- `https://scep-test93635307549127448334.msappproxy.net/certsrv/mscep/mscep.dll`

- * For Configuration Manager, go to the certificate registration point and adjust the URL. This URL is what devices call out to and present their challenge.

- * For Intune standalone, either edit or create a new SCEP policy and add the new URL.

-If the sign-in was done by phone app notification, under **authenticationAppDeivceDetails** the **clientApp** field returns **microsoftAuthenticator** or **Outlook**.

-# Microsoft Enterprise SSO plug-in for Apple devices (preview)

-> [!IMPORTANT]

-> This feature is in public preview. This preview is provided without a service-level agreement. For more information, see [Supplemental terms of use for Microsoft Azure public previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-description: Learn how to run a sample React SPA to sign in users

-# Portal quickstart for React SPA

-> In this quickstart, you download and run a code sample that demonstrates how a React single-page application (SPA) can sign in users with Azure AD CIAM.

-> 1. Open your browser, visit `http://locahost:3000`, select **Sign-in** link, then follow the prompts.

-* **Password change**: After a user changes their password, the PRT obtained with the previous password is invalidated by Azure AD. Password change results in the user getting a new PRT. This invalidation can happen in two different ways:

->This information last updated on April 17th, 2023.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).

-| Microsoft Teams Audio Conferencing select dial-out | Microsoft_Teams_Audio_Conferencing_select_dial_out | 1c27243e-fb4d-42b1-ae8c-fe25c9616588 | MCOMEETBASIC (9974d6cf-cd24-4ba2-921c-e2aa687da846) | Microsoft Teams Audio Conferencing with dial-out to select geographies (9974d6cf-cd24-4ba2-921c-e2aa687da846) |

-As a user who is assigned any of the limited administrator directory roles, you can use the Azure portal to invite B2B collaboration users. You can invite guest users to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user's account is added to Azure Active Directory (Azure AD), with a user type of *Guest*. The guest user must then redeem their invitation to access resources. An invitation of a user does not expire.

-1. Sign in to the [Azure portal](https://portal.azure.com) as a user who is assigned a limited administrator directory role or the Guest Inviter role.

-2. Search for and select **Azure Active Directory** from any page.

-3. Under **Manage**, select **Users**.

-4. Select **New user** > **Invite external user**. (Or, if you're using the legacy experience, select **New guest user**).

-5. On the **New user** page, select **Invite user** and then add the guest user's information.

- 

- - **Name.** The first and last name of the guest user.

- - **Email address (required)**. The email address of the guest user.

- - **Personal message (optional)** Include a personal welcome message to the guest user.

- - **Groups**: You can add the guest user to one or more existing groups, or you can do it later.

- - **Roles**: If you require Azure AD administrative permissions for the user, you can add them to an Azure AD role by selecting **User** next to **Roles**. [Learn more](../../role-based-access-control/role-assignments-external-users.md) about Azure roles for external guest users.

-6. Select **Invite** to automatically send the invitation to the guest user.

-

-After you send the invitation, the user account is automatically added to the directory as a guest.

- 

-The user is added to your directory with a user principal name (UPN) in the format *emailaddress*#EXT#\@*domain*, for example, *john_contoso.com#EXT#\@fabrikam.onmicrosoft.com*, where fabrikam.onmicrosoft.com is the organization from which you sent the invitations. ([Learn more about B2B collaboration user properties](user-properties.md).)

-If you need to manually add B2B collaboration users to a group, follow these steps:

-7. Do one of the following:

-8. Do one of the following:

-## Resend invitations to guest users

-If a guest user hasn't yet redeemed their invitation, you can resend the invitation email.

-1. Sign in to the [Azure portal](https://portal.azure.com) as an Azure AD administrator.

-2. Search for and select **Azure Active Directory** from any page.

-3. Under **Manage**, select **Users**.

-4. In the list, select the user's name to open their user profile.

-5. Under **My Feed**, in the **B2B collaboration** tile, select the **Manage (resend invitation / reset status** link.

-6. If the user hasn't yet accepted the invitation, Select the **Yes** option to resend.

- 

-7. In the confirmation message, select **Yes** to confirm that you want to send the user a new email invitation for redeeming their guest account. An invitation URL will be generated and sent to the user.

-## Add a new guest user in Azure AD

-1. Sign in to the [Azure portal](https://portal.azure.com/) with an account that's been assigned the Global administrator, Guest, inviter, or User administrator role.

-1. Under **Azure services**, select **Azure Active Directory** (or use the search box to find and select **Azure Active Directory**).

- :::image type="content" source="media/quickstart-add-users-portal/azure-active-directory-service.png" alt-text="Screenshot showing where to select the Azure Active Directory service.":::

-1. Under **Manage**, select **Users**.

- :::image type="content" source="media/quickstart-add-users-portal/quickstart-users-portal-user.png" alt-text="Screenshot showing where to select the Users option.":::

-1. Under **New user** select **Invite external user**.

- :::image type="content" source="media/quickstart-add-users-portal/new-guest-user.png" alt-text="Screenshot showing where to select the New guest user option.":::

-1. On the **New user** page, select **Invite user** and then add the guest user's information.

- - **Name.** The first and last name of the guest user.

- - **Email address (required)**. The email address of the guest user.

- - **Personal message (optional)** Include a personal welcome message to the guest user.

- - **Groups**: You can add the guest user to one or more existing groups, or you can do it later.

- - **Roles**: If you require Azure AD administrative permissions for the user, you can add them to an Azure AD role.

- :::image type="content" source="media/quickstart-add-users-portal/invite-user.png" alt-text="Screenshot showing the new user page.":::

-1. Select **Invite** to automatically send the invitation to the guest user. A notification appears in the upper right with the message **Successfully invited user**.

- -InviteRedirectUrl "http://myapps.microsoft.com" `

-description: Listing of trusted certificates used in Azure

-# Certificate authorities used by Azure Active Directory

-> [!IMPORTANT]

-> The information in this page is relevant only to entities that explicitly specify a list of acceptable Certificate Authorities (CAs). This practice, known as certificate pinning, should be avoided unless there are no other options.

-Any entity trying to access Azure Active Directory (Azure AD) identity services via the TLS/SSL protocols will be presented with certificates from the CAs listed below. If the entity trusts those CAs, it may use the certificates to verify the identity and legitimacy of the identity services and establish secure connections.

-Certificate Authorities can be classified into root CAs and intermediate CAs. Typically, root CAs have one or more associated intermediate CAs. This article lists the root CAs used by Azure AD identity services and the intermediate CAs associated with each of those roots. For each CA, we include Uniform Resource Identifiers (URIs) to download the associated Authority Information Access (AIA) and the Certificate Revocation List Distribution Point (CDP) files. When appropriate, we also provide a URI to the Online Certificate Status Protocol (OCSP) endpoint.

-## CAs used in Azure Public and Azure US Government clouds

-Different services may use different root or intermediate CAs. Therefore all entries listed below may be required.

-### DigiCert Global Root G2

-| Root CA| Serial Number| Issue Date Expiration Date| SHA1 Thumbprint| URIs |

-| - |- |-|-|-|-|

-| DigiCert Global Root G2| 033af1e6a711a 9a0bb2864b11d09fae5| August 1, 2013 <br>January 15, 2038| df3c24f9bfd666761b268 073fe06d1cc8d4f82a4| [AIA](http://cacerts.digicert.com/DigiCertGlobalRootG2.crt)<br>[CDP](http://crl3.digicert.com/DigiCertGlobalRootG2.crl) |

-#### Associated Intermediate CAs

-| Issuing and Intermediate CA| Serial Number| Issue Date Expiration Date| SHA1 Thumbprint| URIs |

-| - | - | - | - | - |

-| Microsoft Azure TLS Issuing CA 01| 0aafa6c5ca63c45141 ea3be1f7c75317| July 29, 2020<br>June 27, 2024| 2f2877c5d778c31e0f29c 7e371df5471bd673173| [AIA](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2001%20-%20xsign.crt)<br>[CDP](https://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20TLS%20Issuing%20CA%2001.crl)|

-|Microsoft Azure TLS Issuing CA 02| 0c6ae97cced59983 8690a00a9ea53214| July 29, 2020<br>June 27, 2024| e7eea674ca718e3befd 90858e09f8372ad0ae2aa| [AIA](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2002%20-%20xsign.crt)<br>[CDP](https://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20TLS%20Issuing%20CA%2002.crl) |

-| Microsoft Azure TLS Issuing CA 05| 0d7bede97d8209967a 52631b8bdd18bd| July 29, 2020<br>June 27, 2024| 6c3af02e7f269aa73a fd0eff2a88a4a1f04ed1e5| [AIA](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2005%20-%20xsign.crt)<br>[CDP](https://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20TLS%20Issuing%20CA%2005.crl) |

-| Microsoft Azure TLS Issuing CA 06| 02e79171fb8021e93fe 2d983834c50c0| July 29, 2020<br>June 27, 2024| 30e01761ab97e59a06b 41ef20af6f2de7ef4f7b0| [AIA](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2006.cer)<br>[CDP](https://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20TLS%20Issuing%20CA%2006.crl) |

- ### Baltimore CyberTrust Root

-| Root CA| Serial Number| Issue Date Expiration Date| SHA1 Thumbprint| URIs |

-| - | - | - | - | - |

-| Baltimore CyberTrust Root| 020000b9| May 12, 2000<br>May 12, 2025| d4de20d05e66fc53fe 1a50882c78db2852cae474|<br>[CDP](http://crl3.digicert.com/Omniroot2025.crl)<br>[OCSP](http://ocsp.digicert.com/) |

-#### Associated Intermediate CAs

-| Issuing and Intermediate CA| Serial Number| Issue Date Expiration Date| SHA1 Thumbprint| URIs |

-| - | - | - | - | - |

-| Microsoft RSA TLS CA 01| 703d7a8f0ebf55aaa 59f98eaf4a206004eb2516a| July 21, 2020<br>October 8, 2024| 417e225037fbfaa4f9 5761d5ae729e1aea7e3a42| [AIA](https://www.microsoft.com/pki/mscorp/Microsoft%20RSA%20TLS%20CA%2001.crt)<br>[CDP](https://mscrl.microsoft.com/pki/mscorp/crl/Microsoft%20RSA%20TLS%20CA%2001.crl)<br>[OCSP](http://ocsp.msocsp.com/) |

-| Microsoft RSA TLS CA 02| b0c2d2d13cdd56cdaa 6ab6e2c04440be4a429c75| July 21, 2020<br>May 20, 2024| 54d9d20239080c32316ed 9ff980a48988f4adf2d| [AIA](https://www.microsoft.com/pki/mscorp/Microsoft%20RSA%20TLS%20CA%2002.crt)<br>[CDP](https://mscrl.microsoft.com/pki/mscorp/crl/Microsoft%20RSA%20TLS%20CA%2002.crl)<br>[OCSP](http://ocsp.msocsp.com/) |

- ### DigiCert Global Root CA

-| Root CA| Serial Number| Issue Date Expiration Date| SHA1 Thumbprint| URIs |

-| - | - | - | - | - |

-| DigiCert Global Root CA| 083be056904246 b1a1756ac95991c74a| November 9, 2006<br>November 9, 2031| a8985d3a65e5e5c4b2d7 d66d40c6dd2fb19c5436| [CDP](http://crl3.digicert.com/DigiCertGlobalRootCA.crl)<br>[OCSP](http://ocsp.digicert.com/) |

-#### Associated Intermediate CAs

-| Issuing and Intermediate CA| Serial Number| Issue Date Expiration Date| SHA1 Thumbprint| URIs |

-| - | - | - | - | - |

-| DigiCert SHA2 Secure Server CA| 01fda3eb6eca75c 888438b724bcfbc91| March 8, 2013 March 8, 2023| 1fb86b1168ec743154062 e8c9cc5b171a4b7ccb4| [AIA](http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt)<br>[CDP](http://crl3.digicert.com/ssca-sha2-g6.crl)<br>[OCSP](http://ocsp.digicert.com/) |

-| DigiCert SHA2 Secure Server CA |02742eaa17ca8e21 c717bb1ffcfd0ca0 |September 22, 2020<br>September 22, 2030|626d44e704d1ceabe3bf 0d53397464ac8080142c|[AIA](http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt)<br>[CDP](http://crl3.digicert.com/DigiCertSHA2SecureServerCA.crl)<br>[OCSP](http://ocsp.digicert.com/)|

-## CAs used in Azure China 21Vianet cloud

-### DigiCert Global Root CA

-| Root CA| Serial Number| Issue Date Expiration Date| SHA1 Thumbprint| URIs |

-| - | - | - | - | - |

-| DigiCert Global Root CA| 083be056904246b 1a1756ac95991c74a| Nov. 9, 2006<br>Nov. 9, 2031| a8985d3a65e5e5c4b2d7 d66d40c6dd2fb19c5436| [CDP](http://ocsp.digicert.com/)<br>[OCSP](http://crl3.digicert.com/DigiCertGlobalRootCA.crl) |

-#### Associated Intermediate CA

-| Issuing and Intermediate CA| Serial Number| Issue Date Expiration Date| SHA1 Thumbprint| URIs |

-| - | - | - | - | - | - |

-| DigiCert Basic RSA CN CA G2| 02f7e1f982bad 009aff47dc95741b2f6| March 4, 2020<br>March 4, 2030| 4d1fa5d1fb1ac3917c08e 43f65015e6aea571179| [AIA](http://cacerts.digicert.cn/DigiCertBasicRSACNCAG2.crt)<br>[CDP](http://crl.digicert.cn/DigiCertBasicRSACNCAG2.crl)<br>[OCSP](http://ocsp.digicert.cn/) |

-## Next Steps

-[Learn about Microsoft 365 Encryption chains](/microsoft-365/compliance/encryption-office-365-certificate-chains)

-1. **Background image** and **page background color**: The entire space behind the sign-in box.

-If you utilize Conditional Access or Identity Protection, and have IPv6 enabled on any of your devices, you likely must take action to avoid impacting your users. For most customers, IPv4 won't completely disappear from their digital landscape, so we aren't planning to require IPv6 or to deprioritize IPv4 in any Azure AD features or services. We'll continue to share additional guidance on IPv6 enablement in Azure AD at this link: [IPv6 support in Azure Active Directory](https://learn.microsoft.com/troubleshoot/azure/active-directory/azure-ad-ipv6-support)

-For more information about Microsoft cloud settings for B2B collaboration., see: [Microsoft cloud settings](../external-identities/cross-tenant-access-overview.md#microsoft-cloud-settings).

-## October 2022

-### General Availability - Upgrade Azure AD Provisioning agent to the latest version (version number: 1.1.977.0)

-**Type:** Plan for change

-**Service category:** Provisioning

-**Product capability:** Azure AD Connect Cloud Sync

-Microsoft stops support for Azure AD provisioning agent with versions 1.1.818.0 and below starting Feb 1,2023. If you're using Azure AD cloud sync, make sure you have the latest version of the agent. You can view info about the agent release history [here](../app-provisioning/provisioning-agent-release-version-history.md). You can download the latest version [here](https://download.msappproxy.net/Subscription/d3c8b69d-6bf7-42be-a529-3fe9c2e70c90/Connector/provisioningAgentInstaller)

-You can find out which version of the agent you're using as follows:

-1. Going to the domain server that you have the agent installed

-1. Right-click on the Microsoft Azure AD Connect Provisioning Agent app

-1. Select on ΓÇ£DetailsΓÇ¥ tab and you can find the version number there

-> [!NOTE]

-> Azure Active Directory (AD) Connect follows the [Modern Lifecycle Policy](/lifecycle/policies/modern). Changes for products and services under the Modern Lifecycle Policy may be more frequent and require customers to be alert for forthcoming modifications to their product or service.

-Product governed by the Modern Policy follow a [continuous support and servicing model](/lifecycle/overview/product-end-of-support-overview). Customers must take the latest update to remain supported. For products and services governed by the Modern Lifecycle Policy, Microsoft's policy is to provide a minimum 30 days' notification when customers are required to take action in order to avoid significant degradation to the normal use of the product or service.

-### General Availability - Add multiple domains to the same SAML/Ws-Fed based identity provider configuration for your external users

-**Type:** New feature

-**Service category:** B2B

-**Product capability:** B2B/B2C

-An IT admin can now add multiple domains to a single SAML/WS-Fed identity provider configuration to invite users from multiple domains to authenticate from the same identity provider endpoint. For more information, see: [Federation with SAML/WS-Fed identity providers for guest users](../external-identities/direct-federation.md).

-### General Availability - Limits on the number of configured API permissions for an application registration enforced starting in October 2022

-**Type:** Plan for change

-**Service category:** Other

-**Product capability:** Developer Experience

-In the end of October, the total number of required permissions for any single application registration must not exceed 400 permissions across all APIs. Applications exceeding the limit are unable to increase the number of permissions configured for. The existing limit on the number of distinct APIs for permissions required remains unchanged and may not exceed 50 APIs.

-In the Azure portal, the required permissions list is under API Permissions within specific applications in the application registration menu. When using Microsoft Graph or Microsoft Graph PowerShell, the required permissions list is in the requiredResourceAccess property of an [application](/graph/api/resources/application) entity. For more information, see: [Validation differences by supported account types (signInAudience)](../develop/supported-accounts-validation.md).

-### Public Preview - Conditional access Authentication strengths

-**Type:** New feature

-**Service category:** Conditional Access

-**Product capability:** User Authentication

-We're announcing Public preview of Authentication strength, a Conditional Access control that allows administrators to specify which authentication methods can be used to access a resource. For more information, see: [Conditional Access authentication strength (preview)](../authentication/concept-authentication-strengths.md). You can use custom authentication strengths to restrict access by requiring specific FIDO2 keys using the Authenticator Attestation GUIDs (AAGUIDs), and apply this through conditional access policies. For more information, see: [FIDO2 security key advanced options](../authentication/concept-authentication-strengths.md#fido2-security-key-advanced-options).

-### Public Preview - Conditional access authentication strengths for external identities

-**Type:** New feature

-**Service category:** B2B

-**Product capability:** B2B/B2C

-You can now require your business partner (B2B) guests across all Microsoft clouds to use specific authentication methods to access your resources with **Conditional Access Authentication Strength policies**. For more information, see: [Conditional Access: Require an authentication strength for external users](../conditional-access/howto-conditional-access-policy-authentication-strength-external.md).

-### Generally Availability - Windows Hello for Business, Cloud Kerberos Trust deployment

-**Type:** New feature

-**Service category:** Authentications (Logins)

-**Product capability:** User Authentication

-We're excited to announce the general availability of hybrid cloud Kerberos trust, a new Windows Hello for Business deployment model to enable a password-less sign-in experience. With this new model, weΓÇÖve made Windows Hello for Business easier to deploy than the existing key trust and certificate trust deployment models by removing the need for maintaining complicated public key infrastructure (PKI), and Azure Active Directory (AD) Connect synchronization wait times. For more information, see: [Hybrid Cloud Kerberos Trust Deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).

-### General Availability - Device-based conditional access on Linux Desktops

-**Type:** New feature

-**Service category:** Conditional Access

-**Product capability:** SSO

-This feature empowers users on Linux clients to register their devices with Azure AD, enroll into Intune management, and satisfy device-based Conditional Access policies when accessing their corporate resources.

-For more information, see:

-[Azure AD registered devices](../devices/concept-azure-ad-register.md).

-[Plan your Azure Active Directory device deployment](../devices/plan-device-deployment.md)

-### General Availability - Deprecation of Azure Active Directory Multi-Factor Authentication.

-**Type:** Deprecated

-**Service category:** MFA

-**Product capability:** Identity Security & Protection

-Beginning September 30, 2024, Azure Active Directory Multi-Factor Authentication Server deployments will no longer service multi-factor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services, and to remain in a supported state, organizations should migrate their usersΓÇÖ authentication data to the cloud-based Azure Active Directory Multi-Factor Authentication service using the latest Migration Utility included in the most recent Azure Active Directory Multi-Factor Authentication Server update. For more information, see: [Migrate from MFA Server to Azure AD Multi-Factor Authentication](../authentication/how-to-migrate-mfa-server-to-azure-mfa.md).

-### Public Preview - Lifecycle Workflows is now available

-**Type:** New feature

-**Service category:** Lifecycle Workflows

-**Product capability:** Identity Governance

-We're excited to announce the public preview of Lifecycle Workflows, a new Identity Governance capability that allows customers to extend the user provisioning process, and adds enterprise grade user lifecycle management capabilities, in Azure AD to modernize your identity lifecycle management process. With Lifecycle Workflows, you can:

-For more information, see: [What are Lifecycle Workflows? (Public Preview)](../governance/what-are-lifecycle-workflows.md).

-### Public Preview - User-to-Group Affiliation recommendation for group Access Reviews

-**Type:** New feature

-**Service category:** Access Reviews

-**Product capability:** Identity Governance

-This feature provides Machine Learning based recommendations to the reviewers of Azure AD Access Reviews to make the review experience easier and more accurate. The recommendation detects user affiliation with other users within the group, and applies the scoring mechanism we built by computing the userΓÇÖs average distance with other users in the group. For more information, see: [Review recommendations for Access reviews](../governance/review-recommendations-access-reviews.md).

-### General Availability - Group assignment for SuccessFactors Writeback application

-**Type:** New feature

-**Service category:** Provisioning

-**Product capability:** Outbound to SaaS Applications

-When configuring writeback of attributes from Azure AD to SAP SuccessFactors Employee Central, you can now specify the scope of users using Azure AD group assignment. For more information, see: [Tutorial: Configure attribute write-back from Azure AD to SAP SuccessFactors](../saas-apps/sap-successfactors-writeback-tutorial.md).

-### General Availability - Number Matching for Microsoft Authenticator notifications

-**Type:** New feature

-**Service category:** Microsoft Authenticator App

-**Product capability:** User Authentication

-To prevent accidental notification approvals, admins can now require users to enter the number displayed on the sign-in screen when approving an MFA notification in the Microsoft Authenticator app. We've also refreshed the Azure portal admin UX and Microsoft Graph APIs to make it easier for customers to manage Authenticator app feature roll-outs. As part of this update we have also added the highly requested ability for admins to exclude user groups from each feature.

-The number matching feature greatly up-levels the security posture of the Microsoft Authenticator app and protects organizations from MFA fatigue attacks. We highly encourage our customers to adopt this feature applying the rollout controls we have built. Number Matching will begin to be enabled for all users of the Microsoft Authenticator app starting February 27 2023.

-For more information, see: [How to use number matching in multifactor authentication (MFA) notifications - Authentication methods policy](../authentication/how-to-mfa-number-match.md).

-### General Availability - Additional context in Microsoft Authenticator notifications

-**Type:** New feature

-**Service category:** Microsoft Authenticator App

-**Product capability:** User Authentication

-Reduce accidental approvals by showing users additional context in Microsoft Authenticator app notifications. Customers can enhance notifications with the following steps:

-The feature is available for both MFA and Password-less Phone Sign-in notifications and greatly increases the security posture of the Microsoft Authenticator app. We've also refreshed the Azure portal Admin UX and Microsoft Graph APIs to make it easier for customers to manage Authenticator app feature roll-outs. As part of this update, we've also added the highly requested ability for admins to exclude user groups from certain features.

-We highly encourage our customers to adopt these critical security features to reduce accidental approvals of Authenticator notifications by end users.

-For more information, see: [How to use additional context in Microsoft Authenticator notifications - Authentication methods policy](../authentication/how-to-mfa-additional-context.md).

-### New Federated Apps available in Azure AD Application gallery - October 2022

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-In October 2022 we've added the following 15 new applications in our App gallery with Federation support:

-[Unifii](https://www.unifii.com.au/), [WaitWell Staff App](https://waitwell.c)

-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial,

-For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest

-### Public preview - New provisioning connectors in the Azure AD Application Gallery - October 2022

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** 3rd Party Integration

-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

-For more information about how to better secure your organization by using automated user account provisioning, see: [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

-For example, you might use StatusContinuesFirstDayOfWork instead of StatusHireDate for Workday. In this instance your expression would be:

- `FormatDateTime([StatusContinuesFirstDayOfWork], , "yyyy-MM-ddzzz", "yyyyMMddHHmmss.fZ")`

- For more information, see [Conditional Access: Cloud apps, actions, and authentication context](../conditional-access/concept-conditional-access-cloud-apps.md).

-[Privileged Identity Management role activation](../privileged-identity-management/pim-how-to-change-default-settings.md) can also be assigned Conditional Access policies. This capability allows for policy enforcement only when a user activates a role, providing the most comprehensive protection. Protected actions are enforced only when a user takes an action that requires permissions with Conditional Access policy assigned to it. Protected actions allows for high impact permissions to be protected, independent of a user role. Privileged Identity Management role activation and protected actions can be used together, for the strongest coverage.

- Configure a Conditional Access authentication context and an associated Conditional Access policy. Protected actions use an authentication context, which allows policy enforcement for fine-grain resources in a service, like Azure AD permissions. A good policy to start with is to require passwordless MFA and exclude an emergency account. [Learn more](../conditional-access/concept-conditional-access-cloud-apps.md#authentication-context)

-In this tutorial, you'll learn how to integrate Contentkalender with Azure Active Directory (Azure AD). When you integrate Contentkalender with Azure AD, you can:

- a. In the **Identifier** text box, type one of the following URLs:

-

- | **Identifier** |

- ||

- | `https://login.contentkalender.nl` |

- | `https://contentkalender-acc.bettywebblocks.com/` (only for testing purposes)|

- b. In the **Reply URL** text box, type one of the following URLs:

- | **Reply URL** |

- |--|

- | `https://login.contentkalender.nl/sso/saml/callback` |

- | `https://contentkalender-acc.bettywebblocks.com/sso/saml/callback` (only for testing purposes)|

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with FCM HUB

-In this tutorial, you'll learn how to integrate FCM HUB with Azure Active Directory (Azure AD). When you integrate FCM HUB with Azure AD, you can:

- - **Signing Option**: Sign SAML response

-In this article, you learn how to integrate HashiCorp Cloud Platform (HCP) with Azure Active Directory (Azure AD). HashiCorp Cloud platform hosting managed services of the developer tools created by HashiCorp, such Terraform, Vault, Boundary, and Consul. When you integrate HashiCorp Cloud Platform (HCP) with Azure AD, you can:

-* HashiCorp Cloud Platform (HCP) single sign-on (SSO) enabled subscription.

- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [HashiCorp Cloud Platform (HCP) Client support team](mailto:support@hashicorp.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

-To configure single sign-on on **HashiCorp Cloud Platform (HCP)** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [HashiCorp Cloud Platform (HCP) support team](mailto:support@hashicorp.com). They set this setting to have the SAML SSO connection set properly on both sides.

-### Create HashiCorp Cloud Platform (HCP) test user

-In this section, you create a user called Britta Simon at HashiCorp Cloud Platform (HCP). Work with [HashiCorp Cloud Platform (HCP) support team](mailto:support@hashicorp.com) to add the users in the HashiCorp Cloud Platform (HCP) platform. Users must be created and activated before you use single sign-on.

-In this section, you test your Azure AD single sign-on configuration with following options.

-* Click on **Test this application** in Azure portal. This will redirect to HashiCorp Cloud Platform (HCP) Sign-on URL where you can initiate the login flow.

-* Go to HashiCorp Cloud Platform (HCP) Sign-on URL directly and initiate the login flow from there.

-* You can use Microsoft My Apps. When you select the HashiCorp Cloud Platform (HCP) tile in the My Apps, this will redirect to HashiCorp Cloud Platform (HCP) Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-2. On the Home page, click **System**.

- 

-3. Navigate to **Security**.

- 

-4. Click **SSO Profiles**.

- 

-5. On the right side of the page, click on **Add logo**.

- 

-6. On the **Profile Details** bar, click on **Import SAML Meta logo**.

- 

-7. On the Pop-up page in the **URL** text box, paste the **App Federation Metadata Url**, which you have copied from Azure portal and click **Process**.

- 

- 

- 

- 

-> If you need to create a user manually, contact [Hornbill Client support team](https://www.hornbill.com/support/?request/).

-1. In the **Add email addess(es)** box, enter the email address of the user in the format brittasimon\@contoso.com, and then select **Next**.

- d. If you wish to configure the application in **SP** initiated mode, then perform the following step:

- In the **Sign on URL** textbox, type the URL:

- `https://paadt.360factors.com/predict360/login.do`.

- > You will get the **Service Provider metadata file** from the [Predict360 SSO support team](mailto:support@360factors.com). If the **Identifier** and **Reply URL** values do not get auto populated, then fill in the values manually according to your requirement.

-## Configure Predict360 SSO SSO

-To configure single sign-on on **Predict360 SSO** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Predict360 SSO support team](mailto:support@360factors.com). They set this setting to have the SAML SSO connection set properly on both sides.

- 

-1. Your Workday application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes, where as **nameidentifier** is mapped with **user.userprincipalname**. Workday application expects **nameidentifier** to be mapped with **user.mail**, **UPN**, etc., so you need to edit the attribute mapping by clicking on **Edit** icon and change the attribute mapping.

- 

- 

- 

- 

-1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been setup for this app, you see "Default Access" role selected.

- 

- 

- 

- d. Click on **OK** and then **Done**.

-1. After clicking **Done**, a new row will be added in the **SAML Identity Providers** and then you can add the below steps for the newly created row.

- 

- g Select **Do Not Deflate SP-initiated Authentication Request**.

-1. Perform the following steps in the below image.

- 

- a. In the **Service Provider ID (Will be Deprecated)** textbox, type **http://www.workday.com**.

- b. In the **IDP SSO Service URL (Will be Deprecated)** textbox, type **Login URL** value.

- c. Select **Do Not Deflate SP-initiated Authentication Request (Will be Deprecated)**.

- d. For **Authentication Request Signature Method**, select **SHA256**.

- e. Click **OK**.

- 

- 

-Now, with this latest update, customers can adjust the default look back period to get recommendations based on 14, 21,30, 60, or even 90 days of use. The configuration can be applied at the subscription level. This is especially useful when the workloads have biweekly or monthly peaks (such as with payroll applications).

-## Storage class driver dynamic disks parameters

-|Name | Meaning | Available Value | Mandatory | Default value

-| | | | |

-|skuName | Azure Disks storage account type (alias: `storageAccountType`)| `Standard_LRS`, `Premium_LRS`, `StandardSSD_LRS`, `UltraSSD_LRS`, `Premium_ZRS`, `StandardSSD_ZRS`, `PremiumV2_LRS` (`PremiumV2_LRS` only supports `None` caching mode) | No | `StandardSSD_LRS`|

-|fsType | File System Type | `ext4`, `ext3`, `ext2`, `xfs`, `btrfs` for Linux, `ntfs` for Windows | No | `ext4` for Linux, `ntfs` for Windows|

-|cachingMode | [Azure Data Disk Host Cache Setting](../virtual-machines/windows/premium-storage-performance.md#disk-caching) | `None`, `ReadOnly`, `ReadWrite` | No | `ReadOnly`|

-|location | Specify Azure region where Azure Disks will be created | `eastus`, `westus`, etc. | No | If empty, driver will use the same location name as current AKS cluster|

-|resourceGroup | Specify the resource group where the Azure Disks will be created | Existing resource group name | No | If empty, driver will use the same resource group name as current AKS cluster|

-|DiskIOPSReadWrite | [UltraSSD disk](../virtual-machines/linux/disks-ultra-ssd.md) IOPS Capability (minimum: 2 IOPS/GiB ) | 100~160000 | No | `500`|

-|DiskMBpsReadWrite | [UltraSSD disk](../virtual-machines/linux/disks-ultra-ssd.md) Throughput Capability(minimum: 0.032/GiB) | 1~2000 | No | `100`|

-|LogicalSectorSize | Logical sector size in bytes for Ultra disk. Supported values are 512 ad 4096. 4096 is the default. | `512`, `4096` | No | `4096`|

-|tags | Azure Disk [tags](../azure-resource-manager/management/tag-resources.md) | Tag format: `key1=val1,key2=val2` | No | ""|

-|diskEncryptionSetID | ResourceId of the disk encryption set to use for [enabling encryption at rest](../virtual-machines/windows/disk-encryption.md) | format: `/subscriptions/{subs-id}/resourceGroups/{rg-name}/providers/Microsoft.Compute/diskEncryptionSets/{diskEncryptionSet-name}` | No | ""|

-|diskEncryptionType | Encryption type of the disk encryption set. | `EncryptionAtRestWithCustomerKey`(by default), `EncryptionAtRestWithPlatformAndCustomerKeys` | No | ""|

-|writeAcceleratorEnabled | [Write Accelerator on Azure Disks](../virtual-machines/windows/how-to-enable-write-accelerator.md) | `true`, `false` | No | ""|

-|networkAccessPolicy | NetworkAccessPolicy property to prevent generation of the SAS URI for a disk or a snapshot | `AllowAll`, `DenyAll`, `AllowPrivate` | No | `AllowAll`|

-|diskAccessID | Azure Resource ID of the DiskAccess resource to use private endpoints on disks | | No | ``|

-|enableBursting | [Enable on-demand bursting](../virtual-machines/disk-bursting.md) beyond the provisioned performance target of the disk. On-demand bursting should only be applied to Premium disk and when the disk size > 512 GB. Ultra and shared disk isn't supported. Bursting is disabled by default. | `true`, `false` | No | `false`|

-|useragent | User agent used for [customer usage attribution](../marketplace/azure-partner-customer-usage-attribution.md)| | No | Generated Useragent formatted `driverName/driverVersion compiler/version (OS-ARCH)`|

-|enableAsyncAttach | Allow multiple disk attach operations (in batch) on one node in parallel.<br> While this parameter can speed up disk attachment, you may encounter Azure API throttling limit when there are large number of volume attachments. | `true`, `false` | No | `false`|

-|subscriptionID | Specify Azure subscription ID where the Azure Disks is created. | Azure subscription ID | No | If not empty, `resourceGroup` must be provided.|

-## Storage class driver dynamic parameters

-|Name | Meaning | Available Value | Mandatory | Default value

-| | | | |

-|skuName | Azure Files storage account type (alias: `storageAccountType`)| `Standard_LRS`, `Standard_ZRS`, `Standard_GRS`, `Standard_RAGRS`, `Standard_RAGZRS`,`Premium_LRS`, `Premium_ZRS` | No | `StandardSSD_LRS`<br> Minimum file share size for Premium account type is 100 GiB.<br> ZRS account type is supported in limited regions.<br> NFS file share only supports Premium account type.|

-|location | Specify Azure region where Azure storage account will be created. | For example, `eastus`. | No | If empty, driver uses the same location name as current AKS cluster.|

-|resourceGroup | Specify the resource group where the Azure Disks will be created. | Existing resource group name | No | If empty, driver uses the same resource group name as current AKS cluster.|

-|shareName | Specify Azure file share name | Existing or new Azure file share name. | No | If empty, driver generates an Azure file share name. |

-|shareNamePrefix | Specify Azure file share name prefix created by driver. | Share name can only contain lowercase letters, numbers, hyphens, and length should be fewer than 21 characters. | No |

-|folderName | Specify folder name in Azure file share. | Existing folder name in Azure file share. | No | If folder name does not exist in file share, mount will fail. |

-|shareAccessTier | [Access tier for file share][storage-tiers] | General purpose v2 account can choose between `TransactionOptimized` (default), `Hot`, and `Cool`. Premium storage account type for file shares only. | No | Empty. Use default setting for different storage account types.|

-|server | Specify Azure storage account server address | Existing server address, for example `accountname.privatelink.file.core.windows.net`. | No | If empty, driver uses default `accountname.file.core.windows.net` or other sovereign cloud account address. |

-|disableDeleteRetentionPolicy | Specify whether disable DeleteRetentionPolicy for storage account created by driver. | `true` or `false` | No | `false` |

-|allowBlobPublicAccess | Allow or disallow public access to all blobs or containers for storage account created by driver. | `true` or `false` | No | `false` |

-|requireInfraEncryption | Specify whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest for storage account created by driver. | `true` or `false` | No | `false` |

-|networkEndpointType | Specify network endpoint type for the storage account created by driver. If `privateEndpoint` is specified, a private endpoint will be created for the storage account. For other cases, a service endpoint will be created by default. | "",`privateEndpoint`| No | "" |

-|storageEndpointSuffix | Specify Azure storage endpoint suffix. | `core.windows.net`, `core.chinacloudapi.cn`, etc. | No | If empty, driver uses default storage endpoint suffix according to cloud environment. For example, `core.windows.net`. |

-|tags | [tags][tag-resources] are created in new storage account. | Tag format: 'foo=aaa,bar=bbb' | No | "" |

-|matchTags | Match tags when driver tries to find a suitable storage account. | `true` or `false` | No | `false` |

-| | **Following parameters are only for SMB protocol** | | |

-|subscriptionID | Specify Azure subscription ID where Azure file share is created. | Azure subscription ID | No | If not empty, `resourceGroup` must be provided. |

-|storeAccountKey | Specify whether to store account key to Kubernetes secret. | `true` or `false`<br>`false` means driver leverages kubelet identity to get account key. | No | `true` |

-|secretName | Specify secret name to store account key. | | No |

-|secretNamespace | Specify the namespace of secret to store account key. <br><br> **Note:** <br> If `secretNamespace` isn't specified, the secret is created in the same namespace as the pod. | `default`,`kube-system`, etc | No | Pvc namespace, for example `csi.storage.k8s.io/pvc/namespace` |

-|useDataPlaneAPI | Specify whether to use [data plane API][data-plane-api] for file share create/delete/resize. This could solve the SRP API throttling issue because the data plane API has almost no limit, while it would fail when there is firewall or Vnet setting on storage account. | `true` or `false` | No | `false` |

-| | **Following parameters are only for NFS protocol** | | |

-|rootSquashType | Specify root squashing behavior on the share. The default is `NoRootSquash` | `AllSquash`, `NoRootSquash`, `RootSquash` | No |

-|mountPermissions | Mounted folder permissions. The default is `0777`. If set to `0`, driver doesn't perform `chmod` after mount | `0777` | No |

-| | **Following parameters are only for vnet setting, e.g. NFS, private endpoint** | | |

-|vnetResourceGroup | Specify Vnet resource group where virtual network is defined. | Existing resource group name. | No | If empty, driver uses the `vnetResourceGroup` value in Azure cloud config file. |

-|vnetName | Virtual network name | Existing virtual network name. | No | If empty, driver uses the `vnetName` value in Azure cloud config file. |

-|subnetName | Subnet name | Existing subnet name of the agent node. | No | If empty, driver uses the `subnetName` value in Azure cloud config file. |

-|fsGroupChangePolicy | Indicates how volume's ownership is changed by the driver. Pod `securityContext.fsGroupChangePolicy` is ignored. | `OnRootMismatch` (default), `Always`, `None` | No | `OnRootMismatch`|

-As a secure service, Azure Kubernetes Service (AKS) complies with SOC, ISO, PCI DSS, and HIPAA standards. This article covers the security OS configuration applied to Ubuntu imaged used by AKS. This security configuration is based on the Azure Linux security baseline which aligns with CIS benchmark. For more information about AKS security, see Security concepts for applications and clusters in Azure Kubernetes Service (AKS). For more information about AKS security, see [Security concepts for applications and clusters in Azure Kubernetes Service (AKS)](./concepts-security.md). For more information on the CIS benchmark, see [Center for Internet Security (CIS) Benchmarks][cis-benchmarks]. For more information on the Azure security baselines for Linux, see [Linux security baseline][linux-security-baseline].

-* *Potential Operation Impact* - Recommendation was not applied because it would have a negative effect on the service.

-| 1.4.1 | Ensure permissions on bootloader config are not overridden | Fail | |

-| 1.8.4 | Ensure XDCMP is not enabled | Pass ||

-| 2.1.2 | Ensure X Window System is not installed | Pass ||

-| 2.1.3 | Ensure Avahi Server is not installed | Pass ||

-| 2.1.4 | Ensure CUPS is not installed | Pass ||

-| 2.1.5 | Ensure DHCP Server is not installed | Pass ||

-| 2.1.6 | Ensure LDAP server is not installed | Pass ||

-| 2.1.7 | Ensure NFS is not installed | Pass ||

-| 2.1.8 | Ensure DNS Server is not installed | Pass ||

-| 2.1.9 | Ensure FTP Server is not installed | Pass ||

-| 2.1.10 | Ensure HTTP server is not installed | Pass ||

-| 2.1.11 | Ensure IMAP and POP3 server are not installed | Pass ||

-| 2.1.12 | Ensure Samba is not installed | Pass ||

-| 2.1.13 | Ensure HTTP Proxy Server is not installed | Pass ||

-| 2.1.14 | Ensure SNMP Server is not installed | Pass ||

-| 2.1.16 | Ensure rsync service is not installed | Fail | |

-| 2.1.17 | Ensure NIS Server is not installed | Pass ||

-| 2.2.1 | Ensure NIS Client is not installed | Pass ||

-| 2.2.2 | Ensure rsh client is not installed | Pass ||

-| 2.2.3 | Ensure talk client is not installed | Pass ||

-| 2.2.4 | Ensure telnet client is not installed | Fail | |

-| 2.2.5 | Ensure LDAP client is not installed | Pass ||

-| 2.2.6 | Ensure RPC is not installed | Fail | Potential Operational Impact |

-| 3.3.1 | Ensure source routed packets are not accepted | Pass ||

-| 3.3.2 | Ensure ICMP redirects are not accepted | Pass ||

-| 3.3.3 | Ensure secure ICMP redirects are not accepted | Pass ||

-| 3.3.9 | Ensure IPv6 router advertisements are not accepted | Pass ||

-| 6.2.2 | Ensure password fields are not empty | Pass ||

-| 6.2.7 | Ensure users' dot files are not group or world writable | Pass ||

-[linux-security-baseline]: ../governance/policy/samples/guest-configuration-baseline-linux.md

-* **High performance**: Since pod are assigned VNet IPs, they have direct connectivity to other cluster pod and resources in the VNet. The solution supports very large clusters without any degradation in performance.

-* **Separate VNet policies for pods**: Since pods have a separate subnet, you can configure separate VNet policies for them that are different from node policies. This enables many useful scenarios such as allowing internet connectivity only for pods and not for nodes, fixing the source IP for pod in a node pool using a VNet Network NAT, and using NSGs to filter traffic between node pools.

-## Monitor IP subnet usage

-Azure CNI provides the capability to monitor IP subnet usage. To enable IP subnet usage monitoring, follow the steps below:

-### Get the YAML file

-1. Download or grep the file named container-azm-ms-agentconfig.yaml from [GitHub][github].

-2. Find azure_subnet_ip_usage in integrations. Set `enabled` to `true`.

-3. Save the file.

-### Get the AKS credentials

-Set the variables for subscription, resource group and cluster. Consider the following as examples:

-```azurepowershell

- $s="subscriptionId"

- $rg="resourceGroup"

- $c="ClusterName"

- az account set -s $s

- az aks get-credentials -n $c -g $rg

-```

-### Apply the config

-1. Open terminal in the folder the downloaded container-azm-ms-agentconfig.yaml file is saved.

-2. First, apply the config using the command: `kubectl apply -f container-azm-ms-agentconfig.yaml`

-3. This will restart the pod and after 5-10 minutes, the metrics will be visible.

-4. To view the metrics on the cluster, go to Workbooks on the cluster page in the Azure portal, and find the workbook named "Subnet IP Usage". Your view will look similar to the following:

- :::image type="content" source="media/Azure-cni/ip-subnet-usage.png" alt-text="A diagram of the Azure portal's workbook blade is shown, and metrics for an AKS cluster's subnet IP usage are displayed.":::

-AKS now supports aborting a long running operation, which is now generally available. This feature allows you to take back control and run another operation seamlessly. This design is supported using the [Azure REST API](/rest/api/azure/) or the [Azure CLI](/cli/azure/).

-Learn more about [Container insights](../azure-monitor/containers/container-insights-overview.md) to understand how it helps you monitor the performance and health of your Kubernetes cluster and container workloads.

-In an AKS cluster, your Kubernetes nodes run as Azure virtual machines (VMs). These Linux-based VMs use an Ubuntu or Mariner image, with the OS configured to automatically check for updates every day. If security or kernel updates are available, they are automatically downloaded and installed.

-Unattended upgrades apply updates to the Linux node OS, but the image used to create nodes for your cluster remains unchanged. If a new Linux node is added to your cluster, the original image is used to create the node. This new node will receive all the security and kernel updates available during the automatic check every day but will remain unpatched until all checks and restarts are complete.

-Alternatively, you can use node image upgrade to check for and update node images used by your cluster. For more details on node image upgrade, see [Azure Kubernetes Service (AKS) node image upgrade][node-image-upgrade].

-There is an additional process in AKS that lets you *upgrade* a cluster. An upgrade is typically to move to a newer version of Kubernetes, not just apply node security updates. An AKS upgrade performs the following actions:

-You can also configure additional parameters for `kured`, such as integration with Prometheus or Slack. For more information about additional configuration parameters, see the [kured Helm chart][kured-install].

-When one of the replicas in the DaemonSet has detected that a node reboot is required, a lock is placed on the node through the Kubernetes API. This lock prevents additional pods being scheduled on the node. The lock also indicates that only one node should be rebooted at a time. With the node cordoned off, running pods are drained from the node, and the node is rebooted.

-Once the update process is complete, you can view the status of the nodes using the [kubectl get nodes][kubectl-get-nodes] command with the `--output wide` parameter. This additional output lets you see a difference in *KERNEL-VERSION* of the underlying nodes, as shown in the following example output. The *aks-nodepool1-28993262-0* was updated in a previous step and shows kernel version *4.15.0-1039-azure*. The node *aks-nodepool1-28993262-1* that hasn't been updated shows kernel version *4.15.0-1037-azure*.

-| [WSDL specification)](import-soap-api.md) | ✔️ | ✔️ | ✔️ |

-| [Synthetic GraphQL](graphql-apis-overview.md)| ✔️ | ✔️ | ❌ |

-API Management also allows *standalone* subscriptions, which are not associated with a developer account. This feature proves useful in scenarios similar to several developers or teams sharing a subscription.

-| Correlation protocol | | Specifies the protocol used to correlate telemetry sent by multiple components to Application Insights. Default: Legacy <br/><br/>For information, see [Telemetry correlation in Application Insights](../azure-monitor/app/correlation.md). |

-* GraphQL subscription support in synthetic GraphQL APIs is currently in preview

-| [Set response cache duration](./set-cache-duration.md) | Demonstrates how to set response cache duration using maxAge value in Cache-Control header sent by the backend. |

-# Virtual Network NAT gateway integration

-NAT gateway is a fully managed, highly resilient service, which can be associated with one or more subnets and ensures that all outbound Internet-facing traffic will be routed through the gateway. With App Service, there are two important scenarios that you can use NAT gateway for.

-For more information and pricing. Go to the [NAT gateway overview](../../virtual-network/nat-gateway/nat-overview.md).

-> * Using NAT gateway with App Service is dependent on virtual network integration, and therefore a supported App Service plan pricing tier is required.

-> * When using NAT gateway together with App Service, all traffic to Azure Storage must be using private endpoint or service endpoint.

-> * NAT gateway cannot be used together with App Service Environment v1 or v2.

-Set up NAT gateway through the portal:

-## Scaling NAT gateway

-The same NAT gateway can be used across multiple subnets in the same Virtual Network allowing a NAT gateway to be used across multiple apps and App Service plans.

-NAT gateway supports both public IP addresses and public IP prefixes. A NAT gateway can support up to 16 IP addresses across individual IP addresses and prefixes. Each IP address allocates 64,512 ports (SNAT ports) allowing up to 1M available ports. Learn more in the [Scaling section](../../virtual-network/nat-gateway/nat-gateway-resource.md#scalability) of NAT gateway.

-For more information on the NAT gateway, see [NAT gateway documentation](../../virtual-network/nat-gateway/nat-overview.md).

-> [Connect to Azure DB for PostgreSQL with Java](../postgresql/connect-java.md)

-When you start a runbook on a user Hybrid Runbook Worker, you specify the group that it runs on. Each worker in the group polls Azure Automation to see if any jobs are available. If a job is available, the first worker to get the job takes it. The processing time of the jobs queue depends on the hybrid worker hardware profile and load. You can't specify a particular worker. Hybrid worker works on a polling mechanism (every 30 secs) and follows an order of first-come, first-serve. Depending on when a job was pushed, whichever hybrid worker pings the Automation service picks up the job. A single hybrid worker can generally pick up four jobs per ping (that is, every 30 seconds). If your rate of pushing jobs is higher than four per 30 seconds, then there's a high possibility another hybrid worker in the Hybrid Runbook Worker group picked up the job.

-Secure assets in Azure Automation include credentials, certificates, connections, and encrypted variables. These assets are protected in Azure Automation using multiple levels of encryption. Based on the top-level key used for the encryption, there are two models for encryption:

-You can install the Azure Key Vault Secrets Provider extension on your connected cluster in the Azure portal, by using Azure CLI, or by deploying ARM template.

-You should see output similar to this example. Note that it may take several minutes before the secrets provider Helm chart is deployed to the cluster.

-Next, specify the Azure Key Vault to use with your connected cluster. If you don't already have one, create a new Key Vault by using the following commands. Keep in mind that the name of your Key Vault must be globally unique.

-Next, run the following command

-```Bash

-| rotationPollInterval | 2m | If `enableSecretRotation` is `true`, specifies the secret rotation poll interval duration. This duration can be adjusted based on how frequently the mounted contents for all pods and Kubernetes secrets need to be resynced to the latest. |

-The [C# library](functions-dotnet-class-library.md) uses the [SqlTrigger](https://github.com/Azure/azure-functions-sql-extension/blob/main/src/TriggerBinding/SqlTriggerAttribute.cs) attribute to declare the SQL trigger on the function, which has the following properties:

-Users can set up the Click Analytics Autocollection plug-in via npm.

-### npm setup

-Install the npm package:

-```bash

-npm install --save @microsoft/applicationinsights-clickanalytics-js @microsoft/applicationinsights-web

-```

-```js

-import { ApplicationInsights } from '@microsoft/applicationinsights-web';

-import { ClickAnalyticsPlugin } from '@microsoft/applicationinsights-clickanalytics-js';

-const clickPluginInstance = new ClickAnalyticsPlugin();

-// Click Analytics configuration

-const clickPluginConfig = {

- autoCapture: true

-};

-// Application Insights Configuration

-const configObj = {

- connectionString: "YOUR CONNECTION STRING",

- extensions: [clickPluginInstance],

- extensionConfig: {

- [clickPluginInstance.identifier]: clickPluginConfig

- },

-};

-const appInsights = new ApplicationInsights({ config: configObj });

-appInsights.loadAppInsights();

-```

-## Snippet setup

-## Configuration

-| pageTags | String | Null | Page tags. |

-## Enable correlation

-Correlation generates and sends data that enables distributed tracing and powers the [application map](../app/app-map.md), [end-to-end transaction view](../app/app-map.md#go-to-details), and other diagnostic tools.

-JavaScript correlation is turned off by default to minimize the telemetry we send by default. To enable correlation, see the [JavaScript client-side correlation documentation](./javascript.md#enable-distributed-tracing).

-> For help with configuring your application's JVM args, see [Tips for updating your JVM args](./java-standalone-arguments.md).

-

-If you develop a Spring Boot application, you can optionally replace the JVM argument by a programmatic configuration. For more information, see [Using Azure Monitor Application Insights with Spring Boot](./java-spring-boot.md).

-> By default 16 IP's are allocated from subnet to each node. This cannot be modified to be less than 16. For instructions on how to enable subnet IP usage metrics, see [Monitor IP Subnet Usage](../../aks/configure-azure-cni.md#monitor-ip-subnet-usage).

-| Resource Name | Human readable name of the app (Also known as "component name") | app("fabrikamapp") |

-| Qualified Name | Full name of the app in the form: "subscriptionName/resourceGroup/componentName" | app('AI-Prototype/Fabrikam/fabrikamapp') |

-| ID | GUID of the app | app("988ba129-363e-4415-8fe7-8cbab5447518") |

-| Azure Resource ID | Identifier for the Azure resource |app("/subscriptions/7293b69-db12-44fc-9a66-9c2005c3051d/resourcegroups/Fabrikam/providers/microsoft.insights/components/fabrikamapp") |

-* Identifying an application by its name assumes that it is unique across all accessible subscriptions. If you have multiple applications with the specified name, the query will fail because of the ambiguity. In this case you must use one of the other identifiers.

-app("fabrikamapp").requests | count

-app("AI-Prototype/Fabrikam/fabrikamapp").requests | count

-```

-```Kusto

-app("b438b4f6-912a-46d5-9cb1-b44069212ab4").requests | count

-```

-```Kusto

-app("/subscriptions/7293b69-db12-44fc-9a66-9c2005c3051d/resourcegroups/Fabrikam/providers/microsoft.insights/components/fabrikamapp").requests | count

-(workspace("myworkspace").Heartbeat | where Computer contains "Con"),

-(app("myapplication").requests | where cloud_RoleInstance contains "Con")

-(workspace("myworkspace").Heartbeat), (app("myapplication").requests)

-| where TimeGenerated between(todatetime("2018-02-08 15:00:00") .. todatetime("2018-12-08 15:05:00"))

-You can identify an application in Application Insights with the `app(Identifier)` expression. The `Identifier` argument specifies the app by using one of the following names or IDs:

-Pay particular attention to queries that are used for recurrent and bursty usage, such as dashboards, alerts, Azure Logic Apps, and Power BI. The impact of an ineffective query in these cases is substantial.

-> - Cross workspace queries having an explicit identifier: workspace ID, or workspace Resource Manager resource ID, consume less resources and are more performant. See [Create a log query across multiple workspaces](./cross-workspace-query.md#identify-workspace-resources)

-# Save a query in Azure Monitor Log Analytics (preview)

-| Resource Name | Human readable name of the workspace (also known as "component name") | workspace("contosoretail") |

-| Qualified Name | Full name of the workspace in the form: "subscriptionName/resourceGroup/componentName" | workspace('Contoso/ContosoResource/ContosoWorkspace') |

-| ID | GUID of the workspace | workspace("b438b3f6-912a-46d5-9db1-b42069242ab4") |

-| Azure Resource ID | Identifier for the Azure resource | workspace("/subscriptions/e4227-645-44e-9c67-3b84b5982/resourcegroups/ContosoAzureHQ/providers/Microsoft.OperationalInsights/workspaces/contosoretail") |

-workspace("contosoretail").Update | count

-workspace("b438b4f6-912a-46d5-9cb1-b44069212ab4").Update | count

-```

-```Kusto

-workspace("/subscriptions/e427267-5645-4c4e-9c67-3b84b59a6982/resourcegroups/ContosoAzureHQ/providers/Microsoft.OperationalInsights/workspaces/contosoretail").Event | count

-(workspace("myworkspace").Heartbeat | where Computer contains "Con"),

-(app("myapplication").requests | where cloud_RoleInstance contains "Con")

-(workspace("myworkspace").Heartbeat), (app("myapplication").requests)

-| where TimeGenerated between(todatetime("2018-02-08 15:00:00") .. todatetime("2018-12-08 15:05:00"))

-For general Snapshot Debugger troubleshooting, refer to the [Snapshot Debugger Troubleshoot documentation](/troubleshoot/azure/azure-monitor/app-insights/snapshot-debugger-troubleshoot.md).

-You can also use the resourceGroup function to apply tags from the resource group to a resource. For more information, see [Apply tags from resource group](../management/tag-resources.md#apply-tags-from-resource-group).

-You can apply tags to a resource during deployment. Tags help you logically organize your deployed resources. For examples of the different ways you can specify the tags, see [ARM template tags](../management/tag-resources.md#arm-templates).

-You need to provide several parameters to the deployment command for the managed application. You can use a JSON formatted string or create a JSON file. In this example, we use a JSON formatted string. The PowerShell escape character for the quote marks is the backslash (`\`) character. The backslash is also used for line continuation so that commands can use multiple lines.

-For readability, the completed JSON string uses the backtick for line continuation. The values are stored in the `params` variable that's used in the deployment command. The parameters in the JSON string are required to deploy the managed resources.

-You can apply tags to resource groups and resources to logically organize your assets. For information, see [Using tags to organize your Azure resources](tag-resources.md#azure-cli).

-You can apply tags to resource groups and resources to logically organize your assets. For information, see [Using tags to organize your Azure resources](tag-resources.md#portal).

-You can apply tags to resource groups and resources to logically organize your assets. For information, see [Using tags to organize your Azure resources](tag-resources.md#powershell).

-Tagging helps organizing your resource group and resources logically. For information, see [Using tags to organize your Azure resources](tag-resources.md#azure-cli).

-For information, see [Using tags to organize your Azure resources](tag-resources.md#portal).

-Tagging helps organizing your resource group and resources logically. For information, see [Using tags to organize your Azure resources](tag-resources.md#powershell).

-description: Shows how to apply tags to organize Azure resources for billing and managing.

-Tags are metadata elements that you apply to your Azure resources. They're key-value pairs that help you identify resources based on settings that are relevant to your organization. If you want to track the deployment environment for your resources, add a key named Environment. To identify the resources deployed to production, give them a value of Production. Fully formed, the key-value pair becomes, Environment = Production.

-## PowerShell

-### Apply tags

-Azure PowerShell offers two commands to apply tags: [New-AzTag](/powershell/module/az.resources/new-aztag) and [Update-AzTag](/powershell/module/az.resources/update-aztag). You need to have the `Az.Resources` module 1.12.0 version or later. You can check your version with `Get-InstalledModule -Name Az.Resources`. You can install that module or [install Azure PowerShell](/powershell/azure/install-az-ps) version 3.6.1 or later.

-The `New-AzTag` replaces all tags on the resource, resource group, or subscription. When you call the command, pass the resource ID of the entity you want to tag.

-The following example applies a set of tags to a storage account:

-```azurepowershell-interactive

-$tags = @{"Dept"="Finance"; "Status"="Normal"}

-$resource = Get-AzResource -Name demoStorage -ResourceGroup demoGroup

-New-AzTag -ResourceId $resource.id -Tag $tags

-```

-When the command completes, notice that the resource has two tags.

-```output

-Properties :

- Name Value

- ====== =======

- Dept Finance

- Status Normal

-```

-If you run the command again, but this time with different tags, notice that the earlier tags disappear.

-```azurepowershell-interactive

-$tags = @{"Team"="Compliance"; "Environment"="Production"}

-New-AzTag -ResourceId $resource.id -Tag $tags

-```

-```output

-Properties :

- Name Value

- =========== ==========

- Environment Production

- Team Compliance

-```

-To add tags to a resource that already has tags, use `Update-AzTag`. Set the `-Operation` parameter to `Merge`.

-```azurepowershell-interactive

-$tags = @{"Dept"="Finance"; "Status"="Normal"}

-Update-AzTag -ResourceId $resource.id -Tag $tags -Operation Merge

-```

-Notice that the existing tags grow with the addition of the two new tags.

-```output

-Properties :

- Name Value

- =========== ==========

- Status Normal

- Dept Finance

- Team Compliance

- Environment Production

-```

-Each tag name can have only one value. If you provide a new value for a tag, it replaces the old value even if you use the merge operation. The following example changes the `Status` tag from _Normal_ to _Green_.

-```azurepowershell-interactive

-$tags = @{"Status"="Green"}

-Update-AzTag -ResourceId $resource.id -Tag $tags -Operation Merge

-```

-```output

-Properties :

- Name Value

- =========== ==========

- Status Green

- Dept Finance

- Team Compliance

- Environment Production

-```

-When you set the `-Operation` parameter to `Replace`, the new set of tags replaces the existing tags.

-```azurepowershell-interactive

-$tags = @{"Project"="ECommerce"; "CostCenter"="00123"; "Team"="Web"}

-Update-AzTag -ResourceId $resource.id -Tag $tags -Operation Replace

-```

-Only the new tags remain on the resource.

-```output

-Properties :

- Name Value

- ========== =========

- CostCenter 00123

- Team Web

- Project ECommerce

-```

-The same commands also work with resource groups or subscriptions. Pass them in the identifier of the resource group or subscription you want to tag.

-To add a new set of tags to a resource group, use:

-```azurepowershell-interactive

-$tags = @{"Dept"="Finance"; "Status"="Normal"}

-$resourceGroup = Get-AzResourceGroup -Name demoGroup

-New-AzTag -ResourceId $resourceGroup.ResourceId -tag $tags

-```

-To update the tags for a resource group, use:

-```azurepowershell-interactive

-$tags = @{"CostCenter"="00123"; "Environment"="Production"}

-$resourceGroup = Get-AzResourceGroup -Name demoGroup

-Update-AzTag -ResourceId $resourceGroup.ResourceId -Tag $tags -Operation Merge

-```

-To add a new set of tags to a subscription, use:

-```azurepowershell-interactive

-$tags = @{"CostCenter"="00123"; "Environment"="Dev"}

-$subscription = (Get-AzSubscription -SubscriptionName "Example Subscription").Id

-New-AzTag -ResourceId "/subscriptions/$subscription" -Tag $tags

-```

-To update the tags for a subscription, use:

-```azurepowershell-interactive

-$tags = @{"Team"="Web Apps"}

-$subscription = (Get-AzSubscription -SubscriptionName "Example Subscription").Id

-Update-AzTag -ResourceId "/subscriptions/$subscription" -Tag $tags -Operation Merge

-```

-You may have more than one resource with the same name in a resource group. In that case, you can set each resource with the following commands:

-```azurepowershell-interactive

-$resource = Get-AzResource -ResourceName sqlDatabase1 -ResourceGroupName examplegroup

-$resource | ForEach-Object { Update-AzTag -Tag @{ "Dept"="IT"; "Environment"="Test" } -ResourceId $_.ResourceId -Operation Merge }

-```

-### List tags

-To get the tags for a resource, resource group, or subscription, use the [Get-AzTag](/powershell/module/az.resources/get-aztag) command and pass the resource ID of the entity.

-To see the tags for a resource, use:

-```azurepowershell-interactive

-$resource = Get-AzResource -Name demoStorage -ResourceGroup demoGroup

-Get-AzTag -ResourceId $resource.id

-```

-To see the tags for a resource group, use:

-```azurepowershell-interactive

-$resourceGroup = Get-AzResourceGroup -Name demoGroup

-Get-AzTag -ResourceId $resourceGroup.ResourceId

-```

-To see the tags for a subscription, use:

-```azurepowershell-interactive

-$subscription = (Get-AzSubscription -SubscriptionName "Example Subscription").Id

-Get-AzTag -ResourceId "/subscriptions/$subscription"

-```

-### List by tag

-To get resources that have a specific tag name and value, use:

-```azurepowershell-interactive

-(Get-AzResource -Tag @{ "CostCenter"="00123"}).Name

-```

-To get resources that have a specific tag name with any tag value, use:

-```azurepowershell-interactive

-(Get-AzResource -TagName "Dept").Name

-```

-To get resource groups that have a specific tag name and value, use:

-```azurepowershell-interactive

-(Get-AzResourceGroup -Tag @{ "CostCenter"="00123" }).ResourceGroupName

-```

-### Remove tags

-To remove specific tags, use `Update-AzTag` and set `-Operation` to `Delete`. Pass the resource IDs of the tags you want to delete.

-```azurepowershell-interactive

-$removeTags = @{"Project"="ECommerce"; "Team"="Web"}

-Update-AzTag -ResourceId $resource.id -Tag $removeTags -Operation Delete

-```

-The specified tags are removed.

-```output

-Properties :

- Name Value

- ========== =====

- CostCenter 00123

-```

-To remove all tags, use the [Remove-AzTag](/powershell/module/az.resources/remove-aztag) command.

-```azurepowershell-interactive

-$subscription = (Get-AzSubscription -SubscriptionName "Example Subscription").Id

-Remove-AzTag -ResourceId "/subscriptions/$subscription"

-```

-## Azure CLI

-### Apply tags

-Azure CLI offers two commands to apply tags: [az tag create](/cli/azure/tag#az-tag-create) and [az tag update](/cli/azure/tag#az-tag-update). You need to have the Azure CLI 2.10.0 version or later. You can check your version with `az version`. To update or install it, see [Install the Azure CLI](/cli/azure/install-azure-cli).

-The `az tag create` replaces all tags on the resource, resource group, or subscription. When you call the command, pass the resource ID of the entity you want to tag.

-The following example applies a set of tags to a storage account:

-```azurecli-interactive

-resource=$(az resource show -g demoGroup -n demoStorage --resource-type Microsoft.Storage/storageAccounts --query "id" --output tsv)

-az tag create --resource-id $resource --tags Dept=Finance Status=Normal

-```

-When the command completes, notice that the resource has two tags.

-```output

-"properties": {

- "tags": {

- "Dept": "Finance",

- "Status": "Normal"

- }

-},

-```

-If you run the command again, but this time with different tags, notice that the earlier tags disappear.

-```azurecli-interactive

-az tag create --resource-id $resource --tags Team=Compliance Environment=Production

-```

-```output

-"properties": {

- "tags": {

- "Environment": "Production",

- "Team": "Compliance"

- }

-},

-```

-To add tags to a resource that already has tags, use `az tag update`. Set the `--operation` parameter to `Merge`.

-```azurecli-interactive

-az tag update --resource-id $resource --operation Merge --tags Dept=Finance Status=Normal

-```

-Notice that the existing tags grow with the addition of the two new tags.

-```output

-"properties": {

- "tags": {

- "Dept": "Finance",

- "Environment": "Production",

- "Status": "Normal",

- "Team": "Compliance"

- }

-},

-```

-Each tag name can have only one value. If you provide a new value for a tag, the new tag replaces the old value, even if you use the merge operation. The following example changes the `Status` tag from _Normal_ to _Green_.

-```azurecli-interactive

-az tag update --resource-id $resource --operation Merge --tags Status=Green

-```

-```output

-"properties": {

- "tags": {

- "Dept": "Finance",

- "Environment": "Production",

- "Status": "Green",

- "Team": "Compliance"

- }

-},

-```

-When you set the `--operation` parameter to `Replace`, the new set of tags replaces the existing tags.

-```azurecli-interactive

-az tag update --resource-id $resource --operation Replace --tags Project=ECommerce CostCenter=00123 Team=Web

-```

-Only the new tags remain on the resource.

-```output

-"properties": {

- "tags": {

- "CostCenter": "00123",

- "Project": "ECommerce",

- "Team": "Web"

- }

-},

-```

-The same commands also work with resource groups or subscriptions. Pass them in the identifier of the resource group or subscription you want to tag.

-To add a new set of tags to a resource group, use:

-```azurecli-interactive

-group=$(az group show -n demoGroup --query id --output tsv)

-az tag create --resource-id $group --tags Dept=Finance Status=Normal

-```

-To update the tags for a resource group, use:

-```azurecli-interactive

-az tag update --resource-id $group --operation Merge --tags CostCenter=00123 Environment=Production

-```

-To add a new set of tags to a subscription, use:

-```azurecli-interactive

-sub=$(az account show --subscription "Demo Subscription" --query id --output tsv)

-az tag create --resource-id /subscriptions/$sub --tags CostCenter=00123 Environment=Dev

-```

-To update the tags for a subscription, use:

-```azurecli-interactive

-az tag update --resource-id /subscriptions/$sub --operation Merge --tags Team="Web Apps"

-```

-### List tags

-To get the tags for a resource, resource group, or subscription, use the [az tag list](/cli/azure/tag#az-tag-list) command and pass the resource ID of the entity.

-To see the tags for a resource, use:

-```azurecli-interactive

-resource=$(az resource show -g demoGroup -n demoStorage --resource-type Microsoft.Storage/storageAccounts --query "id" --output tsv)

-az tag list --resource-id $resource

-```

-To see the tags for a resource group, use:

-```azurecli-interactive

-group=$(az group show -n demoGroup --query id --output tsv)

-az tag list --resource-id $group

-```

-To see the tags for a subscription, use:

-```azurecli-interactive

-sub=$(az account show --subscription "Demo Subscription" --query id --output tsv)

-az tag list --resource-id /subscriptions/$sub

-```

-### List by tag

-To get resources that have a specific tag name and value, use:

-```azurecli-interactive

-az resource list --tag CostCenter=00123 --query [].name

-```

-To get resources that have a specific tag name with any tag value, use:

-```azurecli-interactive

-az resource list --tag Team --query [].name

-```

-To get resource groups that have a specific tag name and value, use:

-```azurecli-interactive

-az group list --tag Dept=Finance

-```

-### Remove tags

-To remove specific tags, use `az tag update` and set `--operation` to `Delete`. Pass the resource ID of the tags you want to delete.

-```azurecli-interactive

-az tag update --resource-id $resource --operation Delete --tags Project=ECommerce Team=Web

-```

-You've removed the specified tags.

-```output

-"properties": {

- "tags": {

- "CostCenter": "00123"

- }

-},

-```

-To remove all tags, use the [az tag delete](/cli/azure/tag#az-tag-delete) command.

-```azurecli-interactive

-az tag delete --resource-id $resource

-```

-### Handling spaces

-If your tag names or values include spaces, enclose them in quotation marks.

-```azurecli-interactive

-az tag update --resource-id $group --operation Merge --tags "Cost Center"=Finance-1222 Location="West US"

-```

-## ARM templates

-You can tag resources, resource groups, and subscriptions during deployment with an ARM template.

-> [!NOTE]

-> The tags you apply through an ARM template or Bicep file overwrite any existing tags.

-### Apply values

-The following example deploys a storage account with three tags. Two of the tags (`Dept` and `Environment`) are set to literal values. One tag (`LastDeployed`) is set to a parameter that defaults to the current date.

-# [JSON](#tab/json)

-```json

-{

- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "utcShort": {

- "type": "string",

- "defaultValue": "[utcNow('d')]"

- },

- "location": {

- "type": "string",

- "defaultValue": "[resourceGroup().location]"

- }

- },

- "resources": [

- {

- "type": "Microsoft.Storage/storageAccounts",

- "apiVersion": "2021-04-01",

- "name": "[concat('storage', uniqueString(resourceGroup().id))]",

- "location": "[parameters('location')]",

- "sku": {

- "name": "Standard_LRS"

- },

- "kind": "Storage",

- "tags": {

- "Dept": "Finance",

- "Environment": "Production",

- "LastDeployed": "[parameters('utcShort')]"

- },

- "properties": {}

- }

- ]

-}

-```

-# [Bicep](#tab/bicep)

-```Bicep

-param location string = resourceGroup().location

-param utcShort string = utcNow('d')

-resource stgAccount 'Microsoft.Storage/storageAccounts@2021-04-01' = {

- name: 'storage${uniqueString(resourceGroup().id)}'

- location: location

- sku: {

- name: 'Standard_LRS'

- }

- kind: 'Storage'

- tags: {

- Dept: 'Finance'

- Environment: 'Production'

- LastDeployed: utcShort

- }

-}

-```

-### Apply an object

-You can define an object parameter that stores several tags and apply that object to the tag element. This approach provides more flexibility than the previous example because the object can have different properties. Each property in the object becomes a separate tag for the resource. The following example has a parameter named `tagValues` that's applied to the tag element.

-# [JSON](#tab/json)

-```json

-{

- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "location": {

- "type": "string",

- "defaultValue": "[resourceGroup().location]"

- },

- "tagValues": {

- "type": "object",

- "defaultValue": {

- "Dept": "Finance",

- "Environment": "Production"

- }

- }

- },

- "resources": [

- {

- "type": "Microsoft.Storage/storageAccounts",

- "apiVersion": "2021-04-01",

- "name": "[concat('storage', uniqueString(resourceGroup().id))]",

- "location": "[parameters('location')]",

- "sku": {

- "name": "Standard_LRS"

- },

- "kind": "Storage",

- "tags": "[parameters('tagValues')]",

- "properties": {}

- }

- ]

-}

-```

-# [Bicep](#tab/bicep)

-```Bicep

-param location string = resourceGroup().location

-param tagValues object = {

- Dept: 'Finance'

- Environment: 'Production'

-}

-resource stgAccount 'Microsoft.Storage/storageAccounts@2021-04-01' = {

- name: 'storage${uniqueString(resourceGroup().id)}'

- location: location

- sku: {

- name: 'Standard_LRS'

- }

- kind: 'Storage'

- tags: tagValues

-}

-```

-### Apply a JSON string

-To store many values in a single tag, apply a JSON string that represents the values. The entire JSON string is stored as one tag that can't exceed 256 characters. The following example has a single tag named `CostCenter` that contains several values from a JSON string:

-# [JSON](#tab/json)

-```json

-{

- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "location": {

- "type": "string",

- "defaultValue": "[resourceGroup().location]"

- }

- },

- "resources": [

- {

- "type": "Microsoft.Storage/storageAccounts",

- "apiVersion": "2021-04-01",

- "name": "[concat('storage', uniqueString(resourceGroup().id))]",

- "location": "[parameters('location')]",

- "sku": {

- "name": "Standard_LRS"

- },

- "kind": "Storage",

- "tags": {

- "CostCenter": "{\"Dept\":\"Finance\",\"Environment\":\"Production\"}"

- },

- "properties": {}

- }

- ]

-}

-```

-# [Bicep](#tab/bicep)

-```Bicep

-param location string = resourceGroup().location

-resource stgAccount 'Microsoft.Storage/storageAccounts@2021-04-01' = {

- name: 'storage${uniqueString(resourceGroup().id)}'

- location: location

- sku: {

- name: 'Standard_LRS'

- }

- kind: 'Storage'

- tags: {

- CostCenter: '{"Dept":"Finance","Environment":"Production"}'

- }

-}

-```

-### Apply tags from resource group

-To apply tags from a resource group to a resource, use the [resourceGroup()](../templates/template-functions-resource.md#resourcegroup) function. When you get the tag value, use the `tags[tag-name]` syntax instead of the `tags.tag-name` syntax, because some characters aren't parsed correctly in the dot notation.

-# [JSON](#tab/json)

-```json

-{

- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "location": {

- "type": "string",

- "defaultValue": "[resourceGroup().location]"

- }

- },

- "resources": [

- {

- "type": "Microsoft.Storage/storageAccounts",

- "apiVersion": "2021-04-01",

- "name": "[concat('storage', uniqueString(resourceGroup().id))]",

- "location": "[parameters('location')]",

- "sku": {

- "name": "Standard_LRS"

- },

- "kind": "Storage",

- "tags": {

- "Dept": "[resourceGroup().tags['Dept']]",

- "Environment": "[resourceGroup().tags['Environment']]"

- },

- "properties": {}

- }

- ]

-}

-```

-# [Bicep](#tab/bicep)

-```Bicep

-param location string = resourceGroup().location

-resource stgAccount 'Microsoft.Storage/storageAccounts@2021-04-01' = {

- name: 'storage${uniqueString(resourceGroup().id)}'

- location: location

- sku: {

- name: 'Standard_LRS'

- }

- kind: 'Storage'

- tags: {

- Dept: resourceGroup().tags['Dept']

- Environment: resourceGroup().tags['Environment']

- }

-}

-```

-### Apply tags to resource groups or subscriptions

-You can add tags to a resource group or subscription by deploying the `Microsoft.Resources/tags` resource type. You can apply the tags to the target resource group or subscription you want to deploy. Each time you deploy the template you replace any previous tags.

-# [JSON](#tab/json)

-```json

-{

- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "tagName": {

- "type": "string",

- "defaultValue": "TeamName"

- },

- "tagValue": {

- "type": "string",

- "defaultValue": "AppTeam1"

- }

- },

- "resources": [

- {

- "type": "Microsoft.Resources/tags",

- "name": "default",

- "apiVersion": "2021-04-01",

- "properties": {

- "tags": {

- "[parameters('tagName')]": "[parameters('tagValue')]"

- }

- }

- }

- ]

-}

-```

-# [Bicep](#tab/bicep)

-```Bicep

-param tagName string = 'TeamName'

-param tagValue string = 'AppTeam1'

-resource applyTags 'Microsoft.Resources/tags@2021-04-01' = {

- name: 'default'

- properties: {

- tags: {

- '${tagName}': tagValue

- }

- }

-}

-```

-To apply the tags to a resource group, use either Azure PowerShell or Azure CLI. Deploy to the resource group that you want to tag.

-```azurepowershell-interactive

-New-AzResourceGroupDeployment -ResourceGroupName exampleGroup -TemplateFile https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/tags.json

-```

-```azurecli-interactive

-az deployment group create --resource-group exampleGroup --template-uri https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/tags.json

-```

-To apply the tags to a subscription, use either PowerShell or Azure CLI. Deploy to the subscription that you want to tag.

-```azurepowershell-interactive

-New-AzSubscriptionDeployment -name tagresourcegroup -Location westus2 -TemplateUri https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/tags.json

-```

-```azurecli-interactive

-az deployment sub create --name tagresourcegroup --location westus2 --template-uri https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/azure-resource-manager/tags.json

-```

-For more information about subscription deployments, see [Create resource groups and resources at the subscription level](../templates/deploy-to-subscription.md).

-The following template adds the tags from an object to either a resource group or subscription.

-# [JSON](#tab/json)

-```json

-{

- "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "tags": {

- "type": "object",

- "defaultValue": {

- "TeamName": "AppTeam1",

- "Dept": "Finance",

- "Environment": "Production"

- }

- }

- },

- "resources": [

- {

- "type": "Microsoft.Resources/tags",

- "apiVersion": "2021-04-01",

- "name": "default",

- "properties": {

- "tags": "[parameters('tags')]"

- }

- }

- ]

-}

-```

-# [Bicep](#tab/bicep)

-```Bicep

-targetScope = 'subscription'

-param tagObject object = {

- TeamName: 'AppTeam1'

- Dept: 'Finance'

- Environment: 'Production'

-}

-resource applyTags 'Microsoft.Resources/tags@2021-04-01' = {

- name: 'default'

- properties: {

- tags: tagObject

- }

-}

-```

-## Portal

-## REST API

-To work with tags through the Azure REST API, use:

-* [Tags - Create Or Update At Scope](/rest/api/resources/tags/createorupdateatscope) (PUT operation)

-* [Tags - Update At Scope](/rest/api/resources/tags/updateatscope) (PATCH operation)

-* [Tags - Get At Scope](/rest/api/resources/tags/getatscope) (GET operation)

-* [Tags - Delete At Scope](/rest/api/resources/tags/deleteatscope) (DELETE operation)

-## SDKs

-For examples of applying tags with SDKs, see:

-* [.NET](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/resourcemanager/Azure.ResourceManager/samples/Sample2_ManagingResourceGroups.md)

-* [Java](https://github.com/Azure-Samples/resources-java-manage-resource-group/blob/master/src/main/java/com/azure/resourcemanager/resources/samples/ManageResourceGroup.java)

-* [JavaScript](https://github.com/Azure-Samples/azure-sdk-for-js-samples/blob/main/samples/resources/resources_example.ts)

-* [Python](https://github.com/MicrosoftDocs/samples/tree/main/Azure-Samples/azure-samples-python-management/resources)

-You can apply tags to a resource during deployment. Tags help you logically organize your deployed resources. For examples of the different ways you can specify the tags, see [ARM template tags](../management/tag-resources.md#arm-templates).

-You can also use the `resourceGroup` function to apply tags from the resource group to a resource. For more information, see [Apply tags from resource group](../management/tag-resources.md#apply-tags-from-resource-group).

-After data retention policy is defiend for a database and the underlying table, a background time timer task runs to remove any obsolete records from the table enabled for data retention. Identification of matching rows and their removal from the table occur transparently, in the background task that is scheduled and run by the system. Age condition for the table rows is checked based on the column used as the `filter_column` in the table definition. If retention period, for example, is set to one week, table rows eligible for cleanup satisfy either of the following condition:

- - Clean up runs with a default 5 seconds lock timeout setting. If the locks cannot be acquired on the tables within the timeout window, the table is skipped in the current run and will be retried in the next iteration.

-| When first logging into the vSphere Client, the **Cluster-n: vSAN health alarms are suppressed** alert is active | 2021 | This should be considered an informational message, since Microsoft manages the service. Select the **Reset to Green** link to clear it. | 2021 |

-**HCX Run commands**

-Introducing run commands for HCX on Azure VMware solutions. You can use these run commands to restart HCX cloud manager in your Azure VMware solution private cloud. Additionally, you can also scale HCX cloud manager using run commands. To learn how to use run commands for HCX, see [Use HCX Run commands](use-hcx-run-commands.md).

-The AV36P is now available in the West US Region.ΓÇ» This node size is used for memory and storage workloads by offering increased Memory and NVME based SSDs.ΓÇ»

-You can use customer-managed keys to bring and manage your master encryption keys to encrypt van. Azure Key Vault allows you to store your privately managed keys securely to access your Azure VMware Solution data.

-HCX cloud manager in Azure VMware Solution can now be accessible over a public IP address. You can pair HCX sites and create a service mesh from on-premises to Azure VMware Solution private cloud using Public IP.

-HCX with public IP is especially useful in cases where On-premises sites aren't connected to Azure via Express Route or VPN. HCX service mesh appliances can be configured with public IPs to avoid lower tunnel MTUs due to double encapsulation if a VPN is used for on-premises to cloud connections. For more information, please see [Enable HCX over the internet](./enable-hcx-access-over-internet.md)

-All new Azure VMware Solution private clouds in regions (Germany West Central, Australia East, Central US and UK West), are now deployed with VMware vCenter Server version 7.0 Update 3c and ESXi version 7.0 Update 3c.

-Azure VMware Solution (AVS) has completed maintenance activities to address critical vulnerabilities in Apache Log4j. The fixes documented in the VMware security advisory [VMSA-2021-0028.6](https://www.vmware.com/security/advisories/VMSA-2021-0028.html) to address CVE-2021-44228 and CVE-2021-45046 have been applied to these AVS managed VMware products: vCenter Server, NSX-T Data Center, SRM and HCX. We strongly encourage customers to apply the fixes to on-premises HCX connector appliances.

- We also recommend customers to review the security advisory and apply the fixes for other affected VMware products or workloads.

- If you need any assistance or have questions, [contact us](https://portal.azure.com/#home).

-VMware has announced a security advisory [VMSA-2021-0028](https://www.vmware.com/security/advisories/VMSA-2021-0028.html), addressing a critical vulnerability in Apache Log4j identified by CVE-2021-44228. Azure VMware Solution is actively monitoring this issue. We're addressing this issue by applying VMware recommended workarounds or patches for AVS managed VMware components as they become available.

- Note that you may experience intermittent connectivity to these components when we apply a fix. We strongly recommend that you read the advisory and patch or apply the recommended workarounds for other VMware products you may have deployed in Azure VMware Solution. If you need any assistance or have questions, [contact us](https://portal.azure.com).

-All new Azure VMware Solution private clouds are now deployed with ESXi version ESXi670-202103001 (Build number: 17700523). ESXi hosts in existing private clouds have been patched to this version. For more information on this ESXi version, see [VMware ESXi 6.7, Patch Release ESXi670-202103001](https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202103001.html).

-All new Azure VMware Solution private clouds are now deployed with NSX-T Data Center version [!INCLUDE [nsxt-version](includes/nsxt-version.md)]. NSX-T Data Center version in existing private clouds will be upgraded through September 2021 to NSX-T Data Center [!INCLUDE [nsxt-version](includes/nsxt-version.md)] release.

-description: Use HCX Run Commands in Azure VMware Solution

-# Use HCX Run Commands

-In this article, you learn how to use HCX run commands. Use run commands to perform operations that would normally require elevated privileges through a collection of PowerShell cmdlets. This document outlines the available HCX run commands and how to use them.

-This article describes two HCX commands: **Restart HCX Manager** and **Scale HCX Manager**.

-## Restart HCX Manager

-This Command checks for active HCX migrations and replications. If none are found, it restarts the HCX cloud manager (HCX VM's guest OS).

-1. Navigate to the run Command panel in an Azure VMware private cloud on the Azure portal.

- **Scenario 2**: The HCX Manager is powered off and the customer would like to power it back on.

-1. Wait for command to finish. It may take few minutes for the HCX appliance to come online.

-## Scale HCX manager

-Use the Scale HCX manager run command to increase the resource allocation of your HCX Manager virtual machine to 8 vCPUs and 24-GB RAM from the default setting of 4 vCPUs and 12-GB RAM, ensuring scalability.

-**Scenario**: Mobility Optimize Networking (MON) requires HCX Scalability. For more details on [MON scaling](https://kb.vmware.com/s/article/88401)ΓÇ»

-> HCX cloud manager will be rebooted during this operation, and this may affect any ongoing migration processes.

-1. Navigate to the run Command panel on in an AVS private cloud on the Azure portal.

-1. Agree to restart HCX by toggling ``AgreeToRestartHCX`` to **True**.

- > HCX cloud manager will be unavailable during the scaling.

-To learn more about run commands, see [Run commands](concepts-run-command.md)

-description: This quickstart shows how to create a Batch account and run a Batch job with the Azure CLI.

-# Quickstart: Run your first Batch job with the Azure CLI

-Get started with Azure Batch by using the Azure CLI to create a Batch account, a pool of compute nodes (virtual machines), and a job that runs tasks on the pool. Each sample task runs a basic command on one of the pool nodes.

-The Azure CLI is used to create and manage Azure resources from the command line or in scripts. After completing this quickstart, you will understand the key concepts of the Batch service and be ready to try Batch with more realistic workloads at larger scale.

-## Create a resource group

-Create a resource group with the [az group create](/cli/azure/group#az-group-create) command. An Azure resource group is a logical container into which Azure resources are deployed and managed.

-The following example creates a resource group named *QuickstartBatch-rg* in the *eastus2* location.

- --name QuickstartBatch-rg \

-You can link an Azure Storage account with your Batch account. Although not required for this quickstart, the storage account is useful to deploy applications and store input and output data for most real-world workloads. Create a storage account in your resource group with the [az storage account create](/cli/azure/storage/account#az-storage-account-create) command.

- --resource-group QuickstartBatch-rg \

- --name mystorageaccount \

-Create a Batch account with the [az batch account create](/cli/azure/batch/account#az-batch-account-create) command. You need an account to create compute resources (pools of compute nodes) and Batch jobs.

-The following example creates a Batch account named *mybatchaccount* in *QuickstartBatch-rg*, and links the storage account you created.

- --storage-account mystorageaccount \

- --resource-group QuickstartBatch-rg \

-To create and manage compute pools and jobs, you need to authenticate with Batch. Log in to the account with the [az batch account login](/cli/azure/batch/account#az-batch-account-login) command. After you log in, your `az batch` commands use this account context.

- --resource-group QuickstartBatch-rg \

-Now that you have a Batch account, create a sample pool of Linux compute nodes using the [az batch pool create](/cli/azure/batch/pool#az-batch-pool-create) command. The following example creates a pool named *mypool* of two *Standard_A1_v2* nodes running Ubuntu 18.04 LTS. The suggested node size offers a good balance of performance versus cost for this quick example.

- --id mypool --vm-size Standard_A1_v2 \

- --image canonical:ubuntuserver:18.04-LTS \

- --node-agent-sku-id "batch.node.ubuntu 18.04"

-Batch creates the pool immediately, but it takes a few minutes to allocate and start the compute nodes. During this time, the pool is in the `resizing` state. To see the status of the pool, run the [az batch pool show](/cli/azure/batch/pool#az-batch-pool-show) command. This command shows all the properties of the pool, and you can query for specific properties. The following command gets the allocation state of the pool:

-az batch pool show --pool-id mypool \

-Continue the following steps to create a job and tasks while the pool state is changing. The pool is ready to run tasks when the allocation state is `steady` and all the nodes are running.

-Now that you have a pool, create a job to run on it. A Batch job is a logical group for one or more tasks. A job includes settings common to the tasks, such as priority and the pool to run tasks on. Create a Batch job by using the [az batch job create](/cli/azure/batch/job#az-batch-job-create) command. The following example creates a job *myjob* on the pool *mypool*. Initially the job has no tasks.

- --id myjob \

- --pool-id mypool

-## Create tasks

-Now use the [az batch task create](/cli/azure/batch/task#az-batch-task-create) command to create some tasks to run in the job. In this example, you create four identical tasks. Each task runs a `command-line` to display the Batch environment variables on a compute node, and then waits 90 seconds. When you use Batch, this command line is where you specify your app or script. Batch provides several ways to deploy apps and scripts to compute nodes.

-The following Bash script creates four parallel tasks (*mytask1* to *mytask4*).

- --task-id mytask$i \

- --job-id myjob \

-The command output shows settings for each of the tasks. Batch distributes the tasks to the compute nodes.

-After you create a task, Batch queues it to run on the pool. Once a node is available to run it, the task runs.

-Use the [az batch task show](/cli/azure/batch/task#az-batch-task-show) command to view the status of the Batch tasks. The following example shows details about *mytask1* running on one of the pool nodes.

- --job-id myjob \

- --task-id mytask1

-The command output includes many details, but take note of the `exitCode` of the task command line and the `nodeId`. An `exitCode` of 0 indicates that the task command line completed successfully. The `nodeId` indicates the ID of the pool node on which the task ran.

-To list the files created by a task on a compute node, use the [az batch task file list](/cli/azure/batch/task) command. The following command lists the files created by *mytask1*:

- --job-id myjob \

- --task-id mytask1 \

-Output is similar to the following:

-```

-Name URL Is Directory Content Length

-stdout.txt https://mybatchaccount.eastus2.batch.azure.com/jobs/myjob/tasks/mytask1/files/stdout.txt False 695

-certs https://mybatchaccount.eastus2.batch.azure.com/jobs/myjob/tasks/mytask1/files/certs True

-wd https://mybatchaccount.eastus2.batch.azure.com/jobs/myjob/tasks/mytask1/files/wd True

-stderr.txt https://mybatchaccount.eastus2.batch.azure.com/jobs/myjob/tasks/mytask1/files/stderr.txt False 0

-To download one of the output files to a local directory, use the [az batch task file download](/cli/azure/batch/task) command. In this example, task output is in `stdout.txt`.

- --job-id myjob \

- --task-id mytask1 \

-You can view the contents of `stdout.txt` in a text editor. The contents show the Azure Batch environment variables that are set on the node. When you create your own Batch jobs, you can reference these environment variables in task command lines, and in the apps and scripts run by the command lines. For example:

-```

-AZ_BATCH_TASK_DIR=/mnt/batch/tasks/workitems/myjob/job-1/mytask1

-AZ_BATCH_CERTIFICATES_DIR=/mnt/batch/tasks/workitems/myjob/job-1/mytask1/certs

-AZ_BATCH_TASK_WORKING_DIR=/mnt/batch/tasks/workitems/myjob/job-1/mytask1/wd

-AZ_BATCH_JOB_ID=myjobl

-AZ_BATCH_POOL_ID=mypool

-AZ_BATCH_TASK_ID=mytask1

-If you want to continue with Batch tutorials and samples, use the Batch account and linked storage account created in this quickstart. There is no charge for the Batch account itself.

-You are charged for pools while the nodes are running, even if no jobs are scheduled. When you no longer need a pool, delete it with the [az batch pool delete](/cli/azure/batch/pool#az-batch-pool-delete) command. When you delete the pool, all task output on the nodes is deleted.

-az batch pool delete --pool-id mypool

-When no longer needed, you can use the [az group delete](/cli/azure/group#az-group-delete) command to remove the resource group, Batch account, pools, and all related resources. Delete the resources as follows:

-az group delete --name QuickstartBatch-rg

-In this quickstart, you created a Batch account, a Batch pool, and a Batch job. The job ran sample tasks, and you viewed output created on one of the nodes. Now that you understand the key concepts of the Batch service, you are ready to try Batch with more realistic workloads at larger scale. To learn more about Azure Batch, continue to the Azure Batch tutorials.

-> [Azure Batch tutorials](./tutorial-parallel-dotnet.md)

-description: This quickstart shows how to use the Azure portal to create a Batch account, a pool of compute nodes, and a job that runs basic tasks on the pool.

-# Quickstart: Run your first Batch job in the Azure portal

-Get started with Azure Batch by using the Azure portal to create a Batch account, a pool of compute nodes (virtual machines), and a job that runs tasks on the pool.

-After completing this quickstart, you'll understand the [key concepts of the Batch service](batch-service-workflow-features.md) and be ready to try Batch with more realistic workloads at larger scale.

-## Create a Batch account

-Follow these steps to create a sample Batch account for test purposes. You need a Batch account to create pools and jobs. You can also link an Azure storage account with the Batch account. Although not required for this quickstart, the storage account is useful to deploy applications and store input and output data for most real-world workloads.

-1. In the [Azure portal](https://portal.azure.com), select **Create a resource**.

-1. Type "batch service" in the search box, then select **Batch Service**.

- :::image type="content" source="media/quick-create-portal/marketplace-batch.png" alt-text="Screenshot of Batch Service in the Azure Marketplace.":::

-1. Select **Create**.

-1. In the **Resource group** field, select **Create new** and enter a name for your resource group.

-1. Enter a value for **Account name**. This name must be unique within the Azure **Location** selected. It can contain only lowercase letters and numbers, and it must be between 3-24 characters.

-1. Optionally, under **Storage account**, you can specify a storage account. Click **Select a storage account**, then select an existing storage account or create a new one.

-1. Leave the other settings as is. Select **Review + create**, then select **Create** to create the Batch account.

-When the **Deployment succeeded** message appears, go to the Batch account that you created.

-Now that you have a Batch account, create a sample pool of Windows compute nodes for test purposes. The pool in this quickstart consists of two nodes running a Windows Server 2019 image from the Azure Marketplace.

-1. In the Batch account, select **Pools** > **Add**.

-1. Enter a **Pool ID** called *mypool*.

-1. In **Operating System**, use the following settings (you can explore other options).

-

- |Setting |Value |

- |||

- |**Image Type**|Marketplace|

- |**Publisher** |microsoftwindowsserver|

- |**Offer** |windowsserver|

- |**Sku** |2019-datacenter-core-smalldisk|

-1. Scroll down to enter **Node Size** and **Scale** settings. The suggested node size offers a good balance of performance versus cost for this quick example.

-

- |Setting |Value |

- |||

- |**Node pricing tier** |Standard_A1_v2|

- |**Target dedicated nodes** |2|

-1. Keep the defaults for remaining settings, and select **OK** to create the pool.

-Batch creates the pool immediately, but it takes a few minutes to allocate and start the compute nodes. During this time, the pool's **Allocation state** is **Resizing**. You can go ahead and create a job and tasks while the pool is resizing.

-After a few minutes, the allocation state changes to **Steady**, and the nodes start. To check the state of the nodes, select the pool and then select **Nodes**. When a node's state is **Idle**, it is ready to run tasks.

-Now that you have a pool, create a job to run on it. A Batch job is a logical group of one or more tasks. A job includes settings common to the tasks, such as priority and the pool to run tasks on. The job won't have tasks until you create them.

-1. In the Batch account view, select **Jobs** > **Add**.

-1. Enter a **Job ID** called *myjob*.

-1. In **Pool**, select *mypool*.

-1. Keep the defaults for the remaining settings, and select **OK**.

-Now, select the job to open the **Tasks** page. This is where you'll create sample tasks to run in the job. Typically, you create multiple tasks that Batch queues and distributes to run on the compute nodes. In this example, you create two identical tasks. Each task runs a command line to display the Batch environment variables on a compute node, and then waits 90 seconds.

-When you use Batch, the command line is where you specify your app or script. Batch provides several ways to deploy apps and scripts to compute nodes.

-To create the first task:

-1. Select **Add**.

-1. Enter a **Task ID** called *mytask*.

-1. In **Command line**, enter `cmd /c "set AZ_BATCH & timeout /t 90 > NUL"`. Keep the defaults for the remaining settings, and select **Submit**.

-Repeat the steps above to create a second task. Enter a different **Task ID** such as *mytask2*, but use the same command line.

-After you create a task, Batch queues it to run on the pool. When a node is available to run it, the task runs. In our example, if the first task is still running on one node, Batch will start the second task on the other node in the pool.

-The example tasks you created will complete in a couple of minutes. To view the output of a completed task, select the task, then select the file `stdout.txt` to view the standard output of the task. The contents are similar to the following example:

-The contents show the Azure Batch environment variables that are set on the node. When you create your own Batch jobs and tasks, you can reference these environment variables in task command lines, and in the apps and scripts run by the command lines.

-If you want to continue with Batch tutorials and samples, you can keep using the Batch account and linked storage account created in this quickstart. There is no charge for the Batch account itself.

-You are charged for the pool while the nodes are running, even if no jobs are scheduled. When you no longer need the pool, delete it. In the account view, select **Pools** and the name of the pool. Then select **Delete**. After you delete the pool, all task output on the nodes is deleted.

-When no longer needed, delete the resource group, Batch account, and all related resources. To do so, select the resource group for the Batch account and select **Delete resource group**.

-In this quickstart, you created a Batch account, a Batch pool, and a Batch job. The job ran sample tasks, and you viewed output created on one of the nodes. Now that you understand the key concepts of the Batch service, you are ready to try Batch with more realistic workloads at larger scale. To learn more about Azure Batch, continue to the Azure Batch tutorials.

-description: In this quickstart, you run an Azure Batch sample job and tasks using the Batch Python client library. Learn the key concepts of the Batch service.

-# Quickstart: Use Python API to run an Azure Batch job

-Get started with Azure Batch by using the Python API to run an Azure Batch job from an app. The app uploads input data files to Azure Storage and creates a pool of Batch compute nodes (virtual machines). It then creates a job that runs tasks to process each input file in the pool using a basic command.

-After completing this quickstart, you'll understand key concepts of the Batch service and be ready to try Batch with more realistic workloads at larger scale.

-

-## Sign in to Azure

-Sign in to the Azure portal at [https://portal.azure.com](https://portal.azure.com).

-## Download the sample

-[Download or clone the sample app](https://github.com/Azure-Samples/batch-python-quickstart) from GitHub. To clone the sample app repo with a Git client, use the following command:

-```bash

-git clone https://github.com/Azure-Samples/batch-python-quickstart.git

-```

-Go to the directory that contains the Python script `python_quickstart_client.py`.

-In your Python development environment, install the required packages using `pip`.

-```bash

-pip install -r requirements.txt

-```

-Open the file `config.py`. Update the Batch and storage account credential strings with the values you obtained for your accounts. For example:

-```Python

-BATCH_ACCOUNT_NAME = 'mybatchaccount'

-BATCH_ACCOUNT_KEY = 'xxxxxxxxxxxxxxxxE+yXrRvJAqT9BlXwwo1CwF+SwAYOxxxxxxxxxxxxxxxx43pXi/gdiATkvbpLRl3x14pcEQ=='

-BATCH_ACCOUNT_URL = 'https://mybatchaccount.mybatchregion.batch.azure.com'

-STORAGE_ACCOUNT_NAME = 'mystorageaccount'

-STORAGE_ACCOUNT_KEY = 'xxxxxxxxxxxxxxxxy4/xxxxxxxxxxxxxxxxfwpbIC5aAWA8wDu+AFXZB827Mt9lybZB1nUcQbQiUrkPtilK5BQ=='

-## Run the app

-To see the Batch workflow in action, run the script:

-After running the script, review the code to learn what each part of the application does.

-When you run the sample application, the console output is similar to the following. During execution, you experience a pause at `Monitoring all tasks for 'Completed' state, timeout in 00:30:00...` while the pool's compute nodes are started. Tasks are queued to run as soon as the first compute node is running. Go to your Batch account in the [Azure portal](https://portal.azure.com) to monitor the pool, compute nodes, job, and tasks in your Batch account.

-Sample start: 11/26/2018 4:02:54 PM

-After tasks complete, you see output similar to the following for each task:

-Batch processing began with mainframe computers and punch cards. Today it still plays a central role in business, engineering, science, and other pursuits that require running lots of automated tasks....

-...

-Typical execution time is approximately 3 minutes when you run the application in its default configuration. Initial pool setup takes the most time.

-The Python app in this quickstart does the following:

-See the file `python_quickstart_client.py` and the following sections for details.

-### Preliminaries

-To interact with a storage account, the app creates a [BlobServiceClient](/python/api/azure-storage-blob/azure.storage.blob.blobserviceclient) object.

-```python

-blob_service_client = BlobServiceClient(

- account_url=f"https://{config.STORAGE_ACCOUNT_NAME}.{config.STORAGE_ACCOUNT_DOMAIN}/",

- credential=config.STORAGE_ACCOUNT_KEY

- )

-```

-The app uses the `blob_service_client` reference to create a container in the storage account and to upload data files to the container. The files in storage are defined as Batch [ResourceFile](/python/api/azure-batch/azure.batch.models.resourcefile) objects that Batch can later download to compute nodes.

-```python

-input_file_paths = [os.path.join(sys.path[0], 'taskdata0.txt'),

- os.path.join(sys.path[0], 'taskdata1.txt'),

- os.path.join(sys.path[0], 'taskdata2.txt')]

-input_files = [

- upload_file_to_container(blob_service_client, input_container_name, file_path)

- for file_path in input_file_paths]

-```

-The app creates a [BatchServiceClient](/python/api/azure.batch.batchserviceclient) object to create and manage pools, jobs, and tasks in the Batch service. The Batch client in the sample uses shared key authentication. Batch also supports Azure Active Directory authentication.

-```python

-credentials = SharedKeyCredentials(config.BATCH_ACCOUNT_NAME,

- config.BATCH_ACCOUNT_KEY)

- batch_client = BatchServiceClient(

- credentials,

- batch_url=config.BATCH_ACCOUNT_URL)

-```

-To create a Batch pool, the app uses the [PoolAddParameter](/python/api/azure-batch/azure.batch.models.pooladdparameter) class to set the number of nodes, VM size, and a pool configuration. Here, a [VirtualMachineConfiguration](/python/api/azure-batch/azure.batch.models.virtualmachineconfiguration) object specifies an [ImageReference](/python/api/azure-batch/azure.batch.models.imagereference) to an Ubuntu Server 20.04 LTS image published in the Azure Marketplace. Batch supports a wide range of Linux and Windows Server images in the Azure Marketplace, as well as custom VM images.

-The number of nodes (`POOL_NODE_COUNT`) and VM size (`POOL_VM_SIZE`) are defined constants. The sample by default creates a pool of 2 size *Standard_DS1_v2* nodes. The size suggested offers a good balance of performance versus cost for this quick example.

-The [pool.add](/python/api/azure-batch/azure.batch.operations.pooloperations) method submits the pool to the Batch service.

-A Batch job is a logical grouping of one or more tasks. A job includes settings common to the tasks, such as priority and the pool to run tasks on. The app uses the [JobAddParameter](/python/api/azure-batch/azure.batch.models.jobaddparameter) class to create a job on your pool. The [job.add](/python/api/azure-batch/azure.batch.operations.joboperations) method adds a job to the specified Batch account. Initially the job has no tasks.

-The app creates a list of task objects using the [TaskAddParameter](/python/api/azure-batch/azure.batch.models.taskaddparameter) class. Each task processes an input `resource_files` object using a `command_line` parameter. In the sample, the command line runs the Bash shell `cat` command to display the text file. This command is a simple example for demonstration purposes. When you use Batch, the command line is where you specify your app or script. Batch provides a number of ways to deploy apps and scripts to compute nodes.

-Then, the app adds tasks to the job with the [task.add_collection](/python/api/azure-batch/azure.batch.operations.taskoperations) method, which queues them to run on the compute nodes.

-The app monitors task state to make sure the tasks complete. Then, the app displays the `stdout.txt` file generated by each completed task. When the task runs successfully, the output of the task command is written to `stdout.txt`:

-The app automatically deletes the storage container it creates, and gives you the option to delete the Batch pool and job. You are charged for the pool while the nodes are running, even if no jobs are scheduled. When you no longer need the pool, delete it. When you delete the pool, all task output on the nodes is deleted.

-When no longer needed, delete the resource group, Batch account, and storage account. To do so in the Azure portal, select the resource group for the Batch account and select **Delete resource group**.

-In this quickstart, you ran a small app built using the Batch Python API to create a Batch pool and a Batch job. The job ran sample tasks, and downloaded output created on the nodes. Now that you understand the key concepts of the Batch service, you are ready to try Batch with more realistic workloads at larger scale. To learn more about Azure Batch, and walk through a parallel workload with a real-world application, continue to the Batch Python tutorial.

-description: Tutorial - Transcode media files in parallel with ffmpeg in Azure Batch using the Batch .NET client library

-Use Azure Batch to run large-scale parallel and high-performance computing (HPC) batch jobs efficiently in Azure. This tutorial walks through a C# example of running a parallel workload using Batch. You learn a common Batch application workflow and how to interact programmatically with Batch and Storage resources. You learn how to:

-> * Add an application package to your Batch account

-> * Authenticate with Batch and Storage accounts

-> * Upload input files to Storage

-> * Create a pool of compute nodes to run an application

-> * Create a job and tasks to process input files

-> * Monitor task execution

-> * Retrieve output files

-In this tutorial, you convert MP4 media files in parallel to MP3 format using the [ffmpeg](https://ffmpeg.org/) open-source tool.

-* [Visual Studio 2017 or later](https://www.visualstudio.com/vs), or [.NET Core 2.1 SDK](https://dotnet.microsoft.com/download/dotnet/2.1) for Linux, macOS, or Windows.

-* A Batch account and a linked Azure Storage account. To create these accounts, see the Batch quickstarts using the [Azure portal](quick-create-portal.md) or [Azure CLI](quick-create-cli.md).

-* Download the appropriate version of ffmpeg for your use case to your local computer. This tutorial and the related sample app use the [Windows 64-bit version of ffmpeg 4.3.1](https://github.com/GyanD/codexffmpeg/releases/tag/4.3.1-2020-11-08). For this tutorial, you only need the zip file. You do not need to unzip the file or install it locally.

-Sign in to the Azure portal at [https://portal.azure.com](https://portal.azure.com).

-1. In the Azure portal, click **More services** > **Batch accounts**, and click the name of your Batch account.

-3. Click **Applications** > **Add**.

-4. For **Application id** enter *ffmpeg*, and a package version of *4.3.1*. Select the ffmpeg zip file you downloaded previously, and then click **OK**. The ffmpeg application package is added to your Batch account.

-

-## Download and run the sample

-### Download the sample

-Navigate to the directory that contains the Visual Studio solution file `BatchDotNetFfmpegTutorial.sln`.

-Open the solution file in Visual Studio, and update the credential strings in `Program.cs` with the values you obtained for your accounts. For example:

-private const string BatchAccountName = "mybatchaccount";

-private const string BatchAccountUrl = "https://mybatchaccount.mybatchregion.batch.azure.com";

-private const string StorageAccountName = "mystorageaccount";

-* Right-click the solution in Solution Explorer and click **Build Solution**.

-* Confirm the restoration of any NuGet packages, if you're prompted. If you need to download missing packages, ensure the [NuGet Package Manager](https://docs.nuget.org/consume/installing-nuget) is installed.

-Then run it. When you run the sample application, the console output is similar to the following. During execution, you experience a pause at `Monitoring all tasks for 'Completed' state, timeout in 00:30:00...` while the pool's compute nodes are started.

-Go to your Batch account in the Azure portal to monitor the pool, compute nodes, job, and tasks. For example, to see a heat map of the compute nodes in your pool, click **Pools** > *WinFFmpegPool*.

-

-Typical execution time is approximately **10 minutes** when you run the application in its default configuration. Pool creation takes the most time.

-The following sections break down the sample application into the steps that it performs to process a workload in the Batch service. Refer to the file `Program.cs` in the solution while you read the rest of this article, since not every line of code in the sample is discussed.

-Then, files are uploaded to the input container from the local `InputFiles` folder. The files in storage are defined as Batch [ResourceFile](/dotnet/api/microsoft.azure.batch.resourcefile) objects that Batch can later download to compute nodes.

-Two methods in `Program.cs` are involved in uploading the files:

-* `UploadFilesToContainerAsync`: Returns a collection of ResourceFile objects and internally calls `UploadResourceFileToContainerAsync` to upload each file that is passed in the `inputFilePaths` parameter.

-* `UploadResourceFileToContainerAsync`: Uploads each file as a blob to the input container. After uploading the file, it obtains a shared access signature (SAS) for the blob and returns a ResourceFile object to represent it.

->Be sure you check your node quotas. See [Batch service quotas and limits](batch-quota-limit.md#increase-a-quota) for instructions on how to create a quota request."

-Replace the executable's file path with the name of the version that you downloaded. This sample code uses the example `ffmpeg-4.3.1-2020-09-21-full_build`.

-> * Add an application package to your Batch account

-> * Authenticate with Batch and Storage accounts

-> * Upload input files to Storage

-> * Create a pool of compute nodes to run an application

-> * Create a job and tasks to process input files

-> * Monitor task execution

-> * Retrieve output files

-For more examples of using the .NET API to schedule and process Batch workloads, see the samples on GitHub.

-> [!div class="nextstepaction"]

-> [Batch C# samples](https://github.com/Azure-Samples/azure-batch-samples/tree/master/CSharp)

-description: Tutorial - Process media files in parallel with ffmpeg in Azure Batch using the Batch Python client library

-Use Azure Batch to run large-scale parallel and high-performance computing (HPC) batch jobs efficiently in Azure. This tutorial walks through a Python example of running a parallel workload using Batch. You learn a common Batch application workflow and how to interact programmatically with Batch and Storage resources. You learn how to:

-> * Authenticate with Batch and Storage accounts

-> * Upload input files to Storage

-> * Create a pool of compute nodes to run an application

-> * Create a job and tasks to process input files

-> * Monitor task execution

-> * Retrieve output files

-In this tutorial, you convert MP4 media files in parallel to MP3 format using the [ffmpeg](https://ffmpeg.org/) open-source tool.

-* [Python version 3.7+](https://www.python.org/downloads/)

-* [pip](https://pip.pypa.io/en/stable/installing/) package manager

-* An Azure Batch account and a linked Azure Storage account. To create these accounts, see the Batch quickstarts using the [Azure portal](quick-create-portal.md) or [Azure CLI](quick-create-cli.md).

-Sign in to the Azure portal at [https://portal.azure.com](https://portal.azure.com).

-## Download and run the sample

-### Download the sample

-Navigate to the directory that contains the file `batch_python_tutorial_ffmpeg.py`.

-Open the file `config.py`. Update the Batch and storage account credential strings with the values unique to your accounts. For example:

-_BATCH_ACCOUNT_NAME = 'mybatchaccount'

-_BATCH_ACCOUNT_URL = 'https://mybatchaccount.mybatchregion.batch.azure.com'

-Go to your Batch account in the Azure portal to monitor the pool, compute nodes, job, and tasks. For example, to see a heat map of the compute nodes in your pool, click **Pools** > *LinuxFFmpegPool*.

-

-Typical execution time is approximately **5 minutes** when you run the application in its default configuration. Pool creation takes the most time.

-The app uses the `blob_client` reference create a storage container for the input MP4 files and a container for the task output. Then, it calls the `upload_file_to_container` function to upload MP4 files in the local `InputFiles` directory to the container. The files in storage are defined as Batch [ResourceFile](/python/api/azure-batch/azure.batch.models.resourcefile) objects that Batch can later download to compute nodes.

-The number of nodes and VM size are set using defined constants. Batch supports dedicated nodes and [Spot nodes](batch-spot-vms.md), and you can use either or both in your pools. Dedicated nodes are reserved for your pool. Spot nodes are offered at a reduced price from surplus VM capacity in Azure. Spot nodes become unavailable if Azure does not have enough capacity. The sample by default creates a pool containing only 5 Spot nodes in size *Standard_A1_v2*.

-When no longer needed, delete the resource group, Batch account, and storage account. To do so in the Azure portal, select the resource group for the Batch account and click **Delete resource group**.

-> * Authenticate with Batch and Storage accounts

-> * Upload input files to Storage

-> * Create a pool of compute nodes to run an application

-> * Create a job and tasks to process input files

-> * Monitor task execution

-> * Retrieve output files

-For more examples of using the Python API to schedule and process Batch workloads, see the samples on GitHub.

-> [!div class="nextstepaction"]

-> [Batch Python samples](https://github.com/Azure/azure-batch-samples/tree/master/Python/Batch)

-# How to translate behind IP firewalls with Translator

-Translator can translate behind firewalls using either domain-name or IP filtering. Domain-name filtering is the preferred method. If you still require IP filtering, we suggest you to get the [IP addresses details using service tag](../../virtual-network/service-tags-overview.md#service-tags-on-premises). Translator is under the **CognitiveServicesManagement** service tag.

-We **do not recommend** running Microsoft Translator from behind a specific IP filtered firewall. The setup is likely to break in the future without notice.

-To force the request to be handled within a specific geography, use the desired geographical endpoint. All requests are processed among the datacenters within the geography.

-|Global (non-regional)| api.cognitive.microsofttranslator.com|Closest available datacenter|

-¹ Customers with a resource located in Switzerland North or Switzerland West can ensure that their Text API requests are served within Switzerland. To ensure that requests are handled in Switzerland, create the Translator resource in the 'Resource region' 'Switzerland North' or 'Switzerland West', then use the resource's custom endpoint in your API requests. For example: If you create a Translator resource in Azure portal with 'Resource region' as 'Switzerland North' and your resource name is 'my-swiss-n', then your custom endpoint is "https://my-swiss-n.cognitiveservices.azure.com". And a sample request to translate is:

-² Custom Translator isn't currently available in Switzerland.

-### Secret key

-|Ocp-Apim-ResourceId| The value is the Resource ID for your Translator resource instance.</br><ul><li>You'll find the Resource ID in the Azure portal at **Translator Resource → Properties**. </li><li>Resource ID format: </br>/subscriptions/<**subscriptionId**>/resourceGroups/<**resourceGroupName**>/providers/Microsoft.CognitiveServices/accounts/<**resourceName**>/</li></ul>|

- * `code`: A server-defined error code.

- * `message`: A string giving a human-readable representation of the error.

-description: Learn about the data formats accepted by custom text analytics for health.

-# Accepted data formats in custom text analytics for health

-Use this article to learn about formatting your data to be imported into custom text analytics for health.

-If you are trying to [import your data](../how-to/create-project.md#import-project) into custom Text Analytics for health, it has to follow a specific format. If you don't have data to import, you can [create your project](../how-to/create-project.md) and use the Language Studio to [label your documents](../how-to/label-data.md).

-Your Labels file should be in the `json` format below to be used when importing your labels into a project.

-```json

-{

- "projectFileVersion": "{API-VERSION}",

- "stringIndexType": "Utf16CodeUnit",

- "metadata": {

- "projectName": "{PROJECT-NAME}",

- "projectKind": "CustomHealthcare",

- "description": "Trying out custom Text Analytics for health",

- "language": "{LANGUAGE-CODE}",

- "multilingual": true,

- "storageInputContainerName": "{CONTAINER-NAME}",

- "settings": {}

- },

- "assets": {

- "projectKind": "CustomHealthcare",

- "entities": [

- {

- "category": "Entity1",

- "compositionSetting": "{COMPOSITION-SETTING}",

- "list": {

- "sublists": [

- {

- "listKey": "One",

- "synonyms": [

- {

- "language": "en",

- "values": [

- "EntityNumberOne",

- "FirstEntity"

- ]

- }

- ]

- }

- ]

- }

- },

- {

- "category": "Entity2"

- },

- {

- "category": "MedicationName",

- "list": {

- "sublists": [

- {

- "listKey": "research drugs",

- "synonyms": [

- {

- "language": "en",

- "values": [

- "rdrug a",

- "rdrug b"

- ]

- }

- ]

- }

- ]

- }

- "prebuilts": "MedicationName"

- }

- ],

- "documents": [

- {

- "location": "{DOCUMENT-NAME}",

- "language": "{LANGUAGE-CODE}",

- "dataset": "{DATASET}",

- "entities": [

- {

- "regionOffset": 0,

- "regionLength": 500,

- "labels": [

- {

- "category": "Entity1",

- "offset": 25,

- "length": 10

- },

- {

- "category": "Entity2",

- "offset": 120,

- "length": 8

- }

- ]

- }

- ]

- },

- {

- "location": "{DOCUMENT-NAME}",

- "language": "{LANGUAGE-CODE}",

- "dataset": "{DATASET}",

- "entities": [

- {

- "regionOffset": 0,

- "regionLength": 100,

- "labels": [

- {

- "category": "Entity2",

- "offset": 20,

- "length": 5

- }

- ]

- }

- ]

- }

- ]

- }

-}

-```

-|Key |Placeholder |Value | Example |

-|||-|--|

-| `multilingual` | `true`| A boolean value that enables you to have documents in multiple languages in your dataset and when your model is deployed you can query the model in any supported language (not necessarily included in your training documents). See [language support](../language-support.md#) to learn more about multilingual support. | `true`|

-|`projectName`|`{PROJECT-NAME}`|Project name|`myproject`|

-| `storageInputContainerName` |`{CONTAINER-NAME}`|Container name|`mycontainer`|

-| `entities` | | Array containing all the entity types you have in the project. These are the entity types that will be extracted from your documents into.| |

-| `category` | | The name of the entity type, which can be user defined for new entity definitions, or predefined for prebuilt entities. For more information, see the entity naming rules below.| |

-|`compositionSetting`|`{COMPOSITION-SETTING}`|Rule that defines how to manage multiple components in your entity. Options are `combineComponents` or `separateComponents`. |`combineComponents`|

-| `list` | | Array containing all the sublists you have in the project for a specific entity. Lists can be added to prebuilt entities or new entities with learned components.| |

-|`sublists`|`[]`|Array containing sublists. Each sublist is a key and its associated values.|`[]`|

-| `listKey`| `One` | A normalized value for the list of synonyms to map back to in prediction. | `One` |

-|`synonyms`|`[]`|Array containing all the synonyms|synonym|

-| `language` | `{LANGUAGE-CODE}` | A string specifying the language code for the synonym in your sublist. If your project is a multilingual project and you want to support your list of synonyms for all the languages in your project, you have to explicitly add your synonyms to each language. See [Language support](../language-support.md) for more information about supported language codes. |`en`|

-| `values`| `"EntityNumberone"`, `"FirstEntity"` | A list of comma separated strings that will be matched exactly for extraction and map to the list key. | `"EntityNumberone"`, `"FirstEntity"` |

-| `prebuilts` | `MedicationName` | The name of the prebuilt component populating the prebuilt entity. [Prebuilt entities](../../text-analytics-for-health/concepts/health-entity-categories.md) are automatically loaded into your project by default but you can extend them with list components in your labels file. | `MedicationName` |

-| `documents` | | Array containing all the documents in your project and list of the entities labeled within each document. | [] |

-| `location` | `{DOCUMENT-NAME}` | The location of the documents in the storage container. Since all the documents are in the root of the container this should be the document name.|`doc1.txt`|

-| `dataset` | `{DATASET}` | The test set to which this file goes to when split before training. Learn more about data splitting [here](../how-to/train-model.md#data-splitting). Possible values for this field are `Train` and `Test`. |`Train`|

-| `regionOffset` | | The inclusive character position of the start of the text. |`0`|

-| `regionLength` | | The length of the bounding box in terms of UTF16 characters. Training only considers the data in this region. |`500`|

-| `category` | | The type of entity associated with the span of text specified. | `Entity1`|

-| `offset` | | The start position for the entity text. | `25`|

-| `length` | | The length of the entity in terms of UTF16 characters. | `20`|

-| `language` | `{LANGUAGE-CODE}` | A string specifying the language code for the document used in your project. If your project is a multilingual project, choose the language code of the majority of the documents. See [Language support](../language-support.md) for more information about supported language codes. |`en`|

-## Entity naming rules

-1. [Prebuilt entity names](../../text-analytics-for-health/concepts/health-entity-categories.md) are predefined. They must be populated with a prebuilt component and it must match the entity name.

-2. New user defined entities (entities with learned components or labeled text) can't use prebuilt entity names.

-3. New user defined entities can't be populated with prebuilt components as prebuilt components must match their associated entities names and have no labeled data assigned to them in the documents array.

-## Next steps

-* You can import your labeled data into your project directly. Learn how to [import project](../how-to/create-project.md#import-project)

-* See the [how-to article](../how-to/label-data.md) more information about labeling your data.

-* When you're done labeling your data, you can [train your model](../how-to/train-model.md).

-description: Learn how custom Text Analytics for health extracts entities from text

-# Entity components in custom text analytics for health

-In custom Text Analytics for health, entities are relevant pieces of information that are extracted from your unstructured input text. An entity can be extracted by different methods. They can be learned through context, matched from a list, or detected by a prebuilt recognized entity. Every entity in your project is composed of one or more of these methods, which are defined as your entity's components. When an entity is defined by more than one component, their predictions can overlap. You can determine the behavior of an entity prediction when its components overlap by using a fixed set of options in the **Entity options**.

-## Component types

-An entity component determines a way you can extract the entity. An entity can contain one component, which would determine the only method that would be used to extract the entity, or multiple components to expand the ways in which the entity is defined and extracted.

-The [Text Analytics for health entities](../../text-analytics-for-health/concepts/health-entity-categories.md) are automatically loaded into your project as entities with prebuilt components. You can define list components for entities with prebuilt components but you can't add learned components. Similarly, you can create new entities with learned and list components, but you can't populate them with additional prebuilt components.

-### Learned component

-The learned component uses the entity tags you label your text with to train a machine learned model. The model learns to predict where the entity is, based on the context within the text. Your labels provide examples of where the entity is expected to be present in text, based on the meaning of the words around it and as the words that were labeled. This component is only defined if you add labels to your data for the entity. If you do not label any data, it will not have a learned component.

-The Text Analytics for health entities, which by default have prebuilt components can't be extended with learned components, meaning they do not require or accept further labeling to function.

-### List component

-The list component represents a fixed, closed set of related words along with their synonyms. The component performs an exact text match against the list of values you provide as synonyms. Each synonym belongs to a "list key", which can be used as the normalized, standard value for the synonym that will return in the output if the list component is matched. List keys are **not** used for matching.

-In multilingual projects, you can specify a different set of synonyms for each language. While using the prediction API, you can specify the language in the input request, which will only match the synonyms associated to that language.

-### Prebuilt component

-The [Text Analytics for health entities](../../text-analytics-for-health/concepts/health-entity-categories.md) are automatically loaded into your project as entities with prebuilt components. You can define list components for entities with prebuilt components but you cannot add learned components. Similarly, you can create new entities with learned and list components, but you cannot populate them with additional prebuilt components. Entities with prebuilt components are pretrained and can extract information relating to their categories without any labels.

-## Entity options

-When multiple components are defined for an entity, their predictions may overlap. When an overlap occurs, each entity's final prediction is determined by one of the following options.

-### Combine components

-Combine components as one entity when they overlap by taking the union of all the components.

-Use this to combine all components when they overlap. When components are combined, you get all the extra information thatΓÇÖs tied to a list or prebuilt component when they are present.

-#### Example

-Suppose you have an entity called Software that has a list component, which contains ΓÇ£Proseware OSΓÇ¥ as an entry. In your input data, you have ΓÇ£I want to buy Proseware OS 9ΓÇ¥ with ΓÇ£Proseware OS 9ΓÇ¥ tagged as Software:

-By using combine components, the entity will return with the full context as ΓÇ£Proseware OS 9ΓÇ¥ along with the key from the list component:

-Suppose you had the same utterance but only ΓÇ£OS 9ΓÇ¥ was predicted by the learned component:

-With combine components, the entity will still return as ΓÇ£Proseware OS 9ΓÇ¥ with the key from the list component:

-### Don't combine components

-Each overlapping component will return as a separate instance of the entity. Apply your own logic after prediction with this option.

-#### Example

-Suppose you have an entity called Software that has a list component, which contains ΓÇ£Proseware DesktopΓÇ¥ as an entry. In your labeled data, you have ΓÇ£I want to buy Proseware Desktop ProΓÇ¥ with ΓÇ£Proseware Desktop ProΓÇ¥ labeled as Software:

-When you do not combine components, the entity will return twice:

-## How to use components and options

-Components give you the flexibility to define your entity in more than one way. When you combine components, you make sure that each component is represented and you reduce the number of entities returned in your predictions.

-A common practice is to extend a prebuilt component with a list of values that the prebuilt might not support. For example, if you have a **Medication Name** entity, which has a `Medication.Name` prebuilt component added to it, the entity may not predict all the medication names specific to your domain. You can use a list component to extend the values of the Medication Name entity and thereby extending the prebuilt with your own values of Medication Names.

-Other times you may be interested in extracting an entity through context such as a **medical device**. You would label for the learned component of the medical device to learn _where_ a medical device is based on its position within the sentence. You may also have a list of medical devices that you already know before hand that you'd like to always extract. Combining both components in one entity allows you to get both options for the entity.

-When you do not combine components, you allow every component to act as an independent entity extractor. One way of using this option is to separate the entities extracted from a list to the ones extracted through the learned or prebuilt components to handle and treat them differently.

-## Next steps

-* [Entities with prebuilt components](../../text-analytics-for-health/concepts/health-entity-categories.md)

-description: Learn about evaluation metrics in custom Text Analytics for health

-# Evaluation metrics for custom Text Analytics for health models

-Your [dataset is split](../how-to/train-model.md#data-splitting) into two parts: a set for training, and a set for testing. The training set is used to train the model, while the testing set is used as a test for model after training to calculate the model performance and evaluation. The testing set is not introduced to the model through the training process, to make sure that the model is tested on new data.

-Model evaluation is triggered automatically after training is completed successfully. The evaluation process starts by using the trained model to predict user defined entities for documents in the test set, and compares them with the provided data labels (which establishes a baseline of truth). The results are returned so you can review the modelΓÇÖs performance. User defined entities are **included** in the evaluation factoring in Learned and List components; Text Analytics for health prebuilt entities are **not** factored in the model evaluation. For evaluation, custom Text Analytics for health uses the following metrics:

-* **Precision**: Measures how precise/accurate your model is. It is the ratio between the correctly identified positives (true positives) and all identified positives. The precision metric reveals how many of the predicted entities are correctly labeled.

- `Precision = #True_Positive / (#True_Positive + #False_Positive)`

-* **Recall**: Measures the model's ability to predict actual positive classes. It is the ratio between the predicted true positives and what was actually tagged. The recall metric reveals how many of the predicted entities are correct.

- `Recall = #True_Positive / (#True_Positive + #False_Negatives)`

-* **F1 score**: The F1 score is a function of Precision and Recall. It's needed when you seek a balance between Precision and Recall.

- `F1 Score = 2 * Precision * Recall / (Precision + Recall)` <br>

->[!NOTE]

-> Precision, recall and F1 score are calculated for each entity separately (*entity-level* evaluation) and for the model collectively (*model-level* evaluation).

-## Model-level and entity-level evaluation metrics

-Precision, recall, and F1 score are calculated for each entity separately (entity-level evaluation) and for the model collectively (model-level evaluation).

-The definitions of precision, recall, and evaluation are the same for both entity-level and model-level evaluations. However, the counts for *True Positives*, *False Positives*, and *False Negatives* differ can differ. For example, consider the following text.

-### Example

-*The first party of this contract is John Smith, resident of 5678 Main Rd., City of Frederick, state of Nebraska. And the second party is Forrest Ray, resident of 123-345 Integer Rd., City of Corona, state of New Mexico. There is also Fannie Thomas resident of 7890 River Road, city of Colorado Springs, State of Colorado.*

-The model extracting entities from this text could have the following predictions:

-| Entity | Predicted as | Actual type |

-|--|--|--|

-| John Smith | Person | Person |

-| Frederick | Person | City |

-| Forrest | City | Person |

-| Fannie Thomas | Person | Person |

-| Colorado Springs | City | City |

-### Entity-level evaluation for the *person* entity

-The model would have the following entity-level evaluation, for the *person* entity:

-| Key | Count | Explanation |

-|--|--|--|

-| True Positive | 2 | *John Smith* and *Fannie Thomas* were correctly predicted as *person*. |

-| False Positive | 1 | *Frederick* was incorrectly predicted as *person* while it should have been *city*. |

-| False Negative | 1 | *Forrest* was incorrectly predicted as *city* while it should have been *person*. |

-* **Precision**: `#True_Positive / (#True_Positive + #False_Positive)` = `2 / (2 + 1) = 0.67`

-* **Recall**: `#True_Positive / (#True_Positive + #False_Negatives)` = `2 / (2 + 1) = 0.67`

-* **F1 Score**: `2 * Precision * Recall / (Precision + Recall)` = `(2 * 0.67 * 0.67) / (0.67 + 0.67) = 0.67`

-### Entity-level evaluation for the *city* entity

-The model would have the following entity-level evaluation, for the *city* entity:

-| Key | Count | Explanation |

-|--|--|--|

-| True Positive | 1 | *Colorado Springs* was correctly predicted as *city*. |

-| False Positive | 1 | *Forrest* was incorrectly predicted as *city* while it should have been *person*. |

-| False Negative | 1 | *Frederick* was incorrectly predicted as *person* while it should have been *city*. |

-* **Precision** = `#True_Positive / (#True_Positive + #False_Positive)` = `1 / (1 + 1) = 0.5`

-* **Recall** = `#True_Positive / (#True_Positive + #False_Negatives)` = `1 / (1 + 1) = 0.5`

-* **F1 Score** = `2 * Precision * Recall / (Precision + Recall)` = `(2 * 0.5 * 0.5) / (0.5 + 0.5) = 0.5`

-### Model-level evaluation for the collective model

-The model would have the following evaluation for the model in its entirety:

-| Key | Count | Explanation |

-|--|--|--|

-| True Positive | 3 | *John Smith* and *Fannie Thomas* were correctly predicted as *person*. *Colorado Springs* was correctly predicted as *city*. This is the sum of true positives for all entities. |

-| False Positive | 2 | *Forrest* was incorrectly predicted as *city* while it should have been *person*. *Frederick* was incorrectly predicted as *person* while it should have been *city*. This is the sum of false positives for all entities. |

-| False Negative | 2 | *Forrest* was incorrectly predicted as *city* while it should have been *person*. *Frederick* was incorrectly predicted as *person* while it should have been *city*. This is the sum of false negatives for all entities. |

-* **Precision** = `#True_Positive / (#True_Positive + #False_Positive)` = `3 / (3 + 2) = 0.6`

-* **Recall** = `#True_Positive / (#True_Positive + #False_Negatives)` = `3 / (3 + 2) = 0.6`

-* **F1 Score** = `2 * Precision * Recall / (Precision + Recall)` = `(2 * 0.6 * 0.6) / (0.6 + 0.6) = 0.6`

-## Interpreting entity-level evaluation metrics

-So what does it actually mean to have high precision or high recall for a certain entity?

-| Recall | Precision | Interpretation |

-|--|--|--|

-| High | High | This entity is handled well by the model. |

-| Low | High | The model cannot always extract this entity, but when it does it is with high confidence. |

-| High | Low | The model extracts this entity well, however it is with low confidence as it is sometimes extracted as another type. |

-| Low | Low | This entity type is poorly handled by the model, because it is not usually extracted. When it is, it is not with high confidence. |

-## Guidance

-After you trained your model, you will see some guidance and recommendation on how to improve the model. It's recommended to have a model covering all points in the guidance section.

-* Training set has enough data: When an entity type has fewer than 15 labeled instances in the training data, it can lead to lower accuracy due to the model not being adequately trained on these cases. In this case, consider adding more labeled data in the training set. You can check the *data distribution* tab for more guidance.

-* All entity types are present in test set: When the testing data lacks labeled instances for an entity type, the modelΓÇÖs test performance may become less comprehensive due to untested scenarios. You can check the *test set data distribution* tab for more guidance.

-* Entity types are balanced within training and test sets: When sampling bias causes an inaccurate representation of an entity typeΓÇÖs frequency, it can lead to lower accuracy due to the model expecting that entity type to occur too often or too little. You can check the *data distribution* tab for more guidance.

-* Entity types are evenly distributed between training and test sets: When the mix of entity types doesnΓÇÖt match between training and test sets, it can lead to lower testing accuracy due to the model being trained differently from how itΓÇÖs being tested. You can check the *data distribution* tab for more guidance.

-* Unclear distinction between entity types in training set: When the training data is similar for multiple entity types, it can lead to lower accuracy because the entity types may be frequently misclassified as each other. Review the following entity types and consider merging them if theyΓÇÖre similar. Otherwise, add more examples to better distinguish them from each other. You can check the *confusion matrix* tab for more guidance.

-## Confusion matrix

-A Confusion matrix is an N x N matrix used for model performance evaluation, where N is the number of entities.

-The matrix compares the expected labels with the ones predicted by the model.

-This gives a holistic view of how well the model is performing and what kinds of errors it is making.

-You can use the Confusion matrix to identify entities that are too close to each other and often get mistaken (ambiguity). In this case consider merging these entity types together. If that isn't possible, consider adding more tagged examples of both entities to help the model differentiate between them.

-The highlighted diagonal in the image below is the correctly predicted entities, where the predicted tag is the same as the actual tag.

-You can calculate the entity-level and model-level evaluation metrics from the confusion matrix:

-* The values in the diagonal are the *True Positive* values of each entity.

-* The sum of the values in the entity rows (excluding the diagonal) is the *false positive* of the model.

-* The sum of the values in the entity columns (excluding the diagonal) is the *false Negative* of the model.

-Similarly,

-* The *true positive* of the model is the sum of *true Positives* for all entities.

-* The *false positive* of the model is the sum of *false positives* for all entities.

-* The *false Negative* of the model is the sum of *false negatives* for all entities.

-## Next steps

-* [Custom text analytics for health overview](../overview.md)

-* [View a model's performance in Language Studio](../how-to/view-model-evaluation.md)

-* [Train a model](../how-to/train-model.md)

-description: Learn how to send a request for custom text analytics for health.

-# Send queries to your custom Text Analytics for health model

-After the deployment is added successfully, you can query the deployment to extract entities from your text based on the model you assigned to the deployment.

-You can query the deployment programmatically using the [Prediction API](https://aka.ms/ct-runtime-api).

-## Test deployed model

-You can use Language Studio to submit the custom Text Analytics for health task and visualize the results.

-## Send a custom text analytics for health request to your model

-# [Language Studio](#tab/language-studio)

-# [REST API](#tab/rest-api)

-First you will need to get your resource key and endpoint:

-### Submit a custom Text Analytics for health task

-### Get task results

-## Next steps

-* [Custom text analytics for health](../overview.md)

-description: Learn about the steps for using Azure resources with custom text analytics for health.

-# How to create custom Text Analytics for health project

-Use this article to learn how to set up the requirements for starting with custom text analytics for health and create a project.

-## Prerequisites

-Before you start using custom text analytics for health, you need:

-* An Azure subscription - [Create one for free](https://azure.microsoft.com/free/cognitive-services).

-## Create a Language resource

-Before you start using custom text analytics for health, you'll need an Azure Language resource. It's recommended to create your Language resource and connect a storage account to it in the Azure portal. Creating a resource in the Azure portal lets you create an Azure storage account at the same time, with all of the required permissions preconfigured. You can also read further in the article to learn how to use a pre-existing resource, and configure it to work with custom text analytics for health.

-You also will need an Azure storage account where you will upload your `.txt` documents that will be used to train a model to extract entities.

-> [!NOTE]

-> * You need to have an **owner** role assigned on the resource group to create a Language resource.

-> * If you will connect a pre-existing storage account, you should have an owner role assigned to it.

-## Create Language resource and connect storage account

-You can create a resource in the following ways:

-* The Azure portal

-* Language Studio

-* PowerShell

-> [!Note]

-> You shouldn't move the storage account to a different resource group or subscription once it's linked with the Language resource.

-> [!NOTE]

-> * The process of connecting a storage account to your Language resource is irreversible, it cannot be disconnected later.

-> * You can only connect your language resource to one storage account.

-## Using a pre-existing Language resource

-## Create a custom Text Analytics for health project

-Once your resource and storage container are configured, create a new custom text analytics for health project. A project is a work area for building your custom AI models based on your data. Your project can only be accessed by you and others who have access to the Azure resource being used. If you have labeled data, you can use it to get started by [importing a project](#import-project).

-### [Language Studio](#tab/language-studio)

-### [REST APIs](#tab/rest-api)

-## Import project

-If you have already labeled data, you can use it to get started with the service. Make sure that your labeled data follows the [accepted data formats](../concepts/data-formats.md).

-### [Language Studio](#tab/language-studio)

-### [REST APIs](#tab/rest-api)

-## Get project details

-### [Language Studio](#tab/language-studio)

-### [REST APIs](#tab/rest-api)

-## Delete project

-### [Language Studio](#tab/language-studio)

-### [REST APIs](#tab/rest-api)

-## Next steps

-* You should have an idea of the [project schema](design-schema.md) you will use to label your data.

-* After you define your schema, you can start [labeling your data](label-data.md), which will be used for model training, evaluation, and finally making predictions.

-description: Learn about deploying a model for custom Text Analytics for health.

-# Deploy a custom text analytics for health model

-Once you're satisfied with how your model performs, it's ready to be deployed and used to recognize entities in text. Deploying a model makes it available for use through the [prediction API](https://aka.ms/ct-runtime-swagger).

-## Prerequisites

-* A successfully [created project](create-project.md) with a configured Azure storage account.

-* Text data that has [been uploaded](design-schema.md#data-preparation) to your storage account.

-* [Labeled data](label-data.md) and a successfully [trained model](train-model.md).

-* Reviewed the [model evaluation details](view-model-evaluation.md) to determine how your model is performing.

-For more information, see [project development lifecycle](../overview.md#project-development-lifecycle).

-## Deploy model

-After you've reviewed your model's performance and decided it can be used in your environment, you need to assign it to a deployment. Assigning the model to a deployment makes it available for use through the [prediction API](https://aka.ms/ct-runtime-swagger). It is recommended to create a deployment named *production* to which you assign the best model you have built so far and use it in your system. You can create another deployment called *staging* to which you can assign the model you're currently working on to be able to test it. You can have a maximum of 10 deployments in your project.

-# [Language Studio](#tab/language-studio)

-

-# [REST APIs](#tab/rest-api)

-### Submit deployment job

-### Get deployment job status

-## Swap deployments

-After you are done testing a model assigned to one deployment and you want to assign this model to another deployment you can swap these two deployments. Swapping deployments involves taking the model assigned to the first deployment, and assigning it to the second deployment. Then taking the model assigned to second deployment, and assigning it to the first deployment. You can use this process to swap your *production* and *staging* deployments when you want to take the model assigned to *staging* and assign it to *production*.

-# [Language Studio](#tab/language-studio)

-# [REST APIs](#tab/rest-api)

-## Delete deployment

-# [Language Studio](#tab/language-studio)

-# [REST APIs](#tab/rest-api)

-## Assign deployment resources

-You can [deploy your project to multiple regions](../../concepts/custom-features/multi-region-deployment.md) by assigning different Language resources that exist in different regions.

-# [Language Studio](#tab/language-studio)

-# [REST APIs](#tab/rest-api)

-## Unassign deployment resources

-When unassigning or removing a deployment resource from a project, you will also delete all the deployments that have been deployed to that resource's region.

-# [Language Studio](#tab/language-studio)

-# [REST APIs](#tab/rest-api)

-## Next steps

-After you have a deployment, you can use it to [extract entities](call-api.md) from text.

-description: Learn about how to select and prepare data, to be successful in creating custom TA4H projects.

-# How to prepare data and define a schema for custom Text Analytics for health

-In order to create a custom TA4H model, you will need quality data to train it. This article covers how you should select and prepare your data, along with defining a schema. Defining the schema is the first step in [project development lifecycle](../overview.md#project-development-lifecycle), and it entailing defining the entity types or categories that you need your model to extract from the text at runtime.

-## Schema design

-Custom Text Analytics for health allows you to extend and customize the Text Analytics for health entity map. The first step of the process is building your schema, which allows you to define the new entity types or categories that you need your model to extract from text in addition to the Text Analytics for health existing entities at runtime.

-* Review documents in your dataset to be familiar with their format and structure.

-* Identify the entities you want to extract from the data.

- For example, if you are extracting entities from support emails, you might need to extract "Customer name", "Product name", "Request date", and "Contact information".

-* Avoid entity types ambiguity.

- **Ambiguity** happens when entity types you select are similar to each other. The more ambiguous your schema the more labeled data you will need to differentiate between different entity types.

- For example, if you are extracting data from a legal contract, to extract "Name of first party" and "Name of second party" you will need to add more examples to overcome ambiguity since the names of both parties look similar. Avoid ambiguity as it saves time, effort, and yields better results.

-* Avoid complex entities. Complex entities can be difficult to pick out precisely from text, consider breaking it down into multiple entities.

- For example, extracting "Address" would be challenging if it's not broken down to smaller entities. There are so many variations of how addresses appear, it would take large number of labeled entities to teach the model to extract an address, as a whole, without breaking it down. However, if you replace "Address" with "Street Name", "PO Box", "City", "State" and "Zip", the model will require fewer labels per entity.

-## Add entities

-To add entities to your project:

-1. Move to **Entities** pivot from the top of the page.

-2. [Text Analytics for health entities](../../text-analytics-for-health/concepts/health-entity-categories.md) are automatically loaded into your project. To add additional entity categories, select **Add** from the top menu. You will be prompted to type in a name before completing creating the entity.

-3. After creating an entity, you'll be routed to the entity details page where you can define the composition settings for this entity.

-4. Entities are defined by [entity components](../concepts/entity-components.md): learned, list or prebuilt. Text Analytics for health entities are by default populated with the prebuilt component and cannot have learned components. Your newly defined entities can be populated with the learned component once you add labels for them in your data but cannot be populated with the prebuilt component.

-5. You can add a [list](../concepts/entity-components.md#list-component) component to any of your entities.

-

-### Add list component

-To add a **list** component, select **Add new list**. You can add multiple lists to each entity.

-1. To create a new list, in the *Enter value* text box enter this is the normalized value that will be returned when any of the synonyms values is extracted.

-2. For multilingual projects, from the *language* drop-down menu, select the language of the synonyms list and start typing in your synonyms and hit enter after each one. It is recommended to have synonyms lists in multiple languages.

- <!--:::image type="content" source="../media/add-list-component.png" alt-text="A screenshot showing a list component in Language Studio." lightbox="../media/add-list-component.png":::-->

-

-### Define entity options

-Change to the **Entity options** pivot in the entity details page. When multiple components are defined for an entity, their predictions may overlap. When an overlap occurs, each entity's final prediction is determined based on the [entity option](../concepts/entity-components.md#entity-options) you select in this step. Select the one that you want to apply to this entity and click on the **Save** button at the top.

- <!--:::image type="content" source="../media/entity-options.png" alt-text="A screenshot showing an entity option in Language Studio." lightbox="../media/entity-options.png":::-->

-After you create your entities, you can come back and edit them. You can **Edit entity components** or **delete** them by selecting this option from the top menu.

-## Data selection

-The quality of data you train your model with affects model performance greatly.

-* Use real-life data that reflects your domain's problem space to effectively train your model. You can use synthetic data to accelerate the initial model training process, but it will likely differ from your real-life data and make your model less effective when used.

-* Balance your data distribution as much as possible without deviating far from the distribution in real-life. For example, if you are training your model to extract entities from legal documents that may come in many different formats and languages, you should provide examples that exemplify the diversity as you would expect to see in real life.

-* Use diverse data whenever possible to avoid overfitting your model. Less diversity in training data may lead to your model learning spurious correlations that may not exist in real-life data.

-

-* Avoid duplicate documents in your data. Duplicate data has a negative effect on the training process, model metrics, and model performance.

-* Consider where your data comes from. If you are collecting data from one person, department, or part of your scenario, you are likely missing diversity that may be important for your model to learn about.

-> [!NOTE]

-> If your documents are in multiple languages, select the **enable multi-lingual** option during [project creation](../quickstart.md) and set the **language** option to the language of the majority of your documents.

-## Data preparation

-As a prerequisite for creating a project, your training data needs to be uploaded to a blob container in your storage account. You can create and upload training documents from Azure directly, or through using the Azure Storage Explorer tool. Using the Azure Storage Explorer tool allows you to upload more data quickly.

-* [Create and upload documents from Azure](../../../../storage/blobs/storage-quickstart-blobs-portal.md#create-a-container)

-* [Create and upload documents using Azure Storage Explorer](../../../../vs-azure-tools-storage-explorer-blobs.md)

-You can only use `.txt` documents. If your data is in other format, you can use [CLUtils parse command](https://github.com/microsoft/CognitiveServicesLanguageUtilities/blob/main/CustomTextAnalytics.CLUtils/Solution/CogSLanguageUtilities.ViewLayer.CliCommands/Commands/ParseCommand/README.md) to change your document format.

-You can upload an annotated dataset, or you can upload an unannotated one and [label your data](../how-to/label-data.md) in Language studio.

-

-## Test set

-When defining the testing set, make sure to include example documents that are not present in the training set. Defining the testing set is an important step to calculate the [model performance](view-model-evaluation.md#model-details). Also, make sure that the testing set includes documents that represent all entities used in your project.

-## Next steps

-If you haven't already, create a custom Text Analytics for health project. If it's your first time using custom Text Analytics for health, consider following the [quickstart](../quickstart.md) to create an example project. You can also see the [how-to article](../how-to/create-project.md) for more details on what you need to create a project.

-description: Learn how to save and recover your custom Text Analytics for health models.

-# Back up and recover your custom Text Analytics for health models

-When you create a Language resource, you specify a region for it to be created in. From then on, your resource and all of the operations related to it take place in the specified Azure server region. It's rare, but not impossible, to encounter a network issue that affects an entire region. If your solution needs to always be available, then you should design it to fail over into another region. This requires two Azure Language resources in different regions and synchronizing custom models across them.

-If your app or business depends on the use of a custom Text Analytics for health model, we recommend that you create a replica of your project in an additional supported region. If a regional outage occurs, you can then access your model in the other fail-over region where you replicated your project.

-Replicating a project means that you export your project metadata and assets, and import them into a new project. This only makes a copy of your project settings and tagged data. You still need to [train](./train-model.md) and [deploy](./deploy-model.md) the models to be available for use with [prediction APIs](https://aka.ms/ct-runtime-swagger).

-In this article, you will learn to how to use the export and import APIs to replicate your project from one resource to another existing in different supported geographical regions, guidance on keeping your projects in sync and changes needed to your runtime consumption.

-## Prerequisites

-* Two Azure Language resources in different Azure regions. [Create your resources](./create-project.md#create-a-language-resource) and connect them to an Azure storage account. It's recommended that you connect each of your Language resources to different storage accounts. Each storage account should be located in the same respective regions that your separate Language resources are in. You can follow the [quickstart](../quickstart.md?pivots=rest-api#create-a-new-azure-language-resource-and-azure-storage-account) to create an additional Language resource and storage account.

-## Get your resource keys endpoint

-Use the following steps to get the keys and endpoint of your primary and secondary resources. These will be used in the following steps.

-> [!TIP]

-> Keep a note of keys and endpoints for both primary and secondary resources as well as the primary and secondary container names. Use these values to replace the following placeholders:

-`{PRIMARY-ENDPOINT}`, `{PRIMARY-RESOURCE-KEY}`, `{PRIMARY-CONTAINER-NAME}`, `{SECONDARY-ENDPOINT}`, `{SECONDARY-RESOURCE-KEY}`, and `{SECONDARY-CONTAINER-NAME}`.

-> Also take note of your project name, your model name and your deployment name. Use these values to replace the following placeholders: `{PROJECT-NAME}`, `{MODEL-NAME}` and `{DEPLOYMENT-NAME}`.

-## Export your primary project assets

-Start by exporting the project assets from the project in your primary resource.

-### Submit export job

-Replace the placeholders in the following request with your `{PRIMARY-ENDPOINT}` and `{PRIMARY-RESOURCE-KEY}` that you obtained in the first step.

-### Get export job status

-Replace the placeholders in the following request with your `{PRIMARY-ENDPOINT}` and `{PRIMARY-RESOURCE-KEY}` that you obtained in the first step.

-Copy the response body as you will use it as the body for the next import job.

-## Import to a new project

-Now go ahead and import the exported project assets in your new project in the secondary region so you can replicate it.

-### Submit import job

-Replace the placeholders in the following request with your `{SECONDARY-ENDPOINT}`, `{SECONDARY-RESOURCE-KEY}`, and `{SECONDARY-CONTAINER-NAME}` that you obtained in the first step.

-### Get import job status

-Replace the placeholders in the following request with your `{SECONDARY-ENDPOINT}` and `{SECONDARY-RESOURCE-KEY}` that you obtained in the first step.

-## Train your model

-After importing your project, you only have copied the project's assets and metadata and assets. You still need to train your model, which will incur usage on your account.

-### Submit training job

-Replace the placeholders in the following request with your `{SECONDARY-ENDPOINT}` and `{SECONDARY-RESOURCE-KEY}` that you obtained in the first step.

-### Get training status

-Replace the placeholders in the following request with your `{SECONDARY-ENDPOINT}` and `{SECONDARY-RESOURCE-KEY}` that you obtained in the first step.

-## Deploy your model

-This is the step where you make your trained model available form consumption via the [runtime prediction API](https://aka.ms/ct-runtime-swagger).

-> [!TIP]

-> Use the same deployment name as your primary project for easier maintenance and minimal changes to your system to handle redirecting your traffic.

-### Submit deployment job

-Replace the placeholders in the following request with your `{SECONDARY-ENDPOINT}` and `{SECONDARY-RESOURCE-KEY}` that you obtained in the first step.

-### Get the deployment status

-Replace the placeholders in the following request with your `{SECONDARY-ENDPOINT}` and `{SECONDARY-RESOURCE-KEY}` that you obtained in the first step.

-## Changes in calling the runtime

-Within your system, at the step where you call [runtime prediction API](https://aka.ms/ct-runtime-swagger) check for the response code returned from the submit task API. If you observe a **consistent** failure in submitting the request, this could indicate an outage in your primary region. Failure once doesn't mean an outage, it may be transient issue. Retry submitting the job through the secondary resource you have created. For the second request use your `{SECONDARY-ENDPOINT}` and `{SECONDARY-RESOURCE-KEY}`, if you have followed the steps above, `{PROJECT-NAME}` and `{DEPLOYMENT-NAME}` would be the same so no changes are required to the request body.

-In case you revert to using your secondary resource you will observe slight increase in latency because of the difference in regions where your model is deployed.

-## Check if your projects are out of sync

-Maintaining the freshness of both projects is an important part of the process. You need to frequently check if any updates were made to your primary project so that you move them over to your secondary project. This way if your primary region fails and you move into the secondary region you should expect similar model performance since it already contains the latest updates. Setting the frequency of checking if your projects are in sync is an important choice. We recommend that you do this check daily in order to guarantee the freshness of data in your secondary model.

-### Get project details

-Use the following url to get your project details, one of the keys returned in the body indicates the last modified date of the project.

-Repeat the following step twice, one for your primary project and another for your secondary project and compare the timestamp returned for both of them to check if they are out of sync.

- [!INCLUDE [get project details](../includes/rest-api/get-project-details.md)]

-Repeat the same steps for your replicated project using `{SECONDARY-ENDPOINT}` and `{SECONDARY-RESOURCE-KEY}`. Compare the returned `lastModifiedDateTime` from both projects. If your primary project was modified sooner than your secondary one, you need to repeat the steps of [exporting](#export-your-primary-project-assets), [importing](#import-to-a-new-project), [training](#train-your-model) and [deploying](#deploy-your-model).

-## Next steps

-In this article, you have learned how to use the export and import APIs to replicate your project to a secondary Language resource in other region. Next, explore the API reference docs to see what else you can do with authoring APIs.

-* [Authoring REST API reference](https://aka.ms/ct-authoring-swagger)

-* [Runtime prediction REST API reference](https://aka.ms/ct-runtime-swagger)

-description: Learn how to label your data for use with custom Text Analytics for health.

-# Label your data using the Language Studio

-Data labeling is a crucial step in development lifecycle. In this step, you label your documents with the new entities you defined in your schema to populate their learned components. This data will be used in the next step when training your model so that your model can learn from the labeled data to know which entities to extract. If you already have labeled data, you can directly [import](create-project.md#import-project) it into your project, but you need to make sure that your data follows the [accepted data format](../concepts/data-formats.md). See [create project](create-project.md#import-project) to learn more about importing labeled data into your project. If your data isn't labeled already, you can label it in the [Language Studio](https://aka.ms/languageStudio).

-## Prerequisites

-Before you can label your data, you need:

-* A successfully [created project](create-project.md) with a configured Azure blob storage account

-* Text data that [has been uploaded](design-schema.md#data-preparation) to your storage account.

-See the [project development lifecycle](../overview.md#project-development-lifecycle) for more information.

-## Data labeling guidelines

-After preparing your data, designing your schema and creating your project, you will need to label your data. Labeling your data is important so your model knows which words will be associated with the entity types you need to extract. When you label your data in [Language Studio](https://aka.ms/languageStudio) (or import labeled data), these labels are stored in the JSON document in your storage container that you have connected to this project.

-As you label your data, keep in mind:

-* You can't add labels for Text Analytics for health entities as they're pretrained prebuilt entities. You can only add labels to new entity categories that you defined during schema definition.

-If you want to improve the recall for a prebuilt entity, you can extend it by adding a list component while you are [defining your schema](design-schema.md).

-* In general, more labeled data leads to better results, provided the data is labeled accurately.

-* The precision, consistency and completeness of your labeled data are key factors to determining model performance.

- * **Label precisely**: Label each entity to its right type always. Only include what you want extracted, avoid unnecessary data in your labels.

- * **Label consistently**: The same entity should have the same label across all the documents.

- * **Label completely**: Label all the instances of the entity in all your documents.

- > [!NOTE]

- > There is no fixed number of labels that can guarantee your model will perform the best. Model performance is dependent on possible ambiguity in your schema, and the quality of your labeled data. Nevertheless, we recommend having around 50 labeled instances per entity type.

-## Label your data

-Use the following steps to label your data:

-1. Go to your project page in [Language Studio](https://aka.ms/languageStudio).

-2. From the left side menu, select **Data labeling**. You can find a list of all documents in your storage container.

- <!--:::image type="content" source="../media/tagging-files-view.png" alt-text="A screenshot showing the Language Studio screen for labeling data." lightbox="../media/tagging-files-view.png":::-->

- >[!TIP]

- > You can use the filters in top menu to view the unlabeled documents so that you can start labeling them.

- > You can also use the filters to view the documents that are labeled with a specific entity type.

-3. Change to a single document view from the left side in the top menu or select a specific document to start labeling. You can find a list of all `.txt` documents available in your project to the left. You can use the **Back** and **Next** button from the bottom of the page to navigate through your documents.

- > [!NOTE]

- > If you enabled multiple languages for your project, you will find a **Language** dropdown in the top menu, which lets you select the language of each document. Hebrew is not supported with multi-lingual projects.

-4. In the right side pane, you can use the **Add entity type** button to add additional entities to your project that you missed during schema definition.

- <!--:::image type="content" source="../media/tag-1.png" alt-text="A screenshot showing complete data labeling." lightbox="../media/tag-1.png":::-->

-5. You have two options to label your document:

-

- |Option |Description |

- |||

- |Label using a brush | Select the brush icon next to an entity type in the right pane, then highlight the text in the document you want to annotate with this entity type. |

- |Label using a menu | Highlight the word you want to label as an entity, and a menu will appear. Select the entity type you want to assign for this entity. |

-

- The below screenshot shows labeling using a brush.

-

- :::image type="content" source="../media/tag-options.png" alt-text="A screenshot showing the labeling options offered in Custom NER." lightbox="../media/tag-options.png":::

-

-6. In the right side pane under the **Labels** pivot you can find all the entity types in your project and the count of labeled instances per each. The prebuilt entities will be shown for reference but you will not be able to label for these prebuilt entities as they are pretrained.

-7. In the bottom section of the right side pane you can add the current document you are viewing to the training set or the testing set. By default all the documents are added to your training set. See [training and testing sets](train-model.md#data-splitting) for information on how they are used for model training and evaluation.

- > [!TIP]

- > If you are planning on using **Automatic** data splitting, use the default option of assigning all the documents into your training set.

-7. Under the **Distribution** pivot you can view the distribution across training and testing sets. You have two options for viewing:

- * *Total instances* where you can view count of all labeled instances of a specific entity type.

- * *Documents with at least one label* where each document is counted if it contains at least one labeled instance of this entity.

-

-7. When you're labeling, your changes are synced periodically, if they have not been saved yet you will find a warning at the top of your page. If you want to save manually, click on **Save labels** button at the bottom of the page.

-## Remove labels

-To remove a label

-1. Select the entity you want to remove a label from.

-2. Scroll through the menu that appears, and select **Remove label**.

-## Delete entities

-You cannot delete any of the Text Analytics for health pretrained entities because they have a prebuilt component. You are only permitted to delete newly defined entity categories. To delete an entity, select the delete icon next to the entity you want to remove. Deleting an entity removes all its labeled instances from your dataset.

-## Next steps

-After you've labeled your data, you can begin [training a model](train-model.md) that will learn based on your data.

-description: Learn about how to train your model for custom Text Analytics for health.

-# Train your custom Text Analytics for health model

-Training is the process where the model learns from your [labeled data](label-data.md). After training is completed, you'll be able to view the [model's performance](view-model-evaluation.md) to determine if you need to improve your model.

-To train a model, you start a training job and only successfully completed jobs create a model. Training jobs expire after seven days, which means you won't be able to retrieve the job details after this time. If your training job completed successfully and a model was created, the model won't be affected. You can only have one training job running at a time, and you can't start other jobs in the same project.

-The training times can be anywhere from a few minutes when dealing with few documents, up to several hours depending on the dataset size and the complexity of your schema.

-## Prerequisites

-* A successfully [created project](create-project.md) with a configured Azure blob storage account

-* Text data that [has been uploaded](design-schema.md#data-preparation) to your storage account.

-* [Labeled data](label-data.md)

-See the [project development lifecycle](../overview.md#project-development-lifecycle) for more information.

-## Data splitting

-Before you start the training process, labeled documents in your project are divided into a training set and a testing set. Each one of them serves a different function.

-The **training set** is used in training the model, this is the set from which the model learns the labeled entities and what spans of text are to be extracted as entities.

-The **testing set** is a blind set that is not introduced to the model during training but only during evaluation.

-After model training is completed successfully, the model is used to make predictions from the documents in the testing and based on these predictions [evaluation metrics](../concepts/evaluation-metrics.md) are calculated. Model training and evaluation are only for newly defined entities with learned components; therefore, Text Analytics for health entities are excluded from model training and evaluation due to them being entities with prebuilt components. It's recommended to make sure that all your labeled entities are adequately represented in both the training and testing set.

-Custom Text Analytics for health supports two methods for data splitting:

-* **Automatically splitting the testing set from training data**:The system splits your labeled data between the training and testing sets, according to the percentages you choose. The recommended percentage split is 80% for training and 20% for testing.

- > [!NOTE]

- > If you choose the **Automatically splitting the testing set from training data** option, only the data assigned to training set will be split according to the percentages provided.

-* **Use a manual split of training and testing data**: This method enables users to define which labeled documents should belong to which set. This step is only enabled if you have added documents to your testing set during [data labeling](label-data.md).

-## Train model

-# [Language studio](#tab/Language-studio)

-# [REST APIs](#tab/REST-APIs)

-### Start training job

-### Get training job status

-Training could take sometime depending on the size of your training data and complexity of your schema. You can use the following request to keep polling the status of the training job until it's successfully completed.

- [!INCLUDE [get training model status](../includes/rest-api/get-training-status.md)]

-### Cancel training job

-# [Language Studio](#tab/language-studio)

-# [REST APIs](#tab/rest-api)

-## Next steps

-After training is completed, you'll be able to view the [model's performance](view-model-evaluation.md) to optionally improve your model if needed. Once you're satisfied with your model, you can deploy it, making it available to use for [extracting entities](call-api.md) from text.

-description: Learn how to evaluate and score your Custom Text Analytics for health model

-# View a custom text analytics for health model's evaluation and details

-After your model has finished training, you can view the model performance and see the extracted entities for the documents in the test set.

-> [!NOTE]

-> Using the **Automatically split the testing set from training data** option may result in different model evaluation result every time you train a new model, as the test set is selected randomly from the data. To make sure that the evaluation is calculated on the same test set every time you train a model, make sure to use the **Use a manual split of training and testing data** option when starting a training job and define your **Test** documents when [labeling data](label-data.md).

-## Prerequisites

-Before viewing model evaluation, you need:

-* A successfully [created project](create-project.md) with a configured Azure blob storage account.

-* Text data that [has been uploaded](design-schema.md#data-preparation) to your storage account.

-* [Labeled data](label-data.md)

-* A [successfully trained model](train-model.md)

-## Model details

-There are several metrics you can use to evaluate your mode. See the [performance metrics](../concepts/evaluation-metrics.md) article for more information on the model details described in this article.

-### [Language studio](#tab/language-studio)

-### [REST APIs](#tab/rest-api)

-## Load or export model data

-### [Language studio](#tab/Language-studio)

-### [REST APIs](#tab/REST-APIs)

-## Delete model

-### [Language studio](#tab/language-studio)

-### [REST APIs](#tab/rest-api)

-## Next steps

-* [Deploy your model](deploy-model.md)

-* Learn about the [metrics used in evaluation](../concepts/evaluation-metrics.md).

-description: Learn about the languages and regions supported by custom Text Analytics for health

-# Language support for custom text analytics for health

-Use this article to learn about the languages currently supported by custom Text Analytics for health.

-## Multilingual option

-With custom Text Analytics for health, you can train a model in one language and use it to extract entities from documents other languages. This feature saves you the trouble of building separate projects for each language and instead combining your datasets in a single project, making it easy to scale your projects to multiple languages. You can train your project entirely with English documents, and query it in: French, German, Italian, and others. You can enable the multilingual option as part of the project creation process or later through the project settings.

-You aren't expected to add the same number of documents for every language. You should build the majority of your project in one language, and only add a few documents in languages you observe aren't performing well. If you create a project that is primarily in English, and start testing it in French, German, and Spanish, you might observe that German doesn't perform as well as the other two languages. In that case, consider adding 5% of your original English documents in German, train a new model and test in German again. In the [data labeling](how-to/label-data.md) page in Language Studio, you can select the language of the document you're adding. You should see better results for German queries. The more labeled documents you add, the more likely the results are going to get better. When you add data in another language, you shouldn't expect it to negatively affect other languages.

-Hebrew is not supported in multilingual projects. If the primary language of the project is Hebrew, you will not be able to add training data in other languages, or query the model with other languages. Similarly, if the primary language of the project is not Hebrew, you will not be able to add training data in Hebrew, or query the model in Hebrew.

-## Language support

-Custom Text Analytics for health supports `.txt` files in the following languages:

-| Language | Language code |

-| | |

-| English | `en` |

-| French | `fr` |

-| German | `de` |

-| Spanish | `es` |

-| Italian | `it` |

-| Portuguese (Portugal) | `pt-pt` |

-| Hebrew | `he` |

-## Next steps

-* [Custom Text Analytics for health overview](overview.md)

-* [Service limits](reference/service-limits.md)

-description: Customize an AI model to label and extract healthcare information from documents using Azure Cognitive Services.

-# What is custom Text Analytics for health?

-Custom Text Analytics for health is one of the custom features offered by [Azure Cognitive Service for Language](../overview.md). It is a cloud-based API service that applies machine-learning intelligence to enable you to build custom models on top of [Text Analytics for health](../text-analytics-for-health/overview.md) for custom healthcare entity recognition tasks.

-Custom Text Analytics for health enables users to build custom AI models to extract healthcare specific entities from unstructured text, such as clinical notes and reports. By creating a custom Text Analytics for health project, developers can iteratively define new vocabulary, label data, train, evaluate, and improve model performance before making it available for consumption. The quality of the labeled data greatly impacts model performance. To simplify building and customizing your model, the service offers a web portal that can be accessed through the [Language studio](https://aka.ms/languageStudio). You can easily get started with the service by following the steps in this [quickstart](quickstart.md).

-

-This documentation contains the following article types:

-* [Quickstarts](quickstart.md) are getting-started instructions to guide you through creating making requests to the service.

-* [Concepts](concepts/evaluation-metrics.md) provide explanations of the service functionality and features.

-* [How-to guides](how-to/label-data.md) contain instructions for using the service in more specific or customized ways.

-## Example usage scenarios

-Similarly to Text Analytics for health, custom Text Analytics for health can be used in multiple [scenarios](../text-analytics-for-health/overview.md#example-use-cases) across a variety of healthcare industries. However, the main usage of this feature is to provide a layer of customization on top of Text Analytics for health to extend its existing entity map.

-## Project development lifecycle

-Using custom Text Analytics for health typically involves several different steps.

-* **Define your schema**: Know your data and define the new entities you want extracted on top of the existing Text Analytics for health entity map. Avoid ambiguity.

-* **Label your data**: Labeling data is a key factor in determining model performance. Label precisely, consistently and completely.

- * **Label precisely**: Label each entity to its right type always. Only include what you want extracted, avoid unnecessary data in your labels.

- * **Label consistently**: The same entity should have the same label across all the files.

- * **Label completely**: Label all the instances of the entity in all your files.

-* **Train the model**: Your model starts learning from your labeled data.

-* **View the model's performance**: After training is completed, view the model's evaluation details, its performance and guidance on how to improve it.

-* **Deploy the model**: Deploying a model makes it available for use via an API.

-* **Extract entities**: Use your custom models for entity extraction tasks.

-## Reference documentation and code samples

-As you use custom Text Analytics for health, see the following reference documentation for Azure Cognitive Services for Language:

-|APIs| Reference documentation|

-||||

-|REST APIs (Authoring) | [REST API documentation](/rest/api/language/2022-10-01-preview/text-analysis-authoring) |

-|REST APIs (Runtime) | [REST API documentation](/rest/api/language/2022-10-01-preview/text-analysis-runtime/submit-job) |

-## Responsible AI

-An AI system includes not only the technology, but also the people who will use it, the people who will be affected by it, and the environment in which it is deployed. Read the [transparency note for Text Analytics for health](/legal/cognitive-services/language-service/transparency-note-health?context=/azure/cognitive-services/language-service/context/context) to learn about responsible AI use and deployment in your systems. You can also see the following articles for more information:

-## Next steps

-* Use the [quickstart article](quickstart.md) to start using custom Text Analytics for health.

-* As you go through the project development lifecycle, review the glossary to learn more about the terms used throughout the documentation for this feature.

-* Remember to view the [service limits](reference/service-limits.md) for information such as [regional availability](reference/service-limits.md#regional-availability).

-description: Quickly start building an AI model to categorize and extract information from healthcare unstructured text.

-zone_pivot_groups: usage-custom-language-features

-# Quickstart: custom Text Analytics for health

-Use this article to get started with creating a custom Text Analytics for health project where you can train custom models on top of Text Analytics for health for custom entity recognition. A model is artificial intelligence software that's trained to do a certain task. For this system, the models extract healthcare related named entities and are trained by learning from labeled data.

-In this article, we use Language Studio to demonstrate key concepts of custom Text Analytics for health. As an example weΓÇÖll build a custom Text Analytics for health model to extract the Facility or treatment location from short discharge notes.

-## Next steps

-* [Text analytics for health overview](./overview.md)

-After you've created entity extraction model, you can:

-* [Use the runtime API to extract entities](how-to/call-api.md)

-When you start to create your own custom Text Analytics for health projects, use the how-to articles to learn more about data labeling, training and consuming your model in greater detail:

-* [Data selection and schema design](how-to/design-schema.md)

-* [Tag data](how-to/label-data.md)

-* [Train a model](how-to/train-model.md)

-* [Model evaluation](how-to/view-model-evaluation.md)

-description: Learn about definitions used in custom Text Analytics for health

-# Terms and definitions used in custom Text Analytics for health

-Use this article to learn about some of the definitions and terms you may encounter when using Custom Text Analytics for health

-## Entity

-Entities are words in input data that describe information relating to a specific category or concept. If your entity is complex and you would like your model to identify specific parts, you can break your entity into subentities. For example, you might want your model to predict an address, but also the subentities of street, city, state, and zipcode.

-## F1 score

-The F1 score is a function of Precision and Recall. It's needed when you seek a balance between [precision](#precision) and [recall](#recall).

-## Prebuilt entity component

-Prebuilt entity components represent pretrained entity components that belong to the [Text Analytics for health entity map](../../text-analytics-for-health/concepts/health-entity-categories.md). These entities are automatically loaded into your project as entities with prebuilt components. You can define list components for entities with prebuilt components but you cannot add learned components. Similarly, you can create new entities with learned and list components, but you cannot populate them with additional prebuilt components.

-## Learned entity component

-The learned entity component uses the entity tags you label your text with to train a machine learned model. The model learns to predict where the entity is, based on the context within the text. Your labels provide examples of where the entity is expected to be present in text, based on the meaning of the words around it and as the words that were labeled. This component is only defined if you add labels by labeling your data for the entity. If you do not label any data with the entity, it will not have a learned component. Learned components cannot be added to entities with prebuilt components.

-## List entity component

-A list entity component represents a fixed, closed set of related words along with their synonyms. List entities are exact matches, unlike machined learned entities.

-The entity will be predicted if a word in the list entity is included in the list. For example, if you have a list entity called "clinics" and you have the words "clinic a, clinic b, clinic c" in the list, then the size entity will be predicted for all instances of the input data where "clinic a, clinic b, clinic c" are used regardless of the context. List components can be added to all entities regardless of whether they are prebuilt or newly defined.

-## Model

-A model is an object that's trained to do a certain task, in this case custom Text Analytics for health models perform all the features of Text Analytics for health in addition to custom entity extraction for the user's defined entities. Models are trained by providing labeled data to learn from so they can later be used to understand context from the input text.

-* **Model evaluation** is the process that happens right after training to know how well does your model perform.

-* **Deployment** is the process of assigning your model to a deployment to make it available for use via the [prediction API](https://aka.ms/ct-runtime-swagger).

-## Overfitting

-Overfitting happens when the model is fixated on the specific examples and is not able to generalize well.

-## Precision

-Measures how precise/accurate your model is. It's the ratio between the correctly identified positives (true positives) and all identified positives. The precision metric reveals how many of the predicted entities are correctly labeled.

-## Project

-A project is a work area for building your custom ML models based on your data. Your project can only be accessed by you and others who have access to the Azure resource being used.

-## Recall

-Measures the model's ability to predict actual positive entities. It's the ratio between the predicted true positives and what was actually labeled. The recall metric reveals how many of the predicted entities are correct.

-## Schema

-Schema is defined as the combination of entities within your project. Schema design is a crucial part of your project's success. When creating a schema, you want think about what are the new entities should you add to your project to extend the existing [Text Analytics for health entity map](../../text-analytics-for-health/concepts/health-entity-categories.md) and which new vocabulary should you add to the prebuilt entities using list components to enhance their recall. For example, adding a new entity for patient name or extending the prebuilt entity "Medication Name" with a new research drug (Ex: research drug A).

-## Training data

-Training data is the set of information that is needed to train a model.

-## Next steps

-* [Data and service limits](service-limits.md).

-description: Learn about the data and service limits when using Custom Text Analytics for health.

-# Custom Text Analytics for health service limits

-Use this article to learn about the data and service limits when using custom Text Analytics for health.

-## Language resource limits

-* Your Language resource has to be created in one of the [supported regions](#regional-availability).

-* Your resource must be one of the supported pricing tiers:

-

- |Tier|Description|Limit|

- |--|--|--|

- |S |Paid tier|You can have unlimited Language S tier resources per subscription. |

-

-

-* You can only connect one storage account per resource. This process is irreversible. If you connect a storage account to your resource, you cannot unlink it later. Learn more about [connecting a storage account](../how-to/create-project.md#create-language-resource-and-connect-storage-account)

-* You can have up to 500 projects per resource.

-* Project names have to be unique within the same resource across all custom features.

-## Regional availability

-Custom Text Analytics for health is only available in some Azure regions since it is a preview service. Some regions may be available for **both authoring and prediction**, while other regions may be for **prediction only**. Language resources in authoring regions allow you to create, edit, train, and deploy your projects. Language resources in prediction regions allow you to get predictions from a deployment.

-| Region | Authoring | Prediction |

-|--|--|-|

-| East US | Γ£ô | Γ£ô |

-| UK South | Γ£ô | Γ£ô |

-| North Europe | Γ£ô | Γ£ô |

-## API limits

-|Item|Request type| Maximum limit|

-|:-|:-|:-|

-|Authoring API|POST|10 per minute|

-|Authoring API|GET|100 per minute|

-|Prediction API|GET/POST|1,000 per minute|

-|Document size|--|125,000 characters. You can send up to 20 documents as long as they collectively do not exceed 125,000 characters|

-> [!TIP]

-> If you need to send larger files than the limit allows, you can break the text into smaller chunks of text before sending them to the API. You use can the [chunk command from CLUtils](https://github.com/microsoft/CognitiveServicesLanguageUtilities/blob/main/CustomTextAnalytics.CLUtils/Solution/CogSLanguageUtilities.ViewLayer.CliCommands/Commands/ChunkCommand/README.md) for this process.

-## Quota limits

-|Pricing tier |Item |Limit |

-| | | |

-|S|Training time| Unlimited, free |

-|S|Prediction Calls| 5,000 text records for free per language resource|

-## Document limits

-* You can only use `.txt`. files. If your data is in another format, you can use the [CLUtils parse command](https://github.com/microsoft/CognitiveServicesLanguageUtilities/blob/main/CustomTextAnalytics.CLUtils/Solution/CogSLanguageUtilities.ViewLayer.CliCommands/Commands/ParseCommand/README.md) to open your document and extract the text.

-* All files uploaded in your container must contain data. Empty files are not allowed for training.

-* All files should be available at the root of your container.

-## Data limits

-The following limits are observed for authoring.

-|Item|Lower Limit| Upper Limit |

-| | | |

-|Documents count | 10 | 100,000 |

-|Document length in characters | 1 | 128,000 characters; approximately 28,000 words or 56 pages. |

-|Count of entity types | 1 | 200 |

-|Entity length in characters | 1 | 500 |

-|Count of trained models per project| 0 | 10 |

-|Count of deployments per project| 0 | 10 |

-## Naming limits

-| Item | Limits |

-|--|--|

-| Project name | You can only use letters `(a-z, A-Z)`, and numbers `(0-9)` , symbols `_ . -`, with no spaces. Maximum allowed length is 50 characters. |

-| Model name | You can only use letters `(a-z, A-Z)`, numbers `(0-9)` and symbols `_ . -`. Maximum allowed length is 50 characters. |

-| Deployment name | You can only use letters `(a-z, A-Z)`, numbers `(0-9)` and symbols `_ . -`. Maximum allowed length is 50 characters. |

-| Entity name| You can only use letters `(a-z, A-Z)`, numbers `(0-9)` and all symbols except ":", `$ & % * ( ) + ~ # / ?`. Maximum allowed length is 50 characters. See the supported [data format](../concepts/data-formats.md#entity-naming-rules) for more information on entity names when importing a labels file. |

-| Document name | You can only use letters `(a-z, A-Z)`, and numbers `(0-9)` with no spaces. |

-## Next steps

-* [Custom text analytics for health overview](../overview.md)

-### Custom text analytics for health

- :::column span="":::

- :::image type="content" source="text-analytics-for-health/media/call-api/health-named-entity-recognition.png" alt-text="A screenshot of a custom text analytics for health example." lightbox="text-analytics-for-health/media/call-api/health-named-entity-recognition.png":::

- :::column-end:::

- :::column span="":::

- [Custom text analytics for health](./custom-text-analytics-for-health/overview.md) is a custom feature that extract healthcare specific entities from unstructured text, using a model you create.

- :::column-end:::

-| Extract medical information from clinical/medical documents using a model that's trained on your data. | Unstructured text | [Custom text analytics for health](./custom-text-analytics-for-health/overview.md) | |

-* [Custom Text analytics for health](./custom-text-analytics-for-health/overview.md) is available in public preview, which enables you to build custom AI models to extract healthcare specific entities from unstructured text

-| gpt-35-turbo³ (ChatGPT) (preview) | East US, South Central US | N/A | 4,096 | Sep 2021 |

-The Fine-tunes API allows customers to create their own fine-tuned version of the OpenAI models based on the training data that you've uploaded to the service via the Files APIs. The trained fine-tuned models are stored in Azure Storage in the same region, encrypted at rest and logically isolated with their Azure subscription and API credentials. Fine-tuned models and deployments can be deleted by the user by calling the [DELETE API operation](./how-to/fine-tuning.md?pivots=programming-language-python#delete-your-model-deployment).

-* [Learn more about Azure Key Vault](../../key-vault/general/overview.md)

-| OpenAI resources per region | 2 |

-**Inline image support is currently in public preview and is available in the Chat SDK for JavaScript only. Preview APIs and SDKs are provided without a service-level agreement. We recommend that you don't use them for production workloads. Some features might not be supported, or they might have constrained capabilities. For more information, review [Supplemental Terms of Use for Microsoft Azure Previews.](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)

-**If the Teams external user sends a message with images uploaded via "Upload from this device" menu or via drag-and-drop (such as dragging images directly to the send box) in the Teams, then these scenarios would be covered under the file sharing capability, which is currently not supported.

-docker login myregistry.azurecr.io --username 00000000-0000-0000-0000-000000000000 --password $TOKEN

- "digest": "sha256:7ca0e0ae50c95155dbb0e380f37d7471e98d2232ed9e31eece9f9fb9078f2728",

- "tags": [

- "latest"

- ],

- "timestamp": "2018-07-11T21:38:35.9170967Z"

- },

- {

- "digest": "sha256:d2bdc0c22d78cde155f53b4092111d7e13fe28ebf87a945f94b19c248000ceec",

- "tags": [],

- "timestamp": "2018-07-11T21:32:21.1400513Z"

-As you can see in the output of the last step in the sequence, there is now an orphaned manifest whose `"tags"` property is an empty list. This manifest still exists within the registry, along with any unique layer data that it references. **To delete such orphaned images and their layer data, you must delete by manifest digest**.

-> Please note that "from the beginning" means that all data and all transactions since the container creation are availble for CDC, including deletes and updates. To ingest and process deletes and updates, you have to use specific settings in your CDC processes in Azure Synapse or Azure Data Factory. These settings are turned off by default. For more information, click [here](get-started-change-data-capture.md)

-## Control plane operations

-You can [create and manage your Azure Cosmos DB account](how-to-manage-database-account.md) using the Azure portal, Azure PowerShell, Azure CLI, and Azure Resource Manager templates. The following table lists the limits per subscription, account, and number of operations.

-| Maximum number of regional failovers | 10/hour by default. ┬╣ ┬▓ |

-┬▓ Regional failovers only apply to single region writes accounts. Multi-region write accounts don't require or have any limits on changing the write region.

-| Maximum number of databases per account | 500 |

-| Maximum number of containers per database with shared throughput |25 |

-| Maximum number of containers per account | 500 |

-| Maximum number of databases per account | 100 |

-| Maximum number of containers per account | 100 |

-Azure Cosmos DB supports execution of triggers during writes. The service supports a maximum of one pre-trigger and one post-trigger per write operation.

-## Metadata request limits

-Azure Cosmos DB maintains system metadata for each account. This metadata allows you to enumerate collections, databases, other Azure Cosmos DB resources, and their configurations for free of charge.

-| Resource | Limit |

-| | |

-|Maximum collection create rate per minute| 100|

-|Maximum Database create rate per minute| 100|

-|Maximum provisioned throughput update rate per minute| 5|

-|Maximum throughput supported by an account for metadata operations | 240 RU/s |

-| Idle connection timeout for server side connection closure ┬╣ | 30 minutes |

-┬╣ We recommend that client applications set the idle connection timeout in the driver settings to 2-3 minutes because the [default timeout for Azure LoadBalancer is 4 minutes](../load-balancer/load-balancer-tcp-idle-timeout.md). This timeout ensures that an intermediate load balancer idle doesn't close connections between the client machine and Azure Cosmos DB.

-## Optional - Disable analytical store in a SQL API container

-Analytical store can be disabled in SQL API containers using Azure CLI or PowerShell, by setting `analytical TTL` to `0`.

-> Please note that disabling analytical store is not available for MongoDB API collections.

-This article describes how to manage various tasks on an Azure Cosmos DB account by using the Azure portal.

-> Azure Cosmos DB can also be managed with other Azure management clients including [Azure PowerShell](manage-with-powershell.md), [Azure CLI](sql/manage-with-cli.md), [Azure Resource Manager templates](./manage-with-templates.md), and [Bicep](sql/manage-with-bicep.md).

-> This permission model covers only database operations that involve reading and writing data. It does *not* cover any kind of management operations on management resources, for example:

->

-> - Replace Container Throughput

-They don't* fetch any of the data that you've stored in your account.

-# Pre-migration steps for data migrations from MongoDB to Azure Cosmos DB for MongoDB

-1. [Discover your existing MongoDB resources and create a data estate spreadsheet to track them](#pre-migration-discovery)

-2. [Assess the readiness of your existing MongoDB resources for data migration](#pre-migration-assessment)

-3. [Map your existing MongoDB resources to new Azure Cosmos DB resources](#pre-migration-mapping)

-4. [Plan the logistics of migration process end-to-end, before you kick off the full-scale data migration](#execution-logistics)

-The [Database Migration Assistant](https://github.com/AzureCosmosDB/Cosmos-DB-Migration-Assistant-for-API-for-MongoDB)(DMA) assists you with the [Discovery](#programmatic-discovery-using-the-database-migration-assistant) and [Assessment](#programmatic-assessment-using-the-database-migration-assistant) stages of the planning.

-## Pre-migration discovery

-The first pre-migration step is resource discovery. In this step, you need to create a **data estate migration spreadsheet**.

-* This sheet contains a comprehensive list of the existing resources (databases or collections) in your MongoDB data estate.

-* The purpose of this spreadsheet is to enhance your productivity and help you to plan migration from end-to-end.

-* You're recommended to extend this document and use it as a tracking document throughout the migration process.

-### Programmatic discovery using the Database Migration Assistant

-You may use the [Database Migration Assistant](https://github.com/AzureCosmosDB/Cosmos-DB-Migration-Assistant-for-API-for-MongoDB) (DMA) to assist you with the discovery stage and create the data estate migration sheet programmatically.

-It's easy to [setup and run DMA](https://github.com/AzureCosmosDB/Cosmos-DB-Migration-Assistant-for-API-for-MongoDB#how-to-run-the-dma) through an Azure Data Studio client. It can be run from any machine connected to your source MongoDB environment.

-You can use either one of the following DMA output files as the data estate migration spreadsheet:

-* `workload_database_details.csv` - Gives a database-level view of the source workload. Columns in file are: Database Name, Collection count, Document Count, Average Document Size, Data Size, Index Count and Index Size.

-* `workload_collection_details.csv` - Gives a collection-level view of the source workload. Columns in file are: Database Name, Collection Name, Doc Count, Average Document Size, Data size, Index Count, Index Size and Index definitions.

-Here's a sample database-level migration spreadsheet created by DMA:

-| DB Name | Collection Count | Doc Count | Avg Doc Size | Data Size | Index Count | Index Size |

-| | | | | | | |

-| `bookstoretest` | 2 | 192200 | 4144 | 796572532 | 7 | 260636672 |

-| `cosmosbookstore` | 1 | 96604 | 4145 | 400497620 | 1 | 1814528 |

-| `geo` | 2 | 25554 | 252 | 6446542 | 2 | 266240 |

-| `kagglemeta` | 2 | 87934912 | 190 | 16725184704 | 2 | 891363328 |

-| `pe_orig` | 2 | 57703820 | 668 | 38561434711 | 2 | 861605888 |

-| `portugeseelection` | 2 | 30230038 | 687 | 20782985862 | 1 | 450932736 |

-| `sample_mflix` | 5 | 75583 | 691 | 52300763 | 5 | 798720 |

-| `test` | 1 | 22 | 545 | 12003 | 0 | 0 |

-| `testcol` | 26 | 46 | 88 | 4082 | 32 | 589824 |

-| `testhav` | 3 | 2 | 528 | 1057 | 3 | 36864 |

-| **TOTAL:** | **46** | **176258781** | | **72.01 GB** | | **2.3 GB** |

-### Manual discovery

-Alternately, you may refer to the sample spreadsheet in this guide and create a similar document yourself.

-## Pre-migration assessment

-Second, as a prelude to planning your migration, assess the readiness of resources in your data estate for migration.

-Assessment involves finding out whether you're using the [features and syntax that are supported](./feature-support-42.md). It also includes making sure you're adhering to the [limits and quotas](../concepts-limits.md#per-account-limits). The aim of this stage is to create a list of incompatibilities and warnings, if any. After you have the assessment results, you can try to address the findings during rest of the migration planning.

-### Programmatic assessment using the Database Migration Assistant

-[Database Migration Assistant](https://github.com/AzureCosmosDB/Cosmos-DB-Migration-Assistant-for-API-for-MongoDB) (DMA) also assists you with the assessment stage of pre-migration planning.

-Refer to the section [Programmatic discovery using the Database Migration Assistant](#programmatic-discovery-using-the-database-migration-assistant) to know how to setup and run DMA.

-The DMA notebook runs a few assessment rules against the resource list it gathers from source MongoDB. The assessment result lists the required and recommended changes needed to proceed with the migration.

-The results are printed as an output in the DMA notebook and saved to a CSV file - `assessment_result.csv`.

-> Database Migration Assistant is a preliminary utility meant to assist you with the pre-migration steps. It does not perform an end-to-end assessment.

-> In addition to running the DMA, we also recommend you to go through [the supported features and syntax](./feature-support-42.md), [Azure Cosmos DB limits and quotas](../concepts-limits.md#per-account-limits) in detail, as well as perform a proof-of-concept prior to the actual migration.

-| MetadataRequests (Metadata Requests) |Count (Count) | Count of metadata requests. Azure Cosmos DB maintains system metadata container for each account, that allows you to enumerate collections, databases, etc., and their configurations, free of charge. | DatabaseName, CollectionName, Region, StatusCode| All| |Used to monitor throttles due to metadata requests.|

-| **resourceTokenPermissionId** | **resourceTokenPermissionId_s** | This property indicates the resource token permission Id that you have specified. To learn more about permissions, see the [Secure access to your data](./secure-access-to-data.md#permissions) article. |

-When an Azure Cosmos DB SDK on Direct mode is performing an operation, it needs to resolve which backend replica to connect to. The first step is knowing which physical partition should the operation go to, and for that, the SDK obtains the container information that includes the [partition key definition](../partitioning-overview.md#choose-partitionkey) from a Gateway node. It also needs the routing information that contains the replicas' TCP addresses. The routing information is available also from Gateway nodes and both are considered [metadata](../concepts-limits.md#metadata-request-limits). Once the SDK obtains the routing information, it can proceed to open the TCP connections to the replicas belonging to the target physical partition and execute the operations.

-By default, connections are permanently maintained to benefit the performance of future operations (opening a connection has computational overhead). There might be some scenarios where you might want to close connections that are unused for some time understanding that this might affect future operations slightly. For the .NET SDK this configuration is set by [CosmosClientOptions.IdleTcpConnectionTimeout](/dotnet/api/microsoft.azure.cosmos.cosmosclientoptions.idletcpconnectiontimeout), and for the Java SDK you can customize using [DirectConnectionConfig.setIdleConnectionTimeout](/java/api/com.azure.cosmos.directconnectionconfig.setidleconnectiontimeout). It isn't recommended to set these configurations to low values as it might cause connections to be frequently closed and effect overall performance.

-There's a system-reserved RU limit for these operations, so increasing the provisioned RU/s of the database or container will have no impact and isn't recommended. See [limits on metadata operations](../concepts-limits.md#metadata-request-limits).

-description: Learn how a reservation discount is applied to Azure Database for PostgreSQL Single servers.

-# How a reservation discount is applied to Azure Database for PostgreSQL Single server

-After you buy an Azure Database for PostgreSQL Single server reserved capacity, the reservation discount is automatically applied to PostgreSQL Single servers databases that match the attributes and quantity of the reservation. A reservation covers only the compute costs of your Azure Database for PostgreSQL Single server. You're charged for storage and networking at the normal rates.

-## How reservation discount is applied

-A reservation discount is ***use-it-or-lose-it***. So, if you don't have matching resources for any hour, then you lose a reservation quantity for that hour. You can't carry forward unused reserved hours.

-When you shut down a resource, the reservation discount automatically applies to another matching resource in the specified scope. If no matching resources are found in the specified scope, then the reserved hours are lost.

-Stopped resources are billed and continue to use reservation hours. Deallocate or delete resources or scale-in other resources to use your available reservation hours with other workloads.

-## Discount applied to Azure Database for PostgreSQL Single server

-The Azure Database for PostgreSQL Single server reserved capacity discount is applied to running your PostgreSQL Single server on an hourly basis. The reservation that you buy is matched to the compute usage emitted by the running Azure Database for PostgreSQL Single server. For PostgreSQL Single servers that don't run the full hour, the reservation is automatically applied to other Azure Database for PostgreSQL Single server matching the reservation attributes. The discount can apply to Azure Database for PostgreSQL Single servers that are running concurrently. If you don't have a PostgreSQL Single server that run for the full hour that matches the reservation attributes, you don't get the full benefit of the reservation discount for that hour.

-The following examples show how the Azure Database for PostgreSQL Single server reserved capacity discount applies depending on the number of cores you bought, and when they're running.

-* **Example 1**: You buy an Azure Database for PostgreSQL Single server reserved capacity for an 8 vCore. If you are running a 16 vCore Azure Database for PostgreSQL Single server that matches the rest of the attributes of the reservation, you're charged the pay-as-you-go price for 8 vCore of your PostgreSQL Single server compute usage and you get the reservation discount for one hour of 8 vCore PostgreSQL Single server compute usage.</br>

-For the rest of these examples, assume that the Azure Database for PostgreSQL Single server reserved capacity you buy is for a 16 vCore Azure Database for PostgreSQL Single server and the rest of the reservation attributes match the running PostgreSQL Single servers.

-* **Example 2**: You run two Azure Database for PostgreSQL Single servers with 8 vCore each for an hour. The 16 vCore reservation discount is applied to compute usage for both the 8 vCore Azure Database for PostgreSQL Single server.

-* **Example 3**: You run one 16 vCore Azure Database for PostgreSQL Single server from 1 pm to 1:30 pm. You run another 16 vCore Azure Database for PostgreSQL Single server from 1:30 to 2 pm. Both are covered by the reservation discount.

-* **Example 4**: You run one 16 vCore Azure Database for PostgreSQL Single server from 1 pm to 1:45 pm. You run another 16 vCore Azure Database for PostgreSQL Single server from 1:30 to 2 pm. You're charged the pay-as-you-go price for the 15-minute overlap. The reservation discount applies to the compute usage for the rest of the time.

-To understand and view the application of your Azure Reservations in billing usage reports, see [Understand Azure reservation usage](./understand-reserved-instance-usage-ea.md).

-## Next steps

-If you have questions or need help, [create a support request](https://go.microsoft.com/fwlink/?linkid=2083458).

-The new centralized Azure Hybrid Benefit (preview) experience in the Azure portal supports SQL Server license assignments at the account level or at a particular subscription level. When the assignment is created at the account level, Azure Hybrid Benefit discounts are automatically applied to SQL resources in all subscriptions in the account up to the license count specified in the assignment.

-> [!IMPORTANT]

-> Centrally-managed Azure Hybrid Benefit is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-1. Select **Add** and then in the list, select **Azure Hybrid Benefit (Preview)**.

-1. On the next screen, select **Begin to assign licenses**.

- :::image type="content" source="./media/create-sql-license-assignments/get-started-centralized.png" alt-text="Screenshot showing Add SQL hybrid benefit selection" lightbox="./media/create-sql-license-assignments/get-started-centralized.png" :::

-1. Choose a scope and then enter the license count to use for each SQL Server edition. If you don't have any licenses to assign for a specific edition, enter zero.

- > [!NOTE]

- > You are accountable to determine that the entries that you make in the scope-level managed license experience are accurate and will satisfy your licensing obligations. The license usage information is shown to assist you as you make your license assignments. However, the information shown could be incomplete or inaccurate due to various factors.

- >

- > If the number of licenses that you enter is less than what you are currently using, you'll see a warning message stating _You've entered fewer licenses than you're currently using for Azure Hybrid Benefit in this scope. Your bill for this scope will increase._

-1. Optionally, select the **Usage details** tab to view your current Azure Hybrid Benefit usage enabled at the resource scope.

- :::image type="content" source="./media/create-sql-license-assignments/select-assignment-scope-edition-usage.png" alt-text="Screenshot showing Usage tab details." lightbox="./media/create-sql-license-assignments/select-assignment-scope-edition-usage.png" :::

-1. Optionally, change the default license assignment name. The review date is automatically set to a year ahead and can't be changed. Its purpose is to remind you to periodically review your license assignments.

-1. Select the **By selecting &quot;Apply&quot;** attestation option to confirm that you have authority to apply Azure Hybrid Benefit, enough SQL Server licenses, and that you'll maintain the licenses as long as they're assigned.

-1. Select **Apply** and then select **Yes.**

-If a license assignment's usage is 100%, then it's likely some resources within the scope are incurring pay-as-you-go charges for SQL Server. We recommend that you use the license assignment experience again to review how much usage is being covered or not by assigned licenses. Afterward, go through the same process as before, including consulting your procurement or software asset management department, confirming that more licenses are available, and assigning the licenses.

-This article provides details about how centrally managing Azure Hybrid Benefit for SQL Server at a scope-level works. The process starts with an administrator assigning licenses to subscription or a billing account scope.

-Each resource reports its usage once an hour using the appropriate full price or pay-as-you-go meters. Internally in Azure, the Usage Application engine evaluates the available NCLs and applies them for that hour. For a given hour of vCore resource consumption, the pay-as-you-go meters are switched to the corresponding Azure Hybrid Benefit meter with a zero ($0) price if there's enough unutilized NCLs in the selected scope.

-The following diagram shows the discounting process when there's enough unutilized NCLs to discount the entire vCore consumption by all the SQL resources for the hour.

-Prices shown in the following image are for example purposes only.

-When the vCore consumption by the SQL resources in the scope exceeds the number of unutilized NCLs, the excess vCore consumption is billed using the appropriate pay-as-you-go meter. The following diagram shows the discounting process when the vCore consumption exceeds the number of unutilized NCLs.

-Prices shown in the following image are for example purposes only.

-# What is centrally managed Azure Hybrid Benefit?

-At a high level, here's how it works:

-1. Under **Cost Management + Billing** in the Azure portal, you (the billing administrator) choose the scope and the number of qualifying licenses that you want to assign to cover the resources in the scope.

- :::image type="content" source="./media/overview-azure-hybrid-benefit-scope/set-scope-assign-licenses.png" alt-text="Screenshot showing setting a scope and assigning licenses." lightbox="./media/overview-azure-hybrid-benefit-scope/set-scope-assign-licenses.png" :::

-In the previous example, detected usage for 108 normalized core licenses is needed to cover all eligible Azure SQL resources. Detected usage for individual resources was 56 normalized core licenses. For the example, we showed 60 standard core licenses plus 12 Enterprise core licenses (12 * 4 = 48). So 60 + 48 = 108. Normalized core license values are covered in more detail in the following section, [How licenses apply to Azure resources](#how-licenses-apply-to-azure-resources).

-Enabling centralized management of Azure Hybrid Benefit of for SQL Server at a subscription or account scope level is currently in preview. It's available to enterprise customers and to customers that buy directly from Azure.com with a Microsoft Customer Agreement. We hope to extend the capability to Windows Server and more customers.

-To explain how it works further, the term _normalized core license_ or NCL is used. In alignment with the rule, one SQL Server Standard core license produces one NCL. One SQL Server Enterprise core license produces four NCLs. For example, if you assign four SQL Server Enterprise core licenses and seven SQL Server Standard core licenses, your total coverage and Azure Hybrid Benefit discounting power is equal to 23 NCLs (4\*4+7\*1).

-The following table summarizes how many NCLs you need to fully discount the SQL Server license cost for different resource types. Scope-level management of Azure Hybrid Benefit strictly applies the rules in the product terms, summarized as follows.

-| **Azure Data Service** | **Service tier** | **Required number of NCLs** |

-┬▓ *Subject to a minimum of four vCores per Virtual Machine, which translates to four NCL if Standard edition is used, and 16 NCL if Enterprise edition is used.*

-We recommend that you establish a proactive rhythm when centrally managing Azure Hybrid Benefit, similar to the following tasks and order.

- - If usage is 100%, you might be using resources beyond the number of licenses assigned. Return to the [Create license assignment experience](create-sql-license-assignments.md) and review the usage that Azure shows. Then assign more available licenses to the scope for more coverage.

-> The script includes support for normalized core licenses (NCL).

-> Managing Azure Hybrid Benefit centrally at a scope-level is currently in public preview and limited to enterprise customers and customers buying directly from Azure.com with a Microsoft Customer Agreement.

-1. You review Azure resource usage data from recent months and you talk to others in Contoso. You determine that 2000 SQL Server Enterprise Edition and 750 SQL Server Standard Edition core licenses, or 8750 normalized core licenses, are needed to cover expected Azure SQL usage for the next year. Expected usage also includes migrating workloads (1500 SQL Server Enterprise Edition + 750 SQL Server Standard Edition = 6750 normalized) and net new Azure SQL workloads (another 500 SQL Server Enterprise Edition or 2000 normalized core licenses).

- - You determine that there are 1800 SQL Server Enterprise Edition licenses and 2000 SQL Server Standard Edition licenses available to assign to Azure. The available licenses equal 9200 normalized core licenses. That's a little more than the 8750 needed (2000 x 4 + 750 = 8750).

-1. Then, you assign the 1800 SQL Server Enterprise Edition and 2000 SQL Server Standard Edition to Azure. That action results in 9200 normalized core licenses that the system can apply to Azure SQL resources as they run each hour. Assigning more licenses than are required now provides a buffer if usage grows faster than you expect.

-The flatten transformation contains the following configuration settings

-Select an array to unroll. The output data will have one row per item in each array. If the unroll by array in the input row is null or empty, there will be one output row with unrolled values as null.

-Choose the level of the hierarchy that you would like expand.

-To get started, create a Data Factory SAP CDC linked service, an SAP CDC source dataset, and a pipeline with a mapping data flow activity in which you use the SAP CDC source dataset. To extract the data from SAP, a self-hosted integration runtime is required that you install on an on-premises computer or on a virtual machine (VM). An on-premises computer has a line of sight to your SAP source systems and to your SLT server. The Data Factory data flow activity runs on a serverless Azure Databricks or Apache Spark cluster, or on an Azure integration runtime.

-Follow the steps provided in <a href="https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app#register-an-application" target="_blank">App Registration</a> **until the Step 8** to generate the following information:

-Follow the steps provided in <a href="https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret" target="_blank">Add a client secret</a> to generate **Client Secret** and copy the client secret generated.

-1. **Consent** ΓÇô Since the partnerΓÇÖs app resides in a different tenant and the customer wants the partner to access certain APIs in their Data Manager for Agriculture instance, the customers are required to call a specific endpoint (https://login.microsoft.com/common/adminconsent/clientId=[client_id]) and replace the [client_id] with the partnersΓÇÖ app ID. This enables the customersΓÇÖ Azure Active Directory to recognize this APP ID whenever they use it for role assignment.

-1. Prepare the second node. Configure the network on the second node the same way you configured it on the first node. Get the authentication token on this node.

-1. Prepare the second node. Configure the network on the second node the same way you configured it on the first node. Get the authentication token on this node.

-This article lists the attack paths, connections, and insights used in Defender for Cloud Security Posture Management (CSPM).

-| Attack Path Display Name | Attack Path Description |

-### AWS Instances

-| Attack Path Display Name | Attack Path Description |

-| Attack Path Display Name | Attack Path Description |

-| Attack Path Display Name | Attack Path Description |

-| Attack Path Display Name | Attack Path Description |

-| Attack Path Display Name | Attack Path Description |

-This section lists all of the cloud security graph components (connections and insights) that can be used in queries with the [cloud security explorer](concept-attack-path.md).

-## How does the Sensitive Data Discovery work?

-Sensitive Data Threat Detection is powered by the Sensitive Data Discovery engine, an agentless engine that uses a smart sampling method to find resources with sensitive data.

-Upon enablement, the Sensitive Data Discovery engine initiates an automatic scanning process across all supported storage accounts. Results are typically generated within 24 hours. Additionally, newly created storage accounts under protected subscriptions will be scanned within six hours of their creation. Recurring scans are scheduled to occur weekly after the enablement date. This is the same Sensitive Data Discovery engine used for sensitive data discovery in Defender CSPM.

-Sensitive data threat detection is available for Blob storage accounts, including: Standard general-purpose V1, Standard general-purpose V2, Azure Data Lake Storage Gen2 and Premium block blobs. Learn more about the [availability of Defender for Storage features](defender-for-storage-introduction.md#availability).

-To enable sensitive data threat detection at subscription and storage account levels, you need Owner roles (subscription owner/storage account owner) or specific roles with corresponding data actions.

-Learn more about the [roles and permissions](support-matrix-defender-for-storage.md) required for sensitive data threat detection.

-Sensitive data threat detection is enabled by default when you enable Defender for Storage. You can [enable it or disable it](../storage/common/azure-defender-storage-configure.md) in the Azure portal or with other at-scale methods at no additional cost.

-Sensitive Data Threat Detection capability will help you to prioritize security incidents, allowing security teams to prioritize these incidents and respond on time. Defender for Storage alerts will include findings of sensitivity scanning and indications of operations that have been performed on resources containing sensitive data.

-In the alertΓÇÖs Extended Properties, you can find sensitivity scanning findings for a **blob container**:ΓÇ»

-When you enable sensitive data threat detection, the sensitive data categories include built-in sensitive information types (SITs) default list of Microsoft Purview. This will affect the alerts you receive from Defender for Storage and storage or containers that are found to contain these SITs are marked as containing sensitive data.

-In this article, you learned about Microsoft Defender for Storage.

-| :::image type="content" source="media/secure-score-security-controls/environment.png" alt-text="Screenshot of the environment section of the security posture page."::: | Shows the total number of subscriptions, accounts and projects that affect your overall score. It also shows how many unhealthy resources and how many recommendations exist in your environments. |

- :::image type="content" source="./media/tutorial-security-policy/default-assignment-screen.png" alt-text="Screenshot showing the edit default assignment screen." lightbox="/media/tutorial-security-policy/default-assignment-screen.png":::

-| [New Azure Active Directory authentication-related recommendations for Azure Data Services](#new-azure-active-directory-authentication-related-recommendations-for-azure-data-services) | April 2023 |

-We're announcing the full deprecation of support of [`PCI DSS`](/azure/compliance/offerings/offering-pci-dss) standard/initiative in Azure China 21Vianet.

-### Deprecation of legacy compliance standards across cloud environments

-**Estimated date for change: April 2023**

-We're announcing the full deprecation of support of [`PCI DSS`](/azure/compliance/offerings/offering-pci-dss) standard/initiative in Azure China 21Vianet.

-Legacy PCI DSS v3.2.1 and legacy SOC TSP are set to be fully deprecated and replaced by [SOC 2 Type 2](/azure/compliance/offerings/offering-soc-2) initiative and [`PCI DSS v4`](/azure/compliance/offerings/offering-pci-dss) initiative.

-Learn how to [Customize the set of standards in your regulatory compliance dashboard](update-regulatory-compliance-packages.md).

-### New Azure Active Directory authentication-related recommendations for Azure Data Services

-**Estimated date for change: April 2023**

-| Recommendation Name | Recommendation Description | Policy |

-|--|--|--|

-| Azure SQL Managed Instance authentication mode should be Azure Active Directory Only | Disabling local authentication methods and allowing only Azure Active Directory Authentication improves security by ensuring that Azure SQL Managed Instances can exclusively be accessed by Azure Active Directory identities. Learn more at: aka.ms/adonlycreate | [Azure SQL Managed Instance should have Azure Active Directory Only Authentication enabled](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f78215662-041e-49ed-a9dd-5385911b3a1f) |

-| Azure Synapse Workspace authentication mode should be Azure Active Directory Only | Azure Active Directory only authentication methods improves security by ensuring that Synapse Workspaces exclusively require Azure AD identities for authentication. Learn more at: https://aka.ms/Synapse | [Synapse Workspaces should use only Azure Active Directory identities for authentication](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f2158ddbe-fefa-408e-b43f-d4faef8ff3b8) |

-| Azure Database for MySQL should have an Azure Active Directory administrator provisioned | Provision an Azure AD administrator for your Azure Database for MySQL to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | Based on policy: [An Azure Active Directory administrator should be provisioned for MySQL servers](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f146412e9-005c-472b-9e48-c87b72ac229e) |

-| Azure Database for PostgreSQL should have an Azure Active Directory administrator provisioned | Provision an Azure AD administrator for your Azure Database for PostgreSQL to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | Based on policy: [An Azure Active Directory administrator should be provisioned for PostgreSQL servers](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2fb4dec045-250a-48c2-b5cc-e0c4eec8b5b4) |

-| Date and Time | Date and time that the syslog server machine received the information. |

-| Date and time | Date and time that sensor sent the information |

-| Date and time | Date and time that the syslog server machine received the information. |