JavaScript [Fetch API](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#supplying_request_options) to get and return Azure Maps information. The example uses the Azure Maps [Get Search Address](/rest/api/maps/search/get-search-address) API version 1.0. Supply your own value for `<your SAS token>`.

-When using the [Azure Maps Render service V2](/rest/api/maps/render-v2), either as a basemap or layer, you're required to display the appropriate data provider copyright attribution on the map. This information should be displayed in the lower right-hand corner of the map.

-The [Get Map Attribution API](/rest/api/maps/render-v2/get-map-attribution) enables you to request map copyright attribution information so that you can display in on the map within your applications.

-The attribution is automatically displayed and updated on the map When using any of the Azure Maps SDKs. This includes the [Web SDK](how-to-use-map-control.md), [Android SDK](how-to-use-android-map-control-library.md) and the [iOS SDK](how-to-use-ios-map-control-library.md).

-| tilesetId | TilesetID | A tileset is a collection of raster or vector data broken up into a uniform grid of square tiles at preset zoom levels. Every tileset has a tilesetId to use when making requests. The tilesetId for tilesets created using Azure Maps Creator are generated through the [Tileset Create API](/rest/api/maps/v2/tileset/create). There are ready-to-use tilesets supplied by Azure Maps, such as `microsoft.base.road`, `microsoft.base.hybrid` and `microsoft.weather.radar.main`, a complete list can be found the [Get Map Attribution](/rest/api/maps/render-v2/get-map-attribution#tilesetid) REST API documentation. |

-| zoom | integer | Zoom level for the selected tile. The valid range depends on the tile, see the [TilesetID](/rest/api/maps/render-v2/get-map-attribution#tilesetid) table for valid values for a specific tileset. For more information, see the [Zoom levels and tile grid](zoom-levels-and-tile-grid.md) article. |

-| subscription-key | string | One of the Azure Maps keys provided from an Azure Map Account. For more information, see the [Authentication with Azure Maps](azure-maps-authentication.md) article. |

-* For more information, see the [Azure Maps Render service V2](/rest/api/maps/render-v2) documentation.

-description: Learn how to route vehicles by using Route Service from Microsoft Azure Maps.

-The Route Directions and Route Matrix APIs in Azure Maps [Route Service](/rest/api/maps/route) can be used to calculate the estimated arrival times (ETAs) for each requested route. Route APIs consider factors such as real-time traffic information and historic traffic data, like the typical road speeds on the requested day of the week and time of day. The APIs return the shortest or fastest routes available to multiple destinations at a time in sequence or in optimized order, based on time or distance. Users can also request specialized routes and details for walkers, bicyclists, and commercial vehicles like trucks. In this article, we'll share the best practices to call Azure Maps [Route Service](/rest/api/maps/route), and you'll learn how-to:

- * Choose between the Route Directions APIs and the Matrix Routing API

- * Request historic and predicted travel times, based on real-time and historical traffic data

- * Request route details, like time and distance, for the entire route and each leg of the route

- * Request route for a commercial vehicle, like a truck

- * Request traffic information along a route, like jams and toll information

- * Request a route that consists of one or more stops (waypoints)

- * Optimize a route of one or more stops to obtain the best order to visit each stop (waypoint)

- * Optimize alternative routes using supporting points. For example, offer alternative routes that pass an electric vehicle charging station.

- * Use the [Route Service](/rest/api/maps/route) with the Azure Maps Web SDK

-1. [Make an Azure Maps account](quick-demo-map-app.md#create-an-azure-maps-account)

-2. [Obtain a primary subscription key](quick-demo-map-app.md#get-the-primary-key-for-your-account), also known as the primary key or the subscription key.

-For more information about the coverage of the Route Service, see the [Routing Coverage](routing-coverage.md).

-This article uses the [Postman app](https://www.postman.com/downloads/) to build REST calls, but you can choose any API development environment.

-This option can be used to color the sections when rendering the map, as in the image below:

-* Optimizations based on the requested route type, without changing the order of waypoints. You can find the [supported route types here](/rest/api/maps/route/postroutedirections#routetype)

-2. Use the route path to find the desired locations along or near the route path. For example, you can use Azure Maps [Point of Interest API](/rest/api/maps/search/getsearchpoi) or query your own data in your database.

-4. Add these locations as supporting points in a new route request to the [Post Route Directions API](/rest/api/maps/route/postroutedirections). To learn more about the supporting points, see the [Post Route Directions API documentation](/rest/api/maps/route/postroutedirections#supportingpoints).

-When calling the [Post Route Directions API](/rest/api/maps/route/postroutedirections), you can set the minimum deviation time or the distance constraints, along with the supporting points. Use these parameters if you want to offer alternative routes, but you also want to limit the travel time. When these constraints are used, the alternative routes will follow the reference route from the origin point for the given time or distance. In other words, the other routes diverge from the reference route per the given constraints.

-The Azure Maps Web SDK provides a [Service module](/javascript/api/azure-maps-rest/). This module is a helper library that makes it easy to use the Azure Maps REST APIs in web or Node.js applications, using JavaScript or TypeScript. The Service module can be used to render the returned routes on the map. The module automatically determines which API to use with GET and POST requests.

-description: Learn how to apply the best practices when using the Search Service from Microsoft Azure Maps.

-# Best practices for Azure Maps Search Service

-Azure Maps [Search Service](/rest/api/maps/search) includes APIs that offer various capabilities to help developers to search addresses, places, business listings by name or category, and other geographic information. For example,[Fuzzy Search API](/rest/api/maps/search/getsearchfuzzy) allows users to search for an address or Point of Interest (POI).

-This article explains how to apply sound practices when you call data from Azure Maps Search Service. You'll learn how to:

-1. [Make an Azure Maps account](quick-demo-map-app.md#create-an-azure-maps-account)

-2. [Obtain a primary subscription key](quick-demo-map-app.md#get-the-primary-key-for-your-account), also known as the primary key or the subscription key.

-This article uses the [Postman app](https://www.postman.com/downloads/) to build REST calls, but you can choose any API development environment.

-When you search for a full or partial address by using Azure Maps Search Service, the API reads keywords from your search query. Then it returns the longitude and latitude coordinates of the address. This process is called *geocoding*.

-The ability to geocode in a country/region depends on the availability of road data and the precision of the geocoding service. For more information about Azure Maps geocoding capabilities by country or region, see [Geocoding coverage](./geocoding-coverage.md).

-We recommend that you use the Azure Maps [Search Fuzzy API](/rest/api/maps/search/getsearchfuzzy) when you don't know your user inputs for a search query. For example, input from the user could be an address or the type of Point of Interest (POI), like *shopping mall*. The API combines POI searching and geocoding into a canonical *single-line search*:

-* `POI` - **Points of interest**: Points on a map that are considered to be worth attention or that might be interesting. The [Search Address API](/rest/api/maps/search/getsearchaddress) doesn't return POIs.

-When you do a reverse-geocode search in the [Search Address Reverse API](/rest/api/maps/search/getsearchaddressreverse), the service can return polygons for administrative areas. For example, you might want to fetch the area polygon for a city. To narrow the search to specific geography entity types, include the `entityType` parameter in your requests.

-The resulting response contains the geography ID and the entity type that was matched. If you provide more than one entity, then the endpoint returns the *smallest entity available*. You can use the returned geometry ID to get the geography's geometry through the [Search Polygon service](/rest/api/maps/search/getsearchpolygon).

-Use the `language` parameter to set the language for the returned search results. If the request doesn't set the language, then by default Search Service uses the most common language in the country or region. When no data is available in the specified language, the default language is used.

-For more information, see [Azure Maps supported languages](./supported-languages.md).

-To explore brand searching, let's make a [POI category search](/rest/api/maps/search/getsearchpoicategory) request. In the following example, we look for gas stations near the Microsoft campus in Redmond, Washington. The response shows brand information for each POI that was returned.

-To retrieve POI results around a specific location, you can try using the [Search Nearby API](/rest/api/maps/search/getsearchnearby). The endpoint returns only POI results. It doesn't take in a search query parameter.

-Let's find an address in Seattle by making an address-search request to the Azure Maps Search Service. In the following request URL, we set the `countrySet` parameter to `US` to search for the address in the USA.

-The `Score` parameter for each response object indicates how the matching score relates to the scores of other objects in the same response. For more information about response object parameters, see [Get Search Address](/rest/api/maps/search/getsearchaddress).

-A response type of *Geometry* can include the geometry ID that's returned in the `dataSources` object under `geometry` and `id`. For example, you can use the [Search Polygon service](/rest/api/maps/search/getsearchpolygon) to request the geometry data in a GeoJSON format. By using this format, you can get a city or airport outline for a set of entities. You can then use this boundary data to [Set up a geofence](./tutorial-geofence.md) or [Search POIs inside the geometry](/rest/api/maps/search/postsearchinsidegeometry).

-Responses for the [Search Address](/rest/api/maps/search/getsearchaddress) API or the [Search Fuzzy](/rest/api/maps/search/getsearchfuzzy) API can include the geometry ID that's returned in the `dataSources` object under `geometry` and `id`:

-> [How to build Azure Maps Search Service requests](./how-to-search-for-address.md)

-> [Search Service API documentation](/rest/api/maps/search)

-There are two ways to make a reverse address search. One way is to query the [Azure Maps Reverse Address Search API](/rest/api/maps/search/getsearchaddressreverse) through a service module. The other way is to use the [Fetch API](https://fetch.spec.whatwg.org/) to make a request to the [Azure Maps Reverse Address Search API](/rest/api/maps/search/getsearchaddressreverse) to find an address. Both ways are surveyed below.

-In the code above, the first block constructs a map object and sets the authentication mechanism to use the access token. You can see [create a map](./map-create.md) for instructions.

-The second code block creates a `TokenCredential` to authenticate HTTP requests to Azure Maps with the access token. It then passes the `TokenCredential` to `atlas.service.MapsURL.newPipeline()` and creates a [Pipeline](/javascript/api/azure-maps-rest/atlas.service.pipeline) instance. The `searchURL` represents a URL to Azure Maps [Search](/rest/api/maps/search) operations.

-The third code block updates the style of mouse cursor to a pointer and creates a [popup](/javascript/api/azure-maps-control/atlas.popup#open) object. You can see [add a popup on the map](./map-add-popup.md) for instructions.

-The fourth block of code adds a mouse click [event listener](/javascript/api/azure-maps-control/atlas.map#events). When triggered, it creates a search query with the coordinates of the clicked point. It then uses the [getSearchAddressReverse](/javascript/api/azure-maps-rest/atlas.service.searchurl#searchaddressreverse-aborter--geojson-position--searchaddressreverseoptions-)method to query the [Get Search Address Reverse API](/rest/api/maps/search/getsearchaddressreverse) for the address of the coordinates. A GeoJSON feature collection is then extracted using the `geojson.getFeatures()` method from the response.

-The change of cursor, the popup object, and the click event are all created in the map's [load event listener](/javascript/api/azure-maps-control/atlas.map#events). This code structure ensures map fully loads before retrieving the coordinates information.

-In the code above, the first block of code constructs a map object and sets the authentication mechanism to use the access token. You can see [create a map](./map-create.md) for instructions.

-The second block of code updates the style of the mouse cursor to a pointer. It instantiates a [popup](/javascript/api/azure-maps-control/atlas.popup#open) object. You can see [add a popup on the map](./map-add-popup.md) for instructions.

-The third block of code adds an event listener for mouse clicks. Upon a mouse click, it uses the [Fetch API](https://fetch.spec.whatwg.org/) to query the [Azure Maps Reverse Address Search API](/rest/api/maps/search/getsearchaddressreverse) for the clicked coordinates address. For a successful response, it collects the address for the clicked location. It defines the popup content and position using the [setOptions](/javascript/api/azure-maps-control/atlas.popup#setoptions-popupoptions-) function of the popup class.

-The change of cursor, the popup object, and the click event are all created in the map's [load event listener](/javascript/api/azure-maps-control/atlas.map#events). This code structure ensures the map fully loads before retrieving the coordinates information.

-> [Show traffic](./map-show-traffic.md)

-There are two ways to do so. The first way is to query the [Azure Maps Route API](/rest/api/maps/route/getroutedirections) through a service module. The second way is to use the [Fetch API](https://fetch.spec.whatwg.org/) to make a search request to the [Azure Maps Route API](/rest/api/maps/route/getroutedirections). Both ways are discussed below.

-In the above code, the first block constructs a map object and sets the authentication mechanism to use the access token. You can see [create a map](./map-create.md) for instructions.

-The second block of code creates a `TokenCredential` to authenticate HTTP requests to Azure Maps with the access token. It then passes the `TokenCredential` to `atlas.service.MapsURL.newPipeline()` and creates a [Pipeline](/javascript/api/azure-maps-rest/atlas.service.pipeline) instance. The `routeURL` represents a URL to Azure Maps [Route](/rest/api/maps/route) operations.

-The third block of code creates and adds a [DataSource](/javascript/api/azure-maps-control/atlas.source.datasource) object to the map.

-The fourth block of code creates start and end [points](/javascript/api/azure-maps-control/atlas.data.point) objects and adds them to the dataSource object.

-A line is a [Feature](/javascript/api/azure-maps-control/atlas.data.feature) for LineString. A [LineLayer](/javascript/api/azure-maps-control/atlas.layer.linelayer) renders line objects wrapped in the [DataSource](/javascript/api/azure-maps-control/atlas.source.datasource) as lines on the map. The fourth block of code creates and adds a line layer to the map. See properties of a line layer at [LinestringLayerOptions](/javascript/api/azure-maps-control/atlas.linelayeroptions).

-A [symbol layer](/javascript/api/azure-maps-control/atlas.layer.symbollayer) uses texts or icons to render point-based data wrapped in the [DataSource](/javascript/api/azure-maps-control/atlas.source.datasource). The texts or the icons render as symbols on the map. The fifth block of code creates and adds a symbol layer to the map.

-The sixth block of code queries the Azure Maps routing service, which is part of the [service module](how-to-use-services-module.md). The [calculateRouteDirections](/javascript/api/azure-maps-rest/atlas.service.routeurl#methods) method of the RouteURL is used to get a route between the start and end points. A GeoJSON feature collection from the response is then extracted using the `geojson.getFeatures()` method and is added to the datasource. It then renders the response as a route on the map. For more information about adding a line to the map, see [add a line on the map](map-add-line-layer.md).

-The last block of code sets the bounds of the map using the Map's [setCamera](/javascript/api/azure-maps-control/atlas.map#setcamera-cameraoptionscameraboundsoptionsanimationoptions-) property.

-The route query, data source, symbol, line layers, and camera bounds are created inside the [event listener](/javascript/api/azure-maps-control/atlas.map#events). This code structure ensures the results are displayed only after the map fully loads.

-In the code above, the first block of code constructs a map object and sets the authentication mechanism to use the access token. You can see [create a map](./map-create.md) for instructions.

-The second block of code creates and adds a [DataSource](/javascript/api/azure-maps-control/atlas.source.datasource) object to the map.

-The third code block creates the start and destination points for the route. Then, it adds them to the data source. You can see [add a pin on the map](map-add-pin.md) for instructions about using [addPins](/javascript/api/azure-maps-control/atlas.map).

-A [LineLayer](/javascript/api/azure-maps-control/atlas.layer.linelayer) renders line objects wrapped in the [DataSource](/javascript/api/azure-maps-control/atlas.source.datasource) as lines on the map. The fourth block of code creates and adds a line layer to the map. See properties of a line layer at [LineLayerOptions](/javascript/api/azure-maps-control/atlas.linelayeroptions).

-A [symbol layer](/javascript/api/azure-maps-control/atlas.layer.symbollayer) uses text or icons to render point-based data wrapped in the [DataSource](/javascript/api/azure-maps-control/atlas.source.datasource) as symbols on the map. The fifth block of code creates and adds a symbol layer to the map. See properties of a symbol layer at [SymbolLayerOptions](/javascript/api/azure-maps-control/atlas.symbollayeroptions).

-The next code block creates `SouthWest` and `NorthEast` points from the start and destination points and sets the bounds of the map using the Map's [setCamera](/javascript/api/azure-maps-control/atlas.map#setcamera-cameraoptionscameraboundsoptionsanimationoptions-) property.

-The last block of code uses the [Fetch API](https://fetch.spec.whatwg.org/) to make a search request to the [Azure Maps Route API](/rest/api/maps/route/getroutedirections). The response is then parsed. If the response was successful, the latitude and longitude information is used to create an array a line by connecting those points. The line data is then added to data source to render the route on the map. You can see [add a line on the map](map-add-line-layer.md) for instructions.

-The route query, data source, symbol, line layers, and camera bounds are created inside the [event listener](/javascript/api/azure-maps-control/atlas.map#events). Again, we want to ensure that results are displayed after the map loads fully.

-> [Interacting with the map - mouse events](./map-events.md)

-There are two ways to search for a location of interest. One way is to use a service module to make a search request. The other way is to make a search request to [Azure Maps Fuzzy search API](/rest/api/maps/search/getsearchfuzzy) through the [Fetch API](https://fetch.spec.whatwg.org/). Both ways are discussed below.

-In the code above, the first block constructs a map object and sets the authentication mechanism to use the access token. You can see [create a map](./map-create.md) for instructions.

-The second block of code creates a `TokenCredential` to authenticate HTTP requests to Azure Maps with the access token. It then passes the `TokenCredential` to `atlas.service.MapsURL.newPipeline()` and creates a [Pipeline](/javascript/api/azure-maps-rest/atlas.service.pipeline) instance. The `searchURL` represents a URL to Azure Maps [Search](/rest/api/maps/search) operations.

-The third block of code creates a data source object using the [DataSource](/javascript/api/azure-maps-control/atlas.source.datasource) class and add search results to it. A [symbol layer](/javascript/api/azure-maps-control/atlas.layer.symbollayer) uses text or icons to render point-based data wrapped in the [DataSource](/javascript/api/azure-maps-control/atlas.source.datasource) as symbols on the map. A symbol layer is then created. The data source is added to the symbol layer, which is then added to the map.

-The fourth code block uses the [SearchFuzzy](/javascript/api/azure-maps-rest/atlas.service.models.searchgetsearchfuzzyoptionalparams) method in the [service module](how-to-use-services-module.md). It allows you to perform a free form text search via the [Get Search Fuzzy rest API](/rest/api/maps/search/getsearchfuzzy) to search for point of interest. Get requests to the Search Fuzzy API can handle any combination of fuzzy inputs. A GeoJSON feature collection from the response is then extracted using the `geojson.getFeatures()` method and added to the data source, which automatically results in the data being rendered on the map via the symbol layer.

-The last block of code adjusts the camera bounds for the map using the Map's [setCamera](/javascript/api/azure-maps-control/atlas.map#setcamera-cameraoptionscameraboundsoptionsanimationoptions-) property.

-The search request, data source, symbol layer, and camera bounds are inside the [event listener](/javascript/api/azure-maps-control/atlas.map#events) of the map. We want to ensure that the results are displayed after the map fully loads.

-In the code above, the first block of code constructs a map object. It sets the authentication mechanism to use the access token. You can see [create a map](./map-create.md) for instructions.

-The third block of code uses the [Fetch API](https://fetch.spec.whatwg.org/). The [Fetch API](https://fetch.spec.whatwg.org/) is used to make a request to [Azure Maps Fuzzy search API](/rest/api/maps/search/getsearchfuzzy) to search for the points of interest. The Fuzzy search API can handle any combination of fuzzy inputs. It then handles and parses the search response and adds the result pins to the searchPins array.

-The fourth block of code creates a data source object using the [DataSource](/javascript/api/azure-maps-control/atlas.source.datasource) class. In the code, we add search results to the source object. A [symbol layer](/javascript/api/azure-maps-control/atlas.layer.symbollayer) uses text or icons to render point-based data wrapped in the [DataSource](/javascript/api/azure-maps-control/atlas.source.datasource) as symbols on the map. A symbol layer is then created. The data source is added to the symbol layer, which is then added to the map.

-The last block of code creates a [BoundingBox](/javascript/api/azure-maps-control/atlas.data.boundingbox) object. It uses the array of results, and then it adjusts the camera bounds for the map using the Map's [setCamera](/javascript/api/azure-maps-control/atlas.map#setcamera-cameraoptionscameraboundsoptionsanimationoptions-). It then renders the result pins.

-The search request, the data source, symbol layer, and the camera bounds are set within the map's [event listener](/javascript/api/azure-maps-control/atlas.map#events) to ensure that the results are displayed after the map loads fully.

-> [Show directions from A to B](map-route.md)

-* [Weather Services](/rest/api/maps/weather) ΓÇô Gain access to real-time and forecast weather data.

-You can call the Azure Maps [Rest API][Rest API] directly from any programming language, however that can be error prone work requiring extra effort. To make incorporating Azure Maps in your applications easier and less error prone, the Azure Maps team has encapsulated their REST API in SDKs for C# (.NET), Python, JavaScript/Typescript, and Java.

-Azure Maps C# SDK supports any .NET version that is compatible with [.NET standard 2.0][.NET Standard versions].

-| Service Name  | NuGet package  | Samples  |

-For more information, see the [C# SDK Developers Guide](how-to-dev-guide-csharp-sdk.md).

-## Python SDK

-Azure Maps Python SDK supports Python version 3.7 or later. Check the [Azure SDK for Python policy planning][Python-version-support-policy] for more details on future Python versions.

-| Service Name  | PyPi package  | Samples  |

-For more information, see the [python SDK Developers Guide](how-to-dev-guide-py-sdk.md).

-| Service Name  | npm packages | Samples  |

-For more information, see the [JavaScript/TypeScript SDK Developers Guide](how-to-dev-guide-js-sdk.md).

-| Service Name  | Maven package  | Samples  |

-For more information, see the [Java SDK Developers Guide](how-to-dev-guide-java-sdk.md).

-<!-- C# SDK Developers Guide >

-[.NET Standard versions]: https://dotnet.microsoft.com/platform/dotnet-standard#versions

-[Python-version-support-policy]: https://github.com/Azure/azure-sdk-for-python/wiki/Azure-SDKs-Python-version-support-policy

-Affected Azure Maps REST

-The Azure Maps [Traffic API](/rest/api/maps/traffic) is a suite of web services designed for developers to create web and mobile applications around real-time traffic. This data can be visualized on maps or used to generate smarter routes that factor in current driving conditions.

-1. An [Azure Maps account](quick-demo-map-app.md#create-an-azure-maps-account) using the Gen 1 (S1) or Gen 2 pricing tier.

-2. An [Azure Maps primary subscription key](quick-demo-map-app.md#get-the-primary-key-for-your-account).

-For more information about Azure Maps authentication, see [Manage authentication in Azure Maps](how-to-manage-authentication.md).

-[Visual Studio Code](https://code.visualstudio.com/) is recommended for this tutorial, but you can use any suitable integrated development environment (IDE).

-To see a live sample of what you will create in this tutorial, see [Simple Store Locator](https://samples.azuremaps.com/?sample=simple-store-locator) on the **Azure Maps Code Samples** site.

-* The [Map images](https://github.com/Azure-Samples/AzureMapsCodeSamples/tree/master/Samples/Tutorials/Simple%20Store%20Locator/images).

-The following screenshot shows the general layout of the Contoso Coffee store locator application. To view and interact with the live sample, see the [Simple Store Locator](https://samples.azuremaps.com/?sample=simple-store-locator) sample application on the **Azure Maps Code Samples** site.

-The excel file containing the full dataset for the Contoso Coffee locator sample application can be downloaded from the [data](https://github.com/Azure-Samples/AzureMapsCodeSamples/tree/master/Samples/Tutorials/Simple%20Store%20Locator/data) folder of the _Azure Maps code samples_ repository in GitHub.

-* The **Latitude** and **Longitude** columns contain the coordinates for each Contoso Coffee location. If you don't have coordinate information, you can use the Azure Maps [Search service](/rest/api/maps/search) to determine the location coordinates.

-> Azure Maps renders data in the [Spherical Mercator projection](glossary.md#spherical-mercator-projection) "[EPSG:3857](https://epsg.io/3857)" but reads data in "[EPSG:4326](https://epsg.io/4326)" that use the WGS84 datum.

-1. Download the Excel workbook [ContosoCoffee.xlsx](https://github.com/Azure-Samples/AzureMapsCodeSamples/tree/master/Samples/Tutorials/Simple%20Store%20Locator/data) and Open it in Excel.

-1. Open [Visual Studio Code](https://code.visualstudio.com/), or your choice of development environments.

-9. If you haven't already, download the 10 [Map images](https://github.com/Azure-Samples/AzureMapsCodeSamples/tree/master/Samples/Tutorials/Simple%20Store%20Locator/images) from the images directory in the GitHub Repository and add them to the *images* folder.

-After you finish, *https://docsupdatetracker.net/index.html* should look like [Simple Store Locator.html](https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/master/Samples/Tutorials/Simple%20Store%20Locator/Simple%20Store%20Locator.html).

-1. Adds an [event listener](/javascript/api/azure-maps-control/atlas.map#events) called `ready` to wait until the page has completed its loading process. When the page loading is complete, the event handler creates more event listeners to monitor the loading of the map, and give functionality to the search and **My location** buttons.

-* Enable [suggestions as you type](https://samples.azuremaps.com/?sample=search-autosuggest-and-jquery-ui) in the search box.

-* Add [support for multiple languages](https://samples.azuremaps.com/?sample=map-localization).

-* Allow the user to [filter locations along a route](https://samples.azuremaps.com/?sample=filter-data-along-route).

-* Add the ability to [set filters](https://samples.azuremaps.com/?sample=filter-symbols-by-property).

-* Deploy your store locator as an [Azure App Service Web App](../app-service/quickstart-html.md).

-* Store your data in a database and search for nearby locations. To learn more, see the [SQL Server spatial data types overview](/sql/relational-databases/spatial/spatial-data-types-overview?preserve-view=true&view=sql-server-2017) and [Query spatial data for the nearest neighbor](/sql/relational-databases/spatial/query-spatial-data-for-nearest-neighbor?preserve-view=true&view=sql-server-2017).

-* To view this sample live, see [Simple Store Locator](https://samples.azuremaps.com/?sample=simple-store-locator) on the **Azure Maps Code Samples** site.

-* learn more about the coverage and capabilities of Azure Maps by using [Zoom levels and tile grid](zoom-levels-and-tile-grid.md).

-* You can also [Use data-driven style expressions](data-driven-style-expressions-web-sdk.md) to apply to your business logic.

-> You can also create a dataset from a GeoJSON package. For more information, see [Create a dataset using a GeoJson package (Preview)](how-to-dataset-geojson.md).

-1. [Make an Azure Maps account](quick-demo-map-app.md#create-an-azure-maps-account).

-2. [Obtain a primary subscription key](quick-demo-map-app.md#get-the-primary-key-for-your-account), also known as the primary key or the subscription key.

-3. [Create a Creator resource](how-to-manage-creator.md).

-4. Download the [Sample drawing package](https://github.com/Azure-Samples/am-creator-indoor-data-examples/blob/master/Sample%20-%20Contoso%20Drawing%20Package.zip).

-This tutorial uses the [Postman](https://www.postman.com/) application, but you can use a different API development environment.

-> * This article uses the `us.atlas.microsoft.com` geographical URL. If your Creator service wasn't created in the United States, you must use a different geographical URL. For more information, see [Access to Creator Services](how-to-manage-creator.md#access-to-creator-services).

-Use the [Data Upload API](/rest/api/maps/data-v2/upload) to upload the drawing package to Azure Maps resources.

-The Data Upload API is a long running transaction that implements the pattern defined in [Creator Long-Running Operation API V2](creator-long-running-operation-v2.md).

-5. Enter the following URL to the [Data Upload API](/rest/api/maps/data-v2/upload) The request should look like the following URL:

-Now that the drawing package is uploaded, you'll use the `udid` for the uploaded package to convert the package into map data. The [Conversion API](/rest/api/maps/v2/conversion) uses a long-running transaction that implements the pattern defined in the [Creator Long-Running Operation](creator-long-running-operation-v2.md) article.

-5. Enter the following URL to the [Conversion Service](/rest/api/maps/v2/conversion/convert) (replace `{Your-Azure-Maps-Subscription-key}` with your Azure Maps subscription key and `udid` with the `udid` of the uploaded package):

-The sample drawing package should be converted without errors or warnings. However, if you receive errors or warnings from your own drawing package, the JSON response includes a link to the [Drawing error visualizer](drawing-error-visualizer.md). You can use the Drawing Error visualizer to inspect the details of errors and warnings. To receive recommendations to resolve conversion errors and warnings, see [Drawing conversion errors and warnings](drawing-conversion-error-codes.md).

-A dataset is a collection of map features, such as buildings, levels, and rooms. To create a dataset, use the [Dataset Create API](/rest/api/maps/v2/dataset/create). The Dataset Create API takes the `conversionId` for the converted drawing package and returns a `datasetId` of the created dataset.

-5. Enter the following URL to the [Dataset API](/rest/api/maps/v2/dataset). The request should look like the following URL (replace `{conversionId`} with the `conversionId` obtained in [Check drawing package conversion status](#check-the-drawing-package-conversion-status)):

-5. Enter the following URL to the [Tileset API](/rest/api/maps/v2/tileset). The request should look like the following URL (replace `{datasetId`} with the `datasetId` obtained in the [Check the dataset creation status](#check-the-dataset-creation-status) section above:

-Once your tileset creation completes, you can get the `mapConfigurationId` using the [tileset get](/rest/api/maps/v20220901preview/tileset/get) HTTP request:

-5. Enter the following URL to the [Tileset API](/rest/api/maps/v20220901preview/tileset), passing in the tileset ID you obtained in the previous step.

-For more information, see [Map configuration](creator-indoor-maps.md#map-configuration) in the indoor maps concepts article.

-1. An [Azure Maps primary subscription key](quick-demo-map-app.md#get-the-primary-key-for-your-account), also known as the primary key or the subscription key. For more information on authentication in Azure Maps, see [manage authentication in Azure Maps](how-to-manage-authentication.md).

-3. Next, add the following JavaScript code to the `GetMap` function, just beneath the code added in the last step. This code creates a map control and initializes it using your Azure Maps primary subscription keys that you provide. Make sure and replace the string `<Your Azure Maps Key>` with the Azure Maps primary key that you copied from your Maps account.

- // Replace <Your Azure Maps Key> with your Azure Maps primary subscription key. https://aka.ms/am-primaryKey

- subscriptionKey: '<Your Azure Maps Key>'

-4. Save the file and open it in your browser. The browser will display a basic map by calling `atlas.Map` using your Azure Maps primary subscription key.

- :::image type="content" source="./media/tutorial-prioritized-routes/basic-map.png" alt-text="A screenshot that shows the most basic map you can make by calling the atlas Map API, using your Azure Maps primary subscription key.":::

-2. Next add the following script block just below the previous code just added in the map `ready` event handler. This is the code to build the search query. It uses the [Fuzzy Search Service](/rest/api/maps/search/get-search-fuzzy), a basic search API of the Search Service. Fuzzy Search Service handles most fuzzy inputs like addresses, places, and points of interest (POI). This code searches for nearby gas stations within the specified radius of the provided latitude and longitude. A GeoJSON feature collection from the response is then extracted using the `geojson.getFeatures()` method and added to the data source, which automatically results in the data being rendered on the maps symbol layer. The last part of this script block sets the maps camera view using the bounding box of the results using the Map's [setCamera](/javascript/api/azure-maps-control/atlas.map#setcamera-cameraoptionscameraboundsoptionsanimationoptions-) property.

-Azure Maps [Severe weather alerts][severe-weather-alerts] service returns severe weather alerts from both official Government Meteorological Agencies and other leading severe weather alert providers. The service can return details such as alert type, category, level and detailed description. Severe weather includes conditions like hurricanes, tornados, tsunamis, severe thunderstorms, and fires.

-The script below renders the turbine locations on the map by calling the Azure Maps [Get Map Image service](/rest/api/maps/render/getmapimage).

- > Custom data collection rules have a suffix of *Custom-*; for example, *Custom-rulename*. The *Custom-rulename* in the stream declaration must match the *Custom-rulename* name in the Log Analytics workspace.

-description: The latest updates for Application Insights SDKs.

-# Release Notes - Application Insights

-This page outlines where to find detailed release notes regarding updates and bug fixes for each of the Application Insights SDKs.

-## SDK

-* .NET SDKs

- - For version 2.12 and newer: [.NET SDKs (Including ASP.NET, ASP.NET Core, and Logging Adapters)](https://github.com/Microsoft/ApplicationInsights-dotnet/releases)

- - For older releases:

- - [ASP.NET Web Server SDK](https://github.com/Microsoft/ApplicationInsights-server-dotnet/releases)

- - [.NET SDK](https://github.com/Microsoft/ApplicationInsights-dotnet/releases)

- - [.NET Logging Adapters](https://github.com/Microsoft/ApplicationInsights-dotnet-logging/releases)

- - [ASP.NET Core](https://github.com/Microsoft/ApplicationInsights-aspnet5/releases)

-* [Java](https://github.com/Microsoft/ApplicationInsights-Java/releases)

-* [JavaScript](https://github.com/microsoft/ApplicationInsights-JS/releases)

-* [Python Azure Monitor Exporter](https://github.com/census-instrumentation/opencensus-python/blob/master/contrib/opencensus-ext-azure/CHANGELOG.md)

-Read also our [blogs](https://azure.microsoft.com/blog/tag/application-insights/) and [Service Updates](https://azure.microsoft.com/updates/?service=application-insights) which summarize major improvements in the Application Insights service as a whole.

-## Next steps

-Get started with codeless monitor codeless monitoring:

-* [Azure VM and Azure virtual machine scale set IIS-hosted apps](./azure-vm-vmss-apps.md)

-* [IIS server](./status-monitor-v2-overview.md)

-* [Azure Web Apps](./azure-web-apps.md)

-Get started with code-based monitoring:

-* [ASP.NET](./asp-net.md)

-* [ASP.NET Core](./asp-net-core.md)

-* [Java](./opentelemetry-enable.md?tabs=java)

-* [Node.js](./nodejs.md)

-* [Python](./opencensus-python.md)

-5. Using the dropdown, choose one of the "Cost presets", for more configuration, you may select the "Edit profile settings"

-3. If you have not previously configured Container Insights, select the 'Configure Azure Monitor' button. For clusters already onboarded to Insights, select the "Monitoring Settings" button in the toolbar

-4. Using the dropdown, choose one of the "Cost presets", for more configuration, you may select the "Edit advanced collection settings"

-Consider a scenario where your organization's different business units share Kubernetes infrastructure and a Log Analytics workspace. Each business unit is separated by a Kubernetes namespace. You can visualize how much data is ingested in each workspace by using the **Data Usage** runbook. The runbook is available from the **View Workbooks** dropdown list.

-| Guest performance | Specifies whether to collect performance data from the guest operating system. This option is required for all machines. |

-If you've allocated at least 4 TiB of quota for a volume, you can initiate a support request to increase the `maxfiles` (inodes) limit beyond 106,255,630. For every 106,255,630 files you increase (or a fraction thereof), you need to increase the corresponding volume quota by 4 TiB. For example, if you increase the `maxfiles` limit from 106,255,630 files to 212,511,260 files (or any number in between), you need to increase the volume quota from 4 TiB to 8 TiB.

-You can increase the `maxfiles` limit to 531,278,150 if your volume quota is at least 20 TiB.

-description: This topic demonstrates how to use animated character detection with Azure Video Indexer.

-# Use the animated character detection with portal and API

-Azure Video Indexer supports detection, grouping, and recognition of characters in animated content, this functionality is available through the Azure portal and through API. Review [this overview](animated-characters-recognition.md) article.

-This article demonstrates to how to use the animated character detection with the Azure portal and the Azure Video Indexer API.

-## Use the animated character detection with portal

-In the trial accounts the Custom Vision integration is managed by Azure Video Indexer, you can start creating and using the animated characters model. If using the trial account, you can skip the following ("Connect your Custom Vision account") section.

-### Connect your Custom Vision account (paid accounts only)

-If you own an Azure Video Indexer paid account, you need to connect a Custom Vision account first. If you don't have a Custom Vision account already, create one. For more information, see [Custom Vision](../cognitive-services/custom-vision-service/overview.md).

-> [!NOTE]

-> Both accounts need to be in the same region. The Custom Vision integration is currently not supported in the Japan region.

-Paid accounts that have access to their Custom Vision account can see the models and tagged images there. Learn more aboutΓÇ»[improving your classifier in Custom Vision](../cognitive-services/custom-vision-service/getting-started-improving-your-classifier.md).

-The training of the model should be done only via Azure Video Indexer, and not via the Custom Vision website.

-#### Connect a Custom Vision account with API

-Follow these steps to connect your Custom Vision account to Azure Video Indexer, or to change the Custom Vision account that is currently connected to Azure Video Indexer:

-1. Browse to [www.customvision.ai](https://www.customvision.ai) and sign in.

-1. Copy the keys for the Training and Prediction resources:

- > [!NOTE]

- > To provide all the keys you need to have two separate resources in Custom Vision, one for training and one for prediction.

-1. Provide other information:

- * Endpoint

- * Prediction resource ID

-1. Browse and sign in to the [Azure Video Indexer](https://vi.microsoft.com/).

-1. Select the question mark on the top-right corner of the page and choose **API Reference**.

-1. Make sure you're subscribed to API Management by clicking **Products** tab. If you have an API connected you can continue to the next step, otherwise, subscribe.

-1. On the developer portal, select the **Complete API Reference** and browse to **Operations**.

-1. Select **Connect Custom Vision Account** and select **Try it**.

-1. Fill in the required fields and the access token and select **Send**.

- For more information about how to get the Azure Video Indexer access token, go to the [developer portal](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Get-Account-Access-Token), and see the [relevant documentation](video-indexer-use-apis.md#obtain-access-token-using-the-authorization-api).

-1. Once the call return 200 OK response, your account is connected.

-1. To verify your connection by browse to the [Azure Video Indexer](https://vi.microsoft.com/) portal:

-1. Select the **Content model customization** button in the top-right corner.

-1. Go to the **Animated characters** tab.

-1. Once you select Manage models in Custom Vision, you'll be transferred to the Custom Vision account you just connected.

-> [!NOTE]

-> Currently, only models that were created via Azure Video Indexer are supported. Models that are created through Custom Vision will not be available. In addition, the best practice is to edit models that were created through Azure Video Indexer only through the Azure Video Indexer platform, since changes made through Custom Vision may cause unintended results.

-### Create an animated characters model

-1. Browse to the [Azure Video Indexer](https://vi.microsoft.com/) website and sign in.

-1. To customize a model in your account, select the **Content model customization** button on the left of the page.

- > [!div class="mx-imgBorder"]

- > :::image type="content" source="./media/content-model-customization/content-model-customization.png" alt-text="Customize content model in Azure Video Indexer ":::

-1. Go to the **Animated characters** tab in the model customization section.

-1. Select **Add model**.

-1. Name your model and select enter to save the name.

-> [!NOTE]

-> The best practice is to have one custom vision model for each animated series.

-### Index a video with an animated model

-For the initial training, upload at least two videos. Each should be preferably longer than 15 minutes, before expecting good recognition model. If you have shorter episodes, we recommend uploading at least 30 minutes of video content before training. This will allow you to merge groups that belong to the same character from different scenes and backgrounds, and therefore increase the chance it will detect the character in the following episodes you index. To train a model on multiple videos (episodes), you need to index them all with the same animation model.

-1. Select the **Upload** button.

-1. Choose a video to upload (from a file or a URL).

-1. Select **Advanced options**.

-1. Under **People / Animated characters** choose **Animation models**.

-1. If you have one model it will be chosen automatically, and if you have multiple models you can choose the relevant one out of the dropdown menu.

-1. Select upload.

-1. Once the video is indexed, you'll see the detected characters in the **Animated characters** section in the **Insights** pane.

-Before tagging and training the model, all animated characters will be named ΓÇ£Unknown #XΓÇ¥. After you train the model, they'll also be recognized.

-### Customize the animated characters models

-1. Name the characters in Azure Video Indexer.

- 1. After the model created character group, it's recommended to review these groups in Custom Vision.

- 1. To tag an animated character in your video, go to the **Insights** tab and select the **Edit** button on the top-right corner of the window.

- 1. In the **Insights** pane, select any of the detected animated characters and change their names from "Unknown #X" to a temporary name (or the name that was previously assigned to the character).

- 1. After typing in the new name, select the check icon next to the new name. This saves the new name in the model in Azure Video Indexer.

-1. Paid accounts only: Review the groups in Custom Vision

- > [!NOTE]

- > Paid accounts that have access to their Custom Vision account can see the models and tagged images there. Learn more aboutΓÇ»[improving your classifier in Custom Vision](../cognitive-services/custom-vision-service/getting-started-improving-your-classifier.md). ItΓÇÖs important to note that training of the model should be done only via Azure Video Indexer (as described in this topic), and not via the Custom Vision website.

- 1. Go to the **Custom Models** page in Azure Video Indexer and choose the **Animated characters** tab.

- 1. Select the Edit button for the model you're working on to manage it in Custom Vision.

- 1. Review each character group:

- * If the group contains unrelated images, it's recommended to delete these in the Custom Vision website.

- * If there are images that belong to a different character, change the tag on these specific images by selecting the image, adding the right tag and deleting the wrong tag.

- * If the group isn't correct, meaning it contains mainly non-character images or images from multiple characters, you can delete in Custom Vision website or in Azure Video Indexer insights.

- * The grouping algorithm will sometimes split your characters to different groups. It's therefore recommended to give all the groups that belong to the same character the same name (in Azure Video Indexer Insights), which will immediately cause all these groups to appear as on in Custom Vision website.

- 1. Once the group is refined, make sure the initial name you tagged it with reflects the character in the group.

-1. Train the model

- 1. After you finished editing all names you want, you need to train the model.

- 1. Once a character is trained into the model, it will be recognized it the next video indexed with that model.

- 1. Open the customization page and select the **Animated characters** tab and then select the **Train** button to train your model. In order to keep the connection between Video

-

-Indexer and the model, don't train the model in the Custom Vision website (paid accounts have access to Custom Vision website), only in Azure Video Indexer.

-Once trained, any video that will be indexed or reindexed with that model will recognize the trained characters.

-## Delete an animated character and the model

-1. Delete an animated character.

- 1. To delete an animated character in your video insights, go to the **Insights** tab and select the **Edit** button on the top-right corner of the window.

- 1. Choose the animated character and then select the **Delete** button under their name.

- > [!NOTE]

- > This will delete the insight from this video but will not affect the model.

-1. Delete a model.

- 1. Select the **Content model customization** button on the top menu and go to the **Animated characters** tab.

- 1. Select the ellipsis icon to the right of the model you wish to delete and then on the delete button.

-

- * Paid account: the model will be disconnected from Azure Video Indexer and you won't be able to reconnect it.

- * Trial account: the model will be deleted from Customs vision as well.

-

- > [!NOTE]

- > In a trial account, you only have one model you can use. After you delete it, you canΓÇÖt train other models.

-## Use the animated character detection with API

-1. Connect a Custom Vision account.

- If you own an Azure Video Indexer paid account, you need to connect a Custom Vision account first. <br/>

- If you donΓÇÖt have a Custom Vision account already, create one. For more information, see [Custom Vision](../cognitive-services/custom-vision-service/overview.md).

- [Connect your Custom Vision account using API](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Connect-Custom-Vision-Account).

-1. Create an animated characters model.

- Use the [create animation model](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Create-Animation-Model) API.

-1. Index or reindex a video.

- Use the [re-indexing](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Re-Index-Video) API.

-1. Customize the animated characters models.

- Use the [train animation model](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Train-Animation-Model) API.

-### View the output

-See the animated characters in the generated JSON file.

-```json

-"animatedCharacters": [

- {

- "videoId": "e867214582",

- "confidence": 0,

- "thumbnailId": "00000000-0000-0000-0000-000000000000",

- "seenDuration": 201.5,

- "seenDurationRatio": 0.3175,

- "isKnownCharacter": true,

- "id": 4,

- "name": "Bunny",

- "appearances": [

- {

- "startTime": "0:00:52.333",

- "endTime": "0:02:02.6",

- "startSeconds": 52.3,

- "endSeconds": 122.6

- },

- {

- "startTime": "0:02:40.633",

- "endTime": "0:03:16.6",

- "startSeconds": 160.6,

- "endSeconds": 196.6

- },

- ]

- },

-]

-```

-## Limitations

-* Currently, the "animation identification" capability isn't supported in East-Asia region.

-* Characters that appear to be small or far in the video may not be identified properly if the video's quality is poor.

-* The recommendation is to use a model per set of animated characters (for example per an animated series).

-## Next steps

-[Azure Video Indexer overview](video-indexer-overview.md)

-description: Azure Video Indexer supports detection, grouping, and recognition of characters in animated content via integration with Cognitive Services custom vision. This functionality is available both through the portal and through the API.

-# Animated character detection

-Azure Video Indexer supports detection, grouping, and recognition of characters in animated content via integration with [Cognitive Services custom vision](https://azure.microsoft.com/services/cognitive-services/custom-vision-service/). This functionality is available both through the portal and through the API.

-After uploading an animated video with a specific animation model, Azure Video Indexer extracts keyframes, detects animated characters in these frames, groups similar character, and chooses the best sample. Then, it sends the grouped characters to Custom Vision that identifies characters based on the models it was trained on.

-Before you start training your model, the characters are detected namelessly. As you add names and train the model the Azure Video Indexer will recognize the characters and name them accordingly.

-## Flow diagram

-The following diagram demonstrates the flow of the animated character detection process.

-> [!div class="mx-imgBorder"]

-> :::image type="content" source="./media/animated-characters-recognition/flow.png" alt-text="Image of a flow diagram ." lightbox="./media/animated-characters-recognition/flow.png":::

-## Accounts

-Depending on a type of your Azure Video Indexer account, different feature sets are available. For information on how to connect your account to Azure, see [Create an Azure Video Indexer account connected to Azure](connect-to-azure.md).

-* The trial account: Azure Video Indexer uses an internal Custom Vision account to create model and connect it to your Azure Video Indexer account.

-* The paid account: you connect your Custom Vision account to your Azure Video Indexer account (if you donΓÇÖt already have one, you need to create an account first).

-### Trial vs. paid

-|Functionality|Trial|Paid|

-||||

-|Custom Vision account|Managed behind the scenes by Azure Video Indexer. |Your Custom Vision account is connected to Azure Video Indexer.|

-|Number of animation models|One|Up to 100 models per account (Custom Vision limitation).|

-|Training the model|Azure Video Indexer trains the model for new characters additional examples of existing characters.|The account owner trains the model when they're ready to make changes.|

-|Advanced options in Custom Vision|No access to the Custom Vision portal.|You can adjust the models yourself in the Custom Vision portal.|

-## Use the animated character detection with portal and API

-For details, see [Use the animated character detection with portal and API](animated-characters-recognition-how-to.md).

-## Limitations

-* Currently, the "animation identification" capability isn't supported in East-Asia region.

-* Characters that appear to be small or far in the video may not be identified properly if the video's quality is poor.

-* The recommendation is to use a model per set of animated characters (for example per an animated series).

-## Next steps

-[Azure Video Indexer overview](video-indexer-overview.md)

-## Animated characters

-* [Animated character detection](animated-characters-recognition.md)

-### Customizing content models - People/Animated characters and Brand categories

-Azure Video Indexer allows you to customize some of its models to be adapted to your specific use case. These models include animated characters, brands, language, and person. If you have customized models, this section enables you to configure if one of the created models should be used for the indexing.

-### Animated character identification improvements

-Azure Video Indexer supports detection, grouping, and recognition of characters in animated content via integration with Cognitive Services custom vision. We added a major improvement to this AI algorithm in the detection and characters recognition, as a result insight accuracy and identified characters are significantly improved.

-Configure the custom vision account on paid accounts using the Azure Video Indexer website (previously, this was only supported by API). To do that, sign in to the Azure Video Indexer website, choose Model Customization > Animated characters > Configure.

- When indexing animated characters, you can now search for them in the accountΓÇÖs video galley. For more information, see [Animated characters recognition](animated-characters-recognition.md).

- Ability to detect group ad recognize characters in animated content, via integration with custom vision. For more information, see [Animated character detection](animated-characters-recognition.md).

-|`widgets` | Strings separated by comma | Allows you to control the insights that you want to render.<br/>Example: `https://www.videoindexer.ai/embed/insights/<accountId>/<videoId>/?widgets=people,keywords` renders only people and keywords UI insights.<br/>Available options: `people`, `animatedCharacters`, `keywords`, `audioEffects`, `labels`, `sentiments`, `emotions`, `topics`, `keyframes`, `transcript`, `ocr`, `speakers`, `scenes`, `spokenLanguage`, `observedPeople`, `namedEntities`.|

-The possible values are: `people`, `animatedCharacters` , `keywords`, `labels`, `sentiments`, `emotions`, `topics`, `keyframes`, `transcript`, `ocr`, `speakers`, `scenes`, `namedEntities`, `logos`.

-|`faces/animatedCharacters`|Contains zero or more faces. For more information, see [faces/animatedCharacters](#facesanimatedcharacters).|

-|`faces/animatedCharacters`|The [faces/animatedCharacters](#facesanimatedcharacters) insight.|

-#### faces/animatedCharacters

-The `animatedCharacters` element replaces `faces` if the video was indexed with an animated characters model. This indexing is done through a custom model in Custom Vision. Azure Video Indexer runs it on keyframes.

-If faces (not animated characters) are present, Azure Video Indexer uses the Face API on all the video's frames to detect faces and celebrities.

-Azure Cloud Shell is an interactive, authenticated, browser-accessible shell for managing Azure

-You can access Cloud Shell in three ways:

- ![Icon to launch Cloud Shell from the Azure portal][14]

- the **Try It** button that appears with Azure CLI and Azure PowerShell code snippets:

- ```azurecli-interactive

- az account show

- ```

- ```azurepowershell-interactive

- Get-AzSubscription

- ```

- The **Try It** button opens Cloud Shell directly alongside the documentation using Bash (for

- Azure CLI snippets) or PowerShell (for Azure PowerShell snippets).

- To run the command, use **Copy** in the code snippet, use

- <kbd>Ctrl</kbd>+<kbd>Shift</kbd>+<kbd>V</kbd> (Windows/Linux) or

- <kbd>Cmd</kbd>+<kbd>Shift</kbd>+<kbd>V</kbd> (macOS) to paste the command, and then press

- <kbd>Enter</kbd>.

-## Features

-### Browser-based shell experience

-Cloud Shell enables access to a browser-based command-line experience built with Azure management

-tasks in mind. Use Cloud Shell to work untethered from a local machine in a way only the cloud

-can provide.

-### Choice of preferred shell experience

-Users can choose between Bash or PowerShell.

-1. Select **Cloud Shell**.

- ![Cloud Shell icon][13]

-1. Select **Bash** or **PowerShell**.

- ![Choose either Bash or PowerShell][12]

- After first launch, you can use the shell type drop-down control to switch between Bash and

- PowerShell:

- ![Drop-down control to select Bash or PowerShell][15]

-### Authenticated and configured Azure workstation

-Cloud Shell is managed by Microsoft so it comes with popular command-line tools and language

-support. Cloud Shell also securely authenticates automatically for instant access to your resources

-through the Azure CLI or Azure PowerShell cmdlets.

-View the full [list of tools installed in Cloud Shell.][07]

-### Integrated Cloud Shell editor

-Cloud Shell offers an integrated graphical text editor based on the open source Monaco Editor.

-Create and edit configuration files by running `code .` for seamless deployment through Azure CLI or

-Azure PowerShell.

-[Learn more about the Cloud Shell editor][20].

-### Multiple access points

-### Connect your Microsoft Azure Files storage

-Cloud Shell machines are temporary, but your files are persisted in two ways: through a disk image,

-and through a mounted file share named `clouddrive`. On first launch, Cloud Shell prompts to create

-a resource group, storage account, and Azure Files share on your behalf. This is a one-time step and

-the resources created are automatically attached for all future sessions. A single file share can be

-mapped and is used by both Bash and PowerShell in Cloud Shell.

-Read more to learn how to mount a [new or existing storage account][16] or to learn about the

-[persistence mechanisms used in Cloud Shell][17].

-> [!NOTE]

-> Azure storage firewall isn't supported for cloud shell storage accounts.

-## Concepts

-Learn more about features in [Bash in Cloud Shell][06] and [PowerShell in Cloud Shell][01].

-## Compliance

-### Encryption at rest

-All Cloud Shell infrastructure is compliant with double encryption at rest by default. No action is

-required by users.

-The machine hosting Cloud Shell is free, with a pre-requisite of a mounted Azure Files share.

-Regular storage costs apply.

-[01]: ./features.md

-[02]: /samples/browse

-[03]: /cli/azure

-[04]: /powershell/azure

-[05]: /training

-[06]: features.md

-[07]: features.md#pre-installed-tools

-[08]: https://azure.microsoft.com/features/azure-portal/mobile-app/

-[09]: https://marketplace.visualstudio.com/items?itemName=ms-vscode.azure-account

-[10]: https://portal.azure.com

-[11]: https://shell.azure.com

-[12]: media/overview/overview-choices.png

-[13]: media/overview/overview-cloudshell-icon.png

-[14]: media/overview/portal-launch-icon.png

-[15]: media/overview/select-shell-drop-down.png

-[16]: persisting-shell-storage.md

-[17]: persisting-shell-storage.md#how-cloud-shell-storage-works

-[18]: quickstart-powershell.md

-[19]: quickstart.md

-[20]: using-cloud-shell-editor.md

-description: Learn how to use the PowerShell in your browser with Azure Cloud Shell.

-ms.contributor: jahelmic

-tags: azure-resource-manager

-# Quickstart for PowerShell in Azure Cloud Shell

-This document details how to use the PowerShell in Cloud Shell in the [Azure portal][06].

-The PowerShell experience in Azure Cloud Shell now runs [PowerShell 7.2][02] in a Linux environment.

-There are differences in the PowerShell experience in Cloud Shell compared Windows PowerShell.

-The filesystem in Linux is case-sensitive. Windows considers `file.txt` and `FILE.txt` to be the

-same file. In Linux, they're considered to be different files. Proper casing must be used while

-tab-completing in the filesystem. PowerShell specific experiences, such as tab-completing cmdlet

-names, parameters, and values, aren't case-sensitive.

-For a detailed list of differences, see [PowerShell differences on non-Windows platforms][01].

-## Start Cloud Shell

-1. Select on **Cloud Shell** button from the top navigation bar of the Azure portal

- ![Screenshot showing how to start Azure Cloud Shell from the Azure portal.][09]

-1. Select the PowerShell environment from the drop-down and you'll be in Azure drive `(Azure:)`

- ![Screenshot showing how to select the PowerShell environment for the Azure Cloud Shell.][08]

-## Registering your subscription with Azure Cloud Shell

-Azure Cloud Shell needs access to manage resources. Access is provided through namespaces that must

-be registered to your subscription. Use the following commands to register the Microsoft.CloudShell

-RP namespace in your subscription:

-```azurepowershell-interactive

-Select-AzSubscription -SubscriptionId <SubscriptionId>

-Register-AzResourceProvider -ProviderNamespace Microsoft.CloudShell

-```

-> [!NOTE]

-> You only need to register the namespace once per subscription.

-## Run PowerShell commands

-Run regular PowerShell commands in the Cloud Shell, such as:

-```azurepowershell-interactive

-PS Azure:\> Get-Date

-```

-```output

-# You will see output similar to the following:

-Friday, July 27, 2018 7:08:48 AM

-```

-```azurepowershell-interactive

-PS Azure:\> Get-AzVM -Status

-```

-```output

-# You will see output similar to the following:

-ResourceGroupName Name Location VmSize OsType ProvisioningState PowerState

-MyResourceGroup2 Demo westus Standard_DS1_v2 Windows Succeeded running

-MyResourceGroup MyVM1 eastus Standard_DS1 Windows Succeeded running

-MyResourceGroup MyVM2 eastus Standard_DS2_v2_Promo Windows Succeeded deallocated

-```

-### Interact with virtual machines

-You can find all your virtual machines under the current subscription via `VirtualMachines`

-directory.

-```azurepowershell-interactive

-PS Azure:\MySubscriptionName\VirtualMachines> dir

-```

-```output

-# You will see output similar to the following:

- Directory: Azure:\MySubscriptionName\VirtualMachines

-Name ResourceGroupName Location VmSize OsType NIC ProvisioningState PowerState

-TestVm1 MyResourceGroup1 westus Standard_DS2_v2 Windows my2008r213 Succeeded stopped

-TestVm2 MyResourceGroup1 westus Standard_DS1_v2 Windows jpstest Succeeded deallocated

-TestVm10 MyResourceGroup2 eastus Standard_DS1_v2 Windows mytest Succeeded running

-```

-#### Invoke PowerShell script across remote VMs

- > [!WARNING]

- > Please refer to [Troubleshooting remote management of Azure VMs][11].

-Assuming you have a VM, MyVM1, let's use `Invoke-AzVMCommand` to invoke a PowerShell script block on

-the remote machine.

-```azurepowershell-interactive

-Enable-AzVMPSRemoting -Name MyVM1 -ResourceGroupname MyResourceGroup

-Invoke-AzVMCommand -Name MyVM1 -ResourceGroupName MyResourceGroup -Scriptblock {Get-ComputerInfo} -Credential (Get-Credential)

-```

-You can also navigate to the VirtualMachines directory first and run `Invoke-AzVMCommand` as follows.

-```azurepowershell-interactive

-PS Azure:\> cd MySubscriptionName\ResourceGroups\MyResourceGroup\Microsoft.Compute\virtualMachines

-PS Azure:\MySubscriptionName\ResourceGroups\MyResourceGroup\Microsoft.Compute\virtualMachines> Get-Item MyVM1 | Invoke-AzVMCommand -Scriptblock {Get-ComputerInfo} -Credential (Get-Credential)

-```

-```output

-# You will see output similar to the following:

-PSComputerName : 65.52.28.207

-RunspaceId : 2c2b60da-f9b9-4f42-a282-93316cb06fe1

-WindowsBuildLabEx : 14393.1066.amd64fre.rs1_release_sec.170327-1835

-WindowsCurrentVersion : 6.3

-WindowsEditionId : ServerDatacenter

-WindowsInstallationType : Server

-WindowsInstallDateFromRegistry : 5/18/2017 11:26:08 PM

-WindowsProductId : 00376-40000-00000-AA947

-WindowsProductName : Windows Server 2016 Datacenter

-WindowsRegisteredOrganization :

-...

-```

-#### Interactively sign-in to a remote VM

-You can use `Enter-AzVM` to interactively log into a VM running in Azure.

-```azurepowershell-interactive

-Enter-AzVM -Name MyVM1 -ResourceGroupName MyResourceGroup -Credential (Get-Credential)

-```

-You can also navigate to the `VirtualMachines` directory first and run `Enter-AzVM` as follows:

-```azurepowershell-interactive

-Get-Item MyVM1 | Enter-AzVM -Credential (Get-Credential)

-```

-### Discover WebApps

-By entering into the `WebApps` directory, you can easily navigate your web apps resources

-```azurepowershell-interactive

-dir .\WebApps\

-```

-```output

-# You will see output similar to the following:

- Directory: Azure:\MySubscriptionName\WebApps

-Name State ResourceGroup EnabledHostNames Location

-mywebapp1 Stopped MyResourceGroup1 {mywebapp1.azurewebsites.net... West US

-mywebapp2 Running MyResourceGroup2 {mywebapp2.azurewebsites.net... West Europe

-mywebapp3 Running MyResourceGroup3 {mywebapp3.azurewebsites.net... South Central US

-```

-```azurepowershell-interactive

-# You can use Azure cmdlets to Start/Stop your web apps

-PS Azure:\MySubscriptionName\WebApps> Start-AzWebApp -Name mywebapp1 -ResourceGroupName MyResourceGroup1

-```

-```output

-# You will see output similar to the following:

-Name State ResourceGroup EnabledHostNames Location

-mywebapp1 Running MyResourceGroup1 {mywebapp1.azurewebsites.net ... West US

-```

-```azurepowershell-interactive

-# Refresh the current state with -Force

-PS Azure:\MySubscriptionName\WebApps> dir -Force

-```

-```output

-# You will see output similar to the following:

- Directory: Azure:\MySubscriptionName\WebApps

-Name State ResourceGroup EnabledHostNames Location

-mywebapp1 Running MyResourceGroup1 {mywebapp1.azurewebsites.net... West US

-mywebapp2 Running MyResourceGroup2 {mywebapp2.azurewebsites.net... West Europe

-mywebapp3 Running MyResourceGroup3 {mywebapp3.azurewebsites.net... South Central US

-```

-## SSH

-To authenticate to servers or VMs using SSH, generate the public-private key pair in Cloud Shell and

-publish the public key to `authorized_keys` on the remote machine, such as

-`/home/user/.ssh/authorized_keys`.

-> [!NOTE]

-> You can create SSH private-public keys using `ssh-keygen` and publish them to

-> `$env:USERPROFILE\.ssh` in Cloud Shell.

-### Using SSH

-Follow instructions [here][03] to create a new VM configuration using Azure PowerShell cmdlets.

-Before calling into `New-AzVM` to kick off the deployment, add SSH public key to the VM

-configuration. The newly created VM will contain the public key in the `~\.ssh\authorized_keys`

-location, thereby enabling credential-free SSH session to the VM.

-```azurepowershell-interactive

-# Create VM config object - $vmConfig using instructions on linked page above

-# Generate SSH keys in Cloud Shell

-ssh-keygen -t rsa -b 2048 -f $HOME\.ssh\id_rsa

-# Ensure VM config is updated with SSH keys

-$sshPublicKey = Get-Content "$HOME\.ssh\id_rsa.pub"

-Add-AzVMSshPublicKey -VM $vmConfig -KeyData $sshPublicKey -Path "/home/azureuser/.ssh/authorized_keys"

-# Create a virtual machine

-New-AzVM -ResourceGroupName <yourResourceGroup> -Location <vmLocation> -VM $vmConfig

-# SSH to the VM

-ssh azureuser@MyVM.Domain.Com

-```

-## List available commands

-Under `Azure` drive, type `Get-AzCommand` to get context-specific Azure commands.

-Alternatively, you can always use `Get-Command *az* -Module Az.*` to find out the available Azure

-commands.

-## Install custom modules

-You can run `Install-Module` to install modules from the [PowerShell Gallery][07].

-## Get-Help

-Type `Get-Help` to get information about PowerShell in Azure Cloud Shell.

-```azurepowershell-interactive

-Get-Help

-```

-For a specific command, you can still do `Get-Help` followed by a cmdlet.

-```azurepowershell-interactive

-Get-Help Get-AzVM

-```

-## Use Azure Files to store your data

-You can create a script, say `helloworld.ps1`, and save it to your `clouddrive` to use it across

-shell sessions.

-```azurepowershell-interactive

-cd $HOME\clouddrive

-# Create a new file in clouddrive directory

-New-Item helloworld.ps1

-# Open the new file for editing

-code .\helloworld.ps1

-# Add the content, such as 'Hello World!'

-.\helloworld.ps1

-Hello World!

-```

-Next time when you use PowerShell in Cloud Shell, the `helloworld.ps1` file will exist under the

-`$HOME\clouddrive` directory that mounts your Azure Files share.

-## Use custom profile

-You can customize your PowerShell environment, by creating PowerShell profiles - `profile.ps1` (or

-`Microsoft.PowerShell_profile.ps1`). Save it under `$profile.CurrentUserAllHosts` (or

-`$profile.CurrentUserCurrentHost`), so that it can be loaded in every PowerShell in Cloud Shell

-session.

-For how to create a profile, refer to [About Profiles][04].

-## Use Git

-To clone a Git repo in Cloud Shell, you need to create a [personal access token][05] and use it as

-the username. Once you have your token, clone the repository as follows:

-```azurepowershell-interactive

-git clone https://<your-access-token>@github.com/username/repo.git

-```

-## Exit the shell

-Type `exit` to terminate the session.

-<!-- link references -->

-[01]: /powershell/scripting/whats-new/unix-support

-[02]: /powershell/scripting/whats-new/what-s-new-in-powershell-72

-[03]: ../virtual-machines/linux/quick-create-powershell.md

-[04]: /powershell/module/microsoft.powershell.core/about/about_profiles

-[05]: https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/

-[06]: https://portal.azure.com/

-[07]: https://www.powershellgallery.com/

-[08]: media/quickstart-powershell/environment-ps.png

-[09]: media/quickstart-powershell/shell-icon.png

-[11]: troubleshooting.md#troubleshooting-remote-management-of-azure-vms

-description: Learn how to use the Bash command line in your browser with Azure Cloud Shell.

-# Quickstart for Bash in Azure Cloud Shell

-This document details how to use Bash in Azure Cloud Shell in the [Azure portal][03].

-> [!NOTE]

-> A [PowerShell in Azure Cloud Shell][09] Quickstart is also available.

- ![Screenshot showing how to start Azure Cloud Shell in the Azure portal.][05]

-1. Select a subscription to create a storage account and Microsoft Azure Files share.

-1. Select "Create storage"

-> [!TIP]

-> You are automatically authenticated for Azure CLI in every session.

-be registered to your subscription. Use the following commands to register the Microsoft.CloudShell

-RP namespace in your subscription:

-```azurecli-interactive

-### Create a resource group

-Create a new resource group in WestUS named "MyRG".

-az group create --location westus --name MyRG

-### Create a Linux VM

-Create an Ubuntu VM in your new resource group. The Azure CLI will create SSH keys and set up the VM

-with them.

-az vm create -n myVM -g MyRG --image UbuntuLTS --generate-ssh-keys

-> [!NOTE]

-> Using `--generate-ssh-keys` instructs Azure CLI to create and set up public and private keys in

-> your VM and `$Home` directory. By default keys are placed in Cloud Shell at

-> `/home/<user>/.ssh/id_rsa` and `/home/<user>/.ssh/id_rsa.pub`. Your `.ssh` folder is persisted in

-> your attached file share's 5-GB image used to persist `$Home`.

-Your username on this VM will be your username used in Cloud Shell ($User@Azure:).

-### SSH into your Linux VM

-1. Search for your VM name in the Azure portal search bar.

-1. Select **Connect** to get your VM name and public IP address.

- ![Screenshot showing how to connect to a Linux VM using SSH.][06]

-1. SSH into your VM with the `ssh` cmd.

- ```bash

- ssh username@ipaddress

- ```

-Upon establishing the SSH connection, you should see the Ubuntu welcome prompt.

-![Screenshot showing the Ubuntu initialization and welcome prompt after you establish an SSH connection.][07]

-## Cleaning up

-1. Exit your ssh session.

- ```

- exit

- ```

-1. Delete your resource group and any resources within it.

- ```azurecli-interactive

- az group delete -n MyRG

- ```

-[04]: media/quickstart/env-selector.png

-[05]: media/quickstart/shell-icon.png

-[06]: medi-copy.png

-[07]: media/quickstart/ubuntu-welcome.png

-[08]: persisting-shell-storage.md

-[09]: quickstart-powershell.md

-# Image description generation

-#### [Version 3.2](#tab/3-2)

-#### [Version 4.0](#tab/4-0)

-```json

-{

- "metadata":

- {

- "width": 239,

- "height": 300

- },

- "descriptionResult":

- {

- "values":

- [

- {

- "text": "a city with tall buildings",

- "confidence": 0.3551448881626129

- }

- ]

- }

-}

-```

-#### [Version 3.2](#tab/3-2)

-#### [Version 4.0](#tab/4-0)

-The image description feature is part of the [Analyze Image](https://aka.ms/vision-4-0-ref) API. You can call this API using REST. Include `Description` in the **features** query parameter. Then, when you get the full JSON response, parse the string for the contents of the `"description"` section.

-#### [Version 3.2](#tab/3-2)

-#### [Version 4.0](#tab/4-0)

-The Computer Vision smart-cropping utility takes one or more aspect ratios in the range [0.75, 1.80] and returns the bounding box coordinates (in pixels) of the region(s) identified. Your app can then crop and return the image using those coordinates.

-> [!IMPORTANT]

-> This feature uses face detection to help determine important regions in the image. The detection does not involve distinguishing one face from another face, predicting or classifying facial attributes, or creating a facial template (a unique set of numbers generated from an image that represents the distinctive features of a face).

-## Examples

-The generated bounding box can vary widely depending on what you specify for aspect ratio, as shown in the following images.

-| Aspect ratio | Bounding box |

-|-|--|

-| original | :::image type="content" source="Images/cropped-original.png" alt-text="Photo of a man with a dog at a table."::: |

-| 0.75 | :::image type="content" source="Images/cropped-075-bb.png" alt-text="Photo of a man with a dog at a table. A 0.75 ratio bounding box is drawn."::: |

-| 1.00 | :::image type="content" source="Images/cropped-1-0-bb.png" alt-text="Photo of a man with a dog at a table. A 1.00 ratio bounding box is drawn."::: |

-| 1.50 | :::image type="content" source="Images/cropped-150-bb.png" alt-text="Photo of a man with a dog at a table. A 1.50 ratio bounding box is drawn."::: |

-#### [Version 3.2](#tab/3-2)

-#### [Version 4.0](#tab/4-0)

-The smart cropping feature is available through the [Analyze](https://aka.ms/vision-4-0-ref) API. You can call this API using REST. Include `SmartCrops` in the **visualFeatures** query parameter. Also include a **smartcrops-aspect-ratios** query parameter, and set it to a decimal value for the aspect ratio you want (defined as width / height). Multiple aspect ratio values should be comma-separated.

-#### [Version 3.2](#tab/3-2)

-#### [Version 4.0](#tab/4-0)

-```json

-{

- "metadata":

- {

- "width": 1260,

- "height": 473

- },

- "objectsResult":

- {

- "values":

- [

- {

- "name": "kitchen appliance",

- "confidence": 0.501,

- "boundingBox": {"x":730,"y":66,"w":135,"h":85}

- },

- {

- "name": "computer keyboard",

- "confidence": 0.51,

- "boundingBox": {"x":523,"y":377,"w":185,"h":46}

- },

- {

- "name": "Laptop",

- "confidence": 0.85,

- "boundingBox": {"x":471,"y":218,"w":289,"h":226}

- },

- {

- "name": "person",

- "confidence": 0.855,

- "boundingBox": {"x":654,"y":0,"w":584,"h":473}

- }

- ]

- }

-}

-```

-#### [Version 3.2](#tab/3-2)

-#### [Version 4.0](#tab/4-0)

-The object detection feature is part of the [Analyze Image](https://aka.ms/vision-4-0-ref) API. You can call this API using REST. Include `Objects` in the **features** query parameter. Then, when you get the full JSON response, parse the string for the contents of the `"objects"` section.

-description: Extract text from in-the-wild and non-document images with a fast and synchronous Computer Vision API.

-# OCR for images

-> For extracting text from PDF, Office, and HTML documents and document images, use the [Form Recognizer Read OCR model](../../applied-ai-services/form-recognizer/concept-read.md) optimized for text-heavy digital and scanned documents with an asynchronous API that makes it easy to power your intelliegnt document processing scenarios.

->

-The new Computer Vision v4.0 Image Analysis REST API preview offers the ability to extract printed or handwritten text from images in a unified performance-enhanced synchronous API that makes it easy to get all image insights including OCR results in a single API operation. The Read OCR engine is built on top of multiple deep learning models supported by universal script-based models for [global language support](./language-support.md).

-## Use the V4.0 REST API preview

-The text extraction feature is part of the [v4.0 Analyze Image REST API](https://aka.ms/vision-4-0-ref). Include `Read` in the **features** query parameter. Then, when you get the full JSON response, parse the string for the contents of the `"readResult"` section.

-For an example, copy the following command into a text editor and replace the `<key>` with your API key and optionally, your API endpoint URL. Then open a command prompt window and run the command.

-```bash

- curl.exe -H "Ocp-Apim-Subscription-Key: <key>" -H "Content-Type: application/json" "https://westcentralus.api.cognitive.microsoft.com/computervision/imageanalysis:analyze?features=Read&model-version=latest&language=en&api-version=2022-10-12-preview" -d "{'url':'https://upload.wikimedia.org/wikipedia/commons/thumb/3/3c/Salto_del_Angel-Canaima-Venezuela08.JPG/800px-Salto_del_Angel-Canaima-Venezuela08.JPG'}"

-

-```

-## Text extraction output

-The following JSON response illustrates what the v4.0 Analyze Image API returns when extracting text from the given image.

-Follow the v4.0 REST API sections in the [Image Analysis quickstart](./quickstarts-sdk/image-analysis-client-library.md) to extract text from an image using the Analyze API.

-# People detection (preview)

-The following JSON response illustrates what the Analyze API returns when describing the example image based on its visual features.

-

- "metadata":

- {

- "width": 1260,

- "height": 473

- },

- "peopleResult":

- {

- "values":

- [

- {

- "boundingBox":

- {

- "x": 660,

- "y": 0,

- "w": 582,

- "h": 473

- },

- "confidence": 0.9680353999137878

- }

- ]

- }

-The people detection feature is part of the [Analyze Image](https://aka.ms/vision-4-0-ref) API. You can call this API using REST. Include `People` in the **visualFeatures** query parameter. Then, when you get the full JSON response, parse the string for the contents of the `"people"` section.

-Learn the related concept of [Face detection](concept-face-detection.md).

-#### [Version 3.2](#tab/3-2)

-#### [Version 4.0](#tab/4-0)

-```json

-{

- "metadata":

- {

- "width": 300,

- "height": 200

- },

- "tagsResult":

- {

- "values":

- [

- {

- "name": "grass",

- "confidence": 0.9960499405860901

- },

- {

- "name": "outdoor",

- "confidence": 0.9956876635551453

- },

- {

- "name": "building",

- "confidence": 0.9893627166748047

- },

- {

- "name": "property",

- "confidence": 0.9853052496910095

- },

- {

- "name": "plant",

- "confidence": 0.9791355729103088

- },

- {

- "name": "sky",

- "confidence": 0.976455569267273

- },

- {

- "name": "home",

- "confidence": 0.9732913374900818

- },

- {

- "name": "house",

- "confidence": 0.9726771116256714

- },

- {

- "name": "real estate",

- "confidence": 0.972320556640625

- },

- {

- "name": "yard",

- "confidence": 0.9480281472206116

- },

- {

- "name": "siding",

- "confidence": 0.945357620716095

- },

- {

- "name": "porch",

- "confidence": 0.9410697221755981

- },

- {

- "name": "cottage",

- "confidence": 0.9143695831298828

- },

- {

- "name": "tree",

- "confidence": 0.9111745357513428

- },

- {

- "name": "farmhouse",

- "confidence": 0.8988940119743347

- },

- {

- "name": "window",

- "confidence": 0.894851803779602

- },

- {

- "name": "lawn",

- "confidence": 0.894050121307373

- },

- {

- "name": "backyard",

- "confidence": 0.8931854963302612

- },

- {

- "name": "garden buildings",

- "confidence": 0.8859137296676636

- },

- {

- "name": "roof",

- "confidence": 0.8695330619812012

- },

- {

- "name": "driveway",

- "confidence": 0.8670969009399414

- },

- {

- "name": "land lot",

- "confidence": 0.856428861618042

- },

- {

- "name": "landscaping",

- "confidence": 0.8540748357772827

- }

- ]

- }

-}

-```

-#### [Version 3.2](#tab/3-2)

-#### [Version 4.0](#tab/4-0)

-The tagging feature is part of the [Analyze Image](https://aka.ms/vision-4-0-ref) API. You can call this API using REST. Include `Tags` in the **features** query parameter. Then, when you get the full JSON response, parse the string for the contents of the `"tags"` section.

-`https://{endpoint}/computervision/imageanalysis:analyze?api-version=2022-10-12-preview&features=Tags`

-`https://{endpoint}/computervision/imageanalysis:analyze?api-version=2022-10-12-preview&features=Tags&language=en`

-## Image Analysis features

-You can analyze images to provide insights about their visual features and characteristics. All of the features in the list below are provided by the [Analyze Image](https://westcentralus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/56f91f2e778daf14a499f21b) API. Follow a [quickstart](./quickstarts-sdk/image-analysis-client-library.md) to get started.

-### Extract text from images (preview)

-Version 4.0 preview of Image Analysis offers the ability to extract text from images. Compared with the async Computer Vision 3.2 GA Read, the new version offers the familiar Read OCR engine in a unified performance-enhanced synchronous API that makes it easy to get all image insights including OCR in a single API operation. [Extract text from images](concept-ocr.md)

-### Detect people in images (preview)

-### Tag visual features

-Identify and tag visual features in an image, from a set of thousands of recognizable objects, living things, scenery, and actions. When the tags are ambiguous or not common knowledge, the API response provides hints to clarify the context of the tag. Tagging isn't limited to the main subject, such as a person in the foreground, but also includes the setting (indoor or outdoor), furniture, tools, plants, animals, accessories, gadgets, and so on. [Tag visual features](concept-tagging-images.md)

-Object detection is similar to tagging, but the API returns the bounding box coordinates for each tag applied. For example, if an image contains a dog, cat and person, the Detect operation will list those objects together with their coordinates in the image. You can use this functionality to process further relationships between the objects in an image. It also lets you know when there are multiple instances of the same tag in an image. [Detect objects](concept-object-detection.md)

-### Detect brands

-Identify commercial brands in images or videos from a database of thousands of global logos. You can use this feature, for example, to discover which brands are most popular on social media or most prevalent in media product placement. [Detect brands](concept-brand-detection.md)

-### Categorize an image

-Identify and categorize an entire image, using a [category taxonomy](Category-Taxonomy.md) with parent/child hereditary hierarchies. Categories can be used alone, or with our new tagging models.<br/>Currently, English is the only supported language for tagging and categorizing images. [Categorize an image](concept-categorizing-images.md)

-### Describe an image

-Generate a description of an entire image in human-readable language, using complete sentences. Computer Vision's algorithms generate various descriptions based on the objects identified in the image. The descriptions are each evaluated and a confidence score generated. A list is then returned ordered from highest confidence score to lowest. [Describe an image](concept-describing-images.md)

-### Detect faces

-### Detect image types

-### Detect domain-specific content

-### Detect the color scheme

-### Get the area of interest / smart crop

-Analyze the contents of an image to return the coordinates of the *area of interest* that matches a specified aspect ratio. Computer Vision returns the bounding box coordinates of the region, so the calling application can modify the original image as desired. [Generate a thumbnail](concept-generating-thumbnails.md)

-### Moderate content in images

-You can use Computer Vision to [detect adult content](concept-detecting-adult-content.md) in an image and return confidence scores for different classifications. The threshold for flagging content can be set on a sliding scale to accommodate your preferences.

-## Image requirements

-#### [Version 3.2](#tab/3-2)

-Image Analysis works on images that meet the following requirements:

-In this overview, you will learn about the benefits and capabilities of intent recognition. The Cognitive Services Speech SDK provides two ways to recognize intents, both described below. An intent is something the user wants to do: book a flight, check the weather, or make a call. Using intent recognition, your applications, tools, and devices can determine what the user wants to initiate or do based on options you define in the Intent Recognizer or LUIS.

-The Speech SDK provides an embedded pattern matcher that you can use to recognize intents in a very strict way. This is useful for when you need a quick offline solution. This works especially well when the user is going to be trained in some way or can be expected to use specific phrases to trigger intents. For example: "Go to floor seven", or "Turn on the lamp" etc. It is recommended to start here and if it no longer meets your needs, switch to using LUIS or a combination of the two.

-| Personally Identifiable Information (PII) detection | `2020-07-01`, `2021-01-15*` |

-| Text Analytics for health | `2021-05-15`, `2022-03-01*`, `2022-08-15-preview**` |

-New configs are being released every few months. So, training configs expiration of any publicly available config is **six months** after its release. If you have assigned a trained model to a deployment, this deployment expires after **twelve months** from the training config expiration. If your models are about to expire, you can retrain and redeploy your models with the latest training configuration version.

-After training config version expires, API calls will return an error when called or used if called with an expired config version. By default, training requests will use the latest available training config version. To change the config version, use `trainingConfigVersion` when submitting a training job and assign the version you want.

-You can train and deploy a custom AI model from the date of training config version release, up until the **Training config expiration** date. After this date, you will have to use another supported training config version for submitting any training or deployment jobs.

-If you're using the [Language Studio](https://aka.ms/languageStudio) for building your project you will be using the latest API version available. If you need to use another API version this is only available directly through APIs.

-Use the table below to find which API versions are supported by each feature:

-* <a href="https://portal.azure.com/#create/Microsoft.CognitiveServicesTextAnalytics" title="Create a Language resource" target="_blank">A Language resource </a>

- * (optional) A trained model if you're using a custom capability such as [custom NER](../custom-named-entity-recognition/overview.md), [custom text classification](../custom-text-classification/overview.md), or [conversational language understanding](../conversational-language-understanding/overview.md).

- * You will need the key and endpoint from your Language resource to authenticate your Power Automate flow.

-2. From the left side menu, select **My flows** and create a **Automated cloud flow**

-3. Enter a name your flow. For example `Languageflow`.

-4. Start by selecting **Manually trigger flow**.

-5. To add a Language service connector, search for **Azure Language**.

-6. For this tutorial, you will create a flow that extracts named entities from text. Search for **Named entity recognition**, and select the connector.

-7. Add endpoint and key for your Language resource, which will be used for authentication. You can find your key and endpoint by navigating to your resource in the [Azure portal](https://portal.azure.com), and selecting **Keys and endpoint** from the left navigation menu.

-8. Once you have your key and endpoint, add it to the connector in Power Automate.

-9. Add the data in the connector

-9. From the top navigation menu, save the flow and select **Test the flow**. In the window that appears, select **Test**.

-10. After the flow runs, you will see the response in the **outputs** field.

-When [creating](../quickstarts/create-communication-resource.md) an Azure Communication Services resource, you specify a **geography** (not an Azure data center). All chat messages, and resource data stored by Communication Services at rest will be retained in that geography, in a data center selected internally by Communication Services. Data may transit or be processed in other geographies. These global endpoints are necessary to provide a high-performance, low-latency experience to end-users no matter their location.

-Any Event Grid system topic configured with Azure Communication Services will be created in a global location. To support reliable delivery, a global Event Grid system topic may store the event data in any Microsoft data center. When you configure Event Grid with Azure Communication Services, you're delivering your event data to Event Grid, which is an Azure resource under your control. While Azure Communication Services may be configured to utilize Azure Event Grid, you're responsible for managing your Event Grid resource and the data stored within it.

-Azure Communication Services maintains a directory of identities, use the [DeleteIdentity](/rest/api/communication/communication-identity/delete?tabs=HTTP) API to remove them. Deleting an identity will revoke all associated access tokens and delete their chat messages. For more information on how to remove an identity [see this page](../quickstarts/identity/access-tokens.md).

-Chat threads and messages are retained until explicitly deleted. Use [Chat APIs](/rest/api/communication/chat/chatthread) to get, list, update, and delete messages.

-Azure Communication Services will feed into Azure Monitor logging data for understanding operational health and utilization of the service. Some of these logs include Communication Service identities and phone numbers as field data. To delete any potentially personal data [use these procedures for Azure Monitor](../../azure-monitor/logs/personal-data-mgmt.md). You may also want to configure [the default retention period for Azure Monitor](../../azure-monitor/logs/data-retention-archive.md).

-Azure Monitor collects metric data from your container app at regular interval to help you gain insights into the performance and health of your container app.

-> [Set up alerts in Azure Container Apps](alerts.md)

-description: This quickstart shows how to create an Azure Cosmos DB database, container, and items by using the Azure portal.

-> * [Azure portal](quickstart-portal.md)

-> * [.NET](quickstart-dotnet.md)

-> * [Java](quickstart-java.md)

-> * [Node.js](quickstart-nodejs.md)

-> * [Python](quickstart-python.md)

-Azure Cosmos DB is Microsoft's globally distributed multi-model database service. You can use Azure Cosmos DB to quickly create and query key/value databases, document databases, and graph databases, all of which benefit from the global distribution and horizontal scale capabilities at the core of Azure Cosmos DB.

-This quickstart demonstrates how to use the Azure portal to create an Azure Cosmos DB [API for NoSQL](../introduction.md) account, create a document database, and container, and add data to the container. Without a credit card or an Azure subscription, you can set up a free [Try Azure Cosmos DB account](https://aka.ms/trycosmosdb)

-An Azure subscription or free Azure Cosmos DB trial account

-## <a id="create-container-database"></a>Add a database and a container

-1. Select **Data Explorer** from the left navigation on your Azure Cosmos DB account page, and then select **New Container**.

- You may need to scroll right to see the **Add Container** window.

- :::image type="content" source="./media/create-cosmosdb-resources-portal/add-database-container.png" alt-text="The Azure portal Data Explorer, Add Container pane":::

-1. In the **Add container** pane, enter the settings for the new container.

- |Setting|Suggested value|Description

- |**Database ID**|ToDoList|Enter *ToDoList* as the name for the new database. Database names must contain from 1 through 255 characters, and they cannot contain `/, \\, #, ?`, or a trailing space. Check the **Share throughput across containers** option, it allows you to share the throughput provisioned on the database across all the containers within the database. This option also helps with cost savings. |

- | **Database throughput**| You can provision **Autoscale** or **Manual** throughput. Manual throughput allows you to scale RU/s yourself whereas autoscale throughput allows the system to scale RU/s based on usage. Select **Manual** for this example. <br><br> Leave the throughput at 400 request units per second (RU/s). If you want to reduce latency, you can scale up the throughput later by estimating the required RU/s with the [capacity calculator](estimate-ru-with-capacity-planner.md).<br><br>**Note**: This setting is not available when creating a new container in a serverless account. |

- |**Container ID**|Items|Enter *Items* as the name for your new container. Container IDs have the same character requirements as database names.|

- Don't add **Unique keys** or turn on **Analytical store** for this example. Unique keys let you add a layer of data integrity to the database by ensuring the uniqueness of one or more values per partition key. For more information, see [Unique keys in Azure Cosmos DB.](../unique-keys.md) [Analytical store](../analytical-store-introduction.md) is used to enable large-scale analytics against operational data without any impact to your transactional workloads.

-1. In **Data Explorer**, expand the **ToDoList** database, and expand the **Items** container. Next, select **Items**, and then select **New Item**.

-

- :::image type="content" source="./media/quickstart-portal/azure-cosmosdb-new-document.png" alt-text="Create new documents in Data Explorer in the Azure portal":::

-

- ```json

- {

- "id": "1",

- "category": "personal",

- "name": "groceries",

- "description": "Pick up apples and strawberries.",

- "isComplete": false

- }

- ```

-

- :::image type="content" source="./media/quickstart-portal/azure-cosmosdb-save-document.png" alt-text="Copy in json data and select Save in Data Explorer in the Azure portal":::

-

-* Go to your Azure Cosmos DB account.

-* Open **Data Explorer**, right click on the database that you want to delete and select **Delete Database**.

-* Enter the Database ID/database name to confirm the delete operation.

-In this quickstart, you learned how to create an Azure Cosmos DB account, create a database and container using the Data Explorer. You can now import additional data to your Azure Cosmos DB account.

-Trying to do capacity planning for a migration to Azure Cosmos DB? You can use information about your existing database cluster for capacity planning.

-* If all you know is the number of vcores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](../convert-vcore-to-request-unit.md)

-* If you know typical request rates for your current database workload, read about [estimating request units using Azure Cosmos DB capacity planner](estimate-ru-with-capacity-planner.md)

-description: This article explains how to use group and filter options in Cost Management.

-# Group and filter options in Cost analysis

-The following table lists some of the most common grouping and filtering options available in Cost analysis and when you should use them.

-| **Charge type** | Break down usage, purchase, refund, and unused reservation costs. | Reservation purchases and refunds are available only when using actual costs and not when using amortized costs. Unused reservation costs are available only when looking at amortized costs. |

-| **Frequency** | Break down usage-based, one-time, and recurring costs. | |

-| **Resource type** | Break down costs by resource type. | Purchases and classic services don't have an Azure Resource Manager resource type and will show as **others**, **classic services**, or **No resource type**. |

-In Cost Management, the PublisherType field indicates whether charges are for Microsoft, Marketplace, or AWS (if you have a [Cross Cloud connector](aws-integration-set-up-configure.md) configured) products.

-What's changing?

-Effective 14 October 2021, the PublisherType field with the value "Azure" will be updated to ΓÇ£MicrosoftΓÇ¥ for all customers with a [Microsoft Customer Agreement](../understand/review-customer-agreement-bill.md#check-access-to-a-microsoft-customer-agreement). This change is being made to accommodate upcoming enhancements to support Microsoft products other than Azure like Microsoft 365 and Dynamics 365.

-Values of ΓÇ£MarketplaceΓÇ¥ and ΓÇ£AWSΓÇ¥ will remain unchanged.

-This change doesn't affect customers with an Enterprise Agreement or pay-as-you-go offers.

-For any Cost Management data that you've downloaded before 14 October 2021, you'll need to consider the older ΓÇ£AzureΓÇ¥ and the new ΓÇ£MicrosoftΓÇ¥ PublisherType field values. The data could have been downloaded through exports, usage details, or from Cost Management.

-If you use Cost Management + Billing REST API calls that filter the PublisherType field by the value ΓÇ£AzureΓÇ¥, you'll need to address the change and filter by the new value ΓÇ£MicrosoftΓÇ¥ after 14 October 2021. Afterward, if you make any API calls with a filter for Publisher type = ΓÇ£AzureΓÇ¥, data won't be returned.

-In the **Create budget** window, make sure that the scope shown is correct. Choose any filters that you want to add. Filters allow you to create budgets on specific costs, such as resource groups in a subscription or a service like virtual machines. Any filter you can use in cost analysis can also be applied to a budget.