-> Dynamic consent can be convenient, but presents a big challenge for permissions that require admin consent, since the admin consent experience doesn't know about those permissions at consent time. If you require admin privileged permissions or if your app uses dynamic consent, you must register all of the permissions in the Azure portal (not just the subset of permissions that require admin consent). This enables tenant admins to consent on behalf of all their users.

-[Admin consent done on behalf of an organization](#requesting-consent-for-an-entire-tenant) still requires the static permissions registered for the app. Set those permissions for apps in the app registration portal if you need an admin to give consent on behalf of the entire organization. This reduces the cycles required by the organization admin to set up the application.

-Organizations can now improve the security of Windows virtual machines (VMs) in Azure by integrating with Azure Active Directory (AD) authentication. You can now use Azure AD as a core authentication platform to RDP into a **Windows Server 2019 Datacenter edition** and later or **Windows 10 1809** and later. Additionally, you will be able to centrally control and enforce Azure RBAC and Conditional Access policies that allow or deny access to the VMs. This article shows you how to create and configure a Windows VM and login with Azure AD based authentication.

-> Once you enable this capability, your Windows VMs in Azure will be Azure AD joined. You cannot join it to other domain like on-premises AD or Azure AD DS. If you need to do so, you will need to disconnect the VM from your Azure AD tenant by uninstalling the extension.

-For Azure China

-To use Azure AD login for Windows VM in Azure, you need to first enable Azure AD login option for your Windows VM and then you need to configure Azure role assignments for users who are authorized to login in to the VM.

-There are multiple ways you can enable Azure AD login for your Windows VM:

- 1. Click **Windows Server** and choose **Windows Server 2019 Datacenter** from Select a software plan dropdown.

- 1. Click on **Create**.

-1. On the "Management" tab, enable the option to **Login with AAD credentials** under the Azure Active Directory section from Off to **On**.

-1. Make sure **System assigned managed identity** under the Identity section is set to **On**. This action should happen automatically once you enable Login with Azure AD credentials.

-1. Go through the rest of the experience of creating a virtual machine. You will have to create an administrator username and password for the VM.

-If you choose to install and use the CLI locally, this article requires that you are running the Azure CLI version 2.0.31 or later. Run az --version to find the version. If you need to install or upgrade, see the article [Install Azure CLI](/cli/azure/install-azure-cli).

-Now that you have created the VM, you need to configure Azure RBAC policy to determine who can log in to the VM. Two Azure roles are used to authorize VM login:

-The following example uses [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) to assign the Virtual Machine Administrator Login role to the VM for your current Azure user. The username of your active Azure account is obtained with [az account show](/cli/azure/account#az-account-show), and the scope is set to the VM created in a previous step with [az vm show](/cli/azure/vm#az-vm-show). The scope could also be assigned at a resource group or subscription level, and normal Azure RBAC inheritance permissions apply. For more information, see [Log in to a Linux virtual machine in Azure using Azure Active Directory authentication](../../virtual-machines/linux/login-using-aad.md).

-``` AzureCLI

-> If your AAD domain and logon username domain do not match, you must specify the object ID of your user account with the `--assignee-object-id`, not just the username for `--assignee`. You can obtain the object ID for your user account with [az ad user list](/cli/azure/ad/user#az-ad-user-list).

-You are now signed in to the Windows Server 2019 Azure virtual machine with the role permissions as assigned, such as VM User or VM Administrator.

-Use Azure Policy to ensure Azure AD login is enabled for your new and existing Windows virtual machines and assess compliance of your environment at scale on your Azure Policy compliance dashboard. With this capability, you can use many levels of enforcement: you can flag new and existing Windows VMs within your environment that do not have Azure AD login enabled. You can also use Azure Policy to deploy the Azure AD extension on new Windows VMs that do not have Azure AD login enabled, as well as remediate existing Windows VMs to the same standard. In addition to these capabilities, you can also use Azure Policy to detect and flag Windows VMs that have non-approved local accounts created on their machines. To learn more, review [Azure Policy](../../governance/policy/overview.md).

-"

-If AADLoginForWindows extension fails with certain error code, you can perform the following steps:

- - RDP to the VM as a local administrator and verify the endpoint returns valid Tenant ID by running this command from an elevated PowerShell window on the VM:

-1. The VM admin attempts to install the AADLoginForWindows extension, but a system assigned managed identity has not enabled the VM first. Navigate to the Identity blade of the VM. From the System assigned tab, verify Status is toggled to On.

-This Exit code translates to `DSREG_AUTOJOIN_DISC_FAILED` because the extension is not able to reach the `https://enterpriseregistration.windows.net` endpoint.

-The AADLoginForWindows extension is only intended to be installed on Windows Server 2019 or Windows 10 (Build 1809 or later). Ensure the version of Windows is supported. If the build of Windows is not supported, uninstall the VM Extension.

-Also, RDP Sign-in using Azure AD accounts is captured in Event viewer under the `AAD\Operational` event logs.

-Verify that the Windows 10 or newer PC you are using to initiate the remote desktop connection is one that is either Azure AD joined, or hybrid Azure AD joined to the same Azure AD directory where your VM is joined to. For more information about device identity, see the article [What is a device identity](./overview.md).

-Verify that the AADLoginForWindows extension was not uninstalled after the Azure AD join finished.

-Verify that the user doesn't have a temporary password. If the user has just been created, or if the user password has just been reset, the user's password is temporary and must be changed on the next sign-in. Temporary passwords cannot be used to log in to a remote desktop connection.

-To resolve the issue, log in to the user account in a web browser, for instance by opening the [Azure portal](https://portal.azure.com) in a private browsing window. If you are prompted to change the password, set a new password and connect to the remote desktop connection with that new password.

-If you have configured a Conditional Access policy that requires multi-factor authentication (MFA) before you can access the resource, then you need to ensure that the Windows 10 or newer PC initiating the remote desktop connection to your VM signs in using a strong authentication method such as Windows Hello. If you do not use a strong authentication method for your remote desktop connection, you will see the previous error.

-If you have not deployed Windows Hello for Business and if that is not an option for now, you can exclude MFA requirement by configuring Conditional Access policy that excludes "**Azure Windows VM Sign-In**" app from the list of cloud apps that require MFA. To learn more about Windows Hello for Business, see [Windows Hello for Business Overview](/windows/security/identity-protection/hello-for-business/hello-identity-verification).

-> External admin takeover is not supported cross cloud boundaries (ex. Azure Commercial to Azure Government). In these scenarios it is recommended to perform External admin takeover into another Azure Commercial tenant, and then delete the domain from this tenant so you may verify succesfully into the destination Azure Government tenant.

-#### Sample Labeling tool

-#### Sample Labeling tool

-#### Sample Labeling tool

-#### Sample Labeling tool

-**Redis-benchmark** documentation can be [found here](https://redis.io/topics/benchmarks).

-Alert queries start from [querying the log data in Log Analytics](alerts-log.md#create-a-log-alert-rule-in-the-azure-portal) that indicates the issue. You can use the [alert query examples topic](../logs/queries.md) to understand what you can discover. You may also [get started on writing your own query](../logs/log-analytics-tutorial.md).

-## Overview

-## Create a log alert rule in the Azure portal

-1. Write a query that will find the log events for which you want to create an alert. You can use the [alert query examples topic](../logs/queries.md) to understand what you can discover or [get started on writing your own query](../logs/log-analytics-tutorial.md). Also, [learn how to create optimized alert queries](alerts-log-query.md).

-1. When validation passes and you have reviewed the settings, click the **Create** button.

-> This article describes how to manage alert rules created in the latest UI or using an API version later than `2018-04-16`. See [View and manage alert rules created in previous versions](alerts-manage-alerts-previous-version.md) for information about how to view and manage alert rules created in the previous UI.

- 

-## The alerts page

-The **Alerts** page summarizes all your alert instances across Azure. You can modify the results by selecting filters such as **time range**, **subscription**, **alert condition**, **severity**, and more. You can select an alert instance to open the **Alert Details** page and see more details about the specific alert instance.

-The Alerts page provides a summary of the alerts created in the last 24 hours. You can filter the list by the subscription or any of the filter parameters at the top of the page. The page displays the total alerts for each severity. Select a severity to filter the alerts by that severity.

-description: This article shows you how to connect your ITSM products/services with Secure Export in Azure Monitor to centrally monitor and manage ITSM work items.

-# Connect Azure to ITSM tools by using Secure Export

-This article shows you how to configure the connection between your IT Service Management (ITSM) product or service by using Secure Export.

-Secure Export is an updated version of [IT Service Management Connector (ITSMC)](./itsmc-overview.md). Both versions allow you to create work items in an ITSM tool when Azure Monitor sends alerts. The functionality includes metric, log, and Activity Log alerts.

-ITSMC uses username and password credentials. Secure Export has stronger authentication because it uses Azure Active Directory (Azure AD). Azure AD is Microsoft's cloud-based identity and access management service. It helps users sign in and access internal or external resources. Using Azure AD with ITSM helps to identify Azure alerts (through the Azure AD application ID) that were sent to the external system.

-## Secure Export architecture

-The Secure Export architecture introduces the following new capabilities:

-## Secure Export data flow

-The steps of the Secure Export data flow are:

-1. Azure Monitor sends an alert that's configured to use Secure Export.

-## Benefits of Secure Export

-* **Alerts resolved in the ITSM tool**: Metric alerts implement "fired" and "resolved" states. When the condition is met, the alert state is "fired." When condition is not met anymore, the alert state is "resolved." In ITSMC, alerts can't be resolved automatically. With Secure Export, the resolved state flows to the ITSM tool and so is updated automatically.

-* **[Common alert schema](./alerts-common-schema.md)**: In ITSMC, the schema of the alert payload differs based on the alert type. In Secure Export, there's a common schema for all alert types. This common schema contains the CI for all alert types. All alert types will be able to bind their CI with the CMDB.

-description: This article shows you how to configure Azure in order to connect your ITSM products/services with Secure Export in Azure Monitor to centrally monitor and manage ITSM work items.

-# Configure Azure to connect ITSM tools using Secure Export

-This article provides information about how to configure the Azure in order to use "Secure Export".

-In order to use "Secure Export", follow these steps:

- Secure Export supports connections with the following ITSM tools:

-1. Get the URI for the secure export definition.

-* [ServiceNow Secure Export Configuration](./itsmc-secure-webhook-connections-servicenow.md)

-* [BMC Secure Export Configuration](./itsmc-secure-webhook-connections-bmc.md)

-The following ITSM products/services are supported. Select the product to view detailed information about how to connect the product to ITSMC.

-> [!NOTE]

-> We propose our Cherwell and Provance customers to use [Webhook action](./action-groups.md#webhook) to Cherwell and Provance endpoint as another solution to the integration.

-## IP ranges for ITSM partners connections

-In order to list the ITSM IP addresses in order to allow ITSM connections from partners ITSM tools, we recommend the to list the whole public IP range of Azure region where their LogAnalytics workspace belongs. [details here](https://www.microsoft.com/en-us/download/details.aspx?id=56519)

-IT Service Management Connector (ITSMC) allows you to connect Azure to a supported IT Service Management (ITSM) product or service.

-Azure services like Azure Log Analytics and Azure Monitor provide tools to detect, analyze, and troubleshoot problems with your Azure and non-Azure resources. But the work items related to an issue typically reside in an ITSM product or service. ITSMC provides a bi-directional connection between Azure and ITSM tools to help you resolve issues faster.

-## Configuration steps

-ITSMC supports connections with the following ITSM tools:

- >[!NOTE]

-> As of 1-Oct-2020 Cherwell and Provance ITSM integrations with Azure Alert will no longer be enabled for new customers. New ITSM Connections will not be supported.

-> Existing ITSM connections will be supported.

-With ITSMC, you can:

-You can start using ITSMC by completing the following steps:

-1. [Setup your ITSM Environment to accept alerts from Azure.](./itsmc-connections.md)

-1. [Configure Azure ITSM Solution](./itsmc-definition.md#add-it-service-management-connector)

-1. [Configure Azure ITSM connector for your ITSM environment.](./itsmc-definition.md#create-an-itsm-connection)

-1. [Configure Action Group to leverage ITSM connector.](./itsmc-definition.md#define-a-template)

-description: This article shows you how to connect your ITSM products/services with BMC on Secure Export in Azure Monitor.

-The following sections provide details about how to connect your BMC Helix product and Secure Export in Azure.

-1. Use the following procedure in the BMC Helix environment in order to get the URI for the secure export:

-description: This article shows you how to connect your ITSM products/services with ServiceNow on Secure Export in Azure Monitor.

-The following sections provide details about how to connect your ServiceNow product and Secure Export in Azure.

-1. Use the link https://(instance name).service-now.com/api/sn_em_connector/em/inbound_event?source=azuremonitor the URI for the secure export definition.

-* [ServiceNow](./itsmc-connections-servicenow.md)

-* [System Center Service Manager](./itsmc-connections-scsm.md)

-* [Cherwell](./itsmc-connections-cherwell.md)

-* [Provance](./itsmc-connections-provance.md)

-> [!IMPORTANT]

-> [Connection Strings](./sdk-connection-string.md?tabs=net) are recommended over instrumentation keys. New Azure regions require using connection strings instead of instrumentation keys. Connection strings identify the appropriate endpoint for your Application Insights resource which provides the fastest way to ingest your telemetry for alerting and reporting. You will need to copy the connection string and add it to your application's code or to an environment variable.

-> [!IMPORTANT]

-> [Connection Strings](./sdk-connection-string.md) are recommended over instrumentation keys. New Azure regions **require** the use of connection strings instead of instrumentation keys. Connection string identifies the resource that you want to associate your telemetry data with. It also allows you to modify the endpoints your resource will use as a destination for your telemetry. You will need to copy the connection string and add it to your application's code or to an environment variable.

-> [!NOTE]

-> [Connection strings](./sdk-connection-string.md?tabs=net) are the new preferred method of setting custom endpoints within Application Insights.

-> [!IMPORTANT]

-> [Connection Strings](./sdk-connection-string.md?tabs=java) are recommended over instrumentation keys. New Azure regions **require** the use of connection strings instead of instrumentation keys. Connection string identifies the resource that you want to associate your telemetry data with. It also allows you to modify the endpoints your resource will use as a destination for your telemetry. You will need to copy the connection string and add it to your application's code or to an environment variable.

-In the query language, you can specify different [render options](https://docs.loganalytics.io/docs/Language-Reference/Tabular-operators/render-operator). By default, the API does not return information about the type of visualization. To include a specific visualization, include this header:

-> | managedInstances | global | 1-63 | Lowercase letters, numbers, and hyphens.<br><br> Can't start or end with hyphen. CanΓÇÖt have hyphen twice in both third and fourth place.<br><br> Can't have any special characters, such as `@`. |

-> | servers | global | 1-63 | Lowercase letters, numbers, and hyphens.<br><br>Can't start or end with hyphen. CanΓÇÖt have hyphen twice in both third and fourth place. |

-> | servers / failoverGroups | global | 1-63 | Lowercase letters, numbers, and hyphens.<br><br>Can't start or end with hyphen. |

-|SQL Server (in Azure) | Open both inbound and outbound traffic on port 5022 for the network firewall to the entire subnet of SQL Managed Instance. If necessary, do the same on the Windows firewall. Create a network security group (NSG) rule in the virtual network that hosts the VM to allow communication on port 5022. |

-|SQL Server (outside Azure) | Open both inbound and outbound traffic on port 5022 for the network firewall to the entire subnet of SQL Managed Instance. If necessary, do the same on the Windows firewall. |

-# Configure RHEL7/CentOS7 for C++

-To use the Speech SDK for C++ development on Red Hat Enterprise Linux (RHEL) 7 x64 and CentOS 7 x64, update the C++ compiler and the shared C++ runtime library on your system.

-1. Create an Azure Communication Services resource. For details, see [Create an Azure Communication Services resource](../../quickstarts/create-communication-resource.md). You'll need to **record your resource endpoint and key** for this quickstart.

-2. Provide the resource endpoint and the key belonging to the Azure Communication Services resource that you want to connect with.

-Try the [Sample App](https://github.com/Azure/communication-preview/tree/master/samples/AzureBotService-Sample-App), which showcases a 1:1 chat between the end user and chat bot, and uses BotFramework's WebChat UI component.

-| <input type="checkbox"/> | Parallel Queries | The Cosmos DB SDK supports [running queries in parallel](performance-tips-dotnet-sdk-v3-sql.md#sdk-usage) for better latency and throughput on your queries. We recommend setting the `MaxConcurrency` property within the `QueryRequestsOptions` to the number of partitions you have. If you are not aware of the number of partitions, start by using `int.MaxValue` which will give you the best latency. Then decrease the number until it fits the resource restrictions of the environment to avoid high CPU issues. Also, set the `MaxBufferedItemCount` to the expected number of results returned to limit the number of pre-fetched results. |

-| <input type="checkbox"/> | Parallel Queries | The Cosmos DB SDK supports [running queries in parallel](performance-tips-java-sdk-v4-sql.md#sdk-usage) for better latency and throughput on your queries. We recommend setting the `maxDegreeOfParallelism` property within the `CosmosQueryRequestsOptions` to the number of partitions you have. If you aren't aware of the number of partitions, set the value to `-1` that will give you the best latency. Also, set the `maxBufferedItemCount` to the expected number of results returned to limit the number of pre-fetched results. |

-**For query-intensive workloads, use Windows 64-bit instead of Linux or Windows 32-bit host processing**

-We recommend Windows 64-bit host processing for improved performance. The SQL SDK includes a native ServiceInterop.dll to parse and optimize queries locally. ServiceInterop.dll is supported only on the Windows x64 platform.

-For Linux and other unsupported platforms where ServiceInterop.dll isn't available, an additional network call is made to the gateway to get the optimized query.

-The four application types listed here use 32-bit host processing by default. To change host processing to 64-bit processing for your application type, do the following:

-> [!NOTE]

-> By default, new Visual Studio projects are set to **Any CPU**. We recommend that you set your project to **x64** so it doesn't switch to **x86**. A project that's set to **Any CPU** can easily switch to **x86** if an x86-only dependency is added.<br/>

-> The ServiceInterop.dll file needs to be in the folder that the SDK DLL is being executed from. This should be a concern only if you manually copy DLLs or have custom build or deployment systems.

-

-**Tune parallel queries for partitioned collections**

-SQL .NET SDK supports parallel queries, which enable you to query a partitioned container in parallel. For more information, see [code samples](https://github.com/Azure/azure-cosmos-dotnet-v3/blob/master/Microsoft.Azure.Cosmos.Samples/Usage/Queries/Program.cs) related to working with the SDKs. Parallel queries are designed to provide better query latency and throughput than their serial counterpart.

-Parallel queries provide two parameters that you can tune to fit your requirements:

- Parallel query works by querying multiple partitions in parallel. But data from an individual partition is fetched serially with respect to the query. Setting `MaxConcurrency` in [SDK V3](https://github.com/Azure/azure-cosmos-dotnet-v3) to the number of partitions has the best chance of achieving the most performant query, provided all other system conditions remain the same. If you don't know the number of partitions, you can set the degree of parallelism to a high number. The system will choose the minimum (number of partitions, user provided input) as the degree of parallelism.

- Parallel queries produce the most benefit if the data is evenly distributed across all partitions with respect to the query. If the partitioned collection is partitioned so that all or most of the data returned by a query is concentrated in a few partitions (one partition is the worst case), those partitions will bottleneck the performance of the query.

-

- Parallel query is designed to pre-fetch results while the current batch of results is being processed by the client. This pre-fetching helps improve the overall latency of a query. The `MaxBufferedItemCount` parameter limits the number of pre-fetched results. Set `MaxBufferedItemCount` to the expected number of results returned (or a higher number) to allow the query to receive the maximum benefit from pre-fetching.

- Pre-fetching works the same way regardless of the degree of parallelism, and there's a single buffer for the data from all partitions.

-**Implement backoff at RetryAfter intervals**

-During performance testing, you should increase load until a small rate of requests are throttled. If requests are throttled, the client application should back off throttling for the server-specified retry interval. Respecting the backoff helps ensure that you'll spend a minimal amount of time waiting between retries.

-For more information, see [RetryAfter](/dotnet/api/microsoft.azure.cosmos.cosmosexception.retryafter#Microsoft_Azure_Cosmos_CosmosException_RetryAfter).

-

-There's a mechanism for logging additional diagnostics information and troubleshooting latency issues, as shown in the following sample. You can log the diagnostics string for requests that have a higher read latency. The captured diagnostics string will help you understand how many times you received a *429* error for a given request.

-```csharp

-ItemResponse<Book> readItemResponse = await this.cosmosContainer.ReadItemAsync<Book>("ItemId", new PartitionKey("PartitionKeyValue"));

-readItemResponse.Diagnostics.ToString();

-```

-* **Tuning parallel queries for partitioned collections**

-Azure Cosmos DB Java SDK v4 supports parallel queries, which enable you to query a partitioned collection in parallel. For more information, see [code samples](https://github.com/Azure-Samples/azure-cosmos-java-sql-api-samples) related to working with Azure Cosmos DB Java SDK v4. Parallel queries are designed to improve query latency and throughput over their serial counterpart.

-* ***Tuning setMaxDegreeOfParallelism\:***

-

-Parallel queries work by querying multiple partitions in parallel. However, data from an individual partitioned collection is fetched serially with respect to the query. So, use setMaxDegreeOfParallelism to set the number of partitions that has the maximum chance of achieving the most performant query, provided all other system conditions remain the same. If you don't know the number of partitions, you can use setMaxDegreeOfParallelism to set a high number, and the system chooses the minimum (number of partitions, user provided input) as the maximum degree of parallelism.

-It is important to note that parallel queries produce the best benefits if the data is evenly distributed across all partitions with respect to the query. If the partitioned collection is partitioned such a way that all or a majority of the data returned by a query is concentrated in a few partitions (one partition in worst case), then the performance of the query would be bottlenecked by those partitions.

-* ***Tuning setMaxBufferedItemCount\:***

-

-Parallel query is designed to pre-fetch results while the current batch of results is being processed by the client. The pre-fetching helps in overall latency improvement of a query. setMaxBufferedItemCount limits the number of pre-fetched results. Setting setMaxBufferedItemCount to the expected number of results returned (or a higher number) enables the query to receive maximum benefit from pre-fetching.

-Pre-fetching works the same way irrespective of the MaxDegreeOfParallelism, and there is a single buffer for the data from all partitions.

-* **Tune the page size for queries/read feeds for better performance**

-When performing a bulk read of documents by using read feed functionality (for example, *readItems*) or when issuing a SQL query (*queryItems*), the results are returned in a segmented fashion if the result set is too large. By default, results are returned in chunks of 100 items or 1 MB, whichever limit is hit first.

-Suppose that your application issues a query to Azure Cosmos DB, and suppose that your application requires the full set of query results in order to complete its task. To reduce the number of network round trips required to retrieve all applicable results, you can increase the page size by adjusting the [x-ms-max-item-count](/rest/api/cosmos-db/common-cosmosdb-rest-request-headers) request header field.

-* For single-partition queries, adjusting the [x-ms-max-item-count](/rest/api/cosmos-db/common-cosmosdb-rest-request-headers) field value to -1 (no limit on page size) maximizes latency by minimizing the number of query response pages: either the full result set will return in a single page, or if the query takes longer than the timeout interval, then the full result set will be returned in the minimum number of pages possible. This saves on multiples of the request round-trip time.

-

-* For cross-partition queries, setting the [x-ms-max-item-count](/rest/api/cosmos-db/common-cosmosdb-rest-request-headers) field to -1 and removing the page size limit risks overwhelming the SDK with unmanageable page sizes. In the cross-partition case we recommend raising the page size limit up to some large but finite value, perhaps 1000, to reduce latency.

-

-In some applications, you may not require the full set of query results. In cases where you need to display only a few results, for example, if your user interface or application API returns only 10 results at a time, you can also decrease the page size to 10 to reduce the throughput consumed for reads and queries.

-You may also set the preferred page size argument of the *byPage* method, rather than modifying the REST header field directly. Keep in mind that [x-ms-max-item-count](/rest/api/cosmos-db/common-cosmosdb-rest-request-headers) or the preferred page size argument of *byPage* are only setting an upper limit on page size, not an absolute requirement; so for a variety of reason you may see Azure Cosmos DB return pages which are smaller than your preferred page size.

-**For query-intensive workloads, use Windows 64-bit instead of Linux or Windows 32-bit host processing**

-We recommend Windows 64-bit host processing for improved performance. The SQL SDK includes a native ServiceInterop.dll to parse and optimize queries locally. ServiceInterop.dll is supported only on the Windows x64 platform. For Linux and other unsupported platforms where ServiceInterop.dll isn't available, an additional network call is made to the gateway to get the optimized query. The following types of applications use 32-bit host processing by default. To change host processing to 64-bit processing, follow these steps, based on the type of your application:

-> [!NOTE]

-> By default, new Visual Studio projects are set to **Any CPU**. We recommend that you set your project to **x64** so it doesn't switch to **x86**. A project set to **Any CPU** can easily switch to **x86** if an x86-only dependency is added.<br/>

-> ServiceInterop.dll needs to be in the folder that the SDK DLL is being executed from. This should be a concern only if you manually copy DLLs or have custom build/deployment systems.

-

-**Tune parallel queries for partitioned collections**

-SQL .NET SDK 1.9.0 and later support parallel queries, which enable you to query a partitioned collection in parallel. For more information, see [code samples](https://github.com/Azure/azure-cosmos-dotnet-v2/blob/master/samples/code-samples/Queries/Program.cs) related to working with the SDKs. Parallel queries are designed to provide better query latency and throughput than their serial counterpart. Parallel queries provide two parameters that you can tune to fit your requirements:

-***Tuning degree of parallelism***

-Parallel query works by querying multiple partitions in parallel. But data from an individual partition is fetched serially with respect to the query. Setting `MaxDegreeOfParallelism` in [SDK V2](sql-api-sdk-dotnet.md) to the number of partitions has the best chance of achieving the most performant query, provided all other system conditions remain the same. If you don't know the number of partitions, you can set the degree of parallelism to a high number. The system will choose the minimum (number of partitions, user provided input) as the degree of parallelism.

-Parallel queries produce the most benefit if the data is evenly distributed across all partitions with respect to the query. If the partitioned collection is partitioned so that all or most of the data returned by a query is concentrated in a few partitions (one partition is the worst case), those partitions will bottleneck the performance of the query.

-***Tuning MaxBufferedItemCount***

-

-Parallel query is designed to pre-fetch results while the current batch of results is being processed by the client. This pre-fetching helps improve the overall latency of a query. The `MaxBufferedItemCount` parameter limits the number of pre-fetched results. Set `MaxBufferedItemCount` to the expected number of results returned (or a higher number) to allow the query to receive the maximum benefit from pre-fetching.

-Pre-fetching works the same way regardless of the degree of parallelism, and there's a single buffer for the data from all partitions.

-**Tune the page size for queries/read feeds for better performance**

-When you do a bulk read of documents by using read feed functionality (for example, `ReadDocumentFeedAsync`) or when you issue a SQL query, the results are returned in a segmented fashion if the result set is too large. By default, results are returned in chunks of 100 items or 1 MB, whichever limit is hit first.

-To reduce the number of network round trips required to retrieve all applicable results, you can increase the page size by using [x-ms-max-item-count](/rest/api/cosmos-db/common-cosmosdb-rest-request-headers) to request as many as 1,000 headers. When you need to display only a few results, for example, if your user interface or application API returns only 10 results at a time, you can also decrease the page size to 10 to reduce the throughput consumed for reads and queries.

-> [!NOTE]

-> The `maxItemCount` property shouldn't be used just for pagination. Its main use is to improve the performance of queries by reducing the maximum number of items returned in a single page.

-You can also set the page size by using the available Azure Cosmos DB SDKs. The [MaxItemCount](/dotnet/api/microsoft.azure.documents.client.feedoptions.maxitemcount) property in `FeedOptions` allows you to set the maximum number of items to be returned in the enumeration operation. When `maxItemCount` is set to -1, the SDK automatically finds the optimal value, depending on the document size. For example:

-

-```csharp

-IQueryable<dynamic> authorResults = client.CreateDocumentQuery(documentCollection.SelfLink, "SELECT p.Author FROM Pages p WHERE p.Title = 'About Seattle'", new FeedOptions { MaxItemCount = 1000 });

-```

-

-When a query is executed, the resulting data is sent within a TCP packet. If you specify too low a value for `maxItemCount`, the number of trips required to send the data within the TCP packet is high, which affects performance. So if you're not sure what value to set for the `maxItemCount` property, it's best to set it to -1 and let the SDK choose the default value.

- logger.info("Query Item diagnostics through handler : {}",

-CosmosDatabaseResponse cosmosDatabaseResponse = databaseResponseMono.block();

-

-CosmosDiagnostics diagnostics = cosmosDatabaseResponse.getDiagnostics();

-logger.info("Create database diagnostics : {}", diagnostics);

-CosmosContainerResponse cosmosContainerResponse = containerResponseMono.block();

-CosmosDiagnostics diagnostics = cosmosContainerResponse.getDiagnostics();

-logger.info("Create container diagnostics : {}", diagnostics);

-CosmosItemResponse<Family> itemResponse = itemResponseMono.block();

-CosmosDiagnostics diagnostics = itemResponse.getDiagnostics();

-logger.info("Create item diagnostics : {}", diagnostics);

-CosmosItemResponse<Family> familyCosmosItemResponse = itemResponseMono.block();

-CosmosDiagnostics diagnostics = familyCosmosItemResponse.getDiagnostics();

-logger.info("Read item diagnostics : {}", diagnostics);

- logger.info("Query Item diagnostics through handler : {}",

-filteredFamilies.byPage().toIterable().forEach(familyFeedResponse -> {

- logger.info("Query item diagnostics through iterableByPage : {}",

-});

- :::image type="content" source="./media/review-security-recommendations/recommendation-details-page.png" alt-text="Recommendation details page." lightbox="./media/review-security-recommendations/recommendation-details-page-expanded.png":::

- :::image type="content" source="media/review-security-recommendations/download-csv.png" alt-text="Screenshot showing you where to select the Download CSV report from.":::

- > [!NOTE]

- > Don't alter the password recovery file. It's a signed file, and will not work if tampered with.

- > [!NOTE]

- > Don't alter the password recovery file. It's a signed file and won't work if you tamper with it.

-description: Learn how to troubleshoot issues that occur when applying artifacts in an Azure DevTest Labs virtual machine.

-# Troubleshoot issues when applying artifacts in an Azure DevTest Labs virtual machine

-Applying artifacts on a virtual machine can fail for various reasons. This article guides you through some of the methods to help identify possible causes.

-If you need more help at any point in this article, you can contact the Azure DevTest Labs (DTL) experts on the [MSDN Azure and Stack Overflow forums](https://azure.microsoft.com/support/forums/). You can also file an Azure support incident. Go to the [Azure support site](https://azure.microsoft.com/support/options/) and select Get Support.

-> [!NOTE]

-> This article applies to both Windows and non-Windows virtual machines. While there are some differences, they will be called out explicitly in this article.

-## Quick troubleshooting steps

-Check that the VM is running. DevTest Labs requires the VM to be running and that the [Microsoft Azure Virtual Machine Agent (VM Agent)](../virtual-machines/extensions/agent-windows.md) is installed and ready.

-> [!TIP]

-> In the **Azure portal**, navigate to the **Manage artifacts** page for the VM to see if the VM is ready for applying artifacts. You see a message at the very top of that page.

->

-> Using **Azure PowerShell**, inspect the flag **canApplyArtifacts**, which is returned only when you expand on a GET operation. See the following example command:

-## Ways to troubleshoot

-You can troubleshoot VMs created using DevTest Labs and the Resource Manager deployment model by using one of the following methods:

-> [!TIP]

-> For more information on how to review artifact execution within a VM, see [Diagnose artifact failures in the lab](devtest-lab-troubleshoot-artifact-failure.md).

-## Symptoms, causes, and potential resolutions

-### Artifact appears to stop responding

-An artifact appears to stop responding until a pre-defined timeout period expires, and the artifact is marked as **Failed**.

-When an artifact appears to stop responding, first determine where it's stuck. An artifact can be blocked at any of the following steps during execution:

- - You can access the activity log from the lab VM page navigation bar. When you select it, you see an entry for either **applying artifacts to virtual machine** (if the apply artifacts operation was triggered directly) or **Add or modify virtual machines** (if the applying artifacts operation was part of the VM creation process).

- - Look for errors under these entries. Sometimes, the error won't be tagged, so you'll have to investigate each entry.

- - When investigating the details of each entry, make sure to review the contents of the JSON payload. You may see an error at the bottom of that document.

- - A PowerShell script has **mandatory parameters**, but one fails to pass a value to it, either because you allow the user to leave it blank, or because you donΓÇÖt have a default value for the property in the artifactfile.json definition file. The script will stop responding because it's awaiting user input.

- - A PowerShell script **requires user input** as part of execution. Scripts must be written to work silently without requiring any user intervention.

-### To verify if the artifact appears to stop responding because of the script

-1. Sign in to the virtual machine in question.

-2. Copy the script locally in the virtual machine or locate it on the virtual machine under `C:\Packages\Plugins\Microsoft.Compute.CustomScriptExtension\<version>`. It's the location where the artifact scripts are downloaded.

-3. Using an elevated command prompt, execute the script locally, providing the same parameter values used to cause the issue.

-4. Determine if the script suffers from any unwanted behavior. If so, either request an update to the artifact (if it is from the public repo); or, make the corrections yourself (if it is from your private repo).

-> [!TIP]

-> You can correct issues with artifacts hosted in our [public repo](https://github.com/Azure/azure-devtestlab) and submit the changes for our review and approval. See the **Contributions** section in the [README.md](https://github.com/Azure/azure-devtestlab/blob/master/Artifacts/README.md) document.

->

-> For information about writing your own artifacts, see [AUTHORING.md](https://github.com/Azure/azure-devtestlab/blob/master/Artifacts/AUTHORING.md) document.

-### To verify if the artifact appears to stop responding because of the VM Agent:

-1. Sign in to the virtual machine in question.

-2. Using File Explorer navigate to **C:\WindowsAzure\logs**.

-3. Locate and open file **WaAppAgent.log**.

-4. Look for entries that show when the VM Agent starts and when it's finishing initialization: the first sent heartbeat. Favor newer entries or specifically the ones around the time period for which you experience the issue.

- ```

- [00000006] [11/14/2019 05:52:13.44] [INFO] WindowsAzureGuestAgent starting. Version 2.7.41491.949

- ...

- [00000006] [11/14/2019 05:52:31.77] [WARN] Waiting for OOBE to Complete ...

- ...

- [00000006] [11/14/2019 06:02:30.43] [WARN] Waiting for OOBE to Complete ...

- [00000006] [11/14/2019 06:02:33.43] [INFO] StateExecutor initialization completed.

- [00000020] [11/14/2019 06:02:33.43] [HEART] WindowsAzureGuestAgent Heartbeat.

- ```

- In this example, the VM Agent start time took 10 minutes and 20 seconds because a heartbeat was sent. The cause in this case was the OOBE service taking a long time to start.

-> [!TIP]

-> For general information about Azure extensions, see [Azure virtual machine extensions and features](../virtual-machines/extensions/overview.md).

-## Storage errors

-DevTest Labs requires access to the labΓÇÖs storage account that is created to cache artifacts. When DevTest Labs applies an artifact, it will read the artifact configuration and its files from the configured repositories. By default, DevTest Labs configures access to the **public artifact repo**.

-Depending on how a VM is configured, it may not have direct access to this repo. By design, DevTest Labs caches the artifacts in a storage account that's created when the lab first initializes.

-If access to this storage account is blocked in any way, as when traffic is blocked from the VM to the Azure Storage service, you may see an error similar to the following one:

-```shell

-CSE Error: Failed to download all specified files. Exiting. Exception: Microsoft.WindowsAzure.Storage.StorageException: The remote server returned an error: (403) Forbidden. > System.Net.WebException: The remote server returned an error: (403) Forbidden.

-```

-The above error would appear in the **Deployment Message** section in the **Artifact results** page under **Manage artifacts**. It will also appear in the **Activity Logs** under the resource group of the virtual machine in question.

-### To ensure communication to the Azure Storage service isn't being blocked:

- 1. Navigate to the labΓÇÖs resource group.

- 2. Locate the resource of type **storage account**, whose name matches the convention.

- 3. Navigate to the storage account page called **Firewalls and virtual networks**.

- 4. Ensure that it's set to **All networks**. If the **Selected networks** option is selected, then ensure that the labΓÇÖs virtual networks used to create VMs are added to the list.

-For more in-depth troubleshooting, see [Configure Azure Storage firewalls and virtual networks](../storage/common/storage-network-security.md).

-> [!TIP]

-> **Verify network security group rules**. Use [IP flow verify](../network-watcher/diagnose-vm-network-traffic-filtering-problem.md#use-ip-flow-verify) to confirm that a rule in a network security group is blocking traffic to or from a virtual machine. You can also review effective security group rules to ensure inbound **Allow** NSG rule exists. For more information, see [Using effective security rules to troubleshoot VM traffic flow](../virtual-network/diagnose-network-traffic-filter-problem.md).

-## Other sources of error

-There are other infrequent possible sources of error. Make sure to evaluate each to see if it applies to your case. Here's one of them:

-If you don't see your problem here or you can't resolve your issue, try one of the following channels for support:

-* Get answers from Azure experts through [Azure Forums](https://azure.microsoft.com/support/forums/).

-* Connect with [@AzureSupport](https://twitter.com/azuresupport), the official Microsoft Azure account for improving customer experience. Azure Support connects the Azure community to answers, support, and experts.

-* File an Azure support incident. Go to the [Azure support site](https://azure.microsoft.com/support/options/), and select **Get Support**.

-description: DevTest Labs provide information that you can use to diagnose an artifact failure. This article shows you how to troubleshoot artifact failures.

-# Diagnose artifact failures in the lab

-After you have created an artifact, you can check to see whether it succeeded or failed. Artifact logs in Azure DevTest Labs provide information that you can use to diagnose an artifact failure. You have a couple of options for viewing the artifact log information for a Windows VM:

-* In the Azure portal

-* In the VM

-> [!NOTE]

-> To ensure that failures are correctly identified and explained, it's important that the artifact has the proper structure. For information about how to correctly construct an artifact, see [Create custom artifacts](devtest-lab-artifact-author.md). To see an example of a properly structured artifact, check out the [Test parameter types](https://github.com/Azure/azure-devtestlab/tree/master/Artifacts/windows-test-paramtypes) artifact.

-## Troubleshoot artifact failures by using the Azure portal

-1. In the Azure portal, in your list of resources, select your lab.

-2. Choose the Windows VM that includes the artifact that you want to investigate.

-3. In the left panel, under **GENERAL**, select **Artifacts**. A list of artifacts associated with that VM appears. The name of the artifact and the artifact status are indicated.

- 

-4. Select an artifact that shows a **Failed** status. The artifact opens. An extension message that includes details about the failure of the artifact is displayed.

- 

-## Troubleshoot artifact failures from within the virtual machine

-1. Sign in to the VM that contains the artifact you want to diagnose.

-2. Go to C:\Packages\Plugins\Microsoft.Compute.CustomScriptExtension\\*1.9*\Status, where *1.9* is the Azure Custom Script Extension version number.

- 

-3. Open the **status** file.

-For instructions on finding the log files on a **Linux** VM, see the following article: [Use the Azure Custom Script Extension Version 2 with Linux virtual machines](../virtual-machines/extensions/custom-script-linux.md#troubleshooting)

-## Related blog posts

-* [Join a VM to an existing Active Directory domain by using a Resource Manager template in DevTest Labs](https://www.visualstudiogeeks.com/blog/DevOps/Join-a-VM-to-existing-AD-domain-using-ARM-template-AzureDevTestLabs)

-## Next steps

-* Learn how to [add a Git repository to a lab](devtest-lab-add-artifact-repo.md).

-DevTest Labs creates environments by using preconfigured Azure Resource Manager (ARM) templates from Git repositories. Keeping the ARM templates under source control promotes consistent environment deployment and management.

-You can also create or configure your own ARM environment templates, store them in private Git repositories, and connect those repositories to labs. For more information, see [Use Azure Resource Manager (ARM) templates in Azure DevTest Labs](devtest-lab-use-arm-and-powershell-for-lab-resources.md).

-### Existing virtual network

-### Nested templates

-is enrolled in Azure Security Center, the resource provider is registered

-

->

-> input_containers[c] {

-> c := input.review.object.spec.initContainers[_]

-To link a custom Regulatory Compliance initiative to your Azure Security Center dashboard, see

-[Azure Security Center - Using custom security policies](../../../security-center/custom-security-policies.md).

- - Monitor missing Endpoint Protection in Azure Security Center

- [More details](/azure/devops/pipelines/release/deploy-using-approvals.md#configure-gate).

-| AND | `&`, `+` | `wifi + luxury` | Specifies terms that a match must contain. In the example, the query engine will look for documents containing both `wifi` and `luxury`. The plus character (`+`) is used for required terms. For example, `+wifi +luxury` stipulates that both terms must appear somewhere in the field of a single document.|

-| OR | `|` | `wifi | luxury` | Finds a match when either term is found. In the example, the query engine will return match on documents containing either `wifi` or `luxury` or both. Because OR is the default conjunction operator, you could also leave it out, such that `wifi luxury` is the equivalent of `wifi | luxury`.|

-| NOT | `!`, `-` | `wifi ΓÇôluxury` | Returns matches on documents that exclude the term. For example, `wifi ΓÇôluxury` will search for documents that have the `wifi` term but not `luxury`. <br/><br/>The `searchMode` parameter on a query request controls whether a term with the NOT operator is ANDed or ORed with other terms in the query (assuming there's no `+` or `|` operator on the other terms). Valid values include `any` or `all`. <br/><br/>`searchMode=any` increases the recall of queries by including more results, and by default `-` will be interpreted as "OR NOT". For example, `wifi -luxury` will match documents that either contain the term `wifi` or those that don't contain the term `luxury`. <br/><br/>`searchMode=all` increases the precision of queries by including fewer results, and by default - will be interpreted as "AND NOT". For example, `wifi -luxury` will match documents that contain the term `wifi` and don't contain the term "luxury". This is arguably a more intuitive behavior for the `-` operator. Therefore, you should consider using `searchMode=all` instead of `searchMode=any` if you want to optimize searches for precision instead of recall, *and* Your users frequently use the `-` operator in searches.<br/><br/>When deciding on a `searchMode` setting, consider the user interaction patterns for queries in various applications. Users who are searching for information are more likely to include an operator in a query, as opposed to e-commerce sites that have more built-in navigation structures. |

-| `-` | `pool ΓÇô ocean` | A NOT operation returns matches on documents that exclude the term. </p>To get the expected behavior on a NOT expression, consider setting `"searchMode=all"` on the request. Otherwise, under the default of `"searchMode=any"`, you will get matches on `pool`, plus matches on all documents that do not contain `ocean`, which could be a lot of documents. The "searchMode" parameter on a query request controls whether a term with the NOT operator is ANDed or ORed with other terms in the query (assuming there is no `+` or `|` operator on the other terms). Using `"searchMode=all"` increases the precision of queries by including fewer results, and by default - will be interpreted as "AND NOT". </p>When deciding on a "searchMode" setting, consider the user interaction patterns for queries in various applications. Users who are searching for information are more likely to include an operator in a query, as opposed to e-commerce sites that have more built-in navigation structures. |

-You can set up Site Recovery alerts based on Azure Monitor data. [Learn more](../azure-monitor/alerts/alerts-log.md#create-a-log-alert-rule-in-the-azure-portal) about setting up log alerts.

-In this how-to article, you learned how to manage containers in Azure blob storage. To learn more about working with blob storage by using Azure CLI, explore Azure CLI samples for Blob storage.

-By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action.

-> Making changes to network rules can impact your applications' ability to connect to Azure Storage. Setting the default network rule to **deny** blocks all access to the data unless specific network rules that **grant** access are also applied. Be sure to grant access to any allowed networks using network rules before you change the default rule to deny access.

-### Managing default network access rules

-You can manage default network access rules for storage accounts through the Azure portal, PowerShell, or CLIv2.

-#### [Portal](#tab/azure-portal)

-2. Select on the settings menu called **Networking**.

-3. To deny access by default, choose to allow access from **Selected networks**. To allow traffic from all networks, choose to allow access from **All networks**.

-#### [PowerShell](#tab/azure-powershell)

-2. Display the status of the default rule for the storage account.

- ```powershell

- (Get-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount").DefaultAction

- ```

-3. Set the default rule to deny network access by default.

- ```powershell

- Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -DefaultAction Deny

- ```

-4. Set the default rule to allow network access by default.

- ```powershell

- Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -DefaultAction Allow

- ```

-#### [Azure CLI](#tab/azure-cli)

-2. Display the status of the default rule for the storage account.

- ```azurecli

- az storage account show --resource-group "myresourcegroup" --name "mystorageaccount" --query networkRuleSet.defaultAction

- ```

-3. Set the default rule to deny network access by default.

- ```azurecli

- az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --default-action Deny

- ```

-4. Set the default rule to allow network access by default.

- ```azurecli

- az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --default-action Allow

- ```

-For more information about the Parquet file type, read the [Parquet documentation](https://parquet.apache.org/documentation/latest/).

-| Standard_DC1s_v3 | 1 | 8 | N/A | 4 | 2 | 4 |

-| Standard_DC2s_v3 | 2 | 16 | N/A | 8 | 2 | 8 |

-| Standard_DC4s_v3 | 4 | 32 | N/A | 16 | 4 | 16 |

-| Standard_DC8s_v3 | 8 | 64 | N/A | 32 | 8 | 32 |

-| Standard_DC16s_v3 | 16 | 128 | N/A | 32 | 8 | 64 |

-| Standard_DC24s_v3 | 24 | 192 | N/A | 32 | 8 | 128 |

-| Standard_DC32s_v3 | 32 | 256 | N/A | 32 | 8 | 192 |

-| Standard_DC48s_v3 | 48 | 384 | N/A | 32 | 8 | 256 |