-| [Azure AD MFA authentication](multi-factor-auth-technical-profile.md) | GA | |

-| [Application Insights user journey logs](troubleshoot-with-application-insights.md) | GA | Used for troubleshooting during development. |

-| [Application Insights event logs](analytics-with-application-insights.md) | GA | Used to monitor user flows in production. |

-During the first sign up or sign in, the user scans a QR code, opens a deep link, or enters the code manually using the authenticator app. To verify the TOTP code, use the [Begin verify OTP](#begin-verify-totp) followed by [Verify TOTP](#verify-totp) validation technical profiles.

-For subsequent sign ins, use the [Get available devices](#get-available-devices) method to check if the user has already enrolled their device. If the number of available devices is greater than zero, this indicates the user has enrolled before. In this case, the user needs to type the TOTP code that appears in the authenticator app.

-| DisplayClaims | 0:1 | A list of previously defined references to claim types that are presented by the [self-asserted technical profile](self-asserted-technical-profile.md). |

-## April 2022

-### New articles

-### Updated articles

-If you use `app.AddDistributedTokenCache`, the token cache is an adapter against the .NET `IDistributedCache` implementation. So you can choose between a distributed memory cache, a SQL Server cache, a Redis cache, or an Azure Cosmos DB cache. For details about the `IDistributedCache` implementations, see [Distributed memory cache](/aspnet/core/performance/caching/distributed).

-Here's the code for a distributed in-memory token cache:

-```CSharp

- // In-memory distributed token cache

- app.AddDistributedTokenCache(services =>

- {

- // In net462/net472, requires to reference Microsoft.Extensions.Caching.Memory

- services.AddDistributedMemoryCache();

- // Distributed token caches have an L1/L2 mechanism.

- // L1 is in memory, and L2 is the distributed cache

- // implementation that you will choose below.

- // You can configure them to limit the memory of the

- // L1 cache, encrypt, and set eviction policies.

- services.Configure<MsalDistributedTokenCacheAdapterOptions>(options =>

- {

- // You can disable the L1 cache if you want

- options.DisableL1Cache = false;

-

- // Or limit the memory (by default, this is 500 MB)

- options.sizeLimit = 1024 * 1024 * 1024, // 1 GB

- // You can choose to encrypt the cache or not

- options.Encrypt = false;

- // And you can set eviction policies for the distributed

- // cache

- options.SlidingExpiration = TimeSpan.FromHours(1);

- });

- });

-```

- // In net462/net472, requires to reference Microsoft.Extensions.Caching.Memory

-In the next article in the series, you configure a client app's registration with access to your web API and the scopes you defined by following the steps this article.

-### Add the relying party trust and claim rules

-1. On the AD FS server, go to **Tools** > **AD FS management**.

-1. In the navigation pane, select **Trust Relationships** > **Relying Party Trusts**.

-1. Under **Actions**, select **Add Relying Party Trust**.

-1. In the add relying party trust wizard, for **Select Data Source**, use the option **Import data about the relying party published online or on a local network**. Specify this federation metadata URL: `https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml`. Leave other default selections. Select **Close**.

-1. The **Edit Claim Rules** wizard opens.

-1. In the **Edit Claim Rules** wizard, select **Add Rule**. In **Choose Rule Type**, select **Send Claims Using a Custom Rule**. Select *Next*.

-1. Select **Finish**.

-1. In the same **Edit Claim Rules** wizard, select **Add Rule**. In **Cohose Rule Type**, select **Send LDAP Attributes as Claims**. Select **Next**.

-1. In **Configure Claim Rule**, specify the following values:

- - **Outgoing Claim Type**: E-Mail Address

-1. Select **Finish**.

-Next, you'll [configure SAML/WS-Fed IdP federation in Azure AD](direct-federation.md#step-3-configure-samlws-fed-idp-federation-in-azure-ad) either in the Azure AD portal or by using PowerShell.

-2. Under **Organizations**, find the organization that you want to leave, and select **Leave organization**.

- 

-3. When asked to confirm, select **Leave**.

-> [!NOTE]

- > You cannot leave your home organization.

-Azure Active Directory (Azure AD) B2B collaboration is a feature within External Identities that lets you invite guest users to collaborate with your organization. With B2B collaboration, you can securely share your company's applications and services with guest users from any other organization, while maintaining control over your own corporate data. Work safely and securely with external partners, large or small, even if they don't have Azure AD or an IT department.

-In some cases however, you're required make some changes to the default configuration. Here are some examples:

-The preferred way to change domain-based filtering is by running the installation wizard and changing [domain and OU filtering](how-to-connect-install-custom.md#domain-and-ou-filtering). The installation wizard automates all the tasks that are documented in this topic.

-You should only follow these steps if you're unable to run the installation wizard for some reason.

-Domain-based filtering configuration consists of these steps:

-1. Select the domains that you want to include in the synchronization.

-2. For each added and removed domain, adjust the run profiles.

-3. [Apply and verify changes](#apply-and-verify-changes).

-### Select the domains to be synchronized

-There are two ways to select the domains to be synchronized:

- - Using the Synchronization Service

- - Using the Azure AD Connect wizard.

-#### Select the domains to be synchronized using the Synchronization Service

-To set the domain filter, do the following steps:

-1. Sign in to the server that is running Azure AD Connect sync by using an account that is a member of the **ADSyncAdmins** security group.

-2. Start **Synchronization Service** from the **Start** menu.

-3. Select **Connectors**, and in the **Connectors** list, select the Connector with the type **Active Directory Domain Services**. In **Actions**, select **Properties**.

- 

-4. Click **Configure Directory Partitions**.

-5. In the **Select directory partitions** list, select and unselect domains as needed. Verify that only the partitions that you want to synchronize are selected.

- 

- If you've changed your on-premises Active Directory infrastructure and added or removed domains from the forest, then click the **Refresh** button to get an updated list. When you refresh, you're asked for credentials. Provide any credentials with read access to Windows Server Active Directory. It doesn't have to be the user that is prepopulated in the dialog box.

- 

-6. When you're done, close the **Properties** dialog by clicking **OK**. If you removed domains from the forest, a message pop-up says that a domain was removed and that configuration will be cleaned up.

-7. Continue to adjust the run profiles.

-#### Select the domains to be synchronized using the Azure AD Connect wizard

-To set the domain filter, do the following steps:

-1. Start the Azure AD Connect wizard

-2. Click **Configure**.

-3. Select **Customize Synchronization Options** and click **Next**.

-4. Enter your Azure AD credentials

-5. On the **Connected Directories** screen click **Next**.

-6. On the **Domain and OU filtering page** click **Refresh**. New domains will now appear and deleted domains will disappear.

- 

-### Update the run profiles

-If you've updated your domain filter, you also need to update the run profiles.

-1. In the **Connectors** list, make sure that the Connector that you changed in the previous step is selected. In **Actions**, select **Configure Run Profiles**.

- 

-2. Find and identify the following profiles:

- * Full Import

- * Full Synchronization

- * Delta Import

- * Delta Synchronization

- * Export

-3. For each profile, adjust the **added** and **removed** domains.

- 1. For each of the five profiles, do the following steps for each **added** domain:

- 1. Select the run profile and click **New Step**.

- 2. On the **Configure Step** page, in the **Type** drop-down menu, select the step type with the same name as the profile that you're configuring. Then click **Next**.

- 

- 3. On the **Connector Configuration** page, in the **Partition** drop-down menu, select the name of the domain that you've added to your domain filter.

- 

- 4. To close the **Configure Run Profile** dialog, click **Finish**.

- 2. For each of the five profiles, do the following steps for each **removed** domain:

- 1. Select the run profile.

- 2. If the **Value** of the **Partition** attribute is a GUID, select the run step and click **Delete Step**.

- 

- 3. Verify your change. Each domain that you want to synchronize should be listed as a step in each run profile.

-4. To close the **Configure Run Profiles** dialog, click **OK**.

-5. To complete the configuration, you need to run a **Full import** and a **Delta sync**. Continue reading the section [Apply and verify changes](#apply-and-verify-changes).

-The preferred way to change OU-based filtering is by running the installation wizard and changing [domain and OU filtering](how-to-connect-install-custom.md#domain-and-ou-filtering). The installation wizard automates all the tasks that are documented in this topic.

-You should only follow these steps if you're unable to run the installation wizard for some reason.

-To configure organizational unitΓÇôbased filtering, do the following steps:

-1. Sign in to the server that is running Azure AD Connect sync by using an account that is a member of the **ADSyncAdmins** security group.

-2. Start **Synchronization Service** from the **Start** menu.

-3. Select **Connectors**, and in the **Connectors** list, select the Connector with the type **Active Directory Domain Services**. In **Actions**, select **Properties**.

- 

-4. Click **Configure Directory Partitions**, select the domain that you want to configure, and then click **Containers**.

-5. When you're prompted, provide any credentials with read access to your on-premises Active Directory. It doesn't have to be the user that is prepopulated in the dialog box.

-6. In the **Select Containers** dialog box, clear the OUs that you donΓÇÖt want to synchronize with the cloud directory, and then click **OK**.

- 

- * The **Computers** container should be selected for your Windows 10 computers to be successfully synchronized to Azure AD. If your domain-joined computers are located in other OUs, make sure those are selected.

- * The **ForeignSecurityPrincipals** container should be selected if you have multiple forests with trusts. This container allows cross-forest security group membership to be resolved.

- * The **RegisteredDevices** OU should be selected if you enabled the device writeback feature. If you use another writeback feature, such as group writeback, make sure these locations are selected.

- * Select any other OU where Users, iNetOrgPersons, Groups, Contacts, and Computers are located. In the picture, all these OUs are located in the ManagedObjects OU.

- * If you use group-based filtering, then the OU where the group is located must be included.

- * Note that you can configure whether new OUs that are added after the filtering configuration finishes are synchronized or not synchronized. See the next section for details.

-7. When you're done, close the **Properties** dialog by clicking **OK**.

-8. To complete the configuration, you need to run a **Full import** and a **Delta sync**. Continue reading the section [Apply and verify changes](#apply-and-verify-changes).

-### Synchronize new OUs

-New OUs that are created after filtering has been configured are synchronized by default. This state is indicated by a selected check box. You can also unselect some sub-OUs. To get this behavior, click the box until it becomes white with a blue check mark (its default state). Then unselect any sub-OUs that you don't want to synchronize.

-If all sub-OUs are synchronized, then the box is white with a blue check mark.

-

-If some sub-OUs have been unselected, then the box is gray with a white check mark.

-

-With this configuration, a new OU that was created under ManagedObjects is synchronized.

-The Azure AD Connect installation wizard always creates this configuration.

-### Don't synchronize new OUs

-You can configure the sync engine to not synchronize new OUs after the filtering configuration has finished. This state is indicated in the UI by the box appearing solid gray with no check mark. To get this behavior, click the box until it becomes white with no check mark. Then select the sub-OUs that you want to synchronize.

-

-With this configuration, a new OU that was created under ManagedObjects isn't synchronized.

- ```azurecli-interactive

- az vmss create --resource-group myResourceGroup --name myVMSS --image win2016datacenter --upgrade-policy-mode automatic --custom-data cloud-init.txt --admin-username azureuser --admin-password myPassword12 --assign-identity --generate-ssh-keys

-3. [Create](/cli/azure/vmss/#az-vmss-create) a virtual machine scale set. The following example creates a virtual machine scale set associated with the new user-assigned managed identity, as specified by the `--assign-identity` parameter. Be sure to replace the `<RESOURCE GROUP>`, `<VMSS NAME>`, `<USER NAME>`, `<PASSWORD>`, and `<USER ASSIGNED IDENTITY>` parameter values with your own values.

- ```azurecli-interactive

- az vmss create --resource-group <RESOURCE GROUP> --name <VMSS NAME> --image UbuntuLTS --admin-username <USER NAME> --admin-password <PASSWORD> --assign-identity <USER ASSIGNED IDENTITY>

-$adminUser = Get-AzureADUser -ObjectId "Use the user's UPN, who would be an admin on this unit"

-$role = Get-AzureADDirectoryRole | Where-Object -Property DisplayName -EQ -Value "User Administrator"

-$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'The display name of the unit'"

-$roleMember = New-Object -TypeName Microsoft.Open.MSGraph.Model.MsRoleMemberInfo

-$roleMember.Id = $adminUser.ObjectId

-Add-AzureADMSScopedRoleMembership -Id $adminUnitObj.Id -RoleId $role.ObjectId -RoleMemberInfo $roleMember

-You can change the highlighted section as required for the specific environment.

-$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'The display name of the unit'"

-Get-AzureADMSScopedRoleMembership -Id $adminUnitObj.Id | fl *

-You can change the highlighted section as required for your specific environment.

-### Delete a role assignment

-# Delete role assignment

-* Manage your accounts in one central location - the Azure portal.

-1. On the **Set up Hubble** section, copy the appropriate URL(s) based on your requirement.

- 

-To configure single sign-on on **Hubble** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Hubble support team](mailto:cs@hubble-inc.jp). They set this setting to have the SAML SSO connection set properly on both sides.

-## May

-We are expanding our service to all Azure AD customers! Verifiable credentials are now available to everyone with an Azure AD subscription (Free and Premium). Existing tenants that configured the Verifiable Credentials service prior to May 4, 2022 must make a [small change](verifiable-credentials-faq.md#updating-the-vc-service-configuration) to avoid service disruptions.

-This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart [using the Azure CLI][aks-quickstart-cli], [using Azure PowerShell][aks-quickstart-powershell], or [using the Azure portal][aks-quickstart-portal].

-You also need the Azure CLI version 2.0.59 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

-For more information about AKS clusters interact with Azure disks, see the [Kubernetes plugin for Azure Disks][kubernetes-disks].

-This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart [using the Azure CLI][aks-quickstart-cli], [using Azure PowerShell][aks-quickstart-powershell], or [using the Azure portal][aks-quickstart-portal].

-You also need the Azure CLI version 2.0.59 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

-> Inline `azureFile` volume can only access secrets in the same namespace as the pod. To specify a different secret namespace, [please use the persistent volume example][persistent-volume-example] below instead.

-For information about AKS 1.20 or below clusters interact with Azure Files, see the [Kubernetes plugin for Azure Files][kubernetes-files].

-When you enable the cluster autoscaler on node pools in the cluster, those clusters will also use the cluster autoscaler profile. For example:

-[metrics-server]: https://kubernetes.io/docs/tasks/debug-application-cluster/resource-metrics-pipeline/#metrics-server

-For more details on using the KMS plugin, see [Encrypting Secret Data at Rest](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/).

-* Changing of key Id, including key name and key version.

-* KMS etcd encryption does not work with System-Assigned Managed Identity. The keyvault access-policy is required to be set before the feature is enabled. In addition, System-Assigned Managed Identity is not available until cluster creation, thus there is a cycle dependency.

-Use `az identity show` to get Identity Object Id.

-The above example stores the value of the Identity Object Id in *IDENTITY_OBJECT_ID*.

-Use `az identity show` to get Identity Resource Id.

-The above example stores the value of the Identity Resource Id in *IDENTITY_RESOURCE_ID*.

-Use below command to update all secrets. Otherwise, the old secrets are not encrypted.

-| Central India | Central US |

-| Central US | East Asia |

-| East Asia | East US |

-| East US | East US 2 |

-| East US 2 | France Central |

-| France Central | Germany West Central |

-| Germany West Central | Japan East |

-| Japan East | Korea Central |

-| Korea Central | North Europe |

-| North Central US | Norway East |

-| North Europe | South Africa North |

-| Norway East | South Central US |

-| South Africa North | Southeast Asia |

-| South Central US | UK South |

-| Southeast Asia | West Europe |

-| Switzerland North | West US 2 |

-| UAE North | West US 3 |

-apiVersion: extensions/v1beta1

-```

->If you wish to use rule priority, you will have to specify rule-priority field values for all the existing request routing rules. Once the rule priority field is in use, any new routing rule that is created would also need to have a rule priority field value as part of its config.

-| [Azure Application Gateway (V2)](../application-gateway/application-gateway-autoscaling-zone-redundant.md) |  |

- - CentOS: CentOS 7, CentOS 8

- - RedHat Enterprise Linux (RHEL): RHEL 7.4 to RHEL 7.10, RHEL 8.3+

- - SUSE Linux Enterprise Server (SLES): SLES 12, SLES 15.1+

- - Ubuntu Server: Ubuntu Server 16.04 to Ubuntu Server 20.04

-To view examples of using the ```az ssh vm``` command, view the az CLI documentation page for [az ssh](/cli/azure/ssh).

-For [ASP.NET Core](asp-net-core.md#how-can-i-track-telemetry-thats-not-automatically-collected) apps and [Non HTTP/Worker for .NET/.NET Core](worker-service.md#how-can-i-track-telemetry-thats-not-automatically-collected) apps, it is recommended to get an instance of `TelemetryClient` from the dependency injection container as explained in their respective documentation.

-The default configuration collects `ILogger` `Warning` logs and more severe logs. You can [customize this configuration](#how-do-i-customize-ilogger-logs-collection).

-## Frequently asked questions

-### Does Application Insights support ASP.NET Core 3.X?

-Yes. Update to [Application Insights SDK for ASP.NET Core](https://nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore) version 2.8.0 or later. Earlier versions of the SDK don't support ASP.NET Core 3.X.

-Also, if you're [enabling server-side telemetry based on Visual Studio](#enable-application-insights-server-side-telemetry-visual-studio), update to the latest version of Visual Studio 2019 (16.3.0) to onboard. Earlier versions of Visual Studio don't support automatic onboarding for ASP.NET Core 3.X apps.

-### How can I track telemetry that's not automatically collected?

-Get an instance of `TelemetryClient` by using constructor injection, and call the required `TrackXXX()` method on it. We don't recommend creating new `TelemetryClient` or `TelemetryConfiguration` instances in an ASP.NET Core application. A singleton instance of `TelemetryClient` is already registered in the `DependencyInjection` container, which shares `TelemetryConfiguration` with rest of the telemetry. Creating a new `TelemetryClient` instance is recommended only if it needs a configuration that's separate from the rest of the telemetry.

-The following example shows how to track more telemetry from a controller.

-```csharp

-using Microsoft.ApplicationInsights;

-public class HomeController : Controller

-{

- private TelemetryClient telemetry;

- // Use constructor injection to get a TelemetryClient instance.

- public HomeController(TelemetryClient telemetry)

- {

- this.telemetry = telemetry;

- }

- public IActionResult Index()

- {

- // Call the required TrackXXX method.

- this.telemetry.TrackEvent("HomePageRequested");

- return View();

- }

-```

-For more information about custom data reporting in Application Insights, see [Application Insights custom metrics API reference](./api-custom-events-metrics.md). A similar approach can be used for sending custom metrics to Application Insights using the [GetMetric API](./get-metric.md).

-### How do I customize ILogger logs collection?

-By default, only `Warning` logs and more severe logs are automatically captured. To change this behavior, explicitly override the logging configuration for the provider `ApplicationInsights` as shown below.

-The following configuration allows ApplicationInsights to capture all `Information` logs and more severe logs.

-```json

-{

- "Logging": {

- "LogLevel": {

- "Default": "Warning"

- },

- "ApplicationInsights": {

- "LogLevel": {

- "Default": "Information"

- }

- }

- }

-}

-```

-It's important to note that the following example doesn't cause the ApplicationInsights provider to capture `Information` logs. It doesn't capture it because the SDK adds a default logging filter that instructs `ApplicationInsights` to capture only `Warning` logs and more severe logs. ApplicationInsights requires an explicit override.

-```json

-{

- "Logging": {

- "LogLevel": {

- "Default": "Information"

- }

- }

-}

-```

-For more information, see [ILogger configuration](ilogger.md#logging-level).

-### Some Visual Studio templates used the UseApplicationInsights() extension method on IWebHostBuilder to enable Application Insights. Is this usage still valid?

-The extension method `UseApplicationInsights()` is still supported, but it's marked as obsolete in Application Insights SDK version 2.8.0 and later. It will be removed in the next major version of the SDK. To enable Application Insights telemetry, we recommend using `AddApplicationInsightsTelemetry()` because it provides overloads to control some configuration. Also, in ASP.NET Core 3.X apps, `services.AddApplicationInsightsTelemetry()` is the only way to enable Application Insights.

-### I'm deploying my ASP.NET Core application to Web Apps. Should I still enable the Application Insights extension from Web Apps?

-If the SDK is installed at build time as shown in this article, you don't need to enable the [Application Insights extension](./azure-web-apps.md) from the App Service portal. If the extension is installed, it will back off when it detects the SDK is already added. If you enable Application Insights from the extension, you don't have to install and update the SDK. But if you enable Application Insights by following instructions in this article, you have more flexibility because:

- * Application Insights telemetry will continue to work in:

- * All operating systems, including Windows, Linux, and Mac.

- * All publish modes, including self-contained or framework dependent.

- * All target frameworks, including the full .NET Framework.

- * All hosting options, including Web Apps, VMs, Linux, containers, Azure Kubernetes Service, and non-Azure hosting.

- * All .NET Core versions including preview versions.

- * You can see telemetry locally when you're debugging from Visual Studio.

- * You can track more custom telemetry by using the `TrackXXX()` API.

- * You have full control over the configuration.

-### Can I enable Application Insights monitoring by using tools like Azure Monitor Application Insights Agent (formerly Status Monitor v2)?

- Yes. In [Application Insights Agent 2.0.0-beta1](https://www.powershellgallery.com/packages/Az.ApplicationMonitor/2.0.0-beta1) and later, ASP.NET Core applications hosted in IIS are supported.

-### Are all features supported if I run my application in Linux?

-Yes. Feature support for the SDK is the same in all platforms, with the following exceptions:

-* The SDK collects [Event Counters](./eventcounters.md) on Linux because [Performance Counters](./performance-counters.md) are only supported in Windows. Most metrics are the same.

-* Although `ServerTelemetryChannel` is enabled by default, if the application is running in Linux or macOS, the channel doesn't automatically create a local storage folder to keep telemetry temporarily if there are network issues. Because of this limitation, telemetry is lost when there are temporary network or server issues. To work around this issue, configure a local folder for the channel:

-```csharp

-using Microsoft.ApplicationInsights.Channel;

-using Microsoft.ApplicationInsights.WindowsServer.TelemetryChannel;

- public void ConfigureServices(IServiceCollection services)

- {

- // The following will configure the channel to use the given folder to temporarily

- // store telemetry items during network or Application Insights server issues.

- // User should ensure that the given folder already exists

- // and that the application has read/write permissions.

- services.AddSingleton(typeof(ITelemetryChannel),

- new ServerTelemetryChannel () {StorageFolder = "/tmp/myfolder"});

- services.AddApplicationInsightsTelemetry();

- }

-```

-This limitation isn't applicable from version [2.15.0](https://www.nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore/2.15.0) and later.

-### Is this SDK supported for the new .NET Core 3.X Worker Service template applications?

-This SDK requires `HttpContext`; therefore, it doesn't work in any non-HTTP applications, including the .NET Core 3.X Worker Service applications. To enable Application Insights in such applications using the newly released Microsoft.ApplicationInsights.WorkerService SDK, see [Application Insights for Worker Service applications (non-HTTP applications)](worker-service.md).

-Internet Information Services (IIS) logs counts of all request reaching IIS and inherently could differ from the total request reaching an application. Due to this, it isn't guaranteed that the request count collected by the SDKs will match the total IIS log count.

-If your application sends a lot of data and you're using the Application Insights SDK for ASP.NET version 2.0.0-beta3 or later, the [adaptive sampling](./sampling.md) feature may operate and send only a percentage of your telemetry.

-You can disable it, but doing so is not recommended. Sampling is designed so that related telemetry is correctly transmitted, for diagnostic purposes.

-On February 5 2018, we announced that we removed logging of the Client IP address. This doesn't affect Geo Location.

-1. Modify your applicationinsights.config file to include the following:

-Alternatively, customers can also use a cross-platform .NET Core tool, [`dotnet-trace`](/dotnet/core/diagnostics/dotnet-trace) for collecting logs that can further help in troubleshooting. This may be helpful for linux-based environments.

-The Application Insights .NET SDK consists of a number of NuGet packages. The

-the Application Insights. [Additional packages](https://www.nuget.org/packages?q=Microsoft.ApplicationInsights) provide

-The configuration file is named `ApplicationInsights.config` or `ApplicationInsights.xml`, depending on the type of your application. It is automatically added to your project when you [install most versions of the SDK][start]. By default, when using the automated experience from the Visual Studio template projects that support **Add > Application Insights Telemetry**, the ApplicationInsights.config file is created in the project root folder and when compiled is copied to the bin folder. It is also added to a web app by [Status Monitor on an IIS server][redfield]. The configuration file is ignored if [extension for Azure website](azure-web-apps.md) or [extension for Azure VM and virtual machine scale set](azure-vm-vmss-apps.md) is used.

-if the code cannot access performance counters or if an `ITelemetryInitializer` throws an exception. Trace telemetry

-`DeveloperModeWithDebuggerAttachedTelemetryModule` forces the Application Insights `TelemetryChannel` to send data immediately, one telemetry item at a time, when a debugger is attached to the application process. This reduces the amount of time between the moment when your application tracks telemetry and when it appears on the Application Insights portal. It causes significant overhead in CPU and network bandwidth.

-The Microsoft.ApplicationInsights package provides the [core API](/dotnet/api/microsoft.applicationinsights) of the SDK. The other Telemetry Modules use this, and you can also [use it to define your own telemetry](./api-custom-events-metrics.md).

-* `SyntheticTelemetryInitializer` or `SyntheticUserAgentTelemetryInitializer` updates the `User`, `Session`, and `Operation` contexts properties of all telemetry items tracked when handling a request from a synthetic source, such as an availability test or search engine bot. By default, [Metrics Explorer](../essentials/metrics-charts.md) does not display synthetic telemetry.

-Telemetry Processors can filter and modify each telemetry item just before it is sent from the SDK to the portal.

-This is enabled by default. If your app sends a lot of telemetry, this processor removes some of it.

-There is also a standard [sampling Telemetry Processor](./api-filtering-sampling.md) (from 2.0.1):

-This determines the Application Insights resource in which your data appears. Typically you create a separate resource, with a separate key, for each of your applications.

-To set the key for all instances of TelemetryClient, including standard Telemetry Modules. Do this in an initialization method, such as global.aspx.cs in an ASP.NET service:

-The purpose of this provider is to lookup an Application ID based on an Instrumentation Key. The Application ID is included in RequestTelemetry and DependencyTelemetry and used to determine Correlation in the Portal.

-This is available by setting `TelemetryConfiguration.ApplicationIdProvider` either in code or in config.

-This is a wrapper around our Profile API. It will throttle requests and cache results.

-By default this is set to `https://dc.services.visualstudio.com/api/profiles/{0}/appId`.

-If you need to configure a proxy for this configuration, we recommend proxying the base address and including "/api/profiles/{0}/appId". Note that '{0}' is substituted at runtime per request with the Instrumentation Key.

-This is a static provider, which will rely on your configured Instrumentation Key / Application ID pairs.

-This class has an optional property `Next` which can be used to configure another provider to use when an Instrumentation Key is requested that does not exist in your configuration.

-> If you use the `Microsoft.ApplicationInsights.AspNetCore` package to enable Application Insights, modify this code to get `TelemetryClient` directly in the constructor. For an example, see [this FAQ](./asp-net-core.md#frequently-asked-questions).

-## Filter query results

-Let's add a filter to the query to reduce the number of records that are returned. Select the **Filter** tab on the left pane. This tab shows columns in the query results that you can use to filter the results. The top values in those columns are displayed with the number of records that have that value. Select **200** under **ResultCode**, and then select **Apply & Run**.

-A **where** statement is added to the query with the value that you selected. The results now include only records with that value, so you can see that the record count is reduced.

-Use the restore operation to query data in [Archived Logs](data-retention-archive.md). You can also use the restore operation to run powerful queries within a specific time range on any Analytics table when the log queries you run on the source table cannot complete within the log query timeout of 10 minutes.

-The destination table provides a view of the underlying source data, but does not affect it in any way. The table has no retention setting, and you must explicitly [dismiss the restored data](#dismiss-restored-data) when you no longer need it.

-Deleting the restored table does not delete the data in the source table.

-## April, 2022

-### General

-**New articles**

-**Updated articles**

-### Agents

-**New articles**

-**Updated articles**

-### Alerts

-**Updated articles**

-### Application Insights

-**New articles**

-**Updated articles**

-### Autoscale

-**Updated articles**

-### Essentials

-**Updated articles**

-### Insights

-**Updated articles**

-### Logs

-**New articles**

-**Updated articles**

-### Visualizations

-**Updated articles**

-### Visualizations

-The Workload application is open-sourced in the Azure Percept Advanced Development [github repository](https://github.com/microsoft/azure-percept-advanced-development/tree/main/azureeyemodule/app) and is made up of many small C++ modules, with some of the more important being:

-1. In the **Create an Azure Video Indexer resource** section enter required values. Here are the definitions:

- <!---->

-| Helm CLI | Install the [Helm CLI][helm-install], which is used to to install a helm chart (container package definition). |

-Use the following table to determine the **version string** in the API path based on the Read 3.x version you are migrating to.

-A new optional _language_ parameter is available. If you do not know the language of your document, or it may be multilingual, don't include it.

-* The page angle `clockwiseOrientation` has been renamed to `angle` and the range has been changed from 0 - 360 degrees to -180 to 180 degrees. Depending on your code, you may or may not have to makes changes as most math functions can handle either range.

-The v3.0 API also introduces the following improvements you can optionally leverage:

-* `createdDateTime` and `lastUpdatedDateTime` are added so you can track the duration of processing. See documentation for more details.

-`Recognize Text` is a *preview* operation which is being *deprecated in all versions of Computer Vision API*. You must migrate from `Recognize Text` to `Read` (v3.0) or `Batch Read File` (v2.0, v2.1). v3.0 of `Read` includes newer, better models for text recognition and additional features, so it is recommended. To upgrade from `Recognize Text` to `Read`:

-The _mode_ parameter is not supported in `Read`. Both handwritten and printed text will automatically be supported.

-A new optional _language_ parameter is available in v3.0. If you do not know the language of your document, or it may be multilingual, don't include it.

-The v3.0 API also introduces the following improvements you can optionally leverage. See the API reference for more details:

-* `createdDateTime` and `lastUpdatedDateTime` are added so you can track the duration of processing. See documentation for more details.

-Pronunciation assessment evaluates speech pronunciation and gives speakers feedback on the accuracy and fluency of spoken audio. With pronunciation assessment, language learners can practice, get instant feedback, and improve their pronunciation so that they can speak and present with confidence. Educators can use the capability to evaluate pronunciation of multiple speakers in real time.

-> [!NOTE]

-> Pronunciation assessment for the `en-US` locale is available in all [speech-to-text regions](regions.md#speech-to-text-text-to-speech-and-translation). Support for `en-GB` and `zh-CN` locales is in preview.

-| `Granularity` | The evaluation granularity. Accepted values are `Phoneme`, which shows the score on the full text, word and phoneme level, `Word`, which shows the score on the full text and word level, `FullText`, which shows the score on the full text level only. Default: `Phoneme`. | Optional |

-| `AccuracyScore` | Pronunciation accuracy of the speech. Accuracy indicates how closely the phonemes match a native speaker's pronunciation. Word and full text accuracy scores are aggregated from phoneme-level accuracy score. |

-| `PronScore` | Overall score indicating the pronunciation quality of the given speech. This is aggregated from `AccuracyScore`, `FluencyScore`, and `CompletenessScore` with weight. |

- "NBest": [

- {

- "Confidence" : "0.87",

- "Lexical" : "good morning",

- "PronunciationAssessment":

- {

- {

- "Word" : "Good",

- "Offset" : 500000,

- "Duration" : 2700000,

- "PronunciationAssessment":

- {

- }

- "Word" : "morning",

- "Offset" : 5300000,

- "Duration" : 900000,

- "PronunciationAssessment":

- {

- }

- }

- ]

- }

- ]

-* To learn more about released use cases, read the [Azure tech blog](https://techcommunity.microsoft.com/t5/azure-ai-blog/speech-service-update-pronunciation-assessment-is-generally/ba-p/2505501).

-The [pronunciation assessment](how-to-pronunciation-assessment.md) feature currently supports the `en-US` locale, which is available with all speech-to-text regions. Support for `en-GB` and `zh-CN` languages is in preview.

- 1. Choose the [region](regions.md) where the resource will be used. Azure is a global cloud platform that's generally available in many regions worldwide. To get the best performance, select a region that's closest to you or where your application runs. The Speech service availabilities vary among different regions. Make sure that you create your resource in a supported region. For more information, see [region support for Speech services](./regions.md#speech-to-text-text-to-speech-and-translation).

-### Speech-to-text, text-to-speech, and translation

-The Speech service is available in these regions for speech-to-text, text-to-speech, and translation:

-| from | _Optional parameter_. <br>Specifies the language of the input text. Find which languages are available to translate from by looking up [supported languages](../reference/v3-0-languages.md) using the `translation` scope. If the `from` parameter is not specified, automatic language detection is applied to determine the source language. <br> <br>You must use the `from` parameter rather than autodetection when using the [dynamic dictionary](../dynamic-dictionary.md) feature. |

-| allowFallback | _Optional parameter_. <br>Specifies that the service is allowed to fall back to a general system when a custom system does not exist. Possible values are: `true` (default) or `false`. <br> <br>`allowFallback=false` specifies that the translation should only use systems trained for the `category` specified by the request. If a translation for language X to language Y requires chaining through a pivot language E, then all the systems in the chain (X->E and E->Y) will need to be custom and have the same category. If no system is found with the specific category, the request will return a 400 status code. `allowFallback=true` specifies that the service is allowed to fall back to a general system when a custom system does not exist. |

-* The entire text included in the request cannot exceed 10,000 characters including spaces.

- * `detectedLanguage`: An object describing the detected language through the following properties:

- * `language`: A string representing the code of the detected language.

- * `score`: A float value indicating the confidence in the result. The score is between zero and one and a low score indicates a low confidence.

- * `translations`: An array of translation results. The size of the array matches the number of target languages specified through the `to` query parameter. Each element in the array includes:

- * `to`: A string representing the language code of the target language.

- * `text`: A string giving the translated text.

- * `transliteration`: An object giving the translated text in the script specified by the `toScript` parameter.

- * `script`: A string specifying the target script.

- * `text`: A string giving the translated text in the target script.

- The `transliteration` object is not included if transliteration does not take place.

- * `sentLen`: An object returning sentence boundaries in the input and output texts.

- * `srcSentLen`: An integer array representing the lengths of the sentences in the input text. The length of the array is the number of sentences, and the values are the length of each sentence.

- * `transSentLen`: An integer array representing the lengths of the sentences in the translated text. The length of the array is the number of sentences, and the values are the length of each sentence.

- * `sourceText`: An object with a single string property named `text`, which gives the input text in the default script of the source language. `sourceText` property is present only when the input is expressed in a script that's not the usual script for the language. For example, if the input were Arabic written in Latin script, then `sourceText.text` would be the same Arabic text converted into Arab script.

-| X-RequestId | Value generated by the service to identify the request. It is used for troubleshooting purposes. |

-| X-MT-System | Specifies the system type that was used for translation for each ΓÇÿtoΓÇÖ language requested for translation. The value is a comma-separated list of strings. Each string indicates a type: <br><br>* Custom - Request includes a custom system and at least one custom system was used during translation.<br>* Team - All other requests |

-| ProfanityAction | Action |

-| `NoAction` |NoAction is the default behavior. Profanity will pass from source to target. <br> <br>**Example Source (Japanese)**: 彼はジャッカスです。 <br>**Example Translation (English)**: He is a jackass. |

-| `Deleted` | Profane words will be removed from the output without replacement. <br> <br>**Example Source (Japanese)**: 彼はジャッカスです。 <br>**Example Translation (English)**: He is |

-| `Marked` | Profane words are replaced by a marker in the output. The marker depends on the `ProfanityMarker` parameter. <br> <br>For `ProfanityMarker=Asterisk`, profane words are replaced with `***`: <br>**Example Source (Japanese)**: 彼はジャッカスです。 <br>**Example Translation (English)**: He is a \\*\\*\\*. <br> <br>For `ProfanityMarker=Tag`, profane words are surrounded by XML tags &lt;profanity&gt; and &lt;/profanity&gt;: <br>**Example Source (Japanese)**: 彼はジャッカスです。 <br>**Example Translation (English)**: He is a &lt;profanity&gt;jackass&lt;/profanity&gt;. |

-This example shows how to translate a single sentence from English to Simplified Chinese. The request does not specify the input language. Autodetection of the source language is used instead.

-| `NoAction` | NoAction is the default behavior. Profanity will pass from source to target. <br> <br>**Example Source (Japanese)**: 彼はジャッカスです。 <br>**Example Translation (English)**: He is a jackass. |

-| `Deleted` | Profane words will be removed from the output without replacement. <br> <br>**Example Source (Japanese)**: 彼はジャッカスです。 <br>**Example Translation (English)**: He is a. |

-| `Marked` | Profane words are replaced by a marker in the output. The marker depends on the `ProfanityMarker` parameter. <br> <br>For `ProfanityMarker=Asterisk`, profane words are replaced with `***`: <br>**Example Source (Japanese)**: 彼はジャッカスです。 <br>**Example Translation (English)**: He is a \\*\\*\\*. <br> <br>For `ProfanityMarker=Tag`, profane words are surrounded by XML tags &lt;profanity&gt; and &lt;/profanity&gt;: <br>**Example Source (Japanese)**: 彼はジャッカスです。 <br>**Example Translation (English)**: He is a &lt;profanity&gt;jackass&lt;/profanity&gt;. |

-It's common to translate content that includes markup such as content from an HTML page or content from an XML document. Include query parameter `textType=html` when translating content with tags. In addition, it's sometimes useful to exclude specific content from translation. You can use the attribute `class=notranslate` to specify content that should remain in its original language. In the following example, the content inside the first `div` element will not be translated, while the content in the second `div` element will be translated.

-Here is a sample request to illustrate.

-Obtaining alignment information is an experimental feature that we have enabled for prototyping research and experiences with potential phrase mappings. We may choose to stop supporting this in the future. Here are some of the notable restrictions where alignments are not supported:

-* Alignment is not available for text in HTML format i.e., textType=html

-* You will not receive alignment if the sentence is a canned translation. Example of a canned translation is "This is a test", "I love you" and other high frequency sentences.

-* Alignment is not available when you apply any of the approaches to prevent translation as described [here](../prevent-translation.md)

- "text":"La réponse se trouve dans la traduction automatique. La meilleure technologie de traduction automatique ne peut pas toujours fournir des traductions adaptées à un site ou des utilisateurs comme un être humain. Il suffit de copier et coller un extrait de code n’importe où.",

-This feature works the same way with `textType=text` or with `textType=html`. The feature should be used sparingly. The appropriate and far better way of customizing translation is by using Custom Translator. Custom Translator makes full use of context and statistical probabilities. If you have or can afford to create training data that shows your work or phrase in context, you get much better results. [Learn more about Custom Translator](../customization.md).

-description: This article lists request limits for the Translator. Charges are incurred based on character count, not request frequency with a limit of 5,000 characters per request. Character limits are subscription-based, with F0 limited to 2 million characters per hour.

-Each translate request is limited to 10,000 characters, across all the target languages you are translating to. For example, sending a translate request of 3,000 characters to translate to three different languages results in a request size of 3000x3 = 9,000 characters, which satisfy the request limit. You're charged per character, not by the number of requests. It's recommended to send shorter requests.

-| Translate | 10,000| 100| 10,000 |

-* [v3 Translator reference](./reference/v3-0-reference.md)

-> To enable support for multiple languages, you need to enable this option when [creating your project](how-to/create-project.md) or you can enbale it later form the project settings page.

-For more details about connecting Dapr applications, refer to [Invoke services using HTTP](https://docs.dapr.io/developing-applications/building-blocks/service-invocation/howto-invoke-discover-services/).

-```text

-http://localhost:3500/v1.0/invoke/<YOUR_APP_NAME>/method

-```

-### HTTP edge proxy behavior

-The health logs describe how the Azure Functions trigger for Cosmos DB behaves when attempting operations during load-balancing scenarios or initialization.

- "Host.Triggers.CosmosDB": "Trace"

-After the Azure Function is deployed with the updated configuration, you will see the Azure Functions trigger for Cosmos DB logs as part of your traces. You can view the logs in your configured logging provider under the *Category* `Host.Triggers.CosmosDB`.

-Currently, the only SDK that returns the RU charge for table operations is the legacy [Microsoft.Azure.Cosmos.Table .NET Standard SDK](https://www.nuget.org/packages/Microsoft.Azure.Cosmos.Table). The `TableResult` object exposes a `RequestCharge` property that is populated by the SDK when you use it against the Azure Cosmos DB Table API:

-* [Optimize query cost in Azure Cosmos DB](../optimize-cost-reads-writes.md)

-Currently, the reservation administrator and reservation reader roles are are only available to assign using PowerShell. They can't be viewed or assigned in the Azure portal. For more information, see [Grant access with PowerShell](#grant-access-with-powershell).

-# User defined functions in mapping data flow

-You'll get 500 MB free data ingestion per day, for every Windows machine connected to the workspace. Specifically for security data types directly collected by Defender for Cloud.

-Defender for Cloud's billing is closely tied to the billing for Log Analytics. [Microsoft Defender for Servers](defender-for-servers-introduction.md) provides a 500 MB/node/day allocation for Windows machines against the following subset of [security data types](/azure/azure-monitor/reference/tables/tables-category#security):

-|**Rugged** | **Max bandwidth**: 10 Mb/sec <br>**Max monitored assets**: 100 | **vCPU**: 4 <br>**Memory**: 8 GB <br>**Storage**: 64 GB (150 IOPS) |

-You can use either the Azure portal, AZ PowerShell, Azure CLI or Azure Rest API to create the roles.

-You can use either the Azure portal, AZ PowerShell, Azure CLI or Azure Rest API to create the roles.

-ExpressRoute is designed for high availability to provide carrier grade private network connectivity to Microsoft resources. In other words, there's no single point of failure in the ExpressRoute path within Microsoft network. For design considerations to maximize the availability of an ExpressRoute circuit, see [Designing for high availability with ExpressRoute][HA].

-description: This article shows how to configure an endpoint with Endpoint Manager.

-# Configure an Azure Front Door Standard/Premium (Preview) endpoint with Endpoint Manager

-> [!NOTE]

-> This documentation is for Azure Front Door Standard/Premium (Preview). Looking for information on Azure Front Door? View **[Azure Front Door Docs](../front-door-overview.md)**.

-This article shows you how to create an endpoint for an existing Azure Front Door Standard/Premium profile with Endpoint Manager.

-> [!IMPORTANT]

-> Azure Front Door Standard/Premium (Preview) is currently in public preview.

-> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-## Prerequisites

-Before you can create an Azure Front Door Standard/Premium endpoint with Endpoint Manager, you must have created at least one Azure Front Door profile created. The profile has to have at least one or more Azure Front Door Standard/Premium endpoints. To organize your Azure Front Door Standard/Premium endpoints by internet domain, web application, or other criteria, you can use multiple profiles.

-To create an Azure Front Door profile, see [Create a new Azure Front Door Standard/Premium profile](create-front-door-portal.md).

-## Create a new Azure Front Door Standard/Premium Endpoint

-1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to your Azure Front Door Standard/Premium profile.

-1. Select **Endpoint Manager**. Then select **Add an Endpoint** to create a new Endpoint.

-

- :::image type="content" source="../media/how-to-configure-endpoints/select-create-endpoint.png" alt-text="Screenshot of add an endpoint through Endpoint Manager.":::

-1. On the **Add an endpoint** page, enter, and select the following settings.

-

- :::image type="content" source="../media/how-to-configure-endpoints/create-endpoint-page.png" alt-text="Screenshot of add an endpoint page.":::

- | Settings | Value |

- | -- | -- |

- | Name | Enter a unique name for the new Azure Front Door Standard/Premium endpoint. This name is used to access your cached resources at the domain `<endpointname>.az01.azurefd.net` |

- | Origin Response timeout (secs) | Enter a timeout value in seconds that Azure Front Door will wait before considering the connection with origin has timeout. |

- | Status | Select the checkbox to enable this endpoint. |

-## Add Domains, Origin Group, Routes, and Security

-1. Select **Edit Endpoint** at the endpoint to configure the route.

-1. On the **Edit Endpoint** page, select **+ Add** under Domains.

-

- :::image type="content" source="../media/how-to-configure-endpoints/select-add-domain.png" alt-text="Screenshot of select domain on Edit Endpoint page.":::

-### Add Domain

-1. On the **Add Domain** page, choose to associate a domain *from your Azure Front Door profile* or *add a new domain*. For information about how to create a brand new domain, see [Create a new Azure Front Door Standard/Premium custom domain](how-to-add-custom-domain.md).

- :::image type="content" source="../media/how-to-configure-endpoints/add-domain-page.png" alt-text="Screenshot of Add a domain page.":::

-1. Select **Add** to add the domain to current endpoint. The selected domain should appear within the Domain panel.

- :::image type="content" source="../media/how-to-configure-endpoints/domain-in-domainview.png" alt-text="Screenshot of domains in domain view.":::

-### Add Origin Group

-1. Select **Add** at the Origin groups view. The **Add an origin group** page appears

- :::image type="content" source="../media/how-to-configure-endpoints/add-origin-group-view.png" alt-text="Screenshot of add an origin group page":::

-1. For **Name**, enter a unique name for the new origin group

-1. Select **Add an Origin** to add a new origin to current group.

-

-#### Health Probes

-Front Door sends periodic HTTP/HTTPS probe requests to each of your origin. Probe requests determine the proximity and health of each origin to load balance your end-user requests. Health probe settings for an origin group define how we poll the health status of app origin. The following settings are available for load-balancing configuration:

-> [!WARNING]

-> Since Front Door has many edge environments globally, health probe volume for your origin can be quite high - ranging from 25 requests every minute to as high as 1200 requests per minute, depending on the health probe frequency configured. With the default probe frequency of 30 seconds, the probe volume on your origin should be about 200 requests per minute.

-* **Status**: Specify whether to turn on the health probing. If you have a single origin in your origin group, you can choose to disable the health probes reducing the load on your application backend. Even if you have multiple origins in the group but only one of them is in enabled state, you can disable health probes.

-

-* **Path**: The URL used for probe requests for all the origin in this origin group. For example, if one of your origins is contoso-westus.azurewebsites.net and the path is set to /probe/test.aspx, then Front Door environments, assuming the protocol is set to HTTP, will send health probe requests to `http://contoso-westus.azurewebsites.net/probe/test.aspx`.

-

-* **Protocol**: Defines whether to send the health probe requests from Front Door to your origin with HTTP or HTTPS protocol.

-

-* **Probe Method**: The HTTP method to be used for sending health probes. Options include GET or HEAD (default).

- > [!NOTE]

- > For lower load and cost on your origin, Front Door recommends using HEAD requests for health probes.

-* **Interval(in seconds)**: Defines the frequency of health probes to your origin, or the intervals in which each of the Front Door environments sends a probe.

-

- >[!NOTE]

- >For faster failovers, set the interval to a lower value. The lower the value, the higher the health probe volume your origin receive. For example, if the interval is set to 30 seconds with say, 100 Front Door POPs globally, each backend will receive about 200 probe requests per minute.

-#### Load balancing

-Load-balancing settings for the origin group define how we evaluate health probes. These settings determine if the backend is healthy or unhealthy. They also check how to load-balance traffic between different origins in the origin group. The following settings are available for load-balancing configuration:

-Select **Add** to add the origin group to current endpoint. The origin group should appear within the Origin group panel

-### Add Route

-Select **Add** at the Routes view, the **Add a route** page appears. For information how to associate the domain and origin group, see [Create a new Azure Front Door route](how-to-configure-route.md)

-### Add Security

-1. Select **Add** at the Security view, The **Add a WAF policy** page appears

-

- :::image type="content" source="../media/how-to-configure-endpoints/add-waf-policy-page.png" alt-text="Screenshot of add a WAF policy page.":::

-1. **WAF Policy**: select a WAF policy you like apply for the selected domain within this endpoint.

-

- Select **Create New** to create a brand new WAF policy.

- :::image type="content" source="../media/how-to-configure-endpoints/create-new-waf-policy.png" alt-text="Screenshot of create a new WAF policy.":::

-

- **Name**: enter a unique name for the new WAF policy. You could edit this policy with more configuration from the Web Application Firewall page.

- **Domains**: select the domain to apply the WAF policy.

-1. Select **Add** button. The WAF policy should appear within the Security panel

- :::image type="content" source="../media/how-to-configure-endpoints/waf-in-security-view.png" alt-text="Screenshot of WAF policy in security view.":::

-## Clean up resources

-To delete an endpoint when it's no longer needed, select **Delete Endpoint** at the end of the endpoint row

-## Next steps

-To learn about custom domains, continue to [Adding a custom domain](how-to-add-custom-domain.md).

-* If requests going through Azure Front Door result in a 503 error response code, configure **Origin response timeout (in seconds)** for the endpoint. You can extend the default timeout to up to 4 minutes, which is 240 seconds. To configure the setting, go to **Endpoint manager** and select **Edit endpoint**.

- :::image type="content" source="./media/troubleshoot-issues/origin-response-timeout-1.png" alt-text="Screenshot that shows selecting Edit endpoint from Endpoint manager.":::

- Then select **Endpoint properties** to configure **Origin response timeout**.

- :::image type="content" source="./media/troubleshoot-issues/origin-response-timeout-2.png" alt-text="Screenshot that shows selecting Endpoint properties and the Origin response timeout field." lightbox="./media/troubleshoot-issues/origin-response-timeout-2-expanded.png":::

-Many Built-in roles grant permission to Azure Policy resources. The **Resource Policy Contributor**

-> All Policy objects, including definitions, initatives, and assignments, will be readable to all

-> roles over its scope. For example, a Policy assignment scoped to an Azure subscription will be readable

-If none of the Built-in roles have the permissions required, create a

-Azure Policy operations can have a significant impact on your Azure environment. Only the minimum set of

-

-For long-term storage and control over archiving and retention policies, you can [continuously export your data](howto-export-data.md) to other storage destinations. Use of separate storage also lets you use other analytics tools to derive insights and view the data in your solution.

-> IoT Central accepts any valid JSON but it can only be used for visualizations if it matches a definition in the device model. You can export data that doesn't match a definition, see [Export IoT data to destinations in Azure](howto-export-data.md).

-Now that you've learned how to visualize your data with the built-in analytics capabilities, a suggested next step is to learn how to [Export IoT data to cloud destinations using data export](howto-export-data.md).

-Organizations is an optional feature that gives you more control over the [users and roles](howto-manage-users-roles.md) in your application.

-Now that you've learned how to manage Azure IoT Central organizations, the suggested next step is learn how to [Export IoT data to cloud destinations using data export](howto-export-data.md).

-The legacy data export (classic) feature is now deprecated and you should plan to migrate to the new [data export feature](howto-export-data.md). The legacy data export lacks important capabilities such as the availability of different data types, filtering, and message transformation. See the following table for a comparison of legacy data export with new data export:

-> - For information about the latest data export features, see [Export IoT data to cloud destinations using data export](./howto-export-data.md).

-description: How to use the new data export to export your IoT data to Azure and custom cloud destinations.

-# Export IoT data to cloud destinations using data export

-This article describes how to use data export in Azure IoT Central. Use this feature to continuously export filtered and enriched IoT data from your IoT Central application. Data export pushes changes in near real time to other parts of your cloud solution for warm-path insights, analytics, and storage.

-For example, you can:

-> [!Tip]

-> When you turn on data export, you get only the data from that moment onward. Currently, data can't be retrieved for a time when data export was off. To retain more historical data, turn on data export early.

-## Prerequisites

-To use data export features, you must have the [Data export](howto-manage-users-roles.md) permission.

-## Set up an export destination

-Your export destination must exist before you configure your data export. Choose from the following destination types:

-# [Blob Storage](#tab/blob-storage)

-IoT Central exports data once per minute, with each file containing the batch of changes since the previous export. Exported data is saved in JSON format. The default paths to the exported data in your storage account are:

-To browse the exported files in the Azure portal, navigate to the file and select **Edit blob**.

-### Connection options

-Blob Storage destinations let you configure the connection with a *connection string* or a [managed identity](../../active-directory/managed-identities-azure-resources/overview.md).

-This article shows how to create a managed identity in the Azure portal. You can also use the Azure CLI to create a manged identity. To learn more, see [Assign a managed identity access to a resource using Azure CLI](../../active-directory/managed-identities-azure-resources/howto-assign-access-cli.md).

-# [Service Bus](#tab/service-bus)

-Both queues and topics are supported for Azure Service Bus destinations.

-IoT Central exports data in near real time. The data is in the message body and is in JSON format encoded as UTF-8.

-The annotations or system properties bag of the message contains the `iotcentral-device-id`, `iotcentral-application-id`, `iotcentral-message-source`, and `iotcentral-message-type` fields that have the same values as the corresponding fields in the message body.

-### Connection options

-Service Bus destinations let you configure the connection with a *connection string* or a [managed identity](../../active-directory/managed-identities-azure-resources/overview.md).

-This article shows how to create a managed identity in the Azure portal. You can also use the Azure CLI to create a manged identity. To learn more, see [Assign a managed identity access to a resource using Azure CLI](../../active-directory/managed-identities-azure-resources/howto-assign-access-cli.md).

-# [Event Hubs](#tab/event-hubs)

-IoT Central exports data in near real time. The data is in the message body and is in JSON format encoded as UTF-8.

-The annotations or system properties bag of the message contains the `iotcentral-device-id`, `iotcentral-application-id`, `iotcentral-message-source`, and `iotcentral-message-type` fields that have the same values as the corresponding fields in the message body.

-### Connection options

-Event Hubs destinations let you configure the connection with a *connection string* or a [managed identity](../../active-directory/managed-identities-azure-resources/overview.md).

-This article shows how to create a managed identity in the Azure portal. You can also use the Azure CLI to create a manged identity. To learn more, see [Assign a managed identity access to a resource using Azure CLI](../../active-directory/managed-identities-azure-resources/howto-assign-access-cli.md).

-# [Azure Data Explorer](#tab/data-explorer)

-You can use an [Azure Data Explorer cluster](/azure/data-explorer/data-explorer-overview) or an [Azure Synapse Data Explorer pool](../../synapse-analytics/data-explorer/data-explorer-overview.md). To learn more, see [What is the difference between Azure Synapse Data Explorer and Azure Data Explorer?](../..//synapse-analytics/data-explorer/data-explorer-compare.md).

-IoT Central exports data in near real time to a database table in the Azure Data Explorer cluster. The data is in the message body and is in JSON format encoded as UTF-8. You can add a [Transform](howto-transform-data-internally.md) in IoT Central to export data that matches the table schema.

-To query the exported data in the Azure Data Explorer portal, navigate to the database and select **Query**.

-The following video walks you through exporting data to Azure Data Explorer:

-> [!VIDEO https://aka.ms/docs/player?id=9e0c0e58-2753-42f5-a353-8ae602173d9b]

-### Connection options

-Azure Data Explorer destinations let you configure the connection with a *service principal* or a [managed identity](../../active-directory/managed-identities-azure-resources/overview.md).

-This article shows how to create a managed identity using the Azure CLI. You can also use the Azure portal to create a manged identity.

-# [Webhook](#tab/webhook)

-For webhook destinations, IoT Central exports data in near real time. The data in the message body is in the same format as for Event Hubs and Service Bus.

-### Create a webhook destination

-You can export data to a publicly available HTTP webhook endpoint. You can create a test webhook endpoint using [RequestBin](https://requestbin.net/). RequestBin throttles request when the request limit is reached:

-1. Open [RequestBin](https://requestbin.net/).

-1. Create a new RequestBin and copy the **Bin URL**. You use this URL when you test your data export.

-To create the Azure Data Explorer destination in IoT Central on the **Data export** page:

-1. Select **+ New destination**.

-1. Select **Webhook** as the destination type.

-1. Paste the callback URL for your webhook endpoint. You can optionally configure webhook authorization and add custom headers.

- - For **OAuth2.0**, only the client credentials flow is supported. When you save the destination, IoT Central communicates with your OAuth provider to retrieve an authorization token. This token is attached to the `Authorization` header for every message sent to this destination.

- - For **Authorization token**, you can specify a token value that's directly attached to the `Authorization` header for every message sent to this destination.

-1. Select **Save**.

-# [Service principal](#tab/service-principal/data-explorer)

-### Create an Azure Data Explorer destination

-If you don't have an existing Azure Data Explorer database to export to, follow these steps:

-1. You have two choices to create an Azure Data Explorer database:

- - Create a new Azure Data Explorer cluster and database. To learn more, see the [Azure Data Explorer quickstart](/azure/data-explorer/create-cluster-database-portal). Make a note of the cluster URI and the name of the database you create, you need these values in the following steps.

- - Create a new Azure Synapse Data Explorer pool and database. To learn more, see the [Azure Data Explorer quickstart](../../synapse-analytics/get-started-analyze-data-explorer.md). Make a note of the pool URI and the name of the database you create, you need these values in the following steps.

-1. Create a service principal that you can use to connect your IoT Central application to Azure Data Explorer. Use the Azure Cloud Shell to run the following command:

- ```azurecli

- az ad sp create-for-rbac --skip-assignment --name "My SP for IoT Central" --scopes /subscriptions/<SubscriptionId>

- ```

- Make a note of the `appId`, `password`, and `tenant` values in the command output, you need them in the following steps.

-1. To add the service principal to the database, navigate to the Azure Data Explorer portal and run the following query on your database. Replace the placeholders with the values you made a note of previously:

- ```kusto

- .add database ['<YourDatabaseName>'] admins ('aadapp=<YourAppId>;<YourTenant>');

- ```

-1. Create a table in your database with a suitable schema for the data you're exporting. The following example query creates a table called `smartvitalspatch`. To learn more, see [Transform data inside your IoT Central application for export](howto-transform-data-internally.md):

- ```kusto

- .create table smartvitalspatch (

- EnqueuedTime:datetime,

- Message:string,

- Application:string,

- Device:string,

- Simulated:boolean,

- Template:string,

- Module:string,

- Component:string,

- Capability:string,

- Value:dynamic

- )

- ```

-1. (Optional) To speed up ingesting data into your Azure Data Explorer database:

- 1. Navigate to the **Configurations** page for your Azure Data Explorer cluster. Then enable the **Streaming ingestion** option.

- 1. Run the following query to alter the table policy to enable streaming ingestion:

- ```kusto

- .alter table smartvitalspatch policy streamingingestion enable

- ```

-To create the Azure Data Explorer destination in IoT Central on the **Data export** page:

-1. Select **+ New destination**.

-1. Select **Azure Data Explorer** as the destination type.

-1. Enter your Azure Data Explorer cluster or pool URL, database name, and table name. The following table shows the service principal values to use for the authorization:

- | Service principal value | Destination configuration |

- | -- | - |

- | appId | ClientID |

- | tenant | Tenant ID |

- | password | Client secret |

- > [!TIP]

- > The cluster URL for a standalone Azure Data Explorer looks like `https://<ClusterName>.<AzureRegion>.kusto.windows.net`. The cluster URL for an Azure Synapse Data Explorer pool looks like `https://<DataExplorerPoolName>.<SynapseWorkspaceName>.kusto.azuresynapse.net`.

- :::image type="content" source="media/howto-export-data/export-destination.png" alt-text="Screenshot of Azure Data Explorer export destination.":::

-# [Managed identity](#tab/managed-identity/data-explorer)

-### Create an Azure Data Explorer destination

-If you don't have an existing Azure Data Explorer database to export to, follow these steps. You have two choices to create an Azure Data Explorer database:

-To configure the managed identity that enables your IoT Central application to securely export data to your Azure resource:

-1. Create a managed identity for your IoT Central application to use to connect to your database. Use the Azure Cloud Shell to run the following command:

- ```azurecli

- az iot central app identity assign --name {your IoT Central app name} \

- --resource-group {resource group name} \

- --system-assigned

- ```

- Make a note of the `principalId` and `tenantId` output by the command. You use these values in the following step.

-1. Configure the database permissions to allow connections from your IoT Central application. Use the Azure Cloud Shell to run the following command:

- ```azurecli

- az kusto database-principal-assignment create --cluster-name {name of your cluster} \

- --database-name {name of your database} \

- --resource-group {resource group name} \

- --principal-assignment-name {name of your IoT Central application} \

- --principal-id {principal id from the previous step} \

- --principal-type App --role Admin \

- --tenant-id {tenant id from the previous step}

- ```

- > [!TIP]

- > If you're using Azure Synapse, see [`az synapse kusto database-principal-assignment`](/cli/azure/synapse/kusto/database-principal-assignment).

-1. Create a table in your database with a suitable schema for the data you're exporting. The following example query creates a table called `smartvitalspatch`. To learn more, see [Transform data inside your IoT Central application for export](howto-transform-data-internally.md):

- ```kusto

- .create table smartvitalspatch (

- EnqueuedTime:datetime,

- Message:string,

- Application:string,

- Device:string,

- Simulated:boolean,

- Template:string,

- Module:string,

- Component:string,

- Capability:string,

- Value:dynamic

- )

- ```

-1. (Optional) To speed up ingesting data into your Azure Data Explorer database:

- 1. Navigate to the **Configurations** page for your Azure Data Explorer cluster. Then enable the **Streaming ingestion** option.

- 1. Run the following query to alter the table policy to enable streaming ingestion:

- ```kusto

- .alter table smartvitalspatch policy streamingingestion enable

- ```

-To create the Azure Data Explorer destination in IoT Central on the **Data export** page:

-1. Select **+ New destination**.

-1. Select **Azure Data Explorer** as the destination type.

-1. Enter your Azure Data Explorer cluster or pool URL, database name, and table name. Select **System-assigned managed identity** as the authorization type.

- > [!TIP]

- > The cluster URL for a standalone Azure Data Explorer looks like `https://<ClusterName>.<AzureRegion>.kusto.windows.net`. The cluster URL for an Azure Synapse Data Explorer pool looks like `https://<DataExplorerPoolName>.<SynapseWorkspaceName>.kusto.azuresynapse.net`.

- :::image type="content" source="media/howto-export-data/export-destination-managed.png" alt-text="Screenshot of Azure Data Explorer export destination.":::

-# [Connection string](#tab/connection-string/event-hubs)

-### Create an Event Hubs destination

-If you don't have an existing Event Hubs namespace to export to, follow these steps:

-1. Create a [new Event Hubs namespace in the Azure portal](https://portal.azure.com/#create/Microsoft.EventHub). You can learn more in [Azure Event Hubs docs](../../event-hubs/event-hubs-create.md).

-1. Create an event hub in your Event Hubs namespace. Go to your namespace, and select **+ Event Hub** at the top to create an event hub instance.

-1. Generate a key to use when you to set up your data export in IoT Central:

- - Select the event hub instance you created.

- - Select **Settings > Shared access policies**.

- - Create a new key or choose an existing key that has **Send** permissions.

- - Copy either the primary or secondary connection string. You use this connection string to set up a new destination in IoT Central.

- - Alternatively, you can generate a connection string for the entire Event Hubs namespace:

- 1. Go to your Event Hubs namespace in the Azure portal.

- 2. Under **Settings**, select **Shared Access Policies**.

- 3. Create a new key or choose an existing key that has **Send** permissions.

- 4. Copy either the primary or secondary connection string.

-To create the Event Hubs destination in IoT Central on the **Data export** page:

-1. Select **+ New destination**.

-1. Select **Azure Event Hubs** as the destination type.

-1. Select **Connection string** as the authorization type.

-1. Paste in the connection string for your Event Hubs resource, and enter the case-sensitive event hub name if necessary.

-1. Select **Save**.

-# [Managed identity](#tab/managed-identity/event-hubs)

-### Create an Event Hubs destination

-If you don't have an existing Event Hubs namespace to export to, follow these steps:

-1. Create a [new Event Hubs namespace in the Azure portal](https://portal.azure.com/#create/Microsoft.EventHub). You can learn more in [Azure Event Hubs docs](../../event-hubs/event-hubs-create.md).

-1. Create an event hub in your Event Hubs namespace. Go to your namespace, and select **+ Event Hub** at the top to create an event hub instance.

-To configure the permissions:

-1. On the **Add role assignment** page, select the scope and subscription you want to use.

- > [!TIP]

- > If your IoT Central application and event hub are in the same resource group, you can choose **Resource group** as the scope and then select the resource group.

-1. Select **Azure Event Hubs Data Sender** as the **Role**.

-1. Select **Save**. The managed identity for your IoT Central application is now configured.

-To further secure your event hub and only allow access from trusted services with managed identities, see [Export data to a secure destination on an Azure Virtual Network](howto-connect-secure-vnet.md).

-To create the Event Hubs destination in IoT Central on the **Data export** page:

-1. Select **+ New destination**.

-1. Select **Azure Event Hubs** as the destination type.

-1. Select **System-assigned managed identity** as the authorization type.

-1. Enter the host name of your Event Hubs resource. Then enter the case-sensitive event hub name. A host name looks like: `contoso-waste.servicebus.windows.net`.

-1. Select **Save**.

-# [Connection string](#tab/connection-string/service-bus)

-### Create a Service Bus queue or topic destination

-If you don't have an existing Service Bus namespace to export to, follow these steps:

-1. Create a [new Service Bus namespace in the Azure portal](https://portal.azure.com/#create/Microsoft.ServiceBus.1.0.5). You can learn more in [Azure Service Bus docs](../../service-bus-messaging/service-bus-create-namespace-portal.md).

-1. To create a queue or topic to export to, go to your Service Bus namespace, and select **+ Queue** or **+ Topic**.

-1. Generate a key to use when you to set up your data export in IoT Central:

- - Select the queue or topic you created.

- - Select **Settings/Shared access policies**.

- - Create a new key or choose an existing key that has **Send** permissions.

- - Copy either the primary or secondary connection string. You use this connection string to set up a new destination in IoT Central.

- - Alternatively, you can generate a connection string for the entire Service Bus namespace:

- 1. Go to your Service Bus namespace in the Azure portal.

- 2. Under **Settings**, select **Shared Access Policies**.

- 3. Create a new key or choose an existing key that has **Send** permissions.

- 4. Copy either the primary or secondary connection string.

-To create the Service Bus destination in IoT Central on the **Data export** page:

-1. Select **+ New destination**.

-1. Select **Azure Service Bus Queue** or **Azure Service Bus Topic** as the destination type.

-1. Select **Connection string** as the authorization type.

-1. Paste in the connection string for your Service Bus resource, and enter the case-sensitive queue or topic name if necessary.

-1. Select **Save**.

-# [Managed identity](#tab/managed-identity/service-bus)

-### Create a Service Bus queue or topic destination

-If you don't have an existing Service Bus namespace to export to, follow these steps:

-1. Create a [new Service Bus namespace in the Azure portal](https://portal.azure.com/#create/Microsoft.ServiceBus.1.0.5). You can learn more in [Azure Service Bus docs](../../service-bus-messaging/service-bus-create-namespace-portal.md).

-1. To create a queue or topic to export to, go to your Service Bus namespace, and select **+ Queue** or **+ Topic**.

-To configure the permissions:

-1. On the **Add role assignment** page, select the scope and subscription you want to use.

- > [!TIP]

- > If your IoT Central application and queue or topic are in the same resource group, you can choose **Resource group** as the scope and then select the resource group.

-1. Select **Azure Service Bus Data Sender** as the **Role**.

-1. Select **Save**. The managed identity for your IoT Central application is now configured.

-To further secure your queue or topic and only allow access from trusted services with managed identities, see [Export data to a secure destination on an Azure Virtual Network](howto-connect-secure-vnet.md).

-To create the Service Bus destination in IoT Central on the **Data export** page:

-1. Select **+ New destination**.

-1. Select **Azure Service Bus Queue** or **Azure Service Bus Topic** as the destination type.

-1. Select **System-assigned managed identity** as the authorization type.

-1. Enter the host name of your Service Bus resource. Then enter the case-sensitive queue or topic name. A host name looks like: `contoso-waste.servicebus.windows.net`.

-1. Select **Save**.

-# [Connection string](#tab/connection-string/blob-storage)

-### Create an Azure Blob Storage destination

-If you don't have an existing Azure storage account to export to, follow these steps:

-1. Create a [new storage account in the Azure portal](https://portal.azure.com/#create/Microsoft.StorageAccount-ARM). You can learn more about creating new [Azure Blob storage accounts](../../storage/blobs/storage-quickstart-blobs-portal.md) or [Azure Data Lake Storage v2 storage accounts](../../storage/common/storage-account-create.md). Data export can only write data to storage accounts that support block blobs. The following list shows the known compatible storage account types:

- |Performance Tier|Account Type|

- |-|-|

- |Standard|General Purpose V2|

- |Standard|General Purpose V1|

- |Standard|Blob storage|

- |Premium|Block Blob storage|

-1. To create a container in your storage account, go to your storage account. Under **Blob Service**, select **Browse Blobs**. Select **+ Container** at the top to create a new container.

-1. Generate a connection string for your storage account by going to **Settings > Access keys**. Copy one of the two connection strings.

-To create the Blob Storage destination in IoT Central on the **Data export** page:

-1. Select **+ New destination**.

-1. Select **Azure Blob Storage** as the destination type.

-1. Select **Connection string** as the authorization type.

-1. Paste in the connection string for your Blob Storage resource, and enter the case-sensitive container name if necessary.

-1. Select **Save**.

-# [Managed identity](#tab/managed-identity/blob-storage)

-### Create an Azure Blob Storage destination

-If you don't have an existing Azure storage account to export to, follow these steps:

-1. Create a [new storage account in the Azure portal](https://portal.azure.com/#create/Microsoft.StorageAccount-ARM). You can learn more about creating new [Azure Blob storage accounts](../../storage/blobs/storage-quickstart-blobs-portal.md) or [Azure Data Lake Storage v2 storage accounts](../../storage/common/storage-account-create.md). Data export can only write data to storage accounts that support block blobs. The following list shows the known compatible storage account types:

- |Performance Tier|Account Type|

- |-|-|

- |Standard|General Purpose V2|

- |Standard|General Purpose V1|

- |Standard|Blob storage|

- |Premium|Block Blob storage|

-1. To create a container in your storage account, go to your storage account. Under **Blob Service**, select **Browse Blobs**. Select **+ Container** at the top to create a new container.

-To configure the permissions:

-1. On the **Add role assignment** page, select the subscription you want to use and **Storage** as the scope. Then select your storage account as the resource.

-1. Select **Storage Blob Data Contributor** as the **Role**.

-1. Select **Save**. The managed identity for your IoT Central application is now configured.

- > [!TIP]

- > This role assignment isn't visible in the list on the **Azure role assignments** page.

-To further secure your blob container and only allow access from trusted services with managed identities, see [Export data to a secure destination on an Azure Virtual Network](howto-connect-secure-vnet.md).

-To create the Blob Storage destination in IoT Central on the **Data export** page:

-1. Select **+ New destination**.

-1. Select **Azure Blob Storage** as the destination type.

-1. Select **System-assigned managed identity** as the authorization type.

-1. Enter the endpoint URI for your storage account and the case-sensitive container name. An endpoint URI looks like: `https://contosowaste.blob.core.windows.net`.

-1. Select **Save**.

-## Set up a data export

-Now that you have a destination to export your data to, set up data export in your IoT Central application:

-1. Sign in to your IoT Central application.

-1. In the left pane, select **Data export**.

- > [!Tip]

- > If you don't see **Data export** in the left pane, then you don't have permissions to configure data export in your app. Talk to an administrator to set up data export.

-1. Select **+ New export**.

-1. Enter a display name for your new export, and make sure the data export is **Enabled**.

-1. Choose the type of data to export. The following table lists the supported data export types:

- | Data type | Description | Data format |

- | :- | :- | :-- |

- | Telemetry | Export telemetry messages from devices in near-real time. Each exported message contains the full contents of the original device message, normalized. | [Telemetry message format](#telemetry-format) |

- | Property changes | Export changes to device and cloud properties in near-real time. For read-only device properties, changes to the reported values are exported. For read-write properties, both reported and desired values are exported. | [Property change message format](#property-changes-format) |

- | Device connectivity | Export device connected and disconnected events. | [Device connectivity message format](#device-connectivity-changes-format) |

- | Device lifecycle | Export device registered, deleted, provisioned, enabled, disabled, displayNameChanged, and deviceTemplateChanged events. | [Device lifecycle changes message format](#device-lifecycle-changes-format) |

- | Device template lifecycle | Export published device template changes including created, updated, and deleted. | [Device template lifecycle changes message format](#device-template-lifecycle-changes-format) |

-1. Optionally, add filters to reduce the amount of data exported. There are different types of filter available for each data export type:

- <a name="DataExportFilters"></a>

- | Type of data | Available filters|

- |--||

- |Telemetry|<ul><li>Filter by device name, device ID, device template, and if the device is simulated</li><li>Filter stream to only contain telemetry that meets the filter conditions</li><li>Filter stream to only contain telemetry from devices with properties matching the filter conditions</li><li>Filter stream to only contain telemetry that has *message properties* meeting the filter condition. *Message properties* (also known as *application properties*) are sent in a bag of key-value pairs on each telemetry message optionally sent by devices that use the device SDKs. To create a message property filter, enter the message property key you're looking for, and specify a condition. Only telemetry messages with properties that match the specified filter condition are exported. [Learn more about application properties from IoT Hub docs](../../iot-hub/iot-hub-devguide-messages-construct.md) </li></ul>|

- |Property changes|<ul><li>Filter by device name, device ID, device template, and if the device is simulated</li><li>Filter stream to only contain property changes that meet the filter conditions</li></ul>|

- |Device connectivity|<ul><li>Filter by device name, device ID, device template, organizations, and if the device is simulated</li><li>Filter stream to only contain changes from devices with properties matching the filter conditions</li></ul>|

- |Device lifecycle|<ul><li>Filter by device name, device ID, device template, and if the device is provisioned, enabled, or simulated</li><li>Filter stream to only contain changes from devices with properties matching the filter conditions</li></ul>|

- |Device template lifecycle|<ul><li>Filter by device template</li></ul>|

-1. Optionally, enrich exported messages with extra key-value pair metadata. The following enrichments are available for the telemetry, property changes, device connectivity, and device lifecycle data export types:

-<a name="DataExportEnrichmnents"></a>

- - **Custom string**: Adds a custom static string to each message. Enter any key, and enter any string value.

- - **Property**, which adds to each message:

- - Device metadata such as device name, device template name, enabled, organizations, provisioned, and simulated.

- - The current device reported property or cloud property value to each message. If the exported message is from a device that doesn't have the specified property, the exported message doesn't get the enrichment.

-Configure the export destination:

-1. Select **+ Destination** to add a destination that you've already created or select **Create a new one**.

-1. To transform your data before it's exported, select **+ Transform**. To learn more, see [Transform data inside your IoT Central application for export](howto-transform-data-internally.md).

-1. Select **+ Destination** to add up to five destinations to a single export.

-1. When you've finished setting up your export, select **Save**. After a few minutes, your data appears in your destinations.

-## Monitor your export

-In IoT Central, the **Data export** page lets you check the status of your exports. You can also use [Azure Monitor](../../azure-monitor/overview.md) to see how much data you're exporting and any export errors. You can access export and device health metrics in charts in the Azure portal, with a REST API, or with queries in PowerShell or the Azure CLI. Currently, you can monitor the following data export metrics in Azure Monitor:

-To learn more, see [Monitor application health](howto-manage-iot-central-from-portal.md#monitor-application-health).

-## Data formats

-The following sections describe the formats of the exported data:

-### Telemetry format

-Each exported message contains a normalized form of the full message the device sent in the message body. The message is in JSON format and encoded as UTF-8. Information in each message includes:

-For Event Hubs and Service Bus, IoT Central exports a new message quickly after it receives the message from a device. In the user properties (also referred to as application properties) of each message, the `iotcentral-device-id`, `iotcentral-application-id`, and `iotcentral-message-source` are included automatically.

-For Blob storage, messages are batched and exported once per minute.

-The following example shows an exported telemetry message:

-```json

-{

- "applicationId": "1dffa667-9bee-4f16-b243-25ad4151475e",

- "messageSource": "telemetry",

- "deviceId": "1vzb5ghlsg1",

- "schema": "default@v1",

- "templateId": "urn:qugj6vbw5:___qbj_27r",

- "enqueuedTime": "2020-08-05T22:26:55.455Z",

- "telemetry": {

- "Activity": "running",

- "BloodPressure": {

- "Diastolic": 7,

- "Systolic": 71

- },

- "BodyTemperature": 98.73447010562934,

- "HeartRate": 88,

- "HeartRateVariability": 17,

- "RespiratoryRate": 13

- },

- "enrichments": {

- "userSpecifiedKey": "sampleValue"

- },

- "module": "VitalsModule",

- "component": "DeviceComponent",

- "messageProperties": {

- "messageProp": "value"

- }

-}

-```

-#### Message properties

-Telemetry messages have properties for metadata as well as the telemetry payload. The previous snippet shows examples of system messages such as `deviceId` and `enqueuedTime`. To learn more about the system message properties, see [System Properties of D2C IoT Hub messages](../../iot-hub/iot-hub-devguide-messages-construct.md#system-properties-of-d2c-iot-hub-messages).

-You can add properties to telemetry messages if you need to add custom metadata to your telemetry messages. For example, you need to add a timestamp when the device creates the message.

-The following code snippet shows how to add the `iothub-creation-time-utc` property to the message when you create it on the device:

-> [!IMPORTANT]

-> The format of this timestamp must be UTC with no timezone information. For example, `2021-04-21T11:30:16Z` is valid, `2021-04-21T11:30:16-07:00` is invalid.

-# [JavaScript](#tab/javascript)

-```javascript

-async function sendTelemetry(deviceClient, index) {

- console.log('Sending telemetry message %d...', index);

- const msg = new Message(

- JSON.stringify(

- deviceTemperatureSensor.updateSensor().getCurrentTemperatureObject()

- )

- );

- msg.properties.add("iothub-creation-time-utc", new Date().toISOString());

- msg.contentType = 'application/json';

- msg.contentEncoding = 'utf-8';

- await deviceClient.sendEvent(msg);

-}

-```

-# [Java](#tab/java)

-```java

-private static void sendTemperatureTelemetry() {

- String telemetryName = "temperature";

- String telemetryPayload = String.format("{\"%s\": %f}", telemetryName, temperature);

- Message message = new Message(telemetryPayload);

- message.setContentEncoding(StandardCharsets.UTF_8.name());

- message.setContentTypeFinal("application/json");

- message.setProperty("iothub-creation-time-utc", Instant.now().toString());

- deviceClient.sendEventAsync(message, new MessageIotHubEventCallback(), message);

- log.debug("My Telemetry: Sent - {\"{}\": {}┬░C} with message Id {}.", telemetryName, temperature, message.getMessageId());

- temperatureReadings.put(new Date(), temperature);

-}

-```

-# [C#](#tab/csharp)

-```csharp

-private async Task SendTemperatureTelemetryAsync()

-{

- const string telemetryName = "temperature";

- string telemetryPayload = $"{{ \"{telemetryName}\": {_temperature} }}";

- using var message = new Message(Encoding.UTF8.GetBytes(telemetryPayload))

- {

- ContentEncoding = "utf-8",

- ContentType = "application/json",

- };

- message.Properties.Add("iothub-creation-time-utc", DateTime.UtcNow.ToString("yyyy-MM-ddTHH:mm:ssZ"));

- await _deviceClient.SendEventAsync(message);

- _logger.LogDebug($"Telemetry: Sent - {{ \"{telemetryName}\": {_temperature}┬░C }}.");

-}

-```

-# [Python](#tab/python)

-```python

-async def send_telemetry_from_thermostat(device_client, telemetry_msg):

- msg = Message(json.dumps(telemetry_msg))

- msg.custom_properties["iothub-creation-time-utc"] = datetime.now(timezone.utc).isoformat()

- msg.content_encoding = "utf-8"

- msg.content_type = "application/json"

- print("Sent message")

- await device_client.send_message(msg)

-```

-The following snippet shows this property in the message exported to Blob storage:

-```json

-{

- "applicationId":"5782ed70-b703-4f13-bda3-1f5f0f5c678e",

- "messageSource":"telemetry",

- "deviceId":"sample-device-01",

- "schema":"default@v1",

- "templateId":"urn:modelDefinition:mkuyqxzgea:e14m1ukpn",

- "enqueuedTime":"2021-01-29T16:45:39.143Z",

- "telemetry":{

- "temperature":8.341033560421833

- },

- "messageProperties":{

- "iothub-creation-time-utc":"2021-01-29T16:45:39.021Z"

- },

- "enrichments":{}

-}

-```

-### Property changes format

-Each message or record represents changes to device and cloud properties. Information in the exported message includes:

-For Event Hubs and Service Bus, IoT Central exports new messages data to your event hub or Service Bus queue or topic in near real time. In the user properties (also referred to as application properties) of each message, the `iotcentral-device-id`, `iotcentral-application-id`, `iotcentral-message-source`, and `iotcentral-message-type` are included automatically.

-For Blob storage, messages are batched and exported once per minute.

-The following example shows an exported property change message received in Azure Blob Storage.

-```json

-{

- "applicationId": "1dffa667-9bee-4f16-b243-25ad4151475e",

- "messageSource": "properties",

- "messageType": "cloudPropertyChange",

- "deviceId": "18a985g1fta",

- "schema": "default@v1",

- "templateId": "urn:qugj6vbw5:___qbj_27r",

- "enqueuedTime": "2020-08-05T22:37:32.942Z",

- "properties": [{

- "name": "MachineSerialNumber",

- "value": "abc",

- "module": "VitalsModule",

- "component": "DeviceComponent"

- }],

- "enrichments": {

- "userSpecifiedKey" : "sampleValue"

- }

-}

-```

-### Device connectivity changes format

-Each message or record represents a connectivity event from a single device. Information in the exported message includes:

-For Event Hubs and Service Bus, IoT Central exports new messages data to your event hub or Service Bus queue or topic in near real time. In the user properties (also referred to as application properties) of each message, the `iotcentral-device-id`, `iotcentral-application-id`, `iotcentral-message-source`, and `iotcentral-message-type` are included automatically.

-For Blob storage, messages are batched and exported once per minute.

-The following example shows an exported device connectivity message received in Azure Blob Storage.

-```json

-{

- "applicationId": "1dffa667-9bee-4f16-b243-25ad4151475e",

- "messageSource": "deviceConnectivity",

- "messageType": "connected",

- "deviceId": "1vzb5ghlsg1",

- "schema": "default@v1",

- "templateId": "urn:qugj6vbw5:___qbj_27r",

- "enqueuedTime": "2021-04-05T22:26:55.455Z",

- "enrichments": {

- "userSpecifiedKey": "sampleValue"

- }

-}

-```

-### Device lifecycle changes format

-Each message or record represents one change to a single device. Information in the exported message includes:

-For Event Hubs and Service Bus, IoT Central exports new messages data to your event hub or Service Bus queue or topic in near real time. In the user properties (also referred to as application properties) of each message, the `iotcentral-device-id`, `iotcentral-application-id`, `iotcentral-message-source`, and `iotcentral-message-type` are included automatically.

-For Blob storage, messages are batched and exported once per minute.

-The following example shows an exported device lifecycle message received in Azure Blob Storage.

-```json

-{

- "applicationId": "1dffa667-9bee-4f16-b243-25ad4151475e",

- "messageSource": "deviceLifecycle",

- "messageType": "registered",

- "deviceId": "1vzb5ghlsg1",

- "schema": "default@v1",

- "templateId": "urn:qugj6vbw5:___qbj_27r",

- "enqueuedTime": "2021-01-01T22:26:55.455Z",

- "enrichments": {

- "userSpecifiedKey": "sampleValue"

- }

-}

-```

-### Device template lifecycle changes format

-Each message or record represents one change to a single published device template. Information in the exported message includes:

-For Event Hubs and Service Bus, IoT Central exports new messages data to your event hub or Service Bus queue or topic in near real time. In the user properties (also referred to as application properties) of each message, the `iotcentral-device-id`, `iotcentral-application-id`, `iotcentral-message-source`, and `iotcentral-message-type` are included automatically.

-For Blob storage, messages are batched and exported once per minute.

-The following example shows an exported device lifecycle message received in Azure Blob Storage.

-```json

-{

- "applicationId": "1dffa667-9bee-4f16-b243-25ad4151475e",

- "messageSource": "deviceTemplateLifecycle",

- "messageType": "created",

- "schema": "default@v1",

- "templateId": "urn:qugj6vbw5:___qbj_27r",

- "enqueuedTime": "2021-01-01T22:26:55.455Z",

- "enrichments": {

- "userSpecifiedKey": "sampleValue"

- }

-}

-```

-## Next steps

-Now that you know how to configure data export, a suggested next step is to learn [Transform data inside your IoT Central application for export](howto-transform-data-internally.md).

-The IoT Central REST API lets you develop client applications that integrate with IoT Central applications. You can use the REST API to create and manage [data exports](howto-export-data.md) in your IoT Central application.

-* `connectionString`:The connection string for accessing the destination resource.

-You can include connection and disconnection events in [exports from IoT Central](howto-export-data.md#set-up-a-data-export). To learn more, see [React to IoT Hub events > Limitations for device connected and device disconnected events](../../iot-hub/iot-hub-event-grid.md#limitations-for-device-connected-and-device-disconnected-events).

-description: This article describes how to create and manage your IoT Central application using the Azure CLI or PowerShell. You can view, modify, and remove the application using these tools. You can also configure a managed system identity that can you can use to setup secure data export.

-An IoT Central application can use a system assigned [managed identity](../../active-directory/managed-identities-azure-resources/overview.md) to secure the connection to a [data export destination](howto-export-data.md#connection-options).

-* To learn more about to configure role assignments in the Azure portal for specific destinations, see [Export IoT data to cloud destinations using data export](howto-export-data.md).

-The following steps assume you have an [IoT Central application](./howto-create-iot-central-application.md) with some [connected devices](./tutorial-connect-device.md) or a running [data export](howto-export-data.md).

-For a list of of the metrics that are currently available for IoT Central, see [Supported metrics with Azure Monitor](../../azure-monitor/essentials/metrics-supported.md#microsoftiotcentraliotapps).

-To learn more about how to add an Azure Data Explorer cluster and database as an export destination, see [Create an Azure Data Explorer destination](howto-export-data.md#create-an-azure-data-explorer-destination).

-In this scenario, you export data to Azure Data Explorer and then a use a connector to visualize the data in Power BI. To learn more about how to add an Azure Data Explorer cluster and database as an export destination, see [Create an Azure Data Explorer destination](howto-export-data.md#create-an-azure-data-explorer-destination).

-| Message Enrichment | Enrichments from external data sources not found in device properties or telemetry. To learn more about internal enrichments, see [Export IoT data to cloud destinations using data export](howto-export-data.md) | Add weather information to messages using [location data](howto-use-location-data.md) from devices. | Transform using the egress pattern to take advantage of scalable device ingress through direct connection to IoT Central. |

-Data export enables you to set up streams of data to external systems. To learn more, see the [Export your data in Azure IoT Central](./howto-export-data.md) article.

-As an application platform, IoT Central lets you transform your IoT data into the business insights that drive actionable outcomes. [Rules](./tutorial-create-telemetry-rules.md), [data export](./howto-export-data.md), and the [public REST API](/learn/modules/manage-iot-central-apps-with-rest-api/) are examples of how you can integrate IoT Central with line-of-business applications:

-> A similar offering, [Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-overview), helps service providers onboard, monitor, and manage their Microsoft 365 customers at scale. Microsoft 365 Lighthouse is currently in preview.

-description: Connect to on-premises file systems with the File System connector through the on-premises data gateway in Azure Logic Apps.

-# Connect to on-premises file systems with Azure Logic Apps

-With Azure Logic Apps and the File System connector, you can create automated tasks and workflows that create and manage files on an on-premises file share, for example:

- > [!IMPORTANT]

- > - The File System connector currently supports only Windows file systems on Windows operating systems.

- > - The gateway machine and the file server must exist in the same Windows domain.

- > - Mapped network drives aren't supported.

-This article shows how you can connect to an on-premises file system as described by this example scenario: copy a file that's uploaded to Dropbox to a file share, and then send an email. To securely connect and access on-premises systems, logic apps use the [on-premises data gateway](../logic-apps/logic-apps-gateway-connection.md). If you're new to logic apps, review [What is Azure Logic Apps?](../logic-apps/logic-apps-overview.md). For connector-specific technical information, see the [File System connector reference](/connectors/filesystem/).

-* An Azure subscription. If you don't have an Azure subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/).

-* Before you can connect logic apps to on-premises systems such as your file system server, you need to [install and set up an on-premises data gateway](../logic-apps/logic-apps-gateway-install.md). That way, you can specify to use your gateway installation when you create the file system connection from your logic app.

-* A [Dropbox account](https://www.dropbox.com/), which you can sign up for free. Your account credentials are necessary for creating a connection between your logic app and your Dropbox account.

-* An email account from a provider that's supported by Logic Apps, such as Office 365 Outlook, Outlook.com, or Gmail. For other providers, [review the connectors list here](/connectors/). This logic app uses a work or school account. If you use another email account, the overall steps are the same, but your UI might slightly differ.

-* Basic knowledge about [how to create logic apps](../logic-apps/quickstart-create-first-logic-app-workflow.md). For this example, you need a blank logic app.

-## Add trigger

-1. Sign in to the [Azure portal](https://portal.azure.com), and open your logic app in Logic App Designer, if not open already.

-1. In the search box, enter "dropbox" as your filter. From the triggers list, select this trigger: **When a file is created**

- 

-1. Sign in with your Dropbox account credentials, and authorize access to your Dropbox data for Azure Logic Apps.

-1. Provide the required information for your trigger.

- 

-## Add actions

-1. Under the trigger, choose **Next step**. In the search box, enter "file system" as your filter. From the actions list, select this action: **Create file**

- 

-1. If you don't already have a connection to your file system, you're prompted to create a connection.

- 

- | -- | -- | -- | -- |

- | **Connection Name** | Yes | <*connection-name*> | The name you want for your connection |

- | **Root folder** | Yes | <*root-folder-name*> | The root folder for your file system, for example, if you installed your on-premises data gateway such as a local folder on the computer where the on-premises data gateway is installed, or the folder for a network share that the computer can access. <p>For example: `\\PublicShare\\DropboxFiles` <p>The root folder is the main parent folder, which is used for relative paths for all file-related actions. |

- | **Authentication Type** | No | <*auth-type*> | The type of authentication that your file system uses: **Windows** |

- | **Username** | Yes | <*domain*>\\<*username*> <p>-or- <p><*local-computer*>\\<*username*> | The username for the computer where you have your file system folder. <p>If your file system folder is on the same computer as the on-premises data gateway, you can use <*local-computer*>\\<*username*>. |

- | **Password** | Yes | <*your-password*> | The password for the computer where you have your file system |

- | **gateway** | Yes | <*installed-gateway-name*> | The name for your previously installed gateway |

-1. When you're done, choose **Create**.

- Logic Apps configures and tests your connection, making sure that the connection works properly. If the connection is set up correctly, options appear for the action that you previously selected.

-1. In the **Create file** action, provide the details for copying files from Dropbox to the root folder in your on-premises file share. To add outputs from previous steps, click inside the boxes, and select from available fields when the dynamic content list appears.

- 

-1. Now, add an Outlook action that sends an email so the appropriate users know about the new file. Enter the recipients, title, and body of the email. For testing, you can use your own email address.

- 

-1. Save your logic app. Test your app by uploading a file to Dropbox.

- Your logic app should copy the file to your on-premises file share, and send the recipients an email about the copied file.

-## Connector reference

-For more technical details about this connector, such as triggers, actions, and limits as described by the connector's Swagger file, see the [connector's reference page](/connectors/fileconnector/).

-> [!NOTE]

-> For logic apps in an [integration service environment (ISE)](../logic-apps/connect-virtual-network-vnet-isolated-environment-overview.md),

-> this connector's ISE-labeled version uses the [ISE message limits](../logic-apps/logic-apps-limits-and-config.md#message-size-limits) instead.

-description: 'Learn about model management (MLOps) with Azure Machine Learning. Deploy, manage, track lineage and monitor your models to continuously improve them. '

-In this article, learn about how do Machine Learning Operations (MLOps) in Azure Machine Learning to manage the lifecycle of your models. MLOps improves the quality and consistency of your machine learning solutions.

-Machine Learning Operations (MLOps) is based on [DevOps](https://azure.microsoft.com/overview/what-is-devops/) principles and practices that increase the efficiency of workflows. For example, continuous integration, delivery, and deployment. MLOps applies these principles to the machine learning process, with the goal of:

-* Faster experimentation and development of models

-* Faster deployment of models into production

-* Quality assurance and end-to-end lineage tracking

-## MLOps in Azure Machine Learning

-Azure Machine Learning provides the following MLOps capabilities:

-For more information on MLOps, see [Machine Learning DevOps (MLOps)](/azure/cloud-adoption-framework/ready/azure-best-practices/ai-machine-learning-mlops).

-## Create reproducible ML pipelines

-Use ML pipelines from Azure Machine Learning to stitch together all of the steps involved in your model training process.

-An ML pipeline can contain steps from data preparation to feature extraction to hyperparameter tuning to model evaluation. For more information, see [ML pipelines](concept-ml-pipelines.md).

-If you use the [Designer](concept-designer.md) to create your ML pipelines, you may at any time click the **"..."** at the top-right of the Designer page and then select **Clone**. Cloning your pipeline allows you to iterate your pipeline design without losing your old versions.

-Azure Machine Learning environments allow you to track and reproduce your projects' software dependencies as they evolve. Environments allow you to ensure that builds are reproducible without manual software configurations.

-Environments describe the pip and Conda dependencies for your projects, and can be used for both training and deployment of models. For more information, see [What are Azure Machine Learning environments](concept-environments.md).

-### Register and track ML models

-Model registration allows you to store and version your models in the Azure cloud, in your workspace. The model registry makes it easy to organize and keep track of your trained models.

-> A registered model is a logical container for one or more files that make up your model. For example, if you have a model that is stored in multiple files, you can register them as a single model in your Azure Machine Learning workspace. After registration, you can then download or deploy the registered model and receive all the files that were registered.

-Registered models are identified by name and version. Each time you register a model with the same name as an existing one, the registry increments the version. Additional metadata tags can be provided during registration. These tags are then used when searching for a model. Azure Machine Learning supports any model that can be loaded using Python 3.5.2 or higher.

-> You can also register models trained outside Azure Machine Learning.

-You can't delete a registered model that is being used in an active deployment.

-For more information, see the register model section of [Deploy models](how-to-deploy-and-where.md#registermodel).

-> When using Filter by `Tags` option on the Models page of Azure Machine Learning Studio, instead of using `TagName : TagValue` customers should use `TagName=TagValue` (without space)

-Azure Machine Learning can help you understand the CPU and memory requirements of the service that will be created when you deploy your model. Profiling tests the service that runs your model and returns information such as the CPU usage, memory usage, and response latency. It also provides a CPU and memory recommendation based on the resource usage.

-For more information, see the profiling section of [Deploy models](how-to-deploy-profile-model.md).

-Before deploying a model into production, it is packaged into a Docker image. In most cases, image creation happens automatically in the background during deployment. You can manually specify the image.

-Converting your model to [Open Neural Network Exchange](https://onnx.ai) (ONNX) may improve performance. On average, converting to ONNX can yield a 2x performance increase.

-For more information on ONNX with Azure Machine Learning, see the [Create and accelerate ML models](concept-onnx.md) article.

-Trained machine learning models are deployed as web services in the cloud or locally. Deployments use CPU, GPU, or field-programmable gate arrays (FPGA) for inferencing. You can also use models from Power BI.

-When using a model as a web service, you provide the following items:

-* The model(s) that are used to score data submitted to the service/device.

-* An entry script. This script accepts requests, uses the model(s) to score the data, and return a response.

-* An Azure Machine Learning environment that describes the pip and Conda dependencies required by the model(s) and entry script.

-* Any additional assets such as text, data, etc. that are required by the model(s) and entry script.

-You also provide the configuration of the target deployment platform. For example, the VM family type, available memory, and number of cores when deploying to Azure Kubernetes Service.

-When the image is created, components required by Azure Machine Learning are also added. For example, assets needed to run the web service.

-Batch scoring is supported through ML pipelines. For more information, see [Batch predictions on big data](./tutorial-pipeline-batch-scoring-classification.md).

-You can use your models in **web services** with the following compute targets:

-* Azure Container Instance

-* Dependencies required to use the model. For example, a script that accepts requests and invokes the model, conda dependencies, etc.

-When deploying to Azure Kubernetes Service, you can use controlled rollout to enable the following scenarios:

-* Create multiple versions of an endpoint for a deployment

-For more information, see [Controlled rollout of ML models](./how-to-safely-rollout-managed-endpoints.md).

-Microsoft Power BI supports using machine learning models for data analytics. For more information, see [Azure Machine Learning integration in Power BI (preview)](/power-bi/service-machine-learning-integration).

-Azure ML gives you the capability to track the end-to-end audit trail of all of your ML assets by using metadata.

-> While some information on models and datasets is automatically captured, you can add additional information by using __tags__. When looking for registered models and datasets in your workspace, you can use tags as a filter.

-> Associating a dataset with a registered model is an optional step. For information on referencing a dataset when registering a model, see the [Model](/python/api/azureml-core/azureml.core.model%28class%29) class reference.

-## Notify, automate, and alert on events in the ML lifecycle

-Azure ML publishes key events to Azure Event Grid, which can be used to notify and automate on events in the ML lifecycle. For more information, please see [this document](how-to-use-event-grid.md).

-## Monitor for operational & ML issues

-This information helps you understand how your model is being used. The collected input data may also be useful in training future versions of the model.

-For more information, see [How to enable model data collection](how-to-enable-data-collection.md).

-Often, you'll want to validate your model, update it, or even retrain it from scratch, as you receive new information. Sometimes, receiving new data is an expected part of the domain. Other times, as discussed in [Detect data drift (preview) on datasets](how-to-monitor-datasets.md), model performance can degrade in the face of such things as changes to a particular sensor, natural data changes such as seasonal effects, or features shifting in their relation to other features.

-There is no universal answer to "How do I know if I should retrain?" but Azure ML event and monitoring tools previously discussed are good starting points for automation. Once you have decided to retrain, you should:

-A theme of the above steps is that your retraining should be automated, not ad hoc. [Azure Machine Learning pipelines](concept-ml-pipelines.md) are a good answer for creating workflows relating to data preparation, training, validation, and deployment. Read [Retrain models with Azure Machine Learning designer](how-to-retrain-designer.md) to see how pipelines and the Azure Machine Learning designer fit into a retraining scenario.

-## Automate the ML lifecycle

-You can use GitHub and Azure Pipelines to create a continuous integration process that trains a model. In a typical scenario, when a Data Scientist checks a change into the Git repo for a project, the Azure Pipeline will start a training run. The results of the run can then be inspected to see the performance characteristics of the trained model. You can also create a pipeline that deploys the model as a web service.

-The [Azure Machine Learning extension](https://marketplace.visualstudio.com/items?itemName=ms-air-aiagility.vss-services-azureml) makes it easier to work with Azure Pipelines. It provides the following enhancements to Azure Pipelines:

-* Enables workspace selection when defining a service connection.

-For more information on using Azure Pipelines with Azure Machine Learning, see the following links:

-* [Continuous integration and deployment of ML models with Azure Pipelines](/azure/devops/pipelines/targets/azure-machine-learning)

-* [Azure Machine Learning MLOps](https://aka.ms/mlops) repository

-* [Azure Machine Learning MLOpsPython](https://github.com/Microsoft/MLOpspython) repository

-+ [How & where to deploy models](how-to-deploy-and-where.md) with Azure Machine Learning

-+ [Tutorial: Train and deploy a model](tutorial-train-deploy-notebook.md).

-+ [CI/CD of ML models with Azure Pipelines](/azure/devops/pipelines/targets/azure-machine-learning)

-+ [Azure AI reference architectures & best practices rep](https://github.com/microsoft/AI)

-1. Right-click the specification file and select **Azure ML: Create Resource**.

-1. Right-click the specification file and select **Azure ML: Create Resource**.

-1. Right-click the specification file and select **Azure ML: Create Resource**.

-1. Right-click the specification file and select **Azure ML: Create Resource**.

-1. Right-click the specification file and select **Azure ML: Create Resource**.

-1. Right-click the specification file and select **Azure ML: Create Resource**.

-1. Right-click the specification file and select **Azure ML: Create Resource**.

-1. Right-click the specification file and select **Azure ML: Create Resource**.

-1. Right-click the specification file and select **Azure ML: Create Resource**.

-1. Right-click the specification file and select **Azure ML: Create Resource**.

-1. Right-click the specification file and select **Azure ML: Create Resource**.

-| `Microsoft.MachineLearningServices.RunStatusChanged` | Raised when a run status changed, currently only raised when a run status is 'failed' |

-1. Right-click the specification file and select **Azure ML: Create Resource**. Creating a resource uses the configuration options defined in the YAML specification file and submits a job using the CLI (v2). At this point, a request to Azure is made to create a new workspace and dependent resources in your account. After a few minutes, the new workspace appears in your subscription node.

-1. Right-click the specification file and select **Azure ML: Create Resource**.

-1. Right-click the file in the text editor and select **Azure ML: Create Resource**.

-> [!div class="mx-imgBorder"]

-> 

-This article explains the Azure Database for MySQL connectivity architecture as well as how the traffic is directed to your Azure Database for MySQL instance from clients both within and outside Azure.

-As client connects to the database, the connection string to the server resolves to the gateway IP address. The gateway listens on the IP address on port 3306. Inside the database cluster, traffic is forwarded to appropriate Azure Database for MySQL. Therefore, in order to connect to your server, such as from corporate networks, it is necessary to open up the **client-side firewall to allow outbound traffic to be able to reach our gateways**. Below you can find a complete list of the IP addresses used by our gateways per region.

-As part of ongoing service maintenance, we will periodically refresh compute hardware hosting the gateways to ensure we provide the most secure and performant experience. When the gateway hardware is refreshed, a new ring of the compute nodes is built out first. This new ring serves the traffic for all the newly created Azure Database for MySQL servers and it will have a different IP address from older gateway rings in the same region to differentiate the traffic. Once the new ring is fully functional, the older gateway hardware serving existing servers are planned for decommissioning. Before decommissioning a gateway hardware, customers running their servers and connecting to older gateway rings will be notified via email and in the Azure portal, three months in advance before decommissioning. The decommissioning of gateways can impact the connectivity to your servers if

-* You do not update the newer gateway IP addresses in the client-side firewall to allow outbound traffic to be able to reach our new gateway rings.

-* **Gateway IP addresses:** This column lists the current IP addresses of the gateways hosted on the latest generation of hardware. If you are provisioning a new server, we recommend that you open the client-side firewall to allow outbound traffic for the IP addresses listed in this column.

-* **Gateway IP addresses (decommissioning):** This column lists the IP addresses of the gateways hosted on an older generation of hardware that is being decommissioned right now. If you are provisioning a new server, you can ignore these IP addresses. If you have an existing server, continue to retain the outbound rule for the firewall for these IP addresses as we have not decommissioned it yet. If you drop the firewall rules for these IP addresses, you may get connectivity errors. Instead, you are expected to proactively add the new IP addresses listed in Gateway IP addresses column to the outbound firewall rule as soon as you receive the notification for decommissioning. This will ensure when your server is migrated to latest gateway hardware, there is no interruptions in connectivity to your server.

-* **Gateway IP addresses (decommissioned):** This columns lists the IP addresses of the gateway rings, which are decommissioned and are no longer in operations. You can safely remove these IP addresses from your outbound firewall rule.

-This is a DNS change only which makes it transparent to clients. While the IP address for FQDN is changed in the DNS server, the local DNS cache will be refreshed within 5 minutes, and it is automatically done by the operating systems. After the local DNS refresh, all the new connections will connect to the new IP address, all existing connections will remain connected to the old IP address with no interruption until the old IP addresses are fully decommissioned. The old IP address will roughly take three to four weeks before getting decommissioned; therefore, it should have no effect on the client applications.

-Only Gateway nodes will be decommissioned. When users connect to their servers, the first stop of the connection is to gateway node, before connection is forwarded to server. We are decommissioning old gateway rings (not tenant rings where the server is running) refer to the [connectivity architecture](#connectivity-architecture) for more clarification.

-You will receive an email to inform you when we will start the maintenance work. The maintenance can take up to one month depending on the number of servers we need to migrate in al regions. Please prepare your client to connect to the database server using the FQDN or using the new IP address from the table above.

-### What do I do if my client applications are still connecting to old gateway server ?

-This maintenance is just a DNS change, so it is transparent to the client. Once the DNS cache is refreshed in the client (automatically done by operation system), all the new connection will connect to the new IP address and all the existing connection will still working fine until the old IP address fully get decommissioned, which usually several weeks later. And the retry logic is not required for this case, but it is good to see the application have retry logic configured. Please either use FQDN to connect to the database server or enable list the new 'Gateway IP addresses' in your application connection string.

-This maintenance operation will not drop the existing connections. It only makes the new connection requests go to new gateway ring.

-As the migration should be transparent and no impact to customer's connectivity, we expect there will be no issue for majority of users. Review your application proactively and ensure that you either use FQDN to connect to the database server or enable list the new 'Gateway IP addresses' in your application connection string.

-### I am using private link, will my connections get affected?

- >To dump multiple databases in parallel, you can modiffy regex variable as shown in the example: **regex ΓÇÖ^(DbName1\.|DbName2\.)**

-* Commonly encountered [migration errors](./howto-troubleshoot-common-errors.md)

-Classifications can be system or custom types. System classifications are present in Microsoft Purview by default. Custom classifications can be created based on a regular expression pattern. Classifications can be applied to assets either automatically or manually.

-Microsoft Purview can scan and automatically classify documentation files. For example, if you have a file named *multiple.docx* and it has a National ID number in its content, Microsoft Purview adds the classification **EU National Identification Number** to the file asset's detail page.

-In some scenarios, you might want to manually add classifications to your file asset. If you have multiple files that are grouped into a resource set, add classifications at the resource set level.

-description: This article gives an overview permission, access control, and collections in Microsoft Purview. Role-based access control is managed within Microsoft Purview itself, so this guide will cover the basics to secure your information.

-# Access control in Microsoft Purview

-Microsoft Purview uses **Collections** to organize and manage access across its sources, assets, and other artifacts. This article describes collections and access management in your Microsoft Purview account.

-> This article refers to permissions required for the Microsoft Purview governance portal. If you are looking for permissions information for the Microsoft Purview compliance center, follow [the article for permissions in the Microsoft Purview compliance portal](/microsoft-365/compliance/microsoft-365-compliance-center-permissions).

-By default, Microsoft Purview determines the schema and classifications for resource sets based upon the [resource set file sampling rules](sources-and-scans.md#resource-set-file-sampling). Microsoft Purview can customize and further enrich your resource set assets through the **Advanced Resource Sets** capability. When Advanced Resource Sets are enabled, Microsoft Purview run extra aggregations to compute the following information about resource set assets:

-Enabling advanced resource sets also allows for the creation of [resource set pattern rules](how-to-resource-set-pattern-rules.md) that customize how Microsoft Purview groups resource sets during scanning.

-* Searching for classifications only matches on the formal classification name. For example, the keywords "World Cities" don't match classification "MICROSOFT.GOVERNMENT.CITY_NAME".

-In Microsoft Purview, there are few options to use as authentication method to scan data sources such as the following options:

-* The Azure Key Vault used to store credentials.

-| `<your_key_vault_name>.vault.azure.net` | 443 | Required if any credentials are stored in Azure Key Vault. |

- 1. App registration exists in your Azure Active Directory tenant.

- 2. Under **API permissions**, the following **delegated permissions** and **grant admin consent for the tenant** is set up with read for the following APIs:

-> - You can use [Microsoft Purview Rest API - Scans - Create Or Update](/rest/api/purview/scanningdataplane/scans/create-or-update/) to create a new scan for your Synapse workspaces including dedicated and serverless pools.

-Currently, you can move resources from any source public region to any target public region, depending on the [resource types available in that region](https://azure.microsoft.com/global-infrastructure/services/). Moving resources in Azure Government regions isn't currently supported.

-Move support | Azure resources that are supported for move with Resource Mover can be moved from any public region to another public region.

-| **Steps** | Many javascript functions don't do encoding by default. When assigning untrusted input to DOM elements via such functions, may result in cross site script (XSS) executions.|

-The following table lists unifying parsers available:

-|<a name="domaintype"></a>**DomainType** | Enumerated | The type of domain stored in domain and FQDN fields. Supported values include `FQDN` and `Windows`. For more information, see [The Device entity](#the-device-entity). |

-|<a name="dvcidtype"></a>**DvcIdType** | Enumerated | The type of the device ID stored in DvcId fields. Supported values include `AzureResourceId`, `MDEid`, `MD4IoTid`, `VMConnectionId`, `AwsVpcId`, `VectraId`, and `Other`. For more information, see [The Device entity](#the-device-entity). |

-|<a name="usernametype"></a>**UsernameType** | Enumerated | The type of username stored in username fields. Supported values include `UPN`, `Windows`, `DN`, `Simple`, and `Unknown`. For more information, see [The User entity](#the-user-entity). |

-|<a name="usertype"></a>**UserType** | Enumerated | The type of a user. Supported values include: `Regular`, `Machine`, `Admin`, `System`, `Application`, `Service Principal`, and `Other`<br><br>. For more information, see [The User entity](#the-user-entity). |

-The descriptors used for a user are Actor, Target User, and Updated User, as described in the following scenarios:

-|Activity |Full scenario |Single entity scenario used for aliasing |

-||||

-|**Create user** | An Actor created or modified a Target User. | The (Target) User was created. |

-|**Modify user** | An Actor renamed Target User to Updated User. The Updated User usually doesn't have all the information associated with a user and has some overlap with the Target User. | |

-|**Network connection** | A process running as Actor on the source host, communicating with a process running as Target User on the destination host. | |

-|**DNS request** | An Actor initiated a DNS query. | |

-|**Sign-in** | An Actor signed in to a system as a Target User. |A (Target) User signed in. |

-|**Process creation** | An Actor (the user associated with the initiating process) has initiated process creation. The process created runs under the credentials of a Target User (the user related to the target process). | The process created runs under the credentials of a (Target) User. |

-|**Email** | An Actor sends an email to a Target User. | |

-The following table describes the supported identifiers for a user:

-|Normalized field |Type |Format and supported types |

-||||

-|**UserId** | String | A machine-readable, alphanumeric, unique representation of a user in a system. <br><br>Format and supported types include:<br> - **SID** (Windows): `S-1-5-21-1377283216-344919071-3415362939-500`<br> - **UID** (Linux): `4578`<br> - **AADID** (Azure Active Directory): `9267d02c-5f76-40a9-a9eb-b686f3ca47aa`<br> - **OktaId**: `00urjk4znu3BcncfY0h7`<br> - **AWSId**: `72643944673`<br><br> Store the ID type in the **UserIdType** field. If other IDs are available, we recommend that you normalize the field names to **UserSid**, **UserUid**, **UserAADID**, **UserOktaId**, and **UserAwsId**, respectively. |

-|**Username** | String | A username, including domain information when available, in one of the following formats and in the following order of priority: <br> - **Upn/Email**: `johndow@contoso.com` <br> - **Windows**: `Contoso\johndow` <br> - **DN**: `CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM` <br> - **Simple**: `johndow`. Use this form only if domain information is not available. <br><br> Store the Username type in the **UsernameType** field. |

-### The Process entity

-The descriptors used for a user are Acting Process, Target Process, and Parent Process, as described in the following scenarios:

-The following table describes the supported identifiers for processes:

-|Normalized field |Type |Format and supported types |

-||||

-|**Id** | String | The OS-assigned process ID. |

-|**Guid** | String | The OS-assigned process GUID. The GUID is commonly unique across system restarts, while the ID is often reused. |

-|**Path** | String | The full pathname of the process, including directory and file name. |

-|**Name** | Alias | The process name is an alias to the path. |

-For more information, see [Microsoft Sentinel Process Event normalization schema reference (preview)](process-events-normalization-schema.md).

-### The Device entity

-The normalization schemas attempt to follow user intuition as much as possible. They handle devices in different ways, depending on the scenario:

-Device handling guidelines are further clarified as follows:

-The following table describes the supported identifiers for devices:

-|Normalized field |Type |Format and supported types |

-||||

-|**Hostname** | String | |

-|**FQDN** | String | A fully qualified domain name. |

-|**IpAddr** | IP address | While devices might have multiple IP addresses, events usually have a single identifying IP address. The exception is a gateway device that might have two relevant IP addresses. For a gateway device, use `UpstreamIpAddr` and `DownstreamIpAddr`. |

-|**HostId** | String | |

-> [!NOTE]

-> `Domain` is a typical attribute of a device, but it isn't a complete identifier.

->

-For more information, see [Microsoft Sentinel Authentication normalization schema reference (preview)](authentication-normalization-schema.md).

-When the mapping conditiond are more complex use the `iff` or `case` functions. The `iff` function enables mapping two values:

-This test is resource intensive and may not work on your entire data set. Set X to the largest number for which the query will not timeout, or set the time range for the query using the time range picker.

-When implementing custom parsers for the [Process Event](normalization-about-schemas.md#the-process-entity) information model, name your KQL functions using the following syntax: `imProcessCreate<vendor><Product>` and `imProcessTerminate<vendor><Product>`. Replace `im` with `ASim` for the parameter-less version

-Add your KQL function to the `imProcess<Type>` and `imProcess` unifying parsers to ensure that any content using the [Process Event](normalization-about-schemas.md#the-process-entity) model also uses your new parser.

- // use the regular receive pump which we show in our Quick Start and in other github samples.

- > Please navigate to `https://github.com/login/device` and enter the user code 329B-3945 to activate and retrieve your github personal access token.

-To automatically update the key version for a customer-managed key, omit the key version when you configure encryption with customer-managed keys for the storage account. Call [az storage account update](/cli/azure/storage/account#az-storage-account-update) to update the storage account's encryption settings, as shown in the following example. Include the `--encryption-key-source parameter` and set it to `Microsoft.Keyvault` to enable customer-managed keys for the account. Remember to replace the placeholder values in brackets with your own values.

-> To rotate a key, create a new version of the key in Azure Key Vault. Azure Storage does not handle the rotation of the key in Azure Key Vault, so you will need to rotate your key manually or create a function to rotate it on a schedule.

-Azure Storage can automatically update the customer-managed key that is used for encryption to use the latest key version. When the customer-managed key is rotated in Azure Key Vault, Azure Storage will automatically begin using the latest version of the key for encryption.

-Azurite is automatically available with [Visual Studio 2022](https://visualstudio.microsoft.com/vs/). If you are running an earlier version of Visual Studio, you'll need to install Azurite by using either Node Package Manager, DockerHub, or by cloning the Azurite github repository.

-The SMB security settings can be viewed and changed using PowerShell or CLI. Please select the desired tab to see the steps on how to get and set the SMB security settings.

- In local and zone redundant storage accounts, Azure file shares can span up to 100 TiB, however in geo- and geo-zone redundant storage accounts, Azure file shares can span only up to 5 TiB.

-Before you create an Azure file share on an existing account, you may want to enable it for large file shares if you haven't already. Standard storage accounts using either LRS or ZRS can be upgraded to support large file shares. If you have a GRS, GZRS, RA-GRS, or RA-GZRS account, you will need to convert it to an LRS account before proceeding.

-To enable large file shares on your existing account, use the following command. Replace `<yourStorageAccountName>` and `<yourResourceGroup>` with your information.

-To enable large file shares on your existing account, use the following command. Replace `<yourStorageAccountName>` and `<yourResourceGroup>` with your information.

-Once you've created your storage account, all that is left is to create your file share. This process is mostly the same regardless of whether you're using a premium file share or a standard file share. You should consider the following differences.

-Azure Synapse data security and privacy are non-negotiable. The purpose of this white paper, then, is to provide a comprehensive overview of Azure Synapse security features, which are enterprise-grade and industry-leading. The white paper comprises a series of articles that cover the following five layers of security:

-**Writers:** Vengatesh Parasuraman, Fretz Nuson, Ron Dunn, Khendr'a Reid, John Hoang, Nithesh Krishnappa, Mykola Kovalenko, Brad Schacht, Pedro Matinez, Mark Pryce-Maher, and Arshad Ali.

-**Technical Reviewers:** Nandita Valsan, Rony Thomas, Daniel Crawford, and Tammy Richter Jones.

- FORMAT = 'PARQUET') AS file

- FORMAT = 'PARQUET') AS file

- sudo apt-key adv --fetch-keys https://developer.download.nvidia.com/compute/cuda/repos/ubuntu1604/x86_64/7fa2af80.pub

-$vm = Set-AzVmSecurityProfile -VM $vm `

-The below scenario also covers an optional portion where we create a snapshot of the VM's OS disk in order to create disk from the snapshot to have a backup because when the VM gets deleted, the OS disk will also be deleted along with it.

- $snapshotName = "MySnapShot"

-

-# Get Current VM OS Disk metadata

- $osDiskid = $originalVM.StorageProfile.OsDisk.ManagedDisk.Id

- $osDiskName = $originalVM.StorageProfile.OsDisk.Name

-# Create Disk Snapshot (optional)

- $snapshot = New-AzSnapshotConfig -SourceUri $osDiskid `

- -Location $originalVM.Location `

- -CreateOption copy

-

- $newsnap = New-AzSnapshot `

- -Snapshot $snapshot `

- -SnapshotName $snapshotName `

- -ResourceGroupName $resourceGroup

-

-# Create disk out of snapshot (optional)

- $osDisk = New-AzDisk -DiskName $osDiskName -Disk `

- (New-AzDiskConfig -Location $originalVM.Location -CreateOption Copy `

- -SourceResourceId $newsnap.Id) `

- -ResourceGroupName $resourceGroup

-

-# Delete Snapshot (optional)

- Remove-AzSnapshot -ResourceGroupName $resourceGroup -SnapshotName $snapshotName -Force

-> Under certain circumstances, 2 VMs in the same AvailabilitySet could share the same FaultDomain. This can be confirmed by going into your availability set and checking the Fault Domain column. This can be causeed by the following sequence of events while deploying the VMs:

-You can either use an Azure Template from github to deploy all required Azure resources, including the virtual machines, availability set and network interfaces or you can deploy the resources manually.

-You can use one of the quickstart templates on github to deploy all required resources. The template deploys the virtual machines, availability set etc.

-1. Go to one of the virtual networks in the portal and select **Peerings** under *Settings*. You should see a new peering connection create between the hub and the spokes virtual network with *ANM* in the name.

-1. Select **Network groups** under *Settings*, and then select **+ Create** to create a new network group.

- :::image type="content" source="./media/tutorial-create-secured-hub-and-spoke/add-network-group.png" alt-text="Screenshot of Create a network group button.":::

-1. On the *Create a network group* page, enter a **Name** and a **Description** for the network group. Then select **Add** to create the network group.

- :::image type="content" source="./media/create-virtual-network-manager-portal/network-group-basics.png" alt-text="Screenshot of create a network group page.":::

-1. You'll see the new network group added to the *Network Groups* page.

- :::image type="content" source="./media/create-virtual-network-manager-portal/network-groups-list.png" alt-text="Screenshot of network group page with list of network groups.":::

-1. From the list of network groups, select **myNetworkGroup** to manage the network group memberships.

- :::image type="content" source="media/how-to-create-mesh-network/manage-group-membership.png" alt-text="Screenshot of manage group memberships page.":::

-1. To add a virtual network manually, select the **Add** button under *Static membership*, and select the virtual networks to add. Then select **Add** to save the static membership. For more information, see [static members](concept-network-groups.md#static-membership).

- :::image type="content" source="./media/how-to-create-hub-and-spoke/add-static-members.png" alt-text="Screenshot of add virtual networks to network group page.":::

-1. To add virtual networks dynamically, select the **Define** button under *Define dynamic membership*, and then enter the conditional statements for membership. Select **Save** to save the dynamic membership conditions. For more information, see [dynamic membership](concept-network-groups.md#dynamic-membership).

- :::image type="content" source="media/how-to-create-mesh-network/define-dynamic-members.png" alt-text="Screenshot of Define dynamic membership page.":::

-1. Select **Configuration** under *Settings*, then select **+ Create**.

- :::image type="content" source="./media/create-virtual-network-manager-portal/add-configuration.png" alt-text="Screenshot of the configurations list.":::

-1. Select **Connectivity configuration** from the drop-down menu.

-1. On the *Add a connectivity configuration* page, enter the following information:

- :::image type="content" source="media/how-to-create-mesh-network/add-config-name.png" alt-text="Screenshot of add a connectivity configuration page.":::

-1. Select **Next: Topology >**. Select **Hub and Spoke** under the **Topology** setting. This selection will reveal more settings.

- :::image type="content" source="./media/tutorial-create-secured-hub-and-spoke/hub-configuration.png" alt-text="Screenshot of selecting a hub for the connectivity configuration.":::

-1. Select **Select a hub** under **Hub** setting. Then, select the virtual network to serve as your network hub and click **Select**.

- :::image type="content" source="media/tutorial-create-secured-hub-and-spoke/select-hub.png" alt-text="Screenshot of Select a hub configuration.":::

-1. Under **Spoke network groups**, select **+ add**. Then, select your network group and click **Select**.

- :::image type="content" source="media/how-to-create-hub-and-spoke/add-network-group.png" alt-text="Screenshot of Add network groups page.":::

-1. You'll see the following three options appear next to the network group name under **Spoke network groups**:

- | Setting | Value |

- | - | -- |

- | Direct connectivity | Select **Enable peering within network group** if you want to establish VNet peering between virtual networks in the network group of the same region. |

- | Gateway | Select **Hub as a gateway** if you have a virtual network gateway in the hub virtual network that you want this network group to use to pass traffic to on-premises. This option won't be available unless a virtual network gateway is deployed in the hub virtual network. |

- | Global Mesh | Select **Enable mesh connectivity across regions** if you want to establish VNet peering for all virtual networks in the network group across regions. This option requires you select **Enable peering within network group** first. |

-1. Finally, Select **Next: Review + create >** and then **Create** to create the hub-and-spoke connectivity configuration.

-To have this configuration take effect in your environment, you'll need to deploy the configuration to the regions where your selected virtual networks are created.

-> [!NOTE]

-> Make sure the virtual network gateway has been successfully deployed before deploying the connectivity configuration. If you deploy a hub and spoke configuration with **Use the hub as a gateway** enabled and there's no gateway, the deployment will fail. For more information, see [use hub as a gateway](concept-connectivity-configuration.md#use-hub-as-a-gateway).

->

-1. Select **Deployments** under *Settings*, then select **Deploy configuration**.

- :::image type="content" source="./media/create-virtual-network-manager-portal/deployments.png" alt-text="Screenshot of deployments page in Network Manager.":::

- | Configurations | Select elect **Include connectivity configurations in your goal state**. This will reveal more options. |

- | Connectivity Configurations | Select the name of the connectivity configuration you created in the previous section. |

- | Target regions | Select all the regions that include virtual networks you need configuration applied to. |

-1. Select **Deploy**. You'll see the deployment shows up in the list for those regions. The deployment of the configuration can take several minutes to complete. You can select the **Refresh** button to check on the status of the deployment.

- :::image type="content" source="./media/how-to-create-hub-and-spoke/deploy-status.png" alt-text="Screenshot of deployment status screen." lightbox="./media/how-to-create-hub-and-spoke/deploy-status-expanded.png":::

-1. Go to one of the virtual networks in the portal and select **Peerings** under *Settings*. You should see a new peering connection created between the hub and the spokes virtual network with *ANM* in the name.

-1. See [view applied configuration](how-to-view-applied-configurations.md).

- :::image type="content" source="media/how-to-create-hub-and-spoke/add-network-group.png" alt-text="Screenshot of Add network groups page.":::

-1. Select **Next: Review + create >** and then **Create** to create the connectivity configuration.

-1. Select **Deploy**. You should now see the deployment show up in the list for those regions. The deployment of the configuration can take several minutes to complete. You can select the **Refresh** button to check on the status of the deployment.

-1. Select **Configuration** under *Settings* again, then select **+ Create**, and select **SecurityAdmin** from the menu to begin creating a SecurityAdmin configuration.

-1. Select **Next** and then **Deploy**. You should now see the deployment show up in the list for the selected region. The deployment of the configuration can take about 15-20 minutes to complete.

-description: Learn about P2S VPN client profile files for Azure AD authentication.

-# Generate P2S Azure VPN client profile files - Azure AD authentication

-After you install the Azure VPN Client, you configure the VPN client profile. Client profile files contain information that's necessary to configure a VPN connection. This article helps you obtain and understand the information needed to configure an Azure VPN Client profile.

-1. At the top of the Point-to-site configuration page, select **Download VPN client**. It takes a few minutes for the client configuration package to generate.

-> [!IMPORTANT]

-> *Standard* public IP resources with Tier = Global cannot be attached to a Gateway. Only *Standard* public IP resources with Tier = Regional can be used.

-# Configure a VPN client for P2S OpenVPN protocol connections - Azure AD authentication - macOS

-# Configure Azure VPN Client for P2S OpenVPN protocol connections - Azure AD authentication - Windows

-# Configure OpenVPN clients for Azure VPN Gateway

-This article helps you configure **OpenVPN &reg; Protocol** clients for Azure VPN Gateway point-to-site configurations that use OpenVPN.

-This article contains general instructions. For the following point-to-site authentication types, see the associated articles instead: