- "objectId": "11111111-0000-0000-0000-000000000000",

- "objectId": "11111111-0000-0000-0000-000000000000",

-Azure AD B2C's [Go-Local add-on](data-residency.md#go-local-add-on) enables you to create Azure AD B2C tenant within the country you choose when you [create your Azure AD B2C](tutorial-create-tenant.md). *Go-Local* refers to MicrosoftΓÇÖs commitment to allow some customers to configure some services to store their data at rest in the Geo of the customerΓÇÖs choice, typically a country. This feature isn't available in all countries.

-| [Go-Local add-on](data-residency.md#go-local-add-on) | Preview | Azure AD B2C's [Go-Local add-on](data-residency.md#go-local-add-on) enables you to create Azure AD B2C tenant within the country you choose when you [create your Azure AD B2C](tutorial-create-tenant.md). |

-If you enable [Go-Local add-on](#go-local-add-on), you can store your data exclusively in a specific country.

-To find the exact location where your data is located per region or country, refer to [where Azure Active Directory data is located](https://aka.ms/aaddatamap)service.

-*Go-Local* refers to MicrosoftΓÇÖs commitment to allow some customers to configure some services to store their data at rest in the Geo of the customerΓÇÖs choice, typically a country. Go-Local is as way fulfilling corporate policies and compliance requirements. You choose the country where you want to store your data when you [create your Azure AD B2C](tutorial-create-tenant.md).

-At the moment, the following countries have the local data residence option:

- - For **Location**, select your country from the list. If the country you select has a [Go-Local add-on](data-residency.md#go-local-add-on) option, such as Japan or Australia, and you want to store your data exclusively within that country, select the **Store Azure AD Core Store data, components and service data in the location selected above** checkbox. Go-Local add-on is a paid add-on whose charge is added to your Azure AD B2C Premium P1 or P2 licenses charges, see [Billing model](billing.md#about-go-local-add-on). You can't change the data residency region after you create your Azure AD B2C tenant.

- 1. [Download](https://aka.ms/OnPremProvisioningAgent) the provisioning agent and copy it onto the virtual machine or server that your SCIM application endpoint is hosted on.

- 6. In the **Tenant URL** field, provide the SCIM endpoint URL for your application. The URL is typically unique to each target application and must be resolveable by DNS. An example for a scenario where the agent is installed on the same host as the application is https://localhost:8585/scim 

-to communicate with the Active Directory domains. If you want to use a non-GMSA service account for provisioning, you can [skip GMSA configuration](../cloud-sync/how-to-manage-registry-options.md#skip-gmsa-configuration) and specify your service account during configuration.

-For example: In the diagram below, the provisioning apps are setup for each geographic region: North America (NA), Europe, Middle East and Africa (EMEA) and Asia Pacific (APAC). Depending on the location, users are provisioned to the respective AD domain. Delegated administration of the provisioning app is possible so that *EMEA administrators* can independently manage the provisioning configuration of users belonging to the EMEA region.

-For example: In the diagram below, the provisioning apps are setup for each geographic region: North America (NA), Europe, Middle East and Africa (EMEA) and Asia Pacific (APAC). Depending on the location, users are provisioned to the respective AD domain. Cross-domain manager references and forest-wide lookup is handled by enabling referral chasing on the provisioning agent.

-For example: In the diagram below, a single provisioning app manages users present in three different child domains grouped by region: North America (NA), Europe, Middle East and Africa (EMEA) and Asia Pacific (APAC). The attribute mapping for *parentDistinguishedName* is used to dynamically create a user in the appropriate child domain. Cross-domain manager references and forest-wide lookup is handled by enabling referral chasing on the provisioning agent.

-## Skip GMSA configuration

-With agent version 1.1.281.0+, by default, when you run the agent configuration wizard, you are prompted to setup [Group Managed Service Account (GMSA)](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview). The GMSA setup by the wizard is used at runtime for all sync and provisioning operations.

-If you are upgrading from a prior version of the agent and have setup a custom service account with delegated OU-level permissions specific to your Active Directory topology, you may want to skip/postpone GMSA configuration and plan for this change.

-> [!NOTE]

-> This guidance specifically applies to customers who have configured HR (Workday/SuccessFactors) inbound provisioning with agent versions prior to 1.1.281.0 and have setup a custom service account for agent operations. In the long run, we recommend switching to GMSA as a best practice.

-In this scenario, you can still upgrade the agent binaries and skip the GMSA configuration using the following steps:

-1. Log on as Administrator on the Windows server running the Azure AD Connect Provisioning Agent.

-1. Run the agent installer to install the new agent binaries. Close the agent configuration wizard which opens up automatically after the installation is successful.

-1. Use the *Run* menu item to open the registry editor (regedit.exe)

-1. Locate the key folder **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent**

-1. Right-click and select "New -> DWORD Value"

-1. Provide the name:

- `UseCredentials`

-1. Double-click on the **Value Name** and enter the value data as `1`.

- > [!div class="mx-imgBorder"]

- > 

-1. Restart the Azure AD Connect Provisioning Service from the *Services* console.

-1. If you have deployed multiple provisioning agents, apply this registry change to all agents for consistency.

-1. From the desktop short cut, run the agent configuration wizard. The wizard will skip the GMSA configuration.

-1. Select the types of [guest or external users](../external-identities/authentication-conditional-access.md#assigning-conditional-access-policies-to-external-user-types-preview) you want to apply the policy to.

- .AddDownstreamApi("MyApi", Configuration.GetSection("GraphBeta"))

-### Assigning Conditional Access policies to external user types (preview)

-> [!NOTE]

-> This section describes a preview feature of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-You also have the ability to apply authentication strength to the different types of [guest or external users](#assigning-conditional-access-policies-to-external-user-types-preview) that you collaborate or connect with. This means you can enforce authentication strength requirements that are unique to your B2B collaboration, B2B direct connect, and other external access scenarios.

-1. On the **Users and groups** page, choose **Select users and groups**, and then choose **Guest or external users**. You can assign the policy to different [external user types](authentication-conditional-access.md#assigning-conditional-access-policies-to-external-user-types-preview), built-in [directory roles](../conditional-access/concept-conditional-access-users-groups.md#include-users), or users and groups.

-Today, your organization requires a slew of applications (apps) for users to get work done. You likely continue to add, develop, or retire apps every day. Users access these applications from a vast range of corporate and personal devices, and locations. They open apps in many ways, including:

-

-### Manage risk

-Safeguarding your apps requires that you have a full view of all the risk factors. Migrating your apps to Azure AD consolidates your security solutions. With it you can:

-Your organization may have multiple Identity Access Management (IAM) solutions in place. Migrating to one Azure AD infrastructure is an opportunity to reduce dependencies on IAM licenses (on-premises or in the cloud) and infrastructure costs. In cases where you may have already paid for Azure AD via Microsoft 365 licenses, there's no reason to pay the added cost of another IAM solution.

-With Azure AD, you can reduce infrastructure costs by providing secure remote access to on-premises apps using [Azure AD Application Proxy](../app-proxy/application-proxy.md).

- - Faster onboarding of new applications from the Azure AD app gallery.

- - [Automate provisioning](../app-provisioning/user-provisioning.md) of user accounts (in [Azure AD Gallery](https://azuremarketplace.microsoft.com/marketplace/apps/category/azure-active-directory-apps))based on Azure AD identities

- - Access all your apps from MyApps panel in the [Azure portal](https://portal.azure.com/)

- - Using Azure AD Lifecycle workflows automate onboarding or offboarding, which was previously done with scripts.

-To comply with regulatory requirements, enforce corporate access policies and monitor user access to applications and associated data using integrated audit tools and APIs. With Azure AD, you can monitor application sign-ins through reports that use [Security Incident and Event Monitoring (SIEM) tools](../reports-monitoring/plan-monitoring-and-reporting.md). You can access the reports from the portal or APIs, and programmatically audit who has access to your applications and remove access to inactive users via access reviews.

-Application migration is a team effort, and you need to ensure that you have all the vital positions filled. Support from senior business leaders is important. Ensure that you involve the right set of executive sponsors, business decision-makers, and subject matter experts (SMEs.)

-| **Identity Architect / Azure AD App Administrator** | They're responsible for the following:<br /> - design the solution in cooperation with stakeholders<br /> - document the solution design and operational procedures for handoff to the operations team<br /> - manage the pre-production and production environments |

-Based on the communication strategy that you have chosen for the app you may want to remind users of the pending downtime. You should also verify that there are no recent changes or business impacts that would require to postpone the deployment.

-In the following table you find the minimum suggested communication to keep your stakeholders informed:

-There are two main categories of users of your apps and resources that Azure AD supports.

-The following are our customer and partnerΓÇÖs success stories, and suggested best practices:

-The first decision point in an application migration is which apps to migrate, which if any should remain, and which apps to deprecate. There is always an opportunity to deprecate the apps that you won't use in your organization. There are several ways to find apps in your organization. While discovering apps, ensure you include in-development and planned apps. Use Azure AD for authentication in all future apps.

-Using Active Directory Federation Services (AD FS) to gather a correct app inventory:

-For other identity providers (such as Okta or Ping), you can use their tools to export the application inventory.

- - You can find all the apps running on Microsoft IIS from the Windows command line using [AppCmd.exe](/iis/get-started/getting-started-with-iis/getting-started-with-appcmdexe#working-with-sites-applications-virtual-directories-and-application-pools).

- - Use [Applications](/previous-versions/azure/ad/graph/api/entity-and-complex-type-reference#application-entity) and [Service Principals](/previous-versions/azure/ad/graph/api/entity-and-complex-type-reference#serviceprincipal-entity) to get your information on web apps and app instance in a directory in Azure AD.

-### Using manual processes

-Once you have taken the automated approaches described in this article, you have a good handle on your applications. However, you might consider doing the following to ensure you have good coverage across all user access areas:

-We recommend you search and add applications from the [Azure AD app gallery](https://azuremarketplace.microsoft.com/marketplace/apps/category/azure-active-directory-apps). If you donΓÇÖt find them in the gallery, you can still add custom SAML or OIDC apps to Azure AD.

-Start by extending these apps into the cloud through our [Secure Hybrid Access (SHA) partner integrations](secure-hybrid-access.md) with application delivery controllers that you might have deployed already.

-You usually develop LoB apps for your organizationΓÇÖs in-house use. If you have new apps in the pipeline, we recommend using the [Microsoft Identity Platform](../develop/v2-overview.md) to implement OpenID Connect.

- - What systems those apps connect to

- - From where and on what devices users access them

- - Whether they'll be migrated, deprecated, or connected with [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md).

-> [!NOTE]

-> You can download the [Application Discovery Worksheet](https://download.microsoft.com/download/2/8/3/283F995C-5169-43A0-B81D-B0ED539FB3DD/Application%20Discovery%20worksheet.xlsx) to record the applications that you want to migrate to Azure AD authentication.

-Classifying the migration of your apps is an important exercise. Not every app needs to be migrated and transitioned at the same time. Once you have collected information about each of the apps, you can rationalize which apps should be migrated first and which may take added time.

-Once you have determined values for business criticality and usage, you can then determine the **application lifespan**, and create a matrix of priority. See one such matrix below:

-In a scenario where you may not have experience using Azure AD and Identity services, consider moving your **lowest priority apps** to Azure AD first. This minimizes your business impact, and you can build momentum. Once you have successfully moved these apps and have gained the stakeholderΓÇÖs confidence, you can continue to migrate the other apps.

-If there is no clear priority, you should consider moving the apps that are in the [Azure AD Gallery](https://azuremarketplace.microsoft.com/marketplace/apps/category/azure-active-directory-apps) first and support multiple identity providers because they are easier to integrate. It is likely that these apps are the **highest-priority apps** in your organization. To help integrate your SaaS applications with Azure AD, we have developed a collection of [tutorials](../saas-apps/tutorial-list.md) that walk you through configuration.

-When you have a deadline to migrate the apps, these highest priority apps bucket takes the major workload. You can eventually select the lower priority apps as they won't change the cost even though you have moved the deadline.

-Once you have classified your application and documented the details, then be sure to gain business owner buy-in to your planned migration strategy.

-Many SaaS app vendors charge for changing the SSO connection. Check with them and plan for this.

-Business critical and universally used applications may need a group of pilot users to test the app in the pilot stage. Once you have tested an app in the pre-production or pilot environment, ensure that app business owners sign off on performance prior to the migration of the app and all users to production use of Azure AD for authentication.

-Before you initiate the migration process, take time to fully consider the security posture you wish to develop for your corporate identity system. This is based on gathering these valuable sets of information: **Identities, devices, and locations that are accessing your data.**

-### Who is accessing your data?

-There are two main categories of users of your apps and resources that Azure AD supports:

-You can define groups for these users and populate these groups in diverse ways. You may choose that an administrator must manually add members into a group, or you can enable self-service group membership. Rules can be established that automatically add members into groups based on the specified criteria using [dynamic groups](../enterprise-users/groups-dynamic-membership.md).

-External users may also refer to customers. [Azure AD B2C](../../active-directory-b2c/overview.md), a separate product supports customer authentication. However, it is outside the scope of this paper.

-You are successful in this phase when you:

- - Have fully documented the apps you intend to migrate

- - Have prioritized apps based on business criticality, usage volume, and lifespan

-Once you have gained business buy-in, the next step is to start migrating these apps to Azure AD authentication.

-Use the tools and guidance below to follow the precise steps needed to migrate your applications to Azure AD:

-During the process of the migration, your app may already have a test environment used during regular deployments. You can continue to use this environment for migration testing. If a test environment is not currently available, you may be able to set one up using Azure App Service or Azure Virtual Machines, depending on the architecture of the application. You may choose to set up a separate test Azure AD tenant to use as you develop your app configurations. This tenant will start in a clean state and won't be configured to sync with any system.

-Once you have migrated the apps, go to the [Azure portal](https://portal.azure.com/) to test if the migration was a success. Follow the instructions below:

-| **OAuth / OpenID Connect** | Select **Enterprise applications &gt; Permissions** and ensure you have consented to the application to be used in your organization in the user settings for your app. |

-You can test each app by logging in with a test user and make sure all functionality is the same as prior to the migration. If you determine during testing that users will need to update their [MFA](../authentication/howto-mfa-userstates.md) or [SSPR](../authentication/tutorial-enable-sspr.md)settings, or you are adding this functionality during the migration, be sure to add that to your end-user communication plan. See [MFA](https://aka.ms/mfatemplates) and [SSPR](https://aka.ms/ssprtemplates) end-user communication templates.

-You are successful in this phase when you have:

-Once you have migrated the apps, you can enrich your userΓÇÖs experience in many ways

-You can guide your users on how to discover their apps:

-### Make apps accessible

-#### Let users access apps from their mobile devices

-Users can access the MyApps portal with Intune-managed browser on their [iOS](./hide-application-from-user-portal.md) 7.0 or later or [Android](./hide-application-from-user-portal.md) devices.

-Users can download an Intune-managed browser:

-#### Let users open their apps from a browser extension

-Users can [download the MyApps Secure Sign-in Extension](https://www.microsoft.com/p/my-apps-secure-sign-in-extension/9pc9sckkzk84?rtc=1&activetab=pivot%3Aoverviewtab) in [Chrome,](https://chrome.google.com/webstore/detail/my-apps-secure-sign-in-ex/ggjhpefgjjfobnfoldnjipclpcfbgbhl) or [Microsoft Edge](https://www.microsoft.com/p/my-apps-secure-sign-in-extension/9pc9sckkzk84?rtc=1&activetab=pivot%3Aoverviewtab) and can launch apps right from their browser bar to:

-#### Let users open their apps from Office.com

-Users can go to [Office.com](https://www.office.com/) to **search for their apps and have their most-recently-used apps appear** for them right from where they do work.

-* Region and Country should be passed as 2 or 3 letter code and not full name.

- a. In the **Identifier** textbox, type the value:

- `urn:auth0:easymetrics:ups-saml-sso`

- b. In the **Reply URL** textbox, type the URL:

- `https://easymetrics.auth0.com/login/callback?connection=ups-saml-sso&organization=org_T8ro1Kth3Gleygg5`

- c. In the **Sign on URL** textbox, type the URL:

- `https://azureapp.gcp-easymetrics.com`

-Once you configure Easy Metrics Auth0 Connector you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

-*Applies to: applications and user-assigned managed identities (public preview)*

-*Applies to: user-assigned managed identities (public preview)*

-*Applies to: applications and user-assigned managed identities (public preview)*

-*Applies to: applications and user-assigned managed identities (public preview)*

-*Applies to: applications and user-assigned managed identities (public preview)*

-*Applies to: user-assigned managed identities (public preview)*

-*Applies to: applications and user-assigned managed identities (public preview)*

-The following table describes limits on requests to the user-assigned managed identities (public preview) REST APIS. If you exceed a throttling limit, you receive an HTTP 429 error.

-description: Access Azure AD protected resources from a service running in Google Cloud without using secrets or certificates. Use workload identity federation to set up a trust relationship between an app in Azure AD and an identity in Google Cloud. The workload running in Google Cloud can get an access token from Microsoft identity platform and access Azure AD protected resources.

-#Customer intent: As an application developer, I want to create a trust relationship with a Google Cloud identity so my service in Google Cloud can access Azure AD protected resources without managing secrets.

-# Access Azure AD protected resources from an app in Google Cloud

-Software workloads running in Google Cloud need an Azure Active Directory (Azure AD) application to authenticate and access Azure AD protected resources. A common practice is to configure that application with credentials (a secret or certificate). The credentials are used by a Google Cloud workload to request an access token from Microsoft identity platform. These credentials pose a security risk and have to be stored securely and rotated regularly. You also run the risk of service downtime if the credentials expire.

-[Workload identity federation](workload-identity-federation.md) allows you to access Azure AD protected resources from services running in Google Cloud without needing to manage secrets. Instead, you can configure your Azure AD application to trust a token issued by Google and exchange it for an access token from Microsoft identity platform.

-## Create an app registration in Azure AD

-[Create an app registration](/azure/active-directory/develop/quickstart-register-app) in Azure AD.

-Take note of the *object ID* of the app (not the application (client) ID) which you need in the following steps. Go to the [list of registered applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps) in the Azure portal, select your app registration, and find the **Object ID** in **Overview**->**Essentials**.

-## Grant your app permissions to resources

-Grant your app the permissions necessary to access the Azure AD protected resources targeted by your software workload running in Google Cloud. For example, [assign the Storage Blob Data Contributor role](../../storage/blobs/assign-azure-role-data-access.md) to your app if your application needs to read, write, and delete blob data in [Azure Storage](../../storage/blobs/storage-blobs-introduction.md).

-## Set up an identity in Google Cloud

-You need an identity in Google Cloud that can be associated with your Azure AD application. A [service account](https://cloud.google.com/iam/docs/service-accounts), for example, used by an application or compute workload. You can either use the default service account of your Cloud project or create a dedicated service account.

-Each service account has a unique ID. When you visit the **IAM & Admin** page in the Google Cloud console, click on **Service Accounts**. Select the service account you plan to use, and copy its **Unique ID**.

-Tokens issued by Google to the service account will have this **Unique ID** as the *subject* claim.

-The *issuer* claim in the tokens will be `https://accounts.google.com`.

-You need these claim values to configure a trust relationship with an Azure AD application, which allows your application to trust tokens issued by Google to your service account.

-## Configure an Azure AD app to trust a Google Cloud identity

-Configure a federated identity credential on your Azure AD application to set up the trust relationship.

-The most important fields for creating the federated identity credential are:

-The following command configures a federated identity credential:

-# [Azure CLI](#tab/azure-cli)

-```azurecli-interactive

-az ad app federated-credential create --id 41be38fd-caac-4354-aa1e-1fdb20e43bfa --parameters credential.json

-("credential.json" contains the following content)

-{

- "name": "GcpFederation",

- "issuer": "https://accounts.google.com",

- "subject": "112633961854638529490",

- "description": "Test GCP federation",

- "audiences": [

- "api://AzureADTokenExchange"

- ]

-}

-```

-# [Azure PowerShell](#tab/azure-powershell)

-```azurepowershell-interactive

-New-AzADappfederatedidentitycredential -ApplicationObjectId $appObjectId -Audience api://AzureADTokenExchange -Issuer 'https://accounts.google.com' -name 'GcpFederation' -Subject '112633961854638529490'

-```

-For more information and examples, see [Create a federated identity credential](workload-identity-federation-create-trust.md).

-## Exchange a Google token for an access token

-Now that you have configured the Azure AD application to trust the Google service account, you are ready to get a token from Google and exchange it for an access token from Microsoft identity platform. This code runs in an application deployed to Google Cloud and running, for example, on [App Engine](https://cloud.google.com/appengine/docs/standard/).

-### Get an ID token for your Google service account

-As mentioned earlier, Google cloud resources such as App Engine automatically use the default service account of your Cloud project. You can also configure the app to use a different service account when you deploy your service. Your service can [request an ID token](https://cloud.google.com/compute/docs/instances/verifying-instance-identity#request_signature) for that service account from the metadata server that handles such requests. With this approach, you don't need any keys for your service account: these are all managed by Google.

-# [TypeScript](#tab/typescript)

-HereΓÇÖs an example in TypeScript of how to request an ID token from the Google metadata server:

-```typescript

-async function getGoogleIDToken() {

- const headers = new Headers();

- headers.append("Metadata-Flavor", "Google ");

- let aadAudience = "api://AzureADTokenExchange";

- const endpoint="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience="+ aadAudience;

- const options = {

- method: "GET",

- headers: headers,

- };

- return fetch(endpoint, options);

-}

-```

-# [C#](#tab/csharp)

-HereΓÇÖs an example in C# of how to request an ID token from the Google metadata server:

-```csharp

-private string getGoogleIdToken()

-{

- const string endpoint = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=api://AzureADTokenExchange";

-

- var httpWebRequest = (HttpWebRequest)WebRequest.Create(endpoint);

- //httpWebRequest.ContentType = "application/json";

- httpWebRequest.Accept = "*/*";

- httpWebRequest.Method = "GET";

- httpWebRequest.Headers.Add("Metadata-Flavor", "Google ");

- var httpResponse = (HttpWebResponse)httpWebRequest.GetResponse();

- using (var streamReader = new StreamReader(httpResponse.GetResponseStream()))

- {

- string result = streamReader.ReadToEnd();

- return result;

- }

-}

-```

-# [Java](#tab/java)

-HereΓÇÖs an example in Java of how to request an ID token from the Google metadata server:

-```java

-private String getGoogleIdToken() throws IOException {

- final String endpoint = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=api://AzureADTokenExchange";

- URL url = new URL(endpoint);

- HttpURLConnection httpUrlConnection = (HttpURLConnection) url.openConnection();

-

- httpUrlConnection.setRequestMethod("GET");

- httpUrlConnection.setRequestProperty("Metadata-Flavor", "Google ");

- InputStream inputStream = httpUrlConnection.getInputStream();

- InputStreamReader inputStreamReader = new InputStreamReader(inputStream);

- BufferedReader bufferedReader = new BufferedReader(inputStreamReader);

- StringBuffer content = new StringBuffer();

- String inputLine;

- while ((inputLine = bufferedReader.readLine()) != null)

- content.append(inputLine);

- bufferedReader.close();

- return content.toString();

-}

-```

-> [!IMPORTANT]

-> The *audience* here needs to match the *audiences* value you configured on your Azure AD application when [creating the federated identity credential](#configure-an-azure-ad-app-to-trust-a-google-cloud-identity).

-### Exchange the identity token for an Azure AD access token

-Now that your app running in Google Cloud has an identity token from Google, exchange it for an access token from Microsoft identity platform. Use the [Microsoft Authentication Library (MSAL)](/azure/active-directory/develop/msal-overview) to pass the Google token as a client assertion. The following MSAL versions support client assertions:

-Using MSAL, you write a token class (implementing the `TokenCredential` interface) exchange the ID token. The token class is used to with different client libraries to access Azure AD protected resources.

-# [TypeScript](#tab/typescript)

-The following TypeScript sample code snippet implements the `TokenCredential` interface, gets an ID token from Google (using the `getGoogleIDToken` method previously defined), and exchanges the ID token for an access token.

-```typescript

-const msal = require("@azure/msal-node");

-import {TokenCredential, GetTokenOptions, AccessToken} from "@azure/core-auth"

-class ClientAssertionCredential implements TokenCredential {

- constructor(clientID:string, tenantID:string, aadAuthority:string) {

- this.clientID = clientID;

- this.tenantID = tenantID;

- this.aadAuthority = aadAuthority; // https://login.microsoftonline.com/

- }

-

- async getToken(scope: string | string[], _options?: GetTokenOptions):Promise<AccessToken> {

- var scopes:string[] = [];

- if (typeof scope === "string") {

- scopes[0]=scope;

- } else if (Array.isArray(scope)) {

- scopes = scope;

- }

- // Get the ID token from Google.

- return getGoogleIDToken() // calling this directly just for clarity,

- let aadAudience = "api://AzureADTokenExchange"

- const jwt = axios({

- url: "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience="

- + aadAudience,

- method: "GET",

- headers: {

- "Metadata-Flavor": "Google"

- }}).then(response => {

- console.log("AXIOS RESPONSE");

- return response.data;

- });

- return jwt;

- .then(function(aadToken) {

- // return in form expected by TokenCredential.getToken

- let returnToken = {

- token: aadToken.accessToken,

- expiresOnTimestamp: aadToken.expiresOn.getTime(),

- };

- return (returnToken);

- })

- .catch(function(error) {

- // error stuff

- });

- }

- }

-export default ClientAssertionCredential;

-```

-# [C#](#tab/csharp)

-The following C# sample code snippet implements the `TokenCredential` interface, gets an ID token from Google (using the `getGoogleIDToken` method previously defined), and exchanges the ID token for an access token.

-```csharp

-using System;

-using System.Threading.Tasks;

-using Microsoft.Identity.Client;

-using Azure.Core;

-using System.Threading;

-using System.Net;

-using System.IO;

-public class ClientAssertionCredential:TokenCredential

-{

- private readonly string clientID;

- private readonly string tenantID;

- private readonly string aadAuthority;

-

- public ClientAssertionCredential(string clientID, string tenantID, string aadAuthority)

- {

- this.clientID = clientID;

- this.tenantID = tenantID;

- this.aadAuthority = aadAuthority; // https://login.microsoftonline.com/

- }

- public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken = default) {

- return GetTokenImplAsync(false, requestContext, cancellationToken).GetAwaiter().GetResult();

- }

- public override async ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken = default)

- {

- return await GetTokenImplAsync(true, requestContext, cancellationToken).ConfigureAwait(false);

- }

- private async ValueTask<AccessToken> GetTokenImplAsync(bool async, TokenRequestContext requestContext, CancellationToken cancellationToken)

- {

- // calling this directly just for clarity, this should be a callback

- string idToken = getGoogleIdToken();

-

- try

- {

- // pass token as a client assertion to the confidential client app

- var app = ConfidentialClientApplicationBuilder.Create(this.clientID)

- .WithClientAssertion(idToken)

- .Build();

- var authResult = app.AcquireTokenForClient(requestContext.Scopes)

- .WithAuthority(this.aadAuthority + this.tenantID)

- .ExecuteAsync();

- AccessToken token = new AccessToken(authResult.Result.AccessToken, authResult.Result.ExpiresOn);

-

- return token;

- }

- catch (Exception ex)

- {

- throw (ex);

- }

- }

-}

-```

-# [Java](#tab/java)

-The following Java sample code snippet implements the `TokenCredential` interface, gets an ID token from Google (using the `getGoogleIDToken` method previously defined), and exchanges the ID token for an access token.

-```java

-import java.io.Exception;

-import java.time.Instant;

-import java.time.OffsetDateTime;

-import java.time.ZoneOffset;

-import java.util.HashSet;

-import java.util.Set;

-import com.azure.core.credential.AccessToken;

-import com.azure.core.credential.TokenCredential;

-import com.azure.core.credential.TokenRequestContext;

-import com.microsoft.aad.msal4j.ClientCredentialFactory;

-import com.microsoft.aad.msal4j.ClientCredentialParameters;

-import com.microsoft.aad.msal4j.ConfidentialClientApplication;

-import com.microsoft.aad.msal4j.IClientCredential;

-import com.microsoft.aad.msal4j.IAuthenticationResult;

-import reactor.core.publisher.Mono;

-public class ClientAssertionCredential implements TokenCredential {

- private String clientID;

- private String tenantID;

- private String aadAuthority;

- public ClientAssertionCredential(String clientID, String tenantID, String aadAuthority)

- {

- this.clientID = clientID;

- this.tenantID = tenantID;

- this.aadAuthority = aadAuthority; // https://login.microsoftonline.com/

- }

- @Override

- public Mono<AccessToken> getToken(TokenRequestContext requestContext) {

- try {

- // Get the ID token from Google

- String idToken = getGoogleIdToken(); // calling this directly just for clarity, this should be a callback

-

- IClientCredential clientCredential = ClientCredentialFactory.createFromClientAssertion(idToken);

- String authority = String.format("%s%s", aadAuthority, tenantID);

- ConfidentialClientApplication app = ConfidentialClientApplication

- .builder(clientID, clientCredential)

- .authority(aadAuthority)

- .build();

- Set<String> scopes = new HashSet<String>(requestContext.getScopes());

- ClientCredentialParameters clientCredentialParam = ClientCredentialParameters

- .builder(scopes)

- .build();

- IAuthenticationResult authResult = app.acquireToken(clientCredentialParam).get();

- Instant expiresOnInstant = authResult.expiresOnDate().toInstant();

- OffsetDateTime expiresOn = OffsetDateTime.ofInstant(expiresOnInstant, ZoneOffset.UTC);

- AccessToken accessToken = new AccessToken(authResult.accessToken(), expiresOn);

- return Mono.just(accessToken);

- } catch (Exception ex) {

- return Mono.error(ex);

- }

- }

-}

-```

-## Access Azure AD protected resources

-Your application running in Google Cloud now has an access token issued by Microsoft identity platform. Use the access token to access the Azure AD protected resources that your Azure AD app has permissions to access. As an example, here's how you can access Azure Blob storage using the `ClientAssertionCredential` token class and the Azure Blob Storage client library. When you make requests to the `BlobServiceClient` to access storage, the `BlobServiceClient` calls the `getToken` method on the `ClientAssertionCredential` object to get a fresh ID token and exchange it for an access token.

-# [TypeScript](#tab/typescript)

-The following TypeScript example initializes a new `ClientAssertionCredential` object and then creates a new `BlobServiceClient` object.

-```typescript

-const { BlobServiceClient } = require("@azure/storage-blob");

-var storageUrl = "https://<storageaccount>.blob.core.windows.net";

-var clientID:any = "<client-id>";

-var tenantID:any = "<tenant-id>";

-var aadAuthority:any = "https://login.microsoftonline.com/";

-var credential = new ClientAssertionCredential(clientID,

- tenantID,

- aadAuthority);

-

-const blobServiceClient = new BlobServiceClient(storageUrl, credential);

-// write code to access Blob storage

-```

-# [C#](#tab/csharp)

-```csharp

-string clientID = "<client-id>";

-string tenantID = "<tenant-id>";

-string authority = "https://login.microsoftonline.com/";

-string storageUrl = "https://<storageaccount>.blob.core.windows.net";

-var credential = new ClientAssertionCredential(clientID,

- tenantID,

- authority);

-BlobServiceClient blobServiceClient = new BlobServiceClient(new Uri(storageUrl), credential);

-// write code to access Blob storage

-```

-# [Java](#tab/java)

-```java

-String clientID = "<client-id>";

-String tenantID = "<tenant-id>";

-String authority = "https://login.microsoftonline.com/";

-String storageUrl = "https://<storageaccount>.blob.core.windows.net";

-ClientAssertionCredential credential = new ClientAssertionCredential(clientID, tenantID, authority);

-BlobServiceClient blobServiceClient = new BlobServiceClientBuilder()

- .endpoint(storageUrl)

- .credential(credential)

- .buildClient();

-// write code to access Blob storage

-```

-## Next steps

-Learn more about [workload identity federation](workload-identity-federation.md).

-# Configure a user-assigned managed identity to trust an external identity provider (preview)

-> Enable or disable OIDC Issuer changes the current service account token issuer to a new value, which can cause down time and restarts the API server. If your application pods using a service token remain in a failed state after you enable or disable the OIDC Issuer, we recommend you manually restart the pods.

-[secure-pod-network-traffic]: use-network-policies.md

- --public-network-access 0.0.0.0 \

-References to Key Vaults in other Azure subscriptions is supported, but must be configured via ARM Template, Azure PowerShell, CLI, Bicep, etc. Cross-subscription key vault configuration is not supported by Application Gateway via Azure Portal today.

-1. For **Virtual networks**, select **+ Add existing virtual networks**, and then add the virtual network and subnet for your Application Gateway instance. During the process, also configure the `Microsoft.KeyVault` service endpoint by selecting its checkbox.

-|**Arkas Logistics** | [**Arkas Logistics**](http://www.arkaslojistik.com.tr/) is operates under the umbrella of Arkas Holding, T├╝rkiye's leading holding institution and operating in 23 countries. During the COVID-19 crisis, the company has been able to provide outstanding, complete logistical services thanks to its focus on contactless operation and digitalization steps. Form Recognizer powers a solution that maintains the continuity of the supply chain and allows for uninterrupted service. ||

-Azure Cache for Redis can be used as a distributed data or content cache, a session store, a message broker, and more. It can be deployed as a standalone. Or, it can be deployed along with other Azure database services, such as Azure SQL or Azure Cosmos DB.

-| [Scaling](cache-how-to-scale.md) |Γ£ö|Γ£ö|Γ£ö|-|-|

-| [Geo-replication](cache-how-to-geo-replication.md) |-|-|Γ£ö|Γ£ö|Γ£ö|

-> The Enterprise Flash tier currently supports only the RedisJSON and RediSearch modules in preview.

-Azure Maps supports three ways to authenticate requests: Shared Key authentication, [Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md) authentication, and Shared Access Signature (SAS) Token authentication. This article explains authentication methods to help guide your implementation of Azure Maps services. The article also describes other account controls such as disabling local authentication for Azure Policy and Cross-Origin Resource Sharing (CORS).

-> To improve secure communication with Azure Maps, we now support Transport Layer Security (TLS) 1.2, and we're retiring support for TLS 1.0 and 1.1. If you currently use TLS 1.x, evaluate your TLS 1.2 readiness and develop a migration plan with the testing described in [Solving the TLS 1.0 Problem](/security/solving-tls1-problem).

-For information about viewing your keys in the Azure portal, see [Manage authentication](./how-to-manage-authentication.md#view-authentication-details).

-> Primary and Secondary keys should be treated as sensitive data. The shared key is used to authenticate all Azure Maps REST APIs. Users who use a shared key should abstract the API key away, either through environment variables or secure secret storage, where it can be managed centrally.

-Azure Maps generates a _unique identifier_ (client ID) for each Azure Maps account. You can request tokens from Azure AD when you combine this client ID with additional parameters.

-For more information about how to configure Azure AD and request tokens for Azure Maps, see [Manage authentication in Azure Maps](./how-to-manage-authentication.md).

-For general information about authenticating with Azure AD, see [Authentication vs. authorization](../active-directory/develop/authentication-vs-authorization.md).

-[Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) provide Azure services with an automatically managed application based security principal that can authenticate with Azure AD. With Azure role-based access control (Azure RBAC), the managed identity security principal can be authorized to access Azure Maps services. Some examples of managed identities include: Azure App Service, Azure Functions, and Azure Virtual Machines. For a list of managed identities, see [Azure services that can use managed identities to access other services](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md). For more information on managed identities, see [Manage authentication in Azure Maps](./how-to-manage-authentication.md).

-Applications will authenticate with the Azure AD tenant using one or more supported scenarios provided by Azure AD. Each Azure AD application scenario represents different requirements based on business needs. Some applications may require user sign-in experiences and other applications may require an application sign-in experience. For more information, see [Authentication flows and application scenarios](../active-directory/develop/authentication-flows-app-scenarios.md).

-| x-ms-client-id | 30d7cc….9f55 |

-| Authorization | Bearer eyJ0e….HNIVN |

-> [!NOTE]

-Authorization: Bearer eyJ0e….HNIVN

-For information about viewing your client ID, see [View authentication details](./how-to-manage-authentication.md#view-authentication-details).

-If you're new to Azure RBAC, [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md) overview provides Principal types are granted a set of permissions, also known as a role definition. A role definition provides permissions to REST API actions. Azure Maps supports access to all principal types for [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md) including: individual Azure AD users, groups, applications, Azure resources, and Azure managed identities. Applying access to one or more Azure Maps accounts is known as a scope. A role assignment is created when a principal, role definition, and scope are applied.

-When you configure Azure RBAC, you choose a security principal and apply it to a role assignment. To learn how to add role assignments on the Azure portal, see [Assign Azure roles](../role-based-access-control/role-assignments-portal.md).

-| Azure Maps Data Contributor | Provides access to mutable Azure Maps REST APIs. Mutability is defined by the actions: write and delete. |

-| Azure Maps service | Azure Maps Role Definition |

-| : | :-- |

-| [Data](/rest/api/maps/data) | Azure Maps Data Contributor |

-| [Creator](/rest/api/maps-creator/) | Azure Maps Data Contributor |

-| [Spatial](/rest/api/maps/spatial) | Azure Maps Data Contributor |

-| Batch [Search](/rest/api/maps/search) and [Route](/rest/api/maps/route) | Azure Maps Data Contributor |

-For information about viewing your Azure RBAC settings, see [How to configure Azure RBAC for Azure Maps](./how-to-manage-authentication.md).

-One aspect of application security is the principle of least privilege, the practice of limiting access rights to only those needed to do the job at hand. To accomplish this, create custom role definitions that support use cases, which require further granularity to access control. To create a custom role definition, select specific data actions to include or exclude for the definition.

-The custom role definition can then be used in a role assignment for any security principal. To learn more about Azure custom role definitions, see [Azure custom roles](../role-based-access-control/custom-roles.md).

-| Scenario | Custom Role Data Action(s) |

-| :- | : |

-| A public facing or interactive sign-in web page with base map tiles and no other REST APIs. | `Microsoft.Maps/accounts/services/render/read` |

-| An application, which only requires reverse geocoding and no other REST APIs. | `Microsoft.Maps/accounts/services/search/read` |

-| A role for a security principal, which requests a reading of Azure Maps Creator based map data and base map tile REST APIs. | `Microsoft.Maps/accounts/services/data/read`, `Microsoft.Maps/accounts/services/render/read` |

-| A role for a security principal, which requires reading, writing, and deleting of Creator based map data. This can be defined as a map data editor role, but doesn't allow access to other REST APIs like base map tiles. | `Microsoft.Maps/accounts/services/data/read`, `Microsoft.Maps/accounts/services/data/write`, `Microsoft.Maps/accounts/services/data/delete` |

-When creating a role assignment, it's defined within the Azure resource hierarchy. At the top of the hierarchy is a [management group](../governance/management-groups/overview.md) and the lowest is an Azure resource, like an Azure Maps account.

-Azure Maps accounts support the standard Azure property in the [Management API](/rest/api/maps-management/) for `Microsoft.Maps/accounts` called `disableLocalAuth`. When `true`, all authentication to the Azure Maps data-plane REST API is disabled, except [Azure AD authentication](./azure-maps-authentication.md#azure-ad-authentication). This is configured using Azure Policy to control distribution and management of shared keys and SAS tokens. For more information, see [What is Azure Policy?](../governance/policy/overview.md).

-Disabling local authentication doesn't take effect immediately. Allow a few minutes for the service to block future authentication requests. To re-enable local authentication, set the property to `false` and after a few minutes local authentication will resume.

-Shared access signature (SAS) tokens are authentication tokens created using the JSON Web token (JWT) format and are cryptographically signed to prove authentication for an application to the Azure Maps REST API. A SAS token is created by first integrating a [user-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md) with an Azure Maps account in your Azure subscription. The user-assigned managed identity is given authorization to the Azure Maps account through Azure RBAC using one of the built-in or custom role definitions.

-SAS tokens are immutable. This means that once a token is created, the SAS token is valid until the expiry has been met and the configuration of the allowed regions, rate limits, and user-assigned managed identity can't be changed. Read more below on [understanding access control](./azure-maps-authentication.md#understand-sas-token-access-control) for SAS token revocation and changes to access control.

-By specifying a maximum rate limit on the token (`maxRatePerSecond`), the excess rate won't be billed to the account allowing you to set an upper limit of billable transactions for the account, when using the token. However, the application will receive client error responses with `429 (TooManyRequests)` for all transactions once that limit it reached. It's the responsibility of the application to manage retry and distribution of SAS tokens. There's no limit on how many SAS tokens can be created for an account. To allow for an increase or decrease in an existing token's limit; a new SAS token must be created. The old SAS token is still valid until its expiration.

-These are estimates, actual rate limits vary slightly based on Azure Maps ability to enforce consistency within a span of time. However, this allows for preventive control of billing cost.

-The first table shows one token that has a maximum request per second of 500, and then actual usage of the application was 500 request per second for a duration of 60 seconds. **Search service - Non-Batch Reverse** has a rate limit of 250, meaning of the total 30,000 requests made in the 60 seconds; 15,000 of those requests will be billable transactions. The remaining requests will result in status code `429 (TooManyRequests)`.

-| token | 500 | 500 | 60 | ~15,000 |

-SAS tokens use RBAC to control access to the REST API. When you create a SAS token, the prerequisite managed identity on the Map Account is assigned an Azure RBAC role that grants access to specific REST API actions. See [Picking a role definition](./azure-maps-authentication.md#picking-a-role-definition) to determine which API should be allowed by the application.

-If you want to assign temporary access and remove access for before the SAS token expires, you'll want to revoke the token. Other reasons to revoke access may be if the token is distributed with `Azure Maps Data Contributor` role assignment unintentionally and anyone with the SAS token may be able to read and write data to Azure Maps REST APIs that may expose sensitive data or unexpected financial cost from usage.

-First, you should [Create a user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md#create-a-user-assigned-managed-identity) in the same location as the Azure Maps account.

-Once a managed identity is created, you can create or update the Azure Maps account and attach it. See [Manage your Azure Maps account](./how-to-manage-account-keys.md) for more information.

-After the account has been successfully created or updated with the managed identity; assign role-based access control for the managed identity to an Azure Maps data role at the account scope. This enables the managed identity to be given access to the Azure Maps REST API for your map account.

-Next, you'll need to create a SAS token using the Azure Management SDK tooling, List SAS operation on Account Management API, or the Azure portal Shared Access Signature page of the Map account resource.

-| Parameter Name | Example Value | Description |

-| : | :-- | :- |

-| signingKey | `primaryKey` | Required, the string enum value for the signingKey either `primaryKey` or `secondaryKey` is used to create the signature of the SAS. |

-| principalId | `<GUID>` | Required, the principalId is the Object (principal) ID of the user-assigned managed identity attached to the map account. |

-| regions | `[ "eastus", "westus2", "westcentralus" ]` | Optional, the default value is `null`. The regions control which regions the SAS token can be used in the Azure Maps REST [data-plane](../azure-resource-manager/management/control-plane-and-data-plane.md) API. Omitting regions parameter will allow the SAS token to be used without any constraints. When used in combination with an Azure Maps data-plane geographic endpoint like `us.atlas.microsoft.com` and `eu.atlas.microsoft.com` will allow the application to control usage with-in the specified geography. This allows prevention of usage in other geographies. |

-| maxRatePerSecond | 500 | Required, the specified approximate maximum request per second which the SAS token is granted. Once the limit is reached, additional throughput will be rate limited with HTTP status code `429 (TooManyRequests)`. |

-| start | `2021-05-24T10:42:03.1567373Z` | Required, a UTC date that specifies the date and time the token becomes active. |

-| expiry | `2021-05-24T11:42:03.1567373Z` | Required, a UTC date that specifies the date and time the token expires. The duration between start and expiry can't be more than 365 days. |

-[CORS](https://fetch.spec.whatwg.org/#http-cors-protocol) is an HTTP protocol that enables a web application running under one domain to access resources in another domain. Web browsers implement a security restriction known as [same-origin policy](https://www.w3.org/Security/wiki/Same_Origin_Policy) that prevents a web page from calling APIs in a different domain; CORS provides a secure way to allow one domain (the origin domain) to call APIs in another domain. Using the Azure Maps account resource, you can configure which origins are allowed to access the Azure Maps REST API from your applications.

-The preflight request is done not only as a security measure to ensure that the server understands the method and headers that will be sent in the actual request and that the server knows and trusts the source of the request, but it also queries the CORS restrictions that have been established for the map account. The web browser (or other user agent) sends an OPTIONS request that includes the request headers, method and origin domain. The map account service tries to fetch any CORS rules if account authentication is possible through the CORS preflight protocol.

-If authentication isn't possible, the maps service evaluates pre-configured set of CORS rules that specify which origin domains, request methods, and request headers may be specified on an actual request against the maps service. By default, a maps account is configured to allow all origins to enable seamless integration into web browsers.

-The service will respond to the preflight request with the required Access-Control headers if the following criteria are met:

-The service will reject preflight requests if the following conditions occur:

-1. If the OPTIONS request doesnΓÇÖt contain the required CORS headers (the Origin and Access-Control-Request-Method headers), the service will respond with status code `400 (Bad request)`.

-1. If authentication was successful on preflight request and no CORS rule matches the preflight request, the service will respond with status code `403 (Forbidden)`. This may occur if the CORS rule is configured to accept an origin that doesn't match the current browser client origin request header.

-Once the preflight request is accepted and the response is returned, the browser will dispatch the actual request against the map service. The browser will deny the actual request immediately if the preflight request is rejected.

-The actual request is treated as a normal request against the map service. The presence of the `Origin` header indicates that the request is a CORS request and the service will then validate against the CORS rules. If a match is found, the Access-Control headers are added to the response and sent back to the client. If a match isn't found, the response will return a `403 (Forbidden)` indicating a CORS origin error.

-When creating or updating an existing Map account, the Map account properties can specify the allowed origins to be configured. You can set a CORS rule on the Azure Maps account properties through Azure Maps Management SDK, Azure Maps Management REST API, and portal. Once you set the CORS rule for the service, then a properly authorized request made to the service from a different domain will be evaluated to determine whether it's allowed according to the rule you've specified. See an example below:

-You can remove CORS manually in the Azure portal, or programmatically using the Azure Maps SDK, Azure Maps management REST API or an [ARM template](../azure-resource-manager/templates/overview.md).

-See [Azure Maps pricing](https://azure.microsoft.com/pricing/details/azure-maps) for additional information on billing transactions and other Azure Maps pricing information.

-> [Authentication and authorization best practices](authentication-best-practices.md)

-> [Manage authentication in Azure Maps](./how-to-manage-authentication.md)

-To learn more about authenticating the Azure Maps Map Control with Azure AD, see:

-> [Use the Azure Maps Map Control](./how-to-use-map-control.md)

-Azure Maps does not have any maximum daily limits on the number of requests that can be made, however there are limits to the maximum number of queries per second (QPS).

-Below are the QPS usage limits for each Azure Maps service by Pricing Tier.

-When QPS limits are reached, an HTTP 429 error will be returned. If you are using the Gen 2 or Gen 1 S1 pricing tiers, you can create an Azure Maps *Technical* Support Request in the [Azure portal](https://portal.azure.com/) to increase a specific QPS limit if needed. QPS limits for the Gen 1 S0 pricing tier cannot be increased.

-The map control supports several different map [style options](/javascript/api/azure-maps-control/atlas.styleoptions) and [base map styles](supported-map-styles.md). All styles can be set when the map control is being initialized. Or, you can set styles by using the map control's `setStyle` function. This article shows you how to use these style options to customize the map's appearance. Also, you'll learn how to implement the style picker control in your map. The style picker control allows the user to toggle between different base styles.

-Style options can be set during web control initialization. Or, you can update style options by calling the map control's `setStyle` function. To see all available style options, see [style options](/javascript/api/azure-maps-control/atlas.styleoptions).

-You can also initialize the map control with one of the [base map styles](supported-map-styles.md) that are available in the Web SDK. You can then use the `setStyle` function to update the base style with a different map style.

-Base styles of the map control can be set during initialization. In the following code, the `style` option of the map control is set to the [`grayscale_dark` base map style](supported-map-styles.md#grayscale_dark).

-The base map style can be updated by using the `setStyle` function and setting the `style` option to either change to a different base map style or add additional style options.

-In the following code, after a map instance is loaded, the map style is updated from `grayscale_dark` to `satellite` using the [setStyle](/javascript/api/azure-maps-control/atlas.map#setstyle-styleoptions-) function.

-The style picker has two different layout options: `icon` and `list`. Also, the style picker allows you to choose two different style picker control `style` options: `light` and `dark`. In this example, the style picker uses the `icon` layout and displays a select list of base map styles in the form of icons. The style control picker includes the following base set of styles: `["road", "grayscale_light", "grayscale_dark", "night", "road_shaded_relief"]`. For more information on style picker control options, see [Style Control Options](/javascript/api/azure-maps-control/atlas.stylecontroloptions).

-The image below shows the style picker control displayed in `icon` layout.

-The image below shows the style picker control displayed in `list` layout.

-The following code shows you how to override the default `mapStyles` base style list. In this example, we're setting the `mapStyles` option to list which base styles we want to be displayed by the style picker control.

-> [Map](/javascript/api/azure-maps-control/atlas.map)

-> [StyleOptions](/javascript/api/azure-maps-control/atlas.styleoptions)

-> [StyleControl](/javascript/api/azure-maps-control/atlas.control.stylecontrol)

-> [StyleControlOptions](/javascript/api/azure-maps-control/atlas.stylecontroloptions)

-> [Add map controls](map-add-controls.md)

-> [Add a symbol layer](map-add-pin.md)

-> [Add a bubble layer](map-add-bubble-layer.md)

-Azure Maps now offers two pricing tiers: Gen 1 and Gen 2. The new Gen 2 pricing tier contains all Azure Maps capabilities with increased QPS (Queries Per Second) limits over Gen 1, and it allows you to achieve cost savings as Azure Maps transactions increases. The purpose of this article is to help you choose the right pricing tier for your needs.

-See the **pricing tier targeted customers** table below for a better understanding of Gen 1 and Gen 2 pricing tiers. For more information, see [Azure Maps pricing](https://aka.ms/CreatorPricing). If you're a current Azure Maps customer, you can learn how to change from Gen 1 to Gen 2 pricing in the [Manage pricing tier](how-to-manage-pricing-tier.md) article.

-| **Gen 2** | Maps/Location Insights | Gen 2 pricing is for new and current Azure Maps customers. Gen 2 comes with a free monthly tier of transactions to be used to test and build on Azure maps. Maps and Location Insights SKUΓÇÖs contain all Azure Maps capabilities. It allows you to achieve cost savings as Azure Maps transactions increases. Additionally, it has higher QPS limits than Gen 1. The Gen 2 pricing tier is required when using [Creator for indoor maps](creator-indoor-maps.md).

-| | |

-For more information on QPS limits, please refer to [Azure Maps QPS rate limits](azure-maps-qps-rate-limits.md).

-For additional pricing information on [Creator for indoor maps](creator-indoor-maps.md), see the *Creator* section in [Azure Maps pricing](https://aka.ms/CreatorPricing).

-When visualizing many data points on the map, data points may overlap over each other. The overlap may cause the map may become unreadable and difficult to use. Clustering point data is the process of combining point data that are near each other and representing them on the map as a single clustered data point. As the user zooms into the map, the clusters break apart into their individual data points. When you work with large number of data points, use the clustering processes to improve your user experience.

-Enable clustering in the `DataSource` class by setting the `cluster` option to `true`. Set `clusterRadius` to select nearby points and combines them into a cluster. The value of `clusterRadius` is in pixels. Use `clusterMaxZoom` to specify a zoom level at which to disable the clustering logic. Here is an example of how to enable clustering in a data source.

-| getClusterChildren(clusterId: number) | Promise&lt;Array&lt;Feature&lt;Geometry, any&gt; \| Shape&gt;&gt; | Retrieves the children of the given cluster on the next zoom level. These children may be a combination of shapes and subclusters. The subclusters will be features with properties matching ClusteredProperties. |

-| getClusterExpansionZoom(clusterId: number) | Promise&lt;number&gt; | Calculates a zoom level at which the cluster will start expanding or break apart. |

-When visualizing data points, the symbol layer automatically hides symbols that overlap each other to ensure a cleaner user interface. This default behavior might be undesirable if you want to show the data points density on the map. However, these settings can be changed. To display all symbols, set the `allowOverlap` option of the Symbol layers `iconOptions` property to `true`.

-Use clustering to show the data points density while keeping a clean user interface. The sample below shows you how to add custom symbols and represent clusters and individual data points using the symbol layer.

-Heat maps are a great way to display the density of data on the map. This visualization method can handle a large number of data points on its own. If the data points are clustered and the cluster size is used as the weight of the heat map, then the heat map can handle even more data. To achieve this option, set the `weight` option of the heat map layer to `['get', 'point_count']`. When the cluster radius is small, the heat map will look nearly identical to a heat map using the unclustered data points, but it will perform much better. However, the smaller the cluster radius, the more accurate the heat map will be, but with fewer performance benefits.

-When mouse events occur on a layer that contains clustered data points, the clustered data point return to the event as a GeoJSON point feature object. This point feature will have the following properties:

-## Display cluster area

-The point data that a cluster represents is spread over an area. In this sample when the mouse is hovered over a cluster, two main behaviors occur. First, the individual data points contained in the cluster will be used to calculate a convex hull. Then, the convex hull will be displayed on the map to show an area. A convex hull is a polygon that wraps a set of points like an elastic band and can be calculated using the `atlas.math.getConvexHull` method. All points contained in a cluster can be retrieved from the data source using the `getClusterLeaves` method.

-Often clusters are represented using a symbol with the number of points that are within the cluster. But, sometimes it's desirable to customize the style of clusters with additional metrics. With cluster aggregates, custom properties can be created and populated using an [aggregate expression](data-driven-style-expressions-web-sdk.md#aggregate-expression) calculation. Cluster aggregates can be defined in `clusterProperties` option of the `DataSource`.

-The following sample uses an aggregate expression. The code calculates a count based on the entity type property of each data point in a cluster. When a user clicks on a cluster, a popup shows with additional information about the cluster.

-* All parameters require **constantSpeedConsumption** to be specified by the user. It is an error to specify any other consumption model parameter, if **constantSpeedConsumption** is not specified. The **vehicleWeight** parameter is an exception for this requirement.

-The list of parameters that belong to this model are below. Refer to the Parameters section for detailed description.

-The list of parameters that belong to this model are below. Refer to the Parameters section for detailed description.

-A particular set of consumption parameters can be rejected, even though the set might fulfill all the explicit requirements. It happens when the value of a specific parameter, or a combination of values of several parameters, is considered to lead to unreasonable magnitudes of consumption values. If that happens, it most likely indicates an input error, as proper care is taken to accommodate all sensible values of consumption parameters. In case a particular set of consumption parameters is rejected, the accompanying error message will contain a textual explanation of the reason(s).

-* [Structured address geocoding]: Specify the parts of a single address, such as the street name, city, country, and postal code and process the request immediately. This service is recommended if you need to geocode individual addresses quickly and the data is already parsed into its individual address parts.

-| Hong Kong | Γ£ô | Γ£ô |

-| Macao | Γ£ô | Γ£ô |

-3. **Agent coexistence:**

- - If you're setting up a *new environment* with resources, such as deployment scripts and onboarding templates, install Azure Monitor Agent together with a legacy agent in your new environment to decrease the migration effort later.

- - Azure Monitor Agent **can run alongside the legacy Log Analytics agents on the same machine** so that you can continue to use existing functionality during evaluation or migration. You can begin the transition, but ensure you understand the **limitations below**:

- - Be careful when you collect duplicate data from the same machine, as this could skew query results, affect downstream features like alerts, dashboards, workbooks and generate more charges for data ingestion and retention. To avoid data duplication, ensure the agents are *collecting data from different machines* or *sending the data to different destinations*. Additionally,

- - For **Defender for Cloud**, you will only be [billed once per machine](../../defender-for-cloud/auto-deploy-azure-monitoring-agent.md#impact-of-running-with-both-the-log-analytics-and-azure-monitor-agents) when running both agents

- - For **Sentinel**, you can easily [disable the legacy connector](../../sentinel/ama-migrate.md#recommended-migration-plan) to stop ingestion of logs from legacy agents.

- - Running two telemetry agents on the same machine consumes double the resources, including but not limited to CPU, memory, storage space, and network bandwidth.

- 1. **Test first** by deploying extensions² and DCR-Associations on a few non-production machines. You can also deploy side-by-side on machines running legacy agents (see the section above for agent coexistence

- 3. Post testing, you can **roll out broadly**³ using [built-in policies]() for at-scale deployment of extensions and DCR-associations. **Using policy will also ensure automatic deployment of extensions and DCR-associations for any new machines in future.**

- 4. Use the [AMA Migration Helper](./azure-monitor-agent-migration-tools.md#using-ama-migration-helper) to **monitor the at-scale migration** across your machines

- 1. If you have migrated to Azure Monitor agent for selected features/solutions and you need to continue using the legacy Log Analytics for others, you can

-³ Before you deploy a large number of agents, consider [configuring the workspace](agent-data-sources.md) to disable data collection for the Log Analytics agent. If you leave data collection for the Log Analytics agent enabled, you might collect duplicate data and increase your costs. You might choose to collect duplicate data for a short period during migration until you verify that you've deployed and configured Azure Monitor Agent correctly.

-| Query | `Usage \| where IsBillable \| summarize DataGB = sum(Quantity / 1000.)` |

-The API supports setting some request options using the `Prefer` header. This section describes how to set each preference and their values.

-In the query language, you can specify different render options. By default, the API does not return information about the type of visualization. To include a specific visualization, include this header:

-[Azure Service Health](../../service-health/overview.md) monitors the health of your cloud resources, including Log Analytics workspaces. When a Log Analytics workspace is healthy, data you collect from resources in your IT environment is available for querying and analysis in a relatively short period of time, known as [latency](../logs/data-ingestion-time.md). This article explains how to view the health status of your Log Analytics workspace and set up alerts to track Log Analytics workspace health status changes.

- 1. select **Alerts**, then select **Enable recommended alert rules**. The **Enable recommended alert rules** pane opens with a list of recommended alert rules based on your type of resource.

- 1. In the **Alert me if** section, select all of the rules you want to enable. The rules are populated with the default values for the rule condition, you can change the default values if you would like.

- 1. In the **Notify me by** section, select the way you want to be notified if an alert is fired.

- :::image type="content" source="../alerts/media/alerts-managing-alert-instances/alerts-enable-recommended-alert-rule-pane.png" alt-text="Screenshot of recommended alert rules pane.":::

- The **Create alert rule** wizard opens, with the **Scope** and **Condition** panes pre-populated. By default, the rule triggers alerts all status changes in all Log Analytics workspaces in the subscription. If necessary, you can edit and modify the scope and condition at this stage.

-This article lists significant changes to Azure Monitor documentation.

-| After my private cloud NSX-T Data Center upgrade to version [3.2.2](https://docs.vmware.com/en/VMware-NSX/3.2.2/rn/vmware-nsxt-data-center-322-release-notes/https://docsupdatetracker.net/index.html), the NSX-T Manager **DNS Forwarder Upstream Server Timeout** alarm is raised | February 2023 | [Enable private cloud internet Access](concepts-design-public-internet-access.md), alarm is raised because NSX-T Manager cannot access the configured CloudFlare DNS server. Otherwise, [change the default DNS zone to point to a valid and reachable DNS server.](configure-dns-azure-vmware-solution.md) | February 2023 |

->- Enhanced policy currently doesn't support protecting Ultra SSD. You can use [selective disk backup (preview)](selective-disk-backup-restore.md) to exclude these disks, and then configure backup.

-Ultra SSD disks | Not supported. For more information, see [these limitations](selective-disk-backup-restore.md#limitations).

-3. If you're using [Enhanced policy](backup-azure-vms-enhanced-policy.md), you can use this solution to exclude unsupported disks (Ultra Disks, Shared Disks) and configure a VM for backup.

-Currently, Azure VM backup doesn't support VMs with ultra-disks or shared disks attached to them. Selective disk backup for Standard policy can't be used to in such cases, which exclude the disk and backup the VM. You can use selective disk backup with Enhanced policy to exclude these disks and configure backup.

-### I can't configure backup for the Azure virtual machine by excluding ultra disk or shared disks attached to the VM

-If you're using Standard policy, Azure VM backup doesn't support VMs with ultra-disk or shared disk attached to them and it is not possible to exclude them with selective disk backup and then configure backup.

-[Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure Active Directory (Azure AD) and using it to obtain Azure Active Directory (Azure AD) tokens.

-## Create a user-assigned identity

-First, [create your user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) in the same tenant as your Batch account. You can create the identity using the Azure portal, the Azure Command-Line Interface (Azure CLI), PowerShell, Azure Resource Manager, or the Azure REST API. This managed identity does not need to be in the same resource group or even in the same subscription.

-> Identities must be configured as user-assigned managed identities. The system-assigned managed identity is available for retrieving [customer-managed keys from Azure KeyVault](batch-customer-managed-key.md), but these are not supported in batch pools.

-1. In the **Pools** menu, select **Add** to add a new Batch pool.

- VmSize = "standard_d1_v2",

- "UbuntuServer",

- "18.04-LTS",

- "batch.node.ubuntu 18.04")

- cancellationToken: default(CancellationToken)).ConfigureAwait(false);

-Many Azure Batch technologies which access other Azure resources, such as Azure Storage or Azure Container Registry, support managed identities. For more information on using managed identities with Azure Batch, see the following links:

-$Response = Invoke-RestMethod -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource={Resource App Id Url}' -Method GET -Headers @{Metadata="true"}

-| Asia | Hong Kong<br />Jakarta, Indonesia<br />Osaka, Japan<br />Tokyo, Japan<br />Singapore<br />Kaohsiung, Taiwan<br />Taipei, Taiwan <br />Manila, Philippines | Hong Kong<br />Indonesia<br />Israel<br />Japan<br />Macau<br />Malaysia<br />Philippines<br />Singapore<br />South Korea<br />Taiwan<br />Thailand<br />T├╝rkiye<br />Vietnam |

-To test out Multivariate Anomaly Detection quickly, try the [Code Sample](https://github.com/Azure-Samples/AnomalyDetector)! For more instructions on how to run a jupyter notebook, please refer to [Install and Run a Jupyter Notebook](https://jupyter-notebook-beginner-guide.readthedocs.io/en/latest/install.html#).

-|**Batch Inference**| POST | `{endpoint}`/anomalydetector/v1.1/multivariate/models/`{modelId}`: detect-batch | Trigger an asynchronous inference with `modelId` which works in a batch scenario |

-|**Streaming Inference**| POST | `{endpoint}`/anomalydetector/v1.1/multivariate/models/`{modelId}`: detect-last | Trigger a synchronous inference with `modelId` which works in a streaming scenario |

-* **paddingValue**: Padding value is used to fill `nan` when `fillNAMethod` is `Fixed` and must be provided in that case. In other cases it's optional.

-* [Best practices of multivariate anomaly detection](../concepts/best-practices-multivariate.md)

-We've also added links to some user-generated content. Those items will be marked with **[UGC]** tag. Some of them are hosted on websites that are external to Microsoft and Microsoft is not responsible for the content there. Use discretion when you refer to these resources. Contact AnomalyDetector@microsoft.com or raise an issue on GitHub if you'd like us to remove the content.

-* Multivariate Anomaly Detection will begin charging as of January 10th, 2023. For pricing details see the [pricing page](https://azure.microsoft.com/pricing/details/cognitive-services/anomaly-detector/).

-* New blog released: [4 sets of best practices to use Multivariate Anomaly Detector when monitoring your equipment](https://techcommunity.microsoft.com/t5/ai-cognitive-services-blog/4-sets-of-best-practices-to-use-multivariate-anomaly-detector/ba-p/3490848#footerContent).

-Currently, we offer three families of Embeddings models for different functionalities:

-| text-embedding-ada-002 | East US, South Central US, West Europe | N/A |2,046 | Sep 2021 |

-From a mathematic perspective, cosine similarity measures the cosine of the angle between two vectors projected in a multi-dimensional space. This is beneficial because if two documents are far apart by Euclidean distance because of size, they could still have a smaller angle between them and therefore higher cosine similarity.

-> * Use the **text-search-curie-doc-001** and **text-search-curie-query-001** models.

-* The following Python libraries: openai, num2words, matplotlib, plotly, scipy, scikit-learn,pandas, transformers.

-* An Azure OpenAI resource with **text-search-curie-doc-001** and **text-search-curie-query-001** models deployed. These models are currently only available in [certain regions](../concepts/models.md#model-summary-table-and-region-availability). If you don't have a resource the process is documented in our [resource deployment guide](../how-to/create-resource.md).

-> [!NOTE]

-> If you have never worked with the Hugging Face transformers library it has its own specific [prerequisites](https://huggingface.co/docs/transformers/installation) that are required before you can successfully run `pip install transformers`.

-pip install openai num2words matplotlib plotly scipy scikit-learn pandas transformers

-Alternatively, you can use our [requirements.txt file](https://github.com/Azure-Samples/Azure-OpenAI-Docs-Samples/blob/main/Samples/Tutorials/Embeddings/requirements.txt).

-| `ENDPOINT` | This value can be found in the **Keys & Endpoint** section when examining your resource from the Azure portal. Alternatively, you can find the value in **Azure OpenAI Studio** > **Playground** > **Code View**. An example endpoint is: `https://docs-test-001.openai.azure.com/`.|

-After setting the environment variables you may need to close and reopen Jupyter notebooks or whatever IDE you are using in order for the environment variables to be accessible.

-If you wish to view the Jupyter notebook that corresponds to this tutorial you can download the tutorial from our [samples repo](https://github.com/Azure-Samples/Azure-OpenAI-Docs-Samples/blob/main/Samples/Tutorials/Embeddings/embedding_billsum.ipynb).

-from transformers import GPT2TokenizerFast

-url = openai.api_base + "/openai/deployments?api-version=2022-12-01"

- "model": "text-davinci-002",

- "id": "text-davinci-002",

-The output of this command will vary based on the number and type of models you've deployed. In this case, we need to confirm that we have entries for both **text-search-curie-doc-001** and **text-search-curie-query-001**. If you find that you're missing one of these models, you'll need to [deploy the models](../how-to/create-resource.md#deploy-a-model) to your resource before proceeding.

-Now we need read our csv file and create a pandas DataFrame. After the initial DataFrame is created, we can view the contents of the table by running `df`.

-df = pd.read_csv("INSERT LOCAL PATH TO BILL_SUM_DATA.CSV") # example: df = pd.read_csv("c:\\test\\bill_sum_data.csv")df

-df_bills['text'] = df_bills["text"].apply(lambda x : normalize_text(x))

-> [!Note]

-> If you receive a warning stating *`A value is trying to be set on a copy of a slice from a DataFrame.Try using .loc[row_indexer,col_indexer] = value instead` you can safely ignore this message.

-Now we need to remove any bills that are too long for the token limit (~2000 tokens).

-tokenizer = GPT2TokenizerFast.from_pretrained("gpt2")

-df_bills = df_bills[df_bills.n_tokens<2000]

-12

- > [!Note]

-> You can ignore the message:`Token indices sequence length is longer than the specified maximum sequence length for this model (1480 > 1024). Running this sequence through the model will result in indexing errors. A value is trying to be set on a copy of a slice from a DataFrame.Try using .loc[row_indexer,col_indexer] = value instead.`

-We'll once again examine **df_bills**. Note that as expected, now only 12 results are returned though they retain their original index in the first column, and we've now added a column called n_tokens.

-To understand the n_tokens column a little more as well how the text is tokenized, it can be helpful to run the following code:

-understand_tokenization = tokenizer.tokenize(df_bills.text[0])

-understand_tokenization

-For our docs we're intentionally truncating the output, but running this command in your environment will return the full text from first index tokenized into chunks.

-['S',

- 'ECTION',

- '─á1',

- '.',

- '─áSH',

- 'ORT',

- '─áTIT',

- 'LE',

- '.',

- '─áThis',

- '─áAct',

- '─ámay',

- '─ábe',

- '─ácited',

- '─áas',

- '─áthe',

- '─á``',

- 'National',

- '─áScience',

- '─áEducation',

- '─áTax',

- '─áIn',

- 'cent',

- 'ive',

- '─áfor',

- '─áBusiness',

-...

-If you then check the length of the `understand_tokenization` variable, you'll find it matches the first number in the n_tokens column.

-len(understand_tokenization)

-1480

-Now that we understand more about how tokenization works we can move on to embedding. Before searching, we'll embed the text documents and save the corresponding embedding. We embed each chunk using a **doc model**, in this case `text-search-curie-doc-001`. These embeddings can be stored locally or in an Azure DB. As a result, each tech document has its corresponding embedding vector in the new curie search column on the right side of the DataFrame.

-df_bills['curie_search'] = df_bills["text"].apply(lambda x : get_embedding(x, engine = 'text-search-curie-doc-001'))

-At the time of search (live compute), we'll embed the search query using the corresponding **query model** (`text-search-query-001`). Next find the closest embedding in the database, ranked by [cosine similarity](../concepts/understand-embeddings.md).

-In our example, the user provides the query "can I get information on cable company tax revenue". The query is passed through a function that embeds the query with the corresponding **query model** and finds the embedding closest to it from the previously embedded documents in the previous step.

- engine="text-search-curie-query-001"

- df["similarities"] = df.curie_search.apply(lambda x: cosine_similarity(x, embedding))

-res = search_docs(df_bills, "can i get information on cable company tax revenue", top_n=4)

-## Video

-There is video walkthrough of this tutorial including the pre-requisite steps which can viewed on this [community YouTube post](https://www.youtube.com/watch?v=PSLO-yM6eFY).

-#### SMS by country

-> [Get started with Adding a Microsoft Teams user to an ongoing call using Call Automation](./../../quickstarts/call-automation/Callflows-for-customer-interactions.md)

-Here are some articles of interest to you:

-description: Learn about Country Availability, Subscription Eligibility and Number Capabilities for PSTN and SMS Numbers in Communication Services.

-# Country availability of telephone numbers and subscription eligibility

-The capabilities and numbers that are available to you depend on the country that you're operating within, your use case, and the phone number type that you've selected. These capabilities vary by country due to regulatory requirements.

-In most cases, customers with Azure subscriptions locations that match the country of the Number offer will be able to buy the Number. However, US and UK numbers may be purchased by customers with Azure subscription locations in other countries. Please see here for details on [in-country and cross-country purchases](../concepts/numbers/sub-eligibility-number-capability.md).

-\* For destination-specific pricing for making outbound calls, please refer to details [here](https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

-\* For destination-specific pricing for making outbound calls, please refer to details [here](https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

-\* For destination-specific pricing for making outbound calls, please refer to details [here](https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

-\* For destination-specific pricing for making outbound calls, please refer to details [here](https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

-\* For destination-specific pricing for making outbound calls, please refer to details [here](https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

-\* For destination-specific pricing for making outbound calls, please refer to details [here](https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

-\* For destination-specific pricing for making outbound calls, please refer to details [here](https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

-\* For destination-specific pricing for making outbound calls, please refer to details [here](https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

-\* For destination-specific pricing for making outbound calls, please refer to details [here](https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

-\* For destination-specific pricing for making outbound calls, please refer to details [here](https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

-\* For destination-specific pricing for making outbound calls, please refer to details [here](https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

-\* For destination-specific pricing for making outbound calls, please refer to details [here](https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

-\* For destination-specific pricing for making outbound calls, please refer to details [here](https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

-\* For destination-specific pricing for making outbound calls, please refer to details [here](https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

-\* For destination-specific pricing for making outbound calls, please refer to details [here](https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

-\* For destination-specific pricing for making outbound calls, please refer to details [here](https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

-\* For destination-specific pricing for making outbound calls, please refer to details [here](https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

-\* For destination-specific pricing for making outbound calls, please refer to details [here](https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv)

-For Azure Communication Services direct routing there is a flat rate regardless of the geography:

-Outbound calling capability with Toll-Free telephone numbers is available in many countries where Azure Communication Services is available. However, there can be some limitations when trying to place outbound calls with toll-free telephone numbers.

-Microsoft provides Toll-Free telephone numbers that have outbound calling capabilities, but it's important to note that this feature is only provided on a "best-effort" basis. In some countries and regions, toll-free numbers are considered as an "inbound only" service from regulatory perspective. This means, that in some scenarios, the receiving carrier may not allow incoming calls from toll-free telephone numbers. Since Microsoft and our carrier-partners don't have control over other carrier networks, we can't guarantee that outbound calls will reach all possible destinations.

-Many countries and states have laws and regulations that apply to call recording. PSTN, voice, and video calls often require that users consent to the recording of their communications. It is your responsibility to use the call recording capabilities in compliance with the law. You must obtain consent from the parties of recorded communications in a manner that complies with the laws applicable to each participant.

-The change data capture feature in Azure Cosmos DB analytical store can write to a variety of sinks using an Azure Synapse or Azure Data Factory data flow.

-| Variable features | Supports Boolean, Integer, Byte, Double, Float, Integer, Long, String | Supports primitive types, is compatible with complex types via data model |

-> We strongly recommend that you configure the Azure Cosmos DB accounts used for production workloads to *enable service-managed failover*. This configuration enables Azure Cosmos DB to fail over the account databases to available regions automatically.

-* The affected region is automatically disconnected and marked offline. The [Azure Cosmos DB SDKs](nosql/sdk-dotnet-v3.md) redirect read calls to the next available region in the preferred region list.

-* No changes are required in your application code to handle read region outages. When the affected read region is back online, it automatically syncs with the current write region and is available again to serve read requests.

-* During a write region outage, the Azure Cosmos DB account automatically promotes a secondary region to be the new primary write region when *automatic (service-managed) failover* is configured on the Azure Cosmos DB account. The failover occurs to another region in the order of region priority that you specify.

-* After the previously affected write region recovers, it becomes automatically available as a read region. You can switch back to the recovered region as the write region by using [PowerShell, the Azure CLI, or the Azure portal](how-to-manage-database-account.md#manual-failover). There is *no data or availability loss* before, while, or after you switch the write region. Your application continues to be highly available.

-| Single write region | Not enabled | If there's an outage in a read region when you're not using strong consistency, all clients redirect to other regions. There's no read or write availability loss, and there's no data loss. When you use strong consistency, an outage in a read region can affect write availability if fewer than two read regions remain.<br/><br/> If there's an outage in the write region, clients experience write availability loss. If you didn't select strong consistency, the service might not replicate some data to the remaining active regions. This replication depends on the selected [consistency level](consistency-levels.md#rto). If the affected region suffers permanent data loss, you might lose unreplicated data. <br/><br/> Azure Cosmos DB restores write availability automatically when the outage ends. | During the outage, ensure that there are enough provisioned RUs in the remaining regions to support read traffic. <br/><br/> *Don't* trigger a manual failover during the outage, because it can't succeed. <br/><br/> When the outage is over, readjust provisioned RUs as appropriate. |

-| Single write region | Enabled | If there's an outage in a read region when you're not using strong consistency, all clients redirect to other regions. There's no read or write availability loss, and there's no data loss. When you're using strong consistency, the outage of a read region can affect write availability if fewer than two read regions remain.<br/><br/> If there's an outage in the write region, clients experience write availability loss until Azure Cosmos DB automatically elects a new region as the new write region according to your preferences. If you didn't select strong consistency, the service might not replicate some data to the remaining active regions. This replication depends on the selected [consistency level](consistency-levels.md#rto). If the affected region suffers permanent data loss, you might lose unreplicated data. | During the outage, ensure that there are enough provisioned RUs in the remaining regions to support read traffic. <br/><br/> *Don't* trigger a manual failover during the outage, because it can't succeed. <br/><br/> When the outage is over, you can move the write region back to the original region and readjust provisioned RUs as appropriate. Accounts that use the API for NoSQL can also recover the unreplicated data in the failed region from your [conflict feed](how-to-manage-conflicts.md#read-from-conflict-feed). |

-| Multiple write regions | Not applicable | Recently updated data in the failed region might be unavailable in the remaining active regions. Eventual, consistent prefix, and session consistency levels guarantee a staleness of less than 15 minutes. Bounded staleness guarantees fewer than *K* updates or *T* seconds, depending on the configuration. If the affected region suffers permanent data loss, you might lose unreplicated data. | During the outage, ensure that there are enough provisioned RUs in the remaining regions to support more traffic. <br/><br/> When the outage is over, you can readjust provisioned RUs as appropriate. If possible, Azure Cosmos DB automatically recovers unreplicated data in the failed region. This automatic recovery uses the conflict resolution method that you configure for accounts that use the API for NoSQL. For accounts that use other APIs, this automatic recovery uses *last write wins*. |

-1. On the **Service-Managed Failover** pane, make sure that **Enable Automatic Failover** is set to **ON**.

-Azure Cosmos DB enforces a minimum throughput of 10 RU/s per GB of data stored. If you're ingesting data while already being at that minimum, the throughput provisioned on your resources will automatically increase to honor 10 RU/s per GB. In this case, and this case only, your total provisioned throughput may exceed the limit you've set.

-Start emulator from an administrator [command prompt](emulator-command-line-parameters.md)with "/EnableGremlinEndpoint". Alternatively you can also set the environment variable `AZURE_COSMOS_EMULATOR_GREMLIN_ENDPOINT=true`

-1. [Install apache-tinkerpop-gremlin-console-3.6.0](https://archive.apache.org/dist/tinkerpop/3.6.0).

- ```bash

- cd /d C:\sdk\apache-tinkerpop-gremlin-console-3.6.0-bin\apache-tinkerpop-gremlin-console-3.6.0

-

- copy /y conf\remote.yaml conf\remote-localcompute.yaml

- notepad.exe conf\remote-localcompute.yaml

- hosts: [localhost]

- port: 8901

- username: /dbs/db1/colls/coll1

- password: C2y6yDjf5/R+ob0N8A7Cgv30VRDJIWEHLM+4QDU5DE2nQ9nDuVTqobD4b8mGGyPMbIZnqyMsEcaGQy67XIw/Jw==

- connectionPool: {

- enableSsl: false}

- serializer: { className: org.apache.tinkerpop.gremlin.driver.ser.GraphSONMessageSerializerV1d0,

- config: { serializeResultToString: true }}

- bin\gremlin.bat

- ```

- ```bash

- :remote connect tinkerpop.server conf/remote-localcompute.yaml

- :remote console

- :> g.V()

- :> g.addV('person1').property(id, '1').property('name', 'somename1')

- :> g.addV('person2').property(id, '2').property('name', 'somename2')

- :> g.V()

- ```

-| <input type="checkbox"/> | Regions | Make sure to run your application in the same [Azure region](../distribute-data-globally.md) as your Azure Cosmos DB account, whenever possible to reduce latency. Enable 2-4 regions and replicate your accounts in multiple regions for [best availability](../distribute-data-globally.md). For production workloads, enable [automatic failover](../how-to-manage-database-account.md#configure-multiple-write-regions). In the absence of this configuration, the account will experience loss of write availability for all the duration of the write region outage, as manual failover won't succeed due to lack of region connectivity. To learn how to add multiple regions using the .NET SDK visit [here](tutorial-global-distribution.md) |

-| <input type="checkbox"/> | Regions | Make sure to run your application in the same [Azure region](../distribute-data-globally.md) as your Azure Cosmos DB account, whenever possible to reduce latency. Enable 2-4 regions and replicate your accounts in multiple regions for [best availability](../distribute-data-globally.md). For production workloads, enable [automatic failover](../how-to-manage-database-account.md#configure-multiple-write-regions). In the absence of this configuration, the account will experience loss of write availability for all the duration of the write region outage, as manual failover won't succeed due to lack of region connectivity. To learn how to add multiple regions using the Java SDK [visit here](tutorial-global-distribution.md) |

-The following command sets an Azure Cosmos DB account to fail over automatically to its secondary region should the primary region become unavailable.

-Managed Airflow in Azure Data Factory is a managed orchestration service for [Apache Airflow](https://airflow.apache.org/) that simplifies the creation and management of Airflow environments on which you can operate end-to-end data pipelines at scale. Apache Airflow is an open-source tool used to programmatically author, schedule, and monitor sequences of processes and tasks referred to as "workflows." With Managed Airflow in Azure Data Factory, you can use Airflow and Python to create data workflows without managing the underlying infrastructure for scalability, availability, and security.

-* EastUs

-* SouthCentralUs

-* WestUs

-* UKSouth

-* NorthEurope

-* WestEurope

-* SouthEastAsia

-* EastUS2 (coming soon)

-* WestUS2 (coming soon)

-* GermanyWestCentral (coming soon)

-Azure Data Factory Managed Airflow orchestrates your workflows using Directed Acyclic Graphs (DAGs) written in Python. You must provide your DAGs and plugins in Azure Blob Storage. Airflow requirements or library dependencies can be installed during the creation of the new Managed Airflow environment or by editing an existing Managed Airflow environment. Then run and monitor your DAGs by launching the Airflow UI from ADF using a command line interface (CLI) or a software development kit (SDK).

-* [How to change the password for Managed Airflow environments](password-change-airflow.md)

->When changing DDoS IP protection from **Enabled** to **Disabled**, telemetry for the public IP resource will not be available.

- | Region | Select your region. In this example, we selected **(US) East US 2**. |

- | Name | Enter your resource name. In this example, we selected **mystandardpublicip**. |

- :::image type="content" source="./media/ddos-protection-quickstarts/ddos-protection-view-status.png" alt-text="Screenshot showing view of Public IP Properties.":::

-> When changing DDoS IP protection from **Enabled** to **Disabled**, telemetry for the public IP resource will not be available.

- :::image type="content" source="./media/ddos-protection-quickstarts/ddos-protection-protected-status.png" alt-text="Screenshot of status of IP Protection in Public IP Properties.":::

-> When changing DDoS IP protection from **Enabled** to **Disabled**, telemetry for the public IP resource will not be available.

-| Exposed to the internet | Indicates that a resource is exposed to the internet. Supports port filtering | Azure virtual machine, AWS EC2, Azure storage account, Azure SQL server, Azure Cosmos DB, AWS S3, Kubernetes pod, Azure SQL Managed Instance, Azure MySQL Single Server, Azure MySQL Flexible Server, Azure PostgreSQL Single Server, Azure PostgreSQL Flexible Server, Azure MariaDB Single Server, Synapse Workspace, RDS Instance |

-| Allows public access | Indicates that a public read access is allowed to the resource with no authorization required | Azure storage account, AWS S3 bucket, GitHub repository |

-What Azure data resources can I scan? | Azure storage accounts v1, v2<br/><br/> Azure Data Lake Storage Gen1/Gen2<br/><br/>Accounts are supported behind private networks but not behind private endpoints.<br/><br/> Defender for Cloud can discover data encrypted by KMB or a customer-managed key. <br/><br/>Page blobs aren't scanned.

-What AWS data resources can I scan? | AWS S3 buckets<br/><br/> Defender for Cloud can scan encrypted data, but not data encrypted with a customer-managed key.

-What permissions do I need for scanning? | Storage account: Subscription Owner or Microsoft.Storage/storageaccounts/{read/write} and Microsoft.Authorization/roleAssignments/{read/write/delete}<br/><br/> Amazon S3 buckets: AWS account permission to run Cloud Formation (to create a role).

-What Azure regions are supported? | You can scan Azure storage accounts in:<br/><br/> Australia Central; Australia Central 2; Australia East; Australia Southeast; Brazil South; Canada Central; Canada East; Central India; Central US; East Asia; East US; East US 2; France Central; Germany West Central; Japan East; Japan West: Jio India West: North Central US; North Europe; Norway East; South Africa North: South Central US; South India; Sweden Central; Switzerland North; UAE North; UK South; UK West: West Central US; West Europe; West US, West US3.<br/><br/> Scanning is done locally in the region.

-What AWS regions are supported? | Asia Pacific (Mumbai); Asia Pacific (Singapore); Asia Pacific (Sydney); Asia Pacific (Tokyo); Canada (Central); Europe (Frankfurt); Europe (Ireland); Europe (London); Europe (Paris); South America (São Paulo); US East (Ohio); US East (N. Virginia); US West (N. California): US West (Oregon).<br/><br/> Scanning is done locally in the region.

-Do I need to install an agent? | No, scanning is agentless.

-## Scanning

-## Discovery and scanning

-Defender for Cloud starts discovering and scanning data immediately after enabling a plan, or after turning on the feature in plans that are already running.

-## Scanning AWS storage

-In order to protect AWS resources in Defender for Cloud, you set up an AWS connector, using a CloudFormation template to onboard the AWS account.

-As digital transformation accelerates, organizations move data to the cloud at an exponential rate using multiple data stores such as object stores and managed/hosted databases. The dynamic and complex nature of the cloud has increased data threat surfaces and risk. This causes challenges for security teams around data visibility and protecting the cloud data estate.

-By applying sensitivity information types and Microsoft Purview sensitivity labels on storage resources, you can easily prioritize the alerts and recommendations that focus on sensitive data.

-## Scanning with smart sampling

-Defender for Cloud uses smart sampling to scan a selected number of files in your cloud datastores. The sampling results discover evidence of sensitive data issues, while saving on scanning costs and time.

-When scanning resources for data sensitivity, scan results are based on these settings.

-Changes in sensitivity settings take effect the next time that resources are scanned.

-1. Select a query template, or build your own query. Here's an example:

-This article describes how to customize data sensitivity settings in Microsoft Defender for Cloud.

-You need one of these permissions in order to sign in and edit sensitivity settings: Global Administrator, Compliance Administrator, Compliance Data Administrator, Security Administrator, Security Operator.

-Changes in sensitivity settings take effect the next time that resources are scanned.

-## Import custom sensitive info types/labels from Microsoft Purview compliance portal

-Defender for Cloud uses built-in sensitive info types. You can optionally import your own custom sensitive info types and labels from Microsoft Purview compliance portal to align with your organization's needs.

-In the device inventory grid, select the devices you want to merge, and then select **Merge** in the toolbar at the top of the page.

-1. At the prompt, select **Confirm** to confirm that you want to delete the device from Defender for IoT.

-A confirmation message appears at the top right.

-Azure Front Door is MicrosoftΓÇÖs modern cloud Content Delivery Network (CDN) that provides fast, reliable, and secure access between your users and your applicationsΓÇÖ static and dynamic web content across the globe. Azure Front Door delivers your content using the MicrosoftΓÇÖs global edge network with hundreds of [global and local points of presence (PoPs)](edge-locations-by-region.md) distributed around the world close to both your enterprise and consumer end users.

-> [Understand the MedTech service device message data transformation](overview.md)

-FHIR&#174; is a registered trademark of Health Level Seven International, registered in the U.S. Trademark Office and is used with their permission.

-description: This article describes how to configure device mappings in the Azure Health Data Services MedTech service.

-# How to configure device mappings

-This article provides an overview and describes how to configure the MedTech service device mappings.

-The MedTech service requires two types of JSON-based mappings. The first type, **device mappings**, is responsible for mapping the device payloads sent to the MedTech service device message event hub endpoint. The device mapping extracts types, device identifiers, measurement date time, and the measurement value(s).

-The second type, **Fast Healthcare Interoperability Resources (FHIR&#174;) destination mappings**, controls the mapping for FHIR resource. The FHIR destination mappings allow configuration of the length of the observation period, FHIR data type used to store the values, and terminology code(s).

-> [!NOTE]

-> Device and FHIR destination mappings are stored in an underlying blob storage and loaded from blob per compute execution. Once updated they should take effect immediately.

-The two types of mappings are composed into a JSON document based on their type. These JSON documents are then added to your MedTech service through the Azure portal. The device mapping is added through the **Device mapping** page and the FHIR destination mapping through the **Destination** page.

-

-## Device mappings overview

-Device mappings provide functionality to extract device message content into a common format for further evaluation. Each device message received is evaluated against all device mapping templates. A single inbound device message can be separated into multiple outbound messages that are later mapped to different observations in the FHIR service. The result is a normalized data object representing the value or values parsed by the device mapping templates.

-The normalized data model has a few required properties that must be found and extracted:

-|Property|Description|

-|--|--|

-|**Type**|The name/type to classify the measurement. This value is used to bind to the required FHIR destination mapping. Multiple mappings can output to the same type allowing you to map different representations across multiple devices to a single common output.|

-|**OccurenceTimeUtc**|The time the measurement occurred.|

-|**DeviceId**|The identifier for the device. This value should match an identifier on the device resource that exists on the destination FHIR service.|

-|**Properties**|Extract at least one property so the value can be saved in the Observation resource created. Properties are a collection of key value pairs extracted during normalization.|

-> [!IMPORTANT]

-> The full normalized model is defined by the [IMeasurement](https://github.com/microsoft/iomt-fhir/blob/master/src/lib/Microsoft.Health.Fhir.Ingest.Schema/IMeasurement.cs) interface.

-Below is an example of what happens during normalization and transformation process within the MedTech service. For the purposes of the device mapping, we'll be focusing on the **Normalized data** process:

-The content payload itself is an Azure Event Hubs message, which is composed of three parts: Body, Properties, and SystemProperties. The `Body` is a byte array representing an UTF-8 encoded string. During template evaluation, the byte array is automatically converted into the string value. `Properties` is a key value collection for use by the message creator. `SystemProperties` is also a key value collection reserved by the Azure Event Hubs framework with entries automatically populated by it.

-```json

-{

- "Body": {

- "content": "value"

- },

- "Properties": {

- "key1": "value1",

- "key2": "value2"

- },

- "SystemProperties": {

- "x-opt-sequence-number": 1,

- "x-opt-enqueued-time": "2021-02-01T22:46:01.8750000Z",

- "x-opt-offset": 1,

- "x-opt-partition-key": "1"

- }

-}

-```

-## Device mappings validations

-The validation process validates the device mappings before allowing them to be saved for use. These elements are required in the device mapping templates.

-**Device mappings**

-|Element|Required|

-|:-|:|

-|TypeName|True|

-|TypeMatchExpression|True|

-|DeviceIdExpression|True|

-|TimestampExpression|True|

-|Values[].ValueName|True|

-|Values[].ValueExpression|True|

-> [!NOTE]

-> `Values[].ValueName and Values[].ValueExpression` elements are only required if you have a value entry in the array. It's valid to have no values mapped. This is used when the telemetry being sent is an event.

->

-> For example:

->

-> Some IoMT scenarios may require creating an Observation Resource in the FHIR service that does not contain a value.

-## CollectionContentTemplate

-The CollectionContentTemplate is the **root** template type used by the MedTech service device mappings template and represents a list of all templates that will be used during the normalization process.

-

-### Example

-```json

-{

- "templateType": "CollectionContent",

- "template": [

- {

- "templateType": "CalculatedContent",

- "template": {

- "typeName": "heartrate",

- "typeMatchExpression": "$..[?(@heartRate)]",

- "deviceIdExpression": "$.matchedToken.deviceId",

- "timestampExpression": "$.matchedToken.endDate",

- "values": [

- {

- "required": "true",

- "valueExpression": "$.matchedToken.heartRate",

- "valueName": "hr"

- }

- ]

- }

- },

- {

- "templateType": "CalculatedContent",

- "template": {

- "typeName": "stepcount",

- "typeMatchExpression": "$..[?(@steps)]",

- "deviceIdExpression": "$.matchedToken.deviceId",

- "timestampExpression": "$.matchedToken.endDate",

- "values": [

- {

- "required": "true",

- "valueExpression": "$.matchedToken.steps",

- "valueName": "steps"

- }

- ]

- }

- }

- ]

-}

-```

-## Mapping with JSONPath

-The device mapping content types supported by the MedTech service rely on JSONPath to both match the required mapping and extracted values. More information on JSONPath can be found [here](https://goessner.net/articles/JsonPath/). All template types use the [JSON .NET implementation](https://www.newtonsoft.com/json/help/html/QueryJsonSelectTokenJsonPath.htm) for resolving JSONPath expressions.

-### Example

-**Heart rate**

-*A device message from the Azure Event Hubs event hub received by the MedTech service*

-```json

-{

- "Body": {

- "heartRate": "78",

- "endDate": "2021-02-01T22:46:01.8750000Z",

- "deviceId": "device123"

- },

- "Properties": {},

- "SystemProperties": {}

-}

-```

-*A conforming MedTech service device mapping template that could be used during the normalization process with the example device message*

-```json

-{

- "templateType": "CollectionContent",

- "template": [

- {

- "templateType": "JsonPathContent",

- "template": {

- "typeName": "heartrate",

- "typeMatchExpression": "$..[?(@heartRate)]",

- "deviceIdExpression": "$.deviceId",

- "timestampExpression": "$.endDate",

- "values": [

- {

- "required": "true",

- "valueExpression": "$.heartRate",

- "valueName": "hr"

- }

- ]

- }

- }

- ]

-}

-```

-JSONPath allows matching on and extracting values from a device message.

-|Property|Description|Example|

-|--|--|-|

-|TypeName|The type to associate with measurements that match the template|`heartrate`|

-|TypeMatchExpression|The JSONPath expression that is evaluated against the EventData payload. If a matching JToken is found, the template is considered a match. All later expressions are evaluated against the extracted JToken matched here.|`$..[?(@heartRate)]`|

-|DeviceIdExpression|The JSONPath expression to extract the device identifier.|`$.matchedToken.deviceId`|

-|TimestampExpression|The JSONPath expression to extract the timestamp value for the measurement's OccurrenceTimeUtc.|`$.matchedToken.endDate`|

-|PatientIdExpression|*Required* when IdentityResolution is in **Create** mode and *Optional* when IdentityResolution is in **Lookup** mode. The expression to extract the patient identifier.|`$.matchedToken.patientId`|

-|EncounterIdExpression|*Optional*: The expression to extract the encounter identifier.|`$.matchedToken.encounterId`|

-|CorrelationIdExpression|*Optional*: The expression to extract the correlation identifier. This output can be used to group values into a single observation in the FHIR destination mappings.|`$.matchedToken.correlationId`|

-|Values[].ValueName|The name to associate with the value extracted by the next expression. Used to bind the wanted value/component in the FHIR destination mapping template.|`hr`|

-|Values[].ValueExpression|The JSONPath expression to extract the wanted value.|`$.matchedToken.heartRate`|

-|Values[].Required|Will require the value to be present in the payload. If not found, a measurement won't be generated, and an InvalidOperationException will be created.|`true`|

-## Other supported template types

-You can define one or more templates within the MedTech service device mapping. Each device message received is evaluated against all device mapping templates.

-|Template Type|Description|

-|-|--|

-|[CalculatedContent](how-to-use-calculatedcontent-mappings.md)|A template that supports writing expressions using one of several expression languages. Supports data transformation via the use of JMESPath functions.|

-|[IotJsonPathContentTemplate](how-to-use-iot-jsonpath-content-mappings.md)|A template that supports messages sent from Azure Iot Hub or the Legacy Export Data feature of Azure Iot Central.

-

-> [!TIP]

-> See the MedTech service article [Troubleshoot MedTech service errors](troubleshoot-errors.md) for assistance fixing common MedTech service errors.

-## Next steps

-In this article, you learned how to configure device mappings.

-To learn how to configure FHIR destination mappings, see

-> [!div class="nextstepaction"]

-> [How to configure FHIR destination mappings](how-to-configure-fhir-mappings.md)

-FHIR&#174; is a registered trademark of Health Level Seven International, registered in the U.S. Trademark Office and is used with their permission.

-If for any reason the migration fails, the EFLOW VM will be restored to its original 1.1LTS version.

-If you want to cancel the migration, you can use the following cmdlets `Start-EflowMigration` and then `Restore-EflowPriorToMigration`

-1. In the Visual Studio Code explorer, open **modules** > **CSharpModule** > **ModuleBackgroundService.cs**.

-1. At the top of the **CSharpModule** namespace, add three **using** statements for types that are used later:

-1. Find the **Init** function. This function creates and configures a **ModuleClient** object, which allows the module to connect to the local Azure IoT Edge runtime to send and receive messages. After creating the **ModuleClient**, the code reads the **temperatureThreshold** value from the module twin's desired properties. The code registers a callback to receive messages from an IoT Edge hub via an endpoint called **input1**.

- Replace the **SetInputMessageHandlerAsync** method with a new one that updates the name of the endpoint and the method that's called when input arrives. Also, add a **SetDesiredPropertyUpdateCallbackAsync** method for updates to the desired properties. To make this change, replace the last line of the **Init** method with the following code:

-1. Add the **onDesiredPropertiesUpdate** method to the **Program** class. This method receives updates on the desired properties from the module twin, and updates the **temperatureThreshold** variable to match. All modules have their own module twin, which lets you configure the code that's running inside a module directly from the cloud.

-1. Replace the **PipeMessage** method with the **FilterMessages** method. This method is called whenever the module receives a message from the IoT Edge hub. It filters out messages that report temperatures below the temperature threshold set via the module twin. It also adds the **MessageType** property to the message with the value set to **Alert**.

-A lab plan can contain zero or more [labs](#lab). Each lab uses the configuration settings from the lab plan. Azure Lab Services uses Azure AD roles to grant permissions for creating labs. Learn more about [Azure Lab Services built-in roles](./administrator-guide.md#rbac-roles).

-To create labs in Azure Lab Services, your Azure account needs to have the Lab Creator Azure AD role, or you need to be the owner of the corresponding lab plan. Learn more about [Azure Lab Services built-in roles](./administrator-guide.md#rbac-roles).

-You can choose to create a customizable lab, which enables you to modify the base image for the [lab VMs](#lab-virtual-machine). For example, to install extra software components or modify operating system settings. In this case, Azure Lab Services creates a lab template VM, which you can connect to and customize.

-## Create the lab plan as a lab plan administrator

-The first step in using Azure Lab Services is to create a lab plan in the Azure portal. After a lab plan administrator creates the lab plan, the admin adds the Lab Creator role to users who want to create labs, such as educators.

-The lab creator can then create labs with virtual machines for students to do exercises for the course they're teaching. For details, see [Create and manage lab plan](how-to-manage-lab-plans.md).

-## Create and manage labs

-If you have the Lab Creator role for a lab plan, you can create one or more labs in the lab plan. You create and configure a template VM with all the required software for doing exercises in your course. You select a ready-made image from the available images for creating a lab and then optionally customize it by installing the software required for the lab. For details, see [Create and manage labs](how-to-manage-labs.md).

-## Set up and publish a template VM

-A template VM in a lab is a base virtual machine image from which all usersΓÇÖ VMs are created. Set up the template VM so that it's configured with exactly what you want to provide to the training attendees. You can provide a name and description of the template that the lab users see.

-Then, you publish the template to make instances of the template VM available to your lab users. When you publish a template, Azure Lab Services creates VMs in the lab by using the template. The number of VMs created in this process is the same as the maximum number of users allowed into the lab, which you can set in the usage policy of the lab. All virtual machines have the same configuration as the template. For details, see [Set up and publish template virtual machines](how-to-create-manage-template.md).

-## Configure usage settings and policies

-The lab creator can add or remove users to the lab, get a registration link to invite lab users, set up policies such as setting individual quotas per user, update the number of VMs available in the lab, and more. For details, see [Configure usage settings and policies](how-to-configure-student-usage.md).

-When you use Azure Lab Services with [Microsoft Teams](./how-to-manage-labs-within-teams.md) or [Canvas](./how-to-manage-labs-within-canvas.md), Azure Lab Services automatically synchronizes the lab user list with the membership in Teams or Canvas.

-## Create and manage schedules

-Schedules allow you to configure a lab such that VMs in the lab automatically start and shut down at a specified time. You can define a one-time schedule or a recurring schedule. For details, see [Create and manage schedules for labs](how-to-create-schedules.md).

-## Use VMs in the lab

-A student or training attendee registers to the lab by using the registration link they received from the lab creator. They can then connect to the VM to do the exercises for the course. For details, see [How to access a lab](how-to-use-lab.md).

-Azure Lab Services lets you create labs whose infrastructure is managed by Azure. The service itself handles all the infrastructure management, from spinning up virtual machines (VMs) to handling errors and scaling the infrastructure. Azure Lab Services was designed with three major personas in mind: administrators, educators, and students. After an IT administrator creates a lab plan, an educator can quickly set up a lab for the class. Educators specify the number and type of VMs needed, configure the template VM, and add users to the class. Once a user registers to the class, the user can access the VM to do exercises for the class.

-To get started with Azure Lab Services, you need to [create a lab plan Azure resource](./quick-create-resources.md) for your organization first. The lab plan serves as a collection of configurations and settings that apply to the labs created from it.

-To learn more about lab plans, labs, or other concepts, see the [key concepts for Azure Lab Services](./classroom-labs-concepts.md).

-The service creates and manages resources in a subscription managed by Microsoft. Resources aren't created in your own Azure subscription. The [advanced networking](how-to-connect-vnet-injection.md) option is an exception as there are a few resources saved in your subscription. Virtual machines are always hosted in the Microsoft managed subscription. The service keeps track of usage of these resources in internal Microsoft subscriptions. This usage is [billed back to your Azure subscription](cost-management-guide.md) that contains the lab plan.

-Here are some of the **use cases for managed labs**:

-## Example class types

-You can set up labs for several types of classes with Azure Lab Services. See the [Example class types on Azure Lab Services](class-types.md) article for a few example types of classes for which you can set up labs with Azure Lab Services.

-## Region availability

-Visit the [Azure Global Infrastructure products by region](https://azure.microsoft.com/global-infrastructure/services/?products=lab-services) page to learn where Azure Lab Services is available.

-[Azure Lab Services August 2022 Update](lab-services-whats-new.md)) doesn't move or store customer data outside the region it's deployed in. However, accessing Azure Lab Services resources through the Azure Lab Services portal may cause customer data to cross regions.

-There are no guarantees customer data stays in the region it's deployed to when using Azure Lab Services prior to the August 2022 Update.

-## Data at rest

-Before Azure Lab Services can create lab VMs for your lab, you first need to publish the lab. When you publish the lab, you need to specify the maximum number of lab VMs that Azure Lab Services creates. All VMs in the lab share the same configuration as the lab template.

-## Add a lab schedule

-Instead of each lab user starting their lab VM manually, you can create a lab schedule to automatically start and stop the lab VM according to your training calendar. Azure Lab Services supports one-time events or recurring schedules.

-Follow these steps to add a recurring schedule to your lab:

-1. On the **Schedule** page for the lab, select **Add scheduled event** on the toolbar.

- :::image type="content" source="./media/tutorial-setup-lab/add-schedule-button.png" alt-text="Screenshot of the Add scheduled event button on the Schedule page, highlighting the Schedule menu and Add scheduled event button.":::

-1. On the **Add scheduled event** page, enter the following information:

- | Field | Value |

- | -- | -- |

- | **Event type** | *Standard* |

- | **Start date** | Enter a start date for the classroom training. |

- | **Start time** | Enter a start time for the classroom training. |

- | **Stop time** | Enter an end time for the classroom training. |

- | **Time zone** | Select your time zone. |

- | **Repeat** | Keep the default value, which is a weekly recurrence for four months. |

- | **Notes** | Optionally enter a description for the schedule. |

-1. Select **Save** to confirm the lab schedule.

- :::image type="content" source="./media/tutorial-setup-lab/add-schedule-page-weekly.png" alt-text="Screenshot of the Add scheduled event window.":::

-1. In the calendar view, confirm that the scheduled event is present.

- :::image type="content" source="./media/tutorial-setup-lab/schedule-calendar.png" alt-text="Screenshot of the Schedule page for Azure Lab Services. Repeating schedule, Monday through Friday shown in the calendar.":::

-In this tutorial, you have the Lab Creator Azure AD role to let you create labs for a lab plan. Depending on your organziation, the responsibilities for creating lab plans and labs might be assigned to different people or teams. Learn more about [mapping permissions across your organization](./classroom-labs-scenarios.md#mapping-organizational-roles-to-permissions).

-If deep learning is enabled, validation is limited to _train_validation split_. [Learn more about validation options](../how-to-configure-cross-validation-data-splits.md).

- Concurrency| *Max concurrent iterations*: Maximum number of pipelines (iterations) to test in the training job. The job will not run more than the specified number of iterations. Learn more about how automated ML performs [multiple child jobs on clusters](/how-to-configure-auto-train.md#multiple-child-runs-on-clusters).

- 1. Specify the type of validation to be used for your training job. [Learn more about cross validation](../how-to-configure-cross-validation-data-splits.md#prerequisites).

- 1. Specify the type of validation to be used for your training job. [Learn more about cross validation](../how-to-configure-cross-validation-data-splits.md#prerequisites).

-> * [v1](./v1/concept-automated-ml-v1.md)

-While model building is automated, you can also [learn how important or relevant features are](./v1/how-to-configure-auto-train-v1.md#explain) to the generated models.

-For automated machine learning experiments, featurization is applied automatically, but can also be customized based on your data. [Learn more about what featurization is included](how-to-configure-auto-features.md#featurization) and how AutoML helps [prevent over-fitting and imbalanced data](concept-manage-ml-pitfalls.md) in your models.

-+ Learn how to [view the generated code from your automated ML models](how-to-generate-automl-training-code.md).

-You can also bring your own validation data. Learn more in the [configure data splits and cross-validation in AutoML](how-to-configure-cross-validation-data-splits.md#provide-validation-data) article.

-This article applies to the second version of the [Azure Machine Learning CLI & Python SDK (v2)](concept-v2.md). For version one (v1), see [How Azure Machine Learning works: Architecture and concepts (v1)](v1/concept-azure-machine-learning-architecture.md)

-Notebooks and Python scripts are stored in the default storage account of your workspace in Azure file share. These files are located under your ΓÇ£User filesΓÇ¥ directory. This storage makes it easy to share notebooks between compute instances. The storage account also keeps your notebooks safely preserved when you stop or delete a compute instance.

-Don't store training data on the notebooks file share. You can use the `/tmp` directory on the compute instance for your temporary data. However, don't write large files of data on the OS disk of the compute instance. OS disk on compute instance has 128-GB capacity. You can also store temporary training data on temporary disk mounted on /mnt. Temporary disk size is based on the VM size chosen and can store larger amounts of data if a higher size VM is chosen. You can also mount [datastores and datasets](v1/concept-azure-machine-learning-architecture.md#datasets-and-datastores). Any software packages you install are saved on the OS disk of compute instance. Note customer managed key encryption is currently not supported for OS disk. The OS disk for compute instance is encrypted with Microsoft-managed keys.

-* [Connect to Azure storage](how-to-access-data.md)

-* [Get data from a datastore](how-to-create-register-datasets.md)

-* [Customer-managed keys](concept-customer-managed-keys.md).

-> * [v1](./v1/concept-data.md)

-A [pipeline](v1/concept-azure-machine-learning-architecture.md#ml-pipelines) consists of data assets and analytical components, which you connect. Pipelines have many uses: you can make a pipeline that trains a single model, or one that trains multiple models. You can create a pipeline that makes predictions in real time or in batch, or make a pipeline that only cleans data. Pipelines let you reuse your work and organize your projects.

-Pipeline jobs are grouped into [experiments](v1/concept-azure-machine-learning-architecture.md#experiments) to organize job history. You can set the experiment for every pipeline job.

-| **Cluster sizing (scaling)** | [Managed manual and autoscale](how-to-autoscale-endpoints.md), supporting additional nodes provisioning | [Manual and autoscale](v1/how-to-deploy-azure-kubernetes-service.md#autoscaling), supporting scaling the number of replicas within fixed cluster boundaries |

-> Cross-validation is not enabled by default; it must be configured in automated ML settings. However, after cross-validation is configured and a validation data set has been provided, the process is automated for you. Learn more about [cross validation configuration in Auto ML](how-to-configure-cross-validation-data-splits.md)

-Besides being the tool to put MLOps into practice, the machine learning pipeline also improves large model trainingΓÇÖs efficiency and reduces cost. Taking modern natural language model training as an example. It requires pre-processing large amounts of data and GPU intensive transformer model training. It takes hours to days to train a model each time. When the model is being built, the data scientist wants to test different training code or hyperparameters and run the training many times to get the best model performance. For most of these trainings, there's usually small changes from one training to another one. It will be a significant waste if every time the full training from data processing to model training takes place. By using machine learning pipeline, it can automatically calculate which steps result is unchanged and reuse outputs from previous training. Additionally, the machine learning pipeline supports running each step on different computation resources. Such that, the memory heavy data processing work and run-on high memory CPU machines, and the computation intensive training can run on expensive GPU machines. By properly choosing which step to run on which type of machines, the training cost can be significantly reduced.

-The first approach usually applies to the team that hasnΓÇÖt used pipeline before and wants to take some advantage of pipeline like MLOps. In this situation, data scientists typically have developed some machine learning models on their local environment using their favorite tools. Machine learning engineers need to take data scientistsΓÇÖ output into production. The work involves cleaning up some unnecessary code from original notebook or Python code, changes the training input from local data to parameterized values, split the training code into multiple steps as needed, perform unit test of each step, and finally wraps all steps into a pipeline.

-Once the teams get familiar with pipelines and want to do more machine learning projects using pipelines, they'll find the first approach is hard to scale. The second approach is set up a few pipeline templates, each try to solve one specific machine learning problem. The template predefines the pipeline structure including how many steps, each stepΓÇÖs inputs and outputs, and their connectivity. To start a new machine learning project, the team first forks one template repo. The team leader then assigns members which step they need to work on. The data scientists and data engineers do their regular work. When they're happy with their result, they structure their code to fit in the pre-defined steps. Once the structured codes are checked-in, the pipeline can be executed or automated. If there's any change, each member only needs to work on their piece of code without touching the rest of the pipeline code.

-Once a team has built a collection of machine learnings pipelines and reusable components, they could start to build the machine learning pipeline from cloning previous pipeline or tie existing reusable component together. At this stage, the teamΓÇÖs overall productivity will be improved significantly.

-Azure Machine Learning offers different methods to build a pipeline. For users who are familiar with DevOps practices, we recommend using [CLI](how-to-create-component-pipelines-cli.md). For data scientists who are familiar with python, we recommend writing pipeline using the [Azure Machine Learning SDK v1](v1/how-to-create-machine-learning-pipelines.md). For users who prefer to use UI, they could use the [designer to build pipeline by using registered components](how-to-create-component-pipelines-ui.md).

-> * [v1](v1/concept-mlflow-v1.md)

-> * [v1](./v1/concept-model-management-and-deployment.md)

-Data profiling depends on the Azure Machine Learning managed service being able to access the default Azure Storage Account for your workspace. The managed service _doesn't exist in your VNet_, so canΓÇÖt directly access the storage account in the VNet. Instead, the workspace uses a service principal to access storage.

-Securing an online endpoint with a private endpoint is a preview feature.

-> [!IMPORTANT]

-> Workspace soft delete is currently in public preview. This preview is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> During preview of workspace soft-delete, the retention period is fixed to 14 days and canΓÇÖt be modified.

-If you do collect this data, always let data contributors self-identify (choose their own responses) instead of having data collectors make assumptions, which might be incorrect. Also include a ΓÇ£prefer not to answerΓÇ¥ option for each question. These practices will show respect for the data contributors and yield more balanced and higher-quality data.

-> * [v1](v1/concept-train-machine-learning-model-v1.md)

-+ In any Python environment with the [Azure Machine Learning SDK for Python](https://aka.ms/sdk-v2-install).

-+ On the command line using the Azure Machine Learning [CLI extension](how-to-configure-cli.md)

-+ [Azure Application Insights](https://azure.microsoft.com/services/application-insights/): Stores monitoring and diagnostics information. For more information, see [Monitor online endpoints](how-to-monitor-online-endpoints.md).

-> * [v1](./v1/concept-network-data-access.md)

-> * [v1](./v1/how-to-auto-train-forecast-v1.md)

-> * [v1](v1/how-to-auto-train-image-models-v1.md)

-* [Troubleshoot automated ML experiments](how-to-troubleshoot-auto-ml.md).

-> * [v1](./v1/how-to-auto-train-nlp-models-v1.md)

-You can seamlessly integrate with the [Azure Machine Learning data labeling](how-to-create-text-labeling-projects.md) capability to label your text data or bring your existing labeled data. Automated ML provides the option to use distributed training on multi-GPU compute clusters for faster model training. The resulting model can be operationalized at scale by leveraging Azure Machine LearningΓÇÖs MLOps capabilities.

-You can specify your dataset language in the featurization section of your configuration YAML file. BERT is also used in the featurization process of automated ML experiment training, learn more about [BERT integration and featurization in automated ML](how-to-configure-auto-features.md#bert-integration-in-automated-ml).

-You can specify your dataset language with the `set_featurization()` method. BERT is also used in the featurization process of automated ML experiment training, learn more about [BERT integration and featurization in automated ML](how-to-configure-auto-features.md#bert-integration-in-automated-ml).

-| gradient_accumulation_steps | The number of backward operations whose gradients are to be summed up before performing one step of gradient descent by calling the optimizerΓÇÖs step function. <br><br> This is leveraged to use an effective batch size which is gradient_accumulation_steps times larger than the maximum size that fits the GPU. | Must be a positive integer.

-+ [Troubleshoot automated ML experiments](how-to-troubleshoot-auto-ml.md)

-> * [v1](./v1/how-to-configure-auto-train-v1.md)

-> * [v1](v1/reference-azure-machine-learning-cli.md)

-| [Azure Databricks](how-to-configure-databricks-automl-environment.md) | Ideal for running large-scale intensive machine learning workflows on the scalable Apache Spark platform. | Overkill for experimental machine learning, or smaller-scale experiments and workflows. Additional cost incurred for Azure Databricks. See [pricing details](https://azure.microsoft.com/pricing/details/databricks/). |

-> * [CLI or SDK v1](v1/how-to-configure-private-link.md)

-> * [v1](v1/how-to-create-attach-compute-cluster.md)

-> * [v1](./v1/how-to-create-register-datasets.md)

-> * [v1](v1/how-to-create-manage-compute-instance.md)

-> This article shows CLI v2 in the sections below. If you are still using CLI v1, see [Create an Azure Machine Learning compute cluster CLI v1)](v1/how-to-create-manage-compute-instance.md).

-* Action can have value of ΓÇ£StartΓÇ¥ or ΓÇ£StopΓÇ¥.

-1. Fill out the form to [create a new compute instance](?tabs=azure-studio#create).

-1. Select **Next: Advanced Settings**.

-1. Enable **Assign a managed identity**.

-1. Fill out the form to [create a new compute instance](?tabs=azure-studio#create)

-1. Select **Next: Advanced Settings**

-1. Select **Add application** under the **Custom application setup (RStudio Workbench, etc.)** section

-1. Follow the steps listed above to **Add application** when creating your compute instance.

-1. Select **Posit Workbench (bring your own license)** in the **Application** dropdown and enter your Posit Workbench license key in the **License key** field. You can get your Posit Workbench license or trial license [from posit](https://posit.co).

-1. Follow the steps listed above to **Add application** when creating your compute instance.

-1. Select **Custom Application** on the **Application** dropdown

-1. Configure the **Application name** you would like to use.

-[Azure RBAC](../role-based-access-control/overview.md) allows you to control which users in the workspace can create, delete, start, stop, restart a compute instance. All users in the workspace contributor and owner role can create, delete, start, stop, and restart compute instances across the workspace. However, only the creator of a specific compute instance, or the user assigned if it was created on their behalf, is allowed to access Jupyter, JupyterLab, and RStudio on that compute instance. A compute instance is dedicated to a single user who has root access. That user has access to Jupyter/JupyterLab/RStudio running on the instance. Compute instance will have single-user sign-in and all actions will use that userΓÇÖs identity for Azure RBAC and attribution of experiment jobs. SSH access is controlled through public/private key mechanism.

- Navigate to the Private Endpoint to the Azure Machine Learning workspace. The workspace FQDNs will be listed on the ΓÇ£OverviewΓÇ¥ tab.

- Navigate to the Private Endpoint to the Azure Machine Learning workspace. The workspace FQDNs will be listed on the ΓÇ£OverviewΓÇ¥ tab.

-> * [v1](v1/how-to-access-data.md)

-> * [v1](./v1/how-to-deploy-mlflow-models.md)

-> * [v1](./v1/how-to-deploy-mlflow-models.md)

-| Tensor input formatted as in TF ServingΓÇÖs API | **&check;** | |

-You can unregister data assets and archive jobs, but these operations don't delete the data. To entirely remove the data, data assets and job data require deletion at the storage level. Storage level deletion happens in the portal, as described earlier. Azure Machine Learning Studio can handle individual deletion. Job deletion deletes the data of that job.

-Azure Machine Learning Studio can handle training artifact downloads from experimental jobs. Choose the relevant **Job**. Choose **Output + logs**, and navigate to the specific artifacts you wish to download. Choose **...** and **Download**, or select **Download all**.

-Learn more about [Managing a workspace](how-to-manage-workspace.md).

-> * [v1](./v1/how-to-use-managed-identities.md)

-* If the virtual network setting is ΓÇ£Allow Azure services on the trusted services list to access this storage accountΓÇ¥, then Workspace MSI is used.

-> * [v1](v1/how-to-inference-onnx-automl-image-models-v1.md)

-* [Troubleshoot AutoML experiments](how-to-troubleshoot-auto-ml.md)

-> * [v1](./v1/how-to-log-view-metrics.md)

-> * [v1](./v1/how-to-use-environments.md)

-Some resources like environments, datasets, and models allow you to make changes to a resource and store the different versions.

-For more information, see [models](v1/concept-azure-machine-learning-architecture.md#models)

-> * [v1](v1/how-to-manage-workspace-cli.md)

-> * [v1](v1/how-to-manage-workspace.md)

-### Networking

-> [!IMPORTANT]

-1. The default network configuration is to use a __Public endpoint__, which is accessible on the public internet. To limit access to your workspace to an Azure Virtual Network you've created, you can instead select __Private endpoint__ as the __Connectivity method__, and then use __+ Add__ to configure the endpoint.

- :::image type="content" source="media/how-to-manage-workspace/select-private-endpoint.png" alt-text="Private endpoint selection":::

-1. On the __Create private endpoint__ form, set the location, name, and virtual network to use. If you'd like to use the endpoint with a Private DNS Zone, select __Integrate with private DNS zone__ and select the zone using the __Private DNS Zone__ field. Select __OK__ to create the endpoint.

- :::image type="content" source="media/how-to-manage-workspace/create-private-endpoint.png" alt-text="Private endpoint creation":::

-> [!IMPORTANT]

-> Selecting high business impact can only be done when creating a workspace. You cannot change this setting after workspace creation.

-> [!IMPORTANT]

-> Before following these steps, you must first perform the following actions:

-> If your workspace uses a private endpoint, it will automatically have the `v1_legacy_mode` flag enabled, preventing usage of v2 APIs. See [how to configure network isolation with v2](how-to-configure-network-isolation-with-v2.md) for details.

-If you create workspaces using automation, do consider upgrading the code for creating a workspace to v2. Typically Azure resources are managed via Azure Resource Manager (and Bicep) or similar resource provisioning tools. Alternatively, you can use the [CLI (v2) and YAML files](how-to-manage-workspace-cli.md#create-a-workspace).

-With SDK/CLI v1, you can deploy models on ACI or AKS as web services. Your existing v1 model deployments and web services will continue to function as they are, but Using SDK/CLI v1 to deploy models on ACI or AKS as web services is now consiered as **legacy**. For new model deployments, we recommend upgrading to v2. In v2, we offer [managed endpoints or Kubernetes endpoints](./concept-endpoints.md). The following table guides our recommendation:

-This article talks more about handling data in v2 - [Read and write data in a job](how-to-read-write-data-v2.md)

-For details about Key Vault, see [Use authentication credential secrets in Azure Machine Learning training jobs](how-to-use-secrets-in-runs.md).

-With v2, you should separate your machine learning code from the control plane code. This separation allows for easier iteration and allows for easier transition between local and cloud. We also recommend using MLflow for tracking and model logging. See the [MLflow concept article](concept-mlflow.md) for details.

-> [!div class="op_single_selector" title1="Select the version of Azure Machine Learning developer platform you use:"]

-> * [v2 (current version)](how-to-mltable.md)

-> [!div class="op_single_selector" title1="Select the Azure Machine Learning SDK or CLI version you are using:"]

-> * [SDK/CLI v1](v1/how-to-network-security-overview.md)

-> * [SDK/CLI v2 (current version)](how-to-network-security-overview.md)

-For detailed instructions on how to complete these steps, see [Secure an Azure Machine Learning workspace](how-to-secure-workspace-vnet.md).

-> * [v1](v1/how-to-prepare-datasets-for-automl-images-v1.md)

-> * [v1](v1/how-to-train-with-datasets.md)

-* For how to publish and run a published pipeline using the SDK v1, see the [How to deploy pipelines](v1/how-to-deploy-pipelines.md) article.

-> * [SDK/CLI v1](v1/how-to-secure-inferencing-vnet.md)

-> * [SDK v1](./v1/how-to-secure-training-vnet.md)

-> * [v1](v1/how-to-secure-workspace-vnet.md)

-When ACR is behind a virtual network, Azure Machine Learning canΓÇÖt use it to directly build Docker images. Instead, the compute cluster is used to build the images.

-> The compute cluster used to build Docker images needs to be able to access the package repositories that are used to train and deploy your models. You may need to add network security rules that allow access to public repos, [use private Python packages](how-to-use-private-python-packages.md), or use [custom Docker images](v1/how-to-train-with-custom-image.md) that already include the packages.

-

-> * [v1](./v1/how-to-setup-authentication.md)

-> * [v1](v1/how-to-train-keras.md)

-> * [v1](v1/how-to-train-pytorch.md)

-> * [v1](v1/how-to-train-scikit-learn.md)

-> * [v1](v1/how-to-train-tensorflow.md)

-This error is returned when the environment (docker image) is being built. You can check the build log for more information on the failure(s). The build log is located in the default storage for your Azure Machine Learning workspace. The exact location may be returned as part of the error. For example, "The build log is available in the workspace blob store '[storage-account-name]' under the path '/azureml/ImageLogs/your-image-id/build.log'". In this case, "azureml" is the name of the blob container in the storage account.

-| 429 | Too many pending requests | Your model is getting more requests than it can handle. Azure Machine Learning allows maximum 2 * `max_concurrent_requests_per_instance` * `instance_count` requests in parallel at any time and rejects extra requests. You can confirm these settings in your model deployment config under `request_settings` and `scale_settings`, respectively. If you're using auto-scaling, this error means that your model is getting requests faster than the system can scale up. With auto-scaling, you can try to resend requests with [exponential backoff](https://en.wikipedia.org/wiki/Exponential_backoff). Doing so can give the system time to adjust. Apart from enabling auto-scaling, you could also increase the number of instances by using the [code to calculate instance count](#how-to-calculate-instance-count). |

-> * [v1](v1/how-to-tune-hyperparameters-v1.md)

- If deep learning is enabled, validation is limited to _train_validation split_. [Learn more about validation options](how-to-configure-cross-validation-data-splits.md).

- 1. Specify the type of validation to be used for your training job. [Learn more about cross validation](how-to-configure-cross-validation-data-splits.md#prerequisites).

-> * [v1](v1/how-to-use-automl-small-object-detect-v1.md)

- tile_grid_size='3x2'

- SearchSpace(

- model_name=Choice(['fasterrcnn_resnet50_fpn']),

- tile_grid_size=Choice(['2x1', '3x2', '5x3'])

- )

-| Parameter Name | Description | Default |

-> Copyright © 2020 Roboflow, Inc.

-> * [v1](./v1/how-to-use-mlflow.md)

-You can also learn how to [use pipelines programmatically with the SDK v1](v1/how-to-deploy-pipelines.md).

-> * [v1](v1/how-to-use-secrets-in-runs.md)

-> [!div class="op_single_selector" title1="Select the version of the Azure Machine Learning Python SDK you are using:"]

-> * [v1](v1/how-to-workspace-diagnostic-api.md)

-> * [v2 (current version)](how-to-workspace-diagnostic-api.md)

-> * [v1](v1/reference-automl-images-hyperparameters-v1.md)

-> * [v1](v1/reference-automl-images-schema-v1.md)

-> The images used in this article are from the Fridge Objects dataset, copyright © Microsoft Corporation and available at [computervision-recipes/01_training_introduction.ipynb](https://github.com/microsoft/computervision-recipes/blob/master/scenarios/detection/01_training_introduction.ipynb) under the [MIT License](https://github.com/microsoft/computervision-recipes/blob/master/LICENSE).

-| `max_concurrent_requests_per_instance` | integer | The maximum number of concurrent requests per instance allowed for the deployment. <br><br> Set to the number of requests that your model can process concurrently on a single node. Setting this value higher than your model's actual concurrency can lead to higher latencies. Setting this value too low may lead to under utilized nodes. Setting too low may also result in requests being rejected with a 429 HTTP status code, as the system will opt to fail fast. <br><br> For more information, see [Troubleshooting online endpoints: HTTP status codes](how-to-troubleshoot-online-endpoints.md#http-status-codes). | `1` |

-> * [v1](v1/reference-pipeline-yaml.md)

-> * [v1](v1/reference-pipeline-yaml.md)

-> * [v1](v1/samples-notebooks-v1.md)

-> * [v1](v1/tutorial-auto-train-image-models-v1.md)

- Compute name | A unique name that identifies your compute context. | bike-compute

-+ Learn more about [featurization](how-to-configure-auto-features.md#featurization).

-+ Learn more about [data profiling](v1/how-to-connect-data-ui.md#profile).

-To learn more about common secure workspace configurations and input/output requirements, see [Azure Machine Learning secure workspace traffic flow](concept-secure-network-traffic-flow.md).

-Now that you've created a secure workspace and can access studio, learn how to [deploy a model to an online endpoint with network isolation](how-to-secure-online-endpoint.md).

- Compute name | A unique name that identifies your compute context. | automl-compute

-+ Learn more about [featurization](how-to-configure-auto-features.md#featurization).

-+ Learn more about [data profiling](v1/how-to-connect-data-ui.md#profile).

-> * [v2 (current version)](../concept-automated-ml.md)

-Classification is a common machine learning task. Classification is a type of supervised learning in which models learn using training data, and apply those learnings to new data. Azure Machine Learning offers featurizations specifically for these tasks, such as deep neural network text featurizers for classification. Learn more about [featurization (v1) options](../how-to-configure-auto-features.md#featurization).

-Learn how to [configure AutoML experiments to use test data (preview) with the SDK (v1)](../how-to-configure-cross-validation-data-splits.md#provide-test-data-preview) or with the [Azure Machine Learning studio](../how-to-use-automated-ml-for-ml-models.md#create-and-run-experiment).

-For automated machine learning experiments, featurization is applied automatically, but can also be customized based on your data. [Learn more about what featurization is included (v1)](../how-to-configure-auto-features.md#featurization) and how AutoML helps [prevent over-fitting and imbalanced data](../concept-manage-ml-pitfalls.md) in your models.

-+ Python SDK: Specify `"feauturization": 'auto' / 'off' / 'FeaturizationConfig'` in your [AutoMLConfig](/python/api/azureml-train-automl-client/azureml.train.automl.automlconfig.automlconfig) object. Learn more about [enabling featurization (v1)](../how-to-configure-auto-features.md).

-+ Learn how to [view the generated code from your automated ML models](../how-to-generate-automl-training-code.md).

-> * [v2 (current version)](../concept-data.md)

-> * [v2 (current version)](../concept-mlflow.md)

-> * [v2 (current version)](../concept-model-management-and-deployment.md)

-> * [v2 (current version)](../how-to-administrate-data-authentication.md)

-> * [v2 (current)](../concept-train-machine-learning-model.md)

-> * [v2 (current version)](../how-to-datastore.md)

-> * [v2 (current version)](../how-to-train-model.md)

-

-> * [v2 (current version)](../how-to-auto-train-forecast.md)

-You can also bring your own validation data, learn more in [Configure data splits and cross-validation in AutoML](../how-to-configure-cross-validation-data-splits.md#provide-validation-data).

-In every automated machine learning experiment, automatic scaling and normalization techniques are applied to your data by default. These techniques are types of **featurization** that help *certain* algorithms that are sensitive to features on different scales. Learn more about default featurization steps in [Featurization in AutoML](../how-to-configure-auto-features.md#automatic-featurization)

-To customize featurizations with the SDK, specify `"featurization": FeaturizationConfig` in your `AutoMLConfig` object. Learn more about [custom featurizations](../how-to-configure-auto-features.md#customize-featurization).

-

-> * [v2 (current version)](../how-to-auto-train-image-models.md)

-

-In general, deep learning model performance can often improve with more data. Data augmentation is a practical technique to amplify the data size and variability of a dataset which helps to prevent overfitting and improve the modelΓÇÖs generalization ability on unseen data. Automated ML applies different data augmentation techniques based on the computer vision task, before feeding input images to the model. Currently, there is no exposed hyperparameter to control data augmentations.

-|Image classification (multi-class and multi-label) | Training <br><br><br> Validation & Test| Random resize and crop, horizontal flip, color jitter (brightness, contrast, saturation, and hue), normalization using channel-wise ImageNetΓÇÖs mean and standard deviation <br><br><br>Resize, center crop, normalization |

-* [Troubleshoot automated ML experiments](../how-to-troubleshoot-auto-ml.md).

-> * [v2 (current version)](../how-to-auto-train-nlp-models.md)

-You can seamlessly integrate with the [Azure Machine Learning data labeling](../how-to-create-text-labeling-projects.md) capability to label your text data or bring your existing labeled data. Automated ML provides the option to use distributed training on multi-GPU compute clusters for faster model training. The resulting model can be operationalized at scale by leveraging Azure Machine LearningΓÇÖs MLOps capabilities.

-You can specify your dataset language in your `FeaturizationConfig`. BERT is also used in the featurization process of automated ML experiment training, learn more about [BERT integration and featurization in automated ML](../how-to-configure-auto-features.md#bert-integration-in-automated-ml).

-+ [Troubleshoot automated ML experiments](../how-to-troubleshoot-auto-ml.md).

-> * [v2 (current version)](../how-to-configure-auto-train.md)

-You can specify separate **training data and validation data sets** directly in the `AutoMLConfig` constructor. Learn more about [how to configure training, validation, cross validation, and test data](../how-to-configure-cross-validation-data-splits.md) for your AutoML experiments.

-> * [Pass in test data to your AutoMLConfig object](../how-to-configure-cross-validation-data-splits.md#provide-test-data-preview).

- * An **Azure Databricks cluster** in your Azure subscription. You can find more details in [Set up an Azure Databricks cluster for automated ML](../how-to-configure-databricks-automl-environment.md). See this [GitHub site](https://github.com/Azure/azureml-examples/tree/main/v1/python-sdk/tutorials/automl-with-databricks) for examples of notebooks with Azure Databricks.

-See [Featurization in AutoML](../how-to-configure-auto-features.md) for more detail and code examples.

-|`"featurization": 'auto'`| Indicates that as part of preprocessing, [data guardrails and featurization steps](../how-to-configure-auto-features.md#featurization) are performed automatically. **Default setting**.|

-|`"featurization":`&nbsp;`'FeaturizationConfig'`| Indicates customized featurization step should be used. [Learn how to customize featurization](../how-to-configure-auto-features.md#customize-featurization).|

-* To get a featurization summary and understand what features were added to a particular model, see [Featurization transparency](../how-to-configure-auto-features.md#featurization-transparency).

-You can view the hyperparameters, the scaling and normalization techniques, and algorithm applied to a specific automated ML run with the [custom code solution, `print_model()`](../how-to-configure-auto-features.md#scaling-and-normalization).

-> Automated ML also let's you [view the generated model training code for Auto ML trained models](../how-to-generate-automl-training-code.md). This functionality is in public preview and can change at any time.

-Passing the `test_data` or `test_size` parameters into the `AutoMLConfig`, automatically triggers a remote test run that uses the provided test data to evaluate the best model that automated ML recommends upon completion of the experiment. This remote test run is done at the end of the experiment, once the best model is determined. See how to [pass test data into your `AutoMLConfig`](../how-to-configure-cross-validation-data-splits.md#provide-test-data-preview).

-+ [Troubleshoot automated ML experiments](../how-to-troubleshoot-auto-ml.md).

-| [Azure Databricks](../how-to-configure-databricks-automl-environment.md) | Ideal for running large-scale intensive machine learning workflows on the scalable Apache Spark platform. | Overkill for experimental machine learning, or smaller-scale experiments and workflows. Additional cost incurred for Azure Databricks. See [pricing details](https://azure.microsoft.com/pricing/details/databricks/). |

-> * [CLI v2 (current version)](../how-to-configure-private-link.md)

-In this document, you learn how to configure a private endpoint for your Azure Machine Learning workspace. For information on creating a virtual network for Azure Machine Learning, see [Virtual network isolation and privacy overview](how-to-network-security-overview.md).

-> * [Virtual network isolation and privacy overview](how-to-network-security-overview.md).

-* For more information on securing your Azure Machine Learning workspace, see the [Virtual network isolation and privacy overview](how-to-network-security-overview.md) article.

-> * [v2 (current version)](../how-to-create-attach-compute-cluster.md)

-> * [v2 (current version)](../how-to-attach-kubernetes-anywhere.md)

-> * [v2 (current version)](../how-to-create-manage-compute-instance.md)

-[Azure RBAC](../../role-based-access-control/overview.md) allows you to control which users in the workspace can create, delete, start, stop, restart a compute instance. All users in the workspace contributor and owner role can create, delete, start, stop, and restart compute instances across the workspace. However, only the creator of a specific compute instance, or the user assigned if it was created on their behalf, is allowed to access Jupyter, JupyterLab, RStudio, and Posit Workbench (formerly RStudio Workbench) on that compute instance. A compute instance is dedicated to a single user who has root access. That user has access to Jupyter/JupyterLab/RStudio/Posit Workbench running on the instance. Compute instance will have single-user sign in and all actions will use that userΓÇÖs identity for Azure RBAC and attribution of experiment runs. SSH access is controlled through public/private key mechanism.

-> * [v2 (current version)](../how-to-create-data-assets.md)

-> * [v2 (current version)](../how-to-deploy-mlflow-models-online-endpoints.md)

-description: Learn how to export or delete your workspace with the Azure Machine Learning studio, CLI, SDK, and authenticated REST APIs.

-# Export or delete your Machine Learning service workspace data (v1)

-In Azure Machine Learning, you can export or delete your workspace data using either the portal's graphical interface or the Python SDK. This article describes both options.

-## Control your workspace data

-In-product data stored by Azure Machine Learning is available for export and deletion. You can export and delete using Azure Machine Learning studio, CLI, and SDK. Telemetry data can be accessed through the Azure Privacy portal.

-In Azure Machine Learning, personal data consists of user information in job history documents.

-## Delete high-level resources using the portal

-When you create a workspace, Azure creates several resources within the resource group:

-These resources can be deleted by selecting them from the list and choosing **Delete**

-Job history documents, which may contain personal user information, are stored in the storage account in blob storage, in subfolders of `/azureml`. You can download and delete the data from the portal.

-## Export and delete machine learning resources using Azure Machine Learning studio

-Azure Machine Learning studio provides a unified view of your machine learning resources, such as notebooks, datasets, models, and experiments. Azure Machine Learning studio emphasizes preserving a record of your data and experiments. Computational resources such as pipelines and compute resources can be deleted using the browser. For these resources, navigate to the resource in question and choose **Delete**.

-Datasets can be unregistered and Experiments can be archived, but these operations don't delete the data. To entirely remove the data, datasets and experiment data must be deleted at the storage level. Deleting at the storage level is done using the portal, as described previously. An individual Job can be deleted directly in studio. Deleting a Job deletes the Job's data.

-> [!NOTE]

-> Prior to unregistering a Dataset, use its **Data source** link to find the specific Data URL to delete.

-You can download training artifacts from experimental jobs using the Studio. Choose the **Experiment** and **Job** in which you're interested. Choose **Output + logs** and navigate to the specific artifacts you wish to download. Choose **...** and **Download**.

-You can download a registered model by navigating to the **Model** and choosing **Download**.

-## Export and delete resources using the Python SDK

-You can download the outputs of a particular job using:

-```python

-# Retrieved from Azure Machine Learning web UI

-run_id = 'aaaaaaaa-bbbb-cccc-dddd-0123456789AB'

-experiment = ws.experiments['my-experiment']

-run = next(run for run in ex.get_runs() if run.id == run_id)

-metrics_output_port = run.get_pipeline_output('metrics_output')

-model_output_port = run.get_pipeline_output('model_output')

-metrics_output_port.download('.', show_progress=True)

-model_output_port.download('.', show_progress=True)

-```

-The following machine learning resources can be deleted using the Python SDK:

-| Type | Function Call | Notes |

-| | | |

-| `Workspace` | [`delete`](/python/api/azureml-core/azureml.core.workspace.workspace#delete-delete-dependent-resources-false--no-wait-false-) | Use `delete-dependent-resources` to cascade the delete |

-| `Model` | [`delete`](/python/api/azureml-core/azureml.core.model%28class%29#delete--) | |

-| `ComputeTarget` | [`delete`](/python/api/azureml-core/azureml.core.computetarget#delete--) | |

-| `WebService` | [`delete`](/python/api/azureml-core/azureml.core.webservice%28class%29) | |

-> * [v2 (current version)](../how-to-inference-onnx-automl-image-models.md)

-* [Troubleshoot AutoML experiments](../how-to-troubleshoot-auto-ml.md)

-> * [v2](../how-to-log-view-metrics.md)

-> To get all metrics logged for a particular metric name, you can use [`MlFlowClient.get_metric_history()`](https://www.mlflow.org/docs/latest/python_api/mlflow.tracking.html#mlflow.tracking.MlflowClient.get_metric_history).

-> * [v2 (current version)](../how-to-manage-workspace-cli.md)

-> * [v2 (current version)](../how-to-manage-workspace.md)

-### Networking

-> [!IMPORTANT]

-> For more information on using a private endpoint and virtual network with your workspace, see [Network isolation and privacy](how-to-network-security-overview.md).

-> [!IMPORTANT]

-> Selecting high business impact can only be done when creating a workspace. You cannot change this setting after workspace creation.

-> [!IMPORTANT]

-> Before following these steps, you must first perform the following actions:

-description: Secure Azure Machine Learning workspace resources and compute environments using an isolated Azure Virtual Network. SDK/CLI v1.

-<!-- # Virtual network isolation and privacy overview -->

-# Secure Azure Machine Learning workspace resources using virtual networks (SDK/CLI v1)

-> [!div class="op_single_selector" title1="Select the Azure Machine Learning SDK or CLI version you are using:"]

-> * [SDK v1](how-to-network-security-overview.md)

-> * [SDK v2 (current version)](../how-to-network-security-overview.md)

-Secure Azure Machine Learning workspace resources and compute environments using virtual networks (VNets). This article uses an example scenario to show you how to configure a complete virtual network.

-> [!TIP]

-> This article is part of a series on securing an Azure Machine Learning workflow. See the other articles in this series:

->

-> * [Secure the workspace resources](../how-to-secure-workspace-vnet.md)

-> * [Secure the training environment (v1)](how-to-secure-training-vnet.md)

-> * [Secure inference environment (v1)](how-to-secure-inferencing-vnet.md)

-> * [Enable studio functionality](../how-to-enable-studio-virtual-network.md)

-> * [Use custom DNS](../how-to-custom-dns.md)

-> * [Use a firewall](../how-to-access-azureml-behind-firewall.md)

-> * [API platform network isolation](../how-to-configure-network-isolation-with-v2.md)

->

-> For a tutorial on creating a secure workspace, see [Tutorial: Create a secure workspace](../tutorial-create-secure-workspace.md) or [Tutorial: Create a secure workspace using a template](../tutorial-create-secure-workspace-template.md).

-## Prerequisites

-This article assumes that you have familiarity with the following topics:

-+ [Azure Virtual Networks](../../virtual-network/virtual-networks-overview.md)

-+ [IP networking](../../virtual-network/ip-services/public-ip-addresses.md)

-+ [Azure Machine Learning workspace with private endpoint](how-to-configure-private-link.md)

-+ [Network Security Groups (NSG)](../../virtual-network/network-security-groups-overview.md)

-+ [Network firewalls](../../firewall/overview.md)

-## Example scenario

-In this section, you learn how a common network scenario is set up to secure Azure Machine Learning communication with private IP addresses.

-The following table compares how services access different parts of an Azure Machine Learning network with and without a VNet:

-| Scenario | Workspace | Associated resources | Training compute environment | Inferencing compute environment |

-|-|-|-|-|-|-|

-|**No virtual network**| Public IP | Public IP | Public IP | Public IP |

-|**Public workspace, all other resources in a virtual network** | Public IP | Public IP (service endpoint) <br> **- or -** <br> Private IP (private endpoint) | Public IP | Private IP |

-|**Secure resources in a virtual network**| Private IP (private endpoint) | Public IP (service endpoint) <br> **- or -** <br> Private IP (private endpoint) | Private IP | Private IP |

-* **Workspace** - Create a private endpoint for your workspace. The private endpoint connects the workspace to the vnet through several private IP addresses.

- * **Public access** - You can optionally enable public access for a secured workspace.

-* **Associated resource** - Use service endpoints or private endpoints to connect to workspace resources like Azure storage, Azure Key Vault. For Azure Container Services, use a private endpoint.

- * **Service endpoints** provide the identity of your virtual network to the Azure service. Once you enable service endpoints in your virtual network, you can add a virtual network rule to secure the Azure service resources to your virtual network. Service endpoints use public IP addresses.

- * **Private endpoints** are network interfaces that securely connect you to a service powered by Azure Private Link. Private endpoint uses a private IP address from your VNet, effectively bringing the service into your VNet.

-* **Training compute access** - Access training compute targets like Azure Machine Learning Compute Instance and Azure Machine Learning Compute Clusters with public or private IP addresses.

-* **Inference compute access** - Access Azure Kubernetes Services (AKS) compute clusters with private IP addresses.

-The next sections show you how to secure the network scenario described above. To secure your network, you must:

-1. Secure the [**workspace and associated resources**](#secure-the-workspace-and-associated-resources).

-1. Secure the [**training environment** (v1)](#secure-the-training-environment).

-1. Secure the [**inferencing environment** (v1)](#secure-the-inferencing-environment-v1).

-1. Optionally: [**enable studio functionality**](#optional-enable-studio-functionality).

-1. Configure [**firewall settings**](#configure-firewall-settings).

-1. Configure [**DNS name resolution**](#custom-dns).

-## Public workspace and secured resources

-If you want to access the workspace over the public internet while keeping all the associated resources secured in a virtual network, use the following steps:

-1. Create an [Azure Virtual Network](../../virtual-network/virtual-networks-overview.md) that will contain the resources used by the workspace.

-1. Use __one__ of the following options to create a publicly accessible workspace:

- * Create an Azure Machine Learning workspace that __does not__ use the virtual network. For more information, see [Manage Azure Machine Learning workspaces](../how-to-manage-workspace.md).

- * Create a [Private Link-enabled workspace](../how-to-secure-workspace-vnet.md#secure-the-workspace-with-private-endpoint) to enable communication between your VNet and workspace. Then [enable public access to the workspace](#optional-enable-public-access).

-1. Add the following services to the virtual network by using _either_ a __service endpoint__ or a __private endpoint__. Also allow trusted Microsoft services to access these

- | Service | Endpoint information | Allow trusted information |

- | -- | -- | -- |

- | __Azure Key Vault__| [Service endpoint](../../key-vault/general/overview-vnet-service-endpoints.md)</br>[Private endpoint](../../key-vault/general/private-link-service.md) | [Allow trusted Microsoft services to bypass this firewall](../how-to-secure-workspace-vnet.md#secure-azure-key-vault) |

- | __Azure Storage Account__ | [Service and private endpoint](../how-to-secure-workspace-vnet.md?tabs=se#secure-azure-storage-accounts)</br>[Private endpoint](../how-to-secure-workspace-vnet.md?tabs=pe#secure-azure-storage-accounts) | [Grant access to trusted Azure services](../../storage/common/storage-network-security.md#grant-access-to-trusted-azure-services) |

- | __Azure Container Registry__ | [Private endpoint](../../container-registry/container-registry-private-link.md) | [Allow trusted services](../../container-registry/allow-access-trusted-services.md) |

-1. In properties for the Azure Storage Account(s) for your workspace, add your client IP address to the allowed list in firewall settings. For more information, see [Configure firewalls and virtual networks](../../storage/common/storage-network-security.md#configuring-access-from-on-premises-networks).

-## Secure the workspace and associated resources

-Use the following steps to secure your workspace and associated resources. These steps allow your services to communicate in the virtual network.

-1. Create an [Azure Virtual Networks](../../virtual-network/virtual-networks-overview.md) that will contain the workspace and other resources. Then create a [Private Link-enabled workspace](../how-to-secure-workspace-vnet.md#secure-the-workspace-with-private-endpoint) to enable communication between your VNet and workspace.

-1. Add the following services to the virtual network by using _either_ a __service endpoint__ or a __private endpoint__. Also allow trusted Microsoft services to access these

- | Service | Endpoint information | Allow trusted information |

- | -- | -- | -- |

- | __Azure Key Vault__| [Service endpoint](../../key-vault/general/overview-vnet-service-endpoints.md)</br>[Private endpoint](../../key-vault/general/private-link-service.md) | [Allow trusted Microsoft services to bypass this firewall](../how-to-secure-workspace-vnet.md#secure-azure-key-vault) |

- | __Azure Storage Account__ | [Service and private endpoint](../how-to-secure-workspace-vnet.md?tabs=se#secure-azure-storage-accounts)</br>[Private endpoint](../how-to-secure-workspace-vnet.md?tabs=pe#secure-azure-storage-accounts) | [Grant access from Azure resource instances](../../storage/common/storage-network-security.md#grant-access-from-azure-resource-instances)</br>**or**</br>[Grant access to trusted Azure services](../../storage/common/storage-network-security.md#grant-access-to-trusted-azure-services) |

- | __Azure Container Registry__ | [Private endpoint](../../container-registry/container-registry-private-link.md) | [Allow trusted services](../../container-registry/allow-access-trusted-services.md) |

-For detailed instructions on how to complete these steps, see [Secure an Azure Machine Learning workspace](../how-to-secure-workspace-vnet.md).

-### Limitations

-Securing your workspace and associated resources within a virtual network have the following limitations:

-## Secure the training environment

-In this section, you learn how to secure the training environment in Azure Machine Learning. You also learn how Azure Machine Learning completes a training job to understand how the network configurations work together.

-To secure the training environment, use the following steps:

-1. Create an Azure Machine Learning [compute instance and computer cluster in the virtual network](how-to-secure-training-vnet.md) to run the training job.

-1. If your compute cluster or compute instance uses a public IP address, you must [Allow inbound communication](how-to-secure-training-vnet.md#required-public-internet-access-to-train-models) so that management services can submit jobs to your compute resources.

- > [!TIP]

- > Compute cluster and compute instance can be created with or without a public IP address. If created with a public IP address, you get a load balancer with a public IP to accept the inbound access from Azure batch service and Azure Machine Learning service. You need to configure User Defined Routing (UDR) if you use a firewall. If created without a public IP, you get a private link service to accept the inbound access from Azure batch service and Azure Machine Learning service without a public IP.

-For detailed instructions on how to complete these steps, see [Secure a training environment](how-to-secure-training-vnet.md).

-### Example training job submission

-In this section, you learn how Azure Machine Learning securely communicates between services to submit a training job. This shows you how all your configurations work together to secure communication.

-1. The client uploads training scripts and training data to storage accounts that are secured with a service or private endpoint.

-1. The client submits a training job to the Azure Machine Learning workspace through the private endpoint.

-1. Azure Batch service receives the job from the workspace. It then submits the training job to the compute environment through the public load balancer for the compute resource.

-1. The compute resource receives the job and begins training. The compute resource uses information stored in key vault to access storage accounts to download training files and upload output.

-### Limitations

-## Secure the inferencing environment (v1)

-In this section, you learn the options available for securing an inferencing environment when using the Azure CLI extension for ML v1 or the Azure Machine Learning Python SDK v1. When doing a v1 deployment, we recommend that you use Azure Kubernetes Services (AKS) clusters for high-scale, production deployments.

-You have two options for AKS clusters in a virtual network:

-**Default AKS clusters** have a control plane with public IP addresses. You can add a default AKS cluster to your VNet during the deployment or attach a cluster after it's created.

-**Private AKS clusters** have a control plane, which can only be accessed through private IPs. Private AKS clusters must be attached after the cluster is created.

-For detailed instructions on how to add default and private clusters, see [Secure an inferencing environment](how-to-secure-inferencing-vnet.md).

-Regardless default AKS cluster or private AKS cluster used, if your AKS cluster is behind of VNET, your workspace and its associate resources (storage, key vault, and ACR) must have private endpoints or service endpoints in the same VNET as the AKS cluster.

-The following network diagram shows a secured Azure Machine Learning workspace with a private AKS cluster attached to the virtual network.

-## Optional: Enable public access

-You can secure the workspace behind a VNet using a private endpoint and still allow access over the public internet. The initial configuration is the same as [securing the workspace and associated resources](#secure-the-workspace-and-associated-resources).

-After securing the workspace with a private endpoint, use the following steps to enable clients to develop remotely using either the SDK or Azure Machine Learning studio:

-1. [Enable public access](how-to-configure-private-link.md#enable-public-access) to the workspace.

-1. [Configure the Azure Storage firewall](../../storage/common/storage-network-security.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json#grant-access-from-an-internet-ip-range) to allow communication with the IP address of clients that connect over the public internet.

-## Optional: Enable studio functionality

-If your storage is in a VNet, you must use extra configuration steps to enable full functionality in studio. By default, the following features are disabled:

-* Preview data in the studio.

-* Visualize data in the designer.

-* Deploy a model in the designer.

-* Submit an AutoML experiment.

-* Start a labeling project.

-To enable full studio functionality, see [Use Azure Machine Learning studio in a virtual network](../how-to-enable-studio-virtual-network.md).

-### Limitations

-[ML-assisted data labeling](../how-to-create-image-labeling-projects.md#use-ml-assisted-data-labeling) doesn't support a default storage account behind a virtual network. Instead, use a storage account other than the default for ML assisted data labeling.

-> [!TIP]

-> As long as it is not the default storage account, the account used by data labeling can be secured behind the virtual network.

-## Configure firewall settings

-Configure your firewall to control traffic between your Azure Machine Learning workspace resources and the public internet. While we recommend Azure Firewall, you can use other firewall products.

-For more information on firewall settings, see [Use workspace behind a Firewall](../how-to-access-azureml-behind-firewall.md).

-## Custom DNS

-If you need to use a custom DNS solution for your virtual network, you must add host records for your workspace.

-For more information on the required domain names and IP addresses, see [how to use a workspace with a custom DNS server](../how-to-custom-dns.md).

-## Microsoft Sentinel

-Microsoft Sentinel is a security solution that can integrate with Azure Machine Learning. For example, using Jupyter notebooks provided through Azure Machine Learning. For more information, see [Use Jupyter notebooks to hunt for security threats](../../sentinel/notebooks.md).

-### Public access

-Microsoft Sentinel can automatically create a workspace for you if you are OK with a public endpoint. In this configuration, the security operations center (SOC) analysts and system administrators connect to notebooks in your workspace through Sentinel.

-For information on this process, see [Create an Azure Machine Learning workspace from Microsoft Sentinel](../../sentinel/notebooks-hunt.md?tabs=public-endpoint#create-an-azure-ml-workspace-from-microsoft-sentinel)

-### Private endpoint

-If you want to secure your workspace and associated resources in a VNet, you must create the Azure Machine Learning workspace first. You must also create a virtual machine 'jump box' in the same VNet as your workspace, and enable Azure Bastion connectivity to it. Similar to the public configuration, SOC analysts and administrators can connect using Microsoft Sentinel, but some operations must be performed using Azure Bastion to connect to the VM.

-For more information on this configuration, see [Create an Azure Machine Learning workspace from Microsoft Sentinel](../../sentinel/notebooks-hunt.md?tabs=private-endpoint#create-an-azure-ml-workspace-from-microsoft-sentinel)

-## Next steps

-This article is part of a series on securing an Azure Machine Learning workflow. See the other articles in this series:

-* [Secure the workspace resources](../how-to-secure-workspace-vnet.md)

-* [Secure the training environment (v1)](how-to-secure-training-vnet.md)

-* [Secure inference environment (v1)](how-to-secure-inferencing-vnet.md)

-* [Enable studio functionality](../how-to-enable-studio-virtual-network.md)

-* [Use custom DNS](../how-to-custom-dns.md)

-* [Use a firewall](../how-to-access-azureml-behind-firewall.md)

-* [API platform network isolation](../how-to-configure-network-isolation-with-v2.md)

-> * [v2 (current version)](../how-to-prepare-datasets-for-automl-images.md)

-> * [SDK/CLI v2 (current version)](../how-to-secure-inferencing-vnet.md)

-> * [SDK v2 (current version)](../how-to-secure-training-vnet.md)

-+ Read the [Network security overview](how-to-network-security-overview.md) article to understand common virtual network scenarios and overall virtual network architecture.

-* [Virtual network overview (v1)](how-to-network-security-overview.md)

-> * [v2 (current version)](../how-to-secure-workspace-vnet.md)

-> * [Virtual network overview](how-to-network-security-overview.md)

-+ Read the [Network security overview](how-to-network-security-overview.md) article to understand common virtual network scenarios and overall virtual network architecture.

-When ACR is behind a virtual network, Azure Machine Learning canΓÇÖt use it to directly build Docker images. Instead, the compute cluster is used to build the images.

-* [Virtual network overview](how-to-network-security-overview.md)

- Permanent deletion of individual experiments or jobs is not currently supported. For more information on deleting Workspace assets, see [Export or delete your Machine Learning service workspace data](how-to-export-delete-data.md).

-

-> * [v2 (current version)](../how-to-setup-authentication.md)

-* [How to use secrets in training](../how-to-use-secrets-in-runs.md).

- 

- 

- 

-> * [v2 (current version)](../how-to-train-keras.md)

-> * [v2 (current version)](../how-to-train-pytorch.md)

-> * [v2 (current version)](../how-to-train-scikit-learn.md)

-> * [v2 (current version)](../how-to-train-tensorflow.md)

-> * [v2 (current version)](../how-to-read-write-data-v2.md)

-> * [v2 (current version)](../how-to-tune-hyperparameters.md)

-

-> * [v2 (current version)](../how-to-use-automl-small-object-detect.md)

- 'model_name': choice('fasterrcnn_resnet50_fpn'),

- 'tile_grid_size': choice('(3, 2)'),

- ...

- 'model_name': choice('fasterrcnn_resnet50_fpn'),

- 'tile_grid_size': choice('(2, 1)', '(3, 2)', '(5, 3)'),

- ...

-| Parameter Name | Description | Default |

-> Copyright © 2020 Roboflow, Inc.

-> * [v2 (current version)](../how-to-manage-environments-v2.md)

-* After you have a trained model, learn [how and where to deploy models](../how-to-deploy-online-endpoints.md).

-> * [v2 (current version)](../how-to-identity-based-service-authentication.md)

-For information on configuring managed identity when creating a compute cluster in studio, see [Set up managed identity](../how-to-create-attach-compute-cluster.md#set-up-managed-identity).

-Finally, when submitting a training run, specify the base image location in the [environment definition](../how-to-use-environments.md#use-existing-environments).

-* Learn about [identity-based data access](../how-to-identity-based-data-access.md)

-> * [v2 (current version)](../how-to-use-mlflow-cli-runs.md)

-For details about how to log metrics, parameters and artifacts in a run using MLflow view [How to log and view metrics](../how-to-log-view-metrics.md).

-If you want to deploy and register your production ready model in one step, see [Deploy and register MLflow models](../how-to-deploy-mlflow-models.md).

-> * [v2 (current version)](../how-to-use-secrets-in-runs.md)

-description: Learn how to use Azure Machine Learning workspace diagnostics with the Python SDK v1.

-# How to use workspace diagnostics (SDK v1)

-> [!div class="op_single_selector" title1="Select the version of the Azure Machine Learning Python SDK you are using:"]

-> * [v1](how-to-workspace-diagnostic-api.md)

-> * [v2 (current version)](../how-to-workspace-diagnostic-api.md)

-Azure Machine Learning provides a diagnostic API that can be used to identify problems with your workspace. Errors returned in the diagnostics report include information on how to resolve the problem.

-In this article, learn how to use the workspace diagnostics from the Azure Machine Learning Python SDK v1.

-## Prerequisites

-* An Azure Machine Learning workspace. If you don't have one, see [Create a workspace](../quickstart-create-resources.md).

-* The [Azure Machine Learning SDK for Python](/python/api/overview/azure/ml).

-## Diagnostics from Python

-The following snippet demonstrates how to use workspace diagnostics from Python

-```python

-from azureml.core import Workspace

-ws = Workspace.from_config()

-diag_param = {

- "value": {

- }

- }

-resp = ws.diagnose_workspace(diag_param)

-print(resp)

-```

-The response is a JSON document that contains information on any problems detected with the workspace. The following JSON is an example response:

-```json

-{

- "value": {

- "user_defined_route_results": [],

- "network_security_rule_results": [],

- "resource_lock_results": [],

- "dns_resolution_results": [{

- "code": "CustomDnsInUse",

- "level": "Warning",

- "message": "It is detected VNet '/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/virtualNetworks/<virtual-network-name>' of private endpoint '/subscriptions/<subscription-id>/resourceGroups/larrygroup0916/providers/Microsoft.Network/privateEndpoints/<workspace-private-endpoint>' is not using Azure default DNS. You need to configure your DNS server and check https://learn.microsoft.com/azure/machine-learning/how-to-custom-dns to make sure the custom DNS is set up correctly."

- }],

- "storage_account_results": [],

- "key_vault_results": [],

- "container_registry_results": [],

- "application_insights_results": [],

- "other_results": []

- }

-}

-```

-If no problems are detected, an empty JSON document is returned.

-For more information, see the [Workspace.diagnose_workspace()](/python/api/azureml-core/azureml.core.workspace(class)#diagnose-workspace-diagnose-parameters-) reference.

-## Next steps

-* [Workspace.diagnose_workspace()](/python/api/azureml-core/azureml.core.workspace(class)#diagnose-workspace-diagnose-parameters-)

-* [How to manage workspaces in portal or SDK](../how-to-manage-workspace.md)

-> * [v2 (current version)](../index.yml)

-* `ml` - [Install and set up the CLI (v2)](../how-to-configure-cli.md)

-> * [v2 (current version)](../reference-automl-images-hyperparameters.md)

-

-> * [v2 (current version)](../reference-automl-images-schema.md)

-

-> The images used in this article are from the Fridge Objects dataset, copyright © Microsoft Corporation and available at [computervision-recipes/01_training_introduction.ipynb](https://github.com/microsoft/computervision-recipes/blob/master/scenarios/detection/01_training_introduction.ipynb) under the [MIT License](https://github.com/microsoft/computervision-recipes/blob/master/LICENSE).

-> * [v2 (current version)](../how-to-configure-cli.md)

-> * [v2 (current version)](../reference-yaml-job-pipeline.md)

-> * [v2](../samples-notebooks.md)

-> * [v2](../tutorial-1st-experiment-bring-data.md)

-> * [v2](../tutorial-1st-experiment-hello-world.md)

-> * [v2](../tutorial-1st-experiment-sdk-train.md)

-> * [v2 (current version)](../tutorial-auto-train-image-models.md)

-

-* If you donΓÇÖt have an Azure subscription, create a free account before you begin. Try the [free or paid version](https://azure.microsoft.com/free/) of Azure Machine Learning today.

- "records":

- [

-

- {

- "time": "2017-02-16T22:00:32.8950000Z",

- "systemId": "2c002c16-72f3-4dc5-b391-3444c3527434",

- "category": "NetworkSecurityGroupFlowEvent",

- "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG",

- "operationName": "NetworkSecurityGroupFlowEvents",

- "properties": {"Version":1,"flows":[{"rule":"DefaultRule_DenyAllInBound","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282421,42.119.146.95,10.1.0.4,51529,5358,T,I,D"]}]},{"rule":"UserRule_default-allow-rdp","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282370,163.28.66.17,10.1.0.4,61771,3389,T,I,A","1487282393,5.39.218.34,10.1.0.4,58596,3389,T,I,A","1487282393,91.224.160.154,10.1.0.4,61540,3389,T,I,A","1487282423,13.76.89.229,10.1.0.4,53163,3389,T,I,A"]}]}]}

- }

- ,

- {

- "time": "2017-02-16T22:01:32.8960000Z",

- "systemId": "2c002c16-72f3-4dc5-b391-3444c3527434",

- "category": "NetworkSecurityGroupFlowEvent",

- "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG",

- "operationName": "NetworkSecurityGroupFlowEvents",

- "properties": {"Version":1,"flows":[{"rule":"DefaultRule_DenyAllInBound","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282481,195.78.210.194,10.1.0.4,53,1732,U,I,D"]}]},{"rule":"UserRule_default-allow-rdp","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282435,61.129.251.68,10.1.0.4,57776,3389,T,I,A","1487282454,84.25.174.170,10.1.0.4,59085,3389,T,I,A","1487282477,77.68.9.50,10.1.0.4,65078,3389,T,I,A"]}]}]}

- }

- ,

- "time": "2017-02-16T22:02:32.9040000Z",

- "systemId": "2c002c16-72f3-4dc5-b391-3444c3527434",

- "category": "NetworkSecurityGroupFlowEvent",

- "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG",

- "operationName": "NetworkSecurityGroupFlowEvents",

- "properties": {"Version":1,"flows":[{"rule":"DefaultRule_DenyAllInBound","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282492,175.182.69.29,10.1.0.4,28918,5358,T,I,D","1487282505,71.6.216.55,10.1.0.4,8080,8080,T,I,D"]}]},{"rule":"UserRule_default-allow-rdp","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282512,91.224.160.154,10.1.0.4,59046,3389,T,I,A"]}]}]}

-Before you link the subscription to New Relic, complete the pre-deployment configuration. For more information, see [Configure pre-deployment for Azure Native New Relic Service](new-relic-how-to-configure-prereqs.md).

- | **Resource group** |Specify whether you want to create a new resource group or use an existing one. A [resource group](../../azure-resource-manager/management/overview.md) is a container that holds related resources for an Azure solution.|

- | **Resource name** |Specify a name for the New Relic resource. This name will be the friendly name of the New Relic account.|

- | **Region** |Select the region where the New Relic resource on Azure and the New Relic account will be created.|

-1. When you're choosing the organization under which to create the New Relic account, you have two options: create a new organization, or select an existing organization to link the newly created account.

- > [!IMPORTANT]

- > You can't use **Associate with existing** functionality, presently. The ability to create a new New Relic resource and associate it with an existing organization is currently disabled.

- If you opt to create a new organization, you can choose a plan from the list of available plans by selecting **Change Plan** on the working pane.

-

-1. To set up monitoring of platform metrics for Azure resources by New Relic, select **Enable metrics collection**. If you leave this option cleared, metrics are not be pulled by New Relic.

- These logs provide insight into the operations on your resources at the [control plane](../../azure-resource-manager/management/control-plane-and-data-plane.md). These logs also include updates on service-health events.

-1. To send Azure resource logs to New Relic, select **Azure resource logs** for all supported resource types. The types of Azure resource logs are listed in [Azure Monitor Resource Log categories](../../azure-monitor/essentials/resource-logs-categories.md).

- These logs provide insight into operations that were taken on an Azure resource at the [data plane](../../azure-resource-manager/management/control-plane-and-data-plane.md). For example, getting a secret from a key vault is a data plane operation. Making a request to a database is also a data plane operation. The content of resource logs varies by the Azure service and resource type.

-To set up New Relic on Azure, you must have owner access on the Azure subscription. [Confirm that you have the appropriate access](../../role-based-access-control/check-access.md) before you start the setup.

- | **Subscription** | Select the Azure subscription that you want to use for creating the New Relic resource. This subscription will be linked to the New Relic account for monitoring purposes.|

-1. After you select a New Relic account, the New Relic billing details appear for your reference. The user who is performing the linking action should have global administrator permissions on the New Relic account that's being linked.

-Azure Native New Relic Service in Azure Marketplace enables you to create and manage New Relic accounts by using the Azure portal with a fully integrated experience. Integration with Azure enables you to use New Relic as a monitoring solution for your Azure workloads through a streamlined workflow, starting from procurement and moving all the way to configuration and management.

-<!-- need some clarification here -->

-Search for all Postgres logs for a particular server in the last day

-Search for all non-localhost connection attempts

-The query above will show results over the last 6 hours for any Postgres server logging in this workspace.

-If you have made an error in the Azure Stack Edge configuration, you can use the portal to remove the AKS cluster. You can then modify the settings via the local UI, or perform a full reset using the **Device Reset** blade in the local UI and then restart this procedure.

-# Troubleshoot Microsoft Purview SHIR self-hosted integration runtime

-APPLIES TO: :::image type="icon" source="media/yes.png" border="false":::Microsoft Purview :::image type="icon" source="media/yes.png" border="false":::Azure Data Factory :::image type="icon" source="media/yes.png" border="false":::Azure Synapse Analytics

-This article explores common troubleshooting methods for self-hosted integration runtime (SHIR) in Microsoft Purview, Azure Data Factory and Synapse workspaces.

-For failed activities that are running on a self-hosted IR or a shared IR, the service supports viewing and uploading error logs from the [Windows Event Viewer](https://learn.microsoft.com/shows/inside/event-viewer).

-To get support and troubleshooting guidance for SHIR issues, you may need to generate an error report and send it across to Microsoft. To generate the error report ID, follow the instructions here, and then enter the report ID to search for related known issues.

-1. Before starting the scan on the Microsoft Purview governance portal:

-

- :::image type="content" source="media/scanning-shir-troubleshooting/shir-event-viewer-logs-ir.png" lightbox="media/scanning-shir-troubleshooting/shir-event-viewer-logs-ir.png" alt-text="Screenshot of the logs for the failed scan SHIR activity.":::

-

-

-1. Select which logs you want to send.

- * For a *self-hosted IR*, you can upload logs that are related to the failed activity or all logs on the self-hosted IR node.

-> Log viewing and uploading requests are executed on all online self-hosted IR instances. If any logs are missing, make sure that all the self-hosted IR instances are online.

-## Manage your Purview SHIR - next steps

-* [Getting started with Microsoft Purview](https://azure.microsoft.com/products/purview/)

-* [Create and Manage SHIR Self-hosted integration runtimes in Purview](manage-integration-runtimes.md)

-* [Stack overflow forum for Microsoft Purview](https://stackoverflow.com/questions/tagged/azure-purview)

-* [Twitter information about Microsoft Purview](https://twitter.com/hashtag/Purview)

-* [Microsoft Purview Troubleshooting](frequently-asked-questions.yml)

-You can stream events from Linux-based, Syslog-supporting devices into Microsoft Sentinel using the Log Analytics agent for Linux, formerly named the OMS agent. Depending on the device type, the agent is installed either directly on the device, or on a dedicated Linux-based log forwarder. The Log Analytics agent receives events from the Syslog daemon over UDP. If a Linux machine is expected to collect a high volume of Syslog events, it sends events over TCP from the Syslog daemon to the agent, and from there to Log Analytics. Learn how to [connect Syslog-based appliances to Microsoft Sentinel](connect-syslog.md).

-[Azure Service Health](https://azure.microsoft.com/get-started/azure-portal/service-health/) helps customers view any health events that affect their subscriptions and tenants. In the Azure portal, the **Service Issues** pane in **Service Health** shows any ongoing problems in Azure services that are affecting your resources. You can understand when each problem began, and what services and regions are affected.

-In support of the experience of viewing affected resources, Service Health has enabled a new feature to:

-This article details what Service Health communicates and where you can view information about your affected resources.

->This feature will be rolled out in phases. Initially, only selected subscription-level customers will get the experience. The rollout will gradually expand to 100 percent of subscription customers. It will go live for tenant-level customers in the future.

-## View affected resources

-In the Azure portal, the **Impacted Resources** tab under **Service Health** > **Service Issues** displays resources that are or might be affected by an outage. The following example of the **Impacted Resources** tab shows an incident with confirmed and potentially affected resources.

-Service Health provides the following information:

-|**Resource Health**|Health status of the resource: <br><br>**Available**: Your resource is healthy, but a service event might have affected it at a previous point in time. <br><br>**Degraded** or **Unavailable**: A customer-initiated action or a platform-initiated action might have caused this status. It means your resource was affected but might now be healthy, pending a status update. <br><br>:::image type="content" source="./media/impacted-resource-outage/rh-cropped.PNG" alt-text="Screenshot of health statuses for a resource.":::|

-|**Impact Type**|Indication of whether the resource is or might be affected: <br><br>**Confirmed**: The resource is confirmed to be affected by an outage. Check the **Summary** section for any action items that you can take to remediate the problem. <br><br>**Potential**: The resource is not confirmed to be affected, but it could potentially be affected because it's under a service or region that an outage is affecting. Check the **Resource Health** column to make sure that everything is working as planned.|

-|**Resource Type**|Type of affected resource (for example, virtual machine).|

-|**Resource Group**|Resource group that contains the affected resource.|

-|**Location**|Location that contains the affected resource.|

-|**Subscription ID**|Unique ID for the subscription that contains the affected resource.|

-|**Subscription Name**|Subscription name for the subscription that contains the affected resource.|

-|**Tenant ID**|Unique ID for the tenant that contains the affected resource.|

->Not all resources show a Resource Health status. The status appears only on resources for which a Resource Health signal is available. The status of resources for which a Resource Health signal is not available appears as **N/A**, and the corresponding **Resource Name** value is text instead of a clickable link.

-To export the list of affected resources to an Excel file, select the **Export to CSV** option.

-## Access affected resources programmatically via an API

-You can get information about outage-affected resources programmatically by using the Events API. For details on how to access this data, see the [API documentation](/rest/api/resourcehealth/2022-05-01/impacted-resources/list-by-subscription-id-and-event-id?tabs=HTTP).

-18.04 LTS |[9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5)| 5.4.0-137-generic <br> 5.4.0-1101-azure <br> 4.15.0-1161-azure <br> 4.15.0-204-generic <br> 5.4.0-1103-azure <br> 5.4.0-139-generic <br> 4.15.0-206-generic <br> 5.4.0-1104-azure <br> 5.4.0-144-generic |

-SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> No new SLES 12 Azure kernels supported in this release. |

-SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4) | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150400.14.31-azure:4 <br> 5.14.21-150400.14.34-azure:4 |

-EFI/UEFI<br></br>The migrated VM in Azure will be automatically converted to a BIOS boot VM. The VM should be running Windows Server 2012 and later only. The OS disk should have up to five partitions or fewer and the size of OS disk should be less than 300 GB.| Yes | Yes

-Disk >1 TB | Yes, up to 4,095 GB | Yes, up to 4,095 GB

-Operating system disk size | Up to 2,048 GB for generation 1 VMs.<br/><br/> Up to 300 GB for generation 2 VMs. | Prerequisites check fails if unsupported.

-Data disk VHD size | Up to 4,095 GB | Prerequisites check fails if unsupported.

-VM type | Generation 1<br/><br/> Generation 2--Windows | Generation 2 VMs with an OS disk type of basic (which includes one or two data volumes formatted as VHDX) and less than 300 GB of disk space are supported.<br></br>Linux Generation 2 VMs aren't supported. [Learn more](https://azure.microsoft.com/blog/2015/04/28/disaster-recovery-to-azure-enhanced-and-were-listening/).|

-Follow [this tutorial](vmware-azure-tutorial.md) to enable VMware to Azure replication.

-This article shows you how to configure VMware Spring Cloud Gateway with Azure Spring Apps Enterprise tier.

-[VMware Spring Cloud Gateway](https://docs.vmware.com/en/VMware-Spring-Cloud-Gateway-for-Kubernetes/https://docsupdatetracker.net/index.html) is a commercial VMware Tanzu component based on the open-source Spring Cloud Gateway project. Spring Cloud Gateway for Tanzu handles cross-cutting concerns for API development teams, such as single sign-on (SSO), access control, rate-limiting, resiliency, security, and more. You can accelerate API delivery using modern cloud native patterns, and any programming language you choose for API development.

-To integrate with [API portal for VMware Tanzu®](./how-to-use-enterprise-api-portal.md), VMware Spring Cloud Gateway automatically generates OpenAPI version 3 documentation after any route configuration additions or changes.

- > To use VMware Spring Cloud Gateway, you must enable it when you provision your Azure Spring Apps service instance. You cannot enable it after provisioning at this time.

-This section describes how to assign an endpoint to Spring Cloud Gateway and configure its properties.

-To view the running state and resources given to Spring Cloud Gateway and its operator, open your Azure Spring Apps instance in the Azure portal, select the **Spring Cloud Gateway** section, and then select **Overview**.

-To assign a public endpoint, select **Yes** next to **Assign endpoint**. You'll get a URL in a few minutes. Save the URL to use later.

-You can also use Azure CLI to assign the endpoint, as shown in the following command:

-VMware Spring Cloud Gateway metadata is used to automatically generate OpenAPI version 3 documentation so that the [API portal](./how-to-use-enterprise-api-portal.md) can gather information to show the route groups. The available metadata options are described in the following table.

-| title | A title describing the context of the APIs available on the Gateway instance. The default value is *Spring Cloud Gateway for K8S*. |

-| description | A detailed description of the APIs available on the Gateway instance. The default value is *Generated OpenAPI 3 document that describes the API routes configured for '\[Gateway instance name\]' Spring Cloud Gateway instance deployed under '\[namespace\]' namespace.*. |

-| documentation | The location of more documentation for the APIs available on the Gateway instance. |

-| version | The version of APIs available on this Gateway instance. The default value is *unspecified*. |

-| serverUrl | The base URL that API consumers will use to access APIs on the Gateway instance. |

-> `serverUrl` is mandatory if you want to integrate with [API portal](./how-to-use-enterprise-api-portal.md).

-Use the following command to configure VMware Spring Cloud Gateway metadata properties:

- --server-url "<endpoint-in-the-previous-step>" \

-You can also view or edit these properties in the Azure portal, as shown in the following screenshot.

-VMware Spring Cloud Gateway supports authentication and authorization using single sign-on (SSO) with an OpenID identity provider (IdP) which supports OpenID Connect Discovery protocol.

-| `issuerUri` | Yes | The URI that is asserted as its Issuer Identifier. For example, if the `issuer-uri` provided is `https://example.com`, then an OpenID Provider Configuration Request will be made to `https://example.com/.well-known/openid-configuration`. The result is expected to be an OpenID Provider Configuration Response. |

-| `clientId` | Yes | The OpenID Connect client ID provided by your IdP. |

-| `clientSecret` | Yes | The OpenID Connect client secret provided by your IdP. |

-To set up SSO with Azure AD, see [How to set up single sign-on with Azure Active Directory for Spring Cloud Gateway and API Portal](./how-to-set-up-sso-with-azure-ad.md).

-Use the following command to configure SSO properties for VMware Spring Cloud Gateway:

-You can also view or edit those properties in the Azure portal, as shown in the following screenshot:

-> Only authorization servers supporting OpenID Connect Discovery protocol are supported. Also, be sure to configure the external authorization server to allow redirects back to the gateway. Refer to your authorization server's documentation and add `https://<gateway-external-url>/login/oauth2/code/sso` to the list of allowed redirect URIs.

-VMware Spring Cloud Gateway service instances provide a default API endpoint to log out of the current SSO session. The path to this endpoint is `/scg-logout`. You can accomplish one of the following two outcomes depending on how you call the logout endpoint:

-If you send a GET request to the `/scg-logout` endpoint, then the endpoint will send a 302 redirect response to the IdP logout URL. To get the endpoint to return the user back to a path on the gateway service instance, add a redirect parameter to the GET `/scg-logout` request. For example, `${serverUrl}/scg-logout?redirect=/home`.

-The following steps describe an example of how to implement the function in your microservices.

-1. You need [a route config](https://github.com/Azure-Samples/animal-rescue/blob/0e343a27f44cc4a4bfbf699280476b0517854d7b/frontend/azure/api-route-config.json#L32) to route the logout request to your application.

-1. In that application, you can add whatever logout logic you need. At the end, you need to [send a get request](https://github.com/Azure-Samples/animal-rescue/blob/0e343a27f44cc4a4bfbf699280476b0517854d7b/frontend/src/App.js#L84) to the gateway's `/scg-logout` endpoint.

-> The value of the redirect parameter is a valid path on the gateway service instance. You can't redirect to an external URL.

-If you send the GET request to the `/scg-logout` endpoint using a `XMLHttpRequest` (XHR), then the 302 redirect could be swallowed and not handled in the response handler. In this case, the user would only be logged out of the SSO session on the gateway service instance and would still have a valid IdP session. The behavior typically seen in this case is that if the user attempts to log in again, they are automatically sent back to the gateway as authenticated from IdP.

-You need to have a route configuration to route the logout request to your application, as shown in the following example. This code will make a gateway-only logout SSO session.

-| maxAge | How long, in seconds, the response from a pre-flight request can be cached by clients. |

-> Be sure you have the correct CORS configuration if you want to integrate with the [API portal](./how-to-use-enterprise-api-portal.md). For an example, see the [Configure Spring Cloud Gateway](#configure-spring-cloud-gateway) section.

-Customization of resource allocation for Spring Cloud Gateway instances is supported, including vCpu, memory, and instance count.

-The following table describes the default resource usage:

-There are several types of application performance monitoring (APM) Java agents provided by Spring Cloud Gateway to monitor a gateway managed by Azure Spring Apps.

-### [Azure portal](#tab/Azure-portal)

-1. Open the **Spring Cloud Gateway** page and select the **Configuration** tab.

-### [Azure CLI](#tab/Azure-CLI)

-The supported APM types are `ApplicationInsights`, `AppDynamics`, `Dynatrace`, `NewRelic`, and `ElasticAPM`. For more information about the functions provided and which environment variables are exposed, see the public documentation for the APM Java agent you're using. Azure Spring Apps will upgrade the APM agent with the same cadence as deployed apps to keep compatibility of agents between Spring Cloud Gateway and apps.

-> By default, Azure Spring Apps prints the logs of the APM Java agent to `STDOUT`. These logs are mixed with the Spring Cloud Gateway logs. You can check the version of the APM agent used in the logs. You can query these logs in Log Analytics to troubleshoot.

-To purchase the Tanzu component license successfully, the billing account of your subscription must be included in one of the locations listed in the [Supported geographic locations of billing account](#supported-geographic-locations-of-billing-account) section. Because of tax management restrictions from VMware in some countries, not all countries are supported.

-To configure single sign-on for the application, you'll need to prepare credentials. The following sections describe steps for an existing provider or provisioning an application registration with Azure Active Directory.

-1. Configure your existing identity provider to allow redirects back to Spring Cloud Gateway and API Portal. Spring Cloud Gateway has a single URI to allow re-entry to the gateway. API Portal has two URIs for supporting the user interface and underlying API. Retrieve these URIs by using the following commands, then add them to your single sign-on provider's configuration.

-1. Obtain the `Issuer URI` for your identity provider. You must configure the provider with an issuer URI, which is the URI that it asserts as its Issuer Identifier. For example, if the `issuer-uri` provided is "https://example.com", then an OpenID Provider Configuration Request will be made to "https://example.com/.well-known/openid-configuration". The result is expected to be an OpenID Provider Configuration Response.

- > You can only use authorization servers supporting OpenID Connect Discovery protocol.

-1. Obtain the `JWK URI` for your identity provider for use later. The `JWK URI` typically takes the form `${ISSUER_URI}/keys` or `${ISSUER_URI}/<version>/keys`. The Identity Service application will use the public JSON Web Keys (JWK) to verify JSON Web Tokens (JWT) issued by your single sign-on identity provider's authorization server.

-1. Use the following commands to retrieve the URLs for Spring Cloud Gateway and API Portal and add the necessary Reply URLs to the Active Directory App Registration:

- --reply-urls "https://${GATEWAY_URL}/login/oauth2/code/sso" "https://${PORTAL_URL}/oauth2-redirect.html" "https://${PORTAL_URL}/login/oauth2/code/sso"

-1. Retrieve the `JWK URI` from the output of the following command. The Identity Service application will use the public JSON Web Keys (JWK) to verify JSON Web Tokens (JWT) issued by Active Directory.

-To complete the single sign-on experience, use the following steps to deploy the Identity Service application. The Identity Service application provides a single route to aid in identifying the user. For these steps, be sure to navigate to the project folder before running any commands.

-You can configure Spring Cloud Gateway to authenticate requests via single sign-on. To configure Spring Cloud Gateway to use single sign-on, follow these steps:

- You can open the output URL in a browser to explore the updated application. The Log In function will now work, allowing you to add items to the cart and place orders. After you sign in, the customer information button will display the signed-in username.

-## Configure single sign-on for API Portal

-You can configure API Portal to use single sign-on to require authentication before exploring APIs. Use the following commands to configure single sign-on for API Portal:

-Use the following commands to retrieve the URL for API Portal:

-You can open the output URL in a browser to explore the application APIs. This time, you'll be directed to sign on before exploring APIs.

-In most cases, deploying only a single storage mover resource is the best option, even when you need to migrate files located in other countries. One or more migration agents are registered to a storage mover resource. An agent can only be used by the storage mover to which it's registered. The agents themselves should be located close to the source storage, even if that means registering agents deployed in other countries to a storage mover resource located across the globe.

-Always mount Azure file shares using file.core.windows.net, even if you set up a private endpoint for your share. Using CNAME for file share mount isn't supported for identity-based authentication.

-If you run into issues mounting with AD DS credentials, refer to [Unable to mount Azure file shares with AD credentials](files-troubleshoot-smb-authentication.md#unable-to-mount-azure-file-shares-with-ad-credentials).

-To mount a file share from a non-domain-joined VM, the user must either:

-Using one of these approaches will allow the client to contact the domain controller to request and receive Kerberos tickets.

-```

-net use Z: \\<YourStorageAccountName>.file.core.windows.net\<FileShareName> /user:<DOMAINNAME\username>

-```

-or

-| Australia Central | 20.36.105.0, 20.36.104.6, 20.36.104.7 | 20.36.105.32/29 |

-| Australia Southeast | 191.239.192.109, 13.73.109.251, 13.77.48.10, 13.77.49.32 | 13.77.49.32/29 |

-| Canada Central | 40.85.224.249, 52.246.152.0, 20.38.144.1 | 13.71.168.32/29, 20.38.144.32/29, 52.246.152.32/29 |

-| Canada East | 40.86.226.166, 52.242.30.154, 40.69.105.9 , 40.69.105.10 | 40.69.105.32/29|

-| Central US | 13.67.215.62, 52.182.137.15, 104.208.21.1, 13.89.169.20 | 104.208.21.192/29, 13.89.168.192/29, 52.182.136.192/29 |

-| China North | 139.219.15.17 | 52.130.128.88/29 |

-| East Asia | 52.175.33.150, 13.75.32.4, 13.75.32.14, 20.205.77.200, 20.205.83.224 | 13.75.32.192/29, 13.75.33.192/29 |

-| East US 2 | 40.79.84.180, 52.177.185.181, 52.167.104.0, 191.239.224.107, 104.208.150.3, 40.70.144.193 | 104.208.150.192/29, 40.70.144.192/29, 52.167.104.192/29 |

-| France Central | 40.79.137.0, 40.79.129.1, 40.79.137.8, 40.79.145.12 | 40.79.136.32/29, 40.79.144.32/29 |

-| Japan East | 13.78.61.196, 40.79.184.8, 13.78.106.224, 40.79.192.5, 13.78.104.32, 40.79.184.32 | 13.78.104.32/29, 40.79.184.32/29, 40.79.192.32/29 |

-| Japan West | 104.214.148.156, 40.74.100.192, 40.74.97.10 | 40.74.96.32/29 |

-| Korea South | 52.231.200.86, 52.231.151.96 | |

-| North Central US | 23.96.178.199, 23.98.55.75, 52.162.104.33, 52.162.105.9 | 52.162.105.192/29 |

-| North Europe | 40.113.93.91, 52.138.224.1, 13.74.104.113 | 13.69.233.136/29, 13.74.105.192/29, 52.138.229.72/29 |

-| South Central US | 13.66.62.124, 104.214.16.32, 20.45.121.1, 20.49.88.1 | 20.45.121.32/29, 20.49.88.32/29, 20.49.89.32/29, 40.124.64.136/29 |

-| Switzerland North | 51.107.56.0, 51.107.57.0 | 51.107.56.32/29, 51.103.203.192/29, 20.208.19.192/29, 51.107.242.32/27 |

-| Switzerland West | 51.107.152.0, 51.107.153.0 | 51.107.153.32/29 |

-| West Europe | 40.68.37.158, 104.40.168.105, 52.236.184.163 | 104.40.169.32/29, 13.69.112.168/29, 52.236.184.32/29 |

-| West US 2 | 13.66.226.202, 40.78.240.8, 40.78.248.10 | 13.66.136.192/29, 40.78.240.192/29, 40.78.248.192/29 |

-$diskConfig = New-AzDiskConfig -Location $region -CreateOption Copy -DiskSizeGB $size -SkuName $sku -PerfromancePlus $true -SourceResourceID $sourceURI

-$dataDisk = New-AzDisk -ResourceGroupName $myRG -DiskName $myDisk

- > The example below shows the CUDA package path for Ubuntu 16.04. Replace the path specific to the version you plan to use.

- > Visit the [Nvidia Download Center](https://developer.download.nvidia.com/compute/cuda/repos/) for the full path specific to each version.

- CUDA_REPO_PKG=cuda-repo-ubuntu1604_10.0.130-1_amd64.deb

- wget -O /tmp/${CUDA_REPO_PKG} https://developer.download.nvidia.com/compute/cuda/repos/ubuntu1604/x86_64/${CUDA_REPO_PKG}

- sudo dpkg -i /tmp/${CUDA_REPO_PKG}

- sudo apt-key adv --fetch-keys https://developer.download.nvidia.com/compute/cuda/repos/ubuntu1604/x86_64/3bf863cc.pub

- rm -f /tmp/${CUDA_REPO_PKG}

- sudo apt-get install cuda-drivers

-

-2. To optionally install the complete CUDA toolkit, type:

- ```bash

- sudo apt-get install cuda

- ```

-3. Reboot the VM and proceed to verify the installation.

- - If the virtual networks are in different subscriptions and Active Directory tenants, add the user from each tenant as a guest in the opposite tenant. For more information about guest users, see [Add Azure Active Directory B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md?toc=%2fazure%2fvirtual-network%2ftoc.json#add-guest-users-to-the-directory).

-No.