-Azure AD B2C uses [Azure Active Directory monitoring](../active-directory/reports-monitoring/overview-monitoring.md). Unlike Azure AD tenants, an Azure AD B2C tenant can't have a subscription associated with it. So, we need to take extra steps to enable the integration between Azure AD B2C and Log Analytics, which is where we'll send the logs.

-## Pre-requisites

-Alerts are created by alert rules in Azure Monitor and can automatically run saved queries or custom log searches at regular intervals. You can create alerts based on specific performance metrics or when certain events occur. You can also create alerts on absence of an event, or a number of events occur within a particular time window. For example, alerts can be used to notify you when average number of sign in exceeds a certain threshold. For more information, see [Create alerts](../azure-monitor/alerts/alerts-log.md).

-Use the following instructions to create a new Azure Alert, which will send an [email notification](../azure-monitor/alerts/action-groups.md#configure-notifications) whenever there's a 25% drop in the **Total Requests** compared to previous period. Alert will run every 5 minutes and look for the drop in the last hour compared to the hour before it. The alerts are created using Kusto query language.

-1. Create a new **Kusto query** by using the query below.

-1. Select **Run**, to test the query. You should see the results if there is a drop of 25% or more in the total requests within the past hour.

-1. To create an alert rule based on the query above, use the **+ New alert rule** option available in the toolbar.

-1. Under **Supported account types**, select **Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**.

- [](../../../includes/media/active-directory-app-provisioning-ldap/ldp-3.png#lightbox)</br>

-#Export the certifcate from the local machine personal store

-> If the test connection fails, you will see the request made. Please note that while the URL in the test connection error message is truncated, the actual request sent to the aplication contains the entire URL provided above.

-The connectors and the service take care of all the high availability tasks. You can monitor the status of your connectors from the Application Proxy page in the Azure portal. For more information about connector maintainence see [Understand Azure AD Application Proxy Connectors](./application-proxy-connectors.md#maintenance).

-| buid | Common | Tracks browser related information. Used for service telemetry and protection mechanisms. |

-

-One of the user attributes that's automatically synchronized by Azure AD Connect is *ProxyAddresses*. If users have an email address defined in the on-premesis AD DS environment as part of the *ProxyAddresses* attribute, it's automatically synchronized to Azure AD. This email address can then be used directly in the Azure AD sign-in process as an alternate login ID.

- > The steps listed on the screen outline how to create the role assignment for the Cloud Infrastructure Entitlements Management application. This can be performed manually in the Entra console, or programatically with PowerShell or the Azure CLI.

- > The steps listed on the screen outline how to create the role assignment for the Cloud Infrastructure Entitlements Management application. You can do this manually in the Entra console, or programatically with PowerShell or the Azure CLI.

-Once done, the steps are listed in the screen, which shows how to further configure in the GPC console, or programatically with the gcloud CLI.

-// Psuedo Code

-// Psuedo Code

-| `upn` | User Principal Name | An identifer for the user that can be used with the username_hint parameter. Not a durable identifier for the user and shouldn't be used for authorization or to uniquely identity user information (for example, as a database key). For more information, see [Validate the user has permission to access this data](access-tokens.md). Instead, use the user object ID (`oid`) as a database key. Users signing in with an [alternate login ID](../authentication/howto-authentication-use-email-signin.md) shouldn't be shown their User Principal Name (UPN). Instead, use the following `preferred_username` claim for displaying sign-in state to the user. | See [additional properties](#additional-properties-of-optional-claims) for configuration of the claim. Requires the `profile` scope.|

- // read the header and checks if it conatins error with insufficient_claims value.

-| All other Azure Active Directory areas | [Azure Active Diretory](/answers/tags/49/azure-active-directory) |

-If you're implementing app role business logic in an app-calling-API scenario, you have two app registrations. One app registration is for the app, and a second app registration is for the API. In this case, define the app roles and assign them to the user or group in the app registration of the API. When the user authenticates with the app and requests an ID token to call the API, a roles claim is included in the ID token. Your next step is to add code to your web API to check for those roles when the API is called.

-

-> Microsoft Identity Web (in the [Microsoft.Identity.Web.TokenAcquisition](https://www.nuget.org/packages/Microsoft.Identity.Web.TokenAcquisition) package) is the library that's used to request tokens for accessing an API protected by the Microsoft identity platform. This quickstart requests tokens by using the application's own identity instead of delegated permissions. The authentication flow in this case is known as a [client credentials OAuth flow](v2-oauth2-client-creds-grant-flow.md). For more information on how to use MSAL.NET with a client credentials flow, see [this article](https://aka.ms/msal-net-client-credentials). Given the daemon app in this quickstart calls Microsoft Graph, you install tje [Microsoft.Identity.Web.MicrosoftGraph](https://www.nuget.org/packages/Microsoft.Identity.Web.MicrosoftGraph) package, which handles automatically authenticated requests to Microsoft Graph (and references itself Microsoft.Identity.Web.TokenAcquisition)

-> | .NET Core | &#8226; [Call Microsoft Graph using MAUI](https://github.com/Azure-Samples/ms-identity-dotnetcore-maui/tree/main/MauiAppBasic) <br/> &#8226; [Call Microsoft Graph using MAUI wih broker](https://github.com/Azure-Samples/ms-identity-dotnetcore-maui/tree/main/MauiAppWithBroker) <br/> &#8226; [Call Active Directory B2C tenant using MAUI](https://github.com/Azure-Samples/ms-identity-dotnetcore-maui/tree/main/MauiAppB2C) | MSAL MAUI | Authorization code with PKCE |

-> 1. Open your browser, visit `http://locahost:4200`, select **Sign-in**, then follow the prompts.

-> 1. Open your browser, visit `http://locahost:3000`, select **Sign-in**, then follow the prompts.

-> 1. Open your browser, visit `http://locahost:3000`, select **Sign-in**, then follow the prompts.

- @Overide

-> 1. Open your browser, visit `https://locahost:7274`, select **Sign-in**, then follow the prompts.

-> 1. Open your browser, visit `http://locahost:3000`, select **Sign-in**, then follow the prompts.

-Device Registration is a prerequisite to cloud-based authentication. Commonly, devices are Azure AD or hybrid Azure AD joined to complete device registration. This article provides details of how Azure AD join and hybrid Azure Ad join work in managed and federated environments.For more information about how Azure AD authentication works on these devices, see the article [Primary refresh tokens](concept-primary-refresh-token.md#detailed-flows)

-> The sample log snippets that follows, have been annoted with comment headers // that are not seen in the logs. They are used to help illustrate a specific action being undertaken. We have documented the log snippets this way to assist with copy and paste operations. In addition, the log examples have been trimmed to only show lines of significance for troubleshooting.

-[MSAL] Presenting web view contoller.

-[MSAL] Dismissed web view contoller.

- 

-> Non-adminstrators can still access to the Azure AD management interfaces via command-line and other programmatic interfaces.

- Diagram Title: Azure Application Proxy architecture solution. On the top left, a box labeled https: //sales.constoso.com contains a globe icon to represent a webiste. Below it, a group of icons represent the User and are connected by an arrow from the User to the website. On the top right, a cloud shape labeled Azure Active Directory contains an icon labeled Application Proxy Service. An arrow connects the website to the cloud shape. On the bottom right, a box labeled DMZ has the subtitle On-premises. An arrow connects the cloud shape to the DMZ box, splitting in two to point to icons labeled Connector. Below the Connector icon on the left, an arrow points down and splits in two to point to icons labeled App 1 and App 2. Below the Connector icon on the right, an arrow points down to an icon labeled App 3.

-* Deploy [Azure AD Password Protection](../authentication/howto-password-ban-bad-on-premises-operations.md) in a subset of domain contollers with **Audit** mode to gather information about the impact of modern policies.

- "workflowVerson": {

-description: A step by step guide for customizing emails sent out using tasks within Lifecycle Workflows

-# Customize emails sent out by workflow tasks (Preview)

-Lifecycle Workflows provide several tasks that send out email notifications. Email notifications can be customized to suit the needs of a specific workflow. For a list of these tasks, see: [Lifecycle Workflows tasks and definitions (Preview)](lifecycle-workflow-tasks.md).

-Emails tasks allow for the customization of the following aspects:

-> [!NOTE]

-> When customizing the subject or message body, we recommend that you also enable the custom sender domain and organizational branding, otherwise an additional security disclaimer will be added to your email.

-For more information on these customizable parameters, see: [Common email task parameters](lifecycle-workflow-tasks.md#common-email-task-parameters).

-For more information, see: [License requirements](what-are-lifecycle-workflows.md#license-requirements)

-## Customize email using the Azure portal

-When customizing an email sent via Lifecycle workflows, you can choose to customize either a new or existing task. These customizations are done the same way no matter if the task is new or existing, but the following steps walk you through updating an existing task. To customize emails sent out from tasks within workflows using the Azure portal, you'd follow these steps:

-1. Type in **Identity Governance** in the search bar near the top of the page, and select it.

-1. In the left menu, select **Lifecycle workflows (Preview)**.

-1. In the left menu, select **workflows (Preview)**.

-

-1. On the left side of the screen, select **Tasks (Preview)**.

-1. On the tasks screen, select the task for which you want to customize the email.

-1. On the specific task screen, you're able to set CC to include others in the email outside of the default audience.

-1. On the email customization screen, enter a custom subject, message body, and the email language translation option that will be used to translate the message body of the email. The custom subject and message body will not be translated.

- :::image type="content" source="media/customize-workflow-email/customize-workflow-email-example.png" alt-text="Screenshot of an example of a customized email from a workflow.":::

-1. After making changes, select **save** to capture changes to the customized email.

-To further personalize customized emails, you can take advantage of dynamic attributes. With dynamic attributes by placing in specific attributes, you're able to specifically call out values such as a user's name, their generated Temporary Access Pass, or even their manager's email.

-To use dynamic attributes within your customized emails, you must follow the formatting rules within the customized email. The proper format is:

-{{**dynamic attribute**}}

-When typing this it's written the following way:

-For a full list of dynamic attributes that can be used with customized emails, see:[Dynamic attributes within email](lifecycle-workflow-tasks.md#dynamic-attributes-within-email).

-## Use custom branding and domain in emails sent out using workflows

-Emails sent out using Lifecycle workflows can be customized to have your own company branding, and be sent out using your company domain. When you opt in to using custom branding and domain, every email sent out using Lifecycle Workflows reflect these settings. To enable these features the following prerequisites are required:

-> The recommendation is to use a domain that has the appropriate DNS records to facilitate email validation, like SPF, DKIM, DMARC, and MX as this then complies with the [RFC compliance](https://www.ietf.org/rfc/rfc2142.txt) for sending and receiving email. Please see [Learn more about Exchange Online Email Routing](/exchange/mail-flow-best-practices/mail-flow-best-practices) for more information.

-After these prerequisites are satisfied, you'd follow these steps:

-1. On the Lifecycle workflows page, select **Workflow settings (Preview)**.

-1. On the settings page, with **email domain** you're able to select your domain from a drop-down list of your verified domains.

- :::image type="content" source="media/customize-workflow-email/workflow-email-settings.png" alt-text="Screenshot of workflow domain settings.":::

-1. With the Use company branding banner logo setting, you're able to turn on whether or not company branding is used in emails.

- :::image type="content" source="media/customize-workflow-email/customize-email-logo-setting.png" alt-text="Screenshot of email logo setting.":::

-## Customize email using Microsoft Graph

-To customize email using Microsoft Graph API see: [workflow: createNewVersion](/graph/api/identitygovernance-workflow-createnewversion).

-## Set custom branding and domain workflow settings in Lifecycle Workflows using Microsoft Graph

-To turn on custom branding and domain feature settings in Lifecycle Workflows using Microsoft Graph API, see: [lifecycleManagementSettings resource type](/graph/api/resources/identitygovernance-lifecyclemanagementsettings)

-description: Describes how to customize the schedule of a Lifecycle Workflow.

-# Customize the schedule of workflows (Preview)

-Workflows created using Lifecycle Workflows can be fully customized to match the schedule that fits your organization's needs. By default, workflows are scheduled to run every 3 hours, but the interval can be set as frequent as 1 hour, or as infrequent as 24 hours.

-## Customize the schedule of workflows using the Azure portal

-Workflows created within Lifecycle Workflows follow the same schedule that you define within the **Workflow Settings** page. To adjust the schedule, you'd follow these steps:

-1. Type in **Identity Governance** on the search bar near the top of the page and select it.

-1. In the left menu, select **Lifecycle workflows (Preview)**.

-1. Select **Workflow settings (Preview)** from the Lifecycle workflows overview page.

-1. On the workflow settings page you can set the schedule of workflows from an interval between 1-24.

- :::image type="content" source="media/customize-workflow-schedule/workflow-schedule-settings.png" alt-text="Screenshot of the settings for workflow schedule.":::

-1. After setting the workflow schedule, select save.

-## Customize the schedule of workflows using Microsoft Graph

-To schedule workflow settings using API via Microsoft Graph, see: Update lifecycleManagementSettings [tenant settings for Lifecycle Workflows](/graph/api/resources/identitygovernance-lifecyclemanagementsettings).

-

-> This article provides information on manging your federation cerficates. For infromation on emergency rotation see [Emergency Rotation of the AD FS certificates](how-to-connect-emergency-ad-fs-certificate-rotation.md)

-> The group writeback functionality is currently in Public Preview as we are collecting customer feedback and telemetry. Please refer to [the limitations](#understand-limitations-of-public-preview) before you enable this functionality. You should not deploy the functionality to write back security groups in your production environment. We are planning to replace the AADConnect security group writeback functionality with the new Cloud Sync group writeback feature, and when this releases we will remove the AADConnect Group Writeback functionality. This does not impact M365 group writeback funcitonality, which will remain unchanged.

-> The alert logic means that the alert would be triggered if at least one IP from the extranet lockout error counts, or combined bad password and extranet lockout error counts exceeds the designated thresholds. You can select teh frequency for evaluating the query to detect Risky IPs.

-To disable writeback of all Microsoft 365 groups that were created before these modifications, use one of the folowing methods:

-1. Open Windows Powershell, import the ADSync module and disable the scheduler using the follwoing commands

-> You can read more about constructed attributes in [this artice](/openspecs/windows_protocols/ms-adts/a3aff238-5f0e-4eec-8598-0a59c30ecd56).

- 

-* If you have mutli-forest sync is the sync server able to get to each forest?

- #### Sytem.Management.Automation.PSCredential

->With this version of Azure AD Connect some customers may see some or all of their Windows devices disappear from Azure AD. These device identities aren't used by Azure AD during Conditional Access authorization. For more information, see [Understanding Azure AD Connect 1.4.xx.x device disappearnce](/troubleshoot/azure/active-directory/reference-connect-device-disappearance)

-3. If you are using OOB (out-of-box) sync rules to Azure AD connector to export userCertficiate attribute for User objects, you should get back the *ΓÇ£Out to AAD ΓÇô User ExchangeOnlineΓÇ¥* rule.

-Organizations can use the [Microsoft Graph API to programatically interact with risk events](howto-identity-protection-graph-api.md).

-1. Sign in to the PeopleSoft Consol `http://{your-peoplesoft-fqdn}:8000/psp/ps/?cmd=start` using Admin credentials, for example, PS/PS.

- 

- 

-Reproduce your problem before you look at the logs. Then revert this feature, when finished. Otherwise the verbosity is signficant.

-* Enforce organizatinal policies. See [What is Conditional Access?](../conditional-access/overview.md).

- 

- 

- 

-> If `Require Verification certificates` is checked, SAML Request Signature Verification will work for SP-initiated(service provider/relying party initiated) authentication requests only. Only the application configured by the service provider will have the access to to the private and public keys for signing the incoming SAML Authentication Reqeusts from the applicaiton. The public key should be uploaded to allow the verification of the request, in which case AAD will have access to only the public key.

-> Enabling `Require Verification certificates` will not allow IDP-initiated authentication requests (like SSO testing feature, MyApps or M365 app launcher) to be validated as the IDP would not possess the same private keys as the registered applicaiton.

- The following example shows an application manifest configured with two encryption certificates, and with the second selected as the active one using the tokenEnryptionKeyId.

- 

- 

->- Can't be asigned for a duration of less than five minutes

-Are you having a problem with Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsft Entra? The information that follows can help you to get things working again.

-The table under **Step 2** summarizes all outbound and inbound sign-in activity for the selected tenant, including the number of successful sign-ins and the resons for failed sign-ins. You can select **Outbound activity** or **Inbound activity** to update the remaining sections of the workbook with the type of activity you want to view.

- > By Default, User Provisioning is not enabled in SSO. If the customer wants to enable this feature, they have to set it up as mentioned in [this](https://support.absorblms.com/hc/en-us/articles/360014083294-Incoming-SAML-2-0-SSO-Account-Provisioning) documentation. Also please note that User Provisioing is only available on **Absorb 5 - New Learner Experience** with ACS URL-`https://company.myabsorb.com/api/rest/v2/authentication/saml`

- 

-To configure and test Azure AD SSO with Airstack, perfrom the following steps:

-> Adminstrators need to create the test users in their tenant if needed. Following steps show how to create a test user.

-Before we proceed we need to obtain a *Tenant Url* and a *Secret Token*, to configure secure communcation between Azure AD and Ardoq.

- 

- > * To set up SSO, the URLs must be accessible from public websites. You must enable the firewall or other security settings on the Citrix ADC SAML Connector for Azure AD side to enble Azure AD to post the token at the configured URL.

- > These values are not real. Update these values with the actual Reply URL and Sign-on URL which is explained later in the turorial.

- 

- 

-> B.Simon's Concur login id needs to match B.Simon's unique identifier at Azure AD. For example, if B.Simon's Azure AD unique identifer is `B.Simon@contoso.com`. B.Simon's Concur login id needs to be `B.Simon@contoso.com` as well.

-11. In the **Attribute Mappings** section, review the user attributes that are synchronized from Azure AD to GitHub. The attributes selected as **Matching** properties are used to match the user accounts in GitHub for update operations. Do not enable the **Matching precendence** setting for the other default attributes in the **Provisioning** section because errors might occur. Select **Save** to commit any changes.

- 

- > * To set up SSO, the URLs must be accessible from public websites. You must enable the firewall or other security settings on the Citrix ADC side to enble Azure AD to post the token at the configured URL.

-5. Under the **Admin Credentials** section, input the SCIM endpoint URL in **Tenant URL**. The enpoint URL should be in the format `https://<Insight4GRC Domain Name>.insight4grc.com/public/api/scim/v2 ` where **Insight4GRC Domain Name** is the value retrieved in previous steps. Input the bearer token value retrieved earlier in **Secret Token**. Click **Test Connection** to ensure Azure AD can connect to Insight4GRC. If the connection fails, ensure your Insight4GRC account has Admin permissions and try again.

- > Repeat steps c-i to add both custom attibutes.

- 

- 1. In **ID Provider Certificate**, enter the Azure AD certificate, which you get from your Azure AD account. Enter the certificate value with the header and footer. Example: `--BEGIN CERTIFICATE--<certifciate value>--END CERTIFICATE--`

- > - Certificate value example format: `--BEGIN CERTIFICATE--<certifciate value>--END CERTIFICATE--`

- > - Certificate key value example format: `--BEGIN RSA PRIVATE KEY--<certifciate key value>--END RSA PRIVATE KEY--`

- 

- * Non-specifc tenant URL : {OTDS URL}/scim/{partitionName}

- 

-> The admininistrator user in SAP Cloud Platform Identity Authentication must be of type **System**. Creating a normal administrator user can lead to *unauthorized* errors while provisioning.

- 

-1. Open the downloaded **Cerificate(Base64)** from the Azure portal into Notepad and paste the content into the **Public Certificate** textbox.

- b. Open the downloaded **Cerificate(Base64)** from the Azure portal into Notepad and paste the content into the **Certificate** textbox.

- `https://<comapany-name>.showpad.biz/login`

-> Manually provisioning is uneccesary, if users and groups are provisioned with a SCIM integration. See how to enable auto provisioning for [Snowflake](snowflake-provisioning-tutorial.md).

-1. From the menu, navigate to **Utilites** -> **Accounts Manager**, then click **Create New User** and perform the following steps:

- | DispalyName | user.displayname |

- * give the **Email Attribute** value as **emailAdress**.

- > These values are not the real. Update these values with the actual Identifer and Reply URL. Contact [Unite Us Client support team](mailto:isd.support@uniteus.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

- > These values are not the real. Update these values with the actual Identifer, Reply URL and Sign on URL. Contact [WebCE Client support team](mailto:CustomerService@WebCE.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

-|Credential|An object or data structure that authoritatively binds an identity to at least one *subscriber authenticator* that a *subscriber* posseses and controls|

-description: Learn PCI-DSS defined approach requirements about logging and monitoring all acess to system components and CHD

-| `resouceName` | string | Key Vault name |

-| `message`| string| The internal error message. Contains a detailed message of the error. In this example, the `inlcudeQRCode` field is of the wrong type.|

- SKU_NAME="$(kubectl get storageClass $STORAGECLASS -o jsonpath='{.reclaimPolicy}')"

- SKU_NAME="$(kubectl get storageClass $STORAGE_CLASS -o jsonpath='{.reclaimPolicy}')"

-* **Business Card**,**ID Document**, **Receipt**, **Invoice**, and **Custom** models are currently only supported in the [v2.1 containers](form-recognizer-container-install-run.md?view=form-recog-2.1.0&preserve-view=true).

- sudo apt-get udpate

-In order to deploy Arc resouce bridge, images need to be downloaded to the management machine and then uploaded to the on-premises private cloud gallery. If your proxy server throttles download speed, this may impact your ability to download the required images (~3 GB) within the alotted time (90 min).

-When you develop your functions locally, you need to take trigger and binding behaviors into consideration. The easiest way to test bindings during local development is to use connection strings that target live Azure services. You can target live services by adding the appropriate connection string settings in the `Values` array in the local.settings.json file. When you do this, local executions during testing impact live service data. Because of this, consider setting-up separate services to use during development and testing, and then switch to difference services during production. You can also use a local storage emulator.

-description: Find out how to create and manage action groups. Learn about notifications and actions that action groups enable, such as email, webhooks, and Azure Functions.

-# Create and manage action groups in the Azure portal

-When Azure Monitor data indicates that there might be a problem with your infrastructure or application, an alert is triggered. Azure Monitor, Azure Service Health, and Azure Advisor then use *action groups* to notify users about the alert and take an action. An action group is a collection of notification preferences that are defined by the owner of an Azure subscription.

-This article shows you how to create and manage action groups in the Azure portal. Depending on your requirements, you can configure various alerts to use the same action group or different action groups.

-For information about how to use Azure Resource Manager templates to configure action groups, see [Action group Resource Manager templates](./action-groups-create-resource-manager-template.md).

-An action group is a *global* service, so there's no dependency on a specific Azure region. Requests from clients can be processed by action group services in any region. For instance, if one region of the action group service is down, the traffic is automatically routed and processed by other regions. As a global service, an action group helps provide a disaster recovery solution.

-## Create an action group by using the Azure portal

-1. Go to the [Azure portal](https://portal.azure.com).

- :::image type="content" source="./media/action-groups/manage-action-groups.png" alt-text="Screenshot that shows the Alerts page in the Azure portal. The Action groups button is called out.":::

- :::image type="content" source="./media/action-groups/create-action-group.png" alt-text="Screenshot that shows the Action groups page in the Azure portal. The Create button is called out.":::

-1. Enter information as explained in the following sections.

-### Configure basic action group settings

-1. Under **Project details**, select:

- - Values for **Subscription** and **Resource group**.

- - The region.

-

- The action group is saved in the subscription, region, and resource group that you select.

-1. Under **Instance details**, enter values for **Action group name** and **Display name**. The display name is used in place of a full action group name when the group is used to send notifications.

- :::image type="content" source="./media/action-groups/action-group-1-basics.png" alt-text="Screenshot that shows the Create action group dialog. Values are visible in the Subscription, Resource group, Action group name, and Display name boxes.":::

-### Configure notifications

-1. To open the **Notifications** tab, select **Next: Notifications**. Alternately, at the top of the page, select the **Notifications** tab.

-1. Define a list of notifications to send when an alert is triggered. Provide the following information for each notification:

- - **Notification type**: Select the type of notification that you want to send. The available options are:

- - **Email Azure Resource Manager Role**: Send an email to users who are assigned to certain subscription-level Azure Resource Manager roles.

- - **Email/SMS message/Push/Voice**: Send various notification types to specific recipients.

- - **Name**: Enter a unique name for the notification.

- - **Details**: Based on the selected notification type, enter an email address, phone number, or other information.

- - **Common alert schema**: You can choose to turn on the common alert schema, which provides the advantage of having a single extensible and unified alert payload across all the alert services in Azure Monitor. For more information about this schema, see [Common alert schema](./alerts-common-schema.md).

- :::image type="content" source="./media/action-groups/action-group-2-notifications.png" alt-text="Screenshot that shows the Notifications tab of the Create action group dialog. Configuration information for an email notification is visible.":::

-1. Select **OK**.

-### Configure actions

-1. To open the **Actions** tab, select **Next: Actions**. Alternately, at the top of the page, select the **Actions** tab.

-1. Define a list of actions to trigger when an alert is triggered. Provide the following information for each action:

- - **Action type**: Select from the following types of actions:

- - An Azure Automation runbook

- - An Azure Functions function

- - A notification that's sent to Azure Event Hubs

- - A notification that's sent to an IT service management (ITSM) tool

- - An Azure Logic Apps workflow

- - A secure webhook

- - A webhook

- - **Name**: Enter a unique name for the action.

- - **Details**: Enter appropriate information for your selected action type. For instance, you might enter a webhook URI, the name of an Azure app, an ITSM connection, or an Automation runbook. For an ITSM action, also enter values for **Work item** and other fields that your ITSM tool requires.

- - **Common alert schema**: You can choose to turn on the common alert schema, which provides the advantage of having a single extensible and unified alert payload across all the alert services in Azure Monitor. For more information about this schema, see [Common alert schema](./alerts-common-schema.md).

- :::image type="content" source="./media/action-groups/action-group-3-actions.png" alt-text="Screenshot that shows the Actions tab of the Create action group dialog. Several options are visible in the Action type list.":::

-### Create the action group

-1. To assign a key-value pair to the action group, select **Next: Tags**. Alternately, at the top of the page, select the **Tags** tab. Otherwise, skip this step. By using tags, you can categorize your Azure resources. Tags are available for all Azure resources, resource groups, and subscriptions.

- :::image type="content" source="./media/action-groups/action-group-4-tags.png" alt-text="Screenshot that shows the Tags tab of the Create action group dialog. Values are visible in the Name and Value boxes.":::

-1. To review your settings, select **Review + create**. This step quickly checks your inputs to make sure you've entered all required information. If there are issues, they're reported here. After you've reviewed the settings, select **Create** to create the action group.

- :::image type="content" source="./media/action-groups/action-group-5-review.png" alt-text="Screenshot that shows the Review + create tab of the Create action group dialog. All configured values are visible.":::

-1. Define an action, as described in the previous few sections. Then select **Review + create**.

- >

- > If you're editing an already existing action group, you must save changes to the action group before you begin testing.

-1. On the page that lists the information you entered, select **Test action group**.

- :::image type="content" source="./media/action-groups/test-action-group.png" alt-text="Screenshot that shows the test action group page with the Test option.":::

- :::image type="content" source="./media/action-groups/test-sample-action-group.png" alt-text="Screenshot that shows the Test sample action group page with an email notification type and a webhook action type.":::

- :::image type="content" source="./media/action-groups/stop-running-test.png" alt-text="Screenshot that shows the Test Sample action group page. A dialog contains a Stop button and asks the user about stopping the test.":::

- :::image type="content" source="./media/action-groups/test-sample-failed.png" alt-text="Screenshot that shows the Test sample action group page showing a test that failed.":::

-#### Azure Resource Manager role membership requirements

-| User's role membership | Existing action group | Existing resource group and new action group | New resource group and new action group |

-> [!NOTE]

->

-> You can run a limited number of tests per time period. To check which limits apply to your situation, see [Rate limiting for voice, SMS, emails, Azure App Service push notifications, and webhook posts](./alerts-rate-limiting.md).

->

-> When you configure an action group in the portal, you can opt in or out of the common alert schema:

->

-> - To find common schema samples for all sample types, see [Alert payload samples](./alerts-payload-samples.md).

-> - To find non-common schema alert definitions, see [Non-common alert schema definitions for Test Action Group](./alerts-non-common-schema-definitions.md).

-### Resource Manager templates for an action group

-## Manage your action groups

-1. On the **Monitor** page, select **Alerts**.

-1. Select **Manage actions**.

-## Action-specific information

-The following sections provide information about the various actions and notifications that you can configure in an action group.

-> [!NOTE]

->

-> To check numeric limits on each type of action or notification, see [Subscription service limits for monitoring](../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-monitor-limits).

-### Automation runbook

-To check limits on Automation runbook payloads, see [Automation limits](../../azure-resource-manager/management/azure-subscription-service-limits.md#automation-limits).

-You are limited to 10 runbook actions per action group.

-### Azure App Service push notifications

-To enable push notifications to the Azure mobile app, provide the email address that you use as your account ID when you configure the Azure mobile app. For more information about the Azure mobile app, see [Get the Azure mobile app](https://azure.microsoft.com/features/azure-portal/mobile-app/).

-You are limited to 10 Azure app actions per action group.

-### Email

-Ensure that your email filtering and any malware/spam prevention services are configured appropriately. Emails are sent from the following email addresses:

-You might have a limited number of email actions per action group. For information about rate limits, see [Rate limiting for voice, SMS, emails, Azure App Service push notifications, and webhook posts](./alerts-rate-limiting.md).

-### Email Azure Resource Manager role

-When you use this type of notification, you can send email to the members of a subscription's role. Email is only sent to Azure Active Directory (Azure AD) **user** members of the role. Email isn't sent to Azure AD groups or service principals.

-A notification email is sent only to the *primary email* address.

-If your primary email doesn't receive notifications:

-You might have a limited number of email actions per action group. To check which limits apply to your situation, see [Rate limiting for voice, SMS, emails, Azure App Service push notifications, and webhook posts](./alerts-rate-limiting.md).

-### Event Hubs

-An Event Hubs action publishes notifications to Event Hubs. For more information about Event Hubs, see [Azure Event HubsΓÇöA big data streaming platform and event ingestion service](../../event-hubs/event-hubs-about.md). You can subscribe to the alert notification stream from your event receiver.

-### Functions

-An action that uses Functions calls an existing HTTP trigger endpoint in Functions. For more information about Functions, see [Azure Functions](../../azure-functions/functions-get-started.md). To handle a request, your endpoint must handle the HTTP POST verb.

-When you define the function action, the function's HTTP trigger endpoint and access key are saved in the action definition, for example, `https://azfunctionurl.azurewebsites.net/api/httptrigger?code=<access_key>`. If you change the access key for the function, you must remove and re-create the function action in the action group.

-You are limited to 10 function actions per action group.

- > [!NOTE]

- >

- > The function must have access to the storage account. If not, no keys will be available and the function URI won't be accessible.

- > [Learn about restoring access to the storage account](../../azure-functions/functions-recover-storage-account.md)

-### ITSM

-An ITSM action requires an ITSM connection. To learn how to create an ITSM connection, see [ITSM integration](./itsmc-overview.md).

-You are limited to 10 ITSM actions per action group.

-### Logic Apps

-You are limited to 10 Logic Apps actions per action group.

-### Secure webhook

-When you use a secure webhook action, you must use Azure AD to secure the connection between your action group and your protected web API, which is your webhook endpoint.

-#### Secure webhook PowerShell script

-### SMS

-For information about rate limits, see [Rate limiting for voice, SMS, emails, Azure App Service push notifications, and webhook posts](./alerts-rate-limiting.md).

-For important information about using SMS notifications in action groups, see [SMS alert behavior in action groups](./alerts-sms-behavior.md).

-You are limited to 10 SMS actions per action group.

-> [!NOTE]

->

-> If you can't select your country/region code in the Azure portal, SMS isn't supported for your country/region. If your country/region code isn't available, you can vote to have your country/region added at [Share your ideas](https://feedback.azure.com/d365community/idea/e527eaa6-2025-ec11-b6e6-000d3a4f09d0). In the meantime, as a workaround, configure your action group to call a webhook to a third-party SMS provider that offers support in your country/region.

-#### Countries with SMS notification support

-| Country code | Country |

-|:|:|

-| 61 | Australia |

-| 43 | Austria |

-| 32 | Belgium |

-| 55 | Brazil |

-| 1 |Canada |

-| 56 | Chile |

-| 86 | China |

-| 420 | Czech Republic |

-| 45 | Denmark |

-| 372 | Estonia |

-| 358 | Finland |

-| 33 | France |

-| 49 | Germany |

-| 852 | Hong Kong |

-| 91 | India |

-| 353 | Ireland |

-| 972 | Israel |

-| 39 | Italy |

-| 81 | Japan |

-| 352 | Luxembourg |

-| 60 | Malaysia |

-| 52 | Mexico |

-| 31 | Netherlands |

-| 64 | New Zealand |

-| 47 | Norway |

-| 351 | Portugal |

-| 1 | Puerto Rico |

-| 40 | Romania |

-| 7 | Russia |

-| 65 | Singapore |

-| 27 | South Africa |

-| 82 | South Korea |

-| 34 | Spain |

-| 41 | Switzerland |

-| 886 | Taiwan |

-| 971 | UAE |

-| 44 | United Kingdom |

-| 1 | United States |

-### Voice

-For important information about rate limits, see [Rate limiting for voice, SMS, emails, Azure App Service push notifications, and webhook posts](./alerts-rate-limiting.md).

-You are limited to 10 voice actions per action group.

-> [!NOTE]

->

-> If you can't select your country/region code in the Azure portal, voice calls aren't supported for your country/region. If your country/region code isn't available, you can vote to have your country/region added at [Share your ideas](https://feedback.azure.com/d365community/idea/e527eaa6-2025-ec11-b6e6-000d3a4f09d0). In the meantime, as a workaround, configure your action group to call a webhook to a third-party voice call provider that offers support in your country/region.

-#### Countries with Voice notification support

-| Country code | Country |

-|:|:|

-| 61 | Australia |

-| 43 | Austria |

-| 32 | Belgium |

-| 55 | Brazil |

-| 1 |Canada |

-| 56 | Chile |

-| 420 | Czech Republic |

-| 45 | Denmark |

-| 358 | Finland |

-| 353 | Ireland |

-| 972 | Israel |

-| 352 | Luxembourg |

-| 60 | Malaysia |

-| 52 | Mexico |

-| 31 | Netherlands |

-| 64 | New Zealand |

-| 47 | Norway |

-| 351 | Portugal |

-| 65 | Singapore |

-| 27 | South Africa |

-| 46 | Sweeden |

-| 44 | United Kingdom |

-| 1 | United States |

-For information about pricing for supported countries/regions, see [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/).

-### Webhook

-> [!NOTE]

->

-> If you use the webhook action, your target webhook endpoint must be able to process the various JSON payloads that different alert sources emit. You can't pass security certificates through a webhook action. To use basic authentication, you must pass your credentials through the URI. If the webhook endpoint expects a specific schema, for example, the Microsoft Teams schema, use the Logic Apps action to transform the alert schema to meet the target webhook's expectations.

-Webhook action groups use the following rules:

-The retry logic below assumes that the failure is retriable. The status codes: 408, 429, 503, 504, or HttpRequestException, WebException, `TaskCancellationException` are considered ΓÇ£retriableΓÇ¥.

-When a webhook is invoked, if the first call fails, it will be retried at least 1 more time (retry), and up to 5 times (5 retries) at various delay intervals (5, 20, 40 seconds).

-For source IP address ranges, see [Action group IP addresses](../app/ip-addresses.md).

-[Log alerts](alerts-log.md) support [configuring webhook action groups](./action-groups.md#webhook). In this article, we describe the properties that are available. You can use webhook actions to invoke a single HTTP POST request. The service that's called should support webhooks and know how to use the payload it receives.

-1. Specify if the alert rule should trigger one or more [action groups](./action-groups.md#webhook) when the alert condition is met.

-description: Understand how Azure limits the number of possible SMS, email, Azure App Service push, or webhook notifications from an action group.

-# Rate limiting for voice, SMS, emails, Azure App Service push notifications, and webhook posts

-Rate limiting is a suspension of notifications that occurs when too many notifications are sent to a particular phone number, email address, or device. Rate limiting ensures that alerts are manageable and actionable.

-The rate limit thresholds in **production** are:

- Other actions aren't rate limited.

-The rate limit thresholds for **test action group** are:

- Other actions aren't rate limited.

-## Rate limit rules

-## Next steps ##

-* Learn more about [SMS alert behavior](alerts-sms-behavior.md).

-* Get an [overview of activity log alerts](./alerts-overview.md) and learn how to receive alerts.

-* Learn how to [configure alerts whenever a service health notification is posted](../../service-health/alerts-activity-log-service-notifications-portal.md).

-description: SMS message format and responding to SMS messages to unsubscribe, resubscribe, or request help.

-# SMS alert behavior in action groups

-Action groups enable you to configure a list of actions. These groups are used when you define alerts. They ensure that a particular action group is notified when the alert is triggered. One of the actions supported is SMS. SMS notifications support bidirectional communication. A user can respond to an SMS to:

-This article covers the behavior of SMS alerts and the response actions the user can take based on the locale of the user.

-## Receive an SMS alert

-An SMS receiver configured as part of an action group receives an SMS when an alert is triggered. The SMS contains the following information:

-* Short name of the action group where this alert was sent

-* Title of the alert

-| REPLY | Description |

-| -- | -- |

-| DISABLE `<Action Group Short name>` | Disables further SMS from the action group. |

-| ENABLE `<Action Group Short name>` | Re-enables SMS from the action group. |

-| STOP | Disables further SMS from all action groups. |

-| START | Re-enables SMS from all action groups. |

-| HELP | A response is sent to the user with a link to this article. |

->[!NOTE]

->If a user has unsubscribed from SMS alerts but is then added to a new action group, they *will* receive SMS alerts for that new action group but remain unsubscribed from all previous action groups.

-## Next steps

-* Get an [overview of activity log alerts](./alerts-overview.md) and learn how to get alerted.

-* Learn more about [SMS rate limiting](alerts-rate-limiting.md).

-* Learn more about [action groups](./action-groups.md).

- Add the [IP addresses](./action-groups.md#action-specific-information) that the webhook is called from to your allowlist.

-1. Select [Add action group](../alerts/action-groups.md#create-an-action-group-by-using-the-azure-portal) and fill in the fields.

-You can add one or more decorators for each parameter. These decorators describe the parameter and define constraints for the values that are passed in. The following example shows one decorator but there are many others that are available.

-> The only permission required to delete a resource group is permission to the delete action for deleting resource groups. You do **not** need permission to delete individual resources within that resource group. Additionally, delete actions that are specified in **notActions** for a roleAssignment are superseded by the resource group delete action. This is consistent with the scope heirarchy in the Azure role-based access control model.

-Enhanced soft delete is available in all Azure public regions.

-[About Enhanced soft delete for Azure Backup (preview)](backup-azure-enhanced-soft-delete-about.md).

->- [Default policy](./backup-during-vm-creation.md#create-a-vm-with-backup-configured) will not support protecting newer Azure offerings, such as [Trusted Launch VM](backup-support-matrix-iaas.md#tvm-backup), [Ultra SSD](backup-support-matrix-iaas.md#vm-storage-support), [Shared disk](backup-support-matrix-iaas.md#vm-storage-support), and Confidential Azure VMs.

->- Enhanced policy now supports protecting Ultra SSD (preview). To enroll your subscription for this feature, [fill this form](https://forms.office.com/r/1GLRnNCntU).

-Windows 11 (Enterprise, Pro, Home) | Yes | No | Check the corresponding server version for software/module requirements

-Windows 10 (Enterprise, Pro, Home) | Yes | No | Check the corresponding server version for software/module requirements

-Windows Server 2022 (Standard, Datacenter, Essentials) | Yes | Yes | Check the corresponding server version for software/module requirements

-Windows Server 2019 (Standard, Datacenter, Essentials) | Yes | Yes | - .NET 4.5 <br> - Windows PowerShell <br> - Latest Compatible Microsoft VC++ Redistributable <br> - Microsoft Management Console (MMC) 3.0

-## Select analysis options (using standard model)

-### Select visual features

-## Get results from the service (standard model)

-## Select analysis options (using custom model)

-You can also do image analysis with a custom trained model. To create and train a model, see [Create a custom Image Analysis model](./model-customization.md). Once your model is trained, all you need is the model's name.

-### [C#](#tab/csharp)

-To use a custom model, create the [ImageAnalysisOptions](/dotnet/api/azure.ai.vision.imageanalysis.imageanalysisoptions) object and set the [ModelName](/dotnet/api/azure.ai.vision.imageanalysis.imageanalysisoptions.modelname#azure-ai-vision-imageanalysis-imageanalysisoptions-modelname) property. You don't need to set any other properties on **ImageAnalysisOptions**. There's no need to set the [Features](/dotnet/api/azure.ai.vision.imageanalysis.imageanalysisoptions.features#azure-ai-vision-imageanalysis-imageanalysisoptions-features) property, as you do with the standard model, since your custom model already implies the visual features the service extracts.

-[!code-csharp[](~/azure-ai-vision-sdk/docs/learn.microsoft.com/csharp/image-analysis/3/Program.cs?name=model_name)]

-### [Python](#tab/python)

-To use a custom model, create the [ImageAnalysisOptions](/python/api/azure-ai-vision/azure.ai.vision.imageanalysisoptions) object and set the [model_name](/python/api/azure-ai-vision/azure.ai.vision.imageanalysisoptions#azure-ai-vision-imageanalysisoptions-model-name) property. You don't need to set any other properties on **ImageAnalysisOptions**. There's no need to set the [features](/python/api/azure-ai-vision/azure.ai.vision.imageanalysisoptions#azure-ai-vision-imageanalysisoptions-features) property, as you do with the standard model, since your custom model already implies the visual features the service extracts.

-[!code-python[](~/azure-ai-vision-sdk/docs/learn.microsoft.com/python/image-analysis/3/main.py?name=model_name)]

-### [C++](#tab/cpp)

-To use a custom model, create the [ImageAnalysisOptions](/cpp/cognitive-services/vision/imageanalysis-imageanalysisoptions) object and call the [SetModelName](/cpp/cognitive-services/vision/imageanalysis-imageanalysisoptions#setmodelname) method. You don't need to call any other methods on **ImageAnalysisOptions**. There's no need to call [SetFeatures](/cpp/cognitive-services/vision/imageanalysis-imageanalysisoptions#setfeatures) as you do with standard model, since your custom model already implies the visual features the service extracts.

-[!code-cpp[](~/azure-ai-vision-sdk/docs/learn.microsoft.com/cpp/image-analysis/3/3.cpp?name=model_name)]

-### [REST API](#tab/rest)

-To use a custom model, don't use the features query parameter. Instead, set the `model-name` parameter to the name of your model as shown here. Replace `MyCustomModelName` with your custom model name.

-`https://<endpoint>/computervision/imageanalysis:analyze?api-version=2023-02-01-preview&model-name=MyCustomModelName`

-## Get results from the service (using custom model)

-* [Call the Analyze Image API](./call-analyze-image-40.md#select-analysis-options-using-custom-model)

-* See the [Model customization concepts](../concept-model-customization.md) guide for a broad overview of this feature and a list of frequently asked questions.

-The meaning of medical content is highly affected by modifiers, such as negative or conditional assertions, which can have critical implications if misrepresented. Text Analytics for health supports three categories of assertion detection for entities in the text:

-Text Analytics for health returns assertion modifiers, which are informative attributes assigned to medical concepts that provide a deeper understanding of the conceptsΓÇÖ context within the text. These modifiers are divided into three categories, each focusing on a different aspect and containing a set of mutually exclusive values. Only one value per category is assigned to each entity. The most common value for each category is the Default value. The serviceΓÇÖs output response contains only assertion modifiers that are different from the default value. In other words, if no assertion is returned, the implied assertion is the default value.

-**CONDITIONALITY** ΓÇô provides information regarding whether the existence of a concept depends on certain conditions.

-* **None** [Default]: the concept is a fact and not hypothetical and does not depend on certain conditions.

-* **Hypothetical**: the concept may develop or occur in the future.

-* **Conditional**: the concept exists or occurs only under certain conditions.

-**ASSOCIATION** ΓÇô describes whether the concept is associated with the subject of the text or someone else.

-* **Subject** [Default]: the concept is associated with the subject of the text, usually the patient.

-* **Other**: the concept is associated with someone who is not the subject of the text.

-**TEMPORAL** - provides additional temporal information for a concept detailing whether it is an occurrence related to the past, present, or future.

-* **Current** [Default]: the concept is related to conditions/events that belong to the current encounter. For example, medical symptoms that have brought the patient to seek medical attention (e.g., “started having headaches 5 days prior to their arrival to the ER”). This includes newly made diagnoses, symptoms experienced during or leading to this encounter, treatments and examinations done within the encounter.

-* **Past**: the concept is related to conditions, examinations, treatments, medication events that are mentioned as something that existed or happened prior to the current encounter, as might be indicated by hints like s/p, recently, ago, previously, in childhood, at age X. For example, diagnoses that were given in the past, treatments that were done, past examinations and their results, past admissions, etc. Medical background is considered as PAST.

-* **Future**: the concept is related to conditions/events that are planned/scheduled/suspected to happen in the future, e.g., will be obtained, will undergo, is scheduled in two weeks from now.

-Assertion detection represents negated entities as a negative value for the certainty category, for example:

-You can configure alerts based on your actual cost or forecasted cost to ensure that your spending is within your organizational spending limit. Notifications are triggered when the budget thresholds you've created are exceeded. None of your resources is affected, and your consumption isn't stopped. You can use budgets to compare and track spending as you analyze costs.

-Action Groups are currently only supported for subscription and resource group scopes. For more information about creating action groups, see [Configure basic action group settings](../../azure-monitor/alerts/action-groups.md#configure-basic-action-group-settings).

-## <a name="alerts-fusion"></a>Security incident alerts

-> The Agentless Container Posture preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available" and are excluded from the service-level agreements and limited warranty. Agentless Container Posture previews are partially covered by customer support on a best-effort basis. As such, these features aren't meant for production use.

-| Feature | Foundational CSPM capabilities | Defender CSPM | Cloud availability |

-| Defender for Containers provisioning ARC K8s Enabled | ΓÇó Azure Kubernetes Service Contributor<br>ΓÇó Kubernetes Extension Contributor<br>ΓÇó Contributor<br>ΓÇó Log Analytics Contributor |

-Defender for DevOps will be adding an additional scope to the already existing Azure DevOps (ADO) application.

-The scopes that will be added include:

-With Agentless Container Posture capabilities available in Defender CSPM, the agent-based discovery capabilities are set to be retired in June 2023. If you currently use container capabilities within Defender CSPM, please make sure that the [relevant extensions](concept-agentless-containers.md#enable-extension-for-agentless-container-posture-for-cspm) are enabled before this date to continue receiving container-related value of the new agentless capabilities such as container-related attack paths, insights, and inventory.

-Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.

-1. Sign in to your OT sensor console and select **Forwarding** on the left.

-1. Enter a meaningful name for your rule, and then define your rule details, including:

- - The minimal alert level. For example, if you select Minor, you are notified about all minor, major and critical incidents.

- - The protocols you want to include in the rule.

- - The traffic you want to include in the rule.

- - **Server**: Select **ArcSight**

- - **Host**: The ArcSight server address

- - **Port**: The ArcSight server port

- - **Timezone**: The timezone of the ArcSight server

-For more information, see:

-Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.

-1. Sign in to your OT sensor console and select **Forwarding** on the left.

-1. Enter a meaningful name for your rule, and then define your rule details, including:

- - The minimal alert level. For example, if you select Minor, you are notified about all minor, major and critical incidents.

- - The protocols you want to include in the rule.

- - The traffic you want to include in the rule.

- - **Server**: Select a SYSLOG server option, such as **SYSLOG Server (LEEF format)

- - **Host**: The IP or hostname of your LogRhythm collector

- - **Port**: Enter **514**

- - **Timezone**: Enter your timezone

-1. Select **Save** to save your forwarding rule.

-For more information, see:

-Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.

-1. Sign in to your OT sensor console and select **Forwarding** on the left.

-1. Enter a meaningful name for your rule, and then define your rule details, including:

- - The minimal alert level. For example, if you select Minor, you are notified about all minor, major and critical incidents.

- - The protocols you want to include in the rule.

- - The traffic you want to include in the rule.

- - **Server**: Select **NetWitness**

- - **Host**: The NetWitness hostname

- - **Port**: The NetWitness port

- - **Timezone**: Enter your NetWitness timezone

-For more information, see:

-> [Investigate in Microsoft Sentinel](../../../sentinel/investigate-cases.md)

-This article describes how to forward alerts generated by cloud-connected sensors only. If you're working on-premises, such as in air-gapped environments, you may be able to create a forwarding alert rule to forward alert data directly from an OT sensor or on-premises management console.

-For more information, see [Integrations with Microsoft and partner services](../integrate-overview.md).

-This tutorial will help you learn how to integrate, and use ServiceNow with Microsoft Defender for IoT.

-The Defender for IoT integration with ServiceNow provides a new level of centralized visibility, monitoring, and control for the IoT and OT landscape. These bridged platforms enable automated device visibility and threat management to previously unreachable ICS & IoT devices.

-In this tutorial, you learn how to:

-Access to ServiceNow and Defender for IoT

- To set up your system to work with an on-premises management console, you will need to disable the ServiceNow Sync, Forwarding Rules, and Proxy configurations on any sensors where they were set up.

-To access the Defender for IoT application within ServiceNow, you will need to download the application from the ServiceNow application store.

- :::image type="content" source="../media/tutorial-servicenow/search-results.png" alt-text="Screenshot of the search screen in ServiceNow.":::

- :::image type="content" source="../media/tutorial-servicenow/cyberx-app.png" alt-text="Screenshot of the search screen results.":::

- :::image type="content" source="../media/tutorial-servicenow/sign-in.png" alt-text="Sign in to the application with your credentials.":::

-Configure Defender for IoT to push alert information to the ServiceNow tables. Defender for IoT alerts will appear in ServiceNow as security incidents. This can be done by defining a Defender for IoT forwarding rule to send alert information to ServiceNow.

-Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.

-1. Sign in to the on-premises management console.

-1. Select **Forwarding**, in the left side pane.

-1. Select the :::image type="icon" source="../media/tutorial-servicenow/plus-icon.png" border="false"::: button.

- :::image type="content" source="../media/tutorial-servicenow/forwarding-rule.png" alt-text="Screenshot of the Create Forwarding Rule window.":::

-1. Add a rule name.

-1. Define criteria under which Defender for IoT will trigger the forwarding rule. Working with Forwarding rule criteria helps pinpoint and manage the volume of information sent from Defender for IoT to ServiceNow. The following options are available:

- - **Severity levels:** This is the minimum-security level incident to forward. For example, if **Minor** is selected, minor alerts, and any alert above this severity level will be forwarded. Levels are pre-defined by Defender for IoT.

- - **Protocols:** Only trigger the forwarding rule if the traffic detected was running over specific protocols. Select the required protocols from the drop-down list or choose them all.

- - **Engines:** Select the required engines or choose them all. Alerts from selected engines will be sent.

-1. In the Actions section, select **Add** and then select **ServiceNow**.

- :::image type="content" source="../media/tutorial-servicenow/select-servicenow.png" alt-text="Select ServiceNow from the dropdown options.":::

-1. Enter the ServiceNow action parameters:

- :::image type="content" source="../media/tutorial-servicenow/parameters.png" alt-text="Fill in the ServiceNow action parameters.":::

- | Domain | Enter the ServiceNow server IP address. |

- | Username | Enter the ServiceNow server username. |

- | Password | Enter the ServiceNow server password. |

- | Client ID | Enter the Client ID you received for Defender for IoT in the **Application Registries** page in ServiceNow. |

- | Client Secret | Enter the client secret string you created for Defender for IoT in the **Application Registries** page in ServiceNow. |

- | Report Type | **Incidents**: Forward a list of alerts that are presented in ServiceNow with an incident ID and short description of each alert.<br /><br />**Defender for IoT Application**: Forward full alert information, including the sensor details, the engine, the source, and destination addresses. The information is forwarded to the Defender for IoT on the ServiceNow application. |

-You'll need the `Client ID` and `Client Secret` that you entered when creating the Defender for IoT Forwarding rules. The Forwarding rules forward alert information to ServiceNow, and when configuring Defender for IoT to push device attributes to ServiceNow tables.

-1. Select **System Settings**, and then **ServiceNow** from the on-premises management console Integration section.

- :::image type="content" source="../media/tutorial-servicenow/servicenow.png" alt-text="Screenshot of the select the ServiceNow button.":::

- :::image type="content" source="../media/tutorial-servicenow/sync.png" alt-text="Screenshot of the ServiceNow sync dialog box.":::

- | Enable Sync | Enable and disable the sync after defining parameters. |

- | Sync Frequency (minutes) | By default, information is pushed to ServiceNow every 60 minutes. The minimum is 5 minutes. |

- | ServiceNow Instance | Enter the ServiceNow instance URL. |

- | Client ID | Enter the Client ID you received for Defender for IoT in the **Application Registries** page in ServiceNow. |

- | Client Secret | Enter the Client Secret string you created for Defender for IoT in the **Application Registries** page in ServiceNow. |

- | Username | Enter the username for this instance. |

- | Password | Enter the password for this instance. |

- [:::image type="content" source="../media/tutorial-servicenow/alert-list.png" alt-text="Screenshot of the Inventory or Alert.":::](../media/tutorial-servicenow/alert-list.png#lightbox)

- :::image type="content" source="../media/tutorial-servicenow/appliance.png" alt-text="Screenshot of the desired appliance from the list.":::

-## Clean up resources

-There are no resources to clean up.

-In this article, you learned how to get started with the ServiceNow integration. Continue on to learn about our [Cisco integration](../tutorial-forescout.md).

-description: In this tutorial, you will learn how to integrate Microsoft Defender for IoT with ClearPass.

-This tutorial will help you learn how to integrate ClearPass Policy Manager (CPPM) with Microsoft Defender for IoT.

-Defender for IoT detects, discovers, and classifies OT and ICS endpoints, and share information directly with ClearPass using the ClearPass Security Exchange framework, and the open API.

-In this tutorial, you learn how to:

-CPPM runs on hardware appliances with pre-installed software or as a Virtual Machine under the following hypervisors. Hypervisors that run on a client computer such as VMware Player are not supported.

-As part of the communications channel between the two products, Defender for IoT uses many APIs (both TIPS, and REST). Access to the TIPS APIs is validated via username, and password combination credentials. This user ID needs to have minimum levels of access. Do not use a Super Administrator profile, use API Administrator as shown below.

-1. In the left pane, select **Administration** > **Users and Privileges**, and select **ADD**.

- :::image type="content" source="media/tutorial-clearpass/policy-manager.png" alt-text="Screenshot of the administrator user's dialog box view.":::

-| Parameter | Description |

-|--|--|

-| **API Services** | Set to **Allow Access** |

-| **Policy Manager** | Set the following: <br />- **Dictionaries**: **Attributes** set to **Read, Write, Delete**<br />- **Dictionaries**: **Fingerprintsset** to **Read, Write, Delete**<br />- **Identity**: **Endpoints** set to **Read, Write, Delete** |

-1. In the Create API Client tab, set the following parameters:

-1. Ensure you record the **Client Secret** and the client ID. For example, `defender-rest`.

- :::image type="content" source="media/tutorial-clearpass/aruba.png" alt-text="Screenshot of the Create API Client.":::

- - **Enable Sync:** Enable the sync between Defender for IoT and ClearPass

- - **Sync Frequency:** Define the sync frequency in minutes. The default is 60 minutes. The minimum is 5 minutes.

- - **ClearPass IP Address:** The IP address of the ClearPass system with which Defender for IoT is in sync.

- - **Client ID:** The client ID that was created on ClearPass for syncing the data with Defender for IoT.

- - **Client Secret:** The client secret that was created on ClearPass for syncing the data with Defender for IoT.

- - **Username:** The ClearPass administrator user.

- - **Password:** The ClearPass administrator password.

-Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.

-1. In the Defender for IoT sensor, select **Forwarding** and then select **Create new rule**.

-1. Define a rule name.

-1. Define the rule conditions.

-1. In the Actions section, select **ClearPass**.

- :::image type="content" source="media/tutorial-clearpass/create-rule.png" alt-text="Screenshot of, create a Forwarding Rule window.":::

-1. In the **Host** field, define the ClearPass server IP and port to send alert information.

-1. Define which alert information you want to forward.

- - **Report illegal function codes:** Protocol violations - Illegal field value violating ICS protocol specification (potential exploit).

- - **Report unauthorized PLC programming and firmware updates:** Unauthorized PLC changes.

- - **Report unauthorized PLC stop:** PLC stop (downtime).

- - **Report malware related alerts:** Industrial malware attempts, such as TRITON, NotPetya.

- - **Report unauthorized scanning:** Unauthorized scanning (potential reconnaissance)

- :::image type="content" source="media/tutorial-clearpass/last-sync.png" alt-text="Screenshot of the view the time and date of your last sync.":::

-If Sync is not working, or shows an error, then itΓÇÖs likely youΓÇÖve missed capturing some of the information. Recheck the data recorded, additionally you can view the API calls between Defender for IoT and ClearPass from **Guest** > **Administration** > **Support** > **Application Log**.

-Below is an example of API logs between Defender for IoT and ClearPass.

-## Clean up resources

-There are no resources to clean up.

-In this article, you learned how to get started with the ClearPass integration. Continue on to learn about our [CyberArk integration](./tutorial-cyberark.md).

-description: In this tutorial, you will learn how to integrate Microsoft Defender for IoT with CyberArk.

-This tutorial will help you learn how to integrate, and use CyberArk with Microsoft Defender for IoT.

-Defender for IoT delivers ICS, and IIoT cybersecurity platform with ICS-aware threat analytics, and machine learning.

-The Defender for IoT appliance is connected to the OT network via a SPAN port (mirror port) on network devices such as switches, and routers via a one-way (inbound) connection to the dedicated network interfaces on the Defender for IoT appliance.

-In this tutorial, you learn how to:

-> - Stop the Integration

-1. Locate, open the `c:\Program Files\PrivateArk\Server\dbparam.xml` file.

- `[SYSLOG]` <br>

- `UseLegacySyslogFormat=Yes` <br>

- `SyslogTranslatorFile=Syslog\CyberX.xsl` <br>

- `SyslogServerIP=<CyberX Server IP>` <br>

- `SyslogServerProtocol=UDP` <br>

- `SyslogMessageCodeFilter=319,320,295,378,380` <br>

-1. Save the file, and close it.

-1. Select the **Stop Traffic Light**, to stop the server.

- :::image type="content" source="media/tutorial-cyberark/server.png" alt-text="Screenshot of the server central administration stop traffic light.":::

-In order to enable the integration, Syslog Server will need to be enabled in the Defender for IoT management console. By default, the Syslog Server listens to the IP address of the system using port 514 UDP.

-**To configure the Defender for IoT**:

-1. In Defender for IoT management console, navigate to **System Settings**.

-1. (Optional) Change the port by signing in to the system via the CLI, and navigate to `/var/cyberx/properties/syslog.properties`, and change `listener: 514/udp`.

-The integration between Microsoft Defender for IoT, and CyberArk PSM is performed via syslog messages. These messages are sent by the PSM solution to Defender for IoT, notifying Defender for IoT of any remote sessions, or verification failures.

-Once the Defender for IoT platform receives these messages from PSM, it correlates them with the data it sees in the network. Thus validating that any remote access connections to the network were generated by the PSM solution and not by an unauthorized user.

-Whenever the Defender for IoT platform identifies remote sessions that haven't been authorized by PSM, it will issue an `Unauthorized Remote Session`. To facilitate immediate investigation, the alert also shows the IP addresses and names of the source and destination devices.

-1. Sign in to the management console.

-1. Select **Alerts** from the left side panel.

- :::image type="content" source="media/tutorial-cyberark/unauthorized.png" alt-text="The Unauthorized Remote Session alert.":::

-Whenever PSM authorizes a remote connection, it is visible in the Defender for IoT Event Timeline page. The Event Timeline page shows a timeline of all alerts and notifications.

-1. Sign in to the Defender for IoT sensor.

-1. Select **Event timeline** from the left side panel.

-Administrators can audit, and investigate remote access sessions by querying the Defender for IoT platform via its built-in data mining interface. This information can be used to identify all remote access connections that have occurred including forensic details such as from, or to devices, protocols (RDP, or SSH), source, and destination users, time-stamps, and whether the sessions were authorized using PSM.

-1. Sign in to the Defender for IoT sensor.

-1. Select **Data mining** from the left side panel.

-1. In the Defender for IoT management console, navigate to the **System Settings** screen.

-## Clean up resources

-There are no resources to clean up.

-In this article, you learned how to get started with the CyberArk integration. Continue on to learn about our [Forescout integration](./tutorial-forescout.md).

-description: In this tutorial, you'll learn how to integrate Microsoft Defender for IoT with Forescout.

-> [!Note]

-> References to CyberX refer to Microsoft Defender for IoT.

-This tutorial will help you learn how to integrate Forescout with Microsoft Defender for IoT.

-Microsoft Defender for IoT delivers an ICS, and IoT cybersecurity platform. Defender for IoT is the only platform with ICS aware threat analytics, and machine learning. Defender for IoT provides:

-The Defender for IoT integration with the Forescout platform provides centralized visibility, monitoring, and control for the IoT, and OT landscape. These bridged platforms enable automated device visibility, management to ICS devices and, siloed workflows. The integration provides SOC analysts with multilevel visibility into OT protocols deployed in industrial environments. Information becomes available such as firmware, device types, operating systems, and risk analysis scores based on proprietary Microsoft Defender for IoT technologies.

-In this tutorial, you learn how to:

-If you don't already have an Azure account, you can [create your Azure free account today](https://azure.microsoft.com/free/).

-1. Enter a token description in the **Description** field.

- :::image type="content" source="media/tutorial-forescout/new-forescout-token.png" alt-text="New access token":::

- :::image type="content" source="media/tutorial-forescout/forescout-access-token-added-successfully.png" alt-text="Finish adding token":::

-1. On the Forescout platform, search for,and install **the Forescout eyeExtend module for CyberX**.

- :::image type="content" source="media/tutorial-forescout/settings-for-module.png" alt-text="Microsoft Defender for IoT module settings":::

-To make the Forescout platform, communicate with a different sensor, the configuration within Forescout has to be changed.

-Once the connection has been configured, you'll need to confirm that the two platforms are communicating.

-The Used field will alert you if the connection between the sensor and the Forescout appliance is not working. If **N/A** is displayed, the connection is not working. If **Used** is displayed, it will indicate the last time an external call with this token was received.

-By integrating Defender for IoT with Forescout, you will be able to view different device's attributes that were detected by Defender for IoT, in the Forescout application.

-| Item | Description |

-| **Firmware** | The firmware details of the device. For example, model, and version details. |

-| **Type** | The type of device. For example, a PLC, Historian or Engineering Station. |

-**To view a device's attributes**:

-1. Sign in to the Forescout platform and then navigate to the **Asset Inventory**.

- :::image type="content" source="media/tutorial-forescout/device-firmware-attributes-in-forescout.png" alt-text="View the firmware attributes.":::

-1. Select the **CyberX Platform**.

- :::image type="content" source="media/tutorial-forescout/vendor-attributes-in-forescout.png" alt-text="View the vendors attributes.":::

-### View more details

-After viewing a device's attributes, you can see more details for each device such as Forescout compliance and policy information.

-**To view additional details**:

-1. Sign in to the Forescout platform and then navigate to the **Asset Inventory**.

-1. Select the **CyberX Platform**.

-1. From the Device Inventory Hosts section, right-click on a device. The host details dialog box opens with additional information.

-Forescout policies can be used to automate control and management of devices detected by Defender for IoT. For example,

-1. In the Properties Tree, expand the CyberX Platform folder. The Defender for IoT following properties are available.

- :::image type="content" source="media/tutorial-forescout/forescout-property-tree.png" alt-text="Properties":::

-## Clean up resources

-There are no resources to clean up.

-In this article, you learned how to get started with the Forescout integration. Continue on to learn about our [Palo Alto integration](./tutorial-palo-alto.md).

-description: In this article, you'll learn how to integrate Microsoft Defender for IoT with Fortinet.

-This tutorial will help you learn how to integrate, and use Fortinet with Microsoft Defender for IoT.

-Microsoft Defender for IoT mitigates IIoT and ICS and SCADA risk with ICS-aware self-learning engines that deliver immediate insights about ICS devices, vulnerabilities, and threats. Defender for IoT accomplishes this without relying on agents, rules, signatures, specialized skills, or prior knowledge of the environment.

-Defender for IoT, and Fortinet have established a technological partnership that detects, and stop attacks on IoT, and ICS networks.

-Fortinet, and Microsoft Defender for IoT prevent:

-Defender for IoT detects anomalous behavior in IoT, and ICS networks and delivers that information to FortiGate, and FortiSIEM, as follows:

-FortiSIEM, and FortinetΓÇÖs multivendor security incident, and events management solution brings visibility, correlation, automated response, and remediation to a single scalable solution.

-Using a Business Services view, the complexity of managing network and security operations is reduced, freeing resources, improving breach detection. FortiSIEM provides cross correlation while applying machine learning, and UEBA to improve response, in order to stop breaches before they occur.

-In this tutorial, you learn how to:

-If you do not already have an Azure account, you can [create your Azure free account today](https://azure.microsoft.com/free/).

-There are no prerequisites for this tutorial.

- | **Administrator Profile** | From the dropdown list, select the profile name that you have defined in the previous step. |

- | **Restrict login to trusted hosts** | Add the IP addresses of the sensors, and management consoles that will connect to FortiGate. |

-When the API key is generated, save it as it will not be provided again.

-Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.

-1. Sign in to the Microsoft Defender for IoT Management Console.

-1. In the left pane, select **Forwarding**.

- [:::image type="content" source="media/tutorial-fortinet/forwarding-view.png" alt-text="Screenshot of the Forwarding window option in a sensor.":::](media/tutorial-fortinet/forwarding-view.png#lightbox)

-1. Select **Create Forwarding Rules** and define the following rule parameters.

- | | -- |

- | **Name** | Enter a meaningful name for the forwarding rule. |

- | **Select Severity** | From the drop-down menu, select the minimal security level incident to forward. For example, if **Minor** is selected, minor alerts and any alert above this severity level will be forwarded. |

- | **Protocols** | To select a specific protocol, select **Specific**, and select the protocol for which this rule is applied. By default, all the protocols are selected. |

- | **Engines** | To select a specific security engine for which this rule is applied, select **Specific**, and select the engine. By default, all the security engines are involved. |

- | **System Notifications** | Forward the sensor's *online* and *offline* status. This option is only available if you have logged into the on-premises management console. |

-1. In the Actions section, select **Add**, and then select **Send to FortiGate** from the drop-down menu.

- :::image type="content" source="media/tutorial-fortinet/fortigate.png" alt-text="Screenshot of the Add an action section of the Create Forwarding Rule window.":::

-1. To configure the FortiGate forwarding rule, set the following parameters:

- :::image type="content" source="media/tutorial-fortinet/configure.png" alt-text="Screenshot of the configure the Create Forwarding Rule window.":::

- | **Host** | Enter the FortiGate server IP address. |

- | **API Key** | Enter the [API key](#create-an-api-key-in-fortinet) that you created in FortiGate. |

- | **Configure**| Ensure a **√** is showing in the following options to enable blocking of suspicious sources via the FortiGate firewall: <br> - **Block illegal function codes**: Protocol violations - Illegal field value violating ICS protocol specification (potential exploit) <br /> - **Block unauthorized PLC programming / firmware updates**: Unauthorized PLC changes <br /> - **Block unauthorized PLC stop**: PLC stop (downtime) <br> - **Block malware-related alerts**: Blocking of the industrial malware attempts (TRITON, NotPetya, etc.). <br> - **(Optional)** You can select the option for **Automatic blocking**. If Automatic Blocking is selected, blocking is executed automatically, and immediately. <br /> - **Block unauthorized scanning**: Unauthorized scanning (potential reconnaissance) |

-1. Select **Submit**.

-1. Sign in to the management console and select **Alerts** from the left side menu.

- :::image type="content" source="media/tutorial-fortinet/block-source.png" alt-text="Screenshot of the Alert window.":::

-You can configure Defender for IoT to send alerts to the FortiSIEM server, where alert information is displayed in the Analytics window:

-Each Defender for IoT alert is then parsed without any other configuration on the FortiSIEM, side and they are presented in the FortiSIEM as security events. The following event details appear by default:

-Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.

-1. From the sensor, or management console left pane, select **Forwarding**.

- [:::image type="content" source="media/tutorial-fortinet/forwarding-view.png" alt-text="Screenshot of the view of your forwarding rules in the Forwarding window.":::](media/tutorial-fortinet/forwarding-view.png#lightbox)

-2. Select **Create Forwarding Rules**, and define the rule's parameters.

- | **Name** | Enter a meaningful name for the forwarding rule. |

- | **Select Severity** | Select the minimum security level incident to forward. For example, if **Minor** is selected, minor alerts and any alert above this severity level will be forwarded. |

- | **Protocols** | To select a specific protocol, select **Specific**, and select the protocol for which this rule is applied. By default, all the protocols are selected. |

- | **Engines** | To select a specific security engine for which this rule is applied, select **Specific** and select the engine. By default, all the security engines are involved. |

- | **System Notifications** | Forward a sensor's *online*, or *offline* status. This option is only available if you have logged into the on-premises management console. |

-3. In the actions section, select **Send to FortiSIEM**.

- :::image type="content" source="media/tutorial-fortinet/forward-rule.png" alt-text="Screenshot of the create a Forwarding Rule and select send to Fortinet.":::

-4. Enter the FortiSIEM server details.

- :::image type="content" source="media/tutorial-fortinet/details.png" alt-text="Screenshot of the add the FortiSIEm details to the forwarding rule.":::

- | | -- |

- | **Host** | Enter the FortiSIEM server IP address. |

- | **Port** | Enter the FortiSIEM server port. |

-5. Select **Submit**.

-You can set policies to automatically block malicious sources in the FortiGate firewall using alerts in Defender for IoT.

-1. Sign in to the Defender for IoT sensor, or the management console, and select **Forwarding**, [set a forwarding rule that blocks malware-related alerts](#set-a-forwarding-rule-to-block-malware-related-alerts).

-1. In the Defender for IoT sensor, or the management console, and select **Alerts**, and [block a malicious source](#block-a-malicious-source-using-the-fortigate-firewall).

- :::image type="content" source="media/tutorial-fortinet/administrator.png" alt-text="Screenshot of the FortiGate Administrator window view.":::

- The blocking policy will be automatically created, and appears in the FortiGate IPv4 Policy window.

- :::image type="content" source="media/tutorial-fortinet/policy.png" alt-text="Screenshot of the FortiGate IPv4 Policy window view.":::

-1. Select the policy and ensure that Enable this policy is toggled to on position.

- :::image type="content" source="media/tutorial-fortinet/edit.png" alt-text="Screenshot of the FortiGate IPv4 Policy Edit view.":::

-## Clean up resources

-There are no resources to clean up.

-In this article, you learned how to get started with the Fortinet integration. Continue on to learn about our [Palo Alto integration](./tutorial-palo-alto.md)

-This tutorial will help you learn how to integrate, and use Palo Alto with Microsoft Defender for IoT.

-In this tutorial, you learn how to:

-### Panorama permissions

-Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.

-1. In the left pane, select **Forwarding**.

-1. Select **Create rule**.

-1. From the Actions drop down menu, select **Send to Palo Alto NGFW**.

-1. In the Actions pane, set the following parameters:

- - **Host**: Enter the NGFW server IP address.

- - **Port**: Enter the NGFW server port.

- - **Username**: Enter the NGFW server username.

- - **Password**: Enter the NGFW server password.

- - **Configure**: Set up the following options to allow blocking of the suspicious sources by the Palo Alto firewall:

- - **Block illegal function codes**: Protocol violations - Illegal field value violating ICS protocol specification (potential exploit).

- - **Block unauthorized PLC programming/firmware updates**: Unauthorized PLC changes.

- - **Block unauthorized PLC stop**: PLC stop (downtime).

- - **Block malware-related alerts**: Blocking of industrial malware attempts (TRITON, NotPetya, etc.). You can select the option of **Automatic blocking**. In that case, the blocking is executed automatically and immediately.

- - **Block unauthorized scanning**: Unauthorized scanning (potential reconnaissance).

- :::image type="content" source="media/tutorial-palo-alto/edit.png" alt-text="Screenshot of the Edit your Forwarding Rule screen.":::

-1. Select **Submit**.

-1. Navigate to the **Alerts** pane, and select the alert related to the Palo Alto integration.

-1. To automatically block the suspicious source, select **Block Source**. The **Please Confirm** dialog box appears.

- :::image type="content" source="media/tutorial-palo-alto/unauthorized.png" alt-text="Screenshot of the Block Source button, to block the unauthorized source.":::

-1. Select **OK**.

-Defender for IoT, and Palo Alto Network's integration automatically creates new policies in the Palo Alto Network's NMS, and Panorama.

-When Defender for IoT detects a pre-configured use case, the **Block Source** button is added to the alert. Then, when the CyberX user selects the **Block Source** button, Defender for IoT creates policies on Panorama by sending the predefined forwarding rule.

-In addition, Defender for IoT sends an email to the relevant Panorama user to notify that a new policy created by Defender for IoT is waiting for the approval. The figure below presents the Defender for IoT-Panorama Integration Architecture.

-1. In the console left pane, select **System settings** > **Network monitoring** > **DNS Reverse Lookup**.

-1. Select **Add DNS server**.

-1. In the **Number of Labels** field instruct Defender for IoT to automatically resolve network IP addresses to device FQDNs. <br /> To configure DNS FQDN resolution, add the number of domain labels to display. Up to 30 characters are displayed from left to right.

-1. Add the following server details:

- - **DNS Server Address**: Enter the IP address, or the FQDN of the network DNS Server.

- - **DNS Server Port**: Enter the port used to query the DNS server.

- - **Subnets**: Set the Dynamic IP address subnet range. The range that Defender for IoT reverses lookup their IP address in the DNS server to match their current FQDN name.

-1. Select **Save**.

-1. Turn on the **Enabled** toggle to activate the lookup.

-## Block suspicious traffic with the Palo Alto firewall

-Suspicious traffic will need to be blocked with the Palo Alto firewall. You can block suspicious traffic through the use forwarding rules in Defender for IoT.

-Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.

-**To block suspicious traffic with the Palo Alto firewall using a Defender for IoT forwarding rule**:

-1. In the left pane, select **Forwarding**.

-1. Select **Create Forwarding Rule**.

-1. From the **Actions** drop down menu, select **Send to Palo Alto Panorama**.

-1. In the Actions pane, set the following parameters:

- - **Host**: Enter the Panorama server IP address.

- - **Port**: Enter the Panorama server port.

- - **Username**: Enter the Panorama server username.

- - **Password**: Enter the Panorama server password.

- - **Report Address**: Define how the blocking is executed, as follows:

- - **By IP Address**: Always creates blocking policies on Panorama based on the IP address.

- - **By FQDN or IP Address**: Creates blocking policies on Panorama based on FQDN if it exists, otherwise by the IP Address.

- - **Email**: Set the email address for the policy notification email

- - **Execute a DNS lookup upon alert detection (Checkbox)**: When the FQDN, or IP Address option is set in the Report Address. This checkbox is selected by default. If only the IP address is set, this option is disabled.

- - **Configure**: Set up the following options to allow blocking of the suspicious sources by the Palo Alto Panorama:

- - **Block illegal function codes**: Protocol violations - Illegal field value violating ICS, protocol specification (potential exploit).

- - **Block unauthorized PLC programming/firmware updates**: Unauthorized PLC changes.

- - **Block unauthorized PLC stop**: PLC stop (downtime).

- - **Block malware-related alerts**: Blocking of industrial malware attempts (TRITON, NotPetya, etc.). You can select the option of **Automatic blocking**. In that case, the blocking is executed automatically and immediately.

- - **Block unauthorized scanning**: Unauthorized scanning (potential reconnaissance).

- :::image type="content" source="media/tutorial-palo-alto/details.png" alt-text="Screenshot of the Select action screen.":::

-1. Select **Submit**.

-You'll then need to block the suspicious source.

-**To block the suspicious source**:

-1. In the **Alerts** pane, select the alert related to Palo Alto integration. The **AlertΓÇÖs Details** dialog box appears.

- :::image type="content" source="media/tutorial-palo-alto/unauthorized.png" alt-text="Screenshot of the alert screen, select the one related to Palo Alto, and then select block source.":::

-1. Select **OK.**

-## Clean up resources

-There are no resources to clean up.

-In this article, you learned how to get started with the [Palo Alto integration](./tutorial-splunk.md).

-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

-1. In the Data Sources window, select **Log Sources**. For example:

- [:::image type="content" source="media/tutorial-qradar/log.png" alt-text="Screenshot of selecting a log sources from the available options.":::](media/tutorial-qradar/log.png#lightbox)

-1. In the **Modal** window, select **Add**. For example:

- [:::image type="content" source="media/tutorial-qradar/modal.png" alt-text="Screenshot of after selecting Syslog the modal window opens.":::](media/tutorial-qradar/modal.png#lightbox)

- - **Log Source Name**: `<Sensor name>`

- - **Log Source Description**: `<Sensor name>`

- - **Log Source Type**: `Universal LEEF`

- - **Protocol Configuration**: `Syslog`

- - **Log Source Identifier**: `<Sensor name>`

-1. Select **Save** > **Deploy Changes**. For example.

- :::image type="content" source="media/tutorial-qradar/deploy.png" alt-text="Screenshot of the Deploy Changes view":::

-Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.

-1. Sign in to the on-premises management console and select **Forwarding** on the left.

-1. Enter values for the rule name and conditions. In the **Actions** area, select **Add**, and then select **Qradar**. For example:

- :::image type="content" source="media/tutorial-qradar/create.png" alt-text="Screenshot of the Create a Forwarding Rule window.":::

-1. Define the QRadar IP address and timezone, and then select **Save**.

-1. Sign into your QRadar console, select **QRadar**> **Log Activity** .

-1. Select **Add Filter** and define the following parameters:

- - **Parameter**: `Log Sources [Indexed]`

- - **Operator**: `Equals`

- - **Log Source Group**: `Other`

- - **Log Source**: `<Xsense Name>`

- - New Property: _choose from the list below_

- - Sensor Alert Description

- - Sensor Alert ID

- - Sensor Alert Score

- - Sensor Alert Title

- - Sensor Destination Name

- - Sensor Direct Redirect

- - Sensor Sender IP

- - Sensor Sender Name

- - Sensor Alert Engine

- - Sensor Source Device Name

- - Check **Optimize Parsing**

- - Field Type: `AlphaNumeric`

- - Check **Enabled**

- - Log Source Type: `Universal LEAF`

- - Log Source: `<Sensor Name>`

- - Event Name (should be already set as Sensor Alert)

- - Capture Group: 1

- - Regex:

- - Sensor Alert Description RegEx: `msg=(.*)(?=\t)`

- - Sensor Alert ID RegEx: `alertId=(.*)(?=\t)`

- - Sensor Alert Score RegEx: `Detected score=(.*)(?=\t)`

- - Sensor Alert Title RegEx: `title=(.*)(?=\t)`

- - Sensor Destination Name RegEx: `dstName=(.*)(?=\t)`

- - Sensor Direct Redirect RegEx: `rta=(.*)(?=\t)`

- - Sensor Sender IP: RegEx: `reporter=(.*)(?=\t)`

- - Sensor Sender Name RegEx: `senderName=(.*)(?=\t)`

- - Sensor Alert Engine RegEx: `engine =(.*)(?=\t)`

- - Sensor Source Device Name RegEx: `src`

-In this tutorial, you learned how to get started with the QRadar integration. Continue on to learn how to [Integrate ServiceNow with Microsoft Defender for IoT](tutorial-servicenow.md).

-> [Integrate ServiceNow with Microsoft Defender for IoT](tutorial-servicenow.md)

-This tutorial will help you learn how to integrate, and use Splunk with Microsoft Defender for IoT.

-> [!Note]

-> References to CyberX refer to Microsoft Defender for IoT.

-In this tutorial, you learn how to:

-> * Download the Defender for IoT application in Splunk

-> * Send Defender for IoT alerts to Splunk

-* Defender for IoT version 2.4 and above.

-* Splunkbase version 11 and above.

-* Splunk Enterprise version 7.2 and above.

-### Splunk permission requirements

-The following Splunk permission is required:

-* Any user with an *Admin* level user role.

-To access the Defender for IoT application within Splunk, you will need to download the application form the Splunkbase application store.

-The Defender for IoT alerts provides information about an extensive range of security events. These events include:

-* Deviations from the learned baseline network activity.

-* Malware detections.

-* Detections based on suspicious operational changes.

-* Network anomalies.

-* Protocol deviations from protocol specifications.

- :::image type="content" source="media/tutorial-splunk/address-scan.png" alt-text="A screen capture if an Address Scan Detected alert.":::

-To send alert information to the Splunk servers from Defender for IoT, you will need to create a Forwarding Rule.

-Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.

-1. Sign in to the sensor, and select **Forwarding** from the left side pane.

-1. Select **Create nre rule**.

-1. In the **Add forwarding rule** dialog box, define the rule parameters.

- :::image type="content" source="media/tutorial-splunk/forwarding-rule.png" alt-text="Create the rules for your forwarding rule." lightbox="media/tutorial-splunk/forwarding-rule-expanded.png":::

- | **Name** | The forwarding rule name. |

- | **Select Severity** | The minimal security level incident to forward. For example, if Minor is selected, minor alerts and any alert above this severity level will be forwarded. |

- | **Protocols** | By default, all the protocols are selected. To select a specific protocol, select **Specific** and select the protocol for which this rule is applied. |

- | **Engines** | By default, all the security engines are involved. To select a specific security engine for which this rule is applied, select **Specific** and select the engine. |

- | **System Notifications** | Forward sensor system notifications to the Splunk server. For example, send the online/offline status of connected sensor. This option is only available if you have logged into the Central Manager. |

-1. Select **Action**, and then select **Send to Splunk Server**.

-1. Enter the following Splunk parameters.

- | **Host** | Splunk server address |

- | **Port** | 8089 |

- | **Username** | Splunk server username |

- | **Password** | Splunk server password |

-1. Select **Submit**.

-## Clean up resources

-There are no resources to clean up.

-In this tutorial, you learned how to get started with the Splunk integration. Continue on to learn how to [Integrate ServiceNow with Microsoft Defender for IoT](tutorial-servicenow.md).

-> [Integrate ServiceNow with Microsoft Defender for IoT](tutorial-servicenow.md)

-The [Jobs API](/rest/api/digital-twins/dataplane/import-jobs) is a data plane API that allows you to import a set of models, twins, and/or relationships in a single API call. Jobs API operations are also included with the [CLI commands](/cli/azure/dt/job) and [data plane SDKs](#data-plane-apis). Using the Jobs API requires use of [Azure Blob Storage](../storage/blobs/storage-blobs-introduction.md).

-You can use the [Jobs API](concepts-apis-sdks.md#bulk-import-with-the-jobs-api) to create many relationships at once in a single API call. This method requires the use of [Azure Blob Storage](../storage/blobs/storage-blobs-introduction.md), as well as [write permissions](concepts-apis-sdks.md#check-permissions) in your Azure Digital Twins instance for relationships and bulk jobs.

-You can use the [Jobs API](concepts-apis-sdks.md#bulk-import-with-the-jobs-api) to upload multiple models, twins, and relationships to your instance in a single API call, effectively creating the graph all at once. This method requires the use of [Azure Blob Storage](../storage/blobs/storage-blobs-introduction.md), as well as [write permissions](concepts-apis-sdks.md#check-permissions) in your Azure Digital Twins instance for graph elements (models, twins, and relationships) and bulk jobs.

-For large model sets, you can use the [Jobs API](concepts-apis-sdks.md#bulk-import-with-the-jobs-api) to upload many models at once in a single API call. The API can simultaneously accept up to the [Azure Digital Twins limit for number of models in an instance](reference-service-limits.md), and it automatically reorders models if needed to resolve dependencies between them. This method requires the use of [Azure Blob Storage](../storage/blobs/storage-blobs-introduction.md), as well as [write permissions](concepts-apis-sdks.md#check-permissions) in your Azure Digital Twins instance for models and bulk jobs.

-You can use the [Jobs API](concepts-apis-sdks.md#bulk-import-with-the-jobs-api) to create many twins at once in a single API call. This method requires the use of [Azure Blob Storage](../storage/blobs/storage-blobs-introduction.md), as well as [write permissions](concepts-apis-sdks.md#check-permissions) in your Azure Digital Twins instance for twins and bulk jobs.

-> When compiling configurations for Windows, use **PSDesiredStateConfiguration** version 2.0.5 (the

-### Microsoft.KeyVault.Data

-Policies with mode `Microsoft.KeyVault.Data` are applicable if the `type` condition of the policy rule evaluates to true. The `type` refers to component type, such as:

-### Microsoft.ManagedHSM.Data

-Policies with mode `Microsoft.ManagedHSM.Data` are applicable if the `type` condition of the policy rule evaluates to true. The `type` refers to component type:

-> There are several other actions an alert can trigger besides an Email/SMS/Push/Voice, such as an Azure Function, LogicApp, Webhook, ITSM, and Automation Runbook. [Learn More.](../azure-monitor/alerts/action-groups.md#action-specific-information)

-description: Learn about the open-source components and versions in Azure HDInsight 5.x

-## Public preview

-From February 27, 2023 we have started rolling out a new version of HDInsight 5.1, this version is backward compatible with HDInsight 4.0. and 5.0. All new open-source releases added as incremental releases on HDInsight 5.1.

-**All upgraded cluster shapes are supported as part of HDI 5.1.**

-## Open-source components available with HDInsight version 5.x

-The Open-source component versions associated with HDInsight 5.1 listed in the following table.

-\* Under development/Planned

-** Public Preview

-> ESP isn't supported for HDI 5.1 clusters.

-Apache Spark versions supported in Azure HDIinsight

-|Apache Spark version on HDInsight|Release date|Release stage|End of life announcement date|End of standard support|End of basic support|

-|2.4|July 8, 2019|End of Life Announced (EOLA)| Feb10,2023| Aug 10,2023|Feb 10,2024|

-|3.1|March 11,2022|GA |-|-|-|

-|3.3|To be announced for Public Preview|-|-|-|-|

-### Apache Spark 2.4 to Spark 3.x Migration Guides

-Spark 2.4 to Spark 3.x Migration Guides see [here](https://spark.apache.org/docs/latest/migration-guide.html).

-## HDInsight version 5.0

-Starting from June 1, 2022, we have started rolling out a new version of HDInsight 5.0, this version is backward compatible with HDInsight 4.0. All new open-source releases will be added as incremental releases on HDInsight 5.0.

-> [!NOTE]

-> * If you are using Azure User Interface to create a Spark Cluster for HDInsight, you will see from the dropdown list an additional version Spark 3.1.(HDI 5.0) along with the older versions. This version is a renamed version of Spark 3.1.(HDI 4.0) and it is backward compatible.

-> * This is only a UI level change, which doesnΓÇÖt impact anything for the existing users and users who are already using the ARM template to build their clusters.

-> * For backward compatibility, ARM supports creating Spark 3.1 with HDI 4.0 and 5.0 versions which maps to same versions Spark 3.1 (HDI 5.0)

-> * Spark 3.1 (HDI 5.0) cluster comes with HWC 2.0 which works well together with Interactive Query (HDI 5.0) cluster.

-> [!NOTE]

-> * If you are creating an Interactive Query Cluster, you will see from the dropdown list another version as Interactive Query 3.1 (HDI 5.0).

-> * If you are going to use Spark 3.1 version along with Hive which require ACID support via Hive Warehouse Connector (HWC). You need to select this version Interactive Query 3.1 (HDI 5.0).

-### Kafka

-Current ARM template supports HDI 5.0 for Kafka 2.4.1

-`HDI Version '5.0' is supported for clusterType "Kafka" and component Version '2.4'.`

-We have fixed the arm templated issue.

-### Upcoming version upgrades.

-HDInsight team is working on upgrading other open-source components.

-* HWC 2.1 

-| GET | ../studies/{study}/series/{series}/instances/{instance}/frames/{frames} | Retrieves one or many frames from a single instance. To specify more than one frame, a comma separate each frame to return. For example, /studies/1/series/2/instance/3/frames/4,5,6 |

-| `404 (Not Found)` | The specified DICOM resource couldn't be found. |

-| `406 (Not Acceptable)` | The specified `Accept` header isn't supported. |

-| GET | ../studies/{study}/series/{series}/instances/{instance}/frames/{frames} | Retrieves one or many frames from a single instance. To specify more than one frame, use a comma to separate each frame to return. For example, /studies/1/series/2/instance/3/frames/4,5,6 |

-| `404 (Not Found)` | The specified DICOM resource couldn't be found. |

-| `406 (Not Acceptable)` | The specified `Accept` header isn't supported. |

- Note : In the scenarios where FHIR service audience parameter is not mapped to FHIR service endpoint url, the resource parameter value should be mapped to Audience value under FHIR Service Authentication blade.

-FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

-FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

-MLflow, with over 13 million monthly downloads, has become the standard platform for end-to-end MLOps, enabling teams of all sizes to track, share, package and deploy any model for batch or real-time inference. By integrating with MLflow, your training code will not need to hold any specific code related to Azure Machine Learning, achieving true portability and seamless integration with other open-source platforms.

-To use MLflow tracking, you will need to install `mlflow` and `azureml-mlflow` Python packages. All Azure Machine Learning environments have these packages already available for you but you will need to include them if creating your own environment.

-> [!TIP]

-> You can use the [`mlflow-skinny`](https://github.com/mlflow/mlflow/blob/master/README_SKINNY.rst) which is a lightweight MLflow package without SQL storage, server, UI, or data science dependencies. This is recommended for users who primarily need the tracking and logging capabilities without importing the full suite of MLflow features including deployments.

-Azure Machine Learning allows users to perform tracking in training jobs running on your workspace or running remotely (tracking experiments running outside Azure Machine Learning). If performing remote tracking, you will need to indicate the workspace you want to connect MLflow to.

-Once the tracking is configured, you'll also need to configure how the authentication needs to happen to the associated workspace. By default, the Azure Machine Learning plugin for MLflow will perform interactive authentication by opening the default browser to prompt for credentials. Refer to [Configure MLflow for Azure Machine Learning: Configure authentication](how-to-use-mlflow-configure-tracking.md#configure-authentication) for more ways to configure authentication for MLflow in Azure Machine Learning workspaces.

-* The string will be logged as an _artifact_, not as a metric. In Azure Machine Learning studio, the value will be displayed in the __Outputs + logs__ tab.

-The image is logged as an artifact and will appear in the __Images__ tab in Azure Machine Learning Studio.

-* The image is logged as an artifact and will appear in the __Images__ tab in Azure Machine Learning Studio.

-* The `mlflow.log_figure` method is __experimental__.

-You can access run information using the MLflow run object's `data` and `info` properties. For more information, see [mlflow.entities.Run](https://mlflow.org/docs/latest/python_api/mlflow.entities.html#mlflow.entities.Run) reference.

-finished_mlflow_run = MlflowClient().get_run(mlflow_run.info.run_id)

-To download an artifact, use [MlFlowClient.download_artifacts](https://www.mlflow.org/docs/latest/python_api/mlflow.tracking.html#mlflow.tracking.MlflowClient.download_artifacts):

-client.download_artifacts(finished_mlflow_run.info.run_id, "Azure.png")

-* [Track ML experiments and models with MLflow](how-to-use-mlflow-cli-runs.md)

-* [Log and view metrics](how-to-log-view-metrics.md)

-| `continue_on_step_failure` | boolean | Whether the execution of steps in the pipeline should continue if one step fails. The default value is `False`, which means that if one step fails, the pipeline execution will be stopped, canceling any running steps. | `False` |

-2. On the Azure Migrate dashboard, select **Servers, databases and web apps** > **Create project** on the top left.

-**Supported servers** | supported only for servers running SQL Server in your VMware, Microsoft Hyper-V, and Physical/Bare metal environments as well as IaaS Servers of other public clouds such as AWS, GCP, etc. You can discover up to 300 SQL Server instances or 6,000 SQL databases, whichever is less.

-**Supported servers** | supported only for servers running SQL Server in your VMware, Microsoft Hyper-V, and Physical/Bare metal environments as well as IaaS Servers of other public clouds such as AWS, GCP, etc. You can discover up to 300 SQL Server instances or 6,000 SQL databases, whichever is less.

-**Supported servers** | Supported only for servers running SQL Server in your VMware, Microsoft Hyper-V, and Physical/Bare metal environments as well as IaaS Servers of other public clouds such as AWS, GCP, etc. You can discover up to 300 SQL Server instances or 6,000 SQL databases, whichever is less.

-By default, the slow query log is disabled. To enable logs, set the `slow_query_log` server parameter to *ON*. This can be configured using the Azure portal or Azure CLI <!-- add link to server parameter-->.

-In this quickstart shows how to create an automated workflow usingPower automate flow with [Azure database for MySQL connector(Preview)](/connectors/azuremysql/).

-Create a cloud flow when you want your automation to be triggered either automatically, instantly, or via a schedule. Here are types of flows you can create and then use with Azure database for MySQL connector.

-2. In the box that shows Search connectors and actions, enter **Azure database for MySQL**.

-3. Select **Azure database for MySQL** connector and then select **Get Rows** operation. Get rows operation allows you to get all the rows from a table or query.

- :::image type="content" source="./media/tutorial-power-automate-with-mysql/azure-mysql-connector-add-action.png" alt-text="Screenshot that shows how to view all the actions for Azure database for MySQL connector.":::

-[Azure database for MySQL connector](/connectors/azuremysql/) reference

-| Supported versions | 10, 11 | 11, 12, 13, 14 |

-Azure Database for PostgreSQL Flexible server supports PostgreSQL versions 11, 12,13, and 14. Postgres community releases a new major version containing new features about once a year. Additionally, major version receives periodic bug fixes in the form of minor releases. Minor version upgrades include changes that are backward-compatible with existing applications. Azure Database for PostgreSQL Flexible service periodically updates the minor versions during customerΓÇÖs maintenance window. Major version upgrades are more complicated than minor version upgrades as they can include internal changes and new features that may not be backward-compatible with existing applications.

-> If TIMESCALEDB, PG_PARTMAN or POSTGIS_TIGER_DECODER extensions are used in your single server database, please raise a support request since the Single to Flex migration tool will not handle these extensions.

-description: Discover which Azure Stack Edge versions are compatible with each packet core version

-Each site in your deployment contains an Azure Stack Edge (ASE) Pro device that hosts a packet core instance. This article provides information on version compatibility between ASE and packet core that you can refer to when installing a packet core instance or performing an upgrade.

-## Packet core and ASE compatibility table

-## Remaining usable resource on ASE Pro GPU

-| Resource | Value |

-|--|--|

-| vCPUs | 16 |

-| Memory | 56 GB |

-| Storage | ~3.75 TB |

-# What is Azure Monitor for SAP solutions? (preview)

-When you have critical SAP applications and business processes that rely on Azure resources, you might want to monitor those resources for availability, performance, and operation. *Azure Monitor for SAP solutions* is an Azure-native monitoring product for SAP landscapes that run on Azure. Azure Monitor for SAP solutions uses specific parts of the [Azure Monitor](../../azure-monitor/overview.md) infrastructure. You can use Azure Monitor for SAP solutions with both [SAP on Azure Virtual Machines (Azure VMs)](../../virtual-machines/workloads/sap/hana-get-started.md) and [SAP on Azure Large Instances](../../virtual-machines/workloads/sap/hana-overview-architecture.md).

-There are currently two versions of this product, *Azure Monitor for SAP solutions* and *Azure Monitor for SAP solutions (classic)*.

-The following table provides a quick comparison of the Azure Monitor for SAP solutions (classic) and Azure Monitor for SAP solutions.

-| Azure Monitor for SAP solutions | Azure Monitor for SAP solutions (classic) |

-| - | -- |

-| Azure Functions-based collector architecture | VM-based collector architecture |

-| Support for Microsoft SQL Server, SAP HANA, and IBM Db2 databases | Support for Microsoft SQL Server, and SAP HANA databases |

-Data collection in Azure Monitor for SAP solutions depends on the providers that you configure. During public preview, the following data is collected.

-Microsoft SQL server data includes:

-### OS (Linux) data

-OS (Linux) data includes:

-There are separate explanations for the [Azure Monitor for SAP solutions architecture](#azure-monitor-for-sap-solutions-architecture) and the [Azure Monitor for SAP solutions (classic) architecture](#azure-monitor-for-sap-solutions-classic-architecture).

-Some important points about the architecture include:

-### Azure Monitor for SAP solutions architecture

- - An **Azure Functions resource** that hosts the monitoring code. This logic collects data from the source systems and transfers the data to the monitoring framework.

- - The **Log Analytics workspace**, which is the destination for storing data. Optionally, you can choose to use an existing workspace in the same subscription as your Azure Monitor for SAP solutions resource at deployment.

-

-[Azure Workbooks](../../azure-monitor/visualize/workbooks-overview.md) provides customizable visualization of the data in Log Analytics. To automatically refresh your workbooks or visualizations, pin the items to the Azure dashboard. The maximum refresh frequency is every 30 minutes.

-

-You can also use Kusto Query Language (KQL) to [run log queries](../../azure-monitor/logs/log-query-overview.md) against the raw tables inside the Log Analytics workspace.

-### Azure Monitor for SAP solutions (classic) architecture

-The following diagram shows, at a high level, how Azure Monitor for SAP solutions (classic) collects data from the SAP HANA database. The architecture is the same if SAP HANA is deployed on Azure VMs or Azure Large Instances.

- Diagram of the Azure Monitor for SAP solutions (classic) architecture. The customer connects to the Azure Monitor for SAP solutions resource through the Azure portal. There's a managed resource group containing Log Analytics, Azure Functions, Key Vault, and Storage queue. The Azure function connects to the providers. Providers include SAP NetWeaver (ABAP and JAVA), SAP HANA, Microsoft SQL Server, Pacemaker clusters, and Linux OS.

-The key components of the architecture are:

- - **Azure VM**, also known as the *collector VM*, which is a **Standard_B2ms** VM. The main purpose of this VM is to host the *monitoring payload*. The monitoring payload is the logic of collecting data from the source systems and transferring the data to the monitoring framework. In the architecture diagram, the monitoring payload contains the logic to connect to the SAP HANA database over the SQL port. You're responsible for patching and maintaining the VM.

- - **[Azure Key Vault](../../key-vault/general/basic-concepts.md)**: which is deployed to securely hold SAP HANA database credentials and to store information about providers.

- - **Log Analytics Workspace**, which is the destination where the data is stored.

- - Visualization is built on top of data in Log Analytics using [Azure Workbooks](../../azure-monitor/visualize/workbooks-overview.md). You can customize visualization. You can also pin your Workbooks or specific visualization within Workbooks to Azure dashboard for auto-refresh. The maximum frequency for refresh is every 30 minutes.

- - You can use your existing workspace within the same subscription as SAP monitor resource by choosing this option at deployment.

- - You can use KQL to run [queries](../../azure-monitor/logs/log-query-overview.md) against the raw tables inside the Log Analytics workspace. Look at **Custom Logs**.

- - You can use an existing Log Analytics workspace for data collection if it's deployed within the same Azure subscription as the resource for Azure Monitor for SAP solutions.

-## Can you analyze metrics?

-Azure Monitor for SAP solutions doesn't support metrics.

-### Analyze logs

-Azure Monitor for SAP solutions doesn't support resource logs or activity logs. For a list of the tables used by Azure Monitor Logs that can be queried by Log Analytics, see [the data reference for monitoring SAP on Azure](data-reference.md#azure-monitor-logs-tables).

-### Make Kusto queries

-You can use Kusto queries to help you monitor your Azure Monitor for SAP solutions resources. The following sample query gives you data from a custom log for a specified time range. You can specify the time range and the number of rows. In this example, you'll get five rows of data for your selected time range.

-custom log name

-## How do you enable data sharing with Microsoft?

-> [!NOTE]

-> The following content only applies to the Azure Monitor for SAP solutions (classic) version.

-Azure Monitor for SAP solutions collects system metadata to provide improved support for SAP on Azure. No PII/EUII is collected.

-You can enable data sharing with Microsoft when you create Azure Monitor for SAP solutions resource by choosing *Share* from the drop-down. We recommend that you enable data sharing. Data sharing gives Microsoft support and engineering teams information about your environment, which helps us provide better support for your mission-critical SAP on Azure solution.

-# Data reference for Azure Monitor for SAP solutions (preview)

-This article provides a reference of log data collected to analyze the performance and availability of Azure Monitor for SAP solutions. See [Monitor SAP on Azure (preview)](about-azure-monitor-sap-solutions.md) for details on collecting and analyzing monitoring data for SAP on Azure.

-# Enable TLS 1.2 or higher in Azure Monitor for SAP solutions (preview)

-# Configure alerts in Azure Monitor for SAP solutions in Azure portal (preview)

-This content applies to both versions of the service, Azure Monitor for SAP solutions and Azure Monitor for SAP solutions (classic).

-# Create High Availability cluster provider for Azure Monitor for SAP solutions (preview)

-In this how-to guide, you'll learn to create a High Availability (HA) Pacemaker cluster provider for Azure Monitor for SAP solutions. You'll install the HA agent, then create the provider for Azure Monitor for SAP solutions.

-This content applies to both Azure Monitor for SAP solutions and Azure Monitor for SAP solutions (classic) versions.

-For SUSE-based clusters, install **ha_cluster_provider** in each node. For more information, see [the HA cluster exporter installation guide](https://github.com/ClusterLabs/ha_cluster_exporter#installation). Supported SUSE versions include SLES for SAP 12 SP3 and above.

-For RHEL-based clusters, install **performance co-pilot (PCP)** and the **pcp-pmda-hacluster** sub package in each node.For more information, see the [PCP HACLUSTER agent installation guide](https://access.redhat.com/articles/6139852). Supported RHEL versions include 8.2, 8.4 and above.

-1. Install and enable the HA Cluster PMDA. Replace `$PCP_PMDAS_DIR` with the path where `hacluster` is installed. Use the `find` command in Linuxto find the path.

- systemctl start pmproxy

- systemctl enable pmproxy

-1. Data will then be collected by PCP on the system. You can export the data using `pmproxy` at `http://<SERVER-NAME-OR-IP-ADDRESS>:44322/metrics?names=ha_cluster`. Replace `<SERVER-NAME-OR-IP-ADDRESS>` with your server name or IP address.

-## Prerequisites to enable secure communication

-1. *Optional* Select **Enable secure communciation**, choose a certificate type

- 1. For SUSE-based clusters, enter `http://<IP-address> :9664/metrics`.

- 

- 

-# Configure SAP HANA provider for Azure Monitor for SAP solutions (preview)

-In this how-to guide, you'll learn to configure an SAP HANA provider for Azure Monitor for SAP solutions through the Azure portal. There are instructions to set up the [current version](#configure-azure-monitor-for-sap-solutions) and the [classic version](#configure-azure-monitor-for-sap-solutions-classic) of Azure Monitor for SAP solutions.

-## Configure Azure Monitor for SAP solutions (classic)

-To configure the SAP HANA provider for Azure Monitor for SAP solutions (classic):

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select the **Azure Monitors for SAP Solutions (classic)** service in the search bar.

-1. On the Azure Monitor for SAP solutions (classic) service page, select **Create**.

-1. On the creation page's **Basics** tab, enter the basic information for your Azure Monitor for SAP solutions instance.

-1. On the **Providers** tab, add the providers that you want to configure. You can add multiple providers during creation. You can also add more providers after you deploy the Azure Monitor for SAP solutions resource. For each provider:

- 1. Select **Add provider**.

- 1. For **Type**, select **SAP HANA**. Make sure that you configure an SAP HANA provider for the main node.

- 1. For **IP address**, enter the private IP address for the HANA server.

- 1. For **Database tenant**, enter the name of the tenant that you want to use. You can choose any tenant. However, it's recommended to use **SYSTEMDB**, because this tenant has more monitoring areas.

- 1. For **SQL port**, enter the port number for your HANA database. The format begins with 3, includes the instance number, and ends in 13. For example, 30013 is the SQL port for the instance 001.

- 1. For **Database username**, enter the username that you want to use. Make sure the database user has **monitoring** and **catalog read** role assignments.

- 1. Select **Add provider** to finish adding the provider.

-1. Select **Review + create** to review and validate your configuration.

-1. Select **Create** to finish creating the Azure Monitor for SAP solutions resource.

-# Create IBM Db2 provider for Azure Monitor for SAP solutions (preview)

-In this how-to guide, you'll learn how to create an IBM Db2 provider for Azure Monitor for SAP solutions through the Azure portal. This content applies only to Azure Monitor for SAP solutions, not the Azure Monitor for SAP solutions (classic) version.

-# Configure Linux provider for Azure Monitor for SAP solutions (preview)

-This content applies to both versions of the service, *Azure Monitor for SAP solutions* and *Azure Monitor for SAP solutions (classic)*.

-1. Go to the Azure Monitor for SAP solutions or Azure Monitor for SAP solutions (classic) service.

-# Configure SAP NetWeaver for Azure Monitor for SAP solutions (preview)

-In this how-to guide, you'll learn to configure the SAP NetWeaver provider for use with *Azure Monitor for SAP solutions*. You can use SAP NetWeaver with both versions of the service, *Azure Monitor for SAP solutions* and *Azure Monitor for SAP solutions (classic)*.

-## Configure NetWeaver for Azure Monitor for SAP solutions (classic)

-To configure the NetWeaver provider for the Azure Monitor for SAP solutions (classic) version:

-1. [Unprotect some methods](#unprotect-methods)

-1. [Restart the SAP start service](#restart-sap-start-service)

-1. [Check that your settings have been updated properly](#validate-changes)

-1. [Install the NetWeaver provider through the Azure portal](#install-netweaver-provider)

-# Configure SQL Server for Azure Monitor for SAP solutions (preview)

-# What are providers in Azure Monitor for SAP solutions? (preview)

-This content applies to both versions of the service, *Azure Monitor for SAP solutions* and *Azure Monitor for SAP solutions (classic)*.

-

-You can choose to configure different provider types for data collection from the corresponding component in their SAP landscape. For example, you can configure one provider for the SAP HANA provider type, another provider for high availability cluster provider type, and so on.

-It's recommended to configure at least one provider when you deploy an Azure Monitor for SAP solutions resource. By configuring a provider, you start data collection from the corresponding component for which the provider is configured.

-You can configure one or more providers of provider type SAP NetWeaver to enable data collection from SAP NetWeaver layer. Azure Monitor for SAP solutions NetWeaver provider uses the existing

-You can get the following data with the SAP NetWeaver provider:

-You can configure one or more providers of provider type *SAP HANA* to enable data collection from SAP HANA database. The SAP HANA provider connects to the SAP HANA database over SQL port, pulls data from the database, and pushes it to the Log Analytics workspace in your subscription. The SAP HANA provider collects data every 1 minute from the SAP HANA database.

-You can configure one or more Microsoft SQL Server providers to enable data collection from [SQL Server on Virtual Machines](https://azure.microsoft.com/services/virtual-machines/sql-server/). The SQL Server provider connects to Microsoft SQL Server over the SQL port. It then pulls data from the database and pushes it to the Log Analytics workspace in your subscription. Configure SQL Server for SQL authentication and for signing in with the SQL Server username and password. Set the SAP database as the default database for the provider. The SQL Server provider collects data from every 60 seconds up to every hour from the SQL server.

-In public preview, you can expect to see the following data with SQL Server provider:

-You can configure one or more providers of provider type *High-availability cluster* to enable data collection from Pacemaker cluster within the SAP landscape. The High-availability cluster provider connects to Pacemaker using the [ha_cluster_exporter](https://github.com/ClusterLabs/ha_cluster_exporter) for **SUSE** based clusters and by using [Performance co-pilot](https://access.redhat.com/articles/6139852) for **RHEL** based clusters. Azure Monitor for SAP solutions then pulls data from the database and pushes it to Log Analytics workspace in your subscription. The High-availability cluster provider collects data every 60 seconds from Pacemaker.

-In public preview, you can expect to see the following data with the High-availability cluster provider:

-1. Install [ha_cluster_exporter](https://github.com/ClusterLabs/ha_cluster_exporter) in *each* node within the Pacemaker cluster.

-

- - Use Azure Automation scripts to deploy a high-availability cluster. The scripts install [ha_cluster_exporter](https://github.com/ClusterLabs/ha_cluster_exporter) on each cluster node.

- - Do a [manual installation](https://github.com/ClusterLabs/ha_cluster_exporter#manual-clone--build).

-

- - **SID**. For SAP systems, use the SAP SID. For other systems (for example, NFS clusters), use a three-character name for the cluster. The SID must be distinct from other clusters that are monitored.

- - **Hostname**. The Linux hostname of the virtual machine (VM).

-You can configure one or more providers of provider type OS (Linux) to enable data collection from a BareMetal or VM node. The OS (Linux) provider connects to BareMetal or VM nodes using the [Node_Exporter](https://github.com/prometheus/node_exporter) endpoint. It then pulls data from the nodes and pushes it to Log Analytics workspace in your subscription. The OS (Linux) provider collects data every 60 seconds for most of the metrics from the nodes.

-In public preview, you can expect to see the following data with the OS (Linux) provider:

- - CPU usage, CPU usage by process

- - Disk usage, I/O read & write

- - Memory distribution, memory usage, swap memory usage

- - Network usage, network inbound & outbound traffic details

- You have two options for installing [Node_exporter](https://github.com/prometheus/node_exporter):

- - For automated installation with Ansible, use [Node_Exporter](https://github.com/prometheus/node_exporter) on each BareMetal or VM node to install the OS (Linux) Provider.

-1. Configure an OS (Linux) provider for each BareMetal or VM node instance in your environment.

- To configure the OS (Linux) provider, the following information is required:

- - **Name**: a name for this provider, unique to the Azure Monitor for SAP solutions instance.

- - **Node Exporter endpoint**: usually `http://<servername or ip address>:9100/metrics`.

-> Make sure **Node-Exporter** keeps running after the node reboot.

-You can configure one or more IBM Db2 providers. The following data is available with this provider type:

-# Quickstart: deploy Azure Monitor for SAP solutions in Azure portal (preview)

-This content applies to both versions of the service, Azure Monitor for SAP solutions and Azure Monitor for SAP solutions (classic).

-If you don't have an Azure subscription, create a [free](https://azure.microsoft.com/free/) account before you begin.

- 

- 1. **Workload Region** is the region where the monitoring resources are created, make sure to select a region that is same as your virtual network.

- 2. **Service Region** is where proxy resource gets created which manages monitoring resources deployed in the workload region. Service region is automatically selected based on your Workload Region selection.

- 3. For **Virtual Network** field select a virtual network, which has connectivity to your SAP systems.

- 4. For the **Subnet** field, select a subnet that has connectivity to your SAP systems. You can use an existing subnet or create a new subnet. Make sure that you select a subnet, which is an **IPv4/25 block or larger**.

- 5. For **Log Analytics Workspace**, you can use an existing Log Analytics workspace or create a new one. If you create a new workspace, it will be created inside the managed resource group along with other monitoring resources.

- 6. When entering **managed resource group** name, make sure to use a unique name. This name is used to create a resource group, which will contain all the monitoring resources. Managed Resource Group name cannot be changed once the resource is created.

- 

-## Create Azure Monitor for SAP solutions (classic) monitoring resource

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. In Azure **Marketplace** or **Search**, select **Azure Monitor for SAP solutions (classic)**.

- 

-1. On the **Basics** tab, provide the required values. If applicable, you can use an existing Log Analytics workspace.

- :::image type="content" source="./media/quickstart-portal/azure-monitor-quickstart-2.png" alt-text="Screenshot that shows configuration options on the Basics tab." lightbox="./media/quickstart-portal/azure-monitor-quickstart-2.png":::

- When you're selecting a virtual network, ensure that the systems you want to monitor are reachable from within that virtual network.

- > [!IMPORTANT]

- > Selecting **Share** for **Share data with Microsoft support** enables our support teams to help you with troubleshooting. This feature is available only for Azure Monitor for SAP solutions (classic)

-# Quickstart: deploy Azure Monitor for SAP solutions with PowerShell (preview)

-Get started with Azure Monitor for SAP solutions by using the

-[Az.HanaOnAzure](/powershell/module/az.hanaonazure/#sap-hana-on-azure) PowerShell module to create Azure Monitor for SAP solutions resources. You'll create a resource group, set up monitoring, and create a provider instance.

-This content only applies to the Azure Monitor for SAP solutions (classic) version of the service.

- ```azurepowershell-interactive

- Install-Module -Name Az.HanaOnAzure

- ```

- ```azurepowershell-interactive

- Set-AzContext -SubscriptionId 00000000-0000-0000-0000-000000000000

- ```

-New-AzResourceGroup -Name myResourceGroup -Location westus2

-## SAP monitor

-To create an SAP monitor, use the [New-AzSapMonitor](/powershell/module/az.hanaonazure/new-azsapmonitor) cmdlet. The following example creates an SAP monitor for the specified subscription, resource group, and resource name.

-$Workspace = New-AzOperationalInsightsWorkspace -ResourceGroupName myResourceGroup -Name sapmonitor-test -Location westus2 -Sku Standard

-$WorkspaceKey = Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName myResourceGroup -Name sapmonitor-test

-$SapMonitorParams = @{

- Name = 'ps-sapmonitor-t01'

- ResourceGroupName = 'myResourceGroup'

- Location = 'westus2'

- EnableCustomerAnalytic = $true

- MonitorSubnet = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/vnet-sap/subnets/mysubnet'

- LogAnalyticsWorkspaceSharedKey = $WorkspaceKey.PrimarySharedKey

- LogAnalyticsWorkspaceId = $Workspace.CustomerId

- LogAnalyticsWorkspaceResourceId = $Workspace.ResourceId

-}

-New-AzSapMonitor @SapMonitorParams

-To retrieve the properties of an SAP monitor, use the [Get-AzSapMonitor](/powershell/module/az.hanaonazure/get-azsapmonitor) cmdlet. The following example gets properties of an SAP monitor for the specified subscription, resource group, and resource name.

-Get-AzSapMonitor -ResourceGroupName myResourceGroup -Name ps-spamonitor-t01

-## Provider instance

-To create a provider instance, use the [New-AzSapMonitorProviderInstance](/powershell/module/az.hanaonazure/new-azsapmonitorproviderinstance) cmdlet. The following example creates a provider instance for the specified subscription, resource group, and resource name.

-$SapProviderParams = @{

- ResourceGroupName = 'myResourceGroup'

- Name = 'ps-sapmonitorins-t01'

- SapMonitorName = 'yemingmonitor'

- ProviderType = 'SapHana'

- HanaHostname = 'hdb1-0'

- HanaDatabaseName = 'SYSTEMDB'

- HanaDatabaseSqlPort = '30015'

- HanaDatabaseUsername = 'SYSTEM'

- HanaDatabasePassword = (ConvertTo-SecureString 'Manager1' -AsPlainText -Force)

-}

-New-AzSapMonitorProviderInstance @SapProviderParams

-```

-To retrieve properties of a provider instance, use the [Get-AzSapMonitorProviderInstance](/powershell/module/az.hanaonazure/get-azsapmonitorproviderinstance) cmdlet. The following example gets properties of:

-Get-AzSapMonitorProviderInstance -ResourceGroupName myResourceGroup -SapMonitorName ps-spamonitor-t01

-## Clean up resources

-[Remove-AzSapMonitorProviderInstance](/powershell/module/az.hanaonazure/remove-azsapmonitorproviderinstance) cmdlet. The following example deletes a provider instance for the specified subscription, resource group, SapMonitor name, and resource name.

-Remove-AzSapMonitorProviderInstance -ResourceGroupName myResourceGroup -SapMonitorName ps-spamonitor-t01 -Name ps-sapmonitorins-t02

-To remove an SAP monitor, use the [Remove-AzSapMonitor](/powershell/module/az.hanaonazure/remove-azsapmonitor) cmdlet. The following example deletes an SAP monitor for the specified subscription, resource group, and monitor name.

-Remove-AzSapMonitor -ResourceGroupName myResourceGroup -Name ps-sapmonitor-t02

-### Delete the resource group

-Remove-AzResourceGroup -Name myResourceGroup

-# Set up network for Azure Monitor for SAP solutions (preview)

-In this how-to guide, you'll learn how to configure an Azure virtual network so that you can deploy *Azure Monitor for SAP solutions*. You'll learn to [create a new subnet](#create-new-subnet) for use with Azure Functions for both versions of the product, *Azure Monitor for SAP solutions* and *Azure Monitor for SAP solutions (classic)*. Then, if you're using the current version of Azure Monitor for SAP solutions, you'll learn to [set up outbound internet access](#configure-outbound-internet-access) to the SAP environment that you want to monitor.

-> [!NOTE]

-> This section applies to both Azure Monitor for SAP solutions and Azure Monitor for SAP solutions (classic).

-[Create a new subnet](../../azure-functions/functions-networking-options.md#subnets) with an **IPv4/28** block or larger.

-

-> [!IMPORTANT]

-> This section only applies to the current version of Azure Monitor for SAP solutions. If you're using Azure Monitor for SAP solutions (classic), skip this section.

-1. [Create a new subnet](../../virtual-network/virtual-network-manage-subnet.md#add-a-subnet) in the same virtual network as the SAP system that you're monitoring.

-1. In the Azure portal, go to your Azure Monitor for SAP solutions resource.

-1. On the **Overview** page for the Azure Monitor for SAP solutions resource, select the **Managed resource group**.

-1. Create a private endpoint connection for the following resources inside the managed resource group.

- 1. [Azure Key Vault resources](#create-key-vault-endpoint)

- 2. [Azure Storage resources](#create-storage-endpoint)

- 3. [Azure Log Analytics workspaces](#create-log-analytics-endpoint)

-#### Create key vault endpoint

-You only need one private endpoint for all the Azure Key Vault resources (secrets, certificates, and keys). Once a private endpoint is created for key vault, the vault resources can't be accessed from systems outside the given vnet.

-1. On the key vault resource's menu, under **Settings**, select **Networking**.

-1. Select the **Private endpoint connections** tab.

-1. Select **Create** to open the endpoint creation page.

-1. On the **Basics** tab, enter or select all required information.

-1. On the **Resource** tab, enter or select all required information. For the key vault resource, there's only one subresource available, the vault.

-1. On the **Virtual Network** tab, select the virtual network and the subnet that you created specifically for the endpoint. It's not possible to use the same subnet as the Azure Functions app.

-1. On the **DNS** tab, for **Integrate with private DNS zone**, select **Yes**. If necessary, add tags.

-1. Select **Review + create** to create the private endpoint.

-1. On the **Networking** page again, select the **Firewalls and virtual networks** tab.

- 1. For **Allow access from**, select **Allow public access from all networks**.

- 1. Select **Apply** to save the changes.

-1. On the **DNS** tab, for **Integrate with private DNS zone**, select **Yes**. If necessary, add tags.

-1. On the **Networking** page again, select the **Firewalls and virtual networks** tab.

- 1. For **Allow access from**, select **Allow public access from all networks**.

-> [!IMPORTANT]

-> Role-based access control for data plane operations, such as creating or querying an index, is currently in public preview and available under [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). This functionality is only available in public cloud regions and may impact the latency of your operations while the functionality is in preview. For more information on preview limitations, see [RBAC preview limitations](search-security-rbac.md#preview-limitations).

- + Search Index Data Contributor (preview)

- + Search Index Data Reader (preview)

-Azure AD authentication is also supported in the preview SDKs for [Java](https://search.maven.org/artifact/com.azure/azure-search-documents/11.5.0-beta.3/jar), [Python](https://pypi.org/project/azure-search-documents/11.3.0b3/), and [JavaScript](https://www.npmjs.com/package/@azure/search-documents/v/11.3.0-beta.3).

-Use [Azure.Search.Documents version 11.4.0](https://www.nuget.org/packages/Azure.Search.Documents/11.4.0) for Azure AD authentication.

-The following list is a full enumeration of the outbound requests that can be made by a search service. A search makes requests on its own behalf, and on the behalf of an indexer or custom skill:

-While this solution is the most secure, using additional services is an added cost so be sure you have a clear understanding of the benefits before diving in. For more information about costs, see the [pricing page](https://azure.microsoft.com/pricing/details/private-link/). For more information about how these components work together, [watch this video](#watch-this-video). Coverage of the private endpoint option starts at 5:48 into the video. For instructions on how to set up the endpoint, see [Create a Private Endpoint for Azure Cognitive Search](service-create-private-endpoint.md).

-+ [Key-based authentication](search-security-api-keys.md) is performed on the request (not the calling app or user) through an API key, where the key is a string composed of randomly generated numbers and letters that prove the request is from a trustworthy source. Keys are required on every request. Submission of a valid key is considered proof the request originates from a trusted entity.

-+ [Azure AD authentication (preview)](search-security-rbac.md) establishes the caller (and not the request) as the authenticated identity. An Azure role assignment determines the allowed operation.

-Outbound requests made by an indexer are subject to the authentication protocols supported by the external service. A search service can be made a trusted service on Azure, connecting to other services using a system or user-assigned managed identity. For more information, see [Set up an indexer connection to a data source using a managed identity](search-howto-managed-identities-data-sources.md).

-Cognitive Search provides different authorization models for content management and service management.

-### Authorization for content management

-If you're using key-based authentication, authorization on content operations is conferred through the type of [API key](search-security-api-keys.md) on the request:

-+ Admin key (allows read-write access for create-read-update-delete operations on the search service), created when the service is provisioned

-+ Query key (allows read-only access to the documents collection of an index), created as-needed and are designed for client applications that issue queries

-In application code, you specify the endpoint and an API key to allow access to content and options. An endpoint might be the service itself, the indexes collection, a specific index, a documents collection, or a specific document. When chained together, the endpoint, the operation (for example, a create or update request) and the permission level (full or read-only rights based on the key) constitute the security formula that protects content and operations.

-If you're using Azure AD authentication, [use role assignments instead of API keys](search-security-rbac.md) to establish who and what can read and write to your search service.

-### Controlling access to indexes

-In Azure Cognitive Search, an individual index is generally not a securable object. As noted previously for key-based authentication, access to an index will include read or write permissions based on which API key you provide on the request, along with the context of an operation. Queries are read-only operations. In a query request, there's no concept of joining indexes or accessing multiple indexes simultaneously so all requests target a single index by definition. As such, construction of the query request itself (a key plus a single target index) defines the security boundary.

-However, if you're using Azure roles, you can [set permissions on individual indexes](search-security-rbac.md#grant-access-to-a-single-index) as long as it's done programmatically.

-For key-based authentication scenarios, administrator and developer access to indexes is undifferentiated: both need write access to create, delete, and update the objects managed by the service. Anyone with an [admin key](search-security-api-keys.md) to your service can read, modify, or delete any index in the same service. For protection against accidental or malicious deletion of indexes, your in-house source control for code assets is the solution for reversing an unwanted index deletion or modification. Azure Cognitive Search has failover within the cluster to ensure availability, but it doesn't store or execute your proprietary code used to create or load indexes.

-For multitenancy solutions requiring security boundaries at the index level, such solutions typically include a middle tier, which customers use to handle index isolation. For more information about the multitenant use case, see [Design patterns for multitenant SaaS applications and Azure Cognitive Search](search-modeling-multitenant-saas-applications.md).

-### Controlling access to documents

-If you require granular, per-user control over search results, you can build security filters on your queries, returning documents associated with a given security identity.

-Conceptually equivalent to "row-level security", authorization to content within the index isn't natively supported using predefined roles or role assignments that map to entities in Azure Active Directory. Any user permissions on data in external systems, such as Azure Cosmos DB, don't transfer with that data as its being indexed by Cognitive Search.

-Workarounds for solutions that require "row-level security" include creating a field in the data source that represents a security group or user identity, and then using filters in Cognitive Search to selectively trims search results of documents and content based on identities. The following table describes two approaches for trimming search results of unauthorized content.

-### Authorization for Service Management

-Service Management operations are authorized through [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md). Azure RBAC is an authorization system built on [Azure Resource Manager](../azure-resource-manager/management/overview.md) for provisioning of Azure resources.

-In Azure Cognitive Search, Resource Manager is used to create or delete the service, manage API keys, and scale the service. As such, Azure role assignments will determine who can perform those tasks, regardless of whether they're using the [portal](search-manage.md), [PowerShell](search-manage-powershell.md), or the [Management REST APIs](/rest/api/searchmanagement).

-[Three basic roles](search-security-rbac.md) are defined for search service administration. The role assignments can be made using any supported methodology (portal, PowerShell, and so forth) and are honored service-wide. The Owner and Contributor roles can perform various administration functions. You can assign the Reader role to users who only view essential information.

-> [!NOTE]

-> Using Azure-wide mechanisms, you can lock a subscription or resource to prevent accidental or unauthorized deletion of your search service by users with admin rights. For more information, see [Lock resources to prevent unexpected deletion](../azure-resource-manager/management/lock-resources.md).

-Object names will be stored and processed outside of your selected region or location. Customers shouldn't place any sensitive data in name fields or create applications designed to store sensitive data in these fields. This data will appear in the telemetry logs used by Microsoft to provide support for the service. Object names include names of indexes, indexers, data sources, skillsets, resources, containers, and key vault store.

-Azure Policy is a capability built into Azure that helps you manage compliance for multiple standards, including those of Microsoft cloud security benchmark. For well-known benchmarks, Azure Policy provides built-in definitions that provide both criteria and an actionable response that addresses non-compliance.

-For Azure Cognitive Search, there's currently one built-in definition. It's for resource logging. With this built-in, you can assign a policy that identifies any search service that is missing resource logging, and then turns it on. For more information, see [Azure Policy Regulatory Compliance controls for Azure Cognitive Search](security-controls-policy.md).

-Azure provides a global [role-based access control authorization system](../role-based-access-control/role-assignments-portal.md) for all services running on the platform. In Cognitive Search, you can:

-+ Use generally available roles for service administration.

-+ Use new preview roles for data requests, including creating, loading, and querying indexes.

-> Azure resources have the concept of [control plane and data plane](../azure-resource-manager/management/control-plane-and-data-plane.md) categories of operations. In Cognitive Search, "control plane" refers to any operation supported in the [Management REST API](/rest/api/searchmanagement/) or equivalent client libraries. The "data plane" refers to operations against the search service endpoint, such as indexing or queries, or any other operation specified in the [Search REST API](/rest/api/searchservice/) or equivalent client libraries.

-+ Adoption of role-based access control might increase the latency of some requests. Each unique combination of service resource (index, indexer, etc.) and service principal used on a request will trigger an authorization check. These authorization checks can add up to 200 milliseconds of latency to a request.

-All network calls for search service operations and content will respect the option you select: API keys, bearer token, or either one if you select **Both**.

-When you enable role-based access control in the portal, the failure mode will be "http401WithBearerChallenge" if authorization fails.

-All calls to the Management REST API are authenticated through Azure Active Directory, with Contributor or Owner permissions. For help setting up authenticated requests in Postman, see [Manage Azure Cognitive Search using REST](search-manage-rest.md).

-Before you start, make sure you load the **Az** and **AzureAD** modules and connect to Azure:

-Scoped to the service, your syntax should look similar to the following example:

-Scoped to an individual index:

-When testing roles, remember that roles are cumulative and inherited roles that are scoped to the subscription or resource group can't be deleted or denied at the resource (search service) level.

- + Members of the Contributor role can view and create any object, but can't query an index using Search Explorer.

- + Members of Search Index Data Reader can use Search Explorer to query the index. You can use any API version to check for access. You should be able to issue queries and view results, but you shouldn't be able to view the index definition.

- + Members of Search Index Data Contributor can select **New Index** to create a new index. Saving a new index will verify write access on the service.

-This approach assumes Postman as the REST client and uses a Postman collection and variables to provide the bearer token. You'll need Azure CLI or another tool to create a security principal for the REST client.

-1. Get your subscription ID. The ID is used as a variable in a future step.

-1. Create a resource group for your security principal, specifying a location and name. This example uses the West US region. You'll provide this value as variable in a future step. The role you'll create will be scoped to the resource group.

- A successful response includes "appId", "password", and "tenant". You'll use these values for the variables "clientId", "clientSecret", and "tenant".

-See [Authorize access to a search app using Azure Active Directory](search-howto-aad.md) for instructions that create an identity for your client app, assign a role, and call [DefaultAzureCredential()](/dotnet/api/azure.identity.defaultazurecredential).

-The Azure SDK for .NET supports an authorization header in the [NuGet Gallery | Azure.Search.Documents 11.4.0](https://www.nuget.org/packages/Azure.Search.Documents/11.4.0) package. Configuration is required to register an application with Azure Active Directory, and to obtain and pass authorization tokens:

-+ When obtaining the OAuth token, the scope is "https://search.azure.com/.default". The SDK requires the audience to be "https://search.azure.com". The ".default" is an Azure AD convention.

-+ The SDK validates that the user has the "user_impersonation" scope, which must be granted by your app, but the SDK itself just asks for "https://search.azure.com/.default".

-Example of using [client secret credential](/dotnet/api/azure.core.tokencredential):

-```csharp

-var tokenCredential = new ClientSecretCredential(aadTenantId, aadClientId, aadSecret);

-SearchClient srchclient = new SearchClient(serviceEndpoint, indexName, tokenCredential);

-```

-More details about using [Azure AD authentication with the Azure SDK for .NET](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/identity/Azure.Identity) are available in the SDK's GitHub repo.

-> [!NOTE]

-> If you get a 403 error, verify that your search service is enrolled in the preview program and that your service is configured for preview role assignments.

-Requests that include an API key only, with no bearer token, will fail with an HTTP 401.

-To re-enable key authentication, rerun the last request, setting "disableLocalAuth" to false. The search service will resume acceptance of API keys on the request automatically (assuming they're specified).

-## November 2022

-| Item&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Type | Description |

-|--||--|

-| **Add search to websites** <ul><li>[C#](tutorial-csharp-overview.md)</li><li>[Python](tutorial-python-overview.md)</li><li>[JavaScript](tutorial-javascript-overview.md) </li></ul>| Sample | "Add search to websites" is a tutorial series with sample code available in three languages. This series was updated in November to run with current versions of React and the SDK client libraries. If you're integrating client code with a search index, these samples demonstrate an end-to-end approach to integration. |

-| [Visual Studio Code extension for Azure Cognitive Search](https://github.com/microsoft/vscode-azurecognitivesearch/blob/master/README.md) | Feature | **Retired**. This preview feature isn't moving forward to general availability and has been removed from Visual Studio Code Marketplace. See the [documentation](search-get-started-vs-code.md) for details. |

-| [Query performance dashboard](https://github.com/Azure-Samples/azure-samples-search-evaluation) | Sample | This Application Insights sample demonstrates an approach for deep monitoring of query usage and performance of an Azure Cognitive Search index. It includes a JSON template that creates a workbook and dashboard in Application Insights and a Jupyter Notebook that populates the dashboard with simulated data. |

-## October 2022

-|Item &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Type | Description |

-|||-|

-| [Compliance risk analysis using Azure Cognitive Search](/azure/architecture/guide/ai/compliance-risk-analysis) | Content | Published on Azure Architecture Center, this guide covers the implementation of a compliance risk analysis solution that uses Azure Cognitive Search. |

-| [Beiersdorf customer story using Azure Cognitive Search](https://customers.microsoft.com/story/1552642769228088273-Beiersdorf-consumer-goods-azure-cognitive-search) | Content | This customer story showcases semantic search and document summarization to provide researchers with ready access to institutional knowledge. |

-## September 2022

-|Item &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Type | Description |

-|||-|

-| [Azure Cognitive Search Lab](https://github.com/Azure-Samples/azure-search-lab/blob/main/README.md) | Sample | This C# sample provides the source code for building a web front-end that accesses all of the REST API calls against an index. This tool is used by support engineers to investigate customer support issues. You can try this [demo site](https://azuresearchlab.azurewebsites.net/) before building your own copy. |

-| [Event-driven indexing for Cognitive Search](https://github.com/aditmer/Event-Driven-Indexing-For-Cognitive-Search/blob/main/README.md) | Sample | This C# sample is an Azure Function app that demonstrates event-driven indexing in Azure Cognitive Search. If you've used indexers and skillsets before, you know that indexers can run on demand or on a schedule, but not in response to events. This demo shows you how to set up an indexing pipeline that responds to data update events. |

-## August 2022

-|Item&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Type | Description |

-|||-|

-| [Tutorial: Index large data from Apache Spark](search-synapseml-cognitive-services.md) | Content | This tutorial explains how to use the SynapseML open-source library to push data from Apache Spark into a search index. It also shows you how to make calls to Cognitive Services to get AI enrichment without skillsets and indexers. |

-## June 2022

-|Item&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Type | Description |

-|||-|

-| [Semantic search (preview)](semantic-search-overview.md) | Feature | New support for Storage Optimized tiers (L1, L2). |

-| [Debug Sessions](cognitive-search-debug-session.md) | Feature | **General availability**. Debug sessions, a built-in editor that runs in Azure portal, is now generally available. |

-## May 2022

-|Item &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Type | Description |

-|||-|

-| [Power Query connector preview](/previous-versions/azure/search/search-how-to-index-power-query-data-sources) | Feature | **Retired**. This indexer data source was introduced in May 2021 but won't be moving forward. Migrate your data indexing code by November 2022. See the feature documentation for migration guidance. |

-## February 2022

-|Item &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Type | Description |

-|||-|

-| [Index aliases](search-how-to-alias.md) | Feature | An index alias is a secondary name that can be used to refer to an index for querying, indexing, and other operations. When index names change, for example if you version the index, instead of updating the references to an index name in your application, you can just update the mapping for your alias. |

-## 2021 announcements

-| Month | Feature | Description |

-|-||-|

-| December | [Enhanced configuration for semantic search](semantic-how-to-query-request.md#2create-a-semantic-configuration) | This configuration is a new addition to the 2021-04-30-Preview API, and is now required for semantic queries and Azure portal.|

-| November | [Azure Files indexer (preview)](./search-file-storage-integration.md) | Public preview in the portal and preview REST APIs.|

-| July | [Search REST API 2021-04-30-Preview](/rest/api/searchservice/index-preview) | Public preview announcement. |

-| July | [Role-based access control for data plane (preview)](search-security-rbac.md) | Public preview announcement. |

-| July | [Management REST API 2021-04-01-Preview](/rest/api/searchmanagement/) | Modifies [Create or Update Service](/rest/api/searchmanagement/2021-04-01-preview/services/create-or-update) to support new [DataPlaneAuthOptions](/rest/api/searchmanagement/2021-04-01-preview/services/create-or-update#dataplaneauthoptions). Public preview announcement. |

-| May | [Power Query connector support (preview)](/previous-versions/azure/search/search-how-to-index-power-query-data-sources) | Public preview announcement. |

-| May | [Azure Data Lake Storage Gen2 indexer](search-howto-index-azure-data-lake-storage.md) | Generally available, using REST api-version=2020-06-30 and Azure portal. |

-| May | [Azure MySQL indexer (preview)](search-howto-index-mysql.md) | Public preview, REST api-version=2020-06-30-Preview, [.NET SDK 11.2.1](/dotnet/api/azure.search.documents.indexes.models.searchindexerdatasourcetype.mysql), and Azure portal. |

-| May | [More queryLanguages for spell check and semantic results](/rest/api/searchservice/preview-api/search-documents#queryLanguage) | See [Announcement (techcommunity blog)](https://techcommunity.microsoft.com/t5/azure-ai/introducing-multilingual-support-for-semantic-search-on-azure/ba-p/2385110). Public preview ([by request](https://aka.ms/SemanticSearchPreviewSignup)). Use [Search Documents (REST)](/rest/api/searchservice/preview-api/search-documents) api-version=2020-06-30-Preview, [Azure.Search.Documents 11.3.0-beta.2](https://www.nuget.org/packages/Azure.Search.Documents/11.3.0-beta.2), or [Search explorer](search-explorer.md) in Azure portal. |

-| May| [Full support for customer-managed key (CMK) encryption](search-security-manage-encryption-keys.md#full-double-encryption) | Generally available in all regions, subject to service creation dates. |

-| April | [Azure Cosmos DB for Apache Gremlin support (preview)](search-howto-index-cosmosdb-gremlin.md) | Public preview ([by request](https://aka.ms/azure-cognitive-search/indexer-preview)), using api-version=2020-06-30-Preview. |

-| March | [Semantic search (preview)](semantic-search-overview.md) | Search results relevance scoring based on semantic models. Public preview ([by request](https://aka.ms/SemanticSearchPreviewSignup)). Use [Search Documents (REST)](/rest/api/searchservice/preview-api/search-documents) api-version=2020-06-30-Preview or [Search explorer](search-explorer.md) in Azure portal. Region and tier restrictions apply. |

-| March | [Spell check query terms (preview)](speller-how-to-add.md) | The `speller` option works with any query type (simple, full, or semantic). Public preview, REST only, api-version=2020-06-30-Preview|

-| March | [SharePoint indexer (preview)](search-howto-index-sharepoint-online.md) | Public preview, REST only, api-version=2020-06-30-Preview |

-| March | [Normalizers (preview)](search-normalizers.md) | Public preview, REST only, api-version=2020-06-30-Preview |

-| March | [Custom Entity Lookup skill](cognitive-search-skill-custom-entity-lookup.md ) | Scans for strings specified in a custom, user-defined list of words and phrases. Generally available. |

-| February | [Reset Documents (preview)](search-howto-run-reset-indexers.md) | Available in the [Search REST API 2020-06-30-Preview](/rest/api/searchservice/index-preview). |

-| February | [Availability Zones](search-reliability.md#availability-zones) | Search services with two or more replicas in certain regions gain resiliency by having replicas in two or more distinct physical locations. The region and date of search service creation determine availability. |

-| February | [Azure CLI](/cli/azure/search) </br>[Azure PowerShell](/powershell/module/az.search/) | New revisions now provide the full range of operations in the Management REST API 2020-08-01, including support for IP firewall rules and private endpoint. Generally available. |

-| January | [Solution accelerator for Azure Cognitive Search and QnA Maker](https://github.com/Azure-Samples/search-qna-maker-accelerator) | Pulls questions and answers out of the document and suggest the most relevant answers. A live demo app can be found at [https://aka.ms/qnaWithAzureSearchDemo](https://aka.ms/qnaWithAzureSearchDemo). This feature is an open-source project (no SLA). |

-## 2020 announcements

-See [2020 Archive for "What's New in Cognitive Search"](/previous-versions/azure/search/search-whats-new-2020) in the content archive.

-## 2019 announcements

-See [2019 Archive for "What's New in Cognitive Search"](/previous-versions/azure/search/search-whats-new-2019) in the content archive.

-## Service re-brand announcement

-Azure Search was renamed to **Azure Cognitive Search** in October 2019 to reflect the expanded (yet optional) use of cognitive skills and AI processing in service operations. API versions, NuGet packages, namespaces, and endpoints are unchanged. New and existing search solutions are unaffected by the service name change.

-1. In a new folder, copy the Terraform `GCPAuditLogsSetup` script into a new file, and save it as a .tf file:

->Depending on your requirements, you can configure various alerts to use the same [action group](../azure-monitor/alerts/action-groups.md) or different action groups. Action group types include sending a voice call, SMS, or email. You can also trigger various types of automated actions. For detailed information about notification and action types, see [Action-specific information](../azure-monitor/alerts/action-groups.md#action-specific-information).

-Depending on your requirements, you can configure various alerts to use the same [action group](../azure-monitor/alerts/action-groups.md) or different action groups. Action group types include sending a voice call, SMS, or email. You can also trigger various types of automated actions. For detailed information about notification and action types, see [Action-specific information](../azure-monitor/alerts/action-groups.md#action-specific-information).

-Operating system | Windows Server 2016

-**Update** | **Unified Setup** | **Configuration server/Replication appliance** | **Mobility service agent** | **Site Recovery Provider** | **Recovery Services agent**

-[Rollup 66](https://support.microsoft.com/en-us/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | 9.53.6615.1 | 5.1.8095.0 | 9.53.6615.1 | 5.1.8103.0 (Modernized VMware), 5.1.8095.0 (Hyper-V) & 5.23.0210.5 (Classic VMware) | 2.0.9260.0

-[Rollup 65](https://support.microsoft.com/topic/update-rollup-65-for-azure-site-recovery-kb5021964-15db362f-faac-417d-ad71-c22424df43e0) | 9.52.6522.1 | 5.1.7870.0 | 9.52.6522.1 | 5.1.7870.0 (VMware) & 5.1.7882.0 (Hyper-V) | 2.0.9259.0

-[Rollup 64](https://support.microsoft.com/topic/update-rollup-64-for-azure-site-recovery-kb5020102-23db9799-102c-4378-9754-2f19f6c7858a) | 9.51.6477.1 | 5.1.7802.0 | 9.51.6477.1 | 5.1.7802.0 | 2.0.9257.0

-[Rollup 63](https://support.microsoft.com/topic/update-rollup-63-for-azure-site-recovery-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) | 9.50.6419.1 | 5.1.7626.0 | 9.50.6419.1 | 5.1.7626.0 | 2.0.9249.0

-[Rollup 62](https://support.microsoft.com/topic/update-rollup-62-for-azure-site-recovery-e7aff36f-b6ad-4705-901c-f662c00c402b) | 9.49.6395.1 | 5.1.7418.0 | 9.49.6395.1 | 5.1.7418.0 | 2.0.9248.0

-## Site Recovery configuration server

-The configuration server is an on-premises machine that runs Site Recovery components, including the configuration server, process server, and master target server.

-Number of disks | 3 disks<br/><br/> Disks include the OS disk, process server cache disk, and retention drive for failback.

-Disk free space | 600 GB of space for the process server cache.

-Disk free space | 600 GB of space for the retention drive.

-Operating system | Windows Server 2012 R2, or Windows Server 2016 with Desktop experience <br/><br> If you plan to use the in-built Master Target of this appliance for failback, ensure that the OS version is same or higher than the replicated items.|

-[PowerCLI](https://my.vmware.com/web/vmware/details?productId=491&downloadGroup=PCLI600R1) | Not needed for configuration server version [9.14](https://support.microsoft.com/help/4091311/update-rollup-23-for-azure-site-recovery) or later.

-Group policies| - Prevent access to the command prompt. <br/> - Prevent access to registry editing tools. <br/> - Trust logic for file attachments. <br/> - Turn on Script Execution. <br/> - [Learn more](/previous-versions/windows/it-pro/windows-7/gg176671(v=ws.10))|

-IP address type | Static

-IP address | Make sure that configuration server and process server have a static IPv4 address, and doesn't have NAT configured.

-In Modernized, replication is done by the Azure Site Recovery replication appliance. For detailed information about replication appliance, see [this article](deploy-vmware-azure-replication-appliance-modernized.md).

-Availability sets | Yes. Not supported for modernized experience.

-To begin, [download your usage details](../cost-management-billing/understand/download-azure-daily-usage.md). The table below provides the definition and example values of usage for Virtual Machines deployed via the Azure Resource Manager. This document does not contain detailed information for VMs deployed via our classic model.

-| Meter Sub-Category | The billed meter identifier. <br><br> For Compute Hour usage, there is a meter for each VM Size + OS (Windows, Non-Windows) + Region. <br><br> For Premium software usage, there is a meter for each software type. Most premium software images have different meters for each core size. For more information, visit the [Compute Pricing Page](https://azure.microsoft.com/pricing/details/virtual-machines/)</li></ul>| `2005544f-659d-49c9-9094-8e0aea1be3a5`|

-| Meter Name| This is specific for each service in Azure. For compute, it is always ΓÇ£Compute HoursΓÇ¥.| `Compute Hours`|

-| Consumed| The amount of the resource that has been consumed for that day. For Compute, we bill for each minute the VM ran for a given hour (up to 6 decimals of accuracy).| `1, 0.5`|

-| Instance ID | The identifier for the resource. The identifier contains the name you specify for the resource when it was created. For VMs, the Instance ID will contain the SubscriptionId, ResourceGroupName, and VMName (or scale set name for scale set usage).| `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/ resourceGroups/MyRG/providers/Microsoft.Compute/virtualMachines/MyVM1`<br><br>or<br><br>`/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/ resourceGroups/MyRG/providers/Microsoft.Compute/virtualMachineScaleSets/MyVMSS1`|

-| Additional Info | Service-specific metadata. For VMs, we populate the following data in the additional info field: <br><br> Image Type- specific image that you ran. Find the full list of supported strings below under Image Types.<br><br> Service Type: the size that you deployed.<br><br> VMName: name of your VM. This field is only populated for scale set VMs. If you need your VM Name for scale set VMs, you can find that in the Instance ID string above.<br><br> UsageType: This specifies the type of usage this represents.<br><br> ComputeHR is the Compute Hour usage for the underlying VM, like Standard_D1_v2.<br><br> ComputeHR_SW is the premium software charge if the VM is using premium software. | Virtual Machines<br>`{"ImageType":"Canonical","ServiceType":"Standard_DS1_v2","VMName":"", "UsageType":"ComputeHR"}`<br><br>Virtual Machine Scale Sets<br> `{"ImageType":"Canonical","ServiceType":"Standard_DS1_v2","VMName":"myVM1", "UsageType":"ComputeHR"}`<br><br>Premium Software<br> `{"ImageType":"","ServiceType":"Standard_DS1_v2","VMName":"", "UsageType":"ComputeHR_SW"}` |

-The service type field in the Additional Info field corresponds to the exact VM size you deployed. Premium storage VMs (SSD-based) and non-premium storage VMs (HDD-based) are priced the same. If you deploy an SSD-based size, like Standard\_DS2\_v2, you see the non-SSD size (`Standard\_D2\_v2 VM`) in the Meter Sub-Category column and the SSD-size (`Standard\_DS2\_v2`)

-The region name populated in the Resource Location field in the usage details varies from the region name used in the Azure Resource Manager. Here is a mapping between the region values:

-If you deploy using the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-benefit/), you are charged the Non-Windows VM rate since you are bringing your own license to the cloud. In your bill, you can distinguish which Resource Manager VMs are running Azure Hybrid Benefit because they have either ΓÇ£Windows\_Server BYOLΓÇ¥ or ΓÇ£Windows\_Client BYOLΓÇ¥ in the ImageType column.

-The ImageType field is only populated for a subset of images. If you did not deploy one of the images above, the ImageType is blank.

-The VMName is only populated in the Additional Info field for VMs in a scale set. The InstanceID field contains the VM name for non-scale set VMs.

-ComputeHR stands for Compute Hour which represents the usage event for the underlying infrastructure cost. If the UsageType is ComputeHR\_SW, the usage event represents the premium software charge for the VM.

-### How do I know if I am charged for premium software?

-When exploring which VM Image best fits your needs, be sure to check out [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/category/compute). The image has the software plan rate. If you see ΓÇ£FreeΓÇ¥ for the rate, there is no additional cost for the software.

-### What is the difference between Microsoft.ClassicCompute and Microsoft.Compute in the Consumed service?

-If you deploy via the classic deployment model, the InstanceID string is not available.

-Tags flow to the Usage CSV for Resource Manager VMs only. Classic resource tags are not available in the usage details.

-In the Classic model, billing for resources is aggregated at the Cloud Service level. If you have more than one VM in a Cloud Service that uses the same billing meter, your usage is aggregated together. VMs deployed via Resource Manager are billed at the VM level, so this aggregation will not apply.

-Premium storage capable VMs are billed at the same rate as non-premium storage capable VMs. Only your storage costs differ. Visit the [storage pricing page](https://azure.microsoft.com/pricing/details/storage/unmanaged-disks/) for more information.

-To learn more about your usage details, see [Understand your bill for Microsoft Azure.](../cost-management-billing/understand/review-individual-bill.md)

->

-|Bot300600|Unknown bots detected by threat intelligence<br />(This rule also includes IP addresses matched to the Tor network.)|

-|Bot300600|Unknown bots detected by threat intelligence<br />(This rule also includes IP addresses matched to the Tor network.)|