+1. For this quickstart, you run both the **TaskWebApp** and **TaskService** projects at the same time. Right-click the **B2C-WebAPI-DotNet** solution in Solution Explorer, and then select **Configure StartUp Projects...**.

+Historically, IT staff has relied on manual methods to create, update, and delete employees. They've used methods such as uploading CSV files or custom scripts to sync employee data. These provisioning processes are error prone, insecure, and hard to manage.

+- **New employee hiring:** Adding an employee to the cloud HR app automatically creates a user in Active Directory and Azure AD. Adding a user account includes the option to write back the email address and username attributes to the cloud HR app.

+- Syncing users who are joining, moving, and leaving. The sync happens between one or more Active Directory forests, domains, and OUs based only on change information detected in the cloud HR app.

+- **Manage risk:** Automate changes based on employee status or group membership to increase security. This automation ensures that user identities and access to key apps update automatically. For example, an update in the HR app when a user transitions or leaves the organization flows in automatically.

+You also need a valid Azure AD Premium P1 or higher subscription license for every user that is sourced from the cloud HR app and provisioned to either Active Directory or Azure AD. Any improper number of licenses owned in the cloud HR app might lead to errors during user provisioning.

+Communication is critical to the success of any new service. Proactively communicate with your users about when and how their experience is changing. Let them know how to gain support if they experience issues.

+This topology supports business requirements where attribute mapping and provisioning logic differ based on user type (employee/contractor), user location or user's business unit. You can also use this topology to delegate the administration and maintenance of inbound user provisioning based on division or country.

+With this expression, if the Municipality value is Dallas, Austin, Seattle, or London, the user account is created in the corresponding OU. If there's no match, then the account is created in the default OU.

+SSPR is a simple means for IT administrators to enable users to reset their passwords or unlock their accounts. You can provision the **Mobile Number** attribute from the cloud HR app to Active Directory and sync it with Azure AD. After the **Mobile Number** attribute is in Azure AD, you can enable SSPR for the user's account. Then on day one, the new user can use the registered and verified mobile number for authentication. Refer to the [SSPR documentation](../authentication/howto-sspr-authenticationdata.md) for details on how to prepopulate authentication contact information.

+|HR rehires an employee into a new role.|Behavior depends on how the cloud HR app is configured to generate employee IDs:</br>- If the old employee ID is used for a rehired employee, the connector enables the existing Active Directory account for the user.</br>- If the rehired employee gets a new employee ID, the connector creates a new Active Directory account for the user.|

+For authorization approaches that rely on information about the authenticated entity, an application evaluates information exchanged during authentication. For example, by using the information that was provided within a [security token](./security-tokens.md). For information not contained in a security token, an application might make extra calls to external resources.

+- For an example of configuring simple authentication-based authorization, see [Configure your App Service or Azure Functions app to use Azure AD login](../../app-service/configure-authentication-provider-aad.md).

+Allows you to securely access Azure AD protected resources from external apps and services without needing to manage secrets (for supported scenarios). For more information, see [workload identity federation](workload-identity-federation.md).

+});

+> > | `scopes` | Contains the scopes being requested (that is, `[ "user.read" ]` for Microsoft Graph or `[ "<Application ID URL>/scope" ]` for custom web APIs (`api://<Application ID>/access_as_user`)) |

+> > | `scopes` | Contains the scopes being requested (that is, `[ "user.read" ]` for Microsoft Graph or `[ "<Application ID URL>/scope" ]` for custom web APIs (`api://<Application ID>/access_as_user`)) |

+- You've provided a way for the tenant admin to consent for the application; see [Administrator consent](../manage-apps/user-admin-consent-overview.md#admin-consent).

+| `tenant_id` | String | Yes | Required only when `"type":"AzureADMyOrg"`. Optional for other `type` values. This can be a tenant domain such as `contoso.com`, or a tenant ID such as `72f988bf-86f1-41af-91ab-2d7cd011db46` |

+logging.getLogger("msal").addHandler(AzureLogHandler(connection_string='InstrumentationKey={0}'.format(APP_INSIGHTS_KEY)))

+> > | `scopes` | Contains the scopes being requested (that is, `[ "user.read" ]` for Microsoft Graph or `[ "<Application ID URL>/scope" ]` for custom web APIs (`api://<Application ID>/access_as_user`)) |

+1. Your application can send application-specific parameters (such as subdomain URL where the user originated or anything like branding information) in the state parameter. When using a state parameter, guard against CSRF protection as specified in [section 10.12 of RFC 6749](https://tools.ietf.org/html/rfc6749#section-10.12).

+[RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes")]

+ })

+ .AddDownstreamWebApi("MyApi", Configuration.GetSection("MyApiScope"))

+If the web app needs to call another API resource, repeat the `.AddDownstreamWebApi()` method with the relevant scope as shown in the following snippet:

+```csharp

+using Microsoft.Identity.Web;

+// ...

+builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)

+ .AddMicrosoftIdentityWebApi(Configuration, "AzureAd")

+ .EnableTokenAcquisitionToCallDownstreamApi()

+ .AddDownstreamWebApi("MyApi", Configuration.GetSection("MyApiScope"))

+ .AddDownstreamWebApi("MyApi2", Configuration.GetSection("MyApi2Scope"))

+ .AddInMemoryTokenCaches();

+// ...

+```

+Note that `.EnableTokenAcquisitionToCallDownstreamApi` is called without any parameter, which means that the access token will be acquired just in time as the controller requests the token by specifying the scope.

+The scope can also be passed in when calling `.EnableTokenAcquisitionToCallDownstreamApi`, which would make the web app acquire the token during the initial user login itself. The token will then be pulled from the cache when controller requests it.

+ public void onError(MsalException exception){

+ mSingleAccountApp.getCurrentAccountAsync(new ISingleAccountPublicClientApplication.CurrentAccountCallback())

+This article describes low-level protocol details required only when manually crafting and issuing raw HTTP requests to execute the flow, which we do **not** recommend. Instead, use a [Microsoft-built and supported authentication library](reference-v2-libraries.md) to get security tokens and call protected web APIs in your apps.

+If you attempt to use the authorization code flow without setting up CORS for your redirect URI, you'll see this error in the console:

+| `response_mode` | recommended | Specifies how the identity platform should return the requested token to your app. <br/><br/>Supported values:<br/><br/>- `query`: Default when requesting an access token. Provides the code as a query string parameter on your redirect URI. The `query` parameter isn't supported when requesting an ID token by using the implicit flow. <br/>- `fragment`: Default when requesting an ID token by using the implicit flow. Also supported if requesting *only* a code.<br/>- `form_post`: Executes a POST containing the code to your redirect URI. Supported when requesting a code.<br/><br/> |

+| `error` | An error code string that can be used to classify types of errors, and to react to errors. This part of the error is provided so that the app can react appropriately to the error, but doesn't explain in depth why an error occurred. |

+| `invalid_resource` | The target resource is invalid because it doesn't exist, Azure AD can't find it, or it's not correctly configured. | This error indicates the resource, if it exists, hasn't been configured in the tenant. The application can prompt the user with instruction for installing the application and adding it to Azure AD. |

+| `client_secret` | required for confidential web apps | The application secret that you created in the app registration portal for your app. Don't use the application secret in a native app or single page app because a `client_secret` can't be reliably stored on devices or web pages. It's required for web apps and web APIs, which can store the `client_secret` securely on the server side. Like all parameters here, the client secret must be URL-encoded before being sent. This step is done by the SDK. For more information on URI encoding, see the [URI Generic Syntax specification](https://tools.ietf.org/html/rfc3986#page-12). The Basic auth pattern of instead providing credentials in the Authorization header, per [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1) is also supported. |

+Now that you have successfully acquired an `access_token`, you can use the token in requests to web APIs by including it in the `Authorization` header:

+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]

+> 1. Make sure you've installed [Node.js](https://nodejs.org/en/download/).

+> 1. Unzip the sample, `cd` into the folder that contains `package.json`, then run the following commands:

+> 1. Open your browser, visit `http://locahost:3000`, select **Sign-in** link, then follow the prompts.

+>This information last updated on April 17th, 2023.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).

+| Microsoft Teams Essentials (AAD Identity) | TEAMS_ESSENTIALS_AAD | 3ab6abff-666f-4424-bfb7-f0bc274ec7bc | EXCHANGE_S_DESKLESS (4a82b400-a79f-41a4-b4e2-e94f5787b113)<br/>FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>ONEDRIVE_BASIC_P2 (4495894f-534f-41ca-9d3b-0ebf1220a423)<br/>MCOIMP (afc06cb0-b4f4-4473-8286-d644f70d8faf) | Exchange Online Kiosk (4a82b400-a79f-41a4-b4e2-e94f5787b113)<br/>Microsoft Forms (Plan E1) (159f4cd6-e380-449f-a816-af1a9ef76344)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Office for the Web (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>OneDrive for Business (Basic 2) (4495894f-534f-41ca-9d3b-0ebf1220a423)<br/>Skype for Business Online (Plan 1) (afc06cb0-b4f4-4473-8286-d644f70d8faf) |

+5. Under **Target domains**, enter the name of one of the domains that you want to block. For multiple domains, enter each domain on a new line. For example:

+ :::image type="content" source="media/allow-deny-list/DenyListSettings.PNG" alt-text="Screenshot showing the deny option with added domains.":::

+5. Under **Target domains**, enter the name of one of the domains that you want to allow. For multiple domains, enter each domain on a new line. For example:

+ :::image type="content" source="media/allow-deny-list/AllowlistSettings.PNG" alt-text="Screenshot showing the allow option with added domains.":::

+- [Cross-tenant access settings](cross-tenant-access-settings-b2b-collaboration.md)

+- [External collaboration settings](external-collaboration-settings-configure.md).

+| **2** | The resource tenant identifies the user as an external email one-time passcode (OTP) user and sends an email with the OTP to the user.|

+Organizations can enforce Conditional Access policies for external B2B collaboration and B2B direct connect users in the same way that theyΓÇÖre enabled for full-time employees and members of the organization. With the introduction of cross-tenant access settings, you can also trust MFA and device claims from external Azure AD organizations. This section describes important considerations for applying Conditional Access to users outside of your organization.

+- **Other external users** - Applies to any users who don't fall into the categories above, but who aren't considered internal members of your organization, meaning they don't authenticate internally via Azure AD, and the user object created in the resource Azure AD directory doesn't have a UserType of Member.

+Authentication strength is a Conditional Access control that lets you define a specific combination of multifactor authentication (MFA) methods that an external user must complete accessing your resources. This control is especially useful for restricting external access to sensitive apps in your organization because you can enforce specific authentication methods, such as a phishing-resistant method, for external users.

+When creating Conditional Access policies for external users, you can evaluate a policy based on the device attributes of a registered device in Azure AD. By using the *filter for devices* condition, you can target specific devices using the supported operators and properties and the other available assignment conditions in your Conditional Access policies.

+Three permission classifications are supported: "Low", "Medium" (preview), and "High" (preview). Currently, only delegated permissions that don't require admin consent can be classified.

+- One of the following roles: Global Administrator, Application Administrator, or Cloud Application Administrator

+1. Choose the tab for the permission classification you'd like to update.

+1. Choose **Add permissions** to classify another permission.

+Connect-AzureAD

+ PermissionId = $delegatedPermission.Id

+ PermissionName = $delegatedPermission.Value

+ Classification = "Low"

+ $classifications = Get-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $api.Id

+- [Permissions and consent in the Microsoft identity platform](../develop/v2-permissions-and-consent.md)

+#### Symptom - Users fail to provision with error "AzureActiveDirectoryForbidden"

+Users in scope fail to provision. The provisioning logs details include the following error message:

+```

+The provisioning service was forbidden from performing an operation on Azure Active Directory, which is unusual.

+A simultaneous change to the target object may have occurred, in which case, the operation might succeed when it is retried.

+Alternatively, the target of the operation, or one of its properties, may be mastered on-premises, in which case,

+the provisioning service is not permitted to update it, and the corresponding source entry should be removed from the provisioning service's scope.

+Otherwise, authorizations may have been customized in such a way as to prevent the provisioning service from modifying the target object or one of its properties;

+if so, then, again, the corresponding source entry should be removed from scope.

+This operation was retried 0 times.

+```

+**Cause**

+This error indicates the Guest invite settings in the target tenant are configured with the most restrictive setting: "No one in the organization can invite guest users including admins (most restrictive)".

+**Solution**

+Change the Guest invite settings in the target tenant to a less restrictive setting. For more information, see [Configure external collaboration settings](../external-identities/external-collaboration-settings-configure.md).

+ * `RiskyServicePrincipals`

+ * `ServicePrincipalRiskEvents`

+1. The following logs are in preview but still visible in Azure AD. At this time, selecting these options will not add new logs to your workspace unless your organization was included in the preview.

+

+ 

+ 

+ 

+ 

+ 

+ 

+1. In AWS home page, search for **IAM** and click it.

+ 

+1. Go to **Access management** -> **Identity Providers** and click **Add provider** button.

+ 

+1. In the **Add an Identity provider** page, perform the following steps:

+ 

+ a. For **Provider type**, select **SAML**.

+ b. For **Provider name**, type a provider name (for example: *WAAD*).

+ c. To upload your downloaded **metadata file** from the Azure portal, select **Choose file**.

+ d. Click **Add provider**.

+1. Select **Roles** > **Create role**.

+ 

+1. On the **Create role** page, perform the following steps:

+ 

+ a. Choose **Trusted entity type**, select **SAML 2.0 federation**.

+ b. Under **SAML 2.0 based provider**, select the **SAML provider** you created previously (for example: *WAAD*).

+ d. Select **Next**.

+1. On the **Permissions policies** dialog box, attach the appropriate policy, per your organization. Then select **Next**.

+ 

+1. On the **Review** dialog box, perform the following steps:

+ 

+ b. In **Description**, enter the role description.

+ d. Create as many roles as needed and map them to the identity provider.

+1. Use AWS service account credentials for fetching the roles from the AWS account in Azure AD user provisioning. For this, open the AWS console home.

+1. In the IAM section, select **Policies** and click **Create policy**.

+ 

+1. Create your own policy to fetch all the roles from AWS accounts.

+ 

+ c. Click **Next: Tags**.

+1. You can also add the required tags in the below page and click **Next: Review**.

+ 

+1. Define the new policy.

+ 

+1. Create a new user account in the AWS IAM service.

+ a. In the AWS IAM console, select **Users** and click **Add users**.

+ 

+ b. In the **Specify user details** section, enter the user name as **AzureADRoleManager** and select **Next**.

+ 

+ c. Create a new policy for this user.

+ 

+ d. Select **Attach existing policies directly**.

+ e. Search for the newly created policy in the filter section **AzureAD_SSOUserRole_Policy**.

+ f. Select the policy, and then select **Next**.

+1. Review your choices and select **Create user**.

+1. To download the user credentials of a user, enable the console access in **Security credentials** tab.

+ 

+1. Enter these credentials into the Azure AD user provisioning section to fetch the roles from the AWS console.

+ 

+ 

+ 

+ 

+* AWS Single-Account Access provisioning integration cannot be used in the AWS China regions.

+ storageClassName: azureblob-nfs-premium

+ storageClassName: azureblob-fuse-premium

+ Title: Configure Azure CNI Overlay networking in Azure Kubernetes Service (AKS)

+With Azure CNI Overlay, the cluster nodes are deployed into an Azure Virtual Network (VNet) subnet, whereas pods are assigned IP addresses from a private CIDR logically different from the VNet hosting the nodes. Pod and node traffic within the cluster use an Overlay network, and Network Address Translation (using the node's IP address) is used to reach resources outside the cluster. This solution saves a significant amount of VNet IP addresses and enables you to seamlessly scale your cluster to very large sizes. An added advantage is that the private CIDR can be reused in different AKS clusters, truly extending the IP space available for containerized applications in AKS.

+## Overview of Overlay networking

+In Overlay networking, only the Kubernetes cluster nodes are assigned IPs from a subnet. Pods receive IPs from a private CIDR that is provided at the time of cluster creation. Each node is assigned a `/24` address space carved out from the same CIDR. Additional nodes that are created when you scale out a cluster automatically receive `/24` address spaces from the same CIDR. Azure CNI assigns IPs to pods from this `/24` space.

+A separate routing domain is created in the Azure Networking stack for the pod's private CIDR space, which creates an Overlay network for direct communication between pods. There is no need to provision custom routes on the cluster subnet or use an encapsulation method to tunnel traffic between pods. This provides connectivity performance between pods on par with VMs in a VNet.

+Communication with endpoints outside the cluster, such as on-premises and peered VNets, happens using the node IP through Network Address Translation. Azure CNI translates the source IP (Overlay IP of the pod) of the traffic to the primary IP address of the VM, which enables the Azure Networking stack to route the traffic to the destination. Endpoints outside the cluster can't connect to a pod directly. You will have to publish the pod's application as a Kubernetes Load Balancer service to make it reachable on the VNet.

+Outbound (egress) connectivity to the internet for Overlay pods can be provided using a [Standard SKU Load Balancer](./egress-outboundtype.md#outbound-type-of-loadbalancer) or [Managed NAT Gateway](./nat-gateway.md). You can also control egress traffic by directing it to a firewall using [User Defined Routes on the cluster subnet](./egress-outboundtype.md#outbound-type-of-userdefinedrouting).

+| OS platforms supported | Linux and Windows Server 2022(Preview) | Linux only |

+- **Cluster Nodes**: When setting up your AKS cluster, make sure your VNet subnet has enough room to grow for future scaling. Keep in mind that clusters can't scale across subnets, but you can always add new node pools in another subnet within the same VNet for extra space. Note that a `/24`subnet can fit up to 251 nodes since the first three IP addresses are reserved for management tasks.

+- **Pods**: The Overlay solution assigns a `/24` address space for pods on every node from the private CIDR that you specify during cluster creation. The `/24` size is fixed and can't be increased or decreased. You can run up to 250 pods on a node. When planning the pod address space, ensure that the private CIDR is large enough to provide `/24` address spaces for new nodes to support future cluster expansion.

+Azure CNI offers two IP addressing options for pods - the traditional configuration that assigns VNet IPs to pods, and Overlay networking. The choice of which option to use for your AKS cluster is a balance between flexibility and advanced configuration needs. The following considerations help outline when each network model may be the most appropriate.

+Use Overlay networking when:

+- You can't use Application Gateway as an Ingress Controller (AGIC) for an Overlay cluster.

+- Windows support is still in Preview

+ - Windows Server 2019 node pools are **not** supported for Overlay

+ - Traffic from host network pods is not able to reach Windows Overlay pods.

+- Sovereign Clouds are not supported

+- Virtual Machine Scale Sets (VMAS) are not supported for Overlay

+- Dualstack networking is not supported in Overlay

+- You can't use [DCsv2-series](/azure/virtual-machines/dcv2-series) virtual machines in node pools. To meet Confidential Computing requirements, consider using [DCasv5 or DCadsv5-series confidential VMs](/azure/virtual-machines/dcasv5-dcadsv5-series) instead.

+## Set up Overlay clusters

+>[!NOTE]

+> You must have CLI version 2.47.0 or later to use the `--network-plugin-mode` argument. For Windows, you must have the latest aks-preview Azure CLI extension installed and can follow the instructions below.

+Create a cluster with Azure CNI Overlay. Use the argument `--network-plugin-mode` to specify that this is an overlay cluster. If the pod CIDR is not specified then AKS assigns a default space, viz. 10.244.0.0/16. Replace the values for the variables `clusterName`, `resourceGroup`, and `location`.

+```azurecli-interactive

+clusterName="myOverlayCluster"

+resourceGroup="myResourceGroup"

+location="westcentralus"

+az aks create -n $clusterName -g $resourceGroup --location $location --network-plugin azure --network-plugin-mode overlay --pod-cidr 192.168.0.0/16

+```

+## Install the aks-preview Azure CLI extension - Windows only

+## Upgrade an existing cluster to CNI Overlay - Preview

+> [!NOTE]

+> The upgrade capability is still in preview and requires the preview AKS Azure CLI extension.

+The upgrade process will trigger each node pool to be re-imaged simultaneously (i.e. upgrading each node pool separately to Overlay is not supported). Any disruptions to cluster networking will be similar to a node image upgrade or Kubernetes version upgrade where each node in a node pool is re-imaged.

+> Due to the limitation around Windows Overlay pods incorrectly SNATing packets from host network pods, this has a more detrimental effect for clusters upgrading to Overlay.

+While nodes are being upgraded to use the CNI Overlay feature, pods that are on nodes which haven't been upgraded yet will not be able to communicate with pods on Windows nodes that have been upgraded to Overlay. In other words, Overlay Windows pods will not be able to reply to any traffic from pods still running with an IP from the node subnet.

+This network disruption will only occur during the upgrade. Once the migration to Overlay has completed for all node pools, all Overlay pods will be able to communicate successfully with the Windows pods.

+> The upgrade completion doesn't change the existing limitation that host network pods **cannot** communicate with Windows Overlay pods.

+- *Does AKS configure CPU or memory limits on the Cilium daemonset?*

+ No, AKS does not configure CPU or memory limits on the Cilium daemonset because Cilium is a critical system component for pod networking and network policy enforcement.

+* The Azure Disk CSI driver has a per-node volume limit. The volume count changes based on the size of the node/node pool. Run the [kubectl get][kubectl-get] command to determine the number of volumes that can be allocated per node:

+ * Premium disks are backed by SSD-based high-performance, low-latency disks. They're ideal for VMs running production workloads. When you use the Azure Disk CSI driver on AKS, you can also use the `managed-csi` storage class, which is backed by Standard SSD locally redundant storage (LRS).

+ ```yaml

+ kind: Pod

+ apiVersion: v1

+ metadata:

+ name: mypod

+ spec:

+ containers:

+ - name: mypod

+ cpu: 100m

+ memory: 128Mi

+ - mountPath: "/mnt/azure"

+ name: volume

+ volumes:

+ - name: volume

+ persistentVolumeClaim:

+ claimName: azure-managed-disk

+ ```

+To create an AKS cluster with CSI driver support, see [Enable CSI driver on AKS](csi-storage-drivers.md). This article describes how to use the Azure Disk CSI driver version 1.

+> Azure Disk CSI driver v2 (preview) improves scalability and reduces pod failover latency. It uses shared disks to provision attachment replicas on multiple cluster nodes and integrates with the pod scheduler to ensure a node with an attachment replica is chosen on pod failover. Azure Disk CSI driver v2 (preview) also provides the ability to fine tune performance. If you're interested in participating in the preview, submit a request: [https://aka.ms/DiskCSIv2Preview](https://aka.ms/DiskCSIv2Preview). This preview version is provided without a service level agreement, and you can occasionally expect breaking changes while in preview. The preview version isn't recommended for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+## Azure Disk CSI driver features

+In addition to in-tree driver features, Azure Disk CSI driver supports the following features:

+> Depending on the VM SKU that's being used, the Azure Disk CSI driver might have a per-node volume limit. For some powerful VMs (for example, 16 cores), the limit is 64 volumes per node. To identify the limit per VM SKU, review the **Max data disks** column for each VM SKU offered. For a list of VM SKUs offered and their corresponding detailed capacity limits, see [General purpose virtual machine sizes][general-purpose-machine-sizes].

+When you use the Azure Disk CSI driver on AKS, there are two more built-in `StorageClasses` that use the Azure Disk CSI storage driver. The other CSI storage classes are created with the cluster alongside the in-tree default storage classes.

+The Azure Disk CSI driver supports creating [snapshots of persistent volumes](https://kubernetes-csi.github.io/docs/snapshot-restore-feature.html). As part of this capability, the driver can perform either *full* or [*incremental* snapshots](../virtual-machines/disks-incremental-snapshots.md) depending on the value set in the `incremental` parameter (by default, it's true).

+> [!NOTE]

+> Before proceeding, ensure that the application is not writing data to the source disk.

+The Azure Disk CSI driver supports Windows nodes and containers. If you want to use Windows containers, follow the [Windows containers quickstart][aks-quickstart-cli] to add a Windows node pool.

+## Azure File CSI driver new features

+In addition to the original in-tree driver features, Azure File CSI driver supports the following new features:

+When you use storage CSI drivers on AKS, there are two more built-in `StorageClasses` that uses the Azure File CSI storage drivers. The other CSI storage classes are created with the cluster alongside the in-tree default storage classes.

+The Azure File CSI driver supports creating [snapshots of persistent volumes](https://kubernetes-csi.github.io/docs/snapshot-restore-feature.html) and the underlying file shares.

+ storageClassName: azurefile-csi-nfs

+The Azure File CSI driver also supports Windows nodes and containers. To use Windows containers, follow the [Windows containers quickstart](./learn/quick-windows-container-deploy-cli.md) to add a Windows node pool.

+[azure-private-endpoint-dns]: ../private-link/private-endpoint-dns.md#azure-services-dns-zone-configuration

+ Title: Optimize Costs in Azure Kubernetes Service (AKS)

+description: Recommendations for optimizing costs in Azure Kubernetes Service (AKS).

+# Optimize costs in Azure Kubernetes Service (AKS)

+Cost optimization is about understanding your different configuration options and recommended best practices to reduce unnecessary expenses and improve operational efficiencies. Before you use this article, you should see the [cost optimization section](/azure/architecture/framework/services/compute/azure-kubernetes-service/azure-kubernetes-service#cost-optimization) in the Azure Well-Architected Framework.

+When discussing cost optimization with Azure Kubernetes Service, it's important to distinguish between *cost of cluster resources* and *cost of workload resources*. Cluster resources are a shared responsibility between the cluster admin and their resource provider, while workload resources are the domain of a developer. Azure Kubernetes Service has considerations and recommendations for both of these roles.

+## Design checklist

+> [!div class="checklist"]

+> - **Cluster architecture:** Use appropriate VM SKU per node pool and reserved instances where long-term capacity is expected.

+> - **Cluster and workload architectures:** Use appropriate managed disk tier and size.

+> - **Cluster architecture:** Review performance metrics, starting with CPU, memory, storage, and network, to identify cost optimization opportunities by cluster, nodes, and namespace.

+> - **Cluster and workload architecture:** Use autoscale features to scale in when workloads are less active.

+## Recommendations

+Explore the following table of recommendations to optimize your AKS configuration for cost.

+| Recommendation | Benefit |

+|-|--|

+|**Cluster architecture**: Utilize AKS cluster pre-set configurations. |From the Azure portal, the **cluster preset configurations** option helps offload this initial challenge by providing a set of recommended configurations that are cost-conscious and performant regardless of environment. Mission critical applications may require more sophisticated VM instances, while small development and test clusters may benefit from the lighter-weight, preset options where availability, Azure Monitor, Azure Policy, and other features are turned off by default. The **Dev/Test** and **Cost-optimized** pre-sets help remove unnecessary added costs.|

+|**Cluster architecture:** Consider using [ephemeral OS disks](cluster-configuration.md#ephemeral-os).|Ephemeral OS disks provide lower read/write latency, along with faster node scaling and cluster upgrades. Containers aren't designed to have local state persisted to the managed OS disk, and this behavior offers limited value to AKS. AKS defaults to an ephemeral OS disk if you chose the right VM series and the OS disk can fit in the VM cache or temporary storage SSD.|

+|**Cluster and workload architectures:** Use the [Start and Stop feature](start-stop-cluster.md) in Azure Kubernetes Services (AKS).|The AKS Stop and Start cluster feature allows AKS customers to pause an AKS cluster, saving time and cost. The stop and start feature keeps cluster configurations in place and customers can pick up where they left off without reconfiguring the clusters.|

+|**Workload architecture:** Consider using [Azure Spot VMs](spot-node-pool.md) for workloads that can handle interruptions, early terminations, and evictions.|For example, workloads such as batch processing jobs, development and testing environments, and large compute workloads may be good candidates for you to schedule on a spot node pool. Using spot VMs for nodes with your AKS cluster allows you to take advantage of unused capacity in Azure at a significant cost savings.|

+|**Cluster architecture:** Enforce [resource quotas](operator-best-practices-scheduler.md) at the namespace level.|Resource quotas provide a way to reserve and limit resources across a development team or project. These quotas are defined on a namespace and can be used to set quotas on compute resources, storage resources, and object counts. When you define resource quotas, all pods created in the namespace must provide limits or requests in their pod specifications.|

+|**Cluster architecture:** Sign up for [Azure Reservations](../cost-management-billing/reservations/save-compute-costs-reservations.md). | If you properly planned for capacity, your workload is predictable and exists for an extended period of time, sign up for [Azure Reserved Instances](../virtual-machines/prepay-reserved-vm-instances.md) to further reduce your resource costs.|

+|**Cluster architecture:** Use Kubernetes [Resource Quotas](operator-best-practices-scheduler.md#enforce-resource-quotas). | Resource quotas can be used to limit resource consumption for each namespace in your cluster, and by extension resource utilization for the Azure service.|

+|**Cluster and workload architectures:** Cost management using monitoring and observability tools. | OpenCost on AKS introduces a new community-driven [specification](https://github.com/opencost/opencost/blob/develop/spec/opencost-specv01.md) and implementation to bring greater visibility into current and historic Kubernetes spend and resource allocation. OpenCost, born out of [Kubecost](https://www.kubecost.com/), is an open-source, vendor-neutral [CNCF sandbox project](https://www.cncf.io/sandbox-projects/) that recently became a [FinOps Certified Solution](https://www.finops.org/certifications/finops-certified-solution/). Customer specific prices are now included using the [Azure Consumption Price Sheet API](/rest/api/consumption/price-sheet), ensuring accurate cost reporting that accounts for consumption and savings plan discounts. For out-of-cluster analysis or to ingest allocation data into an existing BI pipeline, you can export a CSV with daily infrastructure cost breakdown by Kubernetes constructs (namespace, controller, service, pod, job and more) to your Azure Storage Account or local storage with minimal configuration. CSV also includes resource utilization metrics for CPU, GPU, memory, load balancers, and persistent volumes. For in-cluster visualization, OpenCost UI enables real-time cost drill down by Kubernetes constructs. Alternatively, directly query the OpenCost API to access cost allocation data. For more information on Azure specific integration, see [OpenCost docs](https://www.opencost.io/docs).|

+|**Cluster architecture:** Improve cluster operations efficiency.|Managing multiple clusters increases operational overhead for engineers. [AKS auto upgrade](auto-upgrade-cluster.md) and [AKS Node Auto-Repair](node-auto-repair.md) helps improve day-2 operations. Learn more about [best practices for AKS Operators](operator-best-practices-cluster-isolation.md).|

+## Next steps

+- Explore and analyze costs with [Cost analysis](../cost-management-billing/costs/quick-acm-cost-analysis.md).

+- [Azure Advisor recommendations](../advisor/advisor-cost-recommendations.md) for cost can highlight the over-provisioned services and ways to lower cost.

+# Use dual-stack kubenet networking in Azure Kubernetes Service (AKS)

+* In Mariner node pools, service objects are only supported with `externalTrafficPolicy: Local`.

+> * Azure Load Balancer sends health probes to IPv6 destinations from a link-local address. In Mariner node pools, this traffic cannot be routed to a pod and thus traffic flowing to IPv6 services deployed with `externalTrafficPolicy: Cluster` will fail. IPv6 services MUST be deployed with `externalTrafficPolicy: Local`, which causes `kube-proxy` to respond to the probe on the node, in order to function.

+kubectl expose deployment nginx --name=nginx-ipv4 --port=80 --type=LoadBalancer'

+kubectl expose deployment nginx --name=nginx-ipv6 --port=80 --type=LoadBalancer --overrides='{"spec":{"ipFamilies": ["IPv6"]}}'

+ externalTrafficPolicy: Cluster

+ externalTrafficPolicy: Cluster

+* Using the virtual machine scale set (VMSS) API to scale down nodes in the cluster to zero will deallocate the nodes, causing the cluster to go down and unrecoverable.

+In some cases, if you are planning to run Windows-based workloads on an AKS cluster, you should consider deploying a Linux node pool for the following reasons:

+- If you are planning to run Windows and Linux workloads, you can deploy a Windows and Linux node pool on the same AKS cluster to run the workloads side by side.

+- When deploying infrastructure-related components based on Linux, such as Ngix and others, these workloads require a Linux node pool alongside your Windows node pools. For development and test scenarios, you can use control plane nodes. For production workloads, we recommend deploying separate Linux node pools for performance and reliability.

+In this article, you learn how to use a single API Management instance for internal and external consumers and make it act as a single front end for both on-premises and cloud APIs. You'll create an API Management instance of the newer single-tenant version 2 (stv2) type. You'll also understand how to expose only a subset of your APIs for external consumption by using routing functionality available in Application Gateway. In the example, the APIs are highlighted in green.

+1. Create a network security group (NSG) and NSG rules for the Application Gateway subnet.

+

+ ```

+

+1. Create a network security group (NSG) and NSG rules for the API Management subnet. [API Management stv2 requires several specific NSG rules](api-management-using-with-internal-vnet.md#enable-vnet-connection).

+ ```powershell

+ $apimRule1 = New-AzNetworkSecurityRuleConfig -Name APIM-Management -Description "APIM inbound" `

+ -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix ApiManagement `

+ -SourcePortRange * -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 3443

+ $apimRule2 = New-AzNetworkSecurityRuleConfig -Name AllowAppGatewayToAPIM -Description "Allows inbound App Gateway traffic to APIM" `

+ -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 -SourceAddressPrefix "10.0.0.0/24" `

+ -SourcePortRange * -DestinationAddressPrefix "10.0.1.0/24" -DestinationPortRange 443

+ $apimRule3 = New-AzNetworkSecurityRuleConfig -Name AllowAzureLoadBalancer -Description "Allows inbound Azure Infrastructure Load Balancer traffic to APIM" `

+ -Access Allow -Protocol Tcp -Direction Inbound -Priority 120 -SourceAddressPrefix AzureLoadBalancer `

+ -SourcePortRange * -DestinationAddressPrefix "10.0.1.0/24" -DestinationPortRange 6390

+ $apimRule4 = New-AzNetworkSecurityRuleConfig -Name AllowKeyVault -Description "Allows outbound traffic to Azure Key Vault" `

+ -Access Allow -Protocol Tcp -Direction Outbound -Priority 100 -SourceAddressPrefix "10.0.1.0/24" `

+ -SourcePortRange * -DestinationAddressPrefix AzureKeyVault -DestinationPortRange 443

+ "NSG-APIM" -SecurityRules $apimRule1, $apimRule2, $apimRule3, $apimRule4

+1. API Management stv2 requires a public IP with a `DomainNameLabel`:

+ ```powershell

+ $apimPublicIpAddressId = New-AzPublicIpAddress -ResourceGroupName $resGroupName -name "pip-apim" -location $location `

+ -AllocationMethod Static -Sku Standard -Force -DomainNameLabel "apim-contoso"

+ ```

+ $domain = "contoso.net"

+ $apimAdminEmail = "admin@contoso.net" # Administrator's email address

+

+ $apimService = New-AzApiManagement -ResourceGroupName $resGroupName -Location $location -Name $apimServiceName -Organization $apimOrganization `

+ -AdminEmail $apimAdminEmail -VirtualNetwork $apimVirtualNetwork -VpnType "Internal" -Sku "Developer" -PublicIpAddressId $apimPublicIpAddressId.Id

+ $gatewayHostname = "api.$domain" # API gateway host

+ $portalHostname = "portal.$domain" # API developer portal host

+ $managementHostname = "management.$domain" # API management endpoint host

+ $myZone = New-AzPrivateDnsZone -Name $domain -ResourceGroupName $resGroupName

+ $link = New-AzPrivateDnsVirtualNetworkLink -ZoneName $domain `

+ New-AzPrivateDnsRecordSet -Name api -RecordType A -ZoneName $domain `

+ New-AzPrivateDnsRecordSet -Name portal -RecordType A -ZoneName $domain `

+ New-AzPrivateDnsRecordSet -Name management -RecordType A -ZoneName $domain `

+ -name "pip-appgateway" -location $location -AllocationMethod Static -Sku Standard

+ -BackendHttpSettings $apimPoolGatewaySetting -Priority 10

+ -BackendHttpSettings $apimPoolPortalSetting -Priority 20

+ -BackendHttpSettings $apimPoolManagementSetting -Priority 30

+A best practice is to always use the environment variables `%SystemDrive%` and `%ResourceDrive%` instead of hard-coded file paths. The root path returned from these two environment variables has shifted over time from `d:\` to `c:\`. However, older applications hard-coded with file path references to `d:\` will continue to work because the App Service platform automatically remaps `d:\` to instead point at `c:\`. As noted above, it is highly recommended to always use the environment variables when building file paths and avoid confusion over platform changes to the default root file path.

+- **Isolated**: The **Isolated** and **IsolatedV2** tiers run dedicated Azure VMs on dedicated Azure Virtual Networks. It provides network isolation on top of compute isolation to your apps. It provides the maximum scale-out capabilities.

+provides Microsoft created and managed initiative definitions, known as *built-ins*, for the

+### April 2023

+- **App Service apps that use Java should use the latest 'Java version'**

+ - Rename of policy to "App Service apps that use Java should use a specified 'Java version'"

+ - Update policy so that it requires a version specification before assignment

+- **App Service apps that use Python should use the latest 'Python version'**

+ - Rename of policy to "App Service apps that use Python should use a specified 'Python version'"

+ - Update policy so that it requires a version specification before assignment

+- **Function apps that use Java should use the latest 'Java version'**

+ - Rename of policy to "Function apps that use Java should use a specified 'Java version'"

+ - Update policy so that it requires a version specification before assignment

+- **Function apps that use Python should use the latest 'Python version'**

+ - Rename of policy to "Function apps that use Python should use a specified 'Python version'"

+ - Update policy so that it requires a version specification before assignment

+- **App Service apps that use PHP should use the latest 'PHP version'**

+ - Rename of policy to "App Service apps that use PHP should use a specified 'PHP version'"

+ - Update policy so that it requires a version specification before assignment

+- **App Service app slots that use Python should use a specified 'Python version'**

+ - New policy created

+- **Function app slots that use Python should use a specified 'Python version'**

+ - New policy created

+- **App Service app slots that use PHP should use a specified 'PHP version'**

+ - New policy created

+- **App Service app slots that use Java should use a specified 'Java version'**

+ - New policy created

+- **Function app slots that use Java should use a specified 'Java version'**

+ - New policy created

+ - Replaced by "App Service apps should disable public network access" to support *Deny* effect

+* **Azure Database for PostgreSQL**: A Postgres database and server were created for the app hosted on App Service to connect to. The required admin user, network and connection settings were also configured.

+> [Configure Python app](configure-language-python.md)

+| Windows Server 2022 (Datacenter)| |

+When creating a private endpoint, you must specify the App Configuration store to which it connects. If you enable the geo-replication for an App Configuration store, you can connect to all replicas of the store using the same private endpoint. If you have multiple App Configuration stores, you need a separate private endpoint for each store.

+If you are using a custom DNS server on your network, clients must be able to resolve the fully qualified domain name (FQDN) for the service endpoint to the private endpoint IP address. Configure your DNS server to delegate your private link subdomain to the private DNS zone for the VNet, or configure the A records for `[Your-store-name].privatelink.azconfig.io` (or `[Your-store-name]-[replica-name].privatelink.azconfig.io` for a replica if the geo-replication is enabled) with the private endpoint IP address.

+## Logging and monitoring

+Logs are output upon configuration refresh and contain detailed information on key-values retrieved from your App Configuration store and configuration changes made to your application.

+- A default `ILoggerFactory` is added automatically when `services.AddAzureAppConfiguration()` is invoked. The App Configuration provider uses this `ILoggerFactory` to create an instance of `ILogger`, which outputs these logs. ASP.NET Core uses `ILogger` for logging by default, so you don't need to make additional code changes to enable logging for the App Configuration provider.

+- Logs are output at different log levels. The default level is `Information`.

+ | Log Level | Description |

+ |||

+ | Debug | Logs include the key and label of key-values your application monitors for changes from your App Configuration store. The information also includes whether the key-value has changed compared with what your application has already loaded. Enable logs at this level to troubleshoot your application if a configuration change didn't happen as expected. |

+ | Information | Logs include the keys of configuration settings updated during a configuration refresh. Values of configuration settings are omitted from the log to avoid leaking sensitive data. You can monitor logs at this level to ensure your application picks up expected configuration changes. |

+ | Warning | Logs include failures and exceptions that occurred during configuration refresh. Occasional occurrences can be ignored because the configuration provider will continue using the cached data and attempt to refresh the configuration next time. You can monitor logs at this level for repetitive warnings that may indicate potential issues. For example, you rotated the connection string but forgot to update your application. |

+ You can enable logging at the `Debug` log level by adding the following example to your `appsettings.json` file. This example applies to all other log levels as well.

+ ```json

+ "Logging": {

+ "LogLevel": {

+ "Microsoft.Extensions.Configuration.AzureAppConfiguration": "Debug"

+ }

+ }

+ ```

+- The logging category is `Microsoft.Extensions.Configuration.AzureAppConfiguration.Refresh`, which appears before each log. Here are some example logs at each log level:

+ ```console

+ dbug: Microsoft.Extensions.Configuration.AzureAppConfiguration.Refresh[0]

+ Key-value read from App Configuration. Change:'Modified' Key:'ExampleKey' Label:'ExampleLabel' Endpoint:'https://examplestore.azconfig.io'

+ info: Microsoft.Extensions.Configuration.AzureAppConfiguration.Refresh[0]

+ Setting updated. Key:'ExampleKey'

+ warn: Microsoft.Extensions.Configuration.AzureAppConfiguration.Refresh[0]

+ A refresh operation failed while resolving a Key Vault reference.

+ Key vault error. ErrorCode:'SecretNotFound' Key:'ExampleKey' Label:'ExampleLabel' Etag:'6LaqgBQM9C_Do2XyZa2gAIfj_ArpT52-xWwDSLb2hDo' SecretIdentifier:'https://examplevault.vault.azure.net/secrets/ExampleSecret'

+ ```

+Using `ILogger` is the preferred method in ASP.NET applications and is prioritized as the logging source if an instance of `ILoggerFactory` is present. However, if `ILoggerFactory` is not available, logs can alternatively be enabled and configured through the [instructions for .NET Core apps](./enable-dynamic-configuration-dotnet-core.md#logging-and-monitoring). For more information, see [logging in .NET Core and ASP.NET Core](/aspnet/core/fundamentals/logging).

+> [!NOTE]

+> Logging is available if you use version **6.0.0** or later of any of the following packages.

+> - `Microsoft.Extensions.Configuration.AzureAppConfiguration`

+> - `Microsoft.Azure.AppConfiguration.AspNetCore`

+> - `Microsoft.Azure.AppConfiguration.Functions.Worker`

+## Logging and monitoring

+Logs are output upon configuration refresh and contain detailed information on key-values retrieved from your App Configuration store and configuration changes made to your application. If you have an ASP.NET Core application, see these instructions for [Logging and Monitoring in ASP.NET Core](./enable-dynamic-configuration-aspnet-core.md#logging-and-monitoring). Otherwise, you can enable logging using the instructions for [logging with the Azure SDK](/dotnet/azure/sdk/logging).

+- Logs are output at different event levels. The default level is `Informational`.

+ | Event Level | Description |

+ |||

+ | Verbose | Logs include the key and label of key-values your application monitors for changes from your App Configuration store. The information also includes whether the key-value has changed compared with what your application has already loaded. Enable logs at this level to troubleshoot your application if a configuration change didn't happen as expected. |

+ | Informational | Logs include the keys of configuration settings updated during a configuration refresh. Values of configuration settings are omitted from the log to avoid leaking sensitive data. You can monitor logs at this level to ensure your application picks up expected configuration changes. |

+ | Warning | Logs include failures and exceptions that occurred during configuration refresh. Occasional occurrences can be ignored because the configuration provider will continue using the cached data and attempt to refresh the configuration next time. You can monitor logs at this level for repetitive warnings that may indicate potential issues. For example, you rotated the connection string but forgot to update your application. |

+ You can enable logging at the `Verbose` event level by specifying the `EventLevel.Verbose` parameter, as done in the following example. These instructions apply to all other event levels as well. This example also enables logs for only the `Microsoft-Extensions-Configuration-AzureAppConfiguration-Refresh` category.

+ ```csharp

+ using var listener = new AzureEventSourceListener((eventData, text) =>

+ {

+ if (eventData.EventSource.Name == "Microsoft-Extensions-Configuration-AzureAppConfiguration-Refresh")

+ {

+ Console.WriteLine("[{1}] {0}: {2}", eventData.EventSource.Name, eventData.Level, text);

+ }

+ }, EventLevel.Verbose);

+ ```

+- The logging category is `Microsoft-Extensions-Configuration-AzureAppConfiguration-Refresh`, which appears before each log. Here are some example logs at each event level:

+ ```console

+ [Verbose] Microsoft-Extensions-Configuration-AzureAppConfiguration-Refresh:

+ Key-value read from App Configuration. Change:'Modified' Key:'ExampleKey' Label:'ExampleLabel' Endpoint:'https://examplestore.azconfig.io'

+ [Informational] Microsoft-Extensions-Configuration-AzureAppConfiguration-Refresh:

+ Setting updated. Key:'ExampleKey'

+ [Warning] Microsoft-Extensions-Configuration-AzureAppConfiguration-Refresh:

+ A refresh operation failed while resolving a Key Vault reference.

+ Key vault error. ErrorCode:'SecretNotFound' Key:'ExampleKey' Label:'ExampleLabel' Etag:'6LaqgBQM9C_Do2XyZa2gAIfj_ArpT52-xWwDSLb2hDo' SecretIdentifier:'https://examplevault.vault.azure.net/secrets/ExampleSecret'

+ ```

+> [!NOTE]

+> Logging is available if you use version **6.0.0** or later of any of the following packages.

+> - `Microsoft.Extensions.Configuration.AzureAppConfiguration`

+> - `Microsoft.Azure.AppConfiguration.AspNetCore`

+> - `Microsoft.Azure.AppConfiguration.Functions.Worker`

+### 1.7.3 (April 2023)

+Flux version: [Release v0.41.2](https://github.com/fluxcd/flux2/releases/tag/v0.41.2)

+- source-controller: v0.36.1

+- kustomize-controller: v0.35.1

+- helm-controller: v0.31.2

+- notification-controller: v0.33.0

+- image-automation-controller: v0.31.0

+- image-reflector-controller: v0.26.1

+Changes made for this version:

+- Upgrades Flux to [v0.41.2](https://github.com/fluxcd/flux2/releases/tag/v0.41.2)

+- Fixes issue causing resources that were deployed as part of Flux configuration to persist even when the configuration was deleted with prune flag set to `true`

+- Kubelet identity support for image-reflector-controller by [installing the microsoft.flux extension in a cluster with kubelet identity enabled](troubleshooting.md#flux-v2installing-the-microsoftflux-extension-in-a-cluster-with-kubelet-identity-enabled)

+- Fixed an issue that could cause the guest configuration service (gc_service) to repeatedly crash and restart on Linux systems

+Azure Arc supports the following Windows and Linux operating systems. Only x86-64 (64-bit) architectures are supported. The Azure Connected Machine agent does not run on x86 (32-bit) or ARM-based architectures.

+* CBL-Mariner 1.0, 2.0

+This guide is an introduction to developing Azure Functions using JavaScript or TypeScript. The article assumes that you have already read the [Azure Functions developer guide](functions-reference.md).

+The required folder structure for a JavaScript project looks like the following example:

+<project_root>/

+ | - .vscode/

+ | - node_modules/

+ | - myFirstFunction/

+ | - mySecondFunction/

+ | - .funcignore

+ | - local.settings.json

+The main project folder, *<project_root>*, can contain the following files:

+- **.vscode/**: (Optional) Contains the stored Visual Studio Code configuration. To learn more, see [Visual Studio Code settings](https://code.visualstudio.com/docs/getstarted/settings).

+- **myFirstFunction/function.json**: Contains configuration for the function's trigger, inputs, and outputs. The name of the directory determines the name of your function.

+- **myFirstFunction/index.js**: Stores your function code. To change this default file path, see [using scriptFile](#using-scriptfile).

+- **.funcignore**: (Optional) Declares files that shouldn't get published to Azure. Usually, this file contains *.vscode/* to ignore your editor setting, *test/* to ignore test cases, and *local.settings.json* to prevent local app settings being published.

+- **host.json**: Contains configuration options that affect all functions in a function app instance. This file does get published to Azure. Not all options are supported when running locally. To learn more, see [host.json](functions-host-json.md).

+- **local.settings.json**: Used to store app settings and connection strings when it's running locally. This file doesn't get published to Azure. To learn more, see [local.settings.file](functions-develop-local.md#local-settings-file).

+- **package.json**: Contains configuration options like a list of package dependencies, the main entrypoint, and scripts.

+ | - node_modules/

+- **.vscode/**: (Optional) Contains the stored Visual Studio Code configuration. To learn more, see [Visual Studio Code settings](https://code.visualstudio.com/docs/getstarted/settings).

+- **src/functions/**: The default location for all functions and their related triggers and bindings.

+- **test/**: (Optional) Contains the test cases of your function app.

+- **.funcignore**: (Optional) Declares files that shouldn't get published to Azure. Usually, this file contains *.vscode/* to ignore your editor setting, *test/* to ignore test cases, and *local.settings.json* to prevent local app settings being published.

+- **host.json**: Contains configuration options that affect all functions in a function app instance. This file does get published to Azure. Not all options are supported when running locally. To learn more, see [host.json](functions-host-json.md).

+- **local.settings.json**: Used to store app settings and connection strings when it's running locally. This file doesn't get published to Azure. To learn more, see [local.settings.file](functions-develop-local.md#local-settings-file).

+- **package.json**: Contains configuration options like a list of package dependencies, the main entrypoint, and scripts.

+<a name="exporting-an-async-function"></a>

+<a name="exporting-a-function"></a>

+## Registering a function

+The v3 model registers a function based on the existence of two files. First, you need a `function.json` file located in a folder one level down from the root of your app. The name of the folder determines the function's name and the file contains configuration for your function's inputs/outputs. Second, you need a JavaScript file containing your code. By default, the model looks for an `index.js` file in the same folder as your `function.json`. Your code must export a function using [`module.exports`](https://nodejs.org/api/modules.html#modules_module_exports) (or [`exports`](https://nodejs.org/api/modules.html#modules_exports)). To customize the file location or export name of your function, see [configuring your function's entry point](functions-reference-node.md#configure-function-entry-point).

+The function you export should always be declared as an [`async function`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Statements/async_function) in the v3 model. You can export a synchronous function, but then you must call [`context.done()`](#contextdone) to signal that your function is completed, which is deprecated and not recommended.

+Your function is passed an [invocation `context`](#invocation-context) as the first argument and your [inputs](#inputs) as the remaining arguments.

+The following example is a simple function that logs that it was triggered and responds with `Hello, world!`:

+```json

+{

+ "bindings": [

+ {

+ "type": "httpTrigger",

+ "direction": "in",

+ "name": "req",

+ "authLevel": "anonymous",

+ "methods": [

+ "get",

+ "post"

+ ]

+ },

+ {

+ "type": "http",

+ "direction": "out",

+ "name": "res"

+ }

+ ]

+}

+```

+module.exports = async function (context, request) {

+ context.log('Http function was triggered.');

+ context.res = { body: 'Hello, world!' };

+The programming model loads your functions based on the `main` field in your `package.json`. This field can be set to a single file like `src/index.js` or a [glob pattern](https://wikipedia.org/wiki/Glob_(programming)) specifying multiple files like `src/functions/*.js`.

+In order to register a function, you must import the `app` object from the `@azure/functions` npm module and call the method specific to your trigger type. The first argument when registering a function is the function name. The second argument is an `options` object specifying configuration for your trigger, your handler, and any other inputs or outputs. In some cases where trigger configuration isn't necessary, you can pass the handler directly as the second argument instead of an `options` object.

+Registering a function can be done from any file in your project, as long as that file is loaded (directly or indirectly) based on the `main` field in your `package.json` file. The function should be registered at a global scope because you can't register functions once executions have started.

+The following example is a simple function that logs that it was triggered and responds with `Hello, world!`:

+const { app } = require('@azure/functions');

+app.http('httpTrigger1', {

+ methods: ['POST', 'GET'],

+ handler: async (request, context) => {

+ context.log('Http function was triggered.');

+ return { body: 'Hello, world!' };

+ }

+});

+<a name="bindings"></a>

+## Inputs and outputs

+Your function is required to have exactly one primary input called the trigger. It may also have secondary inputs and/or outputs. Inputs and outputs are configured in your `function.json` files and are also referred to as [bindings](./functions-triggers-bindings.md).

+Inputs are bindings with `direction` set to `in`. The main difference between a trigger and a secondary input is that the `type` for a trigger ends in `Trigger`, for example type [`blobTrigger`](./functions-bindings-storage-blob-trigger.md) vs type [`blob`](./functions-bindings-storage-blob-input.md). Most functions only use a trigger, and not many secondary input types are supported.

+Inputs can be accessed in several ways:

+- **_[Recommended]_ As arguments passed to your function:** Use the arguments in the same order that they're defined in `function.json`. The `name` property defined in `function.json` doesn't need to match the name of your argument, although it's recommended for the sake of organization.

+ ```javascript

+ module.exports = async function (context, myTrigger, myInput, myOtherInput) { ... };

+ ```

+- **As properties of [`context.bindings`](#contextbindings):** Use the key matching the `name` property defined in `function.json`.

+ ```javascript

+ module.exports = async function (context) {

+ context.log("This is myTrigger: " + context.bindings.myTrigger);

+ context.log("This is myInput: " + context.bindings.myInput);

+ context.log("This is myOtherInput: " + context.bindings.myOtherInput);

+ };

+ ```

+<a name="returning-from-the-function"></a>

+Outputs are bindings with `direction` set to `out` and can be set in several ways:

+- **_[Recommended for single output]_ Return the value directly:** If you're using an async function, you can return the value directly. You must change the `name` property of the output binding to `$return` in `function.json` like in the following example:

+ ```json

+ {

+ "name": "$return",

+ "type": "http",

+ "direction": "out"

+ }

+ ```

+ ```javascript

+ module.exports = async function (context, request) {

+ return {

+ body: "Hello, world!"

+ };

+ }

+ ```

+- **_[Recommended for multiple outputs]_ Return an object containing all outputs:** If you're using an async function, you can return an object with a property matching the name of each binding in your `function.json`. The following example uses output bindings named "httpResponse" and "queueOutput":

+ ```json

+ {

+ "name": "httpResponse",

+ "type": "http",

+ "direction": "out"

+ },

+ {

+ "name": "queueOutput",

+ "type": "queue",

+ "direction": "out",

+ "queueName": "helloworldqueue",

+ "connection": "storage_APPSETTING"

+ }

+ ```

+ ```javascript

+ module.exports = async function (context, request) {

+ let message = 'Hello, world!';

+ return {

+ httpResponse: {

+ body: message

+ },

+ queueOutput: message

+ };

+ };

+ ```

+- **Set values on `context.bindings`:** If you're not using an async function or you don't want to use the previous options, you can set values directly on `context.bindings`, where the key matches the name of the binding. The following example uses output bindings named "httpResponse" and "queueOutput":

+ ```json

+ {

+ "name": "httpResponse",

+ "type": "http",

+ "direction": "out"

+ },

+ {

+ "name": "queueOutput",

+ "type": "queue",

+ "direction": "out",

+ "queueName": "helloworldqueue",

+ "connection": "storage_APPSETTING"

+ }

+ ```

+ ```javascript

+ module.exports = async function (context, request) {

+ let message = 'Hello, world!';

+ context.bindings.httpResponse = {

+ body: message

+ };

+ context.bindings.queueOutput = message;

+ };

+ ```

+### Bindings data type

+You can use the `dataType` property on an input binding to change the type of your input, however it has some limitations:

+- In Node.js, only `string` and `binary` are supported (`stream` isn't)

+- For HTTP inputs, the `dataType` property is ignored. Instead, use properties on the `request` object to get the body in your desired format. For more information, see [HTTP request](#http-request).

+In the following example of a [storage queue trigger](./functions-bindings-storage-queue-trigger.md), the default type of `myQueueItem` is a `string`, but if you set `dataType` to `binary`, the type changes to a Node.js `Buffer`.

+```json

+{

+ "name": "myQueueItem",

+ "type": "queueTrigger",

+ "direction": "in",

+ "queueName": "helloworldqueue",

+ "connection": "storage_APPSETTING",

+ "dataType": "binary"

+}

+```

+```javascript

+const { Buffer } = require('node:buffer');

+module.exports = async function (context, myQueueItem) {

+ if (typeof myQueueItem === 'string') {

+ context.log('myQueueItem is a string');

+ } else if (Buffer.isBuffer(myQueueItem)) {

+ context.log('myQueueItem is a buffer');

+};

+Your function is required to have exactly one primary input called the trigger. It may also have secondary inputs, a primary output called the return output, and/or secondary outputs. Inputs and outputs are also referred to as [bindings](./functions-triggers-bindings.md) outside the context of the Node.js programming model. Before v4 of the model, these bindings were configured in `function.json` files.

+The return output is optional, and in some cases configured by default. For example, an HTTP trigger registered with `app.http` is configured to return an HTTP response output automatically. For most output types, you specify the return configuration on the `options` argument with the help of the `output` object exported from the `@azure/functions` module. During execution, you set this output by returning it from your handler.

+The following example uses a [timer trigger](./functions-bindings-timer.md) and a [storage queue output](./functions-bindings-storage-queue-output.md):

+The following example is a function triggered by a [storage queue](./functions-bindings-storage-queue-trigger.md), with an extra [storage blob input](./functions-bindings-storage-blob-input.md) that is copied to an extra [storage blob output](./functions-bindings-storage-blob-output.md). The queue message should be the name of a file and replaces `{queueTrigger}` as the blob name to be copied, with the help of a [binding expression](./functions-bindings-expressions-patterns.md).

+The following example is a simple HTTP triggered function using generic methods instead of type-specific methods.

+<a name="context-object"></a>

+## Invocation context

+Each invocation of your function is passed an invocation `context` object, used to read inputs, set outputs, write to logs, and read various metadata. In the v3 model, the context object is always the first argument passed to your handler.

+The `context` object has the following properties:

+| Property | Description |

+| | |

+| **`invocationId`** | The ID of the current function invocation. |

+| **`executionContext`** | See [execution context](#contextexecutioncontext). |

+| **`bindings`** | See [bindings](#contextbindings). |

+| **`bindingData`** | Metadata about the trigger input for this invocation, not including the value itself. For example, an [event hub trigger](./functions-bindings-event-hubs-trigger.md) has an `enqueuedTimeUtc` property. |

+| **`traceContext`** | The context for distributed tracing. For more information, see [`Trace Context`](https://www.w3.org/TR/trace-context/). |

+| **`bindingDefinitions`** | The configuration of your inputs and outputs, as defined in `function.json`. |

+| **`req`** | See [HTTP request](#http-request). |

+| **`res`** | See [HTTP response](#http-response). |

+### context.executionContext

+The `context.executionContext` object has the following properties:

+| Property | Description |

+| | |

+| **`invocationId`** | The ID of the current function invocation. |

+| **`functionName`** | The name of the function that is being invoked. The name of the folder containing the `function.json` file determines the name of the function. |

+| **`functionDirectory`** | The folder containing the `function.json` file. |

+| **`retryContext`** | See [retry context](#contextexecutioncontextretrycontext). |

+#### context.executionContext.retryContext

+The `context.executionContext.retryContext` object has the following properties:

+| Property | Description |

+| | |

+| **`retryCount`** | A number representing the current retry attempt. |

+| **`maxRetryCount`** | Maximum number of times an execution is retried. A value of `-1` means to retry indefinitely. |

+| **`exception`** | Exception that caused the retry. |

+<a name="contextbindings-property"></a>

+### context.bindings

+The `context.bindings` object is used to read inputs or set outputs. The following example is a [storage queue trigger](./functions-bindings-storage-queue-trigger.md), which uses `context.bindings` to copy a [storage blob input](./functions-bindings-storage-blob-input.md) to a [storage blob output](./functions-bindings-storage-blob-output.md). The queue message's content replaces `{queueTrigger}` as the file name to be copied, with the help of a [binding expression](./functions-bindings-expressions-patterns.md).

+ "name": "myQueueItem",

+ "type": "queueTrigger",

+ "direction": "in",

+ "connection": "storage_APPSETTING",

+ "queueName": "helloworldqueue"

+ "name": "myInput",

+ "type": "blob",

+ "direction": "in",

+ "connection": "storage_APPSETTING",

+ "path": "helloworld/{queueTrigger}"

+},

+{

+ "name": "myOutput",

+ "type": "blob",

+ "direction": "out",

+ "connection": "storage_APPSETTING",

+ "path": "helloworld/{queueTrigger}-copy"

+module.exports = async function (context, myQueueItem) {

+ const blobValue = context.bindings.myInput;

+ context.bindings.myOutput = blobValue;

+};

+<a name="contextdone-method"></a>

+### context.done

+The `context.done` method is deprecated. Before async functions were supported, you would signal your function is done by calling `context.done()`:

+```javascript

+module.exports = function (context, request) {

+ context.log("this pattern is now deprecated");

+ context.done();

+};

+```

+Now, it's recommended to remove the call to `context.done()` and mark your function as async so that it returns a promise (even if you don't `await` anything). As soon as your function finishes (in other words, the returned promise resolves), the v3 model knows your function is done.

+module.exports = async function (context, request) {

+ context.log("you don't need context.done or an awaited call")

+Each invocation of your function is passed an invocation `context` object, with information about your invocation and methods used for logging. In the v4 model, the `context` object is typically the second argument passed to your handler.

+The `InvocationContext` class has the following properties:

+| Property | Description |

+| | |

+| **`invocationId`** | The ID of the current function invocation. |

+| **`functionName`** | The name of the function. |

+| **`extraInputs`** | Used to get the values of extra inputs. For more information, see [extra inputs and outputs](#extra-inputs-and-outputs). |

+| **`extraOutputs`** | Used to set the values of extra outputs. For more information, see [extra inputs and outputs](#extra-inputs-and-outputs). |

+| **`retryContext`** | See [retry context](#retry-context). |

+| **`traceContext`** | The context for distributed tracing. For more information, see [`Trace Context`](https://www.w3.org/TR/trace-context/). |

+| **`triggerMetadata`** | Metadata about the trigger input for this invocation, not including the value itself. For example, an [event hub trigger](./functions-bindings-event-hubs-trigger.md) has an `enqueuedTimeUtc` property. |

+| **`options`** | The options used when registering the function, after they've been validated and with defaults explicitly specified. |

+### Retry context

+The `retryContext` object has the following properties:

+| Property | Description |

+| | |

+| **`retryCount`** | A number representing the current retry attempt. |

+| **`maxRetryCount`** | Maximum number of times an execution is retried. A value of `-1` means to retry indefinitely. |

+| **`exception`** | Exception that caused the retry. |

+For more information, see [`retry-policies`](./functions-bindings-errors.md#retry-policies).

+<a name="contextlog-method"></a>

+<a name="write-trace-output-to-logs"></a>

+## Logging

+In Azure Functions, it's recommended to use `context.log()` to write logs. Azure Functions integrates with Azure Application Insights to better capture your function app logs. Application Insights, part of Azure Monitor, provides facilities for collection, visual rendering, and analysis of both application logs and your trace outputs. To learn more, see [monitoring Azure Functions](functions-monitoring.md).

+> [!NOTE]

+> If you use the alternative Node.js `console.log` method, those logs are tracked at the app-level and will *not* be associated with any specific function. It is *highly recommended* to use `context` for logging instead of `console` so that all logs are associated with a specific function.

+The following example writes a log at the default "information" level, including the invocation ID:

+context.log(`Something has happened. Invocation ID: "${context.invocationId}"`);

+<a name="trace-levels"></a>

+### Log levels

+In addition to the default `context.log` method, the following methods are available that let you write logs at specific levels:

+| Method | Description |

+| | - |

+| **`context.log.error()`** | Writes an error-level event to the logs. |

+| **`context.log.warn()`** | Writes a warning-level event to the logs. |

+| **`context.log.info()`** | Writes an information-level event to the logs. |

+| **`context.log.verbose()`** | Writes a trace-level event to the logs. |

+| Method | Description |

+| | - |

+| **`context.trace()`** | Writes a trace-level event to the logs. |

+| **`context.debug()`** | Writes a debug-level event to the logs. |

+| **`context.info()`** | Writes an information-level event to the logs. |

+| **`context.warn()`** | Writes a warning-level event to the logs. |

+| **`context.error()`** | Writes an error-level event to the logs. |

+<a name="configure-the-trace-level-for-logging"></a>

+### Configure log level

+Azure Functions lets you define the threshold level to be used when tracking and viewing logs. To set the threshold, use the `logging.logLevel` property in the `host.json` file. This property lets you define a default level applied to all functions, or a threshold for each individual function. To learn more, see [How to configure monitoring for Azure Functions](configure-monitoring.md).

+module.exports = async function (context, request) {

+<a name="http-triggers-and-bindings"></a>

+## HTTP triggers

+HTTP and webhook triggers use request and response objects to represent HTTP messages.

+HTTP and webhook triggers use `HttpRequest` and `HttpResponse` objects to represent HTTP messages. The classes represent a subset of the [fetch standard](https://developer.mozilla.org/docs/Web/API/fetch), using Node.js's [`undici`](https://undici.nodejs.org/) package.

+<a name="request-object"></a>

+<a name="accessing-the-request-and-response"></a>

+### HTTP Request

+The request can be accessed in several ways:

+- **As the second argument to your function:**

+ module.exports = async function (context, request) {

+ context.log(`Http function processed request for url "${request.url}"`);

+- **From the `context.req` property:**

+ module.exports = async function (context, request) {

+ context.log(`Http function processed request for url "${context.req.url}"`);

+- **From the named input bindings:** This option works the same as any non HTTP binding. The binding name in `function.json` must match the key on `context.bindings`, or "request1" in the following example:

+ "name": "request1",

+ "type": "httpTrigger",

+ "direction": "in",

+ "authLevel": "anonymous",

+ "methods": [

+ "get",

+ "post"

+ ]

+ ```

+ module.exports = async function (context, request) {

+ context.log(`Http function processed request for url "${context.bindings.request1.url}"`);

+The `HttpRequest` object has the following properties:

+| Property | Type | Description |

+| - | | -- |

+| **`method`** | `string` | HTTP request method used to invoke this function. |

+| **`url`** | `string` | Request URL. |

+| **`headers`** | `Record<string, string>` | HTTP request headers. This object is case sensitive. It's recommended to use `request.getHeader('header-name')` instead, which is case insensitive. |

+| **`query`** | `Record<string, string>` | Query string parameter keys and values from the URL. |

+| **`params`** | `Record<string, string>` | Route parameter keys and values. |

+| **`user`** | `HttpRequestUser | null` | Object representing logged-in user, either through Functions authentication, SWA Authentication, or null when no such user is logged in. |

+| **`body`** | `Buffer | string | any` | If the media type is "application/octet-stream" or "multipart/*", `body` is a Buffer. If the value is a JSON parse-able string, `body` is the parsed object. Otherwise, `body` is a string. |

+| **`rawBody`** | `Buffer | string` | If the media type is "application/octet-stream" or "multipart/*", `rawBody` is a Buffer. Otherwise, `rawBody` is a string. The only difference between `body` and `rawBody` is that `rawBody` doesn't JSON parse a string body. |

+| **`bufferBody`** | `Buffer` | The body as a buffer. |

+The request can be accessed as the first argument to your handler for an HTTP triggered function.

+| **`method`** | `string` | HTTP request method used to invoke this function. |

+| **`url`** | `string` | Request URL. |

+| **`headers`** | [`Headers`](https://developer.mozilla.org/docs/Web/API/Headers) | HTTP request headers. |

+| **`query`** | [`URLSearchParams`](https://developer.mozilla.org/docs/Web/API/URLSearchParams) | Query string parameter keys and values from the URL. |

+| **`params`** | `Record<string, string>` | Route parameter keys and values. |

+| **`body`** | [`ReadableStream | null`](https://developer.mozilla.org/docs/Web/API/ReadableStream) | Body as a readable stream. |

+| **`bodyUsed`** | `boolean` | A boolean indicating if the body has been read from already. |

+<a name="response-object"></a>

+### HTTP Response

+The response can be set in several ways:

+- **Set the `context.res` property:**

+ ```javascript

+ module.exports = async function (context, request) {

+ context.res = { body: `Hello, world!` };

+ ```

+- **Return the response:** If your function is async and you set the binding name to `$return` in your `function.json`, you can return the response directly instead of setting it on `context`.

+ ```json

+ {

+ "type": "http",

+ "direction": "out",

+ "name": "$return"

+ }

+ ```

+ ```javascript

+ module.exports = async function (context, request) {

+ return { body: `Hello, world!` };

+ ```

+- **Set the named output binding:** This option works the same as any non HTTP binding. The binding name in `function.json` must match the key on `context.bindings`, or "response1" in the following example:

+ ```json

+ {

+ "type": "http",

+ "direction": "out",

+ "name": "response1"

+ }

+ ```

+ ```javascript

+ module.exports = async function (context, request) {

+ context.bindings.response1 = { body: `Hello, world!` };

+ ```

+- **Call `context.res.send()`:** This option is deprecated. It implicitly calls `context.done()` and can't be used in an async function.

+ ```javascript

+ module.exports = function (context, request) {

+ context.res.send(`Hello, world!`);

+ ```

+If you create a new object when setting the response, that object must match the `HttpResponseSimple` interface, which has the following properties:

+| Property | Type | Description |

+| -- | - | -- |

+| **`headers`** | `Record<string, string>` (optional) | HTTP response headers. |

+| **`cookies`** | `Cookie[]` (optional) | HTTP response cookies. |

+| **`body`** | `any` (optional) | HTTP response body. |

+| **`statusCode`** | `number` (optional) | HTTP response status code. If not set, defaults to `200`. |

+| **`status`** | `number` (optional) | The same as `statusCode`. This property is ignored if `statusCode` is set. |

+You can also modify the `context.res` object without overwriting it. The default `context.res` object uses the `HttpResponseFull` interface, which supports the following methods in addition to the `HttpResponseSimple` properties:

+| Method | Description |

+| -- | -- |

+| **`status()`** | Sets the status. |

+| **`setHeader()`** | Sets a header field. NOTE: `res.set()` and `res.header()` are also supported and do the same thing. |

+| **`getHeader()`** | Get a header field. NOTE: `res.get()` is also supported and does the same thing. |

+| **`removeHeader()`** | Removes a header. |

+| **`type()`** | Sets the "content-type" header. |

+| **`send()`** | This method is deprecated. It sets the body and calls `context.done()` to indicate a sync function is finished. NOTE: `res.end()` is also supported and does the same thing. |

+| **`sendStatus()`** | This method is deprecated. It sets the status code and calls `context.done()` to indicate a sync function is finished. |

+| **`json()`** | This method is deprecated. It sets the "content-type" to "application/json", sets the body, and calls `context.done()` to indicate a sync function is finished. |

+The response can be set in several ways:

+- **As a simple interface with type `HttpResponseInit`:** This option is the most concise way of returning responses.

+ | **`body`** | `BodyInit` (optional) | HTTP response body as one of [`ArrayBuffer`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/ArrayBuffer), [`AsyncIterable<Uint8Array>`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Uint8Array), [`Blob`](https://developer.mozilla.org/docs/Web/API/Blob), [`FormData`](https://developer.mozilla.org/docs/Web/API/FormData), [`Iterable<Uint8Array>`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Uint8Array), [`NodeJS.ArrayBufferView`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/ArrayBuffer), [`URLSearchParams`](https://developer.mozilla.org/docs/Web/API/URLSearchParams), `null`, or `string`. |

+ | **`jsonBody`** | `any` (optional) | A JSON-serializable HTTP Response body. If set, the `HttpResponseInit.body` property is ignored in favor of this property. |

+ | **`headers`** | [`HeadersInit`](https://developer.mozilla.org/docs/Web/API/Headers) (optional) | HTTP response headers. |

+ | **`cookies`** | `Cookie[]` (optional) | HTTP response cookies. |

+- **As a class with type `HttpResponse`:** This option provides helper methods for reading and modifying various parts of the response like the headers.

+ | **`status`** | `number` | HTTP response status code. |

+ | **`headers`** | [`Headers`](https://developer.mozilla.org/docs/Web/API/Headers) | HTTP response headers. |

+ | **`cookies`** | `Cookie[]` | HTTP response cookies. |

+ | **`body`** | [`ReadableStream | null`](https://developer.mozilla.org/docs/Web/API/ReadableStream) | Body as a readable stream. |

+ | **`bodyUsed`** | `boolean` | A boolean indicating if the body has been read from already. |

+This scaling behavior is sufficient for many Node.js applications. For CPU-bound applications, you can improve performance further by using multiple language worker processes. You can increase the number of worker processes per host from the default of 1 up to a max of 10 by using the [FUNCTIONS_WORKER_PROCESS_COUNT](functions-app-settings.md#functions_worker_process_count) application setting. Azure Functions then tries to evenly distribute simultaneous function invocations across these workers. This behavior makes it less likely that a CPU-intensive function blocks other functions from running. The setting applies to each host that Azure Functions creates when scaling out your application to meet demand.

+> [!WARNING]

+> Use the `FUNCTIONS_WORKER_PROCESS_COUNT` setting with caution. Multiple processes running in the same instance can lead to unpredictable behavior and increase function load times. If you use this setting, it's *highly recommended* to offset these downsides by [running from a package file](./run-functions-from-deployment-package.md).

+<a name="access-environment-variables-in-code"></a>

+Environment variables can be useful for operational secrets (connection strings, keys, endpoints, etc.) or environmental settings such as profiling variables. You can add environment variables in both your local and cloud environments and access them through `process.env` in your function code.

+The following example logs the `WEBSITE_SITE_NAME` environment variable:

+```javascript

+module.exports = async function (context) {

+ context.log(`WEBSITE_SITE_NAME: ${process.env["WEBSITE_SITE_NAME"]}`);

+}

+```

+```javascript

+async function timerTrigger1(myTimer, context) {

+ context.log(`WEBSITE_SITE_NAME: ${process.env["WEBSITE_SITE_NAME"]}`);

+}

+```

+ "CUSTOM_ENV_VAR_1": "hello",

+ "CUSTOM_ENV_VAR_2": "world"

+### Worker environment variables

+There are several Functions environment variables specific to Node.js:

+#### languageWorkers__node__arguments

+This setting allows you to specify custom arguments when starting your Node.js process. It's most often used locally to start the worker in debug mode, but can also be used in Azure if you need custom arguments.

+> [!WARNING]

+> If possible, avoid using `languageWorkers__node__arguments` in Azure because it can have a negative effect on cold start times. Rather than using pre-warmed workers, the runtime has to start a new worker from scratch with your custom arguments.

+#### logging__logLevel__Worker

+This setting adjusts the default log level for Node.js-specific worker logs. By default, only warning or error logs are shown, but you can set it to `information` or `debug` to help diagnose issues with the Node.js worker. For more information, see [configuring log levels](./configure-monitoring.md#configure-log-levels).

+async function httpTrigger1(context, request) {

+async function httpTrigger1(request, context) {

+<project_root>/

+ | - node_modules/

+ | - myFirstFunction/

+ | - lib/

+ | - host.json

+The `function.json` for `myFirstFunction` should include a `scriptFile` property pointing to the file with the exported function to run.

+In the v3 model, a function must be exported using `module.exports` in order to be found and run. By default, the function that executes when triggered is the only export from that file, the export named `run`, or the export named `index`. The following example sets `entryPoint` in `function.json` to a custom value, "logHello":

+ "entryPoint": "logHello",

+async function logHello(context) {

+ context.log('Hello, world!');

+module.exports = { logHello };

+It's recommended to use VS Code for local debugging, which starts your Node.js process in debug mode automatically and attaches to the process for you. For more information, see [run the function locally](./create-first-function-vs-code-node.md#run-the-function-locally).

+If you're using a different tool for debugging or want to start your Node.js process in debug mode manually, add `"languageWorkers__node__arguments": "--inspect"` under `Values` in your [local.settings.json](./functions-develop-local.md#local-settings-file). The `--inspect` argument tells Node.js to listen for a debug client, on port 9229 by default. For more information, see the [Node.js debugging guide](https://nodejs.org/en/docs/guides/debugging-getting-started).

+<a name="considerations-for-javascript-functions"></a>

+## Recommendations

+This section describes several impactful patterns for Node.js apps that we recommend you follow.

+<a name="cold-start"></a>

+### Run from a package file

+When you develop Azure Functions in the serverless hosting model, cold starts are a reality. *Cold start* refers to the first time your function app starts after a period of inactivity, taking longer to start up. For JavaScript apps with large dependency trees in particular, cold start can be significant. To speed up the cold start process, [run your functions as a package file](run-functions-from-deployment-package.md) when possible. Many deployment methods use this model by default, but if you're experiencing large cold starts you should check to make sure you're running this way.

+<a name="connection-limits"></a>

+### Use a single static client

+When you use a service-specific client in an Azure Functions application, don't create a new client with every function invocation because you can hit connection limits. Instead, create a single, static client in the global scope. For more information, see [managing connections in Azure Functions](manage-connections.md).

+ - Unexpected behavior, such as missing logs from `context.log`, caused by asynchronous calls that aren't properly awaited.

+In the following example, the asynchronous method `fs.readFile` is invoked with an error-first callback function as its second parameter. This code causes both of the issues previously mentioned. An exception that isn't explicitly caught in the correct scope can crash the entire process (issue #1). Calling the deprecated `context.done()` method outside of the scope of the callback can signal the function is finished before the file is read (issue #2). In this example, calling `context.done()` too early results in missing log entries starting with `Data from file:`.

+Use the `async` and `await` keywords to help avoid both of these issues. Most APIs in the Node.js ecosystem have been converted to support promises in some form. For example, starting in v14, Node.js provides an `fs/promises` API to replace the `fs` callback API.

+In the following example, any unhandled exceptions thrown during the function execution only fail the individual invocation that raised the exception. The `await` keyword means that steps following `readFile` only execute after it's complete. With `async` and `await`, you also don't need to call the `context.done()` callback.

+const fs = require('fs/promises');

+ data = await fs.readFile('./hello.txt');

+- [Best practices for Azure Functions](functions-best-practices.md)

+- [Azure Functions developer reference](functions-reference.md)

+- [Azure Functions triggers and bindings](functions-triggers-bindings.md)

+ Title: Manage your Azure Maps account's pricing tier

+You can manage the pricing tier of your Azure Maps account through the Azure portal. You can also view or change your account's pricing tier after you create an [Azure account].

+Get more information about [choosing the right pricing tier in Azure Maps].

+> [!NOTE]

+> Switching to Gen 1 pricing tier is not available for Gen 2 Azure Maps Creator customers. Gen 1 Azure Maps Creator will be deprecated on 8/6/2021.

+After you create your Azure Maps account, you can upgrade or downgrade the pricing tier for your Azure Maps account. To upgrade or downgrade, navigate to the **Pricing Tier** option in the settings menu. Select the pricing tier from drop down list. Note ΓÇô current pricing tier is the default selection. Select the **Save** button to save your chosen pricing tier option.

+> [!div class="nextstepaction"]

+> [View usage metrics]

+[Azure account]: https://azure.microsoft.com/free/?WT.mc_id=A261C142F

+[View usage metrics]: how-to-view-api-usage.md

+[choosing the right pricing tier in Azure Maps]: choose-pricing-tier.md

+ Title: Request real-time and forecasted weather data using Azure Maps Weather services

+Azure Maps [Weather services] are a set of RESTful APIs that allows developers to integrate highly dynamic historical, real-time, and forecasted weather data and visualizations into their solutions.

+This article demonstrates how to request both real-time and forecasted weather data:

+* Request real-time (current) weather data using the [Get Current Conditions API].

+* Request severe weather alerts using the [Get Severe Weather Alerts API].

+* Request daily forecasts using the [Get Daily Forecast API].

+* Request hourly forecasts using the [Get Hourly Forecast API].

+* Request minute by minute forecasts using the [Get Minute Forecast API].

+ >The [Get Minute Forecast API] requires a Gen 1 (S1) or Gen 2 pricing tier. All other APIs require an S0 pricing tier key.

+This tutorial uses the [Postman] application, but you may choose a different API development environment.

+The [Get Current Conditions API] returns detailed weather conditions such as precipitation, temperature, and wind for a given coordinate location. Also, observations from the past 6 or 24 hours for a particular location can be retrieved. The response includes details like observation date and time, description of weather conditions, weather icon, precipitation indicator flags, and temperature. RealFeelΓäó Temperature and ultraviolet(UV) index are also returned.

+In this example, you use the [Get Current Conditions API] to retrieve current weather conditions at coordinates located in Seattle, WA.

+3. Select the blue **Send** button. The response body contains current weather information.

+Azure Maps [Get Severe Weather Alerts API] returns the severe weather alerts that are available worldwide from both official Government Meteorological Agencies and leading global to regional weather alert providers. The service returns details like alert type, category, level. The service also returns detailed descriptions about the active severe alerts for the requested location, such as hurricanes, thunderstorms, lightning, heat waves or forest fires. As an example, logistics managers can visualize severe weather conditions on a map, along with business locations and planned routes, and coordinate further with drivers and local workers.

+In this example, you use the [Get Severe Weather Alerts API] to retrieve current weather conditions at coordinates located in Cheyenne, WY.

+3. Select the blue **Send** button. If there are no severe weather alerts, the response body contains an empty `results[]` array. If there are severe weather alerts, the response body contains something like the following JSON response:

+The [Get Daily Forecast API] returns detailed daily weather forecast such as temperature and wind. The request can specify how many days to return: 1, 5, 10, 15, 25, or 45 days for a given coordinate location. The response includes details such as temperature, wind, precipitation, air quality, and UV index. In this example, we request for five days by setting `duration=5`.

+In this example, you use the [Get Daily Forecast API] to retrieve the five-day weather forecast for coordinates located in Seattle, WA.

+3. Select the blue **Send** button. The response body contains the five-day weather forecast data. For the sake of brevity, the following JSON response shows the forecast for the first day.

+The [Get Hourly Forecast API] returns detailed weather forecast by the hour for the next 1, 12, 24 (1 day), 72 (3 days), 120 (5 days), and 240 hours (10 days) for the given coordinate location. The API returns details such as temperature, humidity, wind, precipitation, and UV index.

+In this example, you use the [Get Hourly Forecast API] to retrieve the hourly weather forecast for the next 12 hours at coordinates located in Seattle, WA.

+3. Select the blue **Send** button. The response body contains weather forecast data for the next 12 hours. For the sake of brevity, the following JSON response shows the forecast for the first hour.

+ The [Get Minute Forecast API] returns minute-by-minute forecasts for a given location for the next 120 minutes. Users can request weather forecasts in intervals of 1, 5 and 15 minutes. The response includes details such as the type of precipitation (including rain, snow, or a mixture of both), start time, and precipitation intensity value (dBZ).

+In this example, you use the [Get Minute Forecast API] to retrieve the minute-by-minute weather forecast at coordinates located in Seattle, WA. The weather forecast is given for the next 120 minutes. Our query requests that the forecast is given at 15-minute intervals, but you can adjust the parameter to be either 1 or 5 minutes.

+3. Select the blue **Send** button. The response body contains weather forecast data for the next 120 minutes, in 15-minute intervals.

+> [Weather service concepts]

+> [Weather services]

+[Get Current Conditions API]: /rest/api/maps/weather/getcurrentconditions

+[Get Daily Forecast API]: /rest/api/maps/weather/getdailyforecast

+[Get Hourly Forecast API]: /rest/api/maps/weather/gethourlyforecast

+[Get Minute Forecast API]: /rest/api/maps/weather/getminuteforecast

+[Get Severe Weather Alerts API]: /rest/api/maps/weather/getsevereweatheralerts

+[Postman]: https://www.postman.com/

+[Weather service concepts]: weather-services-concepts.md

+[Weather services]: /rest/api/maps/weather

+Managed identities are only available when running on an Azure environment. As such, you must configure a service principal through an Azure AD application registration for the daemon application.

+If you have already created your application registration, go to [Assign delegated API permissions](#assign-delegated-api-permissions).

+5. Copy the secret and store it securely in a service such as Azure Key Vault. Also, use the secret in the [Request token with Managed Identity](#request-a-token-with-managed-identity) section of this article.

+This article uses the [Postman](https://www.postman.com/) application to create the token request, but you can use a different API development environment.

+Azure Monitor autoscaling allows you to scale the number of running instances in or out, based on telemetry data or metrics. Scaling can be based on any metric, even metrics from a different resource. For example, scale a Virtual Machine Scale Set based on the amount of traffic on a firewall.

+This article describes metrics that are commonly used to trigger scale events.

+Azure autoscale supports many resource types. For more information about supported resources, see [autoscale supported resources](./autoscale-overview.md#supported-services-for-autoscale).

+For all resources, you can get a list of the available metrics using the PowerShell or Azure CLI

+```azurepowershell

+Get-AzMetricDefinition -ResourceId <resource_id>

+```

+```azurecli

+az monitor metrics list-definitions --resource <resource_id>

+```

+## Compute metrics for Resource Manager-based VMs

+By default, Azure Resource Manager-based virtual machines and Virtual Machine Scale Sets emit basic (host-level) metrics. In addition, when you configure diagnostics data collection for an Azure VM and Virtual Machine Scale Sets, the Azure Diagnostics extension also emits guest-OS performance counters. These counters are commonly known as "guest-OS metrics." You use all these metrics in autoscale rules.

+If you're using Virtual Machine Scale Sets and you don't see a particular metric listed, it's likely *disabled* in your Diagnostics extension.

+The following host-level metrics are emitted by default for Azure VM and Virtual Machine Scale Sets in both Windows and Linux instances. These metrics describe your Azure VM but are collected from the Azure VM host rather than via agent installed on the guest VM. You can use these metrics in autoscaling rules.

+- [Host metrics for Resource Manager-based Windows and Linux Virtual Machine Scale Sets](../essentials/metrics-supported.md#microsoftcomputevirtualmachinescalesets)

+When you create a VM in Azure, diagnostics is enabled by using the Diagnostics extension. The Diagnostics extension emits a set of metrics taken from inside of the VM. This means you can autoscale using metrics that aren't emitted by default.

+for Web Apps, you can alert on or scale by these metrics.

+Configure this setting in the Azure portal in the **Settings** pane. For Virtual Machine Scale Sets, you can update the autoscale setting in the Resource Manager template to use `metricName` as `ApproximateMessageCount` and pass the ID of the storage queue as `metricResourceUri`.

+You can scale by Azure Service Bus queue length, which is the number of messages in the Service Bus queue. Service Bus queue length is a special metric, and the threshold is the number of messages per instance. For example, if there are two instances, and if the threshold is set to 100, scaling occurs when the total number of messages in the queue is 200. That amount can be 100 messages per instance, 120 plus 80, or any other combination that adds up to 200 or more.

+For Virtual Machine Scale Sets, you can update the autoscale setting in the Resource Manager template to use `metricName` as `ApproximateMessageCount` and pass the ID of the storage queue as `metricResourceUri`.

+> For Service Bus, the resource group concept doesn't exist. Azure Resource Manager creates a default resource group per region. The resource group is usually in the Default-ServiceBus-[region] format. Examples are Default-ServiceBus-EastUS, Default-ServiceBus-WestUS, and Default-ServiceBus-AustraliaEast.

+> [!NOTE]

+> Although you can create the Prometheus alert in a resource group different from the target resource, you should use the same resource group.

+ `workspace("00000000-0000-0000-0000-000000000000").Update | count`

+ workspace("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/ContosoAzureHQ/providers/Microsoft.OperationalInsights/workspaces/contosoretail-it").Update | count

+ `app("00000000-0000-0000-0000-000000000000").requests | count`

+ app("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/Fabrikam/providers/microsoft.insights/components/fabrikamapp").requests | count

+union

+ Update,

+ workspace("").Update, workspace("00000000-0000-0000-0000-000000000000").Update

+app('00000000-0000-0000-0000-000000000000').requests,

+app('00000000-0000-0000-0000-000000000001').requests,

+app('00000000-0000-0000-0000-000000000002').requests,

+app('00000000-0000-0000-0000-000000000003').requests,

+app('00000000-0000-0000-0000-000000000004').requests

+| parse SourceApp with * '(' applicationId ')' *

+| summarize count() by applicationId, bin(timestamp, 1h)

+* See [snapshots](snapshot-debugger-data.md?toc=/azure/azure-monitor/toc.json#view-snapshots-in-the-portal) in the Azure portal.

+ Title: View Application Insights Snapshot Debugger data

+description: View snapshots collected by the Snapshot Debugger in either the Azure portal or Visual Studio

+reviewer: cweining

+# View Application Insights Snapshot Debugger data

+Snapshots appear on [**Exceptions**](../app/asp-net-exceptions.md) in the Application Insights pane of the Azure portal.

+You can view debug snapshots in the portal to see the call stack and inspect variables at each call stack frame. To get a more powerful debugging experience with source code, open snapshots with Visual Studio Enterprise. You can also [set SnapPoints to interactively take snapshots](/visualstudio/debugger/debug-live-azure-applications) without waiting for an exception.

+## View Snapshots in the Portal

+After an exception has occurred in your application and a snapshot has been created, you should have snapshots to view in the Azure portal within 5 to 10 minutes. To view snapshots, in the **Failure** pane, either:

+* Select the **Operations** button when viewing the **Operations** tab, or

+* Select the **Exceptions** button when viewing the **Exceptions** tab.

+Select an operation or exception in the right pane to open the **End-to-End Transaction Details** pane, then select the exception event. If a snapshot is available for the given exception, an **Open Debug Snapshot** button appears on the right pane with details for the [exception](../app/asp-net-exceptions.md).

+In the Debug Snapshot view, you see a call stack and a variables pane. When you select frames of the call stack in the call stack pane, you can view local variables and parameters for that function call in the variables pane.

+Snapshots might include sensitive information. By default, you can only view snapshots if you've been assigned the `Application Insights Snapshot Debugger` role.

+## View Snapshots in Visual Studio 2017 Enterprise or above

+1. Click the **Download Snapshot** button to download a `.diagsession` file, which can be opened by Visual Studio Enterprise.

+1. To open the `.diagsession` file, you need to have the Snapshot Debugger Visual Studio component installed. The Snapshot Debugger component is a required component of the ASP.NET workload in Visual Studio and can be selected from the Individual Component list in the Visual Studio installer. If you're using a version of Visual Studio before Visual Studio 2017 version 15.5, you'll need to install the extension from the [Visual Studio Marketplace](https://aka.ms/snapshotdebugger).

+1. After you open the snapshot file, the Minidump Debugging page in Visual Studio appears. Click **Debug Managed Code** to start debugging the snapshot. The snapshot opens to the line of code where the exception was thrown so that you can debug the current state of the process.

+ :::image type="content" source="./media/snapshot-debugger/open-snapshot-visual-studio.png" alt-text="Screenshot showing the debug snapshot in Visual Studio.":::

+The downloaded snapshot includes any symbol files that were found on your web application server. These symbol files are required to associate snapshot data with source code. For App Service apps, make sure to enable symbol deployment when you publish your web apps.

+## Next steps

+Enable the Snapshot Debugger in your:

+- [App Service](./snapshot-debugger-app-service.md)

+- [Function App](./snapshot-debugger-function-app.md)

+- [Virtual machine or other Azure service](./snapshot-debugger-vm.md)

+* [View snapshots](snapshot-debugger-data.md?toc=/azure/azure-monitor/toc.json#view-snapshots-in-the-portal) in the Azure portal.

+For the latest updates and bug fixes [consult the release notes](./snapshot-debugger.md#release-notes-for-microsoftapplicationinsightssnapshotcollector).

+- See [snapshots](snapshot-debugger-data.md?toc=/azure/azure-monitor/toc.json#view-snapshots-in-the-portal) in the Azure portal.

+- Monitors system-generated logs from your web app.

+- Collects snapshots on your top-throwing exceptions.

+- Provides information you need to diagnose issues in production.

+To use the Snapshot Debugger, you simply:

+1. Include the [Snapshot collector NuGet package](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) in your application

+1. Configure collection parameters in [`ApplicationInsights.config`](../app/configuration-with-applicationinsights-config.md).

+## How snapshots work

+The Snapshot Debugger is implemented as an [Application Insights Telemetry Processor](../app/configuration-with-applicationinsights-config.md#telemetry-processors-aspnet). When your application runs, the Snapshot Debugger Telemetry Processor is added to your application's system-generated logs pipeline.

+Each time your application calls [TrackException](../app/asp-net-exceptions.md#exceptions), the Snapshot Debugger computes a Problem ID from the type of exception being thrown and the throwing method.

+Each time your application calls `TrackException`, a counter is incremented for the appropriate Problem ID. When the counter reaches the `ThresholdForSnapshotting` value, the Problem ID is added to a Collection Plan.

+The Snapshot Debugger also monitors exceptions as they're thrown by subscribing to the [AppDomain.CurrentDomain.FirstChanceException](/dotnet/api/system.appdomain.firstchanceexception) event. When that event fires, the Problem ID of the exception is computed and compared against the Problem IDs in the Collection Plan.

+If there's a match, then a snapshot of the running process is created. The snapshot is assigned a unique identifier and the exception is stamped with that identifier. After the `FirstChanceException` handler returns, the thrown exception is processed as normal. Eventually, the exception reaches the `TrackException` method again where it, along with the snapshot identifier, is reported to Application Insights.

+The main process continues to run and serve traffic to users with little interruption. Meanwhile, the snapshot is handed off to the Snapshot Uploader process. The Snapshot Uploader creates a minidump and uploads it to Application Insights along with any relevant symbol (*.pdb*) files.

+> [!TIP]

+> * A process snapshot is a suspended clone of the running process.

+> * Creating the snapshot takes about 10 to 20 milliseconds.

+> * The default value for `ThresholdForSnapshotting` is 1. This is also the minimum value. Therefore, your app has to trigger the same exception **twice** before a snapshot is created.

+> * Set `IsEnabledInDeveloperMode` to true if you want to generate snapshots while debugging in Visual Studio.

+> * The snapshot creation rate is limited by the `SnapshotsPerTenMinutesLimit` setting. By default, the limit is one snapshot every ten minutes.

+> * No more than 50 snapshots per day may be uploaded.

+## Supported applications and environments

+### Applications

+.NET Core versions prior to LTS are out of support and not recommended.

+### Environments

+If you've enabled Snapshot Debugger but aren't seeing snapshots, check the [Troubleshooting guide](snapshot-debugger-troubleshoot.md).

+## Required permissions

+Access to snapshots is protected by Azure role-based access control (Azure RBAC). To inspect a snapshot, you must first be added to the [Application Insights Snapshot Debugger](../../role-based-access-control/role-assignments-portal.md) role. Subscription owners can assign this role to individual users or groups for the target **Application Insights Snapshot**.

+## Release notes for `Microsoft.ApplicationInsights.SnapshotCollector`

+This article contains the releases notes for the Microsoft.ApplicationInsights.SnapshotCollector NuGet package for .NET applications, which is used by the Application Insights Snapshot Debugger.

+[Learn](./snapshot-debugger.md) more about the Application Insights Snapshot Debugger for .NET applications.

+For bug reports and feedback, [open an issue on GitHub](https://github.com/microsoft/ApplicationInsights-SnapshotCollector)

+### [1.4.3](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.4.3)

+A point release to address user-reported bugs.

+#### Bug fixes

+- Fix [Hide the IDMS dependency from dependency tracker.](https://github.com/microsoft/ApplicationInsights-SnapshotCollector/issues/17)

+- Fix [ArgumentException: telemetryProcessorTypedoes not implement ITelemetryProcessor.](https://github.com/microsoft/ApplicationInsights-SnapshotCollector/issues/19)

+<br>Snapshot Collector used via SDK is not supported when Interop feature is enabled. [See more not supported scenarios.](snapshot-debugger-troubleshoot.md#not-supported-scenarios)

+### [1.4.2](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.4.2)

+A point release to address a user-reported bug.

+#### Bug fixes

+- Fix [ArgumentException: Delegates must be of the same type.](https://github.com/microsoft/ApplicationInsights-SnapshotCollector/issues/16)

+### [1.4.1](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.4.1)

+A point release to revert a breaking change introduced in 1.4.0.

+#### Bug fixes

+- Fix [Method not found in WebJobs](https://github.com/microsoft/ApplicationInsights-SnapshotCollector/issues/15)

+### [1.4.0](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.4.0)

+Address multiple improvements and added support for Azure Active Directory (Azure AD) authentication for Application Insights ingestion.

+#### Changes

+- Snapshot Collector package size reduced by 60%. From 10.34 MB to 4.11 MB.

+- Target netstandard2.0 only in Snapshot Collector.

+- Bump Application Insights SDK dependency to 2.15.0.

+- Add back MinidumpWithThreadInfo when writing dumps.

+- Add CompatibilityVersion to improve synchronization between Snapshot Collector agent and uploader on breaking changes.

+- Change SnapshotUploader LogFile naming algorithm to avoid excessive file I/O in App Service.

+- Add pid, role name, and process start time to uploaded blob metadata.

+- Use System.Diagnostics.Process where possible in Snapshot Collector and Snapshot Uploader.

+#### New features

+- Add Azure Active Directory authentication to SnapshotCollector. Learn more about Azure AD authentication in Application Insights [here](../app/azure-ad-authentication.md).

+### [1.3.7.5](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.7.5)

+A point release to backport a fix from 1.4.0-pre.

+#### Bug fixes

+- Fix [ObjectDisposedException on shutdown](https://github.com/microsoft/ApplicationInsights-dotnet/issues/2097).

+### [1.3.7.4](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.7.4)

+A point release to address a problem discovered in testing Azure App Service's codeless attach scenario.

+#### Changes

+- The netcoreapp3.0 target now depends on Microsoft.ApplicationInsights.AspNetCore >= 2.1.1 (previously >= 2.1.2).

+### [1.3.7.3](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.7.3)

+A point release to address a couple of high-impact issues.

+#### Bug fixes

+- Fixed PDB discovery in the wwwroot/bin folder, which was broken when we changed the symbol search algorithm in 1.3.6.

+- Fixed noisy ExtractWasCalledMultipleTimesException in telemetry.

+### [1.3.7](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.7)

+#### Changes

+- The netcoreapp2.0 target of SnapshotCollector depends on Microsoft.ApplicationInsights.AspNetCore >= 2.1.1 (again). This reverts behavior to how it was before 1.3.5. We tried to upgrade it in 1.3.6, but it broke some Azure App Service scenarios.

+#### New features

+- Snapshot Collector reads and parses the ConnectionString from the APPLICATIONINSIGHTS_CONNECTION_STRING environment variable or from the TelemetryConfiguration. Primarily, this is used to set the endpoint for connecting to the Snapshot service. For more information, see the [Connection strings documentation](../app/sdk-connection-string.md).

+#### Bug fixes

+- Switched to using HttpClient for all targets except net45 because WebRequest was failing in some environments due to an incompatible SecurityProtocol (requires TLS 1.2).

+### [1.3.6](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.6)

+#### Changes

+- SnapshotCollector now depends on Microsoft.ApplicationInsights >= 2.5.1 for all target frameworks. This may be a breaking change if your application depends on an older version of the Microsoft.ApplicationInsights SDK.

+- Remove support for TLS 1.0 and 1.1 in Snapshot Uploader.

+- Period of PDB scans now defaults 24 hours instead of 15 minutes. Configurable via PdbRescanInterval on SnapshotCollectorConfiguration.

+- PDB scan searches top-level folders only, instead of recursive. This may be a breaking change if your symbols are in subfolders of the binary folder.

+#### New features

+- Log rotation in SnapshotUploader to avoid filling the logs folder with old files.

+- Deoptimization support (via ReJIT on attach) for .NET Core 3.0 applications.

+- Add symbols to NuGet package.

+- Set additional metadata when uploading minidumps.

+- Added an Initialized property to SnapshotCollectorTelemetryProcessor. It's a CancellationToken, which will be canceled when the Snapshot Collector is completely initialized and connected to the service endpoint.

+- Snapshots can now be captured for exceptions in dynamically generated methods. For example, the compiled expression trees generated by Entity Framework queries.

+#### Bug fixes

+- AmbiguousMatchException loading Snapshot Collector due to Status Monitor.

+- GetSnapshotCollector extension method now searches all TelemetrySinks.

+- Don't start the Snapshot Uploader on unsupported platforms.

+- Handle InvalidOperationException when deoptimizing dynamic methods (for example, Entity Framework)

+### [1.3.5](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.5)

+- Add support for Sovereign clouds (Older versions won't work in sovereign clouds)

+- Adding snapshot collector made easier by using AddSnapshotCollector(). More information can be found [here](./snapshot-debugger-app-service.md).

+- Use FISMA MD5 setting for verifying blob blocks. This avoids the default .NET MD5 crypto algorithm, which is unavailable when the OS is set to FIPS-compliant mode.

+- Ignore .NET Framework frames when deoptimizing function calls. This behavior can be controlled by the DeoptimizeIgnoredModules configuration setting.

+- Add `DeoptimizeMethodCount` configuration setting that allows deoptimization of more than one function call. More information here

+### [1.3.4](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.4)

+- Allow structured Instrumentation Keys.

+- Increase SnapshotUploader robustness - continue startup even if old uploader logs can't be moved.

+- Re-enabled reporting additional telemetry when SnapshotUploader.exe exits immediately (was disabled in 1.3.3).

+- Simplify internal telemetry.

+- _Experimental feature_: Snappoint collection plans: Add "snapshotOnFirstOccurence". More information available [here](https://gist.github.com/alexaloni/5b4d069d17de0dabe384ea30e3f21dfe).

+### [1.3.3](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.3)

+- Fixed bug that was causing SnapshotUploader.exe to stop responding and not upload snapshots for .NET Core apps.

+### [1.3.2](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.2)

+- _Experimental feature_: Snappoint collection plans. More information available [here](https://gist.github.com/alexaloni/5b4d069d17de0dabe384ea30e3f21dfe).

+- SnapshotUploader.exe will exit when the runtime unloads the AppDomain from which SnapshotCollector is loaded, instead of waiting for the process to exit. This improves the collector reliability when hosted in IIS.

+- Add configuration to allow multiple SnapshotCollector instances that are using the same Instrumentation Key to share the same SnapshotUploader process: ShareUploaderProcess (defaults to `true`).

+- Report additional telemetry when SnapshotUploader.exe exits immediately.

+- Reduced the number of support files SnapshotUploader.exe needs to write to disk.

+### [1.3.1](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.1)

+- Remove support for collecting snapshots with the RtlCloneUserProcess API and only support PssCaptureSnapshots API.

+- Increase the default limit on how many snapshots can be captured in 10 minutes from 1 to 3.

+- Allow SnapshotUploader.exe to negotiate TLS 1.1 and 1.2

+- Report additional telemetry when SnapshotUploader logs a warning or an error

+- Stop taking snapshots when the backend service reports the daily quota was reached (50 snapshots per day)

+- Add extra check in SnapshotUploader.exe to not allow two instances to run in the same time.

+### [1.3.0](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.0)

+#### Changes

+- For applications targeting .NET Framework, Snapshot Collector now depends on Microsoft.ApplicationInsights version 2.3.0 or above.

+It used to be 2.2.0 or above.

+We believe this won't be an issue for most applications, but let us know if this change prevents you from using the latest Snapshot Collector.

+- Use exponential back-off delays in the Snapshot Uploader when retrying failed uploads.

+- Use ServerTelemetryChannel (if available) for more reliable reporting of telemetry.

+- Use 'SdkInternalOperationsMonitor' on the initial connection to the Snapshot Debugger service so that it's ignored by dependency tracking.

+- Improve telemetry around initial connection to the Snapshot Debugger service.

+- Report additional telemetry for:

+ - Azure App Service version.

+ - Azure compute instances.

+ - Containers.

+ - Azure Function app.

+#### Bug fixes

+- When the problem counter reset interval is set to 24 days, interpret that as 24 hours.

+- Fixed a bug where the Snapshot Uploader would stop processing new snapshots if there was an exception while disposing a snapshot.

+### [1.2.3](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.2.3)

+- Fix strong-name signing with Snapshot Uploader binaries.

+### [1.2.2](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.2.2)

+#### Changes

+- The files needed for SnapshotUploader(64).exe are now embedded as resources in the main DLL. That means the SnapshotCollectorFiles folder is no longer created, simplifying build and deployment and reducing clutter in Solution Explorer. Take care when upgrading to review the changes in your `.csproj` file. The `Microsoft.ApplicationInsights.SnapshotCollector.targets` file is no longer needed.

+- Telemetry is logged to your Application Insights resource even if ProvideAnonymousTelemetry is set to false. This is so we can implement a health check feature in the Azure portal. ProvideAnonymousTelemetry affects only the telemetry sent to Microsoft for product support and improvement.

+- When the TempFolder or ShadowCopyFolder are redirected to environment variables, keep the collector idle until those environment variables are set.

+- For applications that connect to the Internet via a proxy server, Snapshot Collector will now autodetect any proxy settings and pass them on to SnapshotUploader.exe.

+- Lower the priority of the SnapshotUplaoder process (where possible). This priority can be overridden via the IsLowPrioirtySnapshotUploader option.

+- Added a GetSnapshotCollector extension method on TelemetryConfiguration for scenarios where you want to configure the Snapshot Collector programmatically.

+- Set the Application Insights SDK version (instead of the application version) in customer-facing telemetry.

+- Send the first heartbeat event after two minutes.

+#### Bug fixes

+- Fix NullReferenceException when exceptions have null or immutable Data dictionaries.

+- In the uploader, retry PDB matching a few times if we get a sharing violation.

+- Fix duplicate telemetry when more than one thread calls into the telemetry pipeline at startup.

+### [1.2.1](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.2.1)

+#### Changes

+- XML Doc comment files are now included in the NuGet package.

+- Added an ExcludeFromSnapshotting extension method on `System.Exception` for scenarios where you know you have a noisy exception and want to avoid creating snapshots for it.

+- Added an IsEnabledWhenProfiling configuration property, defaults to true. This is a change from previous versions where snapshot creation was temporarily disabled if the Application Insights Profiler was performing a detailed collection. The old behavior can be recovered by setting this property to false.

+#### Bug fixes

+- Sign SnapshotUploader64.exe properly.

+- Protect against double-initialization of the telemetry processor.

+- Prevent double logging of telemetry in apps with multiple pipelines.

+- Fix a bug with the expiration time of a collection plan, which could prevent snapshots after 24 hours.

+### [1.2.0](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.2.0)

+The biggest change in this version (hence the move to a new minor version number) is a rewrite of the snapshot creation and handling pipeline. In previous versions, this functionality was implemented in native code (ProductionBreakpoints*.dll and SnapshotHolder*.exe). The new implementation is all managed code with P/Invokes. For this first version using the new pipeline, we haven't strayed far from the original behavior. The new implementation allows for better error reporting and sets us up for future improvements.

+#### Other changes in this version

+- MinidumpUploader.exe has been renamed to SnapshotUploader.exe (or SnapshotUploader64.exe).

+- Added timing telemetry to DeOptimize/ReOptimize requests.

+- Added gzip compression for minidump uploads.

+- Fixed a problem where PDBs were locked preventing site upgrade.

+- Log the original folder name (SnapshotCollectorFiles) when shadow-copying.

+- Adjust memory limits for 64-bit processes to prevent site restarts due to OOM.

+- Fix an issue where snapshots were still collected even after disabling.

+- Log heartbeat events to customer's AI resource.

+- Improve snapshot speed by removing "Source" from Problem ID.

+### [1.1.2](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.1.2)

+#### Changes

+- Augmented usage telemetry

+- Detect and report .NET version and OS

+- Detect and report additional Azure Environments (Cloud Service, Service Fabric)

+- Record and report exception metrics (number of 1st chance exceptions and number of TrackException calls) in Heartbeat telemetry.

+#### Bug fixes

+- Correct handling of SqlException where the inner exception (Win32Exception) isn't thrown.

+- Trim trailing spaces on symbol folders, which caused an incorrect parse of command-line arguments to the MinidumpUploader.

+- Prevent infinite retry of failed connections to the Snapshot Debugger agent's endpoint.

+### [1.1.0](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.1.0)

+#### Changes

+- Added host memory protection. This feature reduces the impact on the host machine's memory.

+- Improve the Azure portal snapshot viewing experience.

+Snapshot-Debugger|[Release notes for Microsoft.ApplicationInsights.SnapshotCollector](./snapshot-debugger/snapshot-debugger.md#release-notes-for-microsoftapplicationinsightssnapshotcollector)|Removing the TSG from the Azure Monitor TOC and adding to the support TOC.|

+|[Use predictive autoscale to scale out before load demands in Virtual Machine Scale Sets (preview)](autoscale/autoscale-predictive.md)|Predictive autoscale (preview) is now available in all regions.|

+3. To customize the information displayed for the resource groups, select **Edit columns**. The following screenshot shows the additional columns you could add to the display:

+FIRSTNAME=$1

+LASTNAME=$2

+OUTPUT="{\"name\":{\"displayName\":\"$FIRSTNAME $LASTNAME\",\"firstName\":\"$FIRSTNAME\",\"lastName\":\"$LASTNAME\"}}"

+echo $OUTPUT | jq -r '.name.displayName'

+ mkdir create_web_app

+ cd create_web_app

+The _create_web_app_ folder is the folder where the template is stored. The `pwd` command shows the folder path. The path is where you save the template to in the following procedure.

+Instead of creating the templates, you can download the templates and save them to the _create_web_app_ folder.

+1. Change directory to the _create_web_app_ folder in your local repository.

+1. Browse to your GitHub repository from a browser. The URL is `https://github.com/[YourAccountName]/[YourGitHubRepository]`. You shall see the _create_web_app_ folder and the two files inside the folder.

+* Create a GitHub repository, and save the templates to the _create_web_app_ folder in the repository.

+ Title: Disable local (access key) authentication with Azure SignalR Service

+description: This article provides information about how to disable access key authentication and use only Azure AD authentication with Azure SignalR Service.

+# Disable local (access key) authentication with Azure SignalR Service

+There are two ways to authenticate to Azure SignalR Service resources: Azure Active Directory (Azure AD) and Access Key. Azure AD provides superior security and ease of use over access key. With Azure AD, thereΓÇÖs no need to store the tokens in your code and risk potential security vulnerabilities. We recommend that you use Azure AD with your Azure SignalR Service resources when possible.

+> [!IMPORTANT]

+> Disabling local authentication can have following influences.

+> - The current set of access keys will be permanently deleted.

+> - Tokens signed with current set of access keys will become unavailable.

+## Use Azure portal

+In this section, you will learn how to use the Azure portal to disable local authentication.

+1. Navigate to your SignalR Service resource in the [Azure portal](https://portal.azure.com).

+2. in the **Settings** section of the menu sidebar, select **Keys** tab.

+3. Select **Disabled** for local authentication.

+4. Click **Save** button.

+

+## Use Azure Resource Manager template

+You can disable local authentication by setting `disableLocalAuth` property to true as shown in the following Azure Resource Manager template.

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "resource_name": {

+ "defaultValue": "test-for-disable-aad",

+ "type": "String"

+ }

+ },

+ "variables": {},

+ "resources": [

+ {

+ "type": "Microsoft.SignalRService/SignalR",

+ "apiVersion": "2022-08-01-preview",

+ "name": "[parameters('resource_name')]",

+ "location": "eastus",

+ "sku": {

+ "name": "Premium_P1",

+ "tier": "Premium",

+ "size": "P1",

+ "capacity": 1

+ },

+ "kind": "SignalR",

+ "properties": {

+ "tls": {

+ "clientCertEnabled": false

+ },

+ "features": [

+ {

+ "flag": "ServiceMode",

+ "value": "Default",

+ "properties": {}

+ },

+ {

+ "flag": "EnableConnectivityLogs",

+ "value": "True",

+ "properties": {}

+ }

+ ],

+ "cors": {

+ "allowedOrigins": [

+ "*"

+ ]

+ },

+ "serverless": {

+ "connectionTimeoutInSeconds": 30

+ },

+ "upstream": {},

+ "networkACLs": {

+ "defaultAction": "Deny",

+ "publicNetwork": {

+ "allow": [

+ "ServerConnection",

+ "ClientConnection",

+ "RESTAPI",

+ "Trace"

+ ]

+ },

+ "privateEndpoints": []

+ },

+ "publicNetworkAccess": "Enabled",

+ "disableLocalAuth": true,

+ "disableAadAuth": false

+ }

+ }

+ ]

+}

+```

+## Use Azure Policy

+You can assign the [Azure SignalR Service should have local authentication methods disabled](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff70eecba-335d-4bbc-81d5-5b17b03d498f) Azure policy to an Azure subscription or a resource group to enforce disabling of local authentication for all SignalR resources in the subscription or the resource group.

+

+## Next steps

+See the following docs to learn about authentication methods.

+- [Overview of Azure AD for SignalR](signalr-concept-authorize-azure-active-directory.md)

+- [Authenticate with Azure applications](./signalr-howto-authorize-application.md)

+- [Authenticate with managed identities](./signalr-howto-authorize-managed-identity.md)

+> [!IMPORTANT]

+> Disabling local authentication can have following influences.

+> - The current set of access keys will be permanently deleted.

+> - Tokens signed with access keys will no longer be available.

+- [Steps to create a custom role](../role-based-access-control/custom-roles.md#steps-to-create-a-custom-role)

+To learn how to use only Azure AD authentication, see

+- [Disable local authentication](./howto-disable-local-auth.md)

+ 

+

+

+

+- [Disable local authentication](./howto-disable-local-auth.md)

+ 

+- [Disable local authentication](./howto-disable-local-auth.md)

+1. Edit *index/index.js* and replace the contents with the following code:

+Azure Functions requires a storage account to work. You can install and run the [Azure Storage Emulator](../storage/common/storage-use-azurite.md). **Or** you can update the setting to use your real storage account with the following command:

+You're almost done now. The last step is to set the SignalR Service connection string in Azure Function app settings.

+ Title: Azure Video Indexer emotions detection overview

+description: This article gives an overview of an Azure Video Indexer emotions detection.

+# Emotions detection

+Emotion detection is an Azure Video Indexer AI feature that automatically detects emotions a video's transcript lines. Each sentence can either be detected as "Anger", "Fear", "Joy", "Neutral", and "Sad". The model works on text only (labeling emotions in video transcripts.) This model doesn't infer the emotional state of people, may not perform where input is ambiguous or unclear, like sarcastic remarks. Thus, the model shouldn't be used for things like assessing employee performance or the emotional state of a person.

+The model doesn't have context of the input data, which can impact its accuracy. To increase the accuracy, it's recommended for the input data to be in a clear and unambiguous format.

+## Prerequisites

+Review [Transparency Note overview](/legal/azure-video-indexer/transparency-note?context=/azure/azure-video-indexer/context/context)

+## General principles

+There are many things you need to consider when deciding how to use and implement an AI-powered feature:

+- Will this feature perform well in my scenario? Before deploying emotions detection into your scenario, test how it performs using real-life data and make sure it can deliver the accuracy you need.

+- Are we equipped to identify and respond to errors? AI-powered products and features won't be 100% accurate, so consider how you'll identify and respond to any errors that may occur.

+## View the insight

+When working on the website the insights are displayed in the **Insights** tab. They can also be generated in a categorized list in a JSON file that includes the id, type, and a list of instances it appeared at, with their time and confidence.

+To display the instances in a JSON file, do the following:

+1. Select Download -> Insights (JSON).

+1. Copy the text and paste it into an online JSON viewer.

+```json

+"emotions": [

+ {

+ "id": 1,

+ "type": "Sad",

+ "instances": [

+ {

+ "confidence": 0.5518,

+ "adjustedStart": "0:00:00",

+ "adjustedEnd": "0:00:05.75",

+ "start": "0:00:00",

+ "end": "0:00:05.75"

+ },

+```

+To download the JSON file via the API, use theΓÇ»[Azure Video Indexer developer portal](https://api-portal.videoindexer.ai/).

+> [!NOTE]

+> Emotions detection is language independent, however if the transcript is not in English, it is first being translated to English and only then the model is applied. This may cause a reduced accuracy in emotions detection for non English languages.

+## Emotions detection components

+During the emotions detection procedure, the transcript of the video is processed, as follows:

+|Component |Definition |

+|||

+|Source language |The user uploads the source file for indexing. |

+|Transcription API |The audio file is sent to Cognitive Services and the translated transcribed output is returned. If a language has been specified, it is processed. |

+|Emotions detection |Each sentence is sent to the emotions detection model. The model produces the confidence level of each emotion. If the confidence level exceeds a specific threshold, and there is no ambiguity between positive and negative emotions, the emotion is detected. In any other case, the sentence is labeled as neutral.|

+|Confidence level |The estimated confidence level of the detected emotions is calculated as a range of 0 to 1. The confidence score represents the certainty in the accuracy of the result. For example, an 82% certainty is represented as an 0.82 score. |

+## Example use cases

+* Personalization of keywords to match customer interests, for example websites about England posting promotions about English movies or festivals.

+* Deep-searching archives for insights on specific keywords to create feature stories about companies, personas or technologies, for example by a news agency.

+## Considerations and limitations when choosing a use case

+Below are some considerations to keep in mind when using emotions detection:

+* When uploading a file always use high quality audio and video content.

+When used responsibly and carefully emotions detection is a valuable tool for many industries. To respect the privacy and safety of others, and to comply with local and global regulations, we recommend the following:  

+* Always respect an individual’s right to privacy, and only ingest media for lawful and justifiable purposes.  

+Don't purposely disclose inappropriate media showing young children or family members of celebrities or other content that may be detrimental or pose a threat to an individual’s personal freedom.  

+* Commit to respecting and promoting human rights in the design and deployment of your analyzed media.  

+* When using 3rd party materials, be aware of any existing copyrights or permissions required before distributing content derived from them.ΓÇ»

+* Always seek legal advice when using media from unknown sources.ΓÇ»

+* Always obtain appropriate legal and professional advice to ensure that your uploaded media is secured and have adequate controls to preserve the integrity of your content and to prevent unauthorized access.    

+* Provide a feedback channel that allows users and individuals to report issues with the service.  

+* Be aware of any applicable laws or regulations that exist in your area regarding processing, analyzing, and sharing media containing people.ΓÇ»

+* Keep a human in the loop. Don't use any solution as a replacement for human oversight and decision-making.  

+* Fully examine and review the potential of any AI model you're using to understand its capabilities and limitations.ΓÇ»

+## Next steps

+### Learn More about Responsible AI

+- [Microsoft Responsible AI principles](https://www.microsoft.com/ai/responsible-ai?activetab=pivot1%3aprimaryr6)

+- [Microsoft Responsible AI resources](https://www.microsoft.com/ai/responsible-ai-resources)

+- [Microsoft Azure Learning courses on Responsible AI](/training/paths/responsible-ai-business-principles/)

+- [Microsoft Global Human Rights Statement](https://www.microsoft.com/corporate-responsibility/human-rights-statement?activetab=pivot_1:primaryr5)

+### Contact us

+`visupport@microsoft.com`

+## Azure Video Indexer insights

+View some other Azure Video Insights:

+- [Audio effects detection](audio-effects-detection.md)

+- [Face detection](face-detection.md)

+- [OCR](ocr.md)

+- [Keywords extraction](keywords.md)

+- [Transcription, Translation & Language identification](transcription-translation-lid.md)

+- [Named entities](named-entities.md)

+- [Observed people tracking & matched persons](observed-matched-people.md)

+- [Topics inference](topics-inference.md)

+|InsightΓÇ» |The information and knowledge derived from the processing and analysis of video and audio files that generate different types of insights and can include detected objects, people, faces, keyframes and translations or transcriptions. |

+### Limitations of observed people tracing

+It's important to note the limitations of observed people tracing, to avoid or mitigate the effects of false negatives (missed detections) and limited detail.

+* People are generally not detected if they appear small (minimum person height is 100 pixels).

+* Maximum frame size is FHD

+* Low quality video (for example, dark lighting conditions) may impact the detection results.

+* The recommended frame rate at least 30 FPS.

+* Recommended video input should contain up to 10 people in a single frame. The feature could work with more people in a single frame, but the detection result retrieves up to 10 people in a frame with the detection highest confidence.

+* People with similar clothes: (for example, people wear uniforms, players in sport games) could be detected as the same person with the same ID number.

+* Obstruction ΓÇô there maybe errors where there are obstructions (scene/self or obstructions by other people).

+* Pose: The tracks may be split due to different poses (back/front)

+### Other considerations

+For more information, see [Considerations and limitations when choosing a use case](observed-matched-people.md#considerations-and-limitations-when-choosing-a-use-case).

+## April 2023

+## Observed people tracing improvements

+For more information, see [Considerations and limitations when choosing a use case](observed-matched-people.md#considerations-and-limitations-when-choosing-a-use-case).

+**HCX Run commands**

+Azure VMware Solution provides you with private clouds that contain VMware vSphere clusters built from dedicated bare-metal Azure infrastructure. Azure VMware Solution is available in Azure Commercial and in Public Preview in Azure Government.The minimum initial deployment is three hosts, but more hosts can be added, up to a maximum of 16 hosts per cluster. All provisioned private clouds have VMware vCenter Server, VMware vSAN, VMware vSphere, and VMware NSX-T Data Center. As a result, you can migrate workloads from your on-premises environments, deploy new virtual machines (VMs), and consume Azure services from your private clouds. For information about the SLA, see the [Azure service-level agreements](https://azure.microsoft.com/support/legal/sla/azure-vmware/v1_1/) page.

+ The new node sizes increase memory and storage options to optimize your workloads. The gains in performance enable you to do more per server, break storage bottlenecks, and lower transaction costs of latency-sensitive workloads. The availability of the new nodes allows for large latency-sensitive services to be hosted efficiently on the Azure VMware Solution infrastructure.

+2. Use the slider to select the number of hosts and then select **Save**.

+2. Select the cluster you want to scale, select **More** (...), then select **Edit**.

+3. Click **Add Host** to add a host to the cluster. Repeat that to reach the desired number of hosts, and then select **Save**.

+ :::image type="content" source="media/tutorial-scale-private-cloud/ss5-add-hosts-to-cluster.png" alt-text="Screenshot showing how to add additional hosts to an existing cluster." lightbox="media/tutorial-scale-private-cloud/ss5-add-hosts-to-cluster.png" border="true":::

+ >[!NOTE]

+ >The hosts will be added to the cluster in parallel.

+The Azure Web PubSub Service allows for the authorization of requests to Web PubSub resources by using Azure Active Directory (Azure AD).

+By utilizing role-based access control (RBAC) within Azure AD, permissions can be granted to a security principal^{[<a href="#security-principal">1</a>]}. Azure AD authenticates this security principal and returns an OAuth 2.0 token, which Web PubSub resources can then use to authorize a request.

+Using Azure AD for authorization of Web PubSub requests offers improved security and ease of use compared to Access Key authorization. Microsoft recommends utilizing Azure AD authorization with Web PubSub resources when possible to ensure access with the minimum necessary privileges.

+Authentication is necessary to access a Web PubSub resource when using Azure AD. This authentication involves two steps:

+1. First, Azure authenticates the security principal and issues an OAuth 2.0 token.

+2. Second, the token is added to the request to the Web PubSub resource. The Web PubSub service uses the token to check if the service principal has the access to the resource.

+The negotiation server/Function App shares an access key with the Web PubSub resource, enabling the Web PubSub service to authenticate client connection requests using client tokens generated by the access key.

+However, access key is often disabled when using Azure AD to improve security.

+To address this issue, we have developed a REST API that generates a client token. This token can be used to connect to the Azure Web PubSub service.

+To use this API, the negotiation server must first obtain an **Azure AD Token** from Azure to authenticate itself. The server can then call the Web PubSub Auth API with the **Azure AD Token** to retrieve a **Client Token**. The **Client Token** is then returned to the client, who can use it to connect to the Azure Web PubSub service.

+Before assigning an Azure RBAC role to a security principal, it's important to identify the appropriate level of access that the principal should have. It's recommended to grant the role with the narrowest possible scope. Resources located underneath inherit Azure RBAC roles with broader scopes.

+ This role is the most common used for building an upstream server.

+ It's used when you'd like to write a monitoring tool that calling **ONLY** Web PubSub data-plane **READONLY** REST APIs.

+To learn how to create an Azure application and use Azure AD auth, see

+To learn how to configure a managed identity and use Azure AD auth, see

+- [What is Azure role-based access control](../role-based-access-control/overview.md)

+- [Steps to create a custom role](../role-based-access-control/custom-roles.md#steps-to-create-a-custom-role)

+To learn how to use only Azure AD authentication, see

+- [Disable local authentication](./howto-disable-local-auth.md)

+ 

+

+

+

+ 

+ 

+ 

+- [Disable local authentication](./howto-disable-local-auth.md)

+ 

+ 

+ 

+ 

+- [Authorize request to Web PubSub resources with Azure AD from Azure applications](howto-authorize-from-application.md)

+- [Disable local authentication](./howto-disable-local-auth.md)

+ Title: Disable local (access key) authentication with Azure Web PubSub Service

+description: This article provides information about how to disable access key authentication and use only Azure AD authentication with Azure Web PubSub Service.

+# Disable local (access key) authentication with Azure Web PubSub Service

+There are two ways to authenticate to Azure Web PubSub Service resources: Azure Active Directory (Azure AD) and Access Key. Azure AD provides superior security and ease of use over access key. With Azure AD, thereΓÇÖs no need to store the tokens in your code and risk potential security vulnerabilities. We recommend that you use Azure AD with your Azure Web PubSub Service resources when possible.

+> [!IMPORTANT]

+> Disabling local authentication can have following influences.

+> - The current set of access keys will be permanently deleted.

+> - Tokens signed with current set of access keys will become unavailable.

+> - Signature will **NOT** be attached in the upstream request header. Please visit *[how to validate access token](./howto-use-managed-identity.md#validate-access-tokens)* to learn how to validate requests via Azure AD token.

+## Use Azure portal

+In this section, you will learn how to use the Azure portal to disable local authentication.

+1. Navigate to your Web PubSub Service resource in the [Azure portal](https://portal.azure.com).

+2. in the **Settings** section of the menu sidebar, select **Keys** tab.

+3. Select **Disabled** for local authentication.

+4. Click **Save** button.

+

+## Use Azure Resource Manager template

+You can disable local authentication by setting `disableLocalAuth` property to true as shown in the following Azure Resource Manager template.

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "resource_name": {

+ "defaultValue": "test-for-disable-aad",

+ "type": "String"

+ }

+ },

+ "variables": {},

+ "resources": [

+ {

+ "type": "Microsoft.SignalRService/WebPubSub",

+ "apiVersion": "2022-08-01-preview",

+ "name": "[parameters('resource_name')]",

+ "location": "eastus",

+ "sku": {

+ "name": "Premium_P1",

+ "tier": "Premium",

+ "size": "P1",

+ "capacity": 1

+ },

+ "properties": {

+ "tls": {

+ "clientCertEnabled": false

+ },

+ "networkACLs": {

+ "defaultAction": "Deny",

+ "publicNetwork": {

+ "allow": [

+ "ServerConnection",

+ "ClientConnection",

+ "RESTAPI",

+ "Trace"

+ ]

+ },

+ "privateEndpoints": []

+ },

+ "publicNetworkAccess": "Enabled",

+ "disableLocalAuth": true,

+ "disableAadAuth": false

+ }

+ }

+ ]

+}

+```

+## Use Azure Policy

+You can assign the [Azure Web PubSub Service should have local authentication methods disabled](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb66ab71c-582d-4330-adfd-ac162e78691e) Azure policy to an Azure subscription or a resource group to enforce disabling of local authentication for all Web PubSub resources in the subscription or the resource group.

+

+## Next steps

+See the following docs to learn about authentication methods.

+- [Overview of Azure AD for Web PubSub](concept-azure-ad-authorization.md)

+- [Authenticate with Azure applications](./howto-authorize-from-application.md)

+- [Authenticate with managed identities](./howto-authorize-from-managed-identity.md)

+AKS backup also integrates directly with Backup center to help you manage the protection of all your AKS clusters centrally along with all other backup supported workloads. The Backup center is a single pane of glass for all your backup requirements, such as monitoring jobs and state of backups and restores, ensuring compliance and governance, analyzing backup usage, and performing operations pertaining to back up and restore of data.

+**Choose a vault type**:

+# [Recovery Services vaults](#tab/recovery-services-vaults)

+1. Go to your *vault*, and then select **Diagnostic Settings** > **+ Add Diagnostic Setting**.

+1. Provide a name to the *diagnostics setting*.

+1. Select the **Send to Log Analytics** checkbox, and then select a *Log Analytics workspace*.

+1. Select **Resource specific** in the toggle, and select the following five events: **CoreAzureBackup**, **AddonAzureBackupJobs**, **AddonAzureBackupPolicy**, **AddonAzureBackupStorage**, and **AddonAzureBackupProtectedInstance**.

+

+# [Backup vaults](#tab/backup-vaults)

+1. Go to your *vault*, and then select **Diagnostic Settings** > **+ Add Diagnostic Setting**.

+2. Provide a name to the *diagnostics setting*.

+3. Select the **Send to Log Analytics** checkbox, and then select a *Log Analytics workspace*.

+4. Select the following events: **CoreAzureBackup**, **AddonAzureBackupJobs**, **AddonAzureBackupPolicy**, and **AddonAzureBackupProtectedInstance**.

+5. Select **Save**.

+

+> The six events, namely, *CoreAzureBackup*, *AddonAzureBackupJobs*, *AddonAzureBackupAlerts*, *AddonAzureBackupPolicy*, *AddonAzureBackupStorage*, and *AddonAzureBackupProtectedInstance*, are supported *only* in the resource-specific mode for Recovery Services vaults in [Backup reports](configure-reports.md). *If you try to send data for these six events in Azure diagnostics mode, no data will appear in Backup reports.*

+>

+> *AddonAzureBackupAlerts* refers to the alerts being generated by the classic alerts solution. As classic alerts solution is on deprecation path in favour of Azure Monitor-based alers, we recommend you not to select the event *AddonAzureBackupAlerts* when configuring diagnostics settings. To send the fired Azure Monitor-based alerts to a destination of your choice, you can create an alert processing rule and action group that routes these alerts to a logic app, webhook, or runbook that in turn sends these alerts to the required destination.

+>

+> For Backup vaults, since information on the frontend size and backup storage consumed are already included in the *CoreAzureBackup* and *AddonAzureBackupProtectedInstances* events (to aid query performance), the *AddonAzureBackupStorage event* isn't applicable for Backup vault, to avoid creation of redundant tables.

+Traditionally, for Recovery Services vaults, all backup-related diagnostics data for a vault was contained in a single event called AzureBackupReport. The six events described here are, in essence, a decomposition of all the data contained in AzureBackupReport.

+Currently, we continue to support the *AzureBackupReport* event for Recovery Services vaults, backward compatibility in cases where you've existing custom queries on this event. For example, custom log alerts and custom visualizations. *We recommend that you move to the [new events](#diagnostics-events-available-for-azure-backup-users) as early as possible*. The new events:

+> [!NOTE]

+> For Backup vaults, all diagnostics events are sent to the resource-specific tables only; so, you don't need to do any migration for Backup vaults. The following section is specific to Recovery services vaults.

+The default graphs give you Kusto queries for basic scenarios on which you can build alerts. You can also modify the queries to fetch the data you want to be alerted on. Paste the following sample Kusto queries on the **Logs** page, and then create alerts on the queries.

+Recovery Services vaults and Backup vaults send data to a common set of tables that are listed in this article. However, there are slight differences in the schema for Recovery Services vaults and Backup vaults ([learn more](backup-azure-monitoring-built-in-monitor.md)). So, this section is split into multiple sub-sections that helps you to use the right queries depending on which workload or vault types you want to query.

+#### Queries common across Recovery Services vaults and Backup vaults

+#### Queries specific to Recovery Services vault workloads

+#### Queries specific to Backup vault workloads

+- All successful Azure PostgreSQL backup jobs

+ ````Kusto

+ AddonAzureBackupJobs

+ | where JobOperation=="Backup"

+ | summarize arg_max(TimeGenerated,*) by JobUniqueId

+ | where DatasourceType == "Microsoft.DBforPostgreSQL/servers/databases"

+ | where JobStatus=="Completed"

+ ````

+- All successful Azure Disk restore jobs

+ ````Kusto

+ AddonAzureBackupJobs

+ | where JobOperation == "Restore"

+ | summarize arg_max(TimeGenerated,*) by JobUniqueId

+ | where DatasourceType == "Microsoft.Compute/disks"

+ | where JobStatus=="Completed"

+ ````

+- Backup Storage Consumed per Backup Item

+ ````Kusto

+ CoreAzureBackup

+ | where OperationName == "BackupItem"

+ | summarize arg_max(TimeGenerated, *) by BackupItemUniqueId

+ | project BackupItemUniqueId, BackupItemFriendlyName, StorageConsumedInMBs

+ ````

+## Differences in schema for Recovery Services vaults and Backup vaults

+Recovery Services vaults and Backup vaults send data to a common set of tables that are listed in this article. However, there are slight differences in the schema for Recovery Services vaults and Backup vaults.

+- One of the main reasons for this difference is that for Backup vaults, Azure Backup service does a 'flattening' of schemas to reduce the number of joins needed in queries, hence improving query performance. For example, if you are looking to write a query that lists all Backup vault jobs along with the friendly name of the datasource, and friendly name of the vault, you can get all of this information fro the AddonAzureBackupJobs table (without needing to do a join with CoreAzureBackup to get the datasource and vault names). Flattened schemas are currently supported only for Backup vaults and not yet for Recovery Services vaults.

+- Apart from the above, there are also certain scenarios that are currently applicable for Recovery Services vaults only (for example, fields related to DPM workloads). This also leads to some differences in the schema between Backup vaults and Recovery Services vaults.

+To understand which fields are specific to a particular vault type, and which fields are common across vault types, refer to the **Applicable Resource Types** column provided in the below sections. For more information on how to write queries on these tables for Recovery Services vaults and Backup vaults, see the [sample queries](./backup-azure-monitoring-use-azuremonitor.md#sample-kusto-queries).

+| **Field** | **Data Type** | **Applicable Resource Types** | **Description** |

+| | - | | |

+| ResourceId | Text | Recovery Services vault, Backup vault | Resource identifier for data being collected. For example, Recovery Services vault resource ID. |

+| OperationName | Text | Recovery Services vault, Backup vault | This field represents the name of the current operation - BackupItem, BackupItemAssociation, or ProtectedContainer. |

+| Category | Text | Recovery Services vault, Backup vault | This field represents the category of diagnostics data pushed to Azure Monitor logs. For example, CoreAzureBackup. |

+| AgentVersion | Text | Recovery Services vault | Version number of Agent Backup or the Protection Agent (in the case of SC DPM and MABS) |

+| AzureBackupAgentVersion | Text | Recovery Services vault | Version of the Azure Backup Agent on the Backup Management Server |

+| AzureDataCenter | Text | Recovery Services vault, Backup vault | Data center where the vault is located |

+| BackupItemAppVersion | Text | Recovery Services vault | Application version of the backup item |

+| BackupItemFriendlyName | Text | Recovery Services vault, Backup vault | Friendly name of the backup item |

+| BackupItemName | Text | Recovery Services vault, Backup vault | Name of the backup item |

+| BackupItemProtectionState | Text | Recovery Services vault, Backup vault | Protection State of the Backup Item |

+| BackupItemFrontEndSize | Text | Recovery Services vault, Backup vault | Front-end size (in MBs) of the backup item |

+| BackupItemType | Text | Recovery Services vault, Backup vault | Type of backup item. For example: VM, FileFolder |

+| BackupItemUniqueId | Text | Recovery Services vault, Backup vault | Unique identifier of the backup item |

+| BackupManagementServerType | Text | Recovery Services vault | Type of the Backup Management Server, as in MABS, SC DPM |

+| BackupManagementServerUniqueId | Text | Recovery Services vault | Field to uniquely identify the Backup Management Server |

+| BackupManagementType | Text | Recovery Services vault | Provider type for server doing backup job. For example, IaaSVM, FileFolder |

+| BackupManagementServerName | Text | Recovery Services vault | Name of the Backup Management Server |

+| BackupManagementServerOSVersion | Text | Recovery Services vault | OS version of the Backup Management Server |

+| BackupManagementServerVersion | Text | Recovery Services vault | Version of the Backup Management Server |

+| LatestRecoveryPointLocation | Text | Recovery Services vault | Location of the latest recovery point for the backup item |

+| LatestRecoveryPointTime | DateTime | Recovery Services vault | Date time of the latest recovery point for the backup item |

+| OldestRecoveryPointLocation | Text | Recovery Services vault | Location of the oldest recovery point for the backup item |

+| OldestRecoveryPointTime | DateTime | Recovery Services vault | Date time of the latest recovery point for the backup item |

+| PolicyUniqueId | Text | Recovery Services vault, Backup vault | Unique ID to identify the policy |

+| ProtectedContainerFriendlyName | Text | Recovery Services vault | Friendly name of the protected server |

+| ProtectedContainerLocation | Text | Recovery Services vault | Whether the Protected Container is located On-premises or in Azure |

+| ProtectedContainerName | Text | Recovery Services vault | Name of the Protected Container |

+| ProtectedContainerOSType | Text | Recovery Services vault | OS Type of the Protected Container |

+| ProtectedContainerOSVersion | Text | Recovery Services vault | OS Version of the Protected Container |

+| ProtectedContainerProtectionState | Text | Recovery Services vault | Protection State of the Protected Container |

+| ProtectedContainerType | Text | Recovery Services vault | Whether the Protected Container is a server, or a container |

+| ProtectedContainerUniqueId | Text | Recovery Services vault | Unique ID used to identify the protected container for everything except VMs backed up using DPM, MABS |

+| ProtectedContainerWorkloadType | Text | Recovery Services vault | Type of the Protected Container backed up. For example, IaaSVMContainer |

+| ProtectionGroupName | Text | Recovery Services vault | Name of the Protection Group the Backup Item is protected in, for SC DPM, and MABS, if applicable |

+| ResourceGroupName | Text | Recovery Services vault, Backup vault| Resource group of the resource (for example, Recovery Services vault) for data being collected |

+| SchemaVersion | Text | Recovery Services vault, Backup vault | This field denotes the current version of the schema. It is **V2** |

+| SecondaryBackupProtectionState | Text | Recovery Services vault | Whether secondary protection is enabled for the backup item |

+| State | Text | Recovery Services vault | State of the backup item object. For example, Active, Deleted |

+| StorageReplicationType | Text | Recovery Services vault, Backup vault | Type of storage replication for the vault. For example, GeoRedundant |

+| SubscriptionId | Text | Recovery Services vault, Backup vault | Subscription identifier of the resource (for example, Recovery Services vault) for which data is collected |

+| VaultName | Text | Recovery Services vault, Backup vault | Name of the vault |

+| VaultTags | Text | Recovery Services vault, Backup vault | Tags associated with the vault resource |

+| VaultUniqueId | Text | Recovery Services vault, Backup vault | Unique Identifier of the vault |

+| SourceSystem | Text | Recovery Services vault, Backup vault | Source system of the current data - Azure |

+| DatasourceSetFriendlyName | Text | Backup vault | Friendly name of the parent resource of the datasource (wherever applicable). For example, for an Azure PostgreSQL database, this field will contain the friendly name of the PostgreSQL server |

+| DatasourceSetResourceId | Text | Backup vault | Azure Resource Manager (ARM) ID of the parent resource of the datasource (wherever applicable). For example, for an Azure PostgreSQL database, this field will contain the ARM ID of the PostgreSQL server |

+| DatasourceSetType | Text | Backup vault | Type of the DatasourceSet, for example, Microsoft.Compute/disks |

+| DatasourceFriendlyName | Text | Backup vault | Friendly name of the datasource being backed up |

+| DatasourceResourceId | Text | Backup vault | Azure Resource Manager (ARM) ID of the datasource being backed up |

+| DatasourceType | Text | Backup vault | Type of the datasource being backed up, for example, Microsoft.DBforPostgreSQL/servers/databases |

+| BillingGroupUniqueId | Text | Backup vault | Unique ID of the billing group associated with the backup item |

+| BillingGroupFriendlyName | Text | Backup vault | Friendly name of the billing group associated with the backup item |

+| DatasourceResourceGroupName | Text | Backup vault | Resource group of the datasource being backed up |

+| DatasourceSubscriptionId | Text | Backup vault | Subscription ID of the datasource being backed up |

+| BackupItemId | Text | Backup vault | Azure Resource Manager (ARM) ID of the backup item |

+| StorageConsumedInMBs | Text | Backup vault | Backup storage consumed by the backup item |

+| VaultType | Text | Backup vault | Type of vault. For Backup vaults, the value is Microsoft.DataProtection/backupVaults. For Recovery Services vaults, this field is currently empty |

+| PolicyName | Text | Backup vault | Name of the policy associated with the backup item |

+| PolicyId | Text | Backup vault | Azure Resource Manager (ARM) ID of the policy associated with the backup item |

+> [!NOTE]

+> AddonAzureBackupAlerts refers to the alerts being generated by the classic alerts solution. As classic alerts solution is on deprecation path in favour of Azure Monitor based alers, we recommend you not to select this event AddonAzureBackupAlerts when configuring diagnostics settings. To send the fired Azure Monitor based alerts to a destination of your choice, you can create an alert processing rule and action group that routes these alerts to a logic app, webhook, or runbook that in turn sends these alerts to the required destination.

+| **Field** | **Data Type** | **Applicable Resource Types** | **Description** |

+| -- | - | | |

+| ResourceId | Text | Recovery Services vault | Unique identifier for the resource about which data is collected. For example, a Recovery Services vault resource ID |

+| OperationName | Text | Recovery Services vault | Name of the current operation. For example, Alert |

+| Category | Text | Recovery Services vault | Category of diagnostics data pushed to Azure Monitor logs - AddonAzureBackupAlerts |

+| AlertCode | Text | Recovery Services vault | Code to uniquely identify an alert type |

+| AlertConsolidationStatus | Text | Recovery Services vault | Identify if the alert is a consolidated alert or not |

+| AlertOccurrenceDateTime | DateTime | Recovery Services vault | Date and time when the alert was created |

+| AlertRaisedOn | Text | Recovery Services vault | Type of entity the alert is raised on |

+| AlertSeverity | Text | Recovery Services vault | Severity of the alert. For example, Critical |

+| AlertStatus | Text | Recovery Services vault | Status of the alert. For example, Active |

+| AlertTimeToResolveInMinutes | Number | Recovery Services vault | Time taken to resolve an alert. Blank for active alerts. |

+| AlertType | Text | Recovery Services vault | Type of alert. For example, Backup |

+| AlertUniqueId | Text | Recovery Services vault | Unique identifier of the generated alert |

+| BackupItemUniqueId | Text | Recovery Services vault | Unique identifier of the backup item associated with the alert |

+| BackupManagementServerUniqueId | Text | Recovery Services vault | Field to uniquely identify the Backup Management Server the Backup Item is protected through, if applicable |

+| BackupManagementType | Text | Recovery Services vault | Provider type for server doing backup job, for example, IaaSVM, FileFolder |

+| CountOfAlertsConsolidated | Number | Recovery Services vault | Number of alerts consolidated if it's a consolidated alert |

+| ProtectedContainerUniqueId | Text | Recovery Services vault | Unique identifier of the protected server associated with the alert |

+| RecommendedAction | Text | Recovery Services vault | Action recommended to resolving the alert |

+| SchemaVersion | Text | Recovery Services vault | Current version of the schema, for example **V2** |

+| State | Text | Recovery Services vault | Current state of the alert object, for example, Active, Deleted |

+| StorageUniqueId | Text | Recovery Services vault | Unique ID used to identify the storage entity |

+| VaultUniqueId | Text | Recovery Services vault | Unique ID used to identify the vault related to the alert |

+| SourceSystem | Text | Recovery Services vault | Source system of the current data - Azure |

+| **Field** | **Data Type** | **Applicable Resource Types** | **Description** |

+| | - | -- | - |

+| ResourceId | Text | Recovery Services vault, Backup vault | Unique identifier for the resource about which data is collected. For example, a Recovery Services vault resource ID |

+| OperationName | Text | Recovery Services vault, Backup vault | Name of the operation, for example ProtectedInstance |

+| Category | Text | Recovery Services vault, Backup vault | Category of diagnostics data pushed to Azure Monitor logs - AddonAzureBackupProtectedInstance |

+| BackupItemUniqueId | Text | Recovery Services vault | Unique ID of the backup item |

+| BackupManagementServerUniqueId | Text | Recovery Services vault | Field to uniquely identify the Backup Management Server the Backup Item is protected through, if applicable |

+| BackupManagementType | Text | Recovery Services vault | Provider type for server doing backup job, for example, IaaSVM, FileFolder |

+| ProtectedContainerUniqueId | Text | Recovery Services vault | Unique ID to identify the protected container the job is run on |

+| ProtectedInstanceCount | Integer | Recovery Services vault, Backup vault | Count of Protected Instances for the associated billing entity on that date-time |

+| SchemaVersion | Text | Recovery Services vault, Backup vault | Current version of the schema, for example **V2** |

+| State | Text | Recovery Services vault | State of the backup item object, for example, Active, Deleted |

+| VaultUniqueId | Text | Recovery Services vault, Backup vault | Unique identifier of the protected vault associated with the protected instance |

+| SourceSystem | Text | Recovery Services vault, Backup vault | Source system of the current data - Azure |

+| BillingGroupFriendlyName | Text | Backup vault | Friendly name of the billing group (unit at which billing information is calculated) |

+| BillingGroupUniqueId | Text | Backup vault | Unique ID of the billing group (unit at which billing information is calculated) |

+| StorageConsumedInMBs | Double | Backup vault | Current value of backup storage consumed by the billing group |

+| VaultTags | Text | Backup vault | Tags of the vault associated with the billing group |

+| AzureDataCenter | Text | Backup vault | Location of the vault associated with the billing group |

+| VaultType | Text | Backup vault | Type of the vault associated with the billing group. For Backup vaults, the value is Microsoft.DataProtection/backupVaults. For Recovery Services vaults, this field is currently empty |

+| StorageReplicationType | Text | Backup vault | Type of storage replication for the vault. For example, LocallyRedundant |

+| SubscriptionId | Text | Backup vault | Subscription ID of the billing group |

+| ResourceGroupName | Text | Backup vault | Resource Group of the billing group |

+| VaultName | Text | Backup vault | Name of the vault associated with the billing group |

+| DatasourceType | Text | Backup vault | Type of the datasource being backed up, for example, Microsoft.DBforPostgreSQL/servers/databases |

+| BillingGroupType | Text | Backup vault | Type of the billing group, used to denote the unit at which billing information is calculated. For example, in the case of Azure PostgreSQL backup, protected instances and storage consumed are calculated at the server (DatasourceSet) level so the value is DatasourceSet in this scenario |

+| SourceSizeInMBs | Double | Backup vault | Frontend size of the billing group |

+| BillingGroupResourceGroupName | Text | Backup vault | Resource group in which the billing group exists |

+| **Field** | **Data Type** | **Applicable Resource Types** | **Description** |

+| | - | | |

+| ResourceId | Text | Recovery Services vault, Backup vault | Resource identifier for data being collected. For example, Recovery Services vault resource ID |

+| OperationName | Text | Recovery Services vault, Backup vault | This field represents name of the current operation - Job |

+| Category | Text | Recovery Services vault, Backup vault | This field represents category of diagnostics data pushed to Azure Monitor logs - AddonAzureBackupJobs |

+| AdhocOrScheduledJob | Text | Recovery Services vault, Backup vault | Field to specify if the job is Ad Hoc or Scheduled |

+| BackupItemUniqueId | Text | Recovery Services vault, Backup vault | Unique ID used to identify the backup item related to the storage entity |

+| BackupManagementServerUniqueId | Text | Recovery Services vault | Unique ID used to identify the backup management server related to the storage entity |

+| BackupManagementType | Text | Recovery Services vault | Provider type for performing backup, for example, IaaS VM, File-Folder to which this job belongs. |

+| DataTransferredInMB | Number | Recovery Services vault | Data transferred in MB for this job |

+| JobDurationInSecs | Number | Recovery Services vault, Backup vault | Total job duration in seconds |

+| JobFailureCode | Text | Recovery Services vault, Backup vault | Failure Code string because of which job failure happened |

+| JobOperation | Text | Recovery Services vault, Backup vault | Operation for which job, is run for example, Backup, Restore, Configure Backup |

+| JobOperationSubType | Text | Recovery Services vault, Backup vault | Sub Type of the Job Operation. For example, 'Log', in the case of Log Backup Job |

+| JobStartDateTime | DateTime | Recovery Services vault, Backup vault | Date and time when job started running |

+| JobStatus | Text | Recovery Services vault, Backup vault | Status of the finished job, for example, Completed, Failed |

+| JobUniqueId | Text | Recovery Services vault, Backup vault | Unique ID to identify the job |

+| ProtectedContainerUniqueId | Text | Recovery Services vault | Unique identifier of the protected server associated with the job |

+| RecoveryJobDestination | Text | Recovery Services vault | Destination of a recovery job, where the data is recovered |

+| RecoveryJobRPDateTime | DateTime | Recovery Services vault | The date, time when the recovery point that's being recovered was created |

+| RecoveryJobLocation | Text | Recovery Services vault, Backup vault | The location where the recovery point that's being recovered was stored |

+| RecoveryLocationType | Text | Recovery Services vault | Type of the Recovery Location |

+| SchemaVersion | Text | Recovery Services vault, Backup vault | Current version of the schema, for example **V2** |

+| State | Text | Recovery Services vault | Current state of the job object, for example, Active, Deleted |

+| VaultUniqueId | Text | Recovery Services vault, Backup vault | Unique identifier of the protected vault associated with the job |

+| SourceSystem | Text | Recovery Services vault, Backup vault | Source system of the current data - Azure |

+| DatasourceSetFriendlyName | Text | Backup vault | Friendly name of the datasource being backed up |

+| DatasouceSetResourceId | Text | Backup vault | Azure Resource Manager (ARM) ID of the parent resource of the datasource (wherever applicable). For example, for an Azure PostgreSQL database, this field will contain the ARM ID of the PostgreSQL server |

+| DatasourceSetType | Text | Backup vault | Type of the datasource being backed up, for example, Microsoft.DBforPostgreSQL/servers/databases |

+| DatasourceResourceId | Text | Backup vault | Azure Resource Manager (ARM) ID of the datasource being backed up |

+| DatasourceType | Text | Backup vault | Type of the datasource being backed up, for example, Microsoft.DBforPostgreSQL/servers/databases |

+| DatasourceFriendlyName | Text | Backup vault | Friendly name of the datasource being backed up |

+| SubscriptionId | Text | Backup vault | Subscription id of the vault |

+| ResourceGroupName | Text | Backup vault | Resource Group of the vault |

+| VaultName | Text | Backup vault | Name of the vault |

+| VaultTags | Text | Backup vault | Tags of the vault |

+| StorageReplicationType | Text | Backup vault | Type of storage replication for the vault. For example, GeoRedundant |

+| AzureDataCenter | Text | Backup vault | Location of the vault |

+| BackupItemId | Text | Backup vault | Azure Resource Manager (ARM) ID of the backup item associated with the job |

+| BackupItemFriendlyName | Text | Backup vault | Friendly name of the backup item associated with the job |

+| **Field** | **Data Type** | **Applicable resource types** | **Description** |

+| - | -- | - | -- |

+| ResourceId | Text | Recovery Services vault, Backup vault | Unique identifier for the resource about which data is collected. For example, a Recovery Services vault resource ID |

+| OperationName | Text | Recovery Services vault, Backup vault | Name of the operation, for example, Policy or PolicyAssociation |

+| Category | Text | Recovery Services vault, Backup vault | Category of diagnostics data pushed to Azure Monitor logs - AddonAzureBackupPolicy |

+| BackupDaysOfTheWeek | Text | Recovery Services vault, Backup vault | Days of the week when backups have been scheduled |

+| BackupFrequency | Text | Recovery Services vault | Frequency with which backups are run. For example, daily, weekly |

+| BackupManagementType | Text | Recovery Services vault | Provider type for server doing backup job. For example, IaaSVM, FileFolder |

+| BackupManagementServerUniqueId | Text | Recovery Services vault | Field to uniquely identify the Backup Management Server the Backup Item is protected through, if applicable |

+| BackupTimes | Text | Recovery Services vault | Date and time when backups are scheduled |

+| DailyRetentionDuration | Integer | Recovery Services vault | Total retention duration in days for configured backups |

+| DailyRetentionTimes | Text | Recovery Services vault | Date and time when daily retention was configured |

+| DiffBackupDaysOfTheWeek | Text | Recovery Services vault | Days of the week for Differential backups for SQL/HANA in Azure VM Backup |

+| DiffBackupFormat | Text | Recovery Services vault | Format for Differential backups for SQL/HANA in Azure VM backup |

+| DiffBackupRetentionDuration | Integer | Recovery Services vault | Retention duration for Differential backups for SQL/HANA in Azure VM Backup |

+| DiffBackupTime | Time | Recovery Services vault | Time for Differential backups for SQL/HANA in Azure VM Backup |

+| LogBackupFrequency | Integer | Recovery Services vault | Frequency for Log backups for SQL |

+| LogBackupRetentionDuration | Integer | Recovery Services vault | Retention duration for Log backups for SQL in Azure VM Backup |

+| MonthlyRetentionDaysOfTheMonth | Text | Recovery Services vault, Backup vault | Weeks of the month when monthly retention is configured. For example, First, Last |

+| MonthlyRetentionDaysOfTheWeek | Text | Recovery Services vault, Backup vault | Days of the week selected for monthly retention |

+| MonthlyRetentionDuration | Text | Recovery Services vault, Backup vault | Total retention duration in months for configured backups |

+| MonthlyRetentionFormat | Text | Recovery Services vault, Backup vault | Type of configuration for monthly retention. For example, daily for day based, weekly for week based |

+| MonthlyRetentionTimes | Text | Recovery Services vault, Backup vault | Date and time when monthly retention is configured |

+| MonthlyRetentionWeeksOfTheMonth | Text | Recovery Services vault, Backup vault | Weeks of the month when monthly retention is configured. For example, First, Last |

+| PolicyName | Text | Recovery Services vault, Backup vault | Name of the policy defined |

+| PolicyUniqueId | Text | Recovery Services vault, Backup vault | Unique ID to identify the policy |

+| PolicyTimeZone | Text | Recovery Services vault, Backup vault | Timezone in which the Policy Time Fields are specified in the logs |

+| RetentionDuration | Text | Recovery Services vault | Retention duration for configured backups |

+| RetentionType | Text | Recovery Services vault | Type of retention |

+| SchemaVersion | Text | Recovery Services vault, Backup vault | This field denotes current version of the schema, it is **V2** |

+| State | Text | Recovery Services vault | Current state of the policy object. For example, Active, Deleted |

+| SynchronisationFrequencyPerDay | Whole Number | Recovery Services vault | Number of times in a day a file backup is synchronized for SC DPM and MABS |

+| VaultUniqueId | Text | Recovery Services vault, Backup vault | Unique ID of the vault that this policy belongs to |

+| WeeklyRetentionDaysOfTheWeek | Text | Recovery Services vault, Backup vault | Days of the week selected for weekly retention |

+| WeeklyRetentionDuration | Decimal Number | Recovery Services vault, Backup vault | Total weekly retention duration in weeks for configured backups |

+| WeeklyRetentionTimes | Text | Recovery Services vault, Backup vault | Date and time when weekly retention is configured |

+| YearlyRetentionDaysOfTheMonth | Text | Recovery Services vault, Backup vault | Dates of the month selected for yearly retention |

+| YearlyRetentionDaysOfTheWeek | Text | Recovery Services vault, Backup vault | Days of the week selected for yearly retention |

+| YearlyRetentionDuration | Decimal Number | Recovery Services vault, Backup vault | Total retention duration in years for configured backups |

+| YearlyRetentionFormat | Text | Recovery Services vault, Backup vault | Type of configuration for yearly retention, for example, daily for day based, weekly for week based |

+| YearlyRetentionMonthsOfTheYear | Text | Recovery Services vault, Backup vault | Months of the year selected for yearly retention |

+| YearlyRetentionTimes | Text | Recovery Services vault, Backup vault | Date and time when yearly retention is configured |

+| YearlyRetentionWeeksOfTheMonth | Text | Recovery Services vault, Backup vault | Weeks of the month selected for yearly retention |

+| SourceSystem | Text | Recovery Services vault, Backup vault | Source system of the current data - Azure |

+| PolicySubType | Text | Recovery Services vault | Subtype of the policy, for example, Standard or Enhanced |

+| BackupIntervalInHours | Integer | Recovery Services vault, Backup vault | Interval of time between successive backup jobs. Applicable for Azure VM and Azure Disk backup |

+| ScheduleWindowDuration | Integer | Recovery Services vault | Duration of the daily window in which backups can be run. Applicable for enhanced policy for Azure VM backup |

+| ScheduleWindowStartTime | DateTime | Recovery Services vault | Start time of the daily window in which backups can be run. Applicable for enhanced policy for Azure VM backup |

+| FullBackupDaysOfTheWeek | String | Backup vault | Days of the week when full backup runs. Currently applicable for Azure PostgreSQL backup |

+| FullBackupFrequency | String | Backup vault | Frequency of full backup. Currently applicable for Azure PostgreSQL backup | |

+| FullBackupTimes | String | Backup vault | Time of the day at which full backup is taken. Currently applicable for Azure PostgreSQL backup | |

+| IncrementalBackupDaysOfTheWeek | String | Backup vault | Days of the week when incremental backup runs. Currently applicable for Azure Disk backup |

+| IncrementalBackupFrequency | String | Backup vault | Frequency of incremental backup. Currently applicable for Azure Disk backup |

+| IncrementalBackupTimes | String | Backup vault | Time of the day at which incremental backup is taken. Currently applicable for Azure Disk backup | |

+| PolicyId | String | Backup vault | Azure Resource Manager (ARM) ID of the backup policy |

+| SnapshotTierDailyRetentionDuration | Integer | Backup vault | Retention duration in days for daily snapshots. Applicable for Azure Blob and Azure Disk backup |

+| SnapshotTierWeeklyRetentionDuration | Integer | Backup vault | Retention duration in weeks for weekly snapshots. Applicable for Azure Blob and Azure Disk backup |

+| SnapshotTierMonthlyRetentionDuration | Integer | Backup vault | Retention duration in months for monthly snapshots. Applicable for Azure Blob and Azure Disk backup |

+| SnapshotTierYearlyRetentionDuration | Integer | Backup vault | Retention duration in years for yearly snapshots. Applicable for Azure Blob and Azure Disk backup |

+| StandardTierDefaultRetentionDuration | Integer | Backup vault | Default retention duration in the standard tier in days. Applicable for Azure PostgreSQL backup |

+| SnapshotTierDefaultRetentionDuration | Integer | Backup vault | Default retention duration in the snapshot tier in days. Applicable for Azure Blob and Azure Disk backup |

+| DatasourceType | String | Backup vault | Datasource type of the backup policy |

+| VaultTags | String | Backup vault | Tags of the vault associated with the backup policy |

+| AzureDataCenter | String | Backup vault | Location of the vault associated with the backup policy |

+| VaultType | String | Backup vault | Type of the vault associated with the backup policy. For Backup vaults, the value is Microsoft.DataProtection/backupVaults. For Recovery Services vaults, this field is currently empty |

+| StorageReplicationType | String | Backup vault | Storage replication type of the vault associated with the backup policy |

+| SubscriptionId | String | Backup vault | Subscription ID of the vault associated with the backup policy |

+| ResourceGroupName | String | Backup vault | Resource group of the vault associated with the backup policy |

+| VaultName | String | Backup vault | Name of the vault associated with the backup policy |

+| **Field** | **Data Type** | **Applicable Resource Types** | **Description** |

+| | - | -|-- |

+| ResourceId | Text | Recovery Services vault | Resource identifier for data being collected. For example, Recovery Services vault resource ID |

+| OperationName | Text | Recovery Services vault | This field represents name of the current operation - Storage or StorageAssociation |

+| Category | Text | Recovery Services vault | This field represents category of diagnostics data pushed to Azure Monitor logs - AddonAzureBackupStorage |

+| BackupItemUniqueId | Text | Recovery Services vault | Unique ID used to identify the backup item for VMs backed up using DPM, MABS |

+| BackupManagementServerUniqueId | Text | Recovery Services vault | Field to uniquely identify the Backup Management Server the Backup Item is protected through, if applicable |

+| BackupManagementType | Text | Recovery Services vault | Provider type for server doing backup job. For example, IaaSVM, FileFolder |

+| PreferredWorkloadOnVolume | Text | Recovery Services vault | Workload for which this volume is the preferred storage |

+| ProtectedContainerUniqueId | Text | Recovery Services vault | Unique identifier of the protected container associated with the backup item |

+| SchemaVersion | Text | Recovery Services vault | Version of the schema. For example, **V2** |

+| State | Text | Recovery Services vault | State of the backup item object. For example, Active, Deleted |

+| StorageAllocatedInMBs | Number | Recovery Services vault | Size of storage allocated by the corresponding backup item in the corresponding storage of type Disk |

+| StorageConsumedInMBs | Number | Recovery Services vault | Size of storage consumed by the corresponding backup item in the corresponding storage |

+| StorageName | Text | Recovery Services vault | Name of storage entity. For example, E:\ |

+| StorageTotalSizeInGBs | Text | Recovery Services vault | Total size of storage, in GB, consumed by storage entity |

+| StorageType | Text | Recovery Services vault | Type of Storage, for example Cloud, Volume, Disk |

+| StorageUniqueId | Text | Recovery Services vault | Unique ID used to identify the storage entity |

+| VaultUniqueId | Text | Recovery Services vault | Unique ID used to identify the vault related to the storage entity |

+| VolumeFriendlyName | Text | Recovery Services vault | Friendly name of the storage volume |

+| SourceSystem | Text | Recovery Services vault | Source system of the current data - Azure |

+**Choose a vault type**:

+# [Recovery Services vaults](#tab/recovery-services-vaults)

+# [Backup vaults](#tab/backup-vaults)

+| **Table Name / Category** | **Supported Operation Names** | **Description** |

+| - | |-- |

+| CoreAzureBackup | BackupItem | Represents a record containing all details of a given backup item, such as ID, name, type, etc. |

+| CoreAzureBackup | Vault | Represents a record containing all details of a given vault eg. ID, name, tags, location etc. |

+| AddonAzureBackupJobs | Job | Represents a record containing all details of a given job. For example, job operation, start time, status etc. |

+| AddonAzureBackupProtectedInstance | ProtectedInstance | Represents a record containing the protected instance count for each container or backup item. For Azure VM backup, the protected instance count is available at the backup item level, for other workloads it is available at the protected container level. |

+| AddonAzureBackupPolicy | Policy | Represents a record containing all details of a backup and retention policy. For example, ID, name, retention settings, etc. |

+sudo pvs -o +vguuid

+```output

+```output

+sudo vgimportclone -n rootvg_new /dev/sdm2

+sudo vgimportclone -n APPVg_2 /dev/sdg /dev/sdh

+sudo vgdisplay -a

+sudo vgchange ΓÇôa y <volume-group-name>

+sudo lvdisplay <volume-group-name>

+sudo mount <LV path from the lvdisplay cmd results> </mountpath>

+sudo mdadm ΓÇôdetail ΓÇôscan

+sudo mount [RAID Disk Path] [/mountpath]

+ - For Ubuntu/Debian:

+ ```bash

+ sudo systemctl restart walinuxagent

+ ```

+

+ - For other distributions:

+ ```bash

+ sudo systemctl restart waagent

+ ```

+ ```bash

+ nslookup download.microsoft.com

+ ```

+ ```bash

+ ping download.microsoft.com

+ ```

+

+ ```bash

+ nslookup download.microsoft.com

+ ```

+ ```bash

+ ping download.microsoft.com

+ ```

+ ```bash

+ lsblk -f

+ ```

+- [Recover files and folders from Azure virtual machine backup](backup-azure-restore-files-from-vm.md)

+| Insights | View Backup Reports | Azure Virtual Machine <br><br> SQL in Azure Virtual Machine <br><br> SAP HANA in Azure Virtual Machine <br><br> Azure Files <br><br> System Center Data Protection Manager <br><br> Azure Backup Agent (MARS) <br><br> Azure Backup Server (MABS) <br><br> Azure Blobs <br><br> Azure Disks <br><br> Azure Database for PostgreSQL Server | See [supported scenarios for Backup Reports](./configure-reports.md#supported-scenarios). |

+> [!NOTE]

+> Support for Backup vault workloads (Azure Database for PostgreSQL Server, Azure Blobs, Azure Disks) is added to the logic app templates in April 2023. So, if you've deployed these logic apps on an earlier date, you'll have to redeploy these using the above steps if you want to see data for Backup vault workloads in your email reports.

+### Scenario 3: Error in authorizing Microsoft 365 API connection

+When attempting to authorize the Microsoft 365 API connection, you might see an error of the form _Test connection failed. Error 'REST API is not yet supported for this mailbox. This error can occur for sandbox (test) accounts or for accounts that are on a dedicated (on-premises) mail server._

+[Learn more about Backup Reports](./configure-reports.md)

+Azure Backup provides a set of functions, called system functions or solution functions that are available by default in your Log Analytics (LA) workspaces.

+* **Simpler queries**: Using functions helps you reduce the number of joins needed in your queries. By default, the functions return ΓÇÿflattenedΓÇÖ schemas that incorporate all information pertaining to the entity (backup instance, job, vault, and so on) being queried. For example, if you need to get a list of successful backup jobs by backup item name and its associated container, a simple call to the **_AzureBackup_getJobs()** function will give you all of this information for each job. On the other hand, querying the raw tables directly would require you to perform multiple joins between [AddonAzureBackupJobs](./backup-azure-reports-data-model.md#addonazurebackupjobs) and [CoreAzureBackup](./backup-azure-reports-data-model.md#coreazurebackup) tables.

+* **Smoother transition from the legacy diagnostics event**: Using system functions helps you transition smoothly from the [legacy diagnostics event](./backup-azure-diagnostic-events.md#legacy-event) (AzureBackupReport in AzureDiagnostics mode) to the [resource-specific events](./backup-azure-diagnostic-events.md#diagnostics-events-available-for-azure-backup-users). All the system functions provided by Azure Backup allows you to specify a parameter that lets you choose whether the function should query data only from the resource-specific tables, or query data from both the legacy table and the resource-specific tables (with deduplication of records).

+| **Parameter Name** | **Description** | **Required?** | **Example value** | **Data type** |

+| -- | - | | -- | -- |

+| RangeStart | Use this parameter along with RangeEnd parameter only if you need to fetch all vault-related records in the time period from RangeStart to RangeEnd. By default, the value of RangeStart and RangeEnd are null, which will make the function retrieve only the latest record for each vault. | N | "2021-03-03 00:00:00" | DateTime |

+| RangeEnd | Use this parameter along with RangeStart parameter only if you need to fetch all vault-related records in the time period from RangeStart to RangeEnd. By default, the value of RangeStart and RangeEnd are null, which will make the function retrieve only the latest record for each vault. | N |"2021-03-10 00:00:00"| DateTime |

+| VaultSubscriptionList | Use this parameter to filter the output of the function for a certain set of subscriptions where backup data exists. Specifying a comma-separated list of subscription IDs as a parameter to this function helps you retrieve only those vaults that are in the specified subscriptions. By default, the value of this parameter is '*', which makes the function search for records across all subscriptions. | N | "00000000-0000-0000-0000-000000000000,11111111-1111-1111-1111-111111111111"| String |

+| VaultLocationList | Use this parameter to filter the output of the function for a certain set of regions where backup data exists. Specifying a comma-separated list of regions as a parameter to this function helps you retrieve only those vaults that are in the specified regions. By default, the value of this parameter is '*', which makes the function search for records across all regions. | N | `eastus,westus`| String |

+| VaultList |Use this parameter to filter the output of the function for a certain set of vaults. Specifying a comma-separated list of vault names as a parameter to this function helps you retrieve records pertaining only to the specified vaults. By default, the value of this parameter is '*', which makes the function search for records across all vaults. | N |`vault1,vault2,vault3`| String |

+| VaultTypeList | Use this parameter to filter the output of the function to records pertaining to a particular vault type. By default, the value of this parameter is '*', which makes the function search for both Recovery Services vaults and Backup vaults. | N | "Microsoft.RecoveryServices/vaults"| String |

+| ExcludeLegacyEvent | Use this parameter to choose whether to query data in the legacy AzureDiagnostics table or not. If the value of this parameter is false, the function queries data from both the AzureDiagnostics table and the Resource specific tables. If the value of this parameter is true, the function queries data from only the Resource specific tables. Default value is true. | N | true | Boolean |

+| **Field Name** | **Description** | **Data type** |

+| -- | | |

+| UniqueId | Primary key denoting unique ID of the vault | String |

+| Id | Azure Resource Manager (ARM) ID of the vault | String |

+| Name | Name of the vault | String |

+| SubscriptionId | ID of the subscription in which the vault exists | String |

+| Location | Location in which the vault exists | String |

+| VaultStore_StorageReplicationType | Storage Replication Type associated with the vault | String |

+| Tags | Tags of the vault | String |

+| TimeGenerated | Timestamp of the record | DateTime |

+| Type | Type of the vault, for example, "Microsoft.RecoveryServices/vaults" or "Microsoft.DataProtection/backupVaults"| String |

+| **Parameter Name** | **Description** | **Required?** | **Example value** | **Data type** |

+| -- | - | | -- | -- |

+| RangeStart | Use this parameter along with the RangeStart parameter only if you need to fetch all policy-related records in the time period from RangeStart to RangeEnd. By default, the value of RangeStart and RangeEnd are null, which will make the function retrieve only the latest record for each policy. | N | "2021-03-03 00:00:00" | DateTime |

+| RangeEnd | Use this parameter along with RangeStart parameter only if you need to fetch all policy-related records in the time period from RangeStart to RangeEnd. By default, the value of RangeStart and RangeEnd are null, which will make the function retrieve only the latest record for each policy. | N |"2021-03-10 00:00:00"| DateTime |

+| VaultSubscriptionList | Use this parameter to filter the output of the function for a certain set of subscriptions where backup data exists. Specifying a comma-separated list of subscription IDs as a parameter to this function helps you retrieve only those policies that are in the specified subscriptions. By default, the value of this parameter is '*', which makes the function search for records across all subscriptions. | N | "00000000-0000-0000-0000-000000000000,11111111-1111-1111-1111-111111111111"| String |

+| VaultLocationList | Use this parameter to filter the output of the function for a certain set of regions where backup data exists. Specifying a comma-separated list of regions as a parameter to this function helps you retrieve only those policies that are in the specified regions. By default, the value of this parameter is '*', which makes the function search for records across all regions. | N | `eastus,westus`| String |

+| VaultList |Use this parameter to filter the output of the function for a certain set of vaults. Specifying a comma-separated list of vault names as a parameter to this function helps you retrieve records of policies pertaining only to the specified vaults. By default, the value of this parameter is '*', which makes the function search for records of policies across all vaults. | N |`vault1,vault2,vault3`| String |

+| VaultTypeList | Use this parameter to filter the output of the function to records pertaining to a particular vault type. By default, the value of this parameter is '*', which makes the function search for both Recovery Services vaults and Backup vaults. | N | "Microsoft.RecoveryServices/vaults"| String |

+| ExcludeLegacyEvent | Use this parameter to choose whether to query data in the legacy AzureDiagnostics table or not. If the value of this parameter is false, the function queries data from both the AzureDiagnostics table and the Resource specific tables. If the value of this parameter is true, the function queries data from only the Resource specific tables. Default value is true. | N | true | Boolean |

+| BackupSolutionList | Use this parameter to filter the output of the function for a certain set of backup solutions used in your Azure environment. For example, if you specify `Azure Virtual Machine Backup,SQL in Azure VM Backup,DPM` as the value of this parameter, the function only returns records that are related to items backed up using Azure Virtual Machine backup, SQL in Azure VM backup or DPM to Azure backup. By default, the value of this parameter is '*', which makes the function return records pertaining to all backup solutions that are supported by Backup Reports (supported values are "Azure Virtual Machine Backup", "SQL in Azure VM Backup", "SAP HANA in Azure VM Backup", "Azure Storage (Azure Files) Backup", "Azure Backup Agent", "DPM", "Azure Backup Server", "Azure Database for PostgreSQL Server Backup", "Azure Blob Backup", "Azure Disk Backup" or a comma-separated combination of any of these values). | N | `Azure Virtual Machine Backup,SQL in Azure VM Backup,DPM,Azure Backup Agent` | String |

+| **Field Name** | **Description** | **Data type **

+| -- | | |

+| UniqueId | Primary key denoting unique ID of the policy | String |

+| Id | Azure Resource Manager (ARM) ID of the policy | String |

+| Name | Name of the policy | String |

+| TimeZone | Timezone in which the policy is defined | String |

+| Backup Solution | Backup Solution that the policy is associated with. For example, Azure VM Backup, SQL in Azure VM Backup, and so on. | String |

+| TimeGenerated | Timestamp of the record | Datetime |

+| VaultUniqueId | Foreign key that refers to the vault associated with the policy | String |

+| VaultResourceId | Azure Resource Manager (ARM) ID of the vault associated with the policy | String |

+| VaultName | Name of the vault associated with the policy | String |

+| VaultTags | Tags of the vault associated with the policy | String |

+| VaultLocation | Location of the vault associated with the policy | String |

+| VaultSubscriptionId | Subscription ID of the vault associated with the policy | String |

+| VaultStore_StorageReplicationType | Storage Replication Type of the vault associated with the policy | String |

+| VaultType | Type of the vault, for example, "Microsoft.RecoveryServices/vaults" or "Microsoft.DataProtection/backupVaults" | String |

+| ExtendedProperties | Additional properties of the policy | Dynamic |

+| **Parameter Name** | **Description** | **Required?** | **Example value** | **Data type ** |

+| -- | - | | -- | -- |

+| RangeStart | Use this parameter along with RangeEnd parameter to retrieve the list of all jobs that started in the time period from RangeStart to RangeEnd. | Y | "2021-03-03 00:00:00" | DateTime |

+| RangeEnd | Use this parameter along with RangeStart parameter to retrieve the list of all jobs that started in the time period from RangeStart to RangeEnd. | Y |"2021-03-10 00:00:00" | DateTime |

+| VaultSubscriptionList | Use this parameter to filter the output of the function for a certain set of subscriptions where backup data exists. Specifying a comma-separated list of subscription IDs as a parameter to this function helps you retrieve only those jobs that are associated with vaults in the specified subscriptions. By default, the value of this parameter is '*', which makes the function search for records across all subscriptions. | N | "00000000-0000-0000-0000-000000000000,11111111-1111-1111-1111-111111111111"| String |

+| VaultLocationList | Use this parameter to filter the output of the function for a certain set of regions where backup data exists. Specifying a comma-separated list of regions as a parameter to this function helps you retrieve only those jobs that are associated with vaults in the specified regions. By default, the value of this parameter is '*', which makes the function search for records across all regions. | N | `eastus,westus`| String |

+| VaultList | Use this parameter to filter the output of the function for a certain set of vaults. Specifying a comma-separated list of vault names as a parameter to this function helps you retrieve jobs pertaining only to the specified vaults. By default, the value of this parameter is '*', which makes the function search for jobs across all vaults. | N |`vault1,vault2,vault3` | String |

+| VaultTypeList | Use this parameter to filter the output of the function to records pertaining to a particular vault type. By default, the value of this parameter is '*', which makes the function search for both Recovery Services vaults and Backup vaults. | N | "Microsoft.RecoveryServices/vaults"| String |

+| ExcludeLegacyEvent | Use this parameter to choose whether to query data in the legacy AzureDiagnostics table or not. If the value of this parameter is false, the function queries data from both the AzureDiagnostics table and the Resource specific tables. If the value of this parameter is true, the function queries data from only the Resource specific tables. Default value is true. | N | true | Boolean |

+| BackupSolutionList | Use this parameter to filter the output of the function for a certain set of backup solutions used in your Azure environment. For example, if you specify `Azure Virtual Machine Backup,SQL in Azure VM Backup,DPM` as the value of this parameter, the function only returns records that are related to items backed up using Azure Virtual Machine backup, SQL in Azure VM backup or DPM to Azure backup. By default, the value of this parameter is '*', which makes the function return records pertaining to all backup solutions that are supported by Backup Reports (supported values are "Azure Virtual Machine Backup", "SQL in Azure VM Backup", "SAP HANA in Azure VM Backup", "Azure Storage (Azure Files) Backup", "Azure Backup Agent", "DPM", "Azure Backup Server", "Azure Database for PostgreSQL Server Backup", "Azure Blob Backup", "Azure Disk Backup" or a comma-separated combination of any of these values). | N | `Azure Virtual Machine Backup,SQL in Azure VM Backup,DPM,Azure Backup Agent` | String |

+| JobOperationList | Use this parameter to filter the output of the function for a specific type of job. For example, Backup or Restore. By default, the value of this parameter is "*", which makes the function search for both Backup and Restore jobs. | N | "Backup" | String |

+| JobStatusList | Use this parameter to filter the output of the function for a specific job status. For example, Completed, Failed, and so on. By default, the value of this parameter is "*", which makes the function search for all jobs irrespective of status. | N | `Failed,CompletedWithWarnings` | String |

+| JobFailureCodeList | Use this parameter to filter the output of the function for a specific failure code. By default, the value of this parameter is "*", which makes the function search for all jobs irrespective of failure code. | N | "Success" | String |

+| DatasourceSetName | Use this parameter to filter the output of the function to a particular parent resource. For example, to return SQL in Azure VM backup instances belonging to the virtual machine "testvm", specify _testvm_ as the value of this parameter. By default, the value is "*", which makes the function search for records across all backup instances. | N | "testvm" | String |

+| BackupInstanceName | Use this parameter to search for jobs on a particular backup instance by name. By default, the value is "*", which makes the function search for records across all backup instances. | N | "testvm" | String |

+| ExcludeLog | Use this parameter to exclude log jobs from being returned by the function (helps in query performance). By default, the value of this parameter is true, which makes the function exclude log jobs. | N | true | Boolean |

+| **Field Name** | **Description** | **Data type ** |

+| -- | | |

+| UniqueId | Primary key denoting unique ID of the job | String |

+| OperationCategory | Category of the operation being performed. For example, Backup, Restore | String |

+| Operation | Details of the operation being performed. For example, Log (for log backup) | String |

+| Status | Status of the job. For example, Completed, Failed, CompletedWithWarnings | String |

+| ErrorTitle | Failure code of the job | String |

+| StartTime | Date and time at which the job started | DateTime |

+| DurationInSecs | Duration of the job in seconds | Double |

+| DataTransferredInMBs | Data transferred by the job in MBs. Currently, this field is only supported for Recovery Services vault workloads | Double |

+| RestoreJobRPDateTime | The date and time when the recovery point that's being recovered was created. Currently, this field is only supported for Recovery Services vault workloads | DateTime |

+| RestoreJobRPLocation | The location where the recovery point that's being recovered was stored | String |

+| BackupInstanceUniqueId | Foreign key that refers to the backup instance associated with the job | String |

+| BackupInstanceId | Azure Resource Manager (ARM) ID of the backup instance associated with the job | String |

+| BackupInstanceFriendlyName | Name of the backup instance associated with the job | String |

+| DatasourceResourceId | Azure Resource Manager (ARM) ID of the underlying datasource associated with the job. For example, Azure Resource Manager (ARM) ID of the VM | String |

+| DatasourceFriendlyName | Friendly name of the underlying datasource associated with the job | String |

+| DatasourceType | Type of the datasource associated with the job. For example "Microsoft.Compute/virtualMachines" | String |

+| BackupSolution | Backup Solution that the job is associated with. For example, Azure VM Backup, SQL in Azure VM Backup, and so on. | String |

+| DatasourceSetResourceId | Azure Resource Manager (ARM) ID of the parent resource of the datasource (wherever applicable). For example, for a SQL in Azure VM datasource, this field will contain the Azure Resource Manager (ARM) ID of the VM in which the SQL Database exists | String |

+| DatasourceSetType | Type of the parent resource of the datasource (wherever applicable). For example, for an SAP HANA in Azure VM datasource, this field will be Microsoft.Compute/virtualMachines since the parent resource is an Azure VM | String |

+| VaultResourceId | Azure Resource Manager (ARM) ID of the vault associated with the job | String |

+| VaultUniqueId | Foreign key that refers to the vault associated with the job | String |

+| VaultName | Name of the vault associated with the job | String |

+| VaultTags | Tags of the vault associated with the job | String |

+| VaultSubscriptionId | Subscription ID of the vault associated with the job | String |

+| VaultLocation | Location of the vault associated with the job | String |

+| VaultStore_StorageReplicationType | Storage Replication Type of the vault associated with the job | String |

+| VaultType | Type of the vault, for example, "Microsoft.RecoveryServices/vaults" or "Microsoft.DataProtection/backupVaults" | String |

+| TimeGenerated | Timestamp of the record | DateTime|

+| **Parameter Name** | **Description** | **Required?** | **Example value** | **Data type ** |

+| -- | - | | -- | -- |

+| RangeStart | Use this parameter along with RangeEnd parameter only if you need to fetch all backup instance-related records in the time period from RangeStart to RangeEnd. By default, the value of RangeStart and RangeEnd are null, which will make the function retrieve only the latest record for each backup instance. | N | "2021-03-03 00:00:00" | DataTime |

+| RangeEnd | Use this parameter along with RangeStart parameter only if you need to fetch all backup instance-related records in the time period from RangeStart to RangeEnd. By default, the value of RangeStart and RangeEnd are null, which will make the function retrieve only the latest record for each backup instance. | N |"2021-03-10 00:00:00"| DateTime |

+| VaultSubscriptionList | Use this parameter to filter the output of the function for a certain set of subscriptions where backup data exists. Specifying a comma-separated list of subscription IDs as a parameter to this function helps you retrieve only those backup instances that are in the specified subscriptions. By default, the value of this parameter is '*', which makes the function search for records across all subscriptions. | N | "00000000-0000-0000-0000-000000000000,11111111-1111-1111-1111-111111111111" | String |

+| VaultLocationList | Use this parameter to filter the output of the function for a certain set of regions where backup data exists. Specifying a comma-separated list of regions as a parameter to this function helps you retrieve only those backup instances that are in the specified regions. By default, the value of this parameter is '*', which makes the function search for records across all regions. | N | `eastus,westus` | String |

+| VaultList |Use this parameter to filter the output of the function for a certain set of vaults. Specifying a comma-separated list of vault names as a parameter to this function helps you retrieve records of backup instances pertaining only to the specified vaults. By default, the value of this parameter is '*', which makes the function search for records of backup instances across all vaults. | N |`vault1,vault2,vault3` | String |

+| VaultTypeList | Use this parameter to filter the output of the function to records pertaining to a particular vault type. By default, the value of this parameter is '*', which makes the function search for both Recovery Services vaults and Backup vaults. | N | "Microsoft.RecoveryServices/vaults" | String |

+| ExcludeLegacyEvent | Use this parameter to choose whether to query data in the legacy AzureDiagnostics table or not. If the value of this parameter is false, the function queries data from both the AzureDiagnostics table and the Resource specific tables. If the value of this parameter is true, the function queries data from only the Resource specific tables. Default value is true. | N | true | Boolean |

+| BackupSolutionList | Use this parameter to filter the output of the function for a certain set of backup solutions used in your Azure environment. For example, if you specify `Azure Virtual Machine Backup,SQL in Azure VM Backup,DPM` as the value of this parameter, the function only returns records that are related to items backed up using Azure Virtual Machine backup, SQL in Azure VM backup or DPM to Azure backup. By default, the value of this parameter is '*', which makes the function return records pertaining to all backup solutions that are supported by Backup Reports (supported values are "Azure Virtual Machine Backup", "SQL in Azure VM Backup", "SAP HANA in Azure VM Backup", "Azure Storage (Azure Files) Backup", "Azure Backup Agent", "DPM", "Azure Backup Server", "Azure Database for PostgreSQL Server Backup", "Azure Blob Backup", "Azure Disk Backup" or a comma-separated combination of any of these values). | N | `Azure Virtual Machine Backup,SQL in Azure VM Backup,DPM,Azure Backup Agent` | String |

+| ProtectionInfoList | Use this parameter to choose whether to include only those backup instances that are actively protected, or to also include those instances for which protection has been stopped and instances for which initial backup is pending. For Recovery services vault workloads, supported values are "Protected", "ProtectionStopped", "InitialBackupPending" or a comma-separated combination of any of these values. For Backup vault workloads, supported values are "Protected", "ConfiguringProtection", "ConfiguringProtectionFailed", "UpdatingProtection", "ProtectionError", "ProtectionStopped" or a comma-separated combination of any of these values. By default, the value is "*", which makes the function search for all backup instances irrespective of protection details. | N | "Protected" | String |

+| DatasourceSetName | Use this parameter to filter the output of the function to a particular parent resource. For example, to return SQL in Azure VM backup instances belonging to the virtual machine "testvm", specify _testvm_ as the value of this parameter. By default, the value is "*", which makes the function search for records across all backup instances. | N | "testvm" | String |

+| BackupInstanceName | Use this parameter to search for a particular backup instance by name. By default, the value is "*", which makes the function search for all backup instances. | N | "testvm" | String |

+| DisplayAllFields | Use this parameter to choose whether to retrieve only a subset of the fields returned by the function. If the value of this parameter is false, the function eliminates storage and retention point related information from the output of the function. This is useful if you are using this function as an intermediate step in a larger query and need to optimize the performance of the query by eliminating columns which you do not require for analysis. By default, the value of this parameter is true, which makes the function return all fields pertaining to the backup instance. | N | true | Boolean |

+| **Field Name** | **Description** | **Data type** |

+| -- | | |

+| UniqueId | Primary key denoting unique ID of the backup instance | String |

+| Id | Azure Resource Manager (ARM) ID of the backup instance | String |

+| FriendlyName | Friendly name of the backup instance | String |

+| ProtectionInfo | Information about the protection settings of the backup instance. For example, protection is configured, protection stopped, initial backup pending | String |

+| LatestRecoveryPoint | Date and time of the latest recovery point associated with the backup instance. Currently, this field is only supported for Recovery Services vault workloads. | DateTime |

+| OldestRecoveryPoint | Date and time of the oldest recovery point associated with the backup instance. Currently, this field is only supported for Recovery Services vault workloads. | DateTime |

+| SourceSizeInMBs | Frontend size of the backup instance in MBs | Double |

+| VaultStore_StorageConsumptionInMBs | Total cloud storage consumed by the backup instance in the vault-standard tier | Double |

+| DataSourceFriendlyName | Friendly name of the datasource corresponding to the backup instance | String |

+| BackupSolution | Backup Solution that the backup instance is associated with. For example, Azure VM Backup, SQL in Azure VM Backup, and so on. | String |

+| DatasourceType | Type of the datasource corresponding to the backup instance. For example "Microsoft.Compute/virtualMachines" | String |

+| DatasourceResourceId | Azure Resource Manager (ARM) ID of the underlying datasource corresponding to the backup instance. For example, Azure Resource Manager (ARM) ID of the VM | String |

+| DatasourceSetFriendlyName | Friendly name of the parent resource of the datasource (wherever applicable). For example, for a SQL in Azure VM datasource, this field will contain the name of the VM in which the SQL Database exists | String |

+| DatasourceSetFriendlyName | Friendly name of the parent resource of the datasource (wherever applicable). For example, for a SQL in Azure VM datasource, this field will contain the name of the VM in which the SQL Database exists | String |

+| DatasourceSetResourceId | Azure Resource Manager (ARM) ID of the parent resource of the datasource (wherever applicable). For example, for a SQL in Azure VM datasource, this field will contain the Azure Resource Manager (ARM) ID of the VM in which the SQL Database exists | String |

+| DatasourceSetType | Type of the parent resource of the datasource (wherever applicable). For example, for an SAP HANA in Azure VM datasource, this field will be Microsoft.Compute/virtualMachines since the parent resource is an Azure VM | String |

+| PolicyName | Name of the policy associated with the backup instance | String |

+| PolicyUniqueId | Foreign key that refers to the policy associated with the backup instance | String |

+| PolicyId | Azure Resource Manager (ARM) ID of the policy associated with the backup instance | String |

+| VaultResourceId | Azure Resource Manager (ARM) ID of the vault associated with the backup instance | String |

+| VaultUniqueId | Foreign key which refers to the vault associated with the backup instance | String |

+| VaultName | Name of the vault associated with the backup instance | String |

+| VaultTags | Tags of the vault associated with the backup instance | String |

+| VaultSubscriptionId | Subscription ID of the vault associated with the backup instance | String |

+| VaultLocation | Location of the vault associated with the backup instance | String |

+| VaultStore_StorageReplicationType | Storage Replication Type of the vault associated with the backup instance | String |

+| VaultType | Type of the vault, which is "Microsoft.RecoveryServices/vaults" or "Microsoft.DataProtection/backupVaults" | String |

+| TimeGenerated | Timestamp of the record | DateTime |

+| **Parameter Name** | **Description** | **Required?** | **Example value** | **Date type**

+| -- | - | | -- | -- |

+| RangeStart | Use this parameter along with RangeEnd parameter only if you need to fetch all billing group related records in the time period from RangeStart to RangeEnd. By default, the value of RangeStart and RangeEnd are null, which will make the function retrieve only the latest record for each billing group. | N | "2021-03-03 00:00:00" | DateTime |

+| RangeEnd | Use this parameter along with RangeStart parameter only if you need to fetch all billing group related records in the time period from RangeStart to RangeEnd. By default, the value of RangeStart and RangeEnd are null, which will make the function retrieve only the latest record for each billing group. | N |"2021-03-10 00:00:00"| DateTime |

+| VaultSubscriptionList | Use this parameter to filter the output of the function for a certain set of subscriptions where backup data exists. Specifying a comma-separated list of subscription IDs as a parameter to this function helps you retrieve only those billing groups that are in the specified subscriptions. By default, the value of this parameter is '*', which makes the function search for records across all subscriptions. | N | "00000000-0000-0000-0000-000000000000,11111111-1111-1111-1111-111111111111" | String |

+| VaultLocationList | Use this parameter to filter the output of the function for a certain set of regions where backup data exists. Specifying a comma-separated list of regions as a parameter to this function helps you retrieve only those billing groups that are in the specified regions. By default, the value of this parameter is '*', which makes the function search for records across all regions. | N | `eastus,westus` | String |

+| VaultList |Use this parameter to filter the output of the function for a certain set of vaults. Specifying a comma-separated list of vault names as a parameter to this function helps you retrieve records of backup instances pertaining only to the specified vaults. By default, the value of this parameter is '*', which makes the function search for records of billing groups across all vaults. | N | `vault1,vault2,vault3` | String |

+| VaultTypeList | Use this parameter to filter the output of the function to records pertaining to a particular vault type. By default, the value of this parameter is '*', which makes the function search for both Recovery Services vaults and Backup vaults. | N | "Microsoft.RecoveryServices/vaults" | String |

+| ExcludeLegacyEvent | Use this parameter to choose whether to query data in the legacy AzureDiagnostics table or not. If the value of this parameter is false, the function queries data from both the AzureDiagnostics table and the Resource specific tables. If the value of this parameter is true, the function queries data from only the Resource specific tables. Default value is true. | N | true | Boolean |

+| BackupSolutionList | Use this parameter to filter the output of the function for a certain set of backup solutions used in your Azure environment. For example, if you specify `Azure Virtual Machine Backup,SQL in Azure VM Backup,DPM` as the value of this parameter, the function only returns records that are related to items backed up using Azure Virtual Machine backup, SQL in Azure VM backup or DPM to Azure backup. By default, the value of this parameter is '*', which makes the function return records pertaining to all backup solutions that are supported by Backup Reports (supported values are "Azure Virtual Machine Backup", "SQL in Azure VM Backup", "SAP HANA in Azure VM Backup", "Azure Storage (Azure Files) Backup", "Azure Backup Agent", "DPM", "Azure Backup Server", "Azure Database for PostgreSQL Server Backup", "Azure Blob Backup", "Azure Disk Backup" or a comma-separated combination of any of these values). | N | `Azure Virtual Machine Backup,SQL in Azure VM Backup,DPM,Azure Backup Agent` | String |

+| BillingGroupName | Use this parameter to search for a particular billing group by name. By default, the value is "*", which makes the function search for all billing groups. | N | "testvm" | String |

+| **Field Name** | **Description** | **Data type** |

+| -- | | |

+| UniqueId | Primary key denoting unique ID of the billing group | String |

+| FriendlyName | Friendly name of the billing group | String |

+| Name | Name of the billing group | String |

+| Type | Type of billing group. For example, ProtectedContainer or BackupItem | String |

+| SourceSizeInMBs | Frontend size of the billing group in MBs | Double |

+| VaultStore_StorageConsumptionInMBs | Total cloud storage consumed by the billing group in the vault-standard tier | Double |

+| BackupSolution | Backup Solution that the billing group is associated with. For example, Azure VM Backup, SQL in Azure VM Backup, and so on. | String |

+| VaultResourceId | Azure Resource Manager (ARM) ID of the vault associated with the billing group | String |

+| VaultUniqueId | Foreign key which refers to the vault associated with the billing group | String |

+| VaultName | Name of the vault associated with the billing group | String |

+| VaultTags | Tags of the vault associated with the billing group | String |

+| VaultSubscriptionId | Subscription ID of the vault associated with the billing group | String |

+| VaultLocation | Location of the vault associated with the billing group | String |

+| VaultStore_StorageReplicationType | Storage Replication Type of the vault associated with the billing group | String |

+| VaultType | Type of the vault, for example, "Microsoft.RecoveryServices/vaults" or "Microsoft.DataProtection/backupVaults" | String |

+| TimeGenerated | Timestamp of the record | DateTime |

+| ExtendedProperties | Additional properties of the billing group | Dynamic |

+This function returns historical records for each backup instance, allowing you to view key daily, weekly and monthly trends related to the backup instance count and storage consumption, at multiple levels of granularity.

+| **Parameter Name** | **Description** | **Required?** | **Example value** | **Data type** |

+| -- | - | | -- | -- |

+| RangeStart | Use this parameter along with RangeEnd parameter to retrieve all backup instance related records in the time period from RangeStart to RangeEnd. | Y | "2021-03-03 00:00:00" | DateTime |

+| RangeEnd | Use this parameter along with RangeStart parameter to retrieve all backup instance related records in the time period from RangeStart to RangeEnd. | Y |"2021-03-10 00:00:00" | DateTime |

+| VaultSubscriptionList | Use this parameter to filter the output of the function for a certain set of subscriptions where backup data exists. Specifying a comma-separated list of subscription IDs as a parameter to this function helps you retrieve only those backup instances that are in the specified subscriptions. By default, the value of this parameter is '*', which makes the function search for records across all subscriptions. | N | "00000000-0000-0000-0000-000000000000,11111111-1111-1111-1111-111111111111"| String |

+| VaultLocationList | Use this parameter to filter the output of the function for a certain set of regions where backup data exists. Specifying a comma-separated list of regions as a parameter to this function helps you retrieve only those backup instances that are in the specified regions. By default, the value of this parameter is '*', which makes the function search for records across all regions. | N | `eastus,westus` | String |

+| VaultList |Use this parameter to filter the output of the function for a certain set of vaults. Specifying a comma-separated list of vault names as a parameter to this function helps you retrieve records of backup instances pertaining only to the specified vaults. By default, the value of this parameter is '*', which makes the function search for records of backup instances across all vaults. | N |`vault1,vault2,vault3` | String |

+| VaultTypeList | Use this parameter to filter the output of the function to records pertaining to a particular vault type. By default, the value of this parameter is '*', which makes the function search for both Recovery Services vaults and Backup vaults. | N | "Microsoft.RecoveryServices/vaults" | String |

+| ExcludeLegacyEvent | Use this parameter to choose whether to query data in the legacy AzureDiagnostics table or not. If the value of this parameter is false, the function queries data from both the AzureDiagnostics table and the Resource specific tables. If the value of this parameter is true, the function queries data from only the Resource specific tables. Default value is true. | N | true | Boolean |

+| BackupSolutionList | Use this parameter to filter the output of the function for a certain set of backup solutions used in your Azure environment. For example, if you specify `Azure Virtual Machine Backup,SQL in Azure VM Backup,DPM` as the value of this parameter, the function only returns records that are related to items backed up using Azure Virtual Machine backup, SQL in Azure VM backup or DPM to Azure backup. By default, the value of this parameter is '*', which makes the function return records pertaining to all backup solutions that are supported by Backup Reports (supported values are "Azure Virtual Machine Backup", "SQL in Azure VM Backup", "SAP HANA in Azure VM Backup", "Azure Storage (Azure Files) Backup", "Azure Backup Agent", "DPM", "Azure Backup Server", "Azure Database for PostgreSQL Server Backup", "Azure Blob Backup", "Azure Disk Backup" or a comma-separated combination of any of these values). | N | `Azure Virtual Machine Backup,SQL in Azure VM Backup,DPM,Azure Backup Agent` | String |

+| ProtectionInfoList | Use this parameter to choose whether to include only those backup instances that are actively protected, or to also include those instances for which protection has been stopped and instances for which initial backup is pending. For Recovery services vault workloads, supported values are "Protected", "ProtectionStopped", "InitialBackupPending" or a comma-separated combination of any of these values. For Backup vault workloads, supported values are "Protected", "ConfiguringProtection", "ConfiguringProtectionFailed", "UpdatingProtection", "ProtectionError", "ProtectionStopped" or a comma-separated combination of any of these values. By default, the value is "*", which makes the function search for all backup instances irrespective of protection details. | N | "Protected" | String |

+| DatasourceSetName | Use this parameter to filter the output of the function to a particular parent resource. For example, to return SQL in Azure VM backup instances belonging to the virtual machine "testvm", specify _testvm_ as the value of this parameter. By default, the value is "*", which makes the function search for records across all backup instances. | N | "testvm" | String |

+| BackupInstanceName | Use this parameter to search for a particular backup instance by name. By default, the value is "*", which makes the function search for all backup instances. | N | "testvm" | String |

+| DisplayAllFields | Use this parameter to choose whether to retrieve only a subset of the fields returned by the function. If the value of this parameter is false, the function eliminates storage and retention point related information from the output of the function. This is useful if you are using this function as an intermediate step in a larger query and need to optimize the performance of the query by eliminating columns which you do not require for analysis. By default, the value of this parameter is true, which makes the function return all fields pertaining to the backup instance. | N | true | Boolean |

+| AggregationType | Use this parameter to specify the time granularity at which data should be retrieved. If the value of this parameter is "Daily", the function returns a record per backup instance per day, allowing you to analyze daily trends of storage consumption and backup instance count. If the value of this parameter is "Weekly", the function returns a record per backup instance per week, allowing you to analyze weekly trends. Similarly, you can specify "Monthly" to analyze monthly trends. Default value is "Daily". If you are viewing data across larger time ranges, it is recommended to use "Weekly" or "Monthly" for better query performance and ease of trend analysis. | N | "Weekly" | String |

+| **Field Name** | **Description** | **Data type** |

+| -- | | |

+| UniqueId | Primary key denoting unique ID of the backup instance | String|

+| Id | Azure Resource Manager (ARM) ID of the backup instance | String |

+| FriendlyName | Friendly name of the backup instance | String |

+| ProtectionInfo | Information about the protection settings of the backup instance. For example, protection is configured, protection stopped, initial backup pending | String |

+| LatestRecoveryPoint | Date and time of the latest recovery point associated with the backup instance. Currently, this field is only supported for Recovery Services vault workloads | DateTime |

+| OldestRecoveryPoint | Date and time of the oldest recovery point associated with the backup instance | Currently, this field is only supported for Recovery Services vault workloads |

+| SourceSizeInMBs | Frontend size of the backup instance in MBs | Double |

+| VaultStore_StorageConsumptionInMBs | Total cloud storage consumed by the backup instance in the vault-standard tier | Double |

+| DataSourceFriendlyName | Friendly name of the datasource corresponding to the backup instance | String |

+| BackupSolution | Backup Solution that the backup instance is associated with. For example, Azure VM Backup, SQL in Azure VM Backup, and so on. | String |

+| DatasourceType | Type of the datasource corresponding to the backup instance. For example "Microsoft.Compute/virtualMachines" | String |

+| DatasourceResourceId | Azure Resource Manager (ARM) ID of the underlying datasource corresponding to the backup instance. For example, Azure Resource Manager (ARM) ID of the VM | String |

+| DatasourceSetFriendlyName | Friendly name of the parent resource of the datasource (wherever applicable). For example, for a SQL in Azure VM datasource, this field will contain the name of the VM in which the SQL Database exists | String |

+| DatasourceSetResourceId | Azure Resource Manager (ARM) ID of the parent resource of the datasource (wherever applicable). For example, for a SQL in Azure VM datasource, this field will contain the Azure Resource Manager (ARM) ID of the VM in which the SQL Database exists | String |

+| DatasourceSetType | Type of the parent resource of the datasource (wherever applicable). For example, for an SAP HANA in Azure VM datasource, this field will be Microsoft.Compute/virtualMachines since the parent resource is an Azure VM | String |

+| PolicyName | Name of the policy associated with the backup instance | String |

+| PolicyUniqueId | Foreign key that refers to the policy associated with the backup instance | String |

+| PolicyId | Azure Resource Manager (ARM) ID of the policy associated with the backup instance | String |

+| VaultResourceId | Azure Resource Manager (ARM) ID of the vault associated with the backup instance | String |

+| VaultUniqueId | Foreign key which refers to the vault associated with the backup instance | String |

+| VaultName | Name of the vault associated with the backup instance | String |

+| VaultTags | Tags of the vault associated with the backup instance | String |

+| VaultSubscriptionId | Subscription ID of the vault associated with the backup instance | String |

+| VaultLocation | Location of the vault associated with the backup instance | String |

+| VaultStore_StorageReplicationType | Storage Replication Type of the vault associated with the backup instance | String |

+| VaultType | Type of the vault, for example, "Microsoft.RecoveryServices/vaults" or "Microsoft.DataProtection/backupVaults" | String |

+| TimeGenerated | Timestamp of the record | DateTime |

+| **Parameter Name** | **Description** | **Required?** | **Example value** | **Data type** |

+| -- | - | | -- | -- |

+| RangeStart | Use this parameter along with RangeEnd parameter to retrieve all billing group related records in the time period from RangeStart to RangeEnd. | Y | "2021-03-03 00:00:00" | DateTime |

+| RangeEnd | Use this parameter along with RangeStart parameter to retrieve all billing group related records in the time period from RangeStart to RangeEnd. | Y |"2021-03-10 00:00:00" | DateTime |

+| VaultSubscriptionList | Use this parameter to filter the output of the function for a certain set of subscriptions where backup data exists. Specifying a comma-separated list of subscription IDs as a parameter to this function helps you retrieve only those billing groups that are in the specified subscriptions. By default, the value of this parameter is '*', which makes the function search for records across all subscriptions. | N | "00000000-0000-0000-0000-000000000000,11111111-1111-1111-1111-111111111111" | String |

+| VaultLocationList | Use this parameter to filter the output of the function for a certain set of regions where backup data exists. Specifying a comma-separated list of regions as a parameter to this function helps you retrieve only those billing groups that are in the specified regions. By default, the value of this parameter is '*', which makes the function search for records across all regions. | N | `eastus,westus` | String |

+| VaultList | Use this parameter to filter the output of the function for a certain set of vaults. Specifying a comma-separated list of vault names as a parameter to this function helps you retrieve records of backup instances pertaining only to the specified vaults. By default, the value of this parameter is '*', which makes the function search for records of billing groups across all vaults. | N |`vault1,vault2,vault3` | String |

+| VaultTypeList | Use this parameter to filter the output of the function to records pertaining to a particular vault type. By default, the value of this parameter is '*', which makes the function search for both Recovery Services vaults and Backup vaults. | N | "Microsoft.RecoveryServices/vaults" | String |

+| ExcludeLegacyEvent | Use this parameter to choose whether to query data in the legacy AzureDiagnostics table or not. If the value of this parameter is false, the function queries data from both the AzureDiagnostics table and the Resource specific tables. If the value of this parameter is true, the function queries data from only the Resource specific tables. Default value is true. | N | true | Boolean |

+| BackupSolutionList | Use this parameter to filter the output of the function for a certain set of backup solutions used in your Azure environment. For example, if you specify `Azure Virtual Machine Backup,SQL in Azure VM Backup,DPM` as the value of this parameter, the function only returns records that are related to items backed up using Azure Virtual Machine backup, SQL in Azure VM backup or DPM to Azure backup. By default, the value of this parameter is '*', which makes the function return records pertaining to all backup solutions that are supported by Backup Reports (supported values are "Azure Virtual Machine Backup", "SQL in Azure VM Backup", "SAP HANA in Azure VM Backup", "Azure Storage (Azure Files) Backup", "Azure Backup Agent", "DPM", "Azure Backup Server", "Azure Database for PostgreSQL Server Backup", "Azure Blob Backup", "Azure Disk Backup" or a comma-separated combination of any of these values). | N | `Azure Virtual Machine Backup,SQL in Azure VM Backup,DPM,Azure Backup Agent` | String |

+| BillingGroupName | Use this parameter to search for a particular billing group by name. By default, the value is "*", which makes the function search for all billing groups. | N | "testvm" | String |

+| AggregationType | Use this parameter to specify the time granularity at which data should be retrieved. If the value of this parameter is "Daily", the function returns a record per billing group per day, allowing you to analyze daily trends of storage consumption and frontend size. If the value of this parameter is "Weekly", the function returns a record per backup instance per week, allowing you to analyze weekly trends. Similarly, you can specify "Monthly" to analyze monthly trends. Default value is "Daily". If you are viewing data across larger time ranges, it is recommended to use "Weekly" or "Monthly" for better query performance and ease of trend analysis. | N | "Weekly" | String |

+| **Field Name** | **Description** | **Data type** |

+| -- | | |

+| UniqueId | Primary key denoting unique ID of the billing group | String |

+| FriendlyName | Friendly name of the billing group | String |

+| Name | Name of the billing group | String |

+| Type | Type of billing group. For example, ProtectedContainer or BackupItem | String |

+| SourceSizeInMBs | Frontend size of the billing group in MBs | Double |

+| VaultStore_StorageConsumptionInMBs | Total cloud storage consumed by the billing group in the vault-standard tier | Double |

+| BackupSolution | Backup Solution that the billing group is associated with. For example, Azure VM Backup, SQL in Azure VM Backup, and so on. | String |

+| VaultResourceId | Azure Resource Manager (ARM) ID of the vault associated with the billing group | String |

+| VaultUniqueId | Foreign key which refers to the vault associated with the billing group | String |

+| VaultName | Name of the vault associated with the billing group | String |

+| VaultTags | Tags of the vault associated with the billing group | String |

+| VaultSubscriptionId | Subscription ID of the vault associated with the billing group | String |

+| VaultLocation | Location of the vault associated with the billing group | String |

+| VaultStore_StorageReplicationType | Storage Replication Type of the vault associated with the billing group | String |

+| VaultType | Type of the vault, for example, "Microsoft.RecoveryServices/vaults" or "Microsoft.DataProtection/backupVaults" | String |

+| TimeGenerated | Timestamp of the record | DateTime |

+| ExtendedProperties | Additional properties of the billing group | Dynamic |

+- Backup reports are supported for Azure VMs, SQL in Azure VMs, SAP HANA in Azure VMs, Microsoft Azure Recovery Services (MARS) agent, Microsoft Azure Backup Server (MABS), System Center Data Protection Manager (DPM), Azure Database for PostgreSQL Server, Azure Blobs and Azure Disks. For Azure File share backup, data is displayed for records created on or after June 1, 2020.

+ >[!Note]

+ >Depending on the complexity of queries and the volume of data processed, it's possible that you might see errors when selecting a large number of workspaces that are less than 100, in some cases. We recommend that you limit the number of workspaces being queried at a time.

+Azure Resource Manager resources, such as Recovery Services vaults, record information about scheduled operations and user-triggered operations as diagnostics data. To configure diagnostics settings for your vaults, follow these steps:

+**Choose a vault type**:

+# [Recovery Services vaults](#tab/recovery-services-vaults)

+Azure Backup also provides a built-in Azure Policy definition, which automates the configuration of diagnostics settings for all Recovery Services vaults in a given scope. To learn how to use this policy, see [Configure vault diagnostics settings at scale](./azure-policy-configure-diagnostics.md).

+# [Backup vaults](#tab/backup-vaults)

+In the monitoring section of your Backup vault, select **Diagnostics settings** and specify the target for the Backup vault's diagnostic data.

+After you've configured your vaults to send data to Log Analytics, view your Backup reports by going to the Backup center and selecting **Backup Reports**. Select the relevant workspace(s) on the **Get started** tab.

+

+>- For Azure File, Azure Blob and Azure Disk workloads, storage consumed shows as *zero*. This is because field refers to the storage consumed in the vault, and for Azure File, Azure Blob, and Azure Disk; only the snapshot-based backup solution is currently supported in the reports.

+>- For DPM workloads, users might see a slight difference (of the order of 20 MB per DPM server) between the usage values shown in the reports as compared to the aggregate usage value as shown on the Recovery Services vault **Overview** tab. This difference is accounted for by the fact that every DPM server being registered for backup has an associated 'metadata' datasource, which isn't surfaced as an artifact for reporting.

+> [!NOTE]

+> For Azure Database for PostgreSQL, Azure Blob, and Azure Disk workloads, data transferred field is currently not available in the *Jobs* table.

+Once you've identified an inactive resource, you can investigate the issue further by navigating to the backup item dashboard or the Azure resource pane for that resource (wherever applicable). Depending on your scenario, you can choose to either stop backup for the machine (if it doesn't exist anymore) and delete unnecessary backups, which save costs, or you can fix issues in the machine to ensure that backups are taken reliably.

+> [!NOTE]

+> For Azure Database for PostgreSQL, Azure Blob, and Azure Disk workloads, Inactive Resources view is currently not supported.

+> [!NOTE]

+> For backup instances that are using the vault-standard tier, the Retention Optimizations grid takes into consideration the retention duration in the vault-standard tier. For backup instances that aren't using the vault tier (for example, items protected by Azure Disk Backup solution), the grid takes into consideration the snapshot tier retention.

+- Offline backup based on Azure Data Box

+## Offline backup based on Azure Data Box

+This option is supported by Microsoft Azure Backup Server (MABS), System Center Data Protection Manager (DPM) DPM-A, and the MARS Agent. This option takes advantage of [Azure Data Box](https://azure.microsoft.com/services/databox/) to ship Microsoft-proprietary, secure, and tamper-resistant transfer appliances with USB connectors to your datacenter or remote office. Backup data is directly written onto these devices. This option saves the effort required to procure your own Azure-compatible disks and connectors or to provision temporary storage as a staging location. Microsoft also handles the end-to-end transfer logistics, which you can track through the Azure portal.

+| Azure Backup deployment models | MARS Agent, MABS, DPM-A | MARS Agent, MABS, DPM-A |

+Remove-AzResource -ResourceId /subscriptions/{subscriptionID}/providers/Microsoft.CognitiveServices/locations/{location}/resourceGroups/{resourceGroup}/deletedAccounts/{resourceName} -ApiVersion 2021-04-30

+* [Create a new resource using an ARM template](create-account-resource-manager-template.md)

+| Chat with Teams Interoperability | Send and receive text messages | ✔️ |

+| | Send and receive rich text messages | ✔️ |

+| | Send and receive typing indicators | ✔️ |

+| | [Receive inline images](../../../tutorials/chat-interop/meeting-interop-features-inline-image.md) | ✔️** |

+| | Receive read receipts | ❌ |

+| | Receive shared files | ❌ |

+**Inline image support is currently in public preview and is available in the Chat SDK for JavaScript only. Preview APIs and SDKs are provided without a service-level agreement. We recommend that you don't use them for production workloads. Some features might not be supported, or they might have constrained capabilities. For more information, review [Supplemental Terms of Use for Microsoft Azure Previews.](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)

+**If the Teams external user sends a message with images uploaded via "Upload from this device" menu or via drag-and-drop (such as dragging images directly to the send box) in the Teams, then these scenarios would be covered under the file sharing capability, which is currently not supported.

+Firefox desktop browser support is now available in public preview. Known issues are:

+### iOS Chrome Known Issues

+iOS Chrome browser support is now available in public preview. Known issues are:

+- No outgoing and incoming audio when switching browser to background or locking the device

+- No incoming/outgoing audio coming from bluetooth headset. When a user connects bluetooth headset in the middle of ACS call, the audio still comes out from the speaker until the user locks and unlocks the phone. We have seen this issue on older iOS versions (15.6, 15.7), and it is not reproducible on iOS 16.

+There is a related [Chromium](https://bugs.chromium.org/p/chromium/issues/detail?id=1402250) bug that causes this issue, the issue can be mitigated by reconnecting the PeerConnection. We've added this workaround since SDK 1.9.1 (stable) and SDK 1.10.0 (beta)

+On Android Chrome, if a user joins ACS call several times, the incoming audio can also disappear. The user is not able to hear the audio from other participants until the page is refreshed. We've fixed this issue in SDK 1.10.1-beta.1, and improved the audio resource usage.

+On Android Chrome, if a user is on an ACS call and puts the browser into background for one minute. The microphone will lose access and the other participants in the call won't hear the audio from the user. Once the user brings the browser to foreground, microphone is available again. Related chromium bugs [here](https://bugs.chromium.org/p/chromium/issues/detail?id=1027446) and [here](https://bugs.chromium.org/p/webrtc/issues/detail?id=10940)

+On iOS, for example, while on an ACS call, if a PSTN call comes in, then a microphoneMutedUnexepectedly bad UFD will be raised and audio will stop flowing in the ACS call and the call will be marked as muted. Once the PSTN call is over, the user will have to go and unmute the ACS call for audio to start flowing again in the ACS call. In the case of Android Chrome when a PSTN call comes in, audio will stop flowing in the ACS call and the ACS call will not be marked as muted. In this case, there is no microphoneMutedUnexepectedly UFD event. Once the PSTN call is finished, Android Chrome will regain audio automatically and audio will start flowing normally again in the ACS call.

+| iOS | ✔️ | ✔️ | ❌ | ❌ | ✔️ |

+ Title: Enable Inline Image Support in your Chat app

+description: In this tutorial, you'll learn how to enable inline image interoperability with the Azure Communication Chat SDK

+# Tutorial: Enable inline interoperability features in your Chat app

+## Add inline image support

+The Chat SDK is designed to work with Microsoft Teams seamlessly. Specifically, Chat SDK provides a solution to receive inline images sent by users from Microsoft Teams. Currently this feature is only available in the Chat SDK for JavaScript.

+## Next steps

+For more information, see the following articles:

+- Learn more about other [supported interoperability features](../../concepts/interop/guest/capabilities.md)

+- Check out our [chat hero sample](../../samples/chat-hero-sample.md)

+- Learn more about [how chat works](../../concepts/chat/concepts.md)

+This tutorial describes concepts for virtual appointment applications. After completing this tutorial and the associated [Sample Builder](https://aka.ms/acs-sample-builder), you'll understand common use cases that a virtual appointments application delivers, the Microsoft technologies that can help you build those uses cases, and have built a sample application integrating Microsoft 365 and Azure that you can use to demo and explore further.

+| *Consumer*| Be reminded of an appointment | Bookings | Bookings | ACS SMS |

+2. Consumer gets an appointment reminder through SMS and Email.

+5. The users communicate with each other using voice, video, and text chat in a meeting. Specifically, Teams chat interoperability enables Teams user to send inline images directly to ACS users seamlessly.

+In this section, weΓÇÖre going to use a Sample Builder tool to deploy a Microsoft 365 + Azure hybrid virtual appointments application to an Azure subscription. This application is a desktop and mobile friendly browser experience, with code that you can use to explore and for production.

+Make sure online meeting is enabled in the calendar by going to https://outlook.office.com/bookings/services.

+After walking through the ARM template, you can **Go to resource group**.

+Consumers want to jump directly to the virtual appointment from the scheduling reminders they receive from Bookings. In Bookings, you can provide a URL prefix that is used in reminders. If your prefix is `https://<YOUR URL>/VISIT`, Bookings point users to `https://<YOUR URL>/VISIT?MEETINGURL=<MEETING URL>.`

+The Sample BuilderΓÇÖs consumer experience doesn't authenticate the end user, but provides [Azure Communication Services user access tokens](../quickstarts/identity/access-tokens.md) to any random visitor. That isnΓÇÖt realistic for most scenarios, and you want to implement an authentication scheme.

+> to work, but you *must* use the current Dataverse connector for new workflows. At that time, a timeline for the shutdown date for the legacy actions and triggers will be announced.

+ | **CassandraRequests** | Cassandra | Logs user-initiated requests from the front end to serve requests to Azure Cosmos DB for Cassandra. When you enable this category, make sure to disable DataPlaneRequests. | `operationName`, `requestCharge`, `piiCommandText` |

+Here's an example diagram showing how a tag is inherited. *Note that inherited tags are applied to child resource usage records and not the resources themselves.*

+ Title: Release notes for Microsoft Azure Data Manager for Agriculture Preview #Required; page title is displayed in search results. Include the brand.

+description: This article provides release notes for Azure Data Manager for Agriculture Preview releases, improvements, bug fixes, and known issues. #Required; article description that is displayed in search results.

+# Release Notes for Azure Data Manager for Agriculture Preview

+Azure Data Manager for Agriculture Preview is updated on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:

+- The latest releases

+- Known issues

+- Bug fixes

+- Deprecated functionality

+- Plans for changes

+ We'll provide information on latest releases, bug fixes, & deprecated functionality for Azure Data Manager for Agriculture Preview monthly.

+> [!NOTE]

+> Microsoft Azure Data Manager for Agriculture is currently in preview. For legal terms that apply to features that are in beta, in preview, or otherwise not yet released into general availability, see [**Supplemental Terms of Use for Microsoft Azure Previews**](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). See Azure Data Manager for Agriculture specific terms of use [**here**](supplemental-terms-azure-data-manager-for-agriculture.md).

+>

+> Microsoft Azure Data Manager for Agriculture requires registration and is available to only approved customers and partners during the preview period. To request access to Microsoft Data Manager for Agriculture during the preview period, use this [**form**](https://aka.ms/agridatamanager).

+## March 2023

+### Key Announcement: Preview Release

+Azure Data Manager for Agriculture is now available in preview. See our blog post [here](https://azure.microsoft.com/blog/announcing-microsoft-azure-data-manager-for-agriculture-accelerating-innovation-across-the-agriculture-value-chain/).

+### Audit logs

+In Azure Data Manager for Agriculture Preview, you can monitor how and when your resources are accessed, and by whom. You can also debug reasons for failure for data-plane requests. [Audit Logs](how-to-set-up-audit-logs.md) are now available for your use.

+### Private links

+You can connect to Azure Data Manager for Agriculture service from your virtual network via a private endpoint, which is a set of private IP addresses in a subnet within the virtual network. You can then limit access to your Azure Data Manager for Agriculture Preview instance over these private IP addresses. [Private Links](how-to-set-up-private-links.md) are now available for your use.

+### BYOL for satellite imagery

+To support scalable ingestion of geometry-clipped imagery, we've partnered with Sentinel Hub by Sinergise to provide a seamless bring your own license (BYOL) experience. Read more about our satellite connector [here](concepts-ingest-satellite-imagery.md).

+## Next steps

+* See the Hierarchy Model and learn how to create and organize your agriculture data [here](./concepts-hierarchy-model.md).

+* Understand our APIs [here](/rest/api/data-manager-for-agri).

+Using shared memory for modules also requires a different way. For example, you can use the Host IPC mode for shared memory access between Live Video Analytics and Inference solutions as described in [Deploy Live Video Analytics on Azure Stack Edge](/previous-versions/azure/azure-video-analyzer/video-analyzer-docs/articles/azure-video-analyzer/video-analyzer-docs/overview).

+| **Detected suspicious use of FTP -s Switch** | Analysis of process creation data from the %{Compromised Host} detected the use of the FTP "-s:filename" switch. This switch is used to specify an FTP script file for the client to run. Malware or malicious processes are known to use this FTP switch (-s:filename) to point to a script file, which is configured to connect to a remote FTP server and download more malicious binaries. | - | Medium |

+| **Detected suspicious use of Pcalua.exe to launch executable code** | Analysis of host data on %{Compromised Host} detected the use of pcalua.exe to launch executable code. Pcalua.exe is component of the Microsoft Windows "Program Compatibility Assistant", which detects compatibility issues during the installation or execution of a program. Attackers are known to abuse functionality of legitimate Windows system tools to perform malicious actions, for example using pcalua.exe with the -a switch to launch malicious executables either locally or from remote shares. | - | Medium |

+| **Possible credential dumping detected [seen multiple times]** | Analysis of host data has detected use of native windows tool (for example, sqldumper.exe) being used in a way that allows to extract credentials from memory. Attackers often use these techniques to extract credentials that they then further use for lateral movement and privilege escalation. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |

+| **Suspect integrity level indicative of RDP hijacking** | Analysis of host data has detected the tscon.exe running with SYSTEM privileges - this can be indicative of an attacker abusing this binary in order to switch context to any other logged on user on this host; it's a known attacker technique to compromise more user accounts and move laterally across a network. | - | Medium |

+| **Suspicious WindowPosition registry value detected** | Analysis of host data on %{Compromised Host} detected an attempted WindowPosition registry configuration change that could be indicative of hiding application windows in nonvisible sections of the desktop. This could be legitimate activity, or an indication of a compromised machine: this type of activity has been previously associated with known adware (or unwanted software) such as Win32/OneSystemCare and Win32/SystemHealer and malware such as Win32/Creprote. When the WindowPosition value is set to 201329664, (Hex: 0x0c00 0c00, corresponding to X-axis=0c00 and the Y-axis=0c00) this places the console app's window in a non-visible section of the user's screen in an area that is hidden from view below the visible start menu/taskbar. Known suspect Hex value includes, but not limited to c000c000 | - | Low |

+| **PHP file in upload folder**<br>(AppServices_PhpInUploadFolder) | Azure App Service activity log indicates an access to a suspicious PHP page located in the upload folder.<br>This type of folder doesn't usually contain PHP files. The existence of this type of file might indicate an exploitation taking advantage of arbitrary file upload vulnerabilities.<br>(Applies to: App Service on Windows and App Service on Linux) | Execution | Medium |

+| **Suspicious access to possibly vulnerable web page detected**<br>(AppServices_ScanSensitivePage) | Azure App Service activity log indicates a web page that seems to be sensitive was accessed. This suspicious activity originated from a source IP address whose access pattern resembles that of a web scanner.<br>This activity is often associated with an attempt by an attacker to scan your network to try to gain access to sensitive or vulnerable web pages.<br>(Applies to: App Service on Windows and App Service on Linux) | - | Low |

+| **Abnormal Kubernetes service account operation detected**<br>(K8S_ServiceAccountRareOperation) | Kubernetes audit log analysis detected abnormal behavior by a service account in your Kubernetes cluster. The service account was used for an operation, which isn't common for this service account. While this activity can be legitimate, such behavior might indicate that the service account is being used for malicious purposes. | Lateral Movement, Credential Access | Medium |

+| **Detected suspicious use of the nohup command**<br>(K8S.NODE_SuspectNohup) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious use of the nohup command. Attackers have been seen using the command nohup to run hidden files from a temporary directory to allow their executables to run in the background. It's rare to see this command run on hidden files located in a temporary directory. | Persistence, DefenseEvasion | Medium |

+| **Kubernetes events deleted**<br>(K8S_DeleteEvents) ^{[2](#footnote2)} ^{[3](#footnote3)} | Defender for Cloud detected that some Kubernetes events have been deleted. Kubernetes events are objects in Kubernetes that contain information about changes in the cluster. Attackers might delete those events for hiding their operations in the cluster. | Defense Evasion | Low |

+| **New container in the kube-system namespace detected**<br>(K8S_KubeSystemContainer) ^{[3](#footnote3)} | Kubernetes audit log analysis detected a new container in the kube-system namespace that isn't among the containers that normally run in this namespace. The kube-system namespaces shouldn't contain user resources. Attackers can use this namespace for hiding malicious components. | Persistence | Low |

+| **PREVIEW - Suspicious creation of compute resources detected**<br>(ARM_SuspiciousComputeCreation) | Microsoft Defender for Resource Manager identified a suspicious creation of compute resources in your subscription utilizing Virtual Machines/Azure Scale Set. The identified operations are designed to allow administrators to efficiently manage their environments by deploying new resources when needed. While this activity may be legitimate, a threat actor might utilize such operations to conduct crypto mining.<br> The activity is deemed suspicious as the compute resources scale is higher than previously observed in the subscription. <br> This can indicate that the principal is compromised and is being used with malicious intent. | Impact | Medium |

+| **SQL injection: potential data exfiltration**<br>(CosmosDB_SqlInjection.DataExfiltration) | A suspicious SQL statement was used to query a container in this Azure Cosmos DB account. <br><br> The injected statement might have succeeded in exfiltrating data that the threat actor isn't authorized to access. <br><br> Due to the structure and capabilities of Azure Cosmos DB queries, many known SQL injection attacks on Azure Cosmos DB accounts can't work. However, the variation used in this attack may work and threat actors can exfiltrate data. | Exfiltration | Medium |

+| **Unusual application accessed a key vault**<br>(KV_AppAnomaly) | A key vault has been accessed by a service principal that doesn't normally access it. This anomalous access pattern may be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault in an attempt to access the secrets contained within it. We recommend further investigations. | Credential Access | Medium |

+| **Unusual user-application pair accessed a key vault**<br>(KV_UserAppAnomaly) | A key vault has been accessed by a user-service principal pair that doesn't normally access it. This anomalous access pattern may be legitimate activity, but it could be an indication that a threat actor has gained access to the key vault in an attempt to access the secrets contained within it. We recommend further investigations. | Credential Access | Medium |

+| Managed database with excessive internet exposure allows basic (local user/password) authentication (Preview) | Database can be accessed through the internet from any public IP and allows authentication using username and password (basic authentication mechanism) which exposes the DB to brute force attacks. |

+| Internet exposed VM has high severity vulnerabilities and a hosted database installed (Preview) | An attacker with network access to the DB machine can exploit the vulnerabilities and gain remote code execution.

+|Managed database with excessive internet exposure allows basic (local user/password) authentication (Preview) | Database can be accessed through the internet from any public IP and allows authentication using username and password (basic authentication mechanism) which exposes the DB to brute force attacks. |

+- [Cloud security explorer](how-to-manage-cloud-security-explorer.md)

+- Existing plan status shows as ΓÇ£PartialΓÇ¥ rather than ΓÇ£FullΓÇ¥ if one or more extensions aren't turned on.

+What permissions do I need to view/edit data sensitivity settings? | You need one of these permissions: Global Administrator, Compliance Administrator, Compliance Data Administrator, Security Administrator, Security Operator.

+### Discovering AWS S3 buckets

+- The CloudFormation template creates a new role in AWS IAM, to allow permission for the Defender for Cloud scanner to access data in the S3 buckets.

+- Don't forget to: [review the requirements](concept-data-security-posture-prepare.md#discovering-aws-s3-buckets) for AWS discovery, and [required permissions](concept-data-security-posture-prepare.md#whats-supported).

+## October 2022

+Updates in October include:

+- [Announcing the Microsoft cloud security benchmark](#announcing-the-microsoft-cloud-security-benchmark)

+- [Attack path analysis and contextual security capabilities in Defender for Cloud (Preview)](#attack-path-analysis-and-contextual-security-capabilities-in-defender-for-cloud-preview)

+- [Agentless scanning for Azure and AWS machines (Preview)](#agentless-scanning-for-azure-and-aws-machines-preview)

+- [Defender for DevOps (Preview)](#defender-for-devops-preview)

+- [Regulatory Compliance Dashboard now supports manual control management and detailed information on Microsoft's compliance status](#regulatory-compliance-dashboard-now-supports-manual-control-management-and-detailed-information-on-microsofts-compliance-status)

+- [Auto-provisioning has been renamed to Settings & monitoring and has an updated experience](#auto-provisioning-has-been-renamed-to-settings--monitoring-and-has-an-updated-experience)

+- [Defender Cloud Security Posture Management (CSPM) (Preview)](#defender-cloud-security-posture-management-cspm)

+- [MITRE ATT&CK framework mapping is now available also for AWS and GCP security recommendations](#mitre-attck-framework-mapping-is-now-available-also-for-aws-and-gcp-security-recommendations)

+- [Defender for Containers now supports vulnerability assessment for Elastic Container Registry (Preview)](#defender-for-containers-now-supports-vulnerability-assessment-for-elastic-container-registry-preview)

+### Announcing the Microsoft cloud security benchmark

+The [Microsoft cloud security benchmark](/security/benchmark/azure/introduction) (MCSB) is a new framework defining fundamental cloud security principles based on common industry standards and compliance frameworks. Together with detailed technical guidance for implementing these best practices across cloud platforms. MCSB is replacing the Azure Security Benchmark. MCSB provides prescriptive details for how to implement its cloud-agnostic security recommendations on multiple cloud service platforms, initially covering Azure and AWS.

+You can now monitor your cloud security compliance posture per cloud in a single, integrated dashboard. You can see MCSB as the default compliance standard when you navigate to Defender for Cloud's regulatory compliance dashboard.

+Microsoft cloud security benchmark is automatically assigned to your Azure subscriptions and AWS accounts when you onboard Defender for Cloud.

+Learn more about the [Microsoft cloud security benchmark](concept-regulatory-compliance.md).

+### Attack path analysis and contextual security capabilities in Defender for Cloud (Preview)

+The new cloud security graph, attack path analysis and contextual cloud security capabilities are now available in Defender for Cloud in preview.

+One of the biggest challenges that security teams face today is the number of security issues they face on a daily basis. There are numerous security issues that need to be resolved and never enough resources to address them all.

+Defender for Cloud's new cloud security graph and attack path analysis capabilities gives security teams the ability to assess the risk behind each security issue. Security teams can also identify the highest risk issues that need to be resolved soonest. Defender for Cloud works with security teams to reduce the risk of an affectful breach to their environment in the most effective way.

+Learn more about the new [cloud security graph, attack path analysis, and the cloud security explorer](concept-attack-path.md).

+### Agentless scanning for Azure and AWS machines (Preview)

+Until now, Defender for Cloud based its posture assessments for VMs on agent-based solutions. To help customers maximize coverage and reduce onboarding and management friction, we're releasing agentless scanning for VMs to preview.

+With agentless scanning for VMs, you get wide visibility on installed software and software CVEs. You get the visibility without the challenges of agent installation and maintenance, network connectivity requirements, and performance affect on your workloads. The analysis is powered by Microsoft Defender vulnerability management.

+Agentless vulnerability scanning is available in both Defender Cloud Security Posture Management (CSPM) and in [Defender for Servers P2](defender-for-servers-introduction.md), with native support for AWS and Azure VMs.

+- Learn more about [agentless scanning](concept-agentless-data-collection.md).

+- Find out how to enable [agentless vulnerability assessment](enable-vulnerability-assessment-agentless.md).

+### Defender for DevOps (Preview)

+Microsoft Defender for Cloud enables comprehensive visibility, posture management, and threat protection across hybrid and multicloud environments including Azure, AWS, Google, and on-premises resources.

+Now, the new Defender for DevOps plan integrates source code management systems, like GitHub and Azure DevOps, into Defender for Cloud. With this new integration, we're empowering security teams to protect their resources from code to cloud.

+Defender for DevOps allows you to gain visibility into and manage your connected developer environments and code resources. Currently, you can connect [Azure DevOps](quickstart-onboard-devops.md) and [GitHub](quickstart-onboard-github.md) systems to Defender for Cloud and onboard DevOps repositories to Inventory and the new DevOps Security page. It provides security teams with a high-level overview of the discovered security issues that exist within them in a unified DevOps Security page.

+Security teams can now configure pull request annotations to help developers address secret scanning findings in Azure DevOps directly on their pull requests.

+You can configure the Microsoft Security DevOps tools on Azure Pipelines and GitHub workflows to enable the following security scans:

+| Name | Language | License |

+|--|--|--|

+| [Bandit](https://github.com/PyCQA/bandit) | Python | [Apache License 2.0](https://github.com/PyCQA/bandit/blob/main/LICENSE) |

+| [BinSkim](https://github.com/Microsoft/binskim) | Binary ΓÇô Windows, ELF | [MIT License](https://github.com/microsoft/binskim/blob/main/LICENSE) |

+| [ESlint](https://github.com/eslint/eslint) | JavaScript | [MIT License](https://github.com/microsoft/binskim/blob/main/LICENSE) |

+| [CredScan](https://secdevtools.azurewebsites.net/helpcredscan.html) (Azure DevOps Only) | Credential Scanner (also known as CredScan) is a tool developed and maintained by Microsoft to identify credential leaks such as those in source code and configuration files common types: default passwords, SQL connection strings, Certificates with private keys| Not Open Source |

+| [Template Analyze](https://github.com/Azure/template-analyzer) | ARM template, Bicep file | [MIT License](https://github.com/microsoft/binskim/blob/main/LICENSE) |

+| [Terrascan](https://github.com/tenable/terrascan) | Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, Cloud Formation | [Apache License 2.0](https://github.com/tenable/terrascan/blob/master/LICENSE) |

+| [Trivy](https://github.com/aquasecurity/trivy) | Container images, file systems, git repositories | [Apache License 2.0](https://github.com/tenable/terrascan/blob/master/LICENSE) |

+The following new recommendations are now available for DevOps:

+| Recommendation | Description | Severity |

+|--|--|--|

+| (Preview) [Code repositories should have code scanning findings resolved](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsWithRulesBlade/assessmentKey/c68a8c2a-6ed4-454b-9e37-4b7654f2165f/showSecurityCenterCommandBar~/false) | Defender for DevOps has found vulnerabilities in code repositories. To improve the security posture of the repositories, it's highly recommended to remediate these vulnerabilities. (No related policy) | Medium |

+| (Preview) [Code repositories should have secret scanning findings resolved](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsWithRulesBlade/assessmentKey/4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27/showSecurityCenterCommandBar~/false) | Defender for DevOps has found a secret in code repositories.  This should be remediated immediately to prevent a security breach.  Secrets found in repositories can be leaked or discovered by adversaries, leading to compromise of an application or service. For Azure DevOps, the Microsoft Security DevOps CredScan tool only scans builds on which it has been configured to run. Therefore, results may not reflect the complete status of secrets in your repositories. (No related policy) | High |

+| (Preview) [Code repositories should have Dependabot scanning findings resolved](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/822425e3-827f-4f35-bc33-33749257f851/showSecurityCenterCommandBar~/false) | Defender for DevOps has found vulnerabilities in code repositories. To improve the security posture of the repositories, it's highly recommended to remediate these vulnerabilities. (No related policy) | Medium |

+| (Preview) [Code repositories should have infrastructure as code scanning findings resolved](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/2ebc815f-7bc7-4573-994d-e1cc46fb4a35/showSecurityCenterCommandBar~/false) | (Preview) Code repositories should have infrastructure as code scanning findings resolved | Medium |

+| (Preview) [GitHub repositories should have code scanning enabled](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/6672df26-ff2e-4282-83c3-e2f20571bd11/showSecurityCenterCommandBar~/false) | GitHub uses code scanning to analyze code in order to find security vulnerabilities and errors in code. Code scanning can be used to find, triage, and prioritize fixes for existing problems in your code. Code scanning can also prevent developers from introducing new problems. Scans can be scheduled for specific days and times, or scans can be triggered when a specific event occurs in the repository, such as a push. If code scanning finds a potential vulnerability or error in code, GitHub displays an alert in the repository. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project. (No related policy) | Medium |

+| (Preview) [GitHub repositories should have secret scanning enabled](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/1a600c61-6443-4ab4-bd28-7a6b6fb4691d/showSecurityCenterCommandBar~/false) | GitHub scans repositories for known types of secrets, to prevent fraudulent use of secrets that were accidentally committed to repositories. Secret scanning will scan the entire Git history on all branches present in the GitHub repository for any secrets. Examples of secrets are tokens and private keys that a service provider can issue for authentication. If a secret is checked into a repository, anyone who has read access to the repository can use the secret to access the external service with those privileges. Secrets should be stored in a dedicated, secure location outside the repository for the project. (No related policy) | High |

+| (Preview) [GitHub repositories should have Dependabot scanning enabled](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/92643c1f-1a95-4b68-bbd2-5117f92d6e35/showSecurityCenterCommandBar~/false) | GitHub sends Dependabot alerts when it detects vulnerabilities in code dependencies that affect repositories. A vulnerability is a problem in a project's code that could be exploited to damage the confidentiality, integrity, or availability of the project or other projects that use its code. Vulnerabilities vary in type, severity, and method of attack. When code depends on a package that has a security vulnerability, this vulnerable dependency can cause a range of problems. (No related policy) | Medium |

+The Defender for DevOps recommendations replaced the deprecated vulnerability scanner for CI/CD workflows that was included in Defender for Containers.

+Learn more about [Defender for DevOps](defender-for-devops-introduction.md)

+### Regulatory Compliance dashboard now supports manual control management and detailed information on Microsoft's compliance status

+The compliance dashboard in Defender for Cloud is a key tool for customers to help them understand and track their compliance status. Customers can continuously monitor environments in accordance with requirements from many different standards and regulations.

+Now, you can fully manage your compliance posture by manually attesting to operational and non-technical controls. You can now provide evidence of compliance for controls that aren't automated. Together with the automated assessments, you can now generate a full report of compliance within a selected scope, addressing the entire set of controls for a given standard.

+In addition, with richer control information and in-depth details and evidence for Microsoft's compliance status, you now have all of the information required for audits at your fingertips.

+Some of the new benefits include:

+- **Manual customer actions** provide a mechanism for manually attesting compliance with non-automated controls. Including the ability to link evidence, set a compliance date and expiration date.

+- Richer control details for supported standards that showcase **Microsoft actions** and **manual customer actions** in addition to the already existing automated customer actions.

+- Microsoft actions provide transparency into MicrosoftΓÇÖs compliance status that includes audit assessment procedures, test results, and Microsoft responses to deviations.

+- **Compliance offerings** provide a central location to check Azure, Dynamics 365, and Power Platform products and their respective regulatory compliance certifications.

+Learn more on how to [Improve your regulatory compliance](regulatory-compliance-dashboard.md) with Defender for Cloud.

+### Auto-provisioning has been renamed to Settings & monitoring and has an updated experience

+We've renamed the Auto-provisioning page to **Settings & monitoring**.

+Auto-provisioning was meant to allow at-scale enablement of prerequisites, which are needed by Defender for Cloud's advanced features and capabilities. To better support our expanded capabilities, we're launching a new experience with the following changes:

+**The Defender for Cloud's plans page now includes**:

+- When you enable a Defender plan that requires monitoring components, those components are enabled for automatic provisioning with default settings. These settings can optionally be edited at any time.

+- You can access the monitoring component settings for each Defender plan from the Defender plan page.

+- The Defender plans page clearly indicates whether all the monitoring components are in place for each Defender plan, or if your monitoring coverage is incomplete.

+**The Settings & monitoring page**:

+- Each monitoring component indicates the Defender plans to which it's related.

+Learn more about [managing your monitoring settings](monitoring-components.md).

+### Defender Cloud Security Posture Management (CSPM)

+One of Microsoft Defender for Cloud's main pillars for cloud security is Cloud Security Posture Management (CSPM). CSPM provides you with hardening guidance that helps you efficiently and effectively improve your security. CSPM also gives you visibility into your current security situation.

+We're announcing a new Defender plan: Defender CSPM. This plan enhances the security capabilities of Defender for Cloud and includes the following new and expanded features:

+- Continuous assessment of the security configuration of your cloud resources

+- Security recommendations to fix misconfigurations and weaknesses

+- Secure score

+- Governance

+- Regulatory compliance

+- Cloud security graph

+- Attack path analysis

+- Agentless scanning for machines

+Learn more about the [Defender CSPM plan](concept-cloud-security-posture-management.md).

+### MITRE ATT&CK framework mapping is now available also for AWS and GCP security recommendations

+For security analysts, itΓÇÖs essential to identify the potential risks associated with security recommendations and understand the attack vectors, so that they can efficiently prioritize their tasks.

+Defender for Cloud makes prioritization easier by mapping the Azure, AWS and GCP security recommendations against the MITRE ATT&CK framework. The MITRE ATT&CK framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, allowing customers to strengthen the secure configuration of their environments.

+The MITRE ATT&CK framework has been integrated in three ways:

+- Recommendations map to MITRE ATT&CK tactics and techniques.

+- Query MITRE ATT&CK tactics and techniques on recommendations using the Azure Resource Graph.

+### Defender for Containers now supports vulnerability assessment for Elastic Container Registry (Preview)

+Microsoft Defender for Containers now provides agentless vulnerability assessment scanning for Elastic Container Registry (ECR) in Amazon AWS. Expanding on coverage for multicloud environments, building on the release earlier this year of advanced threat protection and Kubernetes environment hardening for AWS and Google GCP. The agentless model creates AWS resources in your accounts to scan your images without extracting images out of your AWS accounts and with no footprint on your workload.

+Agentless vulnerability assessment scanning for images in ECR repositories helps reduce the attack surface of your containerized estate by continuously scanning images to identify and manage container vulnerabilities. With this new release, Defender for Cloud scans container images after they're pushed to the repository and continually reassess the ECR container images in the registry. The findings are available in Microsoft Defender for Cloud as recommendations, and you can use Defender for Cloud's built-in automated workflows to take action on the findings, such as opening a ticket for fixing a high severity vulnerability in an image.

+Learn more about [vulnerability assessment for Amazon ECR images](defender-for-containers-vulnerability-assessment-elastic.md).

+- [Deprecation of App Service language monitoring policies](#deprecation-of-app-service-language-monitoring-policies)

+These recommendations replace `Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources` which detected Azure Disk Encryption and the policy `Virtual machines and virtual machine scale sets should have encryption at host enabled` which detected EncryptionAtHost. ADE and EncryptionAtHost provide comparable encryption at rest coverage, and we recommend enabling one of them on every virtual machine. The new recommendations detect whether either ADE or EncryptionAtHost are enabled and only warn if neither are enabled. We also warn if ADE is enabled on some, but not all disks of a VM (this condition isn't applicable to EncryptionAtHost).

+The new recommendations require [Azure Automanage Machine Configuration](https://aka.ms/gcpol).

+- [(Preview) Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f3dc5edcd-002d-444c-b216-e123bbfa37c0)

+- [(Preview) Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2fca88aadc-6e2b-416c-9de2-5a0f01d1693f)

+### Deprecation of App Service language monitoring policies

+The following App Service language monitoring policies have been deprecated due to their ability to generate false negatives and because they don't provide better security. You should always ensure you're using a language version without any known vulnerabilities.

+| Policy name | Policy ID |

+|--|--|

+| [App Service apps that use Java should use the latest 'Java version'](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F496223c3-ad65-4ecd-878a-bae78737e9ed) | 496223c3-ad65-4ecd-878a-bae78737e9ed |

+| [App Service apps that use Python should use the latest 'Python version'](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7008174a-fd10-4ef0-817e-fc820a951d73) | 7008174a-fd10-4ef0-817e-fc820a951d73 |

+| [Function apps that use Java should use the latest 'Java version'](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc) | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc |

+| [Function apps that use Python should use the latest 'Python version'](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7238174a-fd10-4ef0-817e-fc820a951d73) | 7238174a-fd10-4ef0-817e-fc820a951d73 |

+| [App Service apps that use PHP should use the latest 'PHP version'](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7261b898-8a84-4db8-9e04-18527132abb3)| 7261b898-8a84-4db8-9e04-18527132abb3 |

+Customers can use alternative built-in policies to monitor any specified language version for their App Services.

+These policies are no longer available in Defender for Cloud's built-in recommendations. You can [add them as custom recommendations](create-custom-recommendations.md) to have Defender for Cloud monitor them.

+- [New alert in Defender for Resource Manager](#new-alert-in-defender-for-resource-manager)

+### New alert in Defender for Resource Manager

+Defender for Resource Manager has the following new alert:

+| Alert (alert type) | Description | MITRE tactics | Severity |

+|||:-:||

+| **PREVIEW - Suspicious creation of compute resources detected**<br>(ARM_SuspiciousComputeCreation) | Microsoft Defender for Resource Manager identified a suspicious creation of compute resources in your subscription utilizing Virtual Machines/Azure Scale Set. The identified operations are designed to allow administrators to efficiently manage their environments by deploying new resources when needed. While this activity may be legitimate, a threat actor might utilize such operations to conduct crypto mining.<br> The activity is deemed suspicious as the compute resources scale is higher than previously observed in the subscription. <br> This can indicate that the principal is compromised and is being used with malicious intent. | Impact | Medium |

+You can see a list of all of the [alerts available for Resource Manager](alerts-reference.md#alerts-resourcemanager).

+This article describes the workflow automation feature of Microsoft Defender for Cloud. This feature can trigger consumption logic apps on security alerts, recommendations, and changes to regulatory compliance. For example, you might want Defender for Cloud to email a specific user when an alert occurs. You'll also learn how to create logic apps using [Azure Logic Apps](../logic-apps/logic-apps-overview.md).

+|Required roles and permissions:|**Security admin role** or **Owner** on the resource group<br>Must also have write permissions for the target resource<br><br>To work with Azure Logic Apps workflows, you must also have the following Logic Apps roles/permissions:<br> - [Logic App Operator](../role-based-access-control/built-in-roles.md#logic-app-operator) permissions are required or Logic App read/trigger access (this role can't create or edit logic apps; only *run* existing ones)<br> - [Logic App Contributor](../role-based-access-control/built-in-roles.md#logic-app-contributor) permissions are required for logic app creation and modification<br>If you want to use Logic Apps connectors, you may need other credentials to sign in to their respective services (for example, your Outlook/Teams/Slack instances)|

+ 1. The triggers that will initiate this automatic workflow. For example, you might want your logic app to run when a security alert that contains "SQL" is generated.

+ 1. The consumption logic app that will run when your trigger conditions are met.

+1. From the Actions section, select **visit the Logic Apps page** to begin the logic app creation process.

+ :::image type="content" source="media/workflow-automation/visit-logic.png" alt-text="Screenshot that shows the actions section of the add workflow automation screen and the link to visit Azure Logic Apps." border="true":::

+ :::image type="content" source="media/workflow-automation/logic-apps-create-new.png" alt-text="Screenshot of the screen to create a logic app." lightbox="media/workflow-automation/logic-apps-create-new.png":::

+1. After you've defined your logic app, return to the workflow automation definition pane ("Add workflow automation"). Select **Refresh** to ensure your new logic app is available for selection.

+1. Select your logic app and save the automation. The logic app dropdown only shows those with supporting Defender for Cloud connectors mentioned above.

+## Manually trigger a logic app

+You can also run logic apps manually when viewing any security alert or recommendation.

+To manually run a logic app, open an alert, or a recommendation and select **Trigger logic app**:

+[](media/workflow-automation/manually-trigger-logic-app.png#lightbox)

+To view the raw event schemas of the security alerts or recommendations events passed to the logic app, visit the [Workflow automation data types schemas](https://aka.ms/ASCAutomationSchemas). This can be useful in cases where you aren't using Defender for Cloud's built-in Logic Apps connectors mentioned above, but instead are using the generic HTTP connector - you could use the event JSON schema to manually parse it as you see fit.

+When preparing your environment for BCDR scenarios, where the target resource is experiencing an outage or other disaster, it's the organization's responsibility to prevent data loss by establishing backups according to the guidelines from Azure Event Hubs, Log Analytics workspace, and Logic Apps.

+In this article, you learned about creating logic apps, automating their execution in Defender for Cloud, and running them manually. For more information, see the following documentation:

+> [Install the Microsoft Defender for IoT solution](iot-advanced-threat-monitoring.md)

+The **Device inventory** page on the Azure portal now includes a network location indication for your devices, to help focus your device inventory on the devices within your IoT/OT scope. 

+See and filter which devices are defined as *local* or *routed*, according to your configured subnets. The **Network location** filter is on by default. Add the **Network location** column by editing the columns in the device inventory.

+ 

+Configure your subnets either on the Azure portal or on your OT sensor. For more information, see:

+- [Manage your device inventory from the Azure portal](how-to-manage-device-inventory-for-organizations.md)

+- [Configure OT sensor settings from the Azure portal](configure-sensor-settings-portal.md#subnet)

+- [Define OT and IoT subnets on the OT sensor](how-to-control-what-traffic-is-monitored.md#define-ot-and-iot-subnets)

+You can also exercise the control plane APIs by interacting with Azure Digital Twins through the [Azure portal](https://portal.azure.com) and [CLI](/cli/azure/dt).

+You can also exercise the data plane APIs by interacting with Azure Digital Twins through the [CLI](/cli/azure/dt).

+The following filters require that the user manually enters the value with which they want to search. This list is organized according to the number of applicable operators for each filter, then alphabetically.

+| ASN | Autonomous System Number is a network identification for transporting data on the Internet between Internet routers. An ASN associates any public IP blocks tied to it where hosts are located. | 12345 | `Equals` `Not Equals` `In` `Not In` `Empty` `Not Empty` |

+The following filters require that the user manually enters the value with which they want to search. This list is organized by the number of applicable operators for each filter, then alphabetically. Many of these values are case-sensitive.

+Microsoft has preemptively configured the attack surfaces of many organizations, mapping their initial attack surface by discovering infrastructure thatΓÇÖs connected to known assets. It's recommended that all users search for their organizationΓÇÖs attack surface before creating a custom attack surface and running other discoveries. This process enables users to quickly access their inventory as Defender EASM refreshes the data, adding more assets and recent context to your Attack Surface.

+At this point, the discovery runs in the background. If you selected a pre-configured Attack Surface from the list of available organizations, you will be redirected to the Dashboard Overview screen where you can view insights into your organizationΓÇÖs infrastructure in Preview Mode. Review these dashboard insights to become familiar with your Attack Surface as you wait for additional assets to be discovered and populated in your inventory. Read the [Understanding dashboards](understanding-dashboards.md) article for more information on how to derive insights from these dashboards.

+Custom discoveries are organized into Discovery Groups. They're independent seed clusters that comprise a single discovery run and operate on their own recurrence schedules. Users can elect to organize their Discovery Groups to delineate assets in whatever way best benefits their company and workflows. Common options include organizing by responsible team/business unit, brands or subsidiaries.

+ Alternatively, users can manually input their seeds. Defender EASM accepts domains, IP blocks, hosts, email contacts, ASNs, and WhoIs organizations as seed values. You can also specify entities to exclude from asset discovery to ensure they aren't added to your inventory if detected. For example, this is useful for organizations that have subsidiaries that will likely be connected to their central infrastructure, but don't belong to your organization.

+You are then taken back to the main Discovery page that displays your Discovery Groups. Once your discovery run is complete, you can see new assets added to your Approved Inventory.

+The following filters provide a drop-down list of options to select. The available values are predefined.

+The following filters require that the user manually enters the value with which they want to search. This list is organized according to the number of applicable operators for each filter, then alphabetically. Note that many values are case-sensitive.

+The following filters provide a drop-down list of options to select. The available values are predefined.

+| IPv4 | Indicates that the host resolves to a 32-bit number notated in four octets (for example, 192.168.92.73). | true / false | `Equals` `Not Equals` |

+The following filters require that the user manually enters the value with which they want to search. This list is organized according to the number of applicable operators for each filter, then alphabetically. Note that many values are case-sensitive.

+| ASN | Autonomous System Number is a network identification for transporting data on the Internet between Internet routers. An ASN is associated to any public IP blocks tied to it where hosts are located. | 12345 | `Equals` `Not Equals` `In` `Not In` `Empty` `Not Empty` |

+| Attribute Type | Services running on the asset. These services can include IP addresses trackers. | address, AdblockPlusAcceptableAdsSignature | `Equals` `Not Equals` `Starts with` `Does not start with` `In` `Not in` `Starts with in` `Does not start with in` `Contains` `Does Not Contain` `Contains In` `Does Not Contain In` `Empty` `Not Empty` |

+The following filters provide a drop-down list of options to select. The available values are predefined.

+The following filters require that the user manually enters the value with which they want to search. This list is organized according to the number of applicable operators for each filter, then alphabetically.

+| ASN | Autonomous System Number is a network identification for transporting data on the Internet between Internet routers. An ASN is associated to any public IP blocks tied to it where hosts are located. | 12345 | `Equals` `Not Equals` `In` `Not In` `Empty` `Not Empty` |

+The following filters provide a drop-down list of options to select. The available values are predefined.

+| IPv6 | Indicates that the host resolves to an IP comprised of 128-bit hexadecimal digits noted in eight 4-digit groups. | true / false | |

+| Response Code | Other detected responses codes when attempting to access the asset. | 400 | |

+| Error | Error message when retrieving a page. | It's recommended that users use the ΓÇ£containsΓÇ¥ operator to find errors that match a specific keyword (e.g. ΓÇ¥script errorΓÇ¥). | |

+- [Using and managing discovery](using-and-managing-discovery.md)

+Microsoft has pre-emptively configured the attack surfaces of many organizations, mapping their initial attack surface by discovering infrastructure thatΓÇÖs connected to known assets. It's recommended that all users search for their organizationΓÇÖs attack surface before creating a custom attack surface and running other discoveries. This process enables users to quickly access their inventory as Defender EASM refreshes the data, adding additional assets and recent context to your Attack Surface.

+At this point, the discovery runs in the background. If you selected a preconfigured Attack Surface from the list of available organizations, you will be redirected to the Dashboard Overview screen where you can view insights into your organizationΓÇÖs infrastructure in Preview Mode. Review these dashboard insights to become familiar with your Attack Surface as you wait for more assets to be discovered and populated in your inventory. See the [Understanding dashboards](understanding-dashboards.md) article for more information on how to derive insights from these dashboards.

+If you notice any missing assets or have other entities to manage that may not be discovered through infrastructure that is clearly linked to your organization, elect to run customized discoveries to detect these outlier assets.

+Custom discoveries are ideal for organizations that require deeper visibility into infrastructure that may not be immediately linked to their primary seed assets. By submitting a larger list of known assets to operate as discovery seeds, the discovery engine returns a wider pool of assets. Custom discovery can also help organizations find disparate infrastructure that may relate to independent business units and acquired companies.

+ :::image type="content" source="media/Discovery_7.png" alt-text="Screenshot of pre-baked attack surface selection page.":::

+ Alternatively, users can manually input their seeds. Defender EASM accepts organization names, domains, IP blocks, hosts, email contacts, ASNs, and WhoIs organizations as seed values. You can also specify entities to exclude from asset discovery to ensure they aren't added to your inventory if detected. For example, exclusions are useful for organizations that have subsidiaries that will likely be connected to their central infrastructure, but do not belong to your organization.

+ You'll then be taken back to the main Discovery page that displays your Discovery Groups. Once your discovery run is complete, you'll see new assets added to your Approved Inventory.

+Run history is organized by the seed assets scanned during the discovery run. To see a list of the applicable seeds, click ΓÇ£DetailsΓÇ¥. This action opens a right-hand pane that lists all the seeds and exclusions by kind and name.

+Similarly, you can click the ΓÇ£ExclusionsΓÇ¥ tab to see a list of entities that have been excluded from the discovery group. This means that these assets will not be used as discovery seeds or added to your inventory. It's important to note that exclusions only impact future discovery runs for an individual discovery group. The ΓÇ£type" field displays the category of the excluded entity. The source name is the value that was inputted in the appropriate type box when creating the discovery group. The final column shows a list of discovery groups where this exclusion is present; each value is clickable, taking you to the details page for that discovery group.

+|Severity |Each signature has an associated severity level and assigned priority that indicates the probability that the signature is an actual attack.<br>- **Low (priority 1)**: An abnormal event is one that doesn't normally occur on a network or Informational events are logged. Probability of attack is low.<br>- **Medium (priority 2)**: The signature indicates an attack of a suspicious nature. The administrator should investigate further.<br>- **High (priority 3)**: The attack signatures indicate that an attack of a severe nature is being launched. There's little probability that the packets have a legitimate purpose.|

+[Differences between Windows PowerShell 5.1 and PowerShell (core) 7.x](/powershell/gallery/how-to/working-with-local-psrepositories)

+[sudo command](https://www.sudo.ws/docs/man/sudo.man/).

+LINES_TO_INCLUDE_BEFORE_MATCH=0

+LINES_TO_INCLUDE_AFTER_MATCH=10

+LOGPATH=/var/lib/GuestConfig/gc_agent_logs/gc_agent.log

+egrep -B $LINES_TO_INCLUDE_BEFORE_MATCH -A $LINES_TO_INCLUDE_AFTER_MATCH 'DSCEngine|DSCManagedEngine' $LOGPATH | tail

+> Using customer-managed keys in the Brazil South, East Asia, and Southeast Asia Azure regions requires an Enterprise Application ID generated by Microsoft. You can request Enterprise Application ID by creating a one-time support ticket through the Azure portal. After receiving the Application ID, follow [the instructions to register the application](/azure/cosmos-db/how-to-setup-cross-tenant-customer-managed-keys?tabs=azure-portal#the-customer-grants-the-service-providers-app-access-to-the-key-in-the-key-vault).

+The FHIR destination mapping controls how the normalized data extracted from a device message is mapped into a FHIR observation.

+Once device data is transformed into a normalized data model, the normalized data is collected for transformation to a [FHIR Observation](https://www.hl7.org/fhir/observation.html). If the Observation type is [SampledData](https://www.hl7.org/fhir/datatypes.html#SampledData), the data is grouped according to device identifier, measurement type, and time period (time period can be either 1 hour or 24 hours). The output of this grouping is sent for conversion into a single [FHIR Observation](https://www.hl7.org/fhir/observation.html) that represents the time period for that data type. For other Observation types ([Quantity](https://www.hl7.org/fhir/datatypes.html#Quantity), [CodeableConcept](https://www.hl7.org/fhir/datatypes.html#CodeableConcept) and [string](https://www.hl7.org/fhir/datatypes.html#string)) data isn't grouped, but instead each measurement is transformed into a single Observation representing a point in time.

+In this section, you'll prepare a development environment that's used to build the [Azure IoT Device SDK for C](https://github.com/Azure/azure-iot-sdk-c). The sample code attempts to provision the device during the device's boot sequence.

+1. In a Windows command prompt, run the following commands to clone the latest release of the [Azure IoT Device SDK for C](https://github.com/Azure/azure-iot-sdk-c) GitHub repository. Replace `<release-tag>` with the tag you copied in the previous step, for example: `lts_01_2023`.

+2. Clone the [Azure IoT SDK for Node.js](https://github.com/Azure/azure-iot-sdk-node) GitHub repository using the following command:

+2. Clone the [Azure IoT Device SDK for Python](https://github.com/Azure/azure-iot-sdk-python/tree/v2) GitHub repository using the following command:

+ ```cmd

+ git clone -b v2 https://github.com/Azure/azure-iot-sdk-python.git --recursive

+ ```

+ >[!NOTE]

+ >The samples used in this tutorial are in the **v2** branch of the azure-iot-sdk-python repository. V3 of the Python SDK is available to use in beta. For information about updating V2 code samples to use a V3 release of the Python SDK, see [Azure IoT Device SDK for Python migration guide](https://github.com/Azure/azure-iot-sdk-python/blob/main/migration_guide_provisioning.md).

+2. Clone the [Azure IoT SDK for Java](https://github.com/Azure/azure-iot-sdk-java) GitHub repository using the following command:

+ cd .\azure-iot-sdk-csharp\provisioning\device\samples\how to guides\SymmetricKeySample

+ D:\azure-iot-sdk-csharp\provisioning\device\samples\how to guides\SymmetricKeySample>dotnet run --i 0ne00000A0A --r sn-007-888-abc-mac-a1-b2-c3-d4-e5-f6 --p sbDDeEzRuEuGKag+kQKV+T1QGakRtHpsERLP0yPjwR93TrpEgEh/Y07CXstfha6dhIPWvdD1nRxK5T0KGKA+nQ==

+ cd azure-iot-sdk-java\provisioning\provisioning-device-client-samples\provisioning-symmetrickey-individual-sample

+3. Clone the [Azure IoT Device SDK for C](https://github.com/Azure/azure-iot-sdk-c) on both VMs. Use the tag you found in the previous step as the value for the `-b` parameter, for example: `lts_01_2023`.

+5. Open a command prompt or Git Bash shell. Run the following commands to clone the latest release of the [Azure IoT Device SDK for C](https://github.com/Azure/azure-iot-sdk-c) GitHub repository. Replace `<release-tag>` with the tag you copied in the previous step, for example: `lts_01_2023`.

+2. Clone the [Azure IoT SDK for Node.js](https://github.com/Azure/azure-iot-sdk-node) GitHub repository using the following command:

+2. Clone the [Azure IoT SDK for Python](https://github.com/Azure/azure-iot-sdk-python/tree/v2) GitHub repository using the following command:

+ ```cmd

+ git clone -b v2 https://github.com/Azure/azure-iot-sdk-python.git --recursive

+ ```

+ >[!NOTE]

+ >The samples used in this tutorial are in the **v2** branch of the azure-iot-sdk-python repository. V3 of the Python SDK is available to use in beta. For information about updating V2 code samples to use a V3 release of the Python SDK, see [Azure IoT Device SDK for Python migration guide](https://github.com/Azure/azure-iot-sdk-python/blob/main/migration_guide_provisioning.md).

+2. Clone the [Azure IoT SDK for Java](https://github.com/Azure/azure-iot-sdk-java) GitHub repository using the following command:

+ cd '.\azure-iot-sdk-csharp\provisioning\device\samples\how to guides\SymmetricKeySample\'

+ D:\azure-iot-sdk-csharp\provisioning\device\samples\how to guides\SymmetricKeySample>dotnet run --i 0ne00000A0A --r symm-key-csharp-device-01 --p sbDDeEzRuEuGKag+kQKV+T1QGakRtHpsERLP0yPjwR93TrpEgEh/Y07CXstfha6dhIPWvdD1nRxK5T0KGKA+nQ==

+ cd azure-iot-sdk-java\provisioning\provisioning-device-client-samples\provisioning-symmetrickey-individual-sample

+5. Open a command prompt or Git Bash shell. Run the following commands to clone the latest release of the [Azure IoT Device SDK for C](https://github.com/Azure/azure-iot-sdk-c) GitHub repository. Replace `<release-tag>` with the tag you copied in the previous step, for example: `lts_01_2023`.

+ cd '.\azure-iot-sdk-csharp\provisioning\device\samples\how to guides\TpmSample\'

+ cd '.\azure-iot-sdk-csharp\provisioning\device\samples\how to guides\TpmSample\'

+4. In your Windows command prompt, run the following commands to clone the latest release of the [Azure IoT Device SDK for C](https://github.com/Azure/azure-iot-sdk-c) GitHub repository. Replace `<release-tag>` with the tag you copied in the previous step, for example: `lts_01_2023`.

+In your Windows command prompt, clone the [Azure IoT SDK for Node.js](https://github.com/Azure/azure-iot-sdk-node) GitHub repository using the following command:

+In your Windows command prompt, clone the [Azure IoT Device SDK for Python](https://github.com/Azure/azure-iot-sdk-python/tree/v2) GitHub repository using the following command:

+git clone -b v2 https://github.com/Azure/azure-iot-sdk-python.git --recursive

+>[!NOTE]

+>The samples used in this tutorial are in the **v2** branch of the azure-iot-sdk-python repository. V3 of the Python SDK is available to use in beta. For information about updating V2 code samples to use a V3 release of the Python SDK, see [Azure IoT Device SDK for Python migration guide](https://github.com/Azure/azure-iot-sdk-python/blob/main/migration_guide_provisioning.md).

+1. In your Windows command prompt, clone the [Azure IoT Samples for Java](https://github.com/Azure/azure-iot-sdk-java) GitHub repository using the following command:

+3. In your Windows command prompt, change to the X509Sample directory. This directory is located in the *.\azure-iot-sdk-csharp\provisioning\device\samples\getting started\X509Sample* directory off the directory where you cloned the samples on your computer.

+ cd .\azure-iot-sdk-java\provisioning\provisioning-device-client-samples\provisioning-X509-sample

+ 1. Open the file `.\src\main\java\samples\com\microsoft\azure\sdk\iot\ProvisioningX509Sample.java` in your favorite editor.

+ cd azure-iot-sdk-java\provisioning\provisioning-service-client-samples\service-enrollment-sample

+1. From the *azure-iot-sdk-java\provisioning\provisioning-service-client-samples\service-enrollment-sample* folder in your command prompt, run the following command to build the sample:

+ cd azure-iot-sdk-java\provisioning\provisioning-service-client-samples\service-enrollment-group-sample

+1. From the *azure-iot-sdk-java\provisioning\provisioning-service-client-samples\service-enrollment-group-sample* folder in your command prompt, run the following command to build the sample:

+3. Open a command prompt or Git Bash shell. Run the following commands to clone the latest release of the [Azure IoT Device SDK for C](https://github.com/Azure/azure-iot-sdk-c) GitHub repository. Use the tag you found in the previous step as the value for the `-b` parameter, for example: `lts_01_2023`.

+4. In your Windows command prompt, run the following commands to clone the latest release of the [Azure IoT Device SDK for C](https://github.com/Azure/azure-iot-sdk-c) GitHub repository. Replace `<release-tag>` with the tag you copied in the previous step, for example: `lts_01_2023`.

+In your Windows command prompt, clone the [Azure IoT SDK for Node.js](https://github.com/Azure/azure-iot-sdk-node) GitHub repository using the following command:

+In your Windows command prompt, clone the [Azure IoT Device SDK for Python](https://github.com/Azure/azure-iot-sdk-python/tree/v2) GitHub repository using the following command:

+git clone -b v2 https://github.com/Azure/azure-iot-sdk-python.git --recursive

+>[!NOTE]

+>The samples used in this tutorial are in the **v2** branch of the azure-iot-sdk-python repository. V3 of the Python SDK is available to use in beta. For information about updating V2 code samples to use a V3 release of the Python SDK, see [Azure IoT Device SDK for Python migration guide](https://github.com/Azure/azure-iot-sdk-python/blob/main/migration_guide_provisioning.md).

+1. In your Windows command prompt, clone the [Azure IoT Samples for Java](https://github.com/Azure/azure-iot-sdk-java) GitHub repository using the following command:

+3. In your Windows command prompt, change to the X509Sample directory. This directory is located in the *.\azure-iot-sdk-csharp\provisioning\device\samples\getting started\X509Sample* directory off the directory where you cloned the samples on your computer.

+ cd .\azure-iot-sdk-java\provisioning\provisioning-device-client-samples\provisioning-X509-sample

+ 1. Open the file `.\src\main\java\samples\com\microsoft\azure\sdk\iot\ProvisioningX509Sample.java` in your favorite editor.

+For a list of the available service APIs, see [Service SDKs](iot-sdks.md#iot-hub-service-sdks).

+### Embedded device SDKs

+## IoT Hub service SDKs

+## IoT Hub management SDKs

+## DPS device SDKs

+### DPS embedded device SDKs

+## DPS service SDKs

+## DPS management SDKs

+## Azure Digital Twins control plane APIs

+## Azure Digital Twins data plane APIs

+STORAGE_ACCOUNT_NAME=""

+STORAGE_ACCOUNT_KEY=""

+FILESHARE_NAME=""

+MOUNT_DIRECTORY="prm-mnt"

+sudo mkdir /$MOUNT_DIRECTORY/$FILESHARE_NAME

+if [ ! -f "/etc/smbcredentials/$STORAGE_ACCOUNT_NAME.cred" ]; then

+ sudo bash -c "echo ""username=$STORAGE_ACCOUNT_NAME"" >> /etc/smbcredentials/$STORAGE_ACCOUNT_NAME.cred"

+ sudo bash -c "echo ""password=$STORAGE_ACCOUNT_KEY"" >> /etc/smbcredentials/$STORAGE_ACCOUNT_NAME.cred"

+sudo chmod 600 /etc/smbcredentials/$STORAGE_ACCOUNT_NAME.cred

+sudo bash -c "echo ""//$STORAGE_ACCOUNT_NAME.file.core.windows.net/$FILESHARE_NAME /$MOUNT_DIRECTORY/$FILESHARE_NAME cifs nofail,vers=3.0,credentials=/etc/smbcredentials/$STORAGE_ACCOUNT_NAME.cred,dir_mode=0777,file_mode=0777,serverino"" >> /etc/fstab"

+sudo mount -t cifs //$STORAGE_ACCOUNT_NAME.file.core.windows.net/$FILESHARE_NAME /$MOUNT_DIRECTORY/$FILESHARE_NAME -o vers=3.0,credentials=/etc/smbcredentials/$STORAGE_ACCOUNT_NAME.cred,dir_mode=0777,file_mode=0777,serverino

+STORAGE_ACCOUNT_NAME=""

+STORAGE_ACCOUNT_IP=""

+STORAGE_ACCOUNT_KEY=""

+FILESHARE_NAME=""

+MOUNT_DIRECTORY="prm-mnt"

+sudo mkdir /$MOUNT_DIRECTORY/$FILESHARE_NAME

+if [ ! -f "/etc/smbcredentials/$STORAGE_ACCOUNT_NAME.cred" ]; then

+ sudo bash -c "echo ""username=$STORAGE_ACCOUNT_NAME"" >> /etc/smbcredentials/$STORAGE_ACCOUNT_NAME.cred"

+ sudo bash -c "echo ""password=$STORAGE_ACCOUNT_KEY"" >> /etc/smbcredentials/$STORAGE_ACCOUNT_NAME.cred"

+sudo bash -c "echo ""//$STORAGE_ACCOUNT_IP/$FILESHARE_NAME /$MOUNT_DIRECTORY/$fileshare_name cifs nofail,vers=3.0,credentials=/etc/smbcredentials/$STORAGE_ACCOUNT_NAME.cred,dir_mode=0777,file_mode=0777,serverino"" >> /etc/fstab"

+sudo mount -t cifs //$STORAGE_ACCOUNT_NAME.file.core.windows.net/$FILESHARE_NAME /$MOUNT_DIRECTORY/$FILESHARE_NAME -o vers=3.0,credentials=/etc/smbcredentials/$STORAGE_ACCOUNT_NAME.cred,dir_mode=0777,file_mode=0777,serverino

+ VOLUME_NAME=$1

+ CAPACITY_POOL_IP_ADDR=0.0.0.0 # IP address of capacity pool

+ MOUNT_DIRECTORY="prm-mnt"

+ sudo mkdir -p /$MOUNT_DIRECTORY

+ sudo mkdir /$MOUNT_DIRECTORY/$FOLDER_NAME

+ sudo mount -t nfs -o rw,hard,rsize=65536,wsize=65536,vers=3,tcp $CAPACITY_POOL_IP_ADDR:/$VOLUME_NAME /$MOUNT_DIRECTORY/$VOLUME_NAME

+ sudo bash -c "echo ""$CAPACITY_POOL_IP_ADDR:/$VOLUME_NAME /$MOUNT_DIRECTORY/$VOLUME_NAME nfs bg,rw,hard,noatime,nolock,rsize=65536,wsize=65536,vers=3,tcp,_netdev 0 0"" >> /etc/fstab"

+ Title: Create maps for data transformation

+description: Create maps to transform data between schemas in Azure Logic Apps using Visual Studio Code.

+ms.suite: integration

+# As a developer, I want to transform data in Azure Logic Apps by creating a map between schemas with Visual Studio Code.

+# Create maps to transform data in Azure Logic Apps with Visual Studio Code (preview)

+> [!IMPORTANT]

+> This capability is in preview and is subject to the

+> [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+To exchange messages that have different XML or JSON formats in an Azure Logic Apps workflow, you have to transform the data from one format to another, especially if you have gaps between the source and target schema structures. Data transformation helps you bridge those gaps. For this task, you need to create a map that defines the transformation between data elements in the source and target schemas.

+To visually create and edit a map, you can use Visual Studio Code with the Data Mapper extension within the context of a Standard logic app project. The Data Mapper tool provides a unified experience for XSLT mapping and transformation using drag and drop gestures, a prebuilt functions library for creating expressions, and a way to manually test the maps that you create and use in your workflows.

+After you create your map, you can directly call that map from a workflow in your logic app project or from a workflow in the Azure portal. For this task, add the **Data Mapper Operations** action named **Transform using Data Mapper XSLT** to your workflow. To use this action in the Azure portal, add the map to either of the following resources:

+- An integration account for a Consumption or Standard logic app resource

+- The Standard logic app resource itself

+This how-to guide shows how to complete the following tasks:

+- Create a blank data map.

+- Specify the source and target schemas to use.

+- Navigate the map.

+- Select the target and source elements to map.

+- Create a direct mapping between elements.

+- Create a complex mapping between elements.

+- Create a loop between arrays.

+- Crete an if condition between elements.

+- Save the map.

+- Test the map.

+- Call the map from a workflow in your logic app project.

+## Limitations

+- The Data Mapper extension currently works only in Visual Studio Code running on Windows operating systems.

+- The Data Mapper tool is currently available only in Visual Studio Code, not the Azure portal, and only from within Standard logic app projects, not Consumption logic app projects.

+- To call maps created with the Data Mapper tool, you can only use the **Data Mapper Operations** action named **Transform using Data Mapper XSLT**. [For maps created by any other tool, use the **XML Operations** action named **Transform XML**](logic-apps-enterprise-integration-transform.md).

+- The Data Mapper tool's **Code view** pane is currently read only.

+- The map layout and item position are currently automatic and read only.

+## Known issues

+The Data Mapper extension currently works only with schemas in flat folder-structured projects.

+## Prerequisites

+- [Same prerequisites for using Visual Studio Code and the Azure Logic Apps (Standard) extension](create-single-tenant-workflows-visual-studio-code.md#prerequisites) to create Standard logic app workflows.

+- The latest **Azure Logic Apps - Data Mapper** extension. You can download and install this extension from inside Visual Studio Code through the Marketplace, or you can find this extension externally on the [Marketplace website](https://marketplace.visualstudio.com/vscode).

+- The source and target schema files that describe the data types to transform. These files can have either the following formats:

+ - An XML schema definition file with the .xsd file extension

+ - A JavaScript Object Notation file with the .json file extension

+- A Standard logic app project that includes a stateful or stateless workflow with at least a trigger. If you don't have a project, follow these steps in Visual Studio Code:

+ 1. [Connect to your Azure account](create-single-tenant-workflows-visual-studio-code.md#connect-azure-account), if you haven't already.

+ 1. [Create a local folder, a local Standard logic app project, and a stateful or stateless workflow](create-single-tenant-workflows-visual-studio-code.md#create-project). During workflow creation, select **Open in current window**.

+ After you create your logic app project, in your project's root folder, open the **local.settings.json** file, and add the following values:

+ - `"FUNCTIONS_WORKER_RUNTIME": "dotnet-isolated"`

+ - `"AzureWebJobsFeatureFlags": "EnableMultiLanguageWorker"`

+- Sample input data if you want to test the map and check that the transformation works as you expect.

+## Create a data map

+1. On the Visual Studio Code left menu, select the **Azure** icon.

+1. In the **Azure** pane, under the **Data Mapper** section, select **Create new data map**.

+ 

+1. Provide a name for your data map.

+1. Specify your source and target schemas by following these steps:

+ 1. On the map surface, select **Add a source schema**.

+ 

+ 1. On the **Configure** pane that opens, select **Add new** > **Browse**.

+ 1. Find and select your source schema file, and then select **Add**.

+ If your source schema doesn't appear in the **Open** window, from the file type list, change **XSD File (\*.xsd)** to **All Files (\*.\*)**.

+ The map surface now shows the data types from the source schema. For the examples in this guide,

+ 1. On the map surface, select **Add a target schema**.

+ 1. On the **Configure** pane that opens, select **Add new** > **Browse**.

+ 1. Find and select your target schema file, and then select **Add**.

+ If your target schema doesn't appear in the **Open** window, from the file type list, change **XSD File (\*.xsd)** to **All Files (\*.\*)**.

+ The map surface now shows data types from the target schema.

+ Alternatively, you can also add your source and target schema files locally to your logic app project in the **Artifacts** **Schemas** folder, so that they appear in Visual Studio Code. In this case, you can specify your source and target schema in the Data Mapper tool on the **Configure** pane by selecting **Select existing**, rather than **Add new**.

+ When you're done, your map looks similar to the following example:

+ 

+The following table describes the possible data types that might appear in a schema:

+| Symbol | Type | More info |

+|--||--|

+|  | Array | Contains items or repeating item nodes |

+|  | Binary | |

+|  | Bool | True or false only |

+|  | Complex | An XML object with children properties, similar to the Object JSON type |

+|  | DateTime | |

+|  | Decimal | |

+|  | Integer | Whole numbers only |

+|  | Null | Not a data type, but appears when an error or an invalid type exists |

+|  | Number | A JSON integer or decimal |

+|  | Object | A JSON object with children properties, similar to the Complex XML type |

+|  | String | |

+<a name="navigate-map"></a>

+## Navigate the map

+To move around the map, you have the following options:

+- To pan around, drag your pointer around the map surface. Or, press and hold the mouse wheel, while you move the mouse or trackball.

+- After you move one level down into the map, in the map's lower left corner, a navigation bar appears where you can select from the following options:

+ 

+ | Option | Alternative gesture |

+ |--||

+ | **Zoom out** | On the map surface, press SHIFT + double select. <br>-or- <br>Scroll down with the mouse wheel. |

+ | **Zoom in** | On the map surface, double select. <br>-or- <br>Scroll up with the mouse wheel. |

+ | **Zoom to fit** | None |

+ | **Show (Hide) mini-map** | None |

+- To move up one level on the map, on the breadcrumb path at the top of the map, select a previous level.

+<a name="select-elements"></a>

+## Select target and source elements to map

+1. On the map surface, starting from the right side, in the target schema area, select the target element that you want to map. If the element you want is a child of a parent element, find and expand the parent first.

+1. Now, on the left side, from the source schema area, select **Select element**.

+1. In the **Source schema** window that appears, select one or more source elements to show on the map.

+ - To include a parent and direct children, open the parent's shortcut menu, and select **Add children**.

+ - To include a parent and all the children for that parent, including any sub-parents, open the top-level parent's shortcut menu, and select **Add children (recursive)**.

+1. When you're done, you can close the source schema window. You can always add more source elements later. On the map, in the upper left corner, select **Show source schema** ().

+<a name="create-direct-mapping"></a>

+## Create a direct mapping between elements

+For a straightforward transformation between elements with the same type in the source and target schemas, follow these steps:

+1. To review what happens in code while you create the mapping, in the map's upper right corner, select **Show code**.

+1. If you haven't already, on the map, [select the target elements and then the source elements that you want to map](#select-elements).

+1. Move your pointer over the source element so that both a circle and a plus sign (**+**) appear.

+ 

+1. Drag a line to the target element so that the line connects to the circle that appears.

+ 

+ You've now created a direct mapping between both elements.

+ 

+ The code view window reflects the mapping relationship that you created:

+ 

+> [!NOTE]

+>

+> If you create a mapping between elements where their data types don't match, a warning appears on the target element, for example:

+>

+> 

+<a name="create-complex-mapping"></a>

+## Create a complex mapping between elements

+For a more complex transformation between elements in the source and target schemas, such as elements that you want to combine or that have different data types, you can use one or more functions to perform tasks for that transformation.

+The following table lists the available function groups and *example* functions that you can use:

+| Group | Example functions |

+|-|-|

+| Collection | Average, Count, Direct Access, Index, Join, Maximum, Minimum, Sum |

+| Conversion | To date, To integer, To number, To string |

+| Date and time | Add days |

+| Logical comparison | Equal, Exists, Greater, Greater or equal, If, If else, Is nil, Is null, Is number, Is string, Less, Less or equal, Logical AND, Logical NOT, Logical OR, Not equal |

+| Math | Absolute, Add, Arctangent, Ceiling, Cosine, Divide, Exponential, Exponential (base 10), Floor, Integer divide, Log, Log (base 10), Module, Multiply, Power, Round, Sine, Square root, Subtract, Tangent |

+| String | Code points to string, Concat, Contains, Ends with, Length, Lowercase, Name, Regular expression matches, Regular expression replace, Replace, Starts with, String to code-points, Substring, Substring after, Substring before, Trim, Trim left, Trim right, Uppercase |

+| Utility | Copy, Error, Format date-time, Format number |

+On the map, the function's label looks like the following example and is color-coded based on the function group. To the function name's left side, a symbol for the function appears. To the function name's right side, a symbol for the function output's data type appears.

+

+### Add a function without a mapping relationship

+The example in this section transforms the source element type from String type to DateTime type, which matches the target element type. The example uses the **To date** function, which takes a single input.

+1. To review what happens in code while you create the mapping, in the map's upper right corner, select **Show code**.

+1. If you haven't already, on the map, [select the target elements and then the source elements that you want to map](#select-elements).

+1. In the map's upper left corner, select **Show functions** ().

+ 

+1. From the functions list that opens, find and select the function that you want to use, which adds the function to the map. If the function doesn't appear visible on the map, try zooming out on the map surface.

+ This example selects the **To date** function.

+ 

+ > [!NOTE]

+ >

+ > If no mapping line exists or is selected when you add a function to the map, the function

+ > appears on the map, but disconnected from any elements or other functions, for example:

+ >

+ > 

+ >

+1. Expand the function shape to display the function's details and connection points. To expand the function shape, select inside the shape.

+1. Connect the function to the source and target elements.

+ 1. Drag and draw a line between the source elements and the function's left edge. You can start either from the source elements or from the function.

+ 

+ 1. Drag and draw a line between the function's right edge and the target element. You can start either from the target element or from the function.

+ 

+1. On the function's **Properties** tab, confirm or edit the input to use.

+ 

+ For some data types, such as arrays, the scope for the transformation might also appear available. This scope is usually the immediate element, such as an array, but in some scenarios, the scope might exist beyond the immediate element.

+ The code view window reflects the mapping relationship that you created:

+ 

+For example, to iterate through array items, see [Create a loop between arrays](#loop-through-array). To perform a task when an element's value meets a condition, see [Add a condition between elements](#add-condition).

+### Add a function to an existing mapping relationship

+When a mapping relationship already exists between source and target elements, you can add the function by following these steps:

+1. On the map, select the line for the mapping that you created.

+1. Move your pointer over the selected line, and select the plus sign (**+**) that appears.

+1. From the functions list that opens, find and select the function that you want to use.

+ The function appears on the map and is automatically connected between the source and target elements.

+### Add a function with multiple inputs

+The example in this section concatenates multiple source element types so that you can map the results to the target element type. The example uses the **Concat** function, which takes multiple inputs.

+1. To review what happens in code while you create the mapping, in the map's upper right corner, select **Show code**.

+1. If you haven't already, on the map, [select the target elements and then the source elements that you want to map](#select-elements).

+1. In the map's upper left corner, select **Show functions** ().

+ 

+1. From the functions list that opens, find and select the function that you want to use, which adds the function to the map. If the function doesn't appear visible on the map, try zooming out on the map surface.

+ This example selects the **Concat** function:

+ 

+ > [!NOTE]

+ >

+ > If no mapping line exists or is selected when you add a function to the map, the function

+ > appears on the map, but disconnected from any elements or other functions. If the function

+ > requires configuration, a red dot appears in the function's upper right corner, for example:

+ >

+ > 

+1. Expand the function shape to display the function's details and connection points. To expand the function shape, select inside the shape.

+1. In the function information pane, on the **Properties** tab, under **Inputs**, select the source data elements to use as the inputs.

+ This example selects the **FirstName** and **LastName** source elements as the function inputs, which automatically add the respective connections on the map.

+ 

+1. To complete the mapping drag and draw a line between the function's right edge and the target element. You can start either from the target element or from the function.

+ 

+ The code view window reflects the mapping relationship that you created:

+ 

+<a name="loop-through-array"></a>

+## Create a loop between arrays

+If your source and target schemas include arrays, you can create a loop mapping relationship that iterates through the items in those arrays. The example in this section loops through an Employee source array and a Person target array.

+1. To review what happens in code while you create the mapping, in the map's upper right corner, select **Show code**.

+1. On the map, in the target schema area, [select the target array element and target array item elements that you want to map](#select-elements).

+1. On the map, in the target schema area, expand the target array element and array items.

+1. In the source schema area, add the source array element and array item elements to the map.

+1. [Create a direct mapping between the source and target elements](#create-direct-mapping).

+ 

+ When you first create a mapping relationship between a matching pair of array items, a mapping relationship is automatically created at the parent array level.

+ 

+ The code view window reflects the mapping relationship that you created:

+ 

+1. Continue mapping the other array elements.

+ 

+<a name="add-condition"></a>

+## Set up a condition and task to perform between elements

+To add a mapping relationship that evaluates a condition and performs a task when the condition is met, you can use multiple functions, such as the **If** function, a comparison function such as **Greater**, and the task to perform such as **Multiply**.

+The example in this section calculates a discount to apply when the purchase quantity exceeds 20 items by using the following functions:

+- **Greater**: Check whether item quantity is greater than 20.

+- **If**: Check whether the **Greater** function returns true.

+- **Multiply**: Calculate the discount by multiplying the item price by 10% and the item quantity.

+1. To review what happens in code while you create the mapping, in the map's upper right corner, select **Show code**.

+1. If you haven't already, on the map, [select the target elements and then the source elements that you want to map](#select-elements).

+ This example selects the following elements:

+ 

+1. In the map's upper left corner, select **Show functions** ().

+1. Add the following functions to the map: **Greater**, **If**, and **Multiply**

+1. Expand all the function shapes to show the function details and connection points.

+1. Connect the source elements, functions, and target elements as follows:

+ * The source schema's **ItemPrice** element to the target schema's **ItemPrice** element

+ * The source schema's **ItemQuantity** element to the **Greater** function's **Value** field

+ * The **Greater** function's output to the **If** function's **Condition** field

+ * The source schema's **ItemPrice** element to the **Multiply** function's **Multiplicand 0*** field

+ * The **Multiply** function's output to the **If** function's **Value** field

+ * The **If** function's output to the target schema's **ItemDiscount** element

+ > [!NOTE]

+ >

+ > In the **If** function, the word **ANY** appears to the right of the function name,

+ > indicating that you can assign the output value to anything.

+1. In the following functions, on the **Properties** tab, specify the following values:

+ | Function | Input parameter and value |

+ |-||

+ | **Greater** | - **Value** #1: The source element named **ItemQuantity** <br>- **Value** #2: **20** |

+ | **Multiply** | - **Multiplicand** #1: The source element named **ItemPrice** <br>- **Multiplicand** #2: **.10** |

+ | **If** | - **Condition**: **is-greater-than(ItemQuantity,20)** <br>- **Value**: **multiply(ItemPrice, .10)** |

+ The following map shows the finished example:

+ 

+ The code view window reflects the mapping relationship that you created:

+ 

+## Save your map

+When you're done, on the map toolbar, select **Save**.

+Visual Studio Code saves your map as the following artifacts:

+- A **<*your-map-name*>.yml** file in the **Artifacts** > **MapDefinitions** project folder

+- An **<*your-map-name*>.xslt** file in the **Artifacts** > **Maps** project folder

+## Test your map

+To confirm that the transformation works as you expect, you'll need sample input data.

+1. On your map toolbar, select **Test**.

+1. On the **Test map** pane, in the **Input** window, paste your sample input data, and then select **Test**.

+ The test pane switches to the **Output** tab and shows the test's status code and response body.

+## Call your map from a workflow in your project

+1. On the Visual Studio Code left menu, select **Explorer** (files icon) to view your logic app project structure.

+1. Expand the folder that has your workflow name. From the **workflow.json** file's shortcut menu, select **Open Designer**.

+1. On the workflow designer, either after the step or between the steps where you want to perform the transformation, select the plus sign (**+**) > **Add an action**.

+1. On the **Add an action** pane, in the search box, enter **data mapper**. Select the **Data Mapper Operations** action named **Transform using Data Mapper XSLT**.

+1. In the action information box, specify the **Content** value, and leave **Map Source** set to **Logic App**. From the **Map Name** list, select the map file (.xslt) that you want to use.

+To use the same **Transform using Data Mapper XSLT** action in the Azure portal, add the map to either of the following resources:

+- An integration account for a Consumption or Standard logic app resource

+- The Standard logic app resource itself

+## Next steps

+- For data transformations using B2B operations in Azure Logic Apps, see [Add maps for transformations in workflows with Azure Logic Apps](logic-apps-enterprise-integration-maps.md)

+> * __Some features of studio will fail to access your data__. This problem happens when the _data is stored on a service that is secured behind the VNet_. For example, an Azure Storage Account. To resolve this problem, add your client device's IP address to the [Azure Storage Account's firewall](../storage/common/storage-network-security.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json#grant-access-from-an-internet-ip-range).

+ :::code language="yaml" source="~/azureml-examples-main/cli/endpoints/online/ncd/sklearn-diabetes/environment/conda.yaml":::

+> [!IMPORTANT]

+> While this is a supported configuration for Azure Machine Learning, Microsoft doesn't recommend it. The data in the Azure Storage Account behind the virtual network can be exposed on the public workspace. You should verify this configuration with your security team before using it in production.

+ OR

+Microsoft Sentinel can automatically create a workspace for you if you're OK with a public endpoint. In this configuration, the security operations center (SOC) analysts and system administrators connect to notebooks in your workspace through Sentinel.

+* To use Azure Machine Learning, you must have an Azure subscription. If you don't have an Azure subscription, create a free account before you begin. Try the [free or paid version of Azure Machine Learning](https://azure.microsoft.com/free/) today.

+ > [!IMPORTANT]

+ > * Each managed online endpoint deployment has it's own independent Azure Machine Learning managed VNet. If the endpoint has multiple deployments, each deployment has it's own managed VNet.

+ > * We do not support peering between a deployment's managed VNet and your client VNet. For secure access to resources needed by the deployment, we use private endpoints to communicate with the resources.

+To create the resources, use the following Azure CLI commands. To create a resource group. Replace `<my-resource-group>` and `<my-location>` with the desired values.

+When your Azure Machine Learning workspace is configured with a private endpoint, deploying to Azure Container Instances in a VNet isn't supported. Instead, consider using a [Managed online endpoint with network isolation](how-to-secure-online-endpoint.md).

+ If you've [installed the Machine Learning extension v2 for Azure CLI](how-to-configure-cli.md), you can use the `az ml workspace show` command to show the workspace information. The v1 extension doesn't return this information.

+## Public access to workspace

+> [!IMPORTANT]

+> While this is a supported configuration for Azure Machine Learning, Microsoft doesn't recommend it. You should verify this configuration with your security team before using it in production.

+In some cases, you may need to allow access to the workspace from the public network (without connecting through the VNet using the methods detailed the [Securely connect to your workspace](#securely-connect-to-your-workspace) section). Access over the public internet is secured using TLS.

+To enable public network access to the workspace, use the following steps:

+1. [Enable public access](how-to-configure-private-link.md#enable-public-access) to the workspace after configuring the workspace's private endpoint.

+1. [Configure the Azure Storage firewall](../storage/common/storage-network-security.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json#grant-access-from-an-internet-ip-range) to allow communication with the IP address of clients that connect over the public internet. You may need to change the allowed IP address if the clients don't have a static IP. For example, if one of your Data Scientists is working from home and can't establish a VPN connection to the VNet.

+ :::code language="yaml" source="~/azureml-examples-main//sdk/python/using-mlflow/deploy/environment/conda.yaml" highlight="7-8" range="1-12":::

+[!Notebook-python[] (~/azureml-examples-main/tutorials/e2e-ds-experience/e2e-ml-workflow.ipynb?name=conda.yaml)]

+> [!NOTE]

+> OVA templates are not available for soverign clouds.

+|Dsv4|Standard_D8s_v4|8|32|

+|Dsv4|Standard_D16s_v4|16|64|

+|Dsv4|Standard_D32s_v4|32|128|

+|Dsv5|Standard_D8s_v5|8|32|

+|Dsv5|Standard_D16s_v5|16|64|

+|Dsv5|Standard_D32s_v5|32|128|

+|Dasv4|Standard_D8as_v4|8|32|

+|Dasv4|Standard_D16as_v4|16|64|

+|Dasv4|Standard_D32as_v4|32|128|

+|Dasv5|Standard_D8as_v5|8|32|

+|Dasv5|Standard_D16as_v5|16|64|

+|Dasv5|Standard_D32as_v5|32|128|

+|Easv4|Standard_E4as_v4|4|32|

+|Easv4|Standard_E8as_v4|8|64|

+|Easv4|Standard_E16as_v4|16|128|

+|Easv4|Standard_E20as_v4|20|160|

+|Easv4|Standard_E32as_v4|32|256|

+|Easv4|Standard_E48as_v4|48|384|

+|Easv4|Standard_E64as_v4|64|512|

+|Easv4|Standard_E96as_v4|96|672|

+|Easv5|Standard_E8as_v5|8|64|

+|Easv5|Standard_E16as_v5|16|128|

+|Easv5|Standard_E20as_v5|20|160|

+|Easv5|Standard_E32as_v5|32|256|

+|Easv5|Standard_E48as_v5|48|384|

+|Easv5|Standard_E64as_v5|64|512|

+|Easv5|Standard_E96as_v5|96|672|

+|Esv4|Standard_E8s_v4|8|64|

+|Esv4|Standard_E16s_v4|16|128|

+|Esv4|Standard_E20s_v4|20|160|

+|Esv4|Standard_E32s_v4|32|256|

+|Esv4|Standard_E48s_v4|48|384|

+|Esv4|Standard_E64s_v4|64|504|

+|Esv5|Standard_E8s_v5|8|64|

+|Esv5|Standard_E16s_v5|16|128|

+|Esv5|Standard_E20s_v5|20|160|

+|Esv5|Standard_E32s_v5|32|256|

+|Esv5|Standard_E48s_v5|48|384|

+|Esv5|Standard_E64s_v5|64|512|

+|Esv5|Standard_E96s_v5|96|672|

+|Mms*|Standard_M128ms|128|3892|

+\*Standard_M128ms' does not support encryption at host

+|Dasv4|Standard_D64as_v4|64|256|

+|Dasv4|Standard_D96as_v4|96|384|

+|Dasv5|Standard_D4as_v5|4|16|

+|Dasv5|Standard_D8as_v5|8|32|

+|Dasv5|Standard_D16as_v5|16|64|

+|Dasv5|Standard_D32as_v5|32|128|

+|Dasv5|Standard_D64as_v5|64|256|

+|Dasv5|Standard_D96as_v5|96|384|

+|Dsv2|Standard_D2s_v3|2|8|

+|Dsv4|Standard_D4s_v4|4|16|

+|Dsv4|Standard_D8s_v4|8|32|

+|Dsv4|Standard_D16s_v4|16|64|

+|Dsv4|Standard_D32s_v4|32|128|

+|Dsv4|Standard_D64s_v4|64|256|

+|Dsv4|Standard_D96s_v4|96|384|

+|Dsv5|Standard_D4s_v5|4|16|

+|Dsv5|Standard_D8s_v5|8|32|

+|Dsv5|Standard_D16s_v5|16|64|

+|Dsv5|Standard_D32s_v5|32|128|

+|Dsv5|Standard_D64s_v5|64|256|

+|Dsv5|Standard_D96s_v5|96|384|

+|Easv4|Standard_E4as_v4|4|32|

+|Easv4|Standard_E8as_v4|8|64|

+|Easv4|Standard_E16as_v4|16|128|

+|Easv4|Standard_E20as_v4|20|160|

+|Easv4|Standard_E32as_v4|32|256|

+|Easv4|Standard_E48as_v4|48|384|

+|Easv4|Standard_E64as_v4|64|512|

+|Easv4|Standard_E96as_v4|96|672|

+|Easv5|Standard_E8as_v5|8|64|

+|Easv5|Standard_E16as_v5|16|128|

+|Easv5|Standard_E20as_v5|20|160|

+|Easv5|Standard_E32as_v5|32|256|

+|Easv5|Standard_E48as_v5|48|384|

+|Easv5|Standard_E64as_v5|64|512|

+|Easv5|Standard_E96as_v5|96|672|

+|Esv4|Standard_E2s_v4|2|16|

+|Esv4|Standard_E4s_v4|4|32|

+|Esv4|Standard_E8s_v4|8|64|

+|Esv4|Standard_E16s_v4|16|128|

+|Esv4|Standard_E20s_v4|20|160|

+|Esv4|Standard_E32s_v4|32|256|

+|Esv4|Standard_E48s_v4|48|384|

+|Esv4|Standard_E64s_v4|64|504|

+|Esv4|Standard_E96s_v4|96|672|

+|Esv5|Standard_E2s_v5|2|16|

+|Esv5|Standard_E4s_v5|4|32|

+|Esv5|Standard_E8s_v5|8|64|

+|Esv5|Standard_E16s_v5|16|128|

+|Esv5|Standard_E20s_v5|20|160|

+|Esv5|Standard_E32s_v5|32|256|

+|Esv5|Standard_E48s_v5|48|384|

+|Esv5|Standard_E64s_v5|64|512|

+|Esv5|Standard_E96s_v5|96|672|

+|Edsv5|Standard_E96ds_v5|96|672|

+|Mms*|Standard_M128ms|128|3892|

+\*Standard_M128ms' does not support encryption at host

+|L48s_v2|Standard_L48s_v2|48|384|

+|L64s_v2|Standard_L64s_v2|64|512|

+|L8s_v3|Standard_L8s_v3|8|64|

+|L16s_v3|Standard_L16s_v3|16|128|

+|L32s_v3|Standard_L32s_v3|32|256|

+|L48s_v3|Standard_L48s_v3|48|384|

+|L64s_v3|Standard_L64s_v3|64|512|

+<!--

+-->

+| LOCATION | The Azure Region where the Cluster is deployed |

+> [!TIP]

+> To check the status of the `az networkcloud cluster deploy` command, it can be executed using the `--debug` flag.

+> This will allow you to obtain the `Azure-AsyncOperation` or `Location` header used to query the `operationStatuses` resource.

+> See the section [Cluster Deploy Failed](#cluster-deploy-failed) for more detailed steps.

+> Optionally, the command can run asynchronously using the `--no-wait` flag.

+### Cluster Deploy with hardware validation

+During a Cluster deploy process, one of the steps executed is hardware validation.

+The hardware validation procedure runs various test and checks against the machines

+provided through the Cluster's rack definition. Based on the results of these checks

+and any user skipped machines, a determination is done on whether sufficient nodes

+passed and/or are available to meet the thresholds necessary for deployment to continue.

+#### Cluster Deploy Action with skipping specific bare-metal-machine

+A parameter can be passed in to the deploy command that represents the names of

+bare metal machines in the cluster that should be skipped during hardware validation.

+Nodes skipped aren't validated and aren't added to the node pool.

+Additionally, nodes skipped don't count against the total used by threshold calculations.

+```azurecli

+az networkcloud cluster deploy \

+ --name "$CLUSTER_NAME" \

+ --resource-group "$CLUSTER_RESOURCE_GROUP" \

+ --subscription "$SUBSCRIPTION_ID" \

+ --skip-validations-for-machines "$COMPX_SVRY_SERVER_NAME"

+```

+#### Cluster Deploy failed

+To track the status of an asynchronous operation, run with a `--debug` flag enabled.

+When `--debug` is specified, the progress of the request can be monitored.

+The operation status URL can be found by examining the debug output looking for the

+`Azure-AsyncOperation` or `Location` header on the HTTP response to the creation request.

+The headers can provide the `OPERATION_ID` field used in the HTTP API call.

+```azurecli

+OPERATION_ID="12312312-1231-1231-1231-123123123123*99399E995..."

+az rest -m GET -u "https://management.azure.com/subscriptions/${SUBSCRIPTION_ID}/providers/Microsoft.NetworkCloud/locations/${LOCATION}/operationStatuses/${OPERATION_ID}?api-version=2022-12-12-preview"

+```

+The output is similar to the JSON struct example. When the error code is

+`HardwareValidationThresholdFailed`, then the error message contains a list of bare

+metal machine(s) that failed the hardware validation (for example, `COMP0_SVR0_SERVER_NAME`,

+`COMP1_SVR1_SERVER_NAME`). These names can be used to parse the logs for further details.

+```json

+{

+ "endTime": "2023-03-24T14:56:59.0510455Z",

+ "error": {

+ "code": "HardwareValidationThresholdFailed",

+ "message": "HardwareValidationThresholdFailed error hardware validation threshold for cluster layout plan is not met for cluster $CLUSTER_NAME in namespace nc-system with listed failed devices $COMP0_SVR0_SERVER_NAME, $COMP1_SVR1_SERVER_NAME"

+ },

+ "id": "/subscriptions/$SUBSCRIPTION_ID/providers/Microsoft.NetworkCloud/locations/$LOCATION/operationStatuses/12312312-1231-1231-1231-123123123123*99399E995...",

+ "name": "12312312-1231-1231-1231-123123123123*99399E995...",

+ "resourceId": "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$CLUSTER_RESOURCE_GROUP/providers/Microsoft.NetworkCloud/clusters/$CLUSTER_NAME",

+ "startTime": "2023-03-24T14:56:26.6442125Z",

+ "status": "Failed"

+}

+```

+See the article [Tracking Asynchronous Operations Using Azure CLI](./howto-track-async-operations-cli.md) for another example.

+- STAC APIs are used to discover the geospatial data in your Catalog. These APIs are based on STAC specifications and understand the STAC metadata defined and indexed in the STAC Catalog database (PostgreSQL server).

+|STAC API|Provides a RESTful endpoint that enables search of STAC Items, specified in OpenAPI.|

+| Brazil South | :heavy_check_mark: (v3 only) | :heavy_check_mark: | :heavy_check_mark: | :x: |

+| Storage | ~3.75 TB |

+ Title: Default service and allow-all SIM policy

+description: Information on the default service and allow-all SIM policy that can be created as part of deploying a private mobile network.

+# Default service and allow-all SIM policy

+You're given the option of creating a default service and allow-all SIM policy when you first create a private mobile network using the instructions in [Deploy a private mobile network through Azure Private 5G Core - Azure portal](how-to-guide-deploy-a-private-mobile-network-azure-portal.md).

+- The allow-all SIM policy is automatically assigned to all SIMs you provision as part of creating the private mobile network, and applies the default service to these SIMs.

+The following sections provide the settings for the default service and allow-all SIM policy. You can use these to decide whether they're suitable for the initial deployment of your private mobile network. If you need more information on any of these settings, see [Collect the required information for a service](collect-required-information-for-service.md) and [Collect the required information for a SIM policy](collect-required-information-for-sim-policy.md).

+The following tables provide the settings for the allow-all SIM policy and its associated network scope.

+|The SIM policy name. | *allow-all-policy* |

+Once you've decided whether the default service and allow-all SIM policy are suitable, you can start deploying your private mobile network.

+- The default service and allow-all SIM policy (as described in [Default service and allow-all SIM policy](default-service-sim-policy.md)).

+ - A **SIM Policy** resource representing the allow-all SIM policy.

+- The default service and allow-all SIM policy (as described in [Default service and allow-all SIM policy](default-service-sim-policy.md)).

+- The default service and allow-all SIM policy (as described in [Default service and allow-all SIM policy](default-service-sim-policy.md)).

+ - If you decided you want to use the default service and allow-all SIM policy, identify the name of the data network to which you want to assign the policy.

+In this step, you'll create the Mobile Network resource representing your private mobile network as a whole. You can also provision one or more SIMs, and / or create the default service and allow-all SIM policy.

+ 1. If you want to use the default service and allow-all SIM policy, set **Do you wish to create a basic, allow-all SIM policy and assign it to these SIMs?** to **Yes**, and then enter the name of the data network into the **Data network name** field that appears.

+ - **Service**, **SIM Policy**, and **Data Network** resources (if you decided to use the default service and allow-all SIM policy).

+>[!IMPORTANT]

+>To learn more about availability zones support and available services in your region, contact your Microsoft sales or customer representative.

+>[!IMPORTANT]

+>To learn more about your region's architecture, please contact your Microsoft sales or customer representative.

+- A **User-assigned managed identity** which has **Azure Center for SAP solutions service role** access on the Compute resource group and **Reader** role access on the Virtual Network resource group of the SAP system. Azure Center for SAP solutions service uses this identity to discover your SAP system resources and register the system as a VIS resource.

+When you register an existing SAP system as a VIS, Azure Center for SAP solutions service needs a **User-assigned managed identity** which has **Azure Center for SAP solutions service role** access on the Compute (VMs, Disks, Load balancers) resource group and **Reader** role access on the Virtual Network resource group of the SAP system. Before you register an SAP system with Azure Center for SAP solutions, either [create a new user-assigned managed identity or update role access for an existing managed identity](#setup-user-assigned-managed-identity).

+1. [Assign **Azure Center for SAP solutions service role**](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md#manage-access-to-user-assigned-managed-identities) role access to the user-assigned managed identity on the resource group(s) which have the Virtual Machines, Disks and Load Balancers of the SAP system and **Reader** role on the resource group(s) which have the Virtual Network components of the SAP system.

+ 1. For **Managed identity name**, select a **User-assigned managed identity** which has **Azure Center for SAP solutions service role** and **Reader** role access to the [respective resources of this SAP system.](#enable-resource-permissions)

+In this how-to guide, you learn to create a Linux OS provider for *Azure Monitor for SAP solutions* resources.

+ yum install firewalld -y

+### Setting up cron job to start Node exporter on VM restart

+1. If the target virtual machine is restarted/stopped, node exporter is also stopped, and needs to be manually started again to continue monitoring.

+1. Run `sudo crontab -e` command to open cron file.

+2. Add the command `@reboot cd /path/to/node/exporter && nohup ./node_exporter &` at the end of cron file. This starts node exporter on VM reboot.

+```shell

+# if you do not have a crontab file already, create one by running the command: sudo crontab -e

+sudo crontab -l > crontab_new

+echo "@reboot cd /path/to/node/exporter && nohup ./node_exporter &" >> crontab_new

+sudo crontab crontab_new

+sudo rm crontab_new

+```

+2. In Azure **Search**, select **Azure Monitor for SAP solutions**.

+3. On the **Basics** tab, provide the required values.

+ 1. **Workload Region** is the region where the monitoring resources are created, make sure to select a region that is same as your virtual network.

+ 2. **Service Region** is where proxy resource gets created which manages monitoring resources deployed in the workload region. Service region is automatically selected based on your Workload Region selection.

+ 3. For **Virtual Network** field select a virtual network, which has connectivity to your SAP systems.

+ 4. For the **Subnet** field, select a subnet that has connectivity to your SAP systems. You can use an existing subnet or create a new subnet. Make sure that you select a subnet, which is an **IPv4/25 block or larger**.

+ 5. For **Log Analytics Workspace**, you can use an existing Log Analytics workspace or create a new one. If you create a new workspace, it will be created inside the managed resource group along with other monitoring resources.

+ 6. When entering **managed resource group** name, make sure to use a unique name. This name is used to create a resource group, which will contain all the monitoring resources. Managed Resource Group name cannot be changed once the resource is created.

+ <br/>

+4. On the **Providers** tab, you can start creating providers along with the monitoring resource. You can also create providers later by navigating to the **Providers** tab in the Azure Monitor for SAP solutions resource.

+5. On the **Tags** tab, you can add tags to the monitoring resource. Make sure to add all the mandatory tags in case you have a tag policy in place.

+6. On the **Review + create** tab, review the details and click **Create**.

+ 

+ When you're selecting a virtual network, ensure that the systems you want to monitor are reachable from within that virtual network.

+ filter f_oms_filter {match("CEF\|ASA" ) ;};destination oms_destination {tcp("127.0.0.1" port(25226));};

+Microsoft Sentinel is currently aligned to The MITRE ATT&CK framework, version 11.

+- [MITRE ATT&CK for Industrial Control Systems](https://www.mitre.org/news-insights/news-release/mitre-releases-framework-cyber-attacks-industrial-control-systems)

+1. No more than 50 rules can be defined per customer at this time.

+| Audit Event | _Im_AuditEvent |

+## Parser hierarchy and naming

+The unifying parser name is `_Im_<schema>` for built-in parsers and `im<schema>` for workspace deployed parsers, where `<schema>` stands for the specific schema it serves. Source-specific parsers can also be used independently. Use `_Im_<schema>_<source>` for built-in parsers and `vim<schema><source>` for workspace deployed parsers. For example, in an Infoblox-specific workbook, use the `_Im_Dns_InfobloxNIOS` source-specific parser. You can find a list of source-specific parsers in the [ASIM parsers list](normalization-parsers-list.md).

+>[!TIP]

+> A corresponding set of parsers that use `_ASim_<schema>` and `ASim<Schema>` are also available. Theses parsers do not support filtering parameters and are provided to help mitigate the [Time picker set to a custom range](normalization-known-issues.md#time-picker-set-to-a-custom-range) issue. Use those parsers only interactively in the logs screen, but not elsewhere, for example in analytic rules or workbooks. This parsers may not be removed when the issue is resolves.

+As a mitigation, the code must read the error and halt any retries of the message for at least 10 seconds. Since the error can happen across pieces of the customer application, it is expected that each piece independently executes the [retry logic](/azure/architecture/best-practices/retry-service-specific#service-bus). The code can reduce the probability of being throttled by enabling partitioning on a namespace, queue or topic.

+The Service Bus Premium SKU supports [availability zones](../availability-zones/az-overview.md), providing fault-isolated locations within the same Azure region. Service Bus manages three copies of the messaging store (1 primary and 2 secondary). Service Bus keeps all three copies in sync for data and management operations. If the primary copy fails, one of the secondary copies is promoted to primary with no perceived downtime. If the applications see transient disconnects from Service Bus, the [retry logic](/azure/architecture/best-practices/retry-service-specific#service-bus) in the SDK will automatically reconnect to Service Bus.

+> - Azure Service Bus doesn't retry an operation in case of an exception when the operation is in a transaction scope.

+> - For retry guidance specific to Azure Service Bus, see [Retry guidance for Service Bus](/azure/architecture/best-practices/retry-service-specific#service-bus).

+Express entities that don't commit any message data to storage are not supported in the **Premium** tier. Dedicated resources provided significant throughput improvement while ensuring that data is persisted, as is expected from any enterprise messaging system.

+During migration, any of your express entities in your Standard namespace will be created on the Premium namespace as a non-express entity.

+If you utilize Azure Resource Manager (ARM) templates, please ensure that you remove the 'enableExpress' flag from the deployment configuration so that your automated workflows execute without errors.

+The Service Bus **premium** tier supports [availability Zones](../availability-zones/az-overview.md), providing fault-isolated locations within the same Azure region. Service Bus manages three copies of messaging store (1 primary and 2 secondary). Service Bus keeps all three copies in sync for data and management operations. If the primary copy fails, one of the secondary copies is promoted to primary with no perceived downtime. If applications see transient disconnects from Service Bus, the [retry logic](/azure/architecture/best-practices/retry-service-specific#service-bus) in the SDK will automatically reconnect to Service Bus.

+> Throttling does not lead to loss of data. Applications leveraging the Service Bus SDK can utilize the default [retry policy](/azure/architecture/best-practices/retry-service-specific#service-bus) to ensure that the data is eventually accepted by Service Bus.

+| Bad Request | 40000 | Sub code=40000. The property *'property name'* can't be set when creating a Queue because the namespace *'namespace name'* is using the 'Basic' Tier. This operation is only supported in 'Standard' or 'Premium' tier. | On Azure Service Bus Basic Tier, the below properties can't be set or updated - <ul> <li> RequiresDuplicateDetection </li> <li> AutoDeleteOnIdle </li> <li>RequiresSession</li> <li>DefaultMessageTimeToLive </li> <li> DuplicateDetectionHistoryTimeWindow </li> <li> EnableExpress (not supported in Premium too)</li> <li> ForwardTo </li> <li> Topics </li> </ul> | Consider upgrading from Basic to Standard or Premium tier to use this functionality. |

+| Bad Request | 40400 | Sub code=40400. The auto forwarding destination entity doesn't exist. | The destination for the autoforwarding destination entity doesn't exist. | The destination entity (queue or topic), must exist before the source is created. [Retry](/azure/architecture/best-practices/retry-service-specific#service-bus) after creating the destination entity. |

+With shared resources, it's important to enforce some sort of fair usage across various Service Bus namespaces that share those resources. Throttling ensures that any spike in a single workload doesn't cause other workloads on the same resources to be throttled. As mentioned later in the article, there's no risk in being throttled because the client SDKs (and other Azure PaaS offerings) have the default [retry policy](/azure/architecture/best-practices/retry-service-specific#service-bus) built into them. Any throttled requests will be retried with exponential backoff and will eventually go through when the credits are replenished.

+However, when a request is throttled, the service is implying that it can't accept and process the request right now because of resource limitations. It **does not** imply any sort of data loss because Service Bus simply hasn't looked at the request. In this case, relying on the default [retry policy](/azure/architecture/best-practices/retry-service-specific#service-bus) of the Service Bus SDK ensures that the request is eventually processed.

+If the application code uses SDK, the [retry policy](/azure/architecture/best-practices/retry-service-specific#service-bus) is already built in and active. The application will reconnect without significant impact to the application/workflow.

+ --runtime-version Java_17 \

+ --runtime-version Java_17 \

+ curl https://start.spring.io/starter.tgz -d dependencies=web,azure-keyvault -d baseDir=springapp -d bootVersion=2.7.9 -d javaVersion=17 -d type=maven-project | tar -xzvf -

+ public void run(String... args) throws Exception {

+

+ > [!NOTE]

+ > Creating a second storage account isn't necessary. These instructions are meant to show an example of how to access storage accounts that belong to different forests. If you only have one storage account, you can ignore the second storage account setup instructions.

+

+For single VMs, you can't update custom data in the VM model. But for Virtual Machine Scale Sets, you can update custom data. For more information, see [Modify a Scale Set](../virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set.md#how-to-update-global-scale-set-properties). When you update custom data in the model for a Virtual Machine Scale Set:

+description: Learn how to use an Azure Resource Manager template to create and deploy an Ubuntu Linux virtual machine with this quickstart.

+# Quickstart: Create an Ubuntu Linux virtual machine by using an ARM template

+**Applies to:** :heavy_check_mark: Linux VMs

+If your environment meets the prerequisites and you're familiar with ARM templates, select the **Deploy to Azure** button. The template opens in the Azure portal.

+For more information on this template, see [Deploy a simple Ubuntu Linux VM 18.04-LTS](https://azure.microsoft.com/resources/templates/vm-simple-linux/).

+- [Microsoft.Network/virtualNetworks/subnets](/azure/templates/Microsoft.Network/virtualNetworks/subnets): create a subnet.

+- [Microsoft.Storage/storageAccounts](/azure/templates/Microsoft.Storage/storageAccounts): create a storage account.

+- [Microsoft.Network/networkInterfaces](/azure/templates/Microsoft.Network/networkInterfaces): create a NIC.

+- [Microsoft.Network/networkSecurityGroups](/azure/templates/Microsoft.Network/networkSecurityGroups): create a network security group.

+- [Microsoft.Network/virtualNetworks](/azure/templates/Microsoft.Network/virtualNetworks): create a virtual network.

+- [Microsoft.Network/publicIPAddresses](/azure/templates/Microsoft.Network/publicIPAddresses): create a public IP address.

+- [Microsoft.Compute/virtualMachines](/azure/templates/Microsoft.Compute/virtualMachines): create a virtual machine.

+ - **Resource group**: select an existing resource group from the drop-down, or select **Create new**, enter a unique name for the resource group, and select **OK**.

+ - **Region**: select a region. For example, **Central US**.

+ - **Authentication type**: You can choose between an SSH key or a password.

+You can use the Azure portal to check on the VM and other resource that were created. After the deployment is finished, select **Resource groups** to see the VM and other resources.

+1. On the page for the resource group, select **Delete resource group**.

+In this quickstart, you deployed a virtual machine by using an ARM template. To learn more about Azure virtual machines, continue to the tutorial for Linux VMs.

+> [Create and Manage Linux VMs with the Azure CLI](./tutorial-manage-vm.md)

+1. For **Image**, select `Ubuntu 18.04 LTS`.

+1. Under **Service**, select **HTTP** and then select **Add** at the bottom of the page.

+Additionally, you can follow the [Deploy Elastic on Azure Virtual Machines](https://learn.microsoft.com/training/modules/deploy-elastic-azure-virtual-machines/) module for a more guided tutorial on deploying Elastic on Azure Virtual Machines.

+>To publish a community gallery, you'll need to enable the preview feature using the azure CLI: `az feature register --name CommunityGalleries --namespace Microsoft.Compute` or PowerShell: `Register-AzProviderFeature -FeatureName "CommunityGalleries" -ProviderNamespace "Microsoft.Compute"`. For more information on enabling preview features and checking the status, see [Set up preview features in your Azure subscription](../azure-resource-manager/management/preview-features.md). Creating VMs from community gallery images is open to all Azure users.

+description: Learn how to generate and store SSH keys, before creating a VM, with the Azure CLI for connecting to Linux VMs.

+You can create SSH keys before creating a VM and store them in Azure. Each newly created SSH key is also stored locally.

+For more information, see [Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure](./linux/create-ssh-keys-detailed.md).

+For more information on how to create and use SSH keys with Linux VMs, see [Use SSH keys to connect to Linux VMs](./linux/ssh-from-windows.md).

+You can upload a public SSH key to store in Azure.

+To learn more about how to use SSH keys with Azure VMs, see [Use SSH keys to connect to Linux VMs](./linux/ssh-from-windows.md).