+```xml

+ xmlns="urn:oasis:names:tc:SAML:2.0:metadata"

+ ID="id6c1c178c166d486687be4aaf5e482730"

+ Version="2.0" IssueInstant="2013-03-18T03:28:54.1839884Z"

+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

+ <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://www.contoso.com</Issuer>

+```xml

+```xml

+```xml

+```xml

+```xml

+ Trace ID: 66febed4-e737-49ff-ac23-464ba090d57c

+ Timestamp: 2013-03-18 08:49:24Z</samlp:StatusMessage>

+ </samlp:Status>

+</samlp:Response>

+```xml

+```xml

+ digital_signature_here

+</ds:Signature>

+```xml

+ <NameID>Uz2Pqz1X7pxe4XLWxV9KJQ+n59d573SepSAkuYKSde8=</NameID>

+ <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

+ <SubjectConfirmationData InResponseTo="id758d0ef385634593a77bdf7e632984b6" NotOnOrAfter="2013-03-18T07:43:15.144Z" Recipient="https://contoso.com/identity/inboundsso.aspx" />

+ </SubjectConfirmation>

+```xml

+ <AudienceRestriction>

+ <Audience>https://www.contoso.com</Audience>

+ </AudienceRestriction>

+```xml

+ <Audience>https://www.contoso.com</Audience>

+```xml

+ <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">

+ <AttributeValue>testuser@contoso.com</AttributeValue>

+ </Attribute>

+ <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">

+ <AttributeValue>3F2504E0-4F89-11D3-9A0C-0305E82C3301</AttributeValue>

+ </Attribute>

+ ...

+```xml

+ <AuthnContext>

+ <AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>

+ </AuthnContext>

+>This information last updated on May 2nd, 2022.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).

+| COMMUNICATIONS CREDITS | MCOPSTNC | 47794cd0-f0e5-45c5-9033-2eb6b5fc84e0 | MCOPSTNC (505e180f-f7e0-4b65-91d4-00d670bbd18c) | COMMUNICATIONS CREDITS (505e180f-f7e0-4b65-91d4-00d670bbd18c) |

+| Compliance Manager Premium Assessment Add-On for GCC | CMPA_addon_GCC | a9d7ef53-9bea-4a2a-9650-fa7df58fe094 | COMPLIANCE_MANAGER_PREMIUM_ASSESSMENT_ADDON (3a117d30-cfac-4f00-84ac-54f8b6a18d78) | Compliance Manager Premium Assessment Add-On (3a117d30-cfac-4f00-84ac-54f8b6a18d78) |

+| Microsoft 365 GCC G5 | M365_G5_GCC | e2be619b-b125-455f-8660-fb503e431a5d | CDS_O365_P3_GCC (bce5e5ca-c2fd-4d53-8ee2-58dfffed4c10)<br/>LOCKBOX_ENTERPRISE_GOV (89b5d3b1-3855-49fe-b46c-87c66dbc1526)<br/>EXCHANGE_S_ENTERPRISE_GOV (8c3069c0-ccdb-44be-ab77-986203a67df2)<br/>INFORMATION_BARRIERS (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Content_Explorer (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>ContentExplorer_Standard (2b815d45-56e4-4e3a-b65c-66cb9175b560)<br/>MIP_S_CLP2 (efb0351d-3b08-4503-993d-383af8de41e3)<br/>MIP_S_CLP1 (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>M365_ADVANCED_AUDITING (2f442157-a11c-46b9-ae5b-6e39ff4e5849)<br/>OFFICESUBSCRIPTION_GOV (de9234ff-6483-44d9-b15e-dca72fdd27af)<br/>MCOMEETADV_GOV (f544b08d-1645-4287-82de-8d91f37c02a1)<br/>MICROSOFT_COMMUNICATION_COMPLIANCE (a413a9ff-720c-4822-98ef-2f37c2a21f4c)<br/>MTP (bf28f719-7844-4079-9c78-c1307898e192)<br/>MCOEV_GOV (db23fce2-a974-42ef-9002-d78dd42a0f22)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>COMMUNICATIONS_DLP (6dc145d6-95dd-4191-b9c3-185575ee6f6b)<br/>CUSTOMER_KEY (6db1f1db-2b46-403f-be40-e39395f08dbb)<br/>ATP_ENTERPRISE_GOV (493ff600-6a2b-4db6-ad37-a7d4eb214516)<br/>THREAT_INTELLIGENCE_GOV (900018f1-0cdb-4ecb-94d4-90281760fdc6)<br/>FORMS_GOV_E5 (843da3a8-d2cc-4e7a-9e90-dc46019f964c)<br/>INFO_GOVERNANCE (e26c2fcc-ab91-4a61-b35c-03cdc8dddf66)<br/>INSIDER_RISK (d587c7a3-bda9-4f99-8776-9bcf59c84f75)<br/>ML_CLASSIFICATION (d2d51368-76c9-4317-ada2-a12c004c432f)<br/>EXCHANGE_ANALYTICS_GOV (208120d1-9adb-4daf-8c22-816bd5d237e7)<br/>RECORDS_MANAGEMENT (65cc641f-cccd-4643-97e0-a17e3045e541)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>TEAMS_GOV (304767db-7d23-49e8-a945-4a7eb65f9f28)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>EQUIVIO_ANALYTICS_GOV (d1cbfb67-18a8-4792-b643-630b7f19aad1)<br/>PROJECTWORKMANAGEMENT_GOV (5b4ef465-7ea1-459a-9f91-033317755a51)<br/>SHAREPOINTWAC_GOV (8f9f0f3b-ca90-406c-a842-95579171f8ec)<br/>BI_AZURE_P_2_GOV (944e9726-f011-4353-b654-5f7d2663db76)<br/>PREMIUM_ENCRYPTION (617b097b-4b93-4ede-83de-5f075bb5fb2f)<br/>SHAREPOINTENTERPRISE_GOV (153f85dd-d912-4762-af6c-d6e0fb4f6692)<br/>MCOSTANDARD_GOV (a31ef4a2-f787-435e-8335-e47eb0cafc94)<br/>STREAM_O365_E5_GOV (92c2089d-9a53-49fe-b1a6-9e6bdf959547)<br/>BPOS_S_TODO_3 (3fb82609-8c27-4f7b-bd51-30634711ee67)<br/>WHITEBOARD_PLAN3 (4a51bca5-1eff-43f5-878c-177680f191af)<br/>WINDEFATP (871d91ec-ec1a-452b-a83f-bd76c7d770ef)<br/>MICROSOFTENDPOINTDLP (64bfac92-2b17-4482-b5e5-a0304429de3e)<br/>AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>AAD_PREMIUM_P2 (eec0eb4f-6444-4f95-aba0-50c24d67f998)<br/>RMS_S_PREMIUM_GOV (1b66aedf-8ca1-4f73-af76-ec76c6180f98)<br/>RMS_S_PREMIUM2_GOV (5400a66d-eaa5-427d-80f2-0f26d59d8fce)<br/>RMS_S_ENTERPRISE_GOV (6a76346d-5d6e-4051-9fe3-ed3f312b5597)<br/>DYN365_CDS_O365_P3_GCC (a7d3fb37-b6df-4085-b509-50810d991a39)<br/>MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>ADALLOM_S_STANDALONE (2e2ddb96-6af9-4b1d-a3f0-d6ecfd22edb2)<br/>ATA (14ab5db5-e6c4-4b20-b4bc-13e36fd2227f)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>POWERAPPS_O365_P3_GOV (0eacfc38-458a-40d3-9eab-9671258f1a3e)<br/>FLOW_O365_P3_GOV (8055d84a-c172-42eb-b997-6c2ae4628246) | Common Data Service for Teams (bce5e5ca-c2fd-4d53-8ee2-58dfffed4c10)<br/>Customer Lockbox for Government (89b5d3b1-3855-49fe-b46c-87c66dbc1526)<br/>Exchange Online (Plan 2) for Government (8c3069c0-ccdb-44be-ab77-986203a67df2)<br/>Information Barriers (c4801e8a-cb58-4c35-aca6-f2dcc106f287)<br/>Information Protection and Governance Analytics - Premium (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>Information Protection and Governance Analytics ΓÇô Standard (2b815d45-56e4-4e3a-b65c-66cb9175b560)<br/>Information Protection for Office 365 - Premium (efb0351d-3b08-4503-993d-383af8de41e3)<br/>Information Protection for Office 365 - Standard (5136a095-5cf0-4aff-bec3-e84448b38ea5)<br/>Microsoft 365 Advanced Auditing (2f442157-a11c-46b9-ae5b-6e39ff4e5849)<br/>Microsoft 365 Apps for enterprise G (de9234ff-6483-44d9-b15e-dca72fdd27af)<br/>Microsoft 365 Audio Conferencing for Government (f544b08d-1645-4287-82de-8d91f37c02a1)<br/>Microsoft 365 Communication Compliance (a413a9ff-720c-4822-98ef-2f37c2a21f4c)<br/>Microsoft 365 Defender (bf28f719-7844-4079-9c78-c1307898e192)<br/>Microsoft 365 Phone System for Government (db23fce2-a974-42ef-9002-d78dd42a0f22)<br/>Microsoft Bookings (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>Microsoft Communications DLP (6dc145d6-95dd-4191-b9c3-185575ee6f6b)<br/>Microsoft Customer Key (6db1f1db-2b46-403f-be40-e39395f08dbb)<br/>Microsoft Defender for Office 365 (Plan 1) for Government (493ff600-6a2b-4db6-ad37-a7d4eb214516)<br/>Microsoft Defender for Office 365 (Plan 2) for Government (900018f1-0cdb-4ecb-94d4-90281760fdc6)<br/>Microsoft Forms for Government (Plan E5) (843da3a8-d2cc-4e7a-9e90-dc46019f964c)<br/>Microsoft Information Governance (e26c2fcc-ab91-4a61-b35c-03cdc8dddf66)<br/>Microsoft Insider Risk Management (d587c7a3-bda9-4f99-8776-9bcf59c84f75)<br/>Microsoft ML-Based Classification (d2d51368-76c9-4317-ada2-a12c004c432f)<br/>Microsoft MyAnalytics for Government (Full) (208120d1-9adb-4daf-8c22-816bd5d237e7)<br/>Microsoft Records Management (65cc641f-cccd-4643-97e0-a17e3045e541)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft Teams for Government (304767db-7d23-49e8-a945-4a7eb65f9f28)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Office 365 Advanced eDiscovery for Government (d1cbfb67-18a8-4792-b643-630b7f19aad1)<br/>Office 365 Planner for Government (5b4ef465-7ea1-459a-9f91-033317755a51)<br/>Office for the Web for Government (8f9f0f3b-ca90-406c-a842-95579171f8ec)<br/>Power BI Pro for Government (944e9726-f011-4353-b654-5f7d2663db76)<br/>Premium Encryption in Office 365 (617b097b-4b93-4ede-83de-5f075bb5fb2f)<br/>SharePoint Plan 2G (153f85dd-d912-4762-af6c-d6e0fb4f6692)<br/>Skype for Business Online (Plan 2) for Government (a31ef4a2-f787-435e-8335-e47eb0cafc94)<br/>Stream for Office 365 for Government (E5) (92c2089d-9a53-49fe-b1a6-9e6bdf959547)<br/>To-Do (Plan 3) (3fb82609-8c27-4f7b-bd51-30634711ee67)<br/>Whiteboard (Plan 3) (4a51bca5-1eff-43f5-878c-177680f191af)<br/>Microsoft Defender for Endpoint (871d91ec-ec1a-452b-a83f-bd76c7d770ef)<br/>Microsoft Endpoint DLP (64bfac92-2b17-4482-b5e5-a0304429de3e)<br/>Azure Active Directory Premium P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>Azure Active Directory Premium P2 (eec0eb4f-6444-4f95-aba0-50c24d67f998)<br/>Azure Information Protection Premium P1 for GCC (1b66aedf-8ca1-4f73-af76-ec76c6180f98)<br/>Azure Information Protection Premium P2 for GCC (5400a66d-eaa5-427d-80f2-0f26d59d8fce)<br/>Azure Rights Management (6a76346d-5d6e-4051-9fe3-ed3f312b5597)<br/>Common Data Service (a7d3fb37-b6df-4085-b509-50810d991a39)<br/>Microsoft Azure Multi-Factor Authentication (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>Microsoft Defender for Cloud Apps (2e2ddb96-6af9-4b1d-a3f0-d6ecfd22edb2)<br/>Microsoft Defender for Identity (14ab5db5-e6c4-4b20-b4bc-13e36fd2227f)<br/>Microsoft Intune (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>Power Apps for Office 365 for Government (0eacfc38-458a-40d3-9eab-9671258f1a3e)<br/>Power Automate for Office 365 for Government (8055d84a-c172-42eb-b997-6c2ae4628246) |

+| Microsoft Teams Rooms Standard | MEETING_ROOM | 6070a4c8-34c6-4937-8dfb-39bbc6397a60 | AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>MCOMEETADV (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Teams_Room_Standard (92c6b761-01de-457a-9dd9-793a975238f7)<br/>WHITEBOARD_PLAN3 (4a51bca5-1eff-43f5-878c-177680f191af)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5) | Azure Active Directory Premium Plan 1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>Microsoft 365 Audio Conferencing (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>Microsoft 365 Phone System (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Teams Room Standard (92c6b761-01de-457a-9dd9-793a975238f7)<br/>Whiteboard (Plan 3) (4a51bca5-1eff-43f5-878c-177680f191af)<br/>Microsoft Intune (c1ec4a95-1f05-45b3-a911-aa3fa01094f5) |

+| Office 365 E1| STANDARDPACK | 18181a46-0d4e-45cd-891e-60aabd171b4e | CDS_O365_P1 (bed136c6-b799-4462-824d-fc045d3a9d25)<br/>EXCHANGE_S_STANDARD (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>MYANALYTICS_P2 (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>MICROSOFTBOOKINGS (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>FORMS_PLAN_E1 (159f4cd6-e380-449f-a816-af1a9ef76344)<br/>KAIZALA_O365_P2 (54fc630f-5a40-48ee-8965-af0503c1386e)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Deskless (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Nucleus (db4d623d-b514-490b-b7ef-8885eee514de)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>OFFICEMOBILE_SUBSCRIPTION (c63d4d19-e8cb-460e-b37c-4d6c34603745)<br/>PROJECT_O365_P1 (a55dfd10-0864-46d9-a3cd-da5991a3e0e2)<br/>SHAREPOINTSTANDARD (c7699d2e-19aa-44de-8edf-1736da088ca1)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)<br/>VIVA_LEARNING_SEEDED (b76fb638-6ba6-402a-b9f9-83d28acb3d86)<br/>WHITEBOARD_PLAN1 (b8afc642-032e-4de5-8c0a-507a7bba7e5d)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653)<br/>DYN365_CDS_O365_P1 (40b010bb-0b69-4654-ac5e-ba161433f4b4)<br/>RMS_S_BASIC (31cf2cfc-6b0d-4adc-a336-88b724ed8122)<br/>STREAM_O365_E1 (743dd19e-1ce3-4c62-a3ad-49ba8f63a2f6)<br/>POWERAPPS_O365_P1 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)<br/>FLOW_O365_P1 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)<br/>POWER_VIRTUAL_AGENTS_O365_P1 (0683001c-0492-4d59-9515-d9a6426b5813) | Common Data Service for Teams (bed136c6-b799-4462-824d-fc045d3a9d25)<br/>Exchange Online (Plan 1) (9aaf7827-d63c-4b61-89c3-182f06f82e5c)<br/>Insights by MyAnalytics (33c4f319-9bdd-48d6-9c4d-410b750a4a5a)<br/>Microsoft Bookings (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2)<br/>Microsoft Forms (Plan E1) (159f4cd6-e380-449f-a816-af1a9ef76344)<br/>Microsoft Kaizala Pro (54fc630f-5a40-48ee-8965-af0503c1386e)<br/>Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Microsoft StaffHub (8c7d2df8-86f0-4902-b2ed-a0458298f3b3)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Nucleus (db4d623d-b514-490b-b7ef-8885eee514de)<br/>Office for the Web (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>Office Mobile Apps for Office 365 (c63d4d19-e8cb-460e-b37c-4d6c34603745)<br/>Project for Office (Plan E1) (a55dfd10-0864-46d9-a3cd-da5991a3e0e2)<br/>SharePoint (Plan 1) (c7699d2e-19aa-44de-8edf-1736da088ca1)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>To-Do (Plan 1) (5e62787c-c316-451f-b873-1d05acd4d12c)<br/>Viva Learning Seeded (b76fb638-6ba6-402a-b9f9-83d28acb3d86)<br/>Whiteboard (Plan 1) (b8afc642-032e-4de5-8c0a-507a7bba7e5d)<br/>Yammer Enterprise (7547a3fe-08ee-4ccb-b430-5077c5041653)<br/>Common Data Service (40b010bb-0b69-4654-ac5e-ba161433f4b4)<br/>Microsoft Azure Rights Management Service (31cf2cfc-6b0d-4adc-a336-88b724ed8122)<br/>Microsoft Stream for Office 365 E1 (743dd19e-1ce3-4c62-a3ad-49ba8f63a2f6)<br/>Power Apps for Office 365 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)<br/>Power Automate for Office 365 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)<br/>Power Virtual Agents for Office 365 (0683001c-0492-4d59-9515-d9a6426b5813) |

+## Remove an organization

+When you remove an organization from your Organizational settings, the default cross-tenant access settings will go into effect for that organization.

+> [!NOTE]

+> If the organization is a cloud service provider for your organization (the isServiceProvider property in the Microsoft Graph [partner-specific configuration](/graph/api/resources/crosstenantaccesspolicyconfigurationpartner) is true), you won't be able to remove the organization.

+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or Security administrator account. Then open the **Azure Active Directory** service.

+1. Select **External Identities**, and then select **Cross-tenant access settings (Preview)**.

+1. Select the **Organizational settings** tab.

+1. Find the organization in the list, and then select the trash can icon on that row.

+When you remove an organization from your Organizational settings, the default cross-tenant access settings will go into effect for that organization.

+1. Find the organization in the list, and then select the trash can icon on that row.

+## April 2022

+### Updated articles

+- [Email one-time passcode authentication](one-time-passcode.md)

+- [Configure external collaboration settings](external-collaboration-settings-configure.md)

+- [Add a self-service sign-up user flow to an app](self-service-sign-up-user-flow.md)

+- [B2B direct connect overview (Preview)](b2b-direct-connect-overview.md)

+- [Azure Active Directory B2B collaboration invitation redemption](redemption-experience.md)

+- [Federation with SAML/WS-Fed identity providers for guest users (preview)](direct-federation.md)

+- [Azure Active Directory External Identities: What's new](whats-new-docs.md)

+- [Azure Active Directory B2B best practices](b2b-fundamentals.md)

+- [Troubleshooting Azure Active Directory B2B collaboration](troubleshoot.md)

+- [Properties of an Azure Active Directory B2B collaboration user](user-properties.md)

+- [B2B collaboration overview](what-is-b2b.md)

+> [!NOTE]

+> Selecting multiple groups or applications results in the creation of multiple access reviews. For example, if you select five groups to review, the result is five separate access reviews.

+7. Now you can select a scope for the review. Your options are:

+1. Or if you are conducting group membership review, you can create access reviews only for inactive users in the group (preview). In the *Users scope* section, check the box next to **Inactive users (on tenant level)**. If you check the box, the scope of the review will focus on inactive users only. Then, specify **Days inactive** with a number of days inactive up to 730 days (two years). Users in the group inactive for the specified number of days will be the only users in the review.

+Use the following instructions to create an access review on a team with shared channels:

+1. Sign in to the Azure portal as a Global Admin, User Admin or Identity Governance Admin.

+11. Or, you can create access reviews only for inactive users (preview). In the *Users scope* section, set the **Inactive users (on tenant level) only** to **true**. If the toggle is set to *true*, the scope of the review will focus on inactive users only. Then, specify **Days inactive** with a number of days inactive up to 730 days (two years). Users inactive for the specified number of days will be the only users in the review.

+

+12. Under **Review role membership**, select the privileged Azure resource or Azure AD roles to review.

+13. In **assignment type**, scope the review by how the principal was assigned to the role. Choose **eligible assignments only** to review eligible assignments (regardless of activation status when the review is created) or **active assignments only** to review active assignments. Choose **all active and eligible assignments** to review all assignments regardless of type.

+14. In the **Reviewers** section, select one or more people to review all the users. Or you can select to have the members review their own access.

+## Next steps

+- [Basic info in the Azure AD sign-in logs](reference-basic-info-sign-in-logs.md)

+- [How to download logs in Azure Active Directory](howto-download-logs.md)

+- [How to access activity logs in Azure AD](howto-access-activity-logs.md)

+- [Basic info in the Azure AD sign-in logs](reference-basic-info-sign-in-logs.md)

+- [How to download logs in Azure Active Directory](howto-download-logs.md)

+- [How to access activity logs in Azure AD](howto-access-activity-logs.md)

+ > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Adobe Sign Client support team](https://helpx.adobe.com/support.html) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. Before configuration, contact the [Adobe Sign Client support team](https://helpx.adobe.com/support.html) to add your domain in the Adobe Sign allowlist. Here's how to add the domain:

+ a. The [Adobe Sign Client support team](https://helpx.adobe.com/support.html) sends you a randomly generated token. For your domain, the token will be like the following: **adobe-sign-verification= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx**

+ b. Publish the verification token in a DNS text record, and notify the [Adobe Sign Client support team](https://helpx.adobe.com/support.html).

+ c. When you notify the [Adobe Sign Client support team](https://helpx.adobe.com/support.html) through the support ticket, after the token is published, they validate the domain and add it to your account.

+ Title: 'Tutorial: Azure AD SSO integration with TeamSlide'

+description: Learn how to configure single sign-on between Azure Active Directory and TeamSlide.

+# Tutorial: Azure AD SSO integration with TeamSlide

+In this tutorial, you'll learn how to integrate TeamSlide with Azure Active Directory (Azure AD). When you integrate TeamSlide with Azure AD, you can:

+* Control in Azure AD who has access to TeamSlide.

+* Enable your users to be automatically signed-in to TeamSlide with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* TeamSlide single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* TeamSlide supports **SP** initiated SSO.

+* TeamSlide supports **Just In Time** user provisioning.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add TeamSlide from the gallery

+To configure the integration of TeamSlide into Azure AD, you need to add TeamSlide from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **TeamSlide** in the search box.

+1. Select **TeamSlide** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for TeamSlide

+Configure and test Azure AD SSO with TeamSlide using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in TeamSlide.

+To configure and test Azure AD SSO with TeamSlide, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure TeamSlide SSO](#configure-teamslide-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create TeamSlide test user](#create-teamslide-test-user)** - to have a counterpart of B.Simon in TeamSlide that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **TeamSlide** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type the URL:

+ `https://www.teamslide.io/AuthServices/`

+ b. In the **Reply URL** textbox, type the URL:

+ `https://www.teamslide.io/AuthServices/Acs`

+ c. In the **Sign-on URL** text box, type a URL using the following pattern:

+ `https://www.teamslide.io/ChooseSso?domain=<CustomerDomain>`

+ > [!NOTE]

+ > The Sign-on URL is not real. Update the value with the actual Sign-on URL. Contact [TeamSlide Client support team](mailto:support@aploris.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. TeamSlide application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, TeamSlide application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | displayname | user.displayname |

+ | groups | user.groups [All] |

+

+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to TeamSlide.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **TeamSlide**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure TeamSlide SSO

+1. Log in to your TeamSlide company site as an administrator.

+1. Go to **Global Settings** > **SSO Settings** tab.

+1. In the **Single sign-on settings** page, perform the following steps:

+ 

+ a. In the **Entity ID** textbox, paste the **Azure AD Identifier** value which you have copied from the Azure portal.

+ b. In the **Sign-On URL** textbox, paste the **Login URL** value which you have copied from the Azure portal.

+ c. In the **Metadata location** textbox, paste the **App Federation Metadata Url** value which you have copied from the Azure portal.

+ d. Click **Save Changes**.

+### Create TeamSlide test user

+In this section, a user called B.Simon is created in TeamSlide. TeamSlide supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in TeamSlide, a new one is created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to TeamSlide Sign-on URL where you can initiate the login flow.

+* Go to TeamSlide Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the TeamSlide tile in the My Apps, this will redirect to TeamSlide Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure TeamSlide you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Use Windows HostProcess containers

+description: Learn how to use HostProcess & Privileged containers for Windows workloads on AKS

+# Use Windows HostProcess containers

+HostProcess / Privileged containers extend the Windows container model to enable a wider range of Kubernetes cluster management scenarios. HostProcess containers run directly on the host and maintain behavior and access similar to that of a regular process. HostProcess containers allow users to package and distribute management operations and functionalities that require host access while retaining versioning and deployment methods provided by containers.

+A privileged DaemonSet can carry out changes or monitor a Linux host on Kubernetes but not Windows hosts. HostProcess containers are the Windows equivalent of host elevation.

+## Limitations

+* HostProcess containers require Kubernetes 1.23 or greater.

+* HostProcess containers require `containerd` 1.6 or higher container runtime.

+* HostProcess pods can only contain HostProcess containers. This is a current limitation of the Windows operating system. Non-privileged Windows containers can't share a vNIC with the host IP namespace.

+* HostProcess containers run as a process on the host. The only isolation those containers have from the host is the resource constraints imposed on the HostProcess user account.

+* Filesystem isolation and Hyper-V isolation aren't supported for HostProcess containers.

+* Volume mounts are supported and are mounted under the container volume. See Volume Mounts.

+* A limited set of host user accounts are available for Host Process containers by default. See Choosing a User Account.

+* Resource limits such as disk, memory, and cpu count, work the same way as fashion as processes on the host.

+* Named pipe mounts and Unix domain sockets are not directly supported, but can be accessed on their host path, for example `\\.\pipe\*`.

+## Run a HostProcess workload

+To use HostProcess features with your deployment, set *privilaged: true*, *hostProcess: true*, and *hostNetwork: true*:

+```yaml

+ spec:

+ ...

+ containers:

+ ...

+ securityContext:

+ privileged: true

+ windowsOptions:

+ hostProcess: true

+ ...

+ hostNetwork: true

+ ...

+```

+To run an example workload that uses HostProcess features on an existing AKS cluster with Windows nodes, create `hostprocess.yaml` with the following:

+```yaml

+apiVersion: apps/v1

+kind: DaemonSet

+metadata:

+ name: privileged-daemonset

+ namespace: kube-system

+ labels:

+ app: privileged-daemonset

+spec:

+ selector:

+ matchLabels:

+ app: privileged-daemonset

+ template:

+ metadata:

+ labels:

+ app: privileged-daemonset

+ spec:

+ nodeSelector:

+ kubernetes.io/os: windows

+ containers:

+ - name: powershell

+ image: mcr.microsoft.com/powershell:lts-nanoserver-1809

+ securityContext:

+ privileged: true

+ windowsOptions:

+ hostProcess: true

+ runAsUserName: "NT AUTHORITY\\SYSTEM"

+ command:

+ - pwsh.exe

+ - -command

+ - |

+ $AdminRights = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")

+ Write-Host "Process has admin rights: $AdminRights"

+ while ($true) { Start-Sleep -Seconds 2147483 }

+ hostNetwork: true

+ terminationGracePeriodSeconds: 0

+```

+Use `kubectl` to run the example workload:

+```azurecli-interactive

+kubectl apply -f hostprocess.yaml

+```

+You should see the following output:

+```output

+$ kubectl apply -f hostprocess.yaml

+daemonset.apps/privileged-daemonset created

+```

+You can verify your workload use the features of HostProcess by view the pod's logs.

+Use `kubectl` to find the name of the pod in the `kube-system` namespace.

+```output

+$ kubectl get pods --namespace kube-system

+NAME READY STATUS RESTARTS AGE

+...

+privileged-daemonset-12345 1/1 Running 0 2m13s

+```

+Use `kubctl log` to view the logs of the pod and verify the pod has administrator rights:

+```output

+$ kubectl logs privileged-daemonset-12345 --namespace kube-system

+InvalidOperation: Unable to find type [Security.Principal.WindowsPrincipal].

+Process has admin rights:

+```

+## Next steps

+For more details on HostProcess containers and Microsoft's contribution to Kubernetes upstream, see the [Alpha in v1.22: Windows HostProcess Containers][blog-post].

+<!-- LINKS - External -->

+[blog-post]: https://kubernetes.io/blog/2021/08/16/windows-hostprocess-containers/

+ <inbound>

+ <!-- statements to be applied to the request go here -->

+ </inbound>

+ <backend>

+ <!-- statements to be applied before the request is

+ forwarded to the backend service go here -->

+ <!-- statements to be applied to the response go here -->

+ </on-error>

+ #Assign the following permissions: Microsoft Graph Delegated Permission: User.Read, Microsoft Graph Application Permission: Directory.ReadAll

+> [!TIP]

+> Feature flags and Key Vault references are special types of key-values. Check out the [Next steps](#next-steps) for examples of creating them using the ARM template.

+- [ARM template for feature flag](https://azure.microsoft.com/resources/templates/app-configuration-store-ff/)

+- [ARM template for Key Vault reference](https://azure.microsoft.com/resources/templates/app-configuration-store-keyvaultref/)

+* To read, modify, and delete the resource bridge, you are a member of the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role in the resource group.

+> [!NOTE]

+> See [Flushing data](api-custom-events-metrics.md#flushing-data) if you want to flush the buffer--for example, if you are using the SDK in an application that shuts down.

+ If it's not created automatically, you'll need to create it yourself. In the root directory of an ASP.NET application, create a new file called *ApplicationInsights.config*.

+In a microservices environment, traces from components can go to different storage items. Every component can have its own connection string in Application Insights. To get telemetry for the logical operation, Application Insights queries data from every storage item. When the number of storage items is large, you'll need a hint about where to look next. The Application Insights data model defines two fields to solve this problem: `request.source` and `dependency.target`. The first field identifies the component that initiated the dependency request. The second field identifies which component returned the response of the dependency call.

+For information on querying from multiple disparate instances using the `app` query expression, see [app() expression in Azure Monitor query](../logs/app-expression.md#app-expression-in-azure-monitor-query).

+In the results, all telemetry items share the root `operation_Id`. When an Ajax call is made from the page, a new unique ID (`qJSXU`) is assigned to the dependency telemetry, and the ID of the pageView is used as `operation_ParentId`. The server request then uses the Ajax ID as `operation_ParentId`.

+| `Operation_ParentId` | [parent-id](https://w3c.github.io/trace-context/#parent-id) of this span's parent span. This field must be empty if it's a root span.|

+ Java 3.0 agent supports W3C out of the box and no more configuration is needed.

+OpenCensus Python supports [W3C Trace-Context](https://w3c.github.io/trace-context/) without requiring extra configuration.

+OpenCensus Python correlates W3C Trace-Context headers from incoming requests to the spans that are generated from the requests themselves. OpenCensus will correlate automatically with integrations for these popular web application frameworks: Flask, Django, and Pyramid. You just need to populate the W3C Trace-Context headers with the [correct format](https://www.w3.org/TR/trace-context/#trace-context-http-headers-format) and send them with the request.

+**Sample Flask application**

+If you look at the request entry that was sent to Azure Monitor, you can see fields populated with the trace header information. You can find the data under Logs (Analytics) in the Azure Monitor Application Insights resource.

+OpenCensus Python enables you to correlate logs by adding a trace ID, a span ID, and a sampling flag to log records. You add these attributes by installing OpenCensus [logging integration](https://pypi.org/project/opencensus-ext-logging/). The following attributes will be added to Python `LogRecord` objects: `traceId`, `spanId`, and `traceSampled`. (applicable only for loggers that are created after the integration)

+**Sample application**

+Notice that there's a `spanId` present for the log message that's within the span. The `spanId` is the same as that which belongs to the span named `hello`.

+ <ConnectionString>InstrumentationKey=00000000-0000-0000-0000-000000000000</ConnectionString>

+`TrackMetric()` sends raw telemetry denoting a metric. It's inefficient to send a single telemetry item for each value. `TrackMetric()` is also inefficient in terms of performance since every `TrackMetric(item)` goes through the full SDK pipeline of telemetry initializers and processors. Unlike `TrackMetric()`, `GetMetric()` handles local pre-aggregation for you and then only submits an aggregated summary metric at a fixed interval of one minute. So if you need to closely monitor some custom metric at the second or even millisecond level you can do so while only incurring the storage and network traffic cost of only monitoring every minute. This behavior also greatly reduces the risk of throttling occurring since the total number of telemetry items that need to be sent for an aggregated metric are greatly reduced.

+In Application Insights, custom metrics collected via `TrackMetric()` and `GetMetric()` aren't subject to [sampling](./sampling.md). Sampling important metrics can lead to scenarios where alerting you may have built around those metrics could become unreliable. By never sampling your custom metrics, you can generally be confident that when your alert thresholds are breached, an alert will fire. But since custom metrics aren't sampled, there are some potential concerns.

+Trend tracking in a metric every second, or at an even more granular interval can result in:

+- Increased data storage costs. There's a cost associated with how much data you send to Azure Monitor. (The more data you send the greater the overall cost of monitoring.)

+- Increased network traffic/performance overhead. (In some scenarios this overhead could have both a monetary and application performance cost.)

+- Risk of ingestion throttling. (The Azure Monitor service drops ("throttles") data points when your app sends a high rate of telemetry in a short time interval.)

+Throttling is a concern as it can lead to missed alerts. The condition to trigger an alert could occur locally and then be dropped at the ingestion endpoint due to too much data being sent. We don't recommend using `TrackMetric()` for .NET and .NET Core unless you've implemented your own local aggregation logic. If you're trying to track every instance an event occurs over a given time period, you may find that [`TrackEvent()`](./api-custom-events-metrics.md#trackevent) is a better fit. Though keep in mind that unlike custom metrics, custom events are subject to sampling. You can still use `TrackMetric()` even without writing your own local pre-aggregation, but if you do so be aware of the pitfalls.

+In summary `GetMetric()` is the recommended approach since it does pre-aggregation, it accumulates values from all the Track() calls and sends a summary/aggregate once every minute. `GetMetric()` can significantly reduce the cost and performance overhead by sending fewer data points, while still collecting all relevant information.

+For our examples, we're going to use a basic .NET Core 3.1 worker service application. If you would like to replicate the test environment used with these examples, follow steps 1-6 of the [monitoring worker service article](./worker-service.md#net-core-30-worker-service-application). These steps will add Application Insights to a basic worker service project template and the concepts apply to any general application where the SDK can be used including web apps and console apps.

+Replace the contents of your `worker.cs` file with the following code:

+When running the sample code, you'll see the while loop repeatedly executing with no telemetry being sent in the Visual Studio output window. A single telemetry item will be sent by around the 60-second mark, which in our test looks as follows:

+If we examine our Application Insights resource in the Logs (Analytics) experience, the individual telemetry item would look as follows:

+Metric values may be observed frequently in some cases. For example, a high-throughput service that processes 500 requests/second may want to emit 20 telemetry metrics for each request. The result means tracking 10,000 values per second. In such high-throughput scenarios, users may need to help the SDK by avoiding some lookups.

+For example, the example above performed a lookup for a handle for the metric "ComputersSold" and then tracked an observed value 42. Instead, the handle may be cached for multiple track invocations:

+ Here's an example of how to create a one-dimensional metric:

+Running the sample code for at least 60 seconds will result in three distinct telemetry items being sent to Azure, each representing the aggregation of one of the three form factors. As before you can further examine in the Logs (Analytics) view:

+In the Metrics explorer experience:

+However, you'll notice that you aren't able to split the metric by your new custom dimension, or view your custom dimension with the metrics view:

+By default multi-dimensional metrics within the Metric explorer experience aren't turned on in Application Insights resources.

+To enable multi-dimensional metrics for an Application Insights resource, Select **Usage and estimated costs** > **Custom Metrics** > **Enable alerting on custom metric dimensions** > **OK**. More details about can be found [here](pre-aggregated-metrics-log-metrics.md#custom-metrics-dimensions-and-pre-aggregation).

+Once you have made that change and send new multi-dimensional telemetry, you'll be able to **Apply splitting**.

+If you want to alter the metric configuration, you need make alterations in the place where the metric is initialized.

+Metrics don't use the telemetry context of the `TelemetryClient` used to access them, special dimension names available as constants in `MetricDimensionNames` class is the best workaround for this limitation.

+The values of this special dimension will be copied into the `TelemetryContext` and won't be used as a 'normal' dimension. If you want to also keep an operation dimension for normal metric exploration, you need to create a separate dimension for that purpose:

+> [!IMPORTANT]

+> Use low cardinal values for dimensions to avoid throttling.

+ In the context of dimension and time series capping, we use `Metric.TrackValue(..)` to make sure that the limits are observed. If the limits are already reached, `Metric.TrackValue(..)` will return "False" and the value won't be tracked. Otherwise it will return "True". This behavior is useful if the data for a metric originates from user input.

+Here's an example of how to send a message to know if cap limits are exceeded:

+### Add spans

+You can use `opentelemetry-api` to create [tracers](https://opentelemetry.io/docs/instrumentation/java/manual/#tracing) and spans. Spans populate the dependencies table in Application Insights. The string passed in for the span's name is saved to the _target_ field within the dependency.

+> [!NOTE]

+> This feature is only in 3.2.0 and later.

+1. Add `opentelemetry-api-1.6.0.jar` to your application:

+ ```xml

+ <dependency>

+ <groupId>io.opentelemetry</groupId>

+ <artifactId>opentelemetry-api</artifactId>

+ <version>1.6.0</version>

+ </dependency>

+ ```

+1. Add spans in your code:

+ ```java

+ import io.opentelemetry.api.trace.Span;

+ Span span = tracer.spanBuilder("mySpan").startSpan();

+ ```

+### Add span events

+You can use `opentelemetry-api` to create span events, which populate the traces table in Application Insights. The string passed in to `addEvent()` is saved to the _message_ field within the trace.

+> [!NOTE]

+> This feature is only in 3.2.0 and later.

+1. Add `opentelemetry-api-1.6.0.jar` to your application:

+ ```xml

+ <dependency>

+ <groupId>io.opentelemetry</groupId>

+ <artifactId>opentelemetry-api</artifactId>

+ <version>1.6.0</version>

+ </dependency>

+ ```

+1. Add span events in your code:

+ ```java

+ import io.opentelemetry.api.trace.Span;

+ span.addEvent("eventName");

+ ```

+Adding one or more custom dimensions populates the _customDimensions_ field in the requests, dependencies, traces, or exceptions table.

+ ```xml

+ <dependency>

+ <groupId>io.opentelemetry</groupId>

+ <artifactId>opentelemetry-api</artifactId>

+ <version>1.6.0</version>

+ </dependency>

+ ```

+ ```java

+ import io.opentelemetry.api.common.AttributeKey;

+ import io.opentelemetry.api.common.Attributes;

+ Attributes attributes = Attributes.of(AttributeKey.stringKey("mycustomdimension"), "myvalue1");

+ span.setAllAttributes(attributes);

+ span.addEvent("eventName", attributes);

+ ```

+### Update span status and record exceptions

+You can use `opentelemetry-api` to update the status of a span and record exceptions.

+> [!NOTE]

+> This feature is only in 3.2.0 and later.

+1. Add `opentelemetry-api-1.6.0.jar` to your application:

+ ```xml

+ <dependency>

+ <groupId>io.opentelemetry</groupId>

+ <artifactId>opentelemetry-api</artifactId>

+ <version>1.6.0</version>

+ </dependency>

+ ```

+1. Set status to error and record an exception in your code:

+ ```java

+ import io.opentelemetry.api.trace.Span;

+ import io.opentelemetry.api.trace.StatusCode;

+ span.setStatus(StatusCode.ERROR, "errorMessage");

+ span.recordException(e);

+ ```

+ ```xml

+ <dependency>

+ <groupId>io.opentelemetry</groupId>

+ <artifactId>opentelemetry-api</artifactId>

+ <version>1.6.0</version>

+ </dependency>

+ ```

+ ```java

+ import io.opentelemetry.api.trace.Span;

+ Span.current().setAttribute("enduser.id", "myuser");

+ ```

+ ```xml

+ <dependency>

+ <groupId>io.opentelemetry</groupId>

+ <artifactId>opentelemetry-api</artifactId>

+ <version>1.6.0</version>

+ </dependency>

+ ```

+ ```java

+ import io.opentelemetry.api.trace.Span;

+ String traceId = Span.current().getSpanContext().getTraceId();

+ String spanId = Span.current().getSpanContext().getSpanId();

+ ```

+| Traces | | Yes | Yes | Yes |

+| enableDebug | If true, **internal** debugging data is thrown as an exception **instead** of being logged, regardless of SDK logging settings. Default is false. <br>***Note:*** Enabling this setting will result in dropped telemetry whenever an internal error occurs. This can be useful for quickly identifying issues with your configuration or usage of the SDK. If you don't want to lose telemetry while debugging, consider using `loggingLevelConsole` or `loggingLevelTelemetry` instead of `enableDebug`. | boolean<br/>false |

+The following sample creates a [classic Application Insights resource](../app/create-new-resource.md).

+# [Bicep](#tab/bicep)

+```bicep

+@description('Name of Application Insights resource.')

+param name string

+@description('Type of app you are deploying. This field is for legacy reasons and will not impact the type of App Insights resource you deploy.')

+param type string

+@description('Which Azure Region to deploy the resource to. This must be a valid Azure regionId.')

+param regionId string

+@description('See documentation on tags: https://docs.microsoft.com/azure/azure-resource-manager/management/tag-resources.')

+param tagsArray object

+@description('Source of Azure Resource Manager deployment')

+param requestSource string

+resource component 'Microsoft.Insights/components@2020-02-02' = {

+ name: name

+ location: regionId

+ tags: tagsArray

+ kind: 'other'

+ properties: {

+ Application_Type: type

+ Flow_Type: 'Bluefield'

+ Request_Source: requestSource

+ }

+}

+```

+# [JSON](#tab/json)

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "name": {

+ "type": "string",

+ "metadata": {

+ "description": "Name of Application Insights resource."

+ }

+ },

+ "type": {

+ "type": "string",

+ "metadata": {

+ "description": "Type of app you are deploying. This field is for legacy reasons and will not impact the type of App Insights resource you deploy."

+ }

+ },

+ "regionId": {

+ "type": "string",

+ "metadata": {

+ "description": "Which Azure Region to deploy the resource to. This must be a valid Azure regionId."

+ }

+ },

+ "tagsArray": {

+ "type": "object",

+ "metadata": {

+ "description": "See documentation on tags: https://docs.microsoft.com/azure/azure-resource-manager/management/tag-resources."

+ }

+ },

+ "requestSource": {

+ "type": "string",

+ "metadata": {

+ "description": "Source of Azure Resource Manager deployment"

+ }

+ }

+ },

+ "resources": [

+ {

+ "type": "Microsoft.Insights/components",

+ "apiVersion": "2020-02-02",

+ "name": "[parameters('name')]",

+ "location": "[parameters('regionId')]",

+ "tags": "[parameters('tagsArray')]",

+ "kind": "other",

+ "properties": {

+ "Application_Type": "[parameters('type')]",

+ "Flow_Type": "Bluefield",

+ "Request_Source": "[parameters('requestSource')]"

+ }

+ }

+ ]

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "type": {

+ "value": "web"

+ },

+ "name": {

+ "value": "my_app_insights_resource"

+ },

+ "regionId": {

+ "value": "westus2"

+ },

+ "tagsArray": {

+ "value": {}

+ },

+ "requestSource": {

+ "value": "CustomDeployment"

+ }

+## Workspace-based Application Insights resource

+The following sample creates a [workspace-based Application Insights resource](../app/create-workspace-resource.md). Workspace-based Application Insights are currently in **preview**.

+# [Bicep](#tab/bicep)

+```bicep

+@description('Name of Application Insights resource.')

+param name string

+@description('Type of app you are deploying. This field is for legacy reasons and will not impact the type of App Insights resource you deploy.')

+param type string

+@description('Which Azure Region to deploy the resource to. This must be a valid Azure regionId.')

+param regionId string

+@description('See documentation on tags: https://docs.microsoft.com/azure/azure-resource-manager/management/tag-resources.')

+param tagsArray object

+@description('Source of Azure Resource Manager deployment')

+param requestSource string

+@description('Log Analytics workspace ID to associate with your Application Insights resource.')

+param workspaceResourceId string

+resource component 'Microsoft.Insights/components@2020-02-02' = {

+ name: name

+ location: regionId

+ tags: tagsArray

+ kind: 'other'

+ properties: {

+ Application_Type: type

+ Flow_Type: 'Bluefield'

+ Request_Source: requestSource

+ WorkspaceResourceId: workspaceResourceId

+ }

+}

+```

+# [JSON](#tab/json)

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "name": {

+ "type": "string",

+ "metadata": {

+ "description": "Name of Application Insights resource."

+ }

+ },

+ "type": {

+ "type": "string",

+ "metadata": {

+ "description": "Type of app you are deploying. This field is for legacy reasons and will not impact the type of App Insights resource you deploy."

+ }

+ },

+ "regionId": {

+ "type": "string",

+ "metadata": {

+ "description": "Which Azure Region to deploy the resource to. This must be a valid Azure regionId."

+ }

+ },

+ "tagsArray": {

+ "type": "object",

+ "metadata": {

+ "description": "See documentation on tags: https://docs.microsoft.com/azure/azure-resource-manager/management/tag-resources."

+ }

+ },

+ "requestSource": {

+ "type": "string",

+ "metadata": {

+ "description": "Source of Azure Resource Manager deployment"

+ }

+ },

+ "workspaceResourceId": {

+ "type": "string",

+ "metadata": {

+ "description": "Log Analytics workspace ID to associate with your Application Insights resource."

+ }

+ }

+ },

+ "resources": [

+ {

+ "type": "Microsoft.Insights/components",

+ "apiVersion": "2020-02-02",

+ "name": "[parameters('name')]",

+ "location": "[parameters('regionId')]",

+ "tags": "[parameters('tagsArray')]",

+ "kind": "other",

+ "properties": {

+ "Application_Type": "[parameters('type')]",

+ "Flow_Type": "Bluefield",

+ "Request_Source": "[parameters('requestSource')]",

+ "WorkspaceResourceId": "[parameters('workspaceResourceId')]"

+ }

+ }

+ ]

+The following sample creates a .NET Core 3.1 Azure Function app running on a Windows App Service plan and a [classic Application Insights resource](../app/create-new-resource.md) with monitoring enabled.

+# [Bicep](#tab/bicep)

+```bicep

+param subscriptionId string

+param name string

+param location string

+param hostingPlanName string

+param serverFarmResourceGroup string

+param alwaysOn bool

+param storageAccountName string

+resource site 'Microsoft.Web/sites@2021-03-01' = {

+ name: name

+ kind: 'functionapp'

+ location: location

+ properties: {

+ siteConfig: {

+ appSettings: [

+ {

+ name: 'FUNCTIONS_EXTENSION_VERSION'

+ value: '~3'

+ name: 'FUNCTIONS_WORKER_RUNTIME'

+ value: 'dotnet'

+ }

+ name: 'APPINSIGHTS_INSTRUMENTATIONKEY'

+ value: reference('microsoft.insights/components/function-app-01', '2015-05-01').InstrumentationKey

+ }

+ {

+ name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'

+ value: reference('microsoft.insights/components/function-app-01', '2015-05-01').ConnectionString

+ }

+ name: 'AzureWebJobsStorage'

+ value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};AccountKey=${storageAccount.listKeys().keys[0]};EndpointSuffix=core.windows.net'

+ }

+ ]

+ alwaysOn: alwaysOn

+ }

+ serverFarmId: '/subscriptions/${subscriptionId}/resourcegroups/${serverFarmResourceGroup}/providers/Microsoft.Web/serverfarms/${hostingPlanName}'

+ clientAffinityEnabled: true

+ }

+ dependsOn: [

+ functionApp

+ ]

+}

+resource functionApp 'microsoft.insights/components@2015-05-01' = {

+ name: 'function-app-01'

+ location: location

+ kind: 'web'

+ properties: {

+ Application_Type: 'web'

+ Request_Source: 'rest'

+ }

+}

+resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = {

+ name: storageAccountName

+ location: location

+ sku: {

+ name: 'Standard_LRS'

+ }

+ kind: 'Storage'

+ properties: {

+ supportsHttpsTrafficOnly: true

+ }

+}

+```

+# [JSON](#tab/json)

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "subscriptionId": {

+ "type": "string"

+ },

+ "name": {

+ "type": "string"

+ },

+ "location": {

+ "type": "string"

+ },

+ "hostingPlanName": {

+ "type": "string"

+ },

+ "serverFarmResourceGroup": {

+ "type": "string"

+ },

+ "alwaysOn": {

+ "type": "bool"

+ },

+ "storageAccountName": {

+ "type": "string"

+ }

+ },

+ "resources": [

+ {

+ "type": "Microsoft.Web/sites",

+ "apiVersion": "2021-03-01",

+ "name": "[parameters('name')]",

+ "kind": "functionapp",

+ "location": "[parameters('location')]",

+ "properties": {

+ "siteConfig": {

+ "appSettings": [

+ {

+ "name": "FUNCTIONS_EXTENSION_VERSION",

+ "value": "~3"

+ },

+ {

+ "name": "FUNCTIONS_WORKER_RUNTIME",

+ "value": "dotnet"

+ },

+ {

+ "name": "APPINSIGHTS_INSTRUMENTATIONKEY",

+ "value": "[reference('microsoft.insights/components/function-app-01', '2015-05-01').InstrumentationKey]"

+ },

+ {

+ "name": "APPLICATIONINSIGHTS_CONNECTION_STRING",

+ "value": "[reference('microsoft.insights/components/function-app-01', '2015-05-01').ConnectionString]"

+ {

+ "name": "AzureWebJobsStorage",

+ "value": "[format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1};EndpointSuffix=core.windows.net', parameters('storageAccountName'), listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2021-08-01').keys[0])]"

+ ],

+ "alwaysOn": "[parameters('alwaysOn')]"

+ },

+ "serverFarmId": "[format('/subscriptions/{0}/resourcegroups/{1}/providers/Microsoft.Web/serverfarms/{2}', parameters('subscriptionId'), parameters('serverFarmResourceGroup'), parameters('hostingPlanName'))]",

+ "clientAffinityEnabled": true

+ },

+ "dependsOn": [

+ "[resourceId('Microsoft.Insights/components', 'function-app-01')]",

+ "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"

+ ]

+ },

+ {

+ "type": "Microsoft.Insights/components",

+ "apiVersion": "2015-05-01",

+ "name": "function-app-01",

+ "location": "[parameters('location')]",

+ "kind": "web",

+ "properties": {

+ "Application_Type": "web",

+ "Request_Source": "rest"

+ }

+ },

+ {

+ "type": "Microsoft.Storage/storageAccounts",

+ "apiVersion": "2021-08-01",

+ "name": "[parameters('storageAccountName')]",

+ "location": "[parameters('location')]",

+ "sku": {

+ "name": "Standard_LRS"

+ },

+ "kind": "Storage",

+ "properties": {

+ "supportsHttpsTrafficOnly": true

+ }

+ }

+ ]

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",

+The following sample creates a basic Azure App Service web app with the .NET Core runtime and a [classic Application Insights resource](../app/create-new-resource.md) with monitoring enabled.

+# [Bicep](#tab/bicep)

+```bicep

+param subscriptionId string

+param name string

+param location string

+param hostingPlanName string

+param serverFarmResourceGroup string

+param alwaysOn bool

+param phpVersion string

+param errorLink string

+resource site 'Microsoft.Web/sites@2021-03-01' = {

+ name: name

+ location: location

+ properties: {

+ siteConfig: {

+ appSettings: [

+ {

+ name: 'APPINSIGHTS_INSTRUMENTATIONKEY'

+ value: reference('microsoft.insights/components/web-app-name-01', '2015-05-01').InstrumentationKey

+ }

+ {

+ name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'

+ value: reference('microsoft.insights/components/web-app-name-01', '2015-05-01').ConnectionString

+ }

+ {

+ name: 'ApplicationInsightsAgent_EXTENSION_VERSION'

+ value: '~2'

+ }

+ {

+ name: 'XDT_MicrosoftApplicationInsights_Mode'

+ value: 'default'

+ }

+ {

+ name: 'ANCM_ADDITIONAL_ERROR_PAGE_LINK'

+ value: errorLink

+ }

+ ]

+ phpVersion: phpVersion

+ alwaysOn: alwaysOn

+ }

+ serverFarmId: '/subscriptions/${subscriptionId}/resourcegroups/${serverFarmResourceGroup}/providers/Microsoft.Web/serverfarms/${hostingPlanName}'

+ clientAffinityEnabled: true

+ }

+ dependsOn: [

+ webApp

+ ]

+}

+resource webApp 'Microsoft.Insights/components@2020-02-02' = {

+ name: 'web-app-name-01'

+ location: location

+ kind: 'web'

+ properties: {

+ Application_Type: 'web'

+ Request_Source: 'rest'

+ }

+}

+```

+# [JSON](#tab/json)

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "subscriptionId": {

+ "type": "string"

+ "name": {

+ "type": "string"

+ },

+ "location": {

+ "type": "string"

+ },

+ "hostingPlanName": {

+ "type": "string"

+ },

+ "serverFarmResourceGroup": {

+ "type": "string"

+ },

+ "alwaysOn": {

+ "type": "bool"

+ },

+ "phpVersion": {

+ "type": "string"

+ },

+ "errorLink": {

+ "type": "string"

+ }

+ },

+ "resources": [

+ {

+ "type": "Microsoft.Web/sites",

+ "apiVersion": "2021-03-01",

+ "name": "[parameters('name')]",

+ "location": "[parameters('location')]",

+ "properties": {

+ "siteConfig": {

+ "appSettings": [

+ {

+ "name": "APPINSIGHTS_INSTRUMENTATIONKEY",

+ "value": "[reference('microsoft.insights/components/web-app-name-01', '2015-05-01').InstrumentationKey]"

+ },

+ {

+ "name": "APPLICATIONINSIGHTS_CONNECTION_STRING",

+ "value": "[reference('microsoft.insights/components/web-app-name-01', '2015-05-01').ConnectionString]"

+ },

+ {

+ "name": "ApplicationInsightsAgent_EXTENSION_VERSION",

+ "value": "~2"

+ },

+ {

+ "name": "XDT_MicrosoftApplicationInsights_Mode",

+ "value": "default"

+ },

+ {

+ "name": "ANCM_ADDITIONAL_ERROR_PAGE_LINK",

+ "value": "[parameters('errorLink')]"

+ ],

+ "phpVersion": "[parameters('phpVersion')]",

+ "alwaysOn": "[parameters('alwaysOn')]"

+ "serverFarmId": "[format('/subscriptions/{0}/resourcegroups/{1}/providers/Microsoft.Web/serverfarms/{2}', parameters('subscriptionId'), parameters('serverFarmResourceGroup'), parameters('hostingPlanName'))]",

+ "clientAffinityEnabled": true

+ },

+ "dependsOn": [

+ "[resourceId('Microsoft.Insights/components', 'web-app-name-01')]"

+ ]

+ },

+ {

+ "type": "Microsoft.Insights/components",

+ "apiVersion": "2020-02-02",

+ "name": "web-app-name-01",

+ "location": "[parameters('location')]",

+ "kind": "web",

+ "properties": {

+ "Application_Type": "web",

+ "Request_Source": "rest"

+ }

+ }

+ ]

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",

+The following sample creates a basic Azure App Service web app with the ASP.NET runtime and a [classic Application Insights resource](../app/create-new-resource.md) with monitoring enabled.

+# [Bicep](#tab/bicep)

+```bicep

+param subscriptionId string

+param name string

+param location string

+param hostingPlanName string

+param serverFarmResourceGroup string

+param alwaysOn bool

+param phpVersion string

+param netFrameworkVersion string

+resource sites 'Microsoft.Web/sites@2021-03-01' = {

+ name: name

+ location: location

+ properties: {

+ siteConfig: {

+ appSettings: [

+ {

+ name: 'APPINSIGHTS_INSTRUMENTATIONKEY'

+ value: reference('microsoft.insights/components/web-app-name-01', '2015-05-01').InstrumentationKey

+ }

+ {

+ name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'

+ value: reference('microsoft.insights/components/web-app-name-01', '2015-05-01').ConnectionString

+ }

+ {

+ name: 'ApplicationInsightsAgent_EXTENSION_VERSION'

+ value: '~2'

+ }

+ {

+ name: 'XDT_MicrosoftApplicationInsights_Mode'

+ value: 'default'

+ }

+ ]

+ phpVersion: phpVersion

+ netFrameworkVersion: netFrameworkVersion

+ alwaysOn: alwaysOn

+ }

+ serverFarmId: '/subscriptions/${subscriptionId}/resourcegroups/${serverFarmResourceGroup}/providers/Microsoft.Web/serverfarms/${hostingPlanName}'

+ clientAffinityEnabled: true

+ }

+ dependsOn: [

+ webApp

+ ]

+}

+resource webApp 'Microsoft.Insights/components@2020-02-02' = {

+ name: 'web-app-name-01'

+ location: location

+ kind: 'web'

+ properties: {

+ Application_Type: 'web'

+ Request_Source: 'rest'

+ }

+}

+```

+# [JSON](#tab/json)

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "subscriptionId": {

+ "type": "string"

+ "name": {

+ "type": "string"

+ },

+ "location": {

+ "type": "string"

+ },

+ "hostingPlanName": {

+ "type": "string"

+ },

+ "serverFarmResourceGroup": {

+ "type": "string"

+ },

+ "alwaysOn": {

+ "type": "bool"

+ },

+ "phpVersion": {

+ "type": "string"

+ },

+ "netFrameworkVersion": {

+ "type": "string"

+ }

+ },

+ "resources": [

+ {

+ "type": "Microsoft.Web/sites",

+ "apiVersion": "2021-03-01",

+ "name": "[parameters('name')]",

+ "location": "[parameters('location')]",

+ "properties": {

+ "siteConfig": {

+ "appSettings": [

+ {

+ "name": "APPINSIGHTS_INSTRUMENTATIONKEY",

+ "value": "[reference('microsoft.insights/components/web-app-name-01', '2015-05-01').InstrumentationKey]"

+ },

+ {

+ "name": "APPLICATIONINSIGHTS_CONNECTION_STRING",

+ "value": "[reference('microsoft.insights/components/web-app-name-01', '2015-05-01').ConnectionString]"

+ },

+ {

+ "name": "ApplicationInsightsAgent_EXTENSION_VERSION",

+ "value": "~2"

+ },

+ {

+ "name": "XDT_MicrosoftApplicationInsights_Mode",

+ "value": "default"

+ ],

+ "phpVersion": "[parameters('phpVersion')]",

+ "netFrameworkVersion": "[parameters('netFrameworkVersion')]",

+ "alwaysOn": "[parameters('alwaysOn')]"

+ "serverFarmId": "[format('/subscriptions/{0}/resourcegroups/{1}/providers/Microsoft.Web/serverfarms/{2}', parameters('subscriptionId'), parameters('serverFarmResourceGroup'), parameters('hostingPlanName'))]",

+ "clientAffinityEnabled": true

+ },

+ "dependsOn": [

+ "[resourceId('Microsoft.Insights/components', 'web-app-name-01')]"

+ ]

+ },

+ {

+ "type": "Microsoft.Insights/components",

+ "apiVersion": "2020-02-02",

+ "name": "web-app-name-01",

+ "location": "[parameters('location')]",

+ "kind": "web",

+ "properties": {

+ "Application_Type": "web",

+ "Request_Source": "rest"

+ }

+ }

+ ]

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",

+The following sample creates a basic Azure App Service Linux web app with the Node.js runtime and a [classic Application Insights resource](../app/create-new-resource.md) with monitoring enabled.

+# [Bicep](#tab/bicep)

+```bicep

+param subscriptionId string

+param name string

+param location string

+param hostingPlanName string

+param serverFarmResourceGroup string

+param alwaysOn bool

+param linuxFxVersion string

+resource site 'Microsoft.Web/sites@2021-03-01' = {

+ name: name

+ location: location

+ properties: {

+ siteConfig: {

+ appSettings: [

+ {

+ name: 'APPINSIGHTS_INSTRUMENTATIONKEY'

+ value: reference('microsoft.insights/components/web-app-name-01', '2015-05-01').InstrumentationKey

+ }

+ {

+ name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'

+ value: reference('microsoft.insights/components/web-app-name-01', '2015-05-01').ConnectionString

+ }

+ {

+ name: 'ApplicationInsightsAgent_EXTENSION_VERSION'

+ value: '~2'

+ }

+ {

+ name: 'XDT_MicrosoftApplicationInsights_Mode'

+ value: 'default'

+ }

+ ]

+ linuxFxVersion: linuxFxVersion

+ alwaysOn: alwaysOn

+ }

+ serverFarmId: '/subscriptions/${subscriptionId}/resourcegroups/${serverFarmResourceGroup}/providers/Microsoft.Web/serverfarms/${hostingPlanName}'

+ clientAffinityEnabled: false

+ }

+ dependsOn: [

+ webApp

+ ]

+}

+resource webApp 'Microsoft.Insights/components@2020-02-02' = {

+ name: 'web-app-name-01'

+ location: location

+ kind: 'web'

+ properties: {

+ Application_Type: 'web'

+ Request_Source: 'rest'

+ }

+}

+```

+# [JSON](#tab/json)

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "subscriptionId": {

+ "type": "string"

+ "name": {

+ "type": "string"

+ },

+ "location": {

+ "type": "string"

+ },

+ "hostingPlanName": {

+ "type": "string"

+ },

+ "serverFarmResourceGroup": {

+ "type": "string"

+ },

+ "alwaysOn": {

+ "type": "bool"

+ },

+ "linuxFxVersion": {

+ "type": "string"

+ }

+ },

+ "resources": [

+ {

+ "type": "Microsoft.Web/sites",

+ "apiVersion": "2021-03-01",

+ "name": "[parameters('name')]",

+ "location": "[parameters('location')]",

+ "properties": {

+ "siteConfig": {

+ "appSettings": [

+ {

+ "name": "APPINSIGHTS_INSTRUMENTATIONKEY",

+ "value": "[reference('microsoft.insights/components/web-app-name-01', '2015-05-01').InstrumentationKey]"

+ },

+ {

+ "name": "APPLICATIONINSIGHTS_CONNECTION_STRING",

+ "value": "[reference('microsoft.insights/components/web-app-name-01', '2015-05-01').ConnectionString]"

+ },

+ {

+ "name": "ApplicationInsightsAgent_EXTENSION_VERSION",

+ "value": "~2"

+ },

+ {

+ "name": "XDT_MicrosoftApplicationInsights_Mode",

+ "value": "default"

+ ],

+ "linuxFxVersion": "[parameters('linuxFxVersion')]",

+ "alwaysOn": "[parameters('alwaysOn')]"

+ "serverFarmId": "[format('/subscriptions/{0}/resourcegroups/{1}/providers/Microsoft.Web/serverfarms/{2}', parameters('subscriptionId'), parameters('serverFarmResourceGroup'), parameters('hostingPlanName'))]",

+ "clientAffinityEnabled": false

+ },

+ "dependsOn": [

+ "[resourceId('Microsoft.Insights/components', 'web-app-name-01')]"

+ ]

+ },

+ {

+ "type": "Microsoft.Insights/components",

+ "apiVersion": "2020-02-02",

+ "name": "web-app-name-01",

+ "location": "[parameters('location')]",

+ "kind": "web",

+ "properties": {

+ "Application_Type": "web",

+ "Request_Source": "rest"

+ }

+ }

+ ]

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",

+|Property | US Government Cloud | China Cloud |

+[Application Insights SDK for Worker Service](https://www.nuget.org/packages/Microsoft.ApplicationInsights.WorkerService) is a new SDK, which is best suited for non-HTTP workloads like messaging, background tasks, console applications etc. These types of applications don't have the notion of an incoming HTTP request like a traditional ASP.NET/ASP.NET Core Web Application, and hence using Application Insights packages for [ASP.NET](asp-net.md) or [ASP.NET Core](asp-net-core.md) applications isn't supported.

+The new SDK doesn't do any telemetry collection by itself. Instead, it brings in other well known Application Insights auto collectors like [DependencyCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.DependencyCollector/), [PerfCounterCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.PerfCounterCollector/), [ApplicationInsightsLoggingProvider](https://www.nuget.org/packages/Microsoft.Extensions.Logging.ApplicationInsights) etc. This SDK exposes extension methods on `IServiceCollection` to enable and configure telemetry collection.

+A valid Application Insights connection string. This string is required to send any telemetry to Application Insights. If you need to create a new Application Insights resource to get a connection string, see [Create an Application Insights resource](./create-new-resource.md).

+1. Configure the connection string in the `APPLICATIONINSIGHTS_CONNECTION_STRING` environment variable or in configuration. (`appsettings.json`)

+Specific instructions for each type of application are described in the following sections.

+6. Set up the connection string.

+> [!NOTE]

+> We recommend that you specify the connection string in configuration. The following code sample shows how to specify a connection string in `appsettings.json`. Make sure `appsettings.json` is copied to the application root folder during publishing.

+ "ConnectionString" : "InstrumentationKey=00000000-0000-0000-0000-000000000000;"

+Alternatively, specify the connection string in the `APPLICATIONINSIGHTS_CONNECTION_STRING` environment variable.

+Typically `APPLICATIONINSIGHTS_CONNECTION_STRING` specifies the connection string for applications deployed to Web Apps as Web Jobs.

+> A connection string specified in code takes precedence over the environment variable `APPLICATIONINSIGHTS_CONNECTION_STRING`, which takes precedence over other options.

+ // connection string is read automatically from appsettings.json

+3. Set up the connection string.

+ // Hence connection string and any changes to default logging level must be specified here.

+ services.AddApplicationInsightsTelemetryWorkerService("connection string here");

+Run your application. The example workers from all of the above makes an http call every second to bing.com, and also emits few logs using `ILogger`. These lines are wrapped inside `StartOperation` call of `TelemetryClient`, which is used to create an operation (in this example `RequestTelemetry` named "operation"). Application Insights will collect these ILogger logs (warning or above by default) and dependencies, and they'll be correlated to the `RequestTelemetry` with parent-child relationship. The correlation also works cross process/network boundary. For example, if the call was made to another monitored component, then it will be correlated to this parent as well.

+This custom operation of `RequestTelemetry` can be thought of as the equivalent of an incoming web request in a typical Web Application. While it isn't necessary to use an Operation, it fits best with the [Application Insights correlation data model](./correlation.md) - with `RequestTelemetry` acting as the parent operation, and every telemetry generated inside the worker iteration being treated as logically belonging to the same operation. This approach also ensures all the telemetry generated (automatic and manual) will have the same `operation_id`. As sampling is based on `operation_id`, sampling algorithm either keeps or drops all of the telemetry from a single iteration.

+### Manually tracking other telemetry

+While the SDK automatically collects telemetry as explained above, in most cases user will need to send other telemetry to Application Insights service. The recommended way to track other telemetry is by obtaining an instance of `TelemetryClient` from Dependency Injection, and then calling one of the supported `TrackXXX()` [API](api-custom-events-metrics.md) methods on it. Another typical use case is [custom tracking of operations](custom-operations-tracking.md). This approach is demonstrated in the Worker examples above.

+The `ApplicationInsightsServiceOptions` in this SDK is in the namespace `Microsoft.ApplicationInsights.WorkerService` as opposed to `Microsoft.ApplicationInsights.AspNetCore.Extensions` in the ASP.NET Core SDK.

+|EnableDiagnosticsTelemetryModule | Enable/Disable `DiagnosticsTelemetryModule`. Disabling this setting will cause the following settings to be ignored; `EnableHeartbeat`, `EnableAzureInstanceMetadataTelemetryModule`, `EnableAppServicesHeartbeatTelemetryModule` | true

+To configure other sampling settings, the following example can be used.

+Telemetry initializers are present by default. To remove all or specific telemetry initializers, use the following sample code *after* calling `AddApplicationInsightsTelemetryWorkerService()`.

+* `AppServicesHeartbeatTelemetryModule` - (There's currently an issue involving this telemetry module. For a temporary workaround, see [GitHub Issue 1689](https://github.com/microsoft/ApplicationInsights-dotnet/issues/1689

+### Are all features supported if I run my application in Linux?

+* Performance counters are supported only in Windows except for Process CPU/Memory shown in Live Metrics.

+Use this sample if you're using a Console Application written in either .NET Core (2.0 or higher) or .NET Framework (4.7.2 or higher)

+- to [Azure Monitor Logs](../logs/data-platform-logs.md) for more complex querying and alerting, and longer retention (up to two years)

+Activity log events are retained in Azure for **90 days** and then deleted. There's no charge for entries during this time regardless of volume. For more functionality such as longer retention, you should create a diagnostic setting and route the entires to another location based on your needs. See the criteria in the earlier section of this article.

+If there are any associated changes with the event, you'll see a list of changes that you can select. This opens up the **Change history (Preview)** page. On this page, you see the changes to the resource. In the following example, you can see not only that the VM changed sizes, but what the previous VM size was before the change and what it was changed to. To learn more about change history, see [Get resource changes](../../governance/resource-graph/how-to/get-resource-changes.md).

+Send the Activity Log to an Azure Storage Account if you want to retain your log data longer than 90 days for audit, static analysis, or backup. If you only must retain your events for 90 days or less you don't need to set up archival to a Storage Account, since Activity Log events are retained in the Azure platform for 90 days.

+Following is a sample PowerShell script to create a log profile that writes the Activity Log to both a Storage Account and an Event Hub.

+The columns in the following table have been deprecated in the updated schema. They still exist in *AzureActivity* but they have no data. The replacements for these columns aren't new, but they contain the same data as the deprecated column. They are in a different format, so you might need to modify log queries that use them.

+## Activity log insights (Preview)

+Before using Activity log insights, you'll have to [enable sending logs to your Log Analytics workspace](./diagnostic-settings.md).

+### How does Activity log insights work?

+Activity logs you send to a [Log Analytics workspace](/articles/azure-monitor/logs/log-analytics-workspace-overview.md) are stored in a table called AzureActivity.

+Activity log insights are a curated [Log Analytics workbook](/articles/azure-monitor/visualize/workbooks-overview.md) with dashboards that visualize the data in the AzureActivity table. For example, which administrators deleted, updated or created resources, and whether the activities failed or succeeded.

+### View Activity log insights - Resource group / Subscription level

+To view Activity log insights on a resource group or a subscription level:

+1. In the Azure portal, select **Monitor** > **Workbooks**.

+1. Select **Activity Logs Insights** in the **Insights** section.

+ :::image type="content" source="media/activity-log/open-activity-log-insights-workbook.png" lightbox= "media/activity-log/open-activity-log-insights-workbook.png" alt-text="A screenshot showing how to locate and open the Activity logs insights workbook on a scale level.":::

+1. At the top of the **Activity Logs Insights** page, select:

+ 1. One or more subscriptions from the **Subscriptions** dropdown.

+ 1. Resources and resource groups from the **CurrentResource** dropdown.

+ 1. A time range for which to view data from the **TimeRange** dropdown.

+### View Activity log insights on any Azure resource

+>[!Note]

+> * Currently Applications Insights resources are not supported for this workbook.

+To view Activity log insights on a resource level:

+1. In the Azure portal, go to your resource, select **Workbooks**.

+1. Select **Activity Logs Insights** in the **Activity Logs Insights** section.

+ :::image type="content" source="media/activity-log/activity-log-resource-level.png" lightbox= "media/activity-log/activity-log-resource-level.png" alt-text="A screenshot showing how to locate and open the Activity logs insights workbook on a resource level.":::

+1. At the top of the **Activity Logs Insights** page, select:

+

+ 1. A time range for which to view data from the **TimeRange** dropdown.

+ * **Azure Activity Log Entries** shows the count of Activity log records in each [activity log category](/articles/azure-monitor/essentials/activity-log-schema#categories).

+

+ :::image type="content" source="media/activity-log/activity-logs-insights-category-value.png" lightbox= "media/activity-log/activity-logs-insights-category-value.png" alt-text="Screenshot of Azure Activity Logs by Category Value":::

+

+ * **Activity Logs by Status** shows the count of Activity log records in each status.

+

+ :::image type="content" source="media/activity-log/activity-logs-insights-status.png" lightbox= "media/activity-log/activity-logs-insights-status.png" alt-text="Screenshot of Azure Activity Logs by Status":::

+

+ * At the subscription and resource group level, **Activity Logs by Resource** and **Activity Logs by Resource Provider** show the count of Activity log records for each resource and resource provider.

+

+ :::image type="content" source="media/activity-log/activity-logs-insights-resource.png" lightbox= "media/activity-log/activity-logs-insights-resource.png" alt-text="Screenshot of Azure Activity Logs by Resource":::

+

+Operations on the cluster level require Microsoft.OperationalInsights/clusters/write action permission. Linking workspaces to a cluster requires both Microsoft.OperationalInsights/clusters/write and Microsoft.OperationalInsights/workspaces/write actions. Permission could be granted by the Owner or Contributor that have `*/write` action, or by the Log Analytics Contributor role that have `Microsoft.OperationalInsights/*` action. For more information on Log Analytics permissions, see [Manage access to log data and workspaces in Azure Monitor](./manage-access.md).

+The video below uses an earlier version of the diagram above, but its explanations are still relevant.

+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qXeL]

+## dateTimeFromEpoch

+`dateTimeFromEpoch(epochTime)`

+Converts an epoch time integer value to an ISO 8601 datetime.

+Namespace: [sys](bicep-functions.md#namespaces-for-functions).

+### Parameters

+| Parameter | Required | Type | Description |

+|: |: |: |: |

+| epochTime | Yes | int | The epoch time to convert to a datetime string. |

+### Return value

+An ISO 8601 datetime string.

+### Remarks

+This function requires **Bicep version 0.5.6 or later**.

+### Example

+The following example shows output values for the epoch time functions.

+```bicep

+param convertedEpoch int = dateTimeToEpoch(dateTimeAdd(utcNow(), 'P1Y'))

+var convertedDatetime = dateTimeFromEpoch(convertedEpoch)

+output epochValue int = convertedEpoch

+output datetimeValue string = convertedDatetime

+```

+The output is:

+| Name | Type | Value |

+| - | - | -- |

+| datetimeValue | String | 2023-05-02T15:16:13Z |

+| epochValue | Int | 1683040573 |

+## dateTimeToEpoch

+`dateTimeToEpoch(dateTime)`

+Converts an ISO 8601 datetime string to an epoch time integer value.

+Namespace: [sys](bicep-functions.md#namespaces-for-functions).

+### Parameters

+| Parameter | Required | Type | Description |

+|: |: |: |: |

+| dateTime | Yes | string | The datetime string to convert to an epoch time. |

+### Return value

+An integer that represents the number of seconds from midnight on January 1, 1970.

+### Remarks

+This function requires **Bicep version 0.5.6 or later**.

+### Examples

+The following example shows output values for the epoch time functions.

+```bicep

+param convertedEpoch int = dateTimeToEpoch(dateTimeAdd(utcNow(), 'P1Y'))

+var convertedDatetime = dateTimeFromEpoch(convertedEpoch)

+output epochValue int = convertedEpoch

+output datetimeValue string = convertedDatetime

+```

+The output is:

+| Name | Type | Value |

+| - | - | -- |

+| datetimeValue | String | 2023-05-02T15:16:13Z |

+| epochValue | Int | 1683040573 |

+The next example uses the epoch time value to set the expiration for a key in a key vault.

+* [dateTimeFromEpoch](./bicep-functions-date.md#datetimefromepoch)

+* [dateTimeToEpoch](./bicep-functions-date.md#datetimetoepoch)

+> | publicipaddresses | Yes | Yes | Yes<br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move public IP address configurations (IP addresses are not retained). |

+ Title: Back up Azure VMs with Enhanced policy

+# Back up an Azure VM using Enhanced policy

+This article explains how to use _Enhanced policy_ to configure _Multiple Backups Per Day_ and back up [Trusted Launch VMs](../virtual-machines/trusted-launch.md) with Azure Backup service.

+<a name="tvm-backup">Trusted Launch VM</a> | Backup supported. <br><br> Backup of Trusted Launch VM is supported through [Enhanced policy](backup-azure-vms-enhanced-policy.md). You can enable backup through [Recovery Services vault](./backup-azure-arm-vms-prepare.md), [VM Manage blade](./backup-during-vm-creation.md#start-a-backup-after-creating-the-vm), and [Create VM blade](backup-during-vm-creation.md#create-a-vm-with-backup-configured). <br><br> **Feature details** <br> <ul><li> Backup is supported in all regions where Trusted Launch VM is available. </li><li> Configurations of Backup, Alerts, and Monitoring for Trusted Launch VM are currently not supported through Backup center. </li><li> Migration of an existing [Generation 2](../virtual-machines/generation-2.md) VM (protected with Azure Backup) to Trusted Launch VM is currently not supported. Learn about how to [create a Trusted Launch VM](../virtual-machines/trusted-launch-portal.md?tabs=portal#deploy-a-trusted-vm). </li></ul>

+ Title: Regional availability of Chaos Studio

+description: Understand how Azure Chaos Studio makes chaos experiments and chaos targets available in Azure regions.

+# Regional availability of Azure Chaos Studio

+This article describes the regional availability model for Azure Chaos Studio, specifically the difference between a region where experiments can be deployed and one where resources can be targeted. It also provides an overview of Chaos Studio's high availability model.

+Chaos Studio is a regional Azure service, which means that the service is deployed and run within an Azure region. However, Chaos Studio has two regional components - the region where an experiment is deployed and the region where a resource is targeted. A chaos experiment can target a resource in a different region than the experiment (cross-region targeting), but in order to enable chaos experimentation on targets in more regions, Chaos Studio's set of regions in which you can do **resource targeting** is a superset of the regions in which you can create and manage **experiments**. You can [view the list of regions where Chaos Studio and resource targeting are available here](https://azure.microsoft.com/global-infrastructure/services/?products=chaos-studio).

+## Regional availability of chaos experiments

+A [chaos experiment](chaos-studio-chaos-experiments.md) is an Azure resource that describes the faults that should be run and the resources those faults should be run against. An experiment is deployed to a single region and the following information and operations stay within that region:

+* The experiment definition, which includes the hierarchy of steps, branches, and actions, the faults and parameters defined, and the resource IDs of target resources. Open-ended properties in the experiment resource JSON including the step name, branch name, and any fault parameters are stored in region and treated as system metadata.

+* The experiment execution each time an experiment is run, or the activity that orchestrates the execution of steps, branches, and actions.

+* The experiment history, which includes details such as the step, branch, and action timestamps, status, IDs, and any error messages for each historical experiment run. This data is treated as system metadata.

+Any experiment data stored in Chaos Studio is deleted when an experiment is deleted.

+## Regional availability of chaos targets (resource targeting)

+A [chaos target](chaos-studio-targets-capabilities.md) enables Chaos Studio to interact with an Azure resource. Faults in a chaos experiment run against a chaos target, but the target resource can be in a different region than the experiment. A resource can only be onboarded as a chaos target if Chaos Studio resource targeting is available in that region. The list of regions where resource targeting is available is a superset of the regions where experiments can be created. A chaos target is deployed to the same region as the target resource and the following information and operations stay in that region:

+* The target definition, which includes basic metadata about the target. Agent-based targets have one user-configurable property: the [identity that will be used to connect the agent to the chaos agent service](chaos-studio-permissions-security.md#agent-authentication).

+* The capability definitions, which include basic metadata about the capabilities enabled on a target.

+* The action execution. When an experiment runs a fault, the fault itself (for example, shutting down a VM) happens within the target region.

+Any target or capability metadata is deleted when a target is deleted.

+## High availability with Chaos Studio

+Chaos Studio is a regional, zone-redundant service (in regions that support availability zones). In the case of an availability zone outage, any chaos operation may fail, but experiment metadata, history, and details should remain available and the service should not see a full outage.

+## Next steps

+Now that you understand the region availability model for Chaos Studio, you are ready to:

+- [Review the availability of Chaos Studio per region](https://azure.microsoft.com/global-infrastructure/services/?products=chaos-studio)

+- [Create and run your first experiment](chaos-studio-tutorial-service-direct-portal.md)

+For captioning of a prerecording, send file input to the Speech service. For more information, see [How to use compressed input audio](how-to-use-codec-compressed-audio-input-streams.md).

+* [Get speech recognition results](get-speech-recognition-results.md)

+In this article, you'll learn how to create shared access signature (SAS) tokens using the Azure Storage Explorer or the Azure portal. A SAS token provides secure, delegated access to resources in your Azure storage account.

+ * Specify the signed key **Start** and **Expiry** date and time. A short lifespan is recommended because, once generated, a SAS can't be revoked.

+1. To construct a SAS URL, append the SAS token (URI) to the URL for a storage service.

+ * Specify the signed key **Start** and **Expiry** date and time. A short lifespan is recommended because, once generated, a SAS can't be revoked.

+1. To construct a SAS URL, append the SAS token (URI) to the URL for a storage service.

+1. To construct a SAS URL, append the SAS token (URI) to the URL for a storage service.

+1. In the [Azure portal](https://portal.azure.com), open your workflow in the designer.

+## Limitations

+- Currently, only stateful workflows in a **Logic App (Standard)** resource can use both the managed connector operations and built-in operations. Stateless workflows can use only built-in operations.

+- The Azure Cosmos DB connector supports only Azure Cosmos DB accounts created with the [Core (SQL) API](../cosmos-db/choose-api.md#coresql-api).

+* Latest [!INCLUDE [cosmos-db-visual-studio](../includes/cosmos-db-visual-studio.md)]

+Now let's switch to working with code. Let's clone a Cassandra API app from GitHub, set the connection string, and run it. You'll see how easily you can work with data programmatically.

+In this quickstart, you've learned how to create an Azure Cosmos DB account, create a container using the Data Explorer, and run a web app. You can now import other data to your Cosmos DB account.

+* Latest [!INCLUDE [cosmos-db-visual-studio](../includes/cosmos-db-visual-studio.md)]

+Now let's switch to working with code. Let's clone a Cassandra API app from GitHub, set the connection string, and run it. You'll see how easily you can work with data programmatically.

+In this quickstart, you've learned how to create an Azure Cosmos DB account, create a container using the Data Explorer, and run a web app. You can now import other data to your Cosmos DB account.

+2. Construct `GremlinVertex` and `GremlinEdge` objects from the obtained records and add them into an `IEnumerable` data structure. In this part of the application the logic to detect and add relationships should be implemented, in case the data source isn't a graph database.

+For more information about the parameters of the bulk executor library, see [BulkImportData to Azure Cosmos DB article](../bulk-executor-dot-net.md#bulk-import-data-to-an-azure-cosmos-account).

+The payload needs to be instantiated into `GremlinVertex` and `GremlinEdge` objects. Here's how these objects can be created:

+* Latest [!INCLUDE [cosmos-db-visual-studio](../includes/cosmos-db-visual-studio.md)]

+`EndPointUrl`|This is **your .NET SDK endpoint** found in the Overview page of your Azure Cosmos DB Gremlin API database account. This has the format of `https://your-graph-database-account.documents.azure.com:443/`

+`DatabaseName`, `CollectionName`|These are the **target database and collection names**. When `ShouldCleanupOnStart` is set to `true` these values, along with `CollectionThroughput`, will be used to drop them and create a new database and collection. Similarly, if `ShouldCleanupOnFinish` is set to `true`, they'll be used to delete the database as soon as the ingestion is over. The target collection must be **an unlimited collection**.

+1. Add your specific database configuration parameters in `App.config`. This will be used to create a DocumentClient instance. If the database and container haven't been created yet, they'll be created automatically.

+2. Run the application. This will call `BulkImportAsync` two times, one to import Vertices and one to import Edges. If any of the objects generates an error when they're inserted, they'll be added to either `.\BadVertices.txt` or `.\BadEdges.txt`.

+Latest [!INCLUDE [cosmos-db-visual-studio](../includes/cosmos-db-visual-studio.md)]

+Now let's clone a Gremlin API app from GitHub, set the connection string, and run it. You'll see how easy it's to work with data programmatically.

+5. Restore the NuGet packages in the project. This should include the Gremlin.Net driver, and the Newtonsoft.Json package.

+6. You can also install the Gremlin.Net@v3.4.6 driver manually using the NuGet package manager, or the [NuGet command-line utility](/nuget/install-nuget-client-tools):

+1. After you've copied the URI and PRIMARY KEY of your account, save them to a new environment variable on the local machine running the application. To set the environment variable, open a command prompt window, and run the following command. Make sure to replace <Your_Azure_Cosmos_account_URI> and <Your_Azure_Cosmos_account_PRIMARY_KEY> values.

+Select CTRL + F5 to run the application. The application will print both the Gremlin query commands and results in the console.

+1. In Data Explorer, the new database appears in the Graphs pane. Expand the database and container nodes, and then select **Graph**.

+2. Select the **Apply Filter** button to use the default query to view all the vertices in the graph. The data generated by the sample app is displayed in the Graphs pane.

+ You can zoom in and out of the graph, you can expand the graph display space, add extra vertices, and move vertices on the display surface.

+* Latest [!INCLUDE [cosmos-db-visual-studio](../includes/cosmos-db-visual-studio.md)]

+[Download](https://www.mongodb.com/try/download/database-tools) [mongoimport](https://docs.mongodb.com/database-tools/mongoimport/#mongodb-binary-bin.mongoimport), a CLI tool that easily imports small amounts of JSON, CSV, or TSV data. We'll use mongoimport to load the sample product data provided in the `Data` folder of this project.

+If you prefer the CLI, run the following command in a command window to start the sample app. This command will also install project dependencies and build the project, but won't automatically launch the browser.

+In this quickstart, you've learned how to create an API for MongoDB account, create a database and a collection with code, and run a web API app. You can now import other data to your database.

+* [Create](create-mongodb-dotnet.md#create-a-database-account) a Cosmos account configured to use Azure Cosmos DB's API for MongoDB.

+This tutorial provides instructions on using the bulk executor .NET library to import and update documents to an Azure Cosmos container. To learn about the bulk executor library and how it helps you use massive throughput and storage, see the [bulk executor library overview](../bulk-executor-overview.md) article. In this tutorial, you'll see a sample .NET application that bulk imports randomly generated documents into an Azure Cosmos container. After importing the data, the library shows you how you can bulk update the imported data by specifying patches as operations to perform on specific document fields.

+* Latest [!INCLUDE [cosmos-db-visual-studio](../includes/cosmos-db-visual-studio.md)]

+* Create an Azure Cosmos DB SQL API account by using the steps described in the [create a database account](create-sql-api-dotnet.md#create-account) section of the .NET quickstart article.

+The "BulkImportSample" application generates random documents and bulk imports them to your Azure Cosmos account. The "BulkUpdateSample" application bulk updates the imported documents by specifying patches as operations to perform on specific document fields. In the next sections, you'll review the code in each of these sample apps.

+4. The BulkExecutor object is initialized with a high retry value for wait time and throttled requests. And then they're set to 0 to pass congestion control to BulkExecutor for its lifetime.

+ |enableUpsert | A flag to enable upsert operations on the documents. If a document with the given ID already exists, it's updated. By default, it's set to false. |

+ |disableAutomaticIdGeneration | A flag to disable automatic generation of ID. By default, it's set to true. |

+ |BadInputDocuments (List\<object>) | The list of bad-format documents that weren't successfully imported in the bulk import API call. Fix the documents returned and retry import. Bad-formatted documents include documents whose ID value isn't a string (null or any other datatype is considered invalid). |

+You can update existing documents by using the BulkUpdateAsync API. In this example, you'll set the `Name` field to a new value and remove the `Description` field from the existing documents. For the full set of supported update operations, refer to the [API documentation](/dotnet/api/microsoft.azure.cosmosdb.bulkexecutor.bulkupdate).

+2. Define the update items along with the corresponding field update operations. In this example, you'll use `SetUpdateOperation` to update the `Name` field and `UnsetUpdateOperation` to remove the `Description` field from all the documents. You can also perform other operations like increment a document field by a specific value, push specific values into an array field, or remove a specific value from an array field. To learn about different methods provided by the bulk update API, refer to the [API documentation](/dotnet/api/microsoft.azure.cosmosdb.bulkexecutor.bulkupdate).

+* It's recommended that you instantiate a single `BulkExecutor` object for the whole application within a single virtual machine that corresponds to a specific Azure Cosmos container.

+* A single bulk operation API execution consumes a large chunk of the client machine's CPU and network IO (This happens by spawning multiple tasks internally). Avoid spawning multiple concurrent tasks within your application process that execute bulk operation API calls. If a single bulk operation API call that is running on a single virtual machine is unable to consume the entire container's throughput (if your container's throughput > 1 million RU/s), it's preferred to create separate virtual machines to concurrently execute the bulk operation API calls.

+* Latest [!INCLUDE [cosmos-db-visual-studio](../includes/cosmos-db-visual-studio.md)]

+* **ConnectionMode** - Use direct connection mode to connect to the data nodes in the Azure Cosmos DB service. Use gateway mode only to initialize and cache the logical addresses and refresh on updates. For more information, see [connectivity modes](sql-sdk-connection-modes.md).

+* **ApplicationRegion** - This option is used to set the preferred geo-replicated region that is used to interact with Azure Cosmos DB. For more information, see [global distribution](../distribute-data-globally.md).

+* **ConsistencyLevel** - This option is used to override default consistency level. For more information, see [consistency levels](../consistency-levels.md).

+* **BulkExecutionMode** - This option is used to execute bulk operations by setting the *AllowBulkExecution* property to true. For more information, see [bulk import](tutorial-sql-api-dotnet-bulk-import.md).

+### Create the container

+To store the data into Amazon DynamoDB, you need to create the table first. In the table creation process; you define the schema, key type, and attributes as shown in the following code:

+In Azure Cosmos DB, you can opt for stream and write with `moviesContainer.CreateItemStreamAsync()`. However, in this sample, the JSON will be deserialized into the *MovieModel* type to demonstrate type-casting feature. The code is multi-threaded, which will use Azure Cosmos DB's distributed architecture and speed up the loading:

+However, with Azure Cosmos DB the query is natural (LINQ):

+Cross-Origin Resource Sharing (CORS) is an HTTP feature that enables a web application running under one domain to access resources in another domain. Web browsers implement a security restriction known as same-origin policy that prevents a web page from calling APIs in a different domain. However, CORS provides a secure way to allow the origin domain to call APIs in another domain. The Core (SQL) API in Azure Cosmos DB now supports Cross-Origin Resource Sharing (CORS) by using the ΓÇ£allowedOriginsΓÇ¥ header. After you enable the CORS support for your Azure Cosmos account, only authenticated requests are evaluated to determine whether they're allowed according to the rules you've specified.

+You can configure the Cross-origin resource sharing (CORS) setting from the Azure portal or from an Azure Resource Manager template. For Cosmos accounts using the Core (SQL) API, Azure Cosmos DB supports a JavaScript library that works in both Node.js and browser-based environments. This library can now take advantage of CORS support when using Gateway mode. There's no client-side configuration needed to use this feature. With CORS support, resources from a browser can directly access Azure Cosmos DB through the [JavaScript library](https://www.npmjs.com/package/@azure/cosmos) or directly from the [REST API](/rest/api/cosmos-db/) for simple operations.

+Follow these steps to enable Cross-Origin Resource Sharing by using Azure portal:

+1. Navigate to your Azure Cosmos DB account. Open the **CORS** page.

+To enable CORS by using a Resource Manager template, add the ΓÇ£corsΓÇ¥ section with ΓÇ£allowedOriginsΓÇ¥ property to any existing template. This JSON is an example of a template that creates a new Azure Cosmos account with CORS enabled.

+ "allowedOrigins": "https://contoso.com"

+Today, the Azure Cosmos DB JavaScript library only has the CommonJS version of the library shipped with its package. To use this library from the browser, you have to use a tool such as Rollup or Webpack to create a browser compatible library. Certain Node.js libraries should have browser mocks for them. This is an example of a webpack config file that has the necessary mock settings.

+Here's a [code sample](https://github.com/christopheranderson/cosmos-browser-sample) that uses TypeScript and Webpack with the Azure Cosmos DB JavaScript SDK library. The sample builds a Todo app that sends real time updates when new items are created.

+As a best practice, don't use the primary key to communicate with Azure Cosmos DB from the browser. Instead, use resource tokens to communicate. For more information about resource tokens, see [Securing access to Azure Cosmos DB](../secure-access-to-data.md#resource-tokens) article.

+1. You can create multiple Azure Functions by adding Azure Functions triggers for Cosmos DB to each - all of which listen to the same change feed of shopping cart data. When multiple functions listen to the same change feed, a new lease collection is required for each function. For more information about lease collections, see [Understanding the Change Feed Processor library](change-feed-processor.md).

+Native integration between Azure Cosmos DB and Azure Functions is available in the Azure portal and in Visual Studio.

+* In Visual Studio, you can create the trigger using the [Azure Functions Tools](../../azure-functions/functions-develop-vs.md):

+* **Instant access to all your data**: You have granular access to every value stored because Azure Cosmos DB [automatically indexes](../index-policy.md) all data by default, and makes those indexes immediately available. This means you're able to constantly query, update, and add new items to your database and have instant access via Azure Functions.

+* **Schemaless**. Azure Cosmos DB is schemaless - so it's uniquely able to handle any data output from an Azure Function. This "handle anything" approach makes it straightforward to create various Functions that all output to Azure Cosmos DB.

+* **Event-driven**. Azure Functions is event-driven and can listen to a change feed from Azure Cosmos DB. This means you don't need to create listening logic, you just keep an eye out for the changes you're listening for.

+## Prerequisites

+* Latest [!INCLUDE [cosmos-db-visual-studio](../includes/cosmos-db-visual-studio.md)]

+## Step 1: Create an Azure Cosmos account

+Let's start by creating an Azure Cosmos account. If you already have an Azure Cosmos DB SQL API account or if you're using the Azure Cosmos DB Emulator, skip to [Step 2: Create a new ASP.NET MVC application](#step-2-create-a-new-aspnet-core-mvc-application).

+## Step 2: Create a new ASP.NET Core MVC application

+## Step 3: Add Azure Cosmos DB NuGet package to the project

+## Step 4: Set up the ASP.NET Core MVC application

+### Add a model

+### Add views

+* A view to get an item detail

+#### Create item view

+#### Delete item view

+#### Add a view to get item details

+#### Add an edit item view

+#### Add a view to list all the items

+### Declare and initialize services

+### Add a controller

+## Step 5: Run the application locally

+## Step 6: Deploy the application

+Latest [!INCLUDE [cosmos-db-visual-studio](../includes/cosmos-db-visual-studio.md)]

+- Latest [!INCLUDE [cosmos-db-visual-studio](../includes/cosmos-db-visual-studio.md)]

+An active Azure account. If you don't have one, you can sign up for a [free account](https://azure.microsoft.com/free/).

+Latest [!INCLUDE [cosmos-db-visual-studio](../includes/cosmos-db-visual-studio.md)]

+>

+>

+>

+>

+## Prerequisites

+* An active Azure account. If you don't have one, you can sign up for a [Free Azure Trial](https://azure.microsoft.com/pricing/free-trial/).

+Let's create an Azure Cosmos DB account. If you already have an account you want to use, you can skip ahead to [Set up your Node.js application](#set-up-your-nodejs-application). If you're using the Azure Cosmos DB Emulator, follow the steps at [Azure Cosmos DB Emulator](../local-emulator.md) to set up the emulator and skip ahead to [Set up your Node.js application](#set-up-your-nodejs-application).

+## Set up your Node.js application

+Before you start writing code to build the application, you can build the scaffolding for your app. Open your favorite terminal and locate the folder or directory where you'd like to save your Node.js application. Create placeholder JavaScript files with the following commands for your Node.js application:

+### [Windows](#tab/windows)

+```powershell

+fsutil file createnew app.js 0

+fsutil file createnew config.js 0

+md data

+fsutil file createnew data\databaseContext.js 0

+```

+### [Linux / macOS](#tab/linux+macos)

+```bash

+touch app.js

+touch config.js

+mkdir data

+touch data/databaseContext.js

+```

+1. Create and initialize a `package.json` file. Use the following command:

+ ```bash

+ npm init -y

+ ```

+1. Install the ``@azure/cosmos`` module via **npm**. Use the following command:

+ ```bash

+ npm install @azure/cosmos --save

+ ```

+## Set your app's configurations

+1. Copy and paste the following code snippet into the *config.js* file and set the properties `endpoint` and `key` to your Azure Cosmos DB endpoint URI and primary key. The database, container names are set to **Tasks** and **Items**. The partition key you'll use for this application is **/category**.

+ A database is the logical container of items partitioned across containers. You create a database by using either the `createIfNotExists` or create function of the **Databases** class. A container consists of items, which, in the SQL API, are actually JSON documents. You create a container by using either the `createIfNotExists` or create function from the **Containers** class. After creating a container, you can store and query the data.

+1. Copy and paste the code below to import the `@azure/cosmos` module, the configuration, and the databaseContext that you defined in the previous steps.

+## Create an asynchronous function

+In the *app.js* file, copy and paste the following code to create an asynchronous function named **main** and immediately execute the function.

+Within the **main** method, copy and paste the following code to use the previously saved endpoint and key to create a new CosmosClient object.

+>

+>

+Now that you have the code to initialize the Azure Cosmos DB client, add a try/catch block that you'll use for your code performing point operations.

+Let's take a look at how to work with Azure Cosmos DB resources.

+## Query items

+Azure Cosmos DB supports rich queries against JSON items stored in each container. The following sample code shows a query that you can run against the items in your container. You can query the items by using the query function of the `Items` class.

+Add the following code to the **try** block to query the items from your Azure Cosmos account:

+## Create an item

+1. In the *app.js* file, outside of the **main** method, define the item definition:

+1. Back within the **try** block of the **main** method, add the following code to create the previously defined item:

+## Update an item

+Azure Cosmos DB supports replacing the contents of items. Copy and paste the following code to **try** block. This code gets an item from the container and updates the *isComplete* field to true.

+## Delete an item

+Azure Cosmos DB supports deleting JSON items. The following code shows how to get an item by its ID and delete it. Copy and paste the following code to the **try** block:

+## Run your Node.js application

+```bash

+```bash

+## Get the complete Node.js tutorial solution

+To run the getting started solution that contains all the code in this article, you'll need:

+* ```npm install```

+Next, in the ```config.js``` file, update the config.endpoint and config.key values as described in [Step 3: Set your app's configurations](#set-your-apps-configurations).

+* If all you know is the number of vcores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](../convert-vcore-to-request-unit.md)

+[create-account]: create-sql-api-dotnet.md#create-account

+Returns a string expression after converting uppercase character data to lowercase.

+> [!NOTE]

+> This function uses culture-independent (invariant) casing rules when returning the converted string expression.

+The LOWER system function doesn't utilize the index. If you plan to do frequent case insensitive comparisons, the LOWER system function may consume a significant number of RUs. If so, instead of using the LOWER system function to normalize data each time for comparisons, you can normalize the casing upon insertion. Then a query such as SELECT * FROM c WHERE LOWER(c.name) = 'username' simply becomes SELECT * FROM c WHERE c.name = 'username'.

+Returns a string expression.

+The following example shows how to use `LOWER` in a query.

+ Here's the result set.

+[{"lower": "abc"}]

+This system function won't [use indexes](../index-overview.md#index-usage).

+Returns a string expression after converting lowercase character data to uppercase.

+> [!NOTE]

+> This function uses culture-independent (invariant) casing rules when returning the converted string expression.

+The UPPER system function doesn't utilize the index. If you plan to do frequent case insensitive comparisons, the UPPER system function may consume a significant number of RUs. If so, instead of using the UPPER system function to normalize data each time for comparisons, you can normalize the casing upon insertion. Then a query such as SELECT * FROM c WHERE UPPER(c.name) = 'USERNAME' simply becomes SELECT * FROM c WHERE c.name = 'USERNAME'.

+Returns a string expression.

+The following example shows how to use `UPPER` in a query

+Here's the result set.

+[{"upper": "ABC"}]

+This system function won't [use indexes](../index-overview.md#index-usage).

+1. Sign in to the Azure [EA portal](https://ea.azure.com/) as an Enterprise Administrator.

+Data transformation expressions in Azure Data Factory and Azure Synapse Analytics allow you to transform expressions in many ways, and are a powerful tool enabling you to customize the behavior of your pipelines in almost every setting and property - anywhere you find a text field that shows the **Add dynamic content** or **Open expression builder** links within your pipeline.

+ private static String clientId = "FILL-IN-HERE";

+ Title: Reset the password on VMs for your Azure Stack Edge Pro GPU device via the Azure portal

+description: Describes how to reset the password on virtual machines (VMs) on an Azure Stack Edge Pro GPU device via the Azure portal.

+#Customer intent: As an IT admin, I need to understand how reset or change the password on virtual machines (VMs) on my Azure Stack Edge Pro GPU device via the Azure portal.

+# Reset VM password for your Azure Stack Edge Pro GPU device via the Azure portal

+This article covers steps to reset the password on both Windows and Linux VMs using the Azure portal. To reset a password using PowerShell and local Azure Resource Manager templates, see [Install the VM password reset extension](azure-stack-edge-gpu-deploy-virtual-machine-install-password-reset-extension.md).

+## Reset Windows VM password

+Use the following steps to reset the VM password for your Azure Stack Edge Pro GPU device:

+1. In the Azure portal, go to the Azure Stack Edge resource for your device, then go to **Edge services** > **Virtual machines**.

+ 

+1. From the Azure portal VM list view, select the VM name with the password you would like to reset.

+ 

+1. Select **Reset password**.

+ 

+1. Specify the username and the new password. Confirm the new password, and then select **Save**.

+ For more information about Windows VM password requirements, see [Password requirements for a Windows VM](/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm-).

+ 

+1. While the operation is in progress, you can view the notification that shows the status of the operation. Select **Refresh** to update status of the operation.

+ 

+1. When the operation is complete, you can see that the *windowsVMAccessExt* extension is installed for the VM.

+ 

+1. Connect to the VM with the new password.

+## Reset Linux VM password

+Use the following steps to reset the VM password for your Azure Stack Edge Pro GPU device:

+1. In the Azure portal, go to the Azure Stack Edge resource for your device, then go to **Edge services** > **Virtual machines**.

+ 

+1. From the Azure portal VM list view, select the VM name with the password you would like to reset.

+ 

+1. Select **Reset password**.

+ 

+1. Specify the username and the new password. Confirm the new password, and then select **Save**.

+ For more information about Linux VM password requirements, see [Password requirements for a Linux VM](/azure/virtual-machines/linux/faq#what-are-the-password-requirements-when-creating-a-vm-).

+ 

+1. While the operation is in progress, you can view the notification that shows the status of the operation. Select **Refresh** to update status of the operation.

+ 

+1. When the operation is complete, you can see that the *linuxVMAccessExt* extension is installed for the VM.

+ 

+1. Connect to the VM with the new password.

+## Next steps

+ - Learn about [Deploy VMs on your Azure Stack Edge Pro GPU device via the Azure portal](azure-stack-edge-gpu-deploy-virtual-machine-portal.md).

+ - Learn about [Install the password reset extension on VMs for your Azure Stack Edge Pro GPU device](azure-stack-edge-gpu-deploy-virtual-machine-install-password-reset-extension.md).

+Depending on your environment and the type of applications you're running, you can deploy one of the following edge computing workloads on these devices:

+You need to be aware of VM sizes if you're planning to deploy VMs. There are multiple sizes available for the VMs that you can use to run apps and workloads on your device. The size that you choose then determines factors such as processing power, memory, and storage capacity. For more information, see [Supported VM sizes](azure-stack-edge-gpu-virtual-machine-sizes.md#supported-vm-sizes).

+To figure out the size and the number of VMs that you can deploy on your device, factor in the usable compute on your device and other workloads that you're running. If running Kubernetes, consider the compute requirements for the Kubernetes master and worker VMs as well.

+The following extensions are available for the VMs on your device.

+|Extension|Description|Learn more|

+||||

+|Custom script extensions|Use custom script extensions to configure workloads.|[Deploy Custom Script Extension on VMs running on your device](azure-stack-edge-gpu-deploy-virtual-machine-custom-script-extension.md)|

+|GPU extensions |Use GPU extensions to install GPU drivers.|[Create GPU VMs](azure-stack-edge-gpu-deploy-gpu-virtual-machine.md#create-gpu-vms) and [Install GPU extensions](azure-stack-edge-gpu-deploy-virtual-machine-install-gpu-extension.md)|

+|Reset VM password extensions|Reset a VM password using PowerShell.|[Install the VM password reset extension](azure-stack-edge-gpu-deploy-virtual-machine-install-password-reset-extension.md)|

+1. In the **Overview** page, go to **Virtual machines** and select the virtual machine that you're interested in. You can then view the details of the VM.

+You can [turn on the VM](azure-stack-edge-gpu-deploy-virtual-machine-powershell.md#turn-on-the-vm), [suspend or shut down the VM](azure-stack-edge-gpu-deploy-virtual-machine-powershell.md#suspend-or-shut-down-the-vm). Finally, you can [delete the VMs](azure-stack-edge-gpu-deploy-virtual-machine-powershell.md#delete-the-vm) after you're done using them.

+| **Attempt to create a new Linux namespace from a container detected (Preview)**<br>(K8S.NODE_NamespaceCreation) | Analysis of processes running within a container in Kubernetes cluster detected an attempt to create a new Linux namespace. While this behavior might be legitimate, it might indicate that an attacker tries to escape from the container to the node. Some CVE-2022-0185 exploitations use this technique. | PrivilegeEscalation | Medium |

+ Title: How to use Defender for Containers to identify vulnerabilities

+description: Learn how to use Defender for Containers to scan images in your registries

+There are four triggers for an image scan:

+- **On push** - Whenever an image is pushed to your registry, Defender for Containers automatically scans that image. To trigger the scan of an image, push it to your repository.

+- **Recently pulled** - Since new vulnerabilities are discovered every day, **Microsoft Defender for Containers** also scans, on a weekly basis, any image that has been pulled within the last 30 days. There's no extra charge for these rescans; as mentioned above, you're billed once per image.

+- **On import** - Azure Container Registry has import tools to bring images to your registry from Docker Hub, Microsoft Container Registry, or another Azure container registry. **Microsoft Defender for Containers** scans any supported images you import. Learn more in [Import container images to a container registry](../container-registry/container-registry-import-images.md).

+- **Continuous scan**- This trigger has two modes:

+ - A continuous scan based on an image pull. This scan is performed every seven days after an image was pulled, and only for 30 days after the image was pulled. This mode doesn't require the security profile, or extension.

+ - (Preview) Continuous scan for running images. This scan is performed every seven days for as long as the image runs. This mode runs instead of the above mode when the Defender profile, or extension is running on the cluster.

+This scan typically completes within 2 minutes, but it might take up to 40 minutes. For every vulnerability identified, Defender for Cloud provides actionable recommendations, along with a severity classification, and guidance for how to remediate the issue.

+Defender for Cloud filters, and classifies findings from the scanner. When an image is healthy, Defender for Cloud marks it as such. Defender for Cloud generates security recommendations only for images that have issues to be resolved. By only notifying when there are problems, Defender for Cloud reduces the potential for unwanted informational alerts.

+ When a scan is triggered, findings are available as Defender for Cloud recommendations from 2 minutes up to 15 minutes after the scan is complete.

+Some images may reuse tags from an image that was already scanned. For example, you may reassign the tag ΓÇ£LatestΓÇ¥ every time you add an image to a digest. In such cases, the ΓÇÿoldΓÇÖ image does still exist in the registry and may still be pulled by its digest. If the image has security findings and is pulled, it'll expose security vulnerabilities.

+Defender for Containers includes an integrated vulnerability scanner for scanning images in Azure Container Registry registries. The vulnerability scanner runs on an image:

+- When you push the image to your registry

+- Weekly on any image that was pulled within the last 30

+- When you import the image to your Azure Container Registry

+- Continuously in specific situations

+Learn more in [Vulnerability assessment](defender-for-container-registries-usage.md).

+The recommendation **Running container images should have vulnerability findings resolved** shows vulnerabilities for running images by using the scan results from ACR registries and information on running images from the Defender security profile/extension. Images that are deployed from a non ACR registry, will appear under the **Not applicable** tab.

+| [Multiple changes to identity recommendations](#multiple-changes-to-identity-recommendations) | June 2022 |

+### Multiple changes to identity recommendations

+**Estimated date for change:** June 2022

+Defender for Cloud includes multiple recommendations for improving the management of users and accounts. In June, we'll be making the changes outlined below.

+#### New recommendations in preview

+The new release will bring the following capabilities:

+- **Extended evaluation scope** ΓÇô Improved coverage to identity accounts without MFA and external accounts on Azure resources (instead of subscriptions only) allowing security admins to view role assignments per account.

+- **Improved freshness interval** - Currently, the identity recommendations have a freshness interval of 24 hours. This update will reduce that interval to 12 hours.

+- **Account exemption capability** - Defender for Cloud has many features you can use to customize your experience and ensure that your secure score reflects your organization's security priorities. For example, you can [exempt resources and recommendations from your secure score](exempt-resource.md).

+ This update will allow you to exempt specific accounts from evaluation with the six recommendations listed in the following table.

+ Typically, you'd exempt emergency ΓÇ£break glassΓÇ¥ accounts from MFA recommendations, because such accounts are often deliberately excluded from an organization's MFA requirements. Alternatively, you might have external accounts that you'd like to permit access to but which don't have MFA enabled.

+ > [!TIP]

+ > When you exempt an account, it won't be shown as unhealthy and also won't cause a subscription to appear unhealthy.

+ |Recommendation| Assessment key|

+ |-|-|

+ |MFA should be enabled on accounts with owner permissions on your subscription|94290b00-4d0c-d7b4-7cea-064a9554e681|

+ |MFA should be enabled on accounts with read permissions on your subscription|151e82c5-5341-a74b-1eb0-bc38d2c84bb5|

+ |MFA should be enabled on accounts with write permissions on your subscription|57e98606-6b1e-6193-0e3d-fe621387c16b|

+ |External accounts with owner permissions should be removed from your subscription|c3b6ae71-f1f0-31b4-e6c1-d5951285d03d|

+ |External accounts with read permissions should be removed from your subscription|a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b|

+ |External accounts with write permissions should be removed from your subscription|04e7147b-0deb-9796-2e5c-0336343ceb3d|

+#### Recommendations rename

+This update, will rename two recommendations, and revise their descriptions. The assessment keys will remain unchanged.

+| Property | Current value | New update's change |

+|--|--|--|

+|**First recommendation**| - | - |

+|Assessment key | e52064aa-6853-e252-a11e-dffc675689c2 | No change |

+| Name | [Deprecated accounts with owner permissions should be removed from your subscription](https://ms.portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e52064aa-6853-e252-a11e-dffc675689c2) | Subscriptions should be purged of accounts that are blocked in Active Directory and have owner permissions. |

+| Description | User accounts that have been blocked from signing in, should be removed from your subscriptions.

+These accounts can be targets for attackers looking to find ways to access your data without being noticed. | User accounts that have been blocked from signing into Active Directory, should be removed from your subscriptions. These accounts can be targets for attackers looking to find ways to access your data without being noticed. <br> Learn more about securing the identity perimeter in [Azure Identity Management and access control security best practices](../security/fundamentals/identity-management-best-practices.md). |

+| Related policy | [Deprecated accounts with owner permissions should be removed from your subscription](https://ms.portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2febb62a0c-3560-49e1-89ed-27e074e9f8ad) | Subscriptions should be purged of accounts that are blocked in Active Directory and have owner permissions. |

+|**Second recommendation**| - | - |

+| Assessment key | 00c6d40b-e990-6acf-d4f3-471e747a27c4 | No change |

+| Name | [Deprecated accounts should be removed from your subscription](https://ms.portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/00c6d40b-e990-6acf-d4f3-471e747a27c4) | Subscriptions should be purged of accounts that are blocked in Active Directory and have read and write permissions. |

+| Description | User accounts that have been blocked from signing in, should be removed from your subscriptions. <br> These accounts can be targets for attackers looking to find ways to access your data without being noticed. | User accounts that have been blocked from signing into Active Directory, should be removed from your subscriptions. These accounts can be targets for attackers looking to find ways to access your data without being noticed. <br> Learn more about securing the identity perimeter in [Azure Identity Management and access control security best practices](../security/fundamentals/identity-management-best-practices.md). |

+| Related policy | [Deprecated accounts should be removed from your subscription](https://ms.portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f6b1cbf55-e8b6-442f-ba4c-7246b6381474) | Subscriptions should be purged of accounts that are blocked in Active Directory and have read and write permissions. |

+ "eventHubNamespaceName": "[concat(uniqueString(subscription().subscriptionId), 'tls')]"

+ "name": "[variables('eventHubNamespaceName')]",

+When a client accesses an Event Hubs namespace using a TLS version that does not meet the minimum TLS version configured for the namespace, Azure Event Hubs returns error code 401 (Unauthorized) and a message indicating that the TLS version that was used is not permitted for making requests against this Event Hubs namespace.

+- [Use Azure Policy to audit for compliance of minimum TLS version for an Event Hubs namespace](transport-layer-security-audit-minimum-version.md)

+* Preventing exfiltration attacks from sensitive on-premises networks.

+* When using private endpoints, we recommend deploying DPS in one of the regions that support [Availability Zones](iot-dps-ha-dr.md). Otherwise, DPS instances with private endpoints enabled may see reduced availability in the event of outages.

+### VMware virtual machine

+Azure IoT Edge for Linux on Windows supports running inside a Windows virtual machine running on top of [VMware ESXi](https://www.vmware.com/products/esxi-and-esx.html) product family. Specific networking and virtualization configurations are needed to support this scenario. For more information about VMware configuration, see [EFLOW Nested virtualization](./nested-virtualization.md).

+## Deployment on Windows VM on VMware ESXi

+Both VMware ESXi [6.7](https://docs.vmware.com/en/VMware-vSphere/6.7/vsphere-esxi-67-installation-setup-guide.pdf) and [7.0](https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-vcenter-server-70-release-notes.html) versions support nested virtualization needed for hosting Azure IoT Edge for Linux on Windows on top of a Windows virtual machine.

+To set up an Azure IoT Edge for Linux on Windows on a VMware ESXi Windows virtual machine, use the following steps:

+1. Create a Windows virtual machine on the VMware ESXi host. For more information about VMware VM deployment, see [VMware - Deploying Virtual Machines](https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vm_admin.doc/GUID-39D19B2B-A11C-42AE-AC80-DDA8682AB42C.html).

+>[!NOTE]

+> If you're creating a Windows 11 virtual machine, ensure to meet the minimum requirements by Microsoft to run Windows 11. For more information about Windows 11 VM VMware support, see [Installing Windows 11 as a guest OS on VMware](https://kb.vmware.com/s/article/86207).

+1. Turn off the virtual machine created in previous step.

+1. Select the Windows virtual machine and then **Edit settings**.

+1. Search for _Hardware virtualization_ and turn on _Expose hardware assisted virtualization to the guest OS_.

+1. Select **Save** and start the virtual machine.

+1. Install Hyper-V hypervisor. If you're using Windows client, make sure you [Install Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v). If you're using Windows Server, make sure you [install the Hyper-V role](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server).

+> [!NOTE]

+> For VMware Windows virtual machines, if you plan to use an **external virtual switch** for the EFLOW virtual machine networking, make sure you enable _Promiscious mode_. For more information, see [Configuring promiscuous mode on a virtual switch or portgroup](https://kb.vmware.com/s/article/1004099). Failing to do so will result in EFLOW installation errors.

+ Title: 'Quickstart: Create an internal Azure load balancer using Bicep'

+description: This quickstart shows how to create an internal Azure load balancer using Bicep.

+# Quickstart: Create an internal load balancer to load balance VMs by using Bicep

+This quickstart describes how to use Bicep to create an internal Azure load balancer.

+## Prerequisites

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+## Review the Bicep file

+The Bicep file used in this quickstart is from the [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/2-vms-internal-load-balancer/).

+Multiple Azure resources have been defined in the Bicep file:

+- [**Microsoft.Storage/storageAccounts**](/azure/templates/microsoft.storage/storageaccounts): Virtual machine storage accounts for boot diagnostics.

+- [**Microsoft.Compute/availabilitySets**](/azure/templates/microsoft.compute/availabilitySets): Availability set for virtual machines.

+- [**Microsoft.Network/virtualNetworks**](/azure/templates/microsoft.network/virtualNetworks): Virtual network for load balancer and virtual machines.

+- [**Microsoft.Network/networkInterfaces**](/azure/templates/microsoft.network/networkInterfaces): Network interfaces for virtual machines.

+- [**Microsoft.Network/loadBalancers**](/azure/templates/microsoft.network/loadBalancers): Internal load balancer.

+- [**Microsoft.Compute/virtualMachines**](/azure/templates/microsoft.compute/virtualMachines): Virtual machines.

+## Deploy the Bicep file

+1. Save the Bicep file as **main.bicep** to your local computer.

+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

+ # [CLI](#tab/CLI)

+ ```azurecli

+ az group create --name exampleRG --location eastus

+ az deployment group create --resource-group exampleRG --template-file main.bicep --parameters adminUsername=<admin-user>

+ ```

+ # [PowerShell](#tab/PowerShell)

+ ```azurepowershell

+ New-AzResourceGroup -Name exampleRG -Location eastus

+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -adminUsername "<admin-user>"

+ ```

+

+ > [!NOTE]

+ > Replace **\<admin-user\>** with the admin username. You'll also be prompted to enter **adminPassword**.

+ When the deployment finishes, you should see a message indicating the deployment succeeded.

+## Review deployed resources

+Use the Azure portal, Azure CLI, or Azure PowerShell to list the deployed resources in the resource group.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az resource list --resource-group exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Get-AzResource -ResourceGroupName exampleRG

+```

+## Clean up resources

+When no longer needed, use the Azure portal, Azure CLI, or Azure PowerShell to delete the resource group and its resources.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az group delete --name exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name exampleRG

+```

+## Next steps

+For a step-by-step tutorial that guides you through the process of creating a Bicep file, see:

+> [!div class="nextstepaction"]

+> [Quickstart: Create Bicep files with Visual Studio Code](../azure-resource-manager/bicep/quickstart-create-bicep-use-visual-studio-code.md)

+If you follow good DevOps practices, you already use [Azure Resource Manager templates](../azure-resource-manager/management/overview.md) to define and deploy your logic apps and their dependent resources. Resource Manager templates give you the capability to use a single deployment definition and then use parameter files to provide the configuration values to use for each deployment destination. This capability means that you can deploy the same logic app to different environments, for example, development, test, and production. You can also deploy the same logic app to different Azure regions or ISEs, which support disaster recovery strategies that use [paired-regions](../availability-zones/cross-region-replication-azure.md).

+* In the primary location, an active logic app listens to an Azure Service Bus queue for messages, while another active logic app checks for emails by using an Office 365 Outlook polling trigger.

+<a name="availability-zones"></a>

+## Zone redundancy with availability zones

+In each Azure region, *availability zones* are physically separate locations that are tolerant to local failures. Such failures can range from software and hardware failures to events such as earthquakes, floods, and fires. These zones achieve tolerance through the redundancy and logical isolation of Azure services.

+To provide resiliency and distributed availability, at least three separate availability zones exist in any Azure region that supports and enables zone redundancy. The Azure Logic Apps platform distributes these zones and logic app workloads across these zones. This capability is a key requirement for enabling resilient architectures and providing high availability if datacenter failures happen in a region.

+Currently, this capability is preview and available for new Consumption logic apps in specific regions. For more information, see the following documentation:

+* [Protect Consumption logic apps from region failures with zone redundancy and availability zones](set-up-zone-redundancy-availability-zones.md)

+* [Azure regions and availability zones](../availability-zones/az-overview.md)

+ | **Consumption** | This logic app type runs in global, multi-tenant Azure Logic Apps and uses the [Consumption billing model](logic-apps-pricing.md#consumption-pricing). After you select **Consumption**, the **Zone redundancy** section appears. This section offers the choice to enable availability zones for your Consumption logic app. In this example, keep **Enabled** as the setting value. For more information, see [Protect Consumption logic apps from region failures with zone redundancy and availability zones](set-up-zone-redundancy-availability-zones.md). |

+ Title: Protect logic apps from region failures with zone redundancy

+description: Set up availability zones for logic apps with zone redundancy for business continuity and disaster recovery.

+ms.suite: integration

+#Customer intent: As a developer, I want to protect logic apps from regional failures by setting up availability zones.

+# Protect Consumption logic apps from region failures with zone redundancy and availability zones (preview)

+In each Azure region, *availability zones* are physically separate locations that are tolerant to local failures. Such failures can range from software and hardware failures to events such as earthquakes, floods, and fires. These zones achieve tolerance through the redundancy and logical isolation of Azure services.

+To provide resiliency and distributed availability, at least three separate availability zones exist in any Azure region that supports and enables zone redundancy. The Azure Logic Apps platform distributes these zones and logic app workloads across these zones. This capability is a key requirement for enabling resilient architectures and providing high availability if datacenter failures happen in a region. For more information about availability zones and zone redundancy, review [Azure regions and availability zones](../availability-zones/az-overview.md).

+This article provides a brief overview about considerations for using availability zones in Azure Logic Apps and how to enable this capability for your Consumption logic app.

+## Considerations

+During preview, the following considerations apply:

+* The following list includes the Azure regions where you can currently enable availability zones with the list expanding as available:

+ - Brazil South

+ - Canada Central

+ - France Central

+* Azure Logic Apps currently supports the option to enable availability zones *only for new Consumption logic app workflows* that run in multi-tenant Azure Logic Apps.

+ * This option is available *only when you create a Consumption logic app using the Azure portal*. No programmatic tool support, such as Azure PowerShell or Azure CLI, currently exists to enable availability zones.

+ * This option is unavailable for existing Consumption logic app workflows and for any Standard logic app workflows.

+* Existing Consumption logic app workflows are unaffected until mid-May 2022. After this time, the Azure Logic Apps team will gradually start to move existing Consumption logic app workflows towards using availability zones, several Azure regions at a time. The option to enable availability zones on new Consumption logic app workflows remains available during this time.

+* If you use a firewall or restricted environment, you have to allow traffic through all the IP addresses required by Azure Logic Apps, managed connectors, and custom connectors in the Azure region where you create your logic app workflows. New IP addresses that support availability zones are already published for Azure Logic Apps, managed connectors, and custom connectors. For more information, review [Prerequisites](#prerequisites).

+## Limitations

+With HTTP-based actions, certificates exported or created with AES256 encryption won't work when used for client certificate authentication. The same certificates also won't work when used for OAuth authentication.

+## Prerequisites

+* An Azure account and subscription. If you don't have a subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* If you have a firewall or restricted environment, you have to allow traffic through all the IP addresses required by Azure Logic Apps, managed connectors, and any custom connectors in the Azure region where you create your logic app workflows. For more information, review the following documentation:

+ * [Firewall configuration: IP addresses and service tags](logic-apps-limits-and-config.md#firewall-ip-configuration)

+ * [Inbound IP addresses for Azure Logic Apps](logic-apps-limits-and-config.md#inbound)

+ * [Outbound IP addresses for Azure Logic Apps](logic-apps-limits-and-config.md#outbound)

+ * [Outbound IP addresses for managed connectors and custom connectors](/connectors/common/outbound-ip-addresses)

+## Set up availability zones for Consumption logic app workflows

+1. In the [Azure portal](https://portal.azure.com), start creating a Consumption logic app. On the **Create Logic App** page, stop after you select **Consumption** as the plan type for your logic app.

+ 

+ For a quick tutorial, review [Quickstart: Create your first integration workflow with multi-tenant Azure Logic Apps and the Azure portal](quickstart-create-first-logic-app-workflow.md).

+ After you select **Consumption**, the **Zone redundancy** section and options become available.

+1. Under **Zone redundancy**, select **Enabled**.

+ At this point, your logic app creation experience appears similar to this example:

+ 

+1. Finish creating your logic app.

+1. If you use a firewall and haven't set up access for traffic through the required IP addresses, make sure to complete that [requirement](#prerequisites).

+## Next steps

+* [Business continuity and disaster recovery for Azure Logic Apps](business-continuity-disaster-recovery-guidance.md)

+* [Connectors in Azure Logic Apps](../connectors/apis-list.md)

+| <*ocurrence*> | Yes | Integer | A number that specifies the *n*th occurrence of the substring to find. If *ocurrence* is negative, starts searching from the end. |

+Learn about the [Workflow Definition Language](../logic-apps/logic-apps-workflow-definition-language.md)

+* [Train TensorFlow DNN Models](how-to-train-tensorflow.md)

+ Title: 'Quickstart: Create an Azure DB for MariaDB - Bicep'

+description: In this Quickstart article, learn how to create an Azure Database for MariaDB server using Bicep.

+# Quickstart: Use Bicep to create an Azure Database for MariaDB server

+Azure Database for MariaDB is a managed service that you use to run, manage, and scale highly available MariaDB databases in the cloud. In this quickstart, you use Bicep to create an Azure Database for MariaDB server in PowerShell or Azure CLI.

+## Prerequisites

+You'll need an Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/).

+## Review the Bicep file

+You create an Azure Database for MariaDB server with a defined set of compute and storage resources. To learn more, see [Azure Database for MariaDB pricing tiers](concepts-pricing-tiers.md). You create the server within an [Azure resource group](../azure-resource-manager/management/overview.md).

+The Bicep file used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/managed-mariadb-with-vnet/).

+The Bicep file defines five Azure resources:

+* [**Microsoft.Network/virtualNetworks**](/azure/templates/microsoft.network/virtualnetworks)

+* [**Microsoft.Network/virtualNetworks/subnets**](/azure/templates/microsoft.network/virtualnetworks/subnets)

+* [**Microsoft.DBforMariaDB/servers**](/azure/templates/microsoft.dbformariadb/servers)

+* [**Microsoft.DBforMariaDB/servers/virtualNetworkRules**](/azure/templates/microsoft.dbformariadb/servers/virtualnetworkrules)

+* [**Microsoft.DBforMariaDB/servers/firewallRules**](/azure/templates/microsoft.dbformariadb/servers/firewallrules)

+## Deploy the Bicep file

+1. Save the Bicep file as **main.bicep** to your local computer.

+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

+ # [CLI](#tab/CLI)

+ ```azurecli

+ az group create --name exampleRG --location eastus

+ az deployment group create --resource-group exampleRG --template-file main.bicep --parameters serverName=<server-name> administratorLogin=<admin-login>

+ ```

+ # [PowerShell](#tab/PowerShell)

+ ```azurepowershell

+ New-AzResourceGroup -Name exampleRG -Location eastus

+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -serverName "<server-name>" -administratorLogin "<admin-login>"

+ ```

+

+ > [!NOTE]

+ > Replace **\<server-name\>** with the name of the server. Replace **\<admin-login\>** with the database administrator login name. The minimum required length is one character. You'll also be prompted to enter **administratorLoginPassword**. The minimum password length is eight characters.

+ When the deployment finishes, you should see a message indicating the deployment succeeded.

+## Review deployed resources

+Use the Azure portal, Azure CLI, or Azure PowerShell to list the deployed resources in the resource group.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az resource list --resource-group exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Get-AzResource -ResourceGroupName exampleRG

+```

+## Clean up resources

+When no longer needed, use the Azure portal, Azure CLI, or Azure PowerShell to delete the resource group and its resources.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az group delete --name exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name exampleRG

+```

+## Next steps

+For a step-by-step tutorial that guides you through the process of creating a Bicep file using Visual Studio Code, see:

+> [!div class="nextstepaction"]

+> [Quickstart: Create Bicep files with Visual Studio Code](../azure-resource-manager/bicep/quickstart-create-bicep-use-visual-studio-code.md)

+> Offer listing content (such as the description, documents, screenshots, and terms of use) is not required to be in English if the offer description begins with the phrase, "This application is available only in [non-English language]." It is also acceptable to provide a _Useful Link_ URL to offer content in a language other than the one used in the offer listing content if the offer description begins with the phrase "This application is also available in [non-English language]".

+ Title: Customers dashboard in Microsoft commercial marketplace analytics on Partner Center

+ 

+1. In the left-nav menu, select **[Customers](https://partner.microsoft.com/dashboard/insights/commercial-marketplace/analytics/customer)**.

+ :::image type="content" source="media/customer-dashboard/menu-customer.png" alt-text="Screenshot showing the Customer option in the left-nav menu.":::

+### Download

+To download a snapshot of the dashboard, select **Download as PDF**. Alternatively, go to the [Downloads](https://partner.microsoft.com/dashboard/insights/commercial-marketplace/analytics/downloads) dashboard and download the report.

+### Share

+To email dashboard widgets data, select **Share** and provide the email information. Share report URLs using **Copy link** and **Share to Teams**, or **Copy as image** to send a snapshot of chart data.

+### WhatΓÇÖs new

+Use this to check on changes and enhancements.

+

+### About data refresh

+View the data source and the data refresh details, such as frequency of the data refresh.

+### Got feedback?

+Submit feedback about the report/dashboard along with an optional screenshot.

+A month range selection is at the top-right corner of each page. Customize the output of graphs by selecting a month range based on the last **six** or **12** months, or by selecting a **custom** month range with a maximum duration of 12 months. The default month range is six months.

+### Customer page dashboard filters

+These filters are applied at the Customers page level. Select multiple filters to render the chart for what you want to see in the **Detailed orders data** export. Filters are applied on the data extracted for the month range you selected on the upper-right corner of the page.

+The page has dashboard-level filters for the following:

+- Sales Channel

+- Marketplace Subscription Id

+- Customer Id

+- Customer Name

+- Customer Company Name

+- Country

+Each filter is expandable with multiple options that you can select. Filter options are dynamic and based on the selected date range.

+This widget shows your customer's growth trend for the selected computation period. Metrics and growth trends are represented by a line chart and displays the value for each month by hovering over the line on the chart. The percentage value below **Active customers** in the widget represents the amount of growth during the selected computation period. For example, the following Screenshot showing a decline of 1.93% in active customers for the selected computation period.

+

+There are three customer types: new, existing, and churned.

+- A **new** customer has acquired one or more of your offers for the first time within the selected month.

+- An **existing** customer has acquired one or more of your offers prior to the month selected.

+- A **churned** customer has canceled all offers previously purchased. Churned customers for VM offers are calculated as customers who didnΓÇÖt show any VM usage for two days or more. Churned customers are represented in the negative axis in the Trend widget.

+Select the ellipsis (...) to copy the widget image, download aggregated widget data as a .csv file, or download the image as a PDF.

+This widget shows trend and count of all customers, including new, existing, and churned, with a month-by-month growth trend.

+

+Select the ellipsis (...) to copy the widget image, download aggregated widget data as .csv file, or download the image as a PDF.

+### Orders by customers type

+This chart has tabs for Orders, Normalized usage, and Raw usage. Select **Orders** to show order details.

+

+Select **Normalized usage** or **Raw usage** for those views.

+Select the ellipsis (...) to copy the widget image, download aggregated widget data as .csv file, or download the image as a PDF.

+

+Select the ellipsis (...) to copy the widget image, download aggregated widget data as .csv file, or download the image as a PDF.

+Select the ellipsis (...) to copy the widget image, download aggregated widget data as .csv file, or download the image as a PDF.

+

+Select the ellipsis (...) to copy the widget image, download aggregated widget data as .csv file, or download the image as a PDF.

+

+Select the ellipsis (...) to copy the widget image, download aggregated widget data as .csv file, or download the image as a PDF.

+| AzureLicenseType | Azure License Type | The type of licensing agreement used by customers to purchase Azure. Also known as the _channel_. The possible values are:<br>- Cloud Solution Provider<br>- Enterprise<br>- Enterprise through Reseller<br>- Pay as You Go | AzureLicenseType |

+| Customer Type | Customer Type | The value of this field signifies the type of the customer. The possible values are:<br>- individual<br>- organization | CustomerType |

+1. Select **Compute**, and then select **Windows Server 2019 Datacenter** or a version of **Ubuntu Server**.

+1. Enter, or select, the following information, accept the defaults for the remaining settings, and then select **OK**:

+ |Virtual machine name|myVm|

+ |Region| Select **East US**|

+ |User name| Enter a user name of your choosing.|

+ |Password| Enter a password of your choosing. The password must be at least 12 characters long and meet the defined complexity requirements.|

+1. Select **Review + create** to start VM deployment. The VM takes a few minutes to deploy. Wait for the VM to finish deploying before continuing with the remaining steps.

+1. In the **Home** portal, select **More services**. In the **Filter box**, enter *Network Watcher*. When **Network Watcher** appears in the results, select it.

+1. Enable a network watcher in the East US region, because that's the region the VM was deployed to in a previous step. Select **Add**, to expand it, and then select **Region** under **Subscription**, as shown in the following picture:

+ :::image type="content" source="./media/diagnose-vm-network-traffic-filtering-problem/enable-network-watcher.png" alt-text="Screenshot of how to Enable Network Watcher.":::

+1. Select your region then select **Add**.

+1. In the **Home** portal, select **More services**. In the **All services** *Filter* box, enter *Network Watcher*. When **Network Watcher** appears in the results, select it.

+1. Select **IP flow verify**, under **Network diagnostic tools**.

+1. Select your subscription, enter or select the following values, and then select **Check**, as shown in the picture that follows:

+ | Subscription | Select your subscription |

+ | Resource group | Select **myResourceGroup** |

+ | Virtual machine | Select **myVm** |

+ :::image type="content" source="./media/diagnose-vm-network-traffic-filtering-problem/ip-flow-verify-outbound.png" alt-text="Screenshot of values to input in IP flow verify.":::

+1. Complete step 3 again, but change the **Remote IP address** to **172.31.0.100**. The result returned informs you that access is denied because of a security rule named **DenyAllOutBound**.

+1. Complete step 3 again, but change the **Direction** to **Inbound**, the **Local port** to **80** and the **Remote port** to **60000**. **Remote IP address** remains **172.31.0.100**. The result returned informs you that access is denied because of a security rule named **DenyAllInBound**.

+To determine why the rules in steps 3-5 of **Use IP flow verify** allow or deny communication, review the effective security rules for the network interface in the VM.

+1. In the search box at the top of the portal, enter *myvm*. When the **myvm Regular Network Interface** appears in the search results, select it.

+1. Select **Effective security rules** under **Support + troubleshooting**, as shown in the following picture:

+

+ :::image type="content" source="./media/diagnose-vm-network-traffic-filtering-problem/effective-security-rules.png" alt-text="Screenshot of Effective security rules.":::

+ In step 3 of **Use IP flow verify**, you learned that the reason the communication was allowed is because of the **AllowInternetOutbound** rule. You can see in the previous picture that the **Destination** for the rule is **Internet**. It's not clear how 13.107.21.200, the address you tested in step 3 of **Use IP flow verify**, relates to **Internet** though.

+1. Select the **AllowInternetOutBound** rule, and then scroll down to **Destination**, as shown in the following picture:

+

+ :::image type="content" source="./media/diagnose-vm-network-traffic-filtering-problem/security-rule-prefixes.png" alt-text="Screenshot of Security rule prefixes.":::

+ One of the prefixes in the list is **12.0.0.0/8**, which encompasses the 12.0.0.1-15.255.255.254 range of IP addresses. Since 13.107.21.200 is within that address range, the **AllowInternetOutBound** rule allows the outbound traffic. Additionally, there are no higher priority (lower number) rules shown in the picture in step 2 that override this rule. Close the **Address prefixes** box. To deny outbound communication to 13.107.21.200, you could add a security rule with a higher priority, that denies port 80 outbound to the IP address.

+1. When you ran the outbound check to 172.131.0.100 in step 4 of **Use IP flow verify**, you learned that the **DenyAllOutBound** rule denied communication. That rule equates to the **DenyAllOutBound** rule shown in the picture in step 2 that specifies **0.0.0.0/0** as the **Destination**. This rule denies the outbound communication to 172.131.0.100, because the address is not within the **Destination** of any of the other **Outbound rules** shown in the picture. To allow the outbound communication, you could add a security rule with a higher priority, that allows outbound traffic to port 80 for the 172.131.0.100 address.

+1. When you ran the inbound check from 172.131.0.100 in step 5 of **Use IP flow verify**, you learned that the **DenyAllInBound** rule denied communication. That rule equates to the **DenyAllInBound** rule shown in the picture in step 2. The **DenyAllInBound** rule is enforced because no other higher priority rule exists that allows port 80 inbound to the VM from 172.31.0.100. To allow the inbound communication, you could add a security rule with a higher priority, that allows port 80 inbound from 172.31.0.100.

+1. Select **Delete resource group**.

+1. Enter *myResourceGroup* for **TYPE THE RESOURCE GROUP NAME:** and select **Delete**.

+A metadata repository that is the foundation of Microsoft Purview. The data map is a graph that describes assets across a data estate and is populated through scans and other data ingestion processes. This graph helps organizations understand and govern their data by providing rich descriptions of assets, representing data lineage, classifying assets, storing relationships between assets, and housing information at both the technical and semantic layers. The data map is an open platform that can be interacted with and accessed through Apache Atlas APIs or the Microsoft Purview governance portal.

+* **System-assigned managed identity** (Recommended) - This is an identity associated directly with your Microsoft Purview account that allows you to authenticate directly with other Azure resources without needing to manage a go-between user or credential set. The **system-assigned** managed identity is created when your Microsoft Purview resource is created, is managed by Azure, and uses your Microsoft Purview account's name. The SAMI can't currently be used with a self-hosted integration runtime for Azure SQL. For more information, see the [managed identity overview](/azure/active-directory/managed-identities-azure-resources/overview).

+* **Service Principal**- A service principal is an application that can be assigned permissions like any other group or user, without being associated directly with a person. Their authentication has an expiration date, and so can be useful for temporary projects. For more information, see the [service principal documenatation](/azure/active-directory/develop/app-objects-and-service-principals).

+1. [Configure the Activity](../azure-monitor/essentials/activity-log.md) for your workspace.

+1. [View the activity logs Insights](../azure-monitor/essentials/activity-log.md). A quick way to navigate to the Activity Log Overview page is to click the **Logs** option.

+Note that Azure Route Server per default will advertise all prefixes learnt from the NVA to ExpressRoute too. This might not be desired, for example because of the route limits of ExpressRoute or the Route Server itself. In that case, the NVA can announce its routes to the Route Server including the BGP community `no-advertise` (with value 65535:65282). When Azure Route Server receives routes with this BGP community, it will push them to the subnets, but it will not advertise them to any other BGP peer (like ExpressRoute or VPN gateways, or other NVAs).

+## SDWAN coexistence with ExpressRoute and Azure Firewall

+A particular case of the previous design is when customers insert the Azure Firewall in the traffic flow to inspect all traffic going to on-premises networks, either via ExpressRoute or via SD-WAN/VPN appliances. In this situation, all spoke subnets have route tables that prevent the spokes from learning any route from ExpressRoute or the Route Server, and have default routes (0.0.0.0/0) with the Azure Firewall as next hop, as the following diagram shows:

+The Azure Firewall subnet will learn the routes coming from both ExpressRoute and the VPN/SDWAN NVA, and will decide whether sending traffic one way or the other. As described in the previous section, if the NVA appliance advertises more than 200 routes to the Azure Route Server, it should send its BGP routes marked with the BGP community `no-advertise`. This way, the SDWAN prefixes will not be injected back to on-premises via Express-Route.

+| Azure Storage for AI enrichment (caching, debug sessions, knowledge store) | Supported only if the storage account and search service are in different regions. | Supported |

+For more information, see the article [Plan a Privileged Identity Management deployment](../../active-directory/privileged-identity-management/pim-deployment-plan.md) and [securing privileged access](/security/compass/overview).

+For more information, see the article [Azure Active Directory consent framework](../../active-directory/develop/consent-framework.md).

+> [!IMPORTANT]

+>

+> The Microsoft Sentinel content hub experience is currently in **PREVIEW**, as are all individual solution packages. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Apache

+|Name |Includes |Categories |Supported by |

+|||||

+|**Tomcat** |Data connector, parser | DevOps, application |[Microsoft |

+## Atlassian

+|Name |Includes |Categories |Supported by |

+|||||

+|**Atlassian Confluence Audit** |Data connector |IT operations, application |Microsoft|

+|**Atlassian Jira Audit** |Workbook, analytics rules, hunting queries |DevOps |Microsoft|

+## Bosch

+|Name |Includes |Categories |Supported by |

+|||||

+|**AIShield AI Security Monitoring**| Data connector, analytics rule, parser | Security - Threat Protection | [Bosch](https://www.bosch-softwaretechnologies.com/en/products-and-solutions/products-and-solutions/aishield/)|

+|**Google Workspace Reports**|Workbook, analytics rules, hunting queries|IT Operations |Microsoft |

+## Holm Security

+|Name |Includes |Categories |Supported by |

+|||||

+|**Holm Security**| Data connector| Security - Threat Intelligence |[Holm Security](https://support.holmsecurity.com/hc)|

+## Joshua Cyberisk Vision

+|Name |Includes |Categories |Supported by |

+|||||

+|**Joshua Cyberisk Vision**| Playbooks| Security - Threat Intelligence |[Joshua Cyberisk Vision](https://www.cyberiskvision.com/) |

+## Lastpass

+|Name |Includes |Categories |Supported by |

+|||||

+|**Lastpass Enterprise Activity Monitoring** |Data connector, analytic rules, hunting queries, watchlist, workbook | Application|[The Collective Consulting](https://thecollective.eu) |

+|**Microsoft Defender for Endpoint** | Hunting queries, parsers | Security - Threat Protection |Microsoft |

+|**Microsoft Sentinel for Microsoft Dynamics 365** | [Data connector](data-connectors-reference.md#dynamics-365), workbooks, analytics rules, and hunting queries | Application |Microsoft |

+## NGINX

+|Name |Includes |Categories |Supported by |

+|||||

+|**Nginx** | Data connector, workbooks, analytics rules, hunting queries, parser | Security ΓÇô Network, Networking, DevOps |Microsoft |

+## NXLog

+|Name |Includes |Categories |Supported by |

+|||||

+|**NXLog AIX Audit** | Data connector, parser | IT operations |NXLog |

+|**NXLog DNS Logs** | Data connector | Networking |NXLog |

+## Oracle

+|**Oracle Database Audit** | Data connector, workbook, analytics rules, hunting queries, parser| Application|Microsoft |

+|**Oracle WebLogic Server** | Data connector, workbook, analytics rules, hunting queries, parser| IT Operations|Microsoft |

+## Shadowbytes

+|Name |Includes |Categories |Supported by |

+|||||

+|**Shadowbytes ARIA Threat Intelligence** |Data connector, playbook |Security - Threat protection |[Shadowbyte](https://shadowbyte.com/#contact)|

+## SIGNL4

+|Name |Includes |Categories |Supported by |

+|||||

+|**SIGNL4 Mobile Alerting** |Data connector, playbook |DevOps, IT Operations |[SIGNL4](https://www.signl4.com) |

+|**VMware ESXi**|Workbooks, analytics rules, data connectors, hunting queries, parser| IT Operations| Microsoft|

+## Zscalar

+|Name |Includes |Categories |Supported by |

+|||||

+|**Zscalar Private Access**|Data connector, workbook, analytics rules, hunting queries, parser | Security - Network | Microsoft|

+When a client accesses a Service Bus namespace using a TLS version that does not meet the minimum TLS version configured for the namespace, Azure Service Bus returns error code 401 (Unauthorized) and a message indicating that the TLS version that was used is not permitted for making requests against this Service Bus namespace.

+- [Use Azure Policy to audit for compliance of minimum TLS version for a Service Bus namespace](transport-layer-security-audit-minimum-version.md)

+> [!IMPORTANT]

+> Remote debugging is not supported on VS 2022

+18.04 LTS |[9.48](https://support.microsoft.com/topic/update-rollup-61-for-azure-site-recovery-kb5012960-a1cc029b-03ad-446f-9365-a00b41025d39) | 4.15.0-1134-azure </br> 4.15.0-1136-azure </br> 4.15.0-173-generic </br> 4.15.0-175-generic </br> 5.4.0-105-generic </br> 5.4.0-1073-azure </br> 5.4.0-1074-azure </br> 5.4.0-107-generic |

+20.04 LTS |[9.48](https://support.microsoft.com/topic/update-rollup-61-for-azure-site-recovery-kb5012960-a1cc029b-03ad-446f-9365-a00b41025d39) | 5.4.0-1074-azure </br> 5.4.0-107-generic |

+Debian 10 | [9.48](https://support.microsoft.com/topic/update-rollup-61-for-azure-site-recovery-kb5012960-a1cc029b-03ad-446f-9365-a00b41025d39) | 4.19.0-20-amd64 </br> 4.19.0-20-cloud-amd64 |

+Debian 10 | [9.44](https://support.microsoft.com/topic/update-rollup-57-for-azure-site-recovery-kb5006172-9fccc879-6e0c-4dc8-9fec-e0600cf94094) | 4.19.0-6-amd64 to 4.19.0-16-amd64 </br> 4.19.0-6-cloud-amd64 to 4.19.0-16-cloud-amd64 </br>

+SUSE Linux Enterprise Server 15, SP1, SP2 | [9.47](https://support.microsoft.com/topic/update-rollup-60-for-azure-site-recovery-k5011122-883a93a7-57df-4b26-a1c4-847efb34a9e8) | By default, all [stock SUSE 15, SP1, SP2 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br></br> 5.3.18-38.31-azure </br> 5.3.18-38.8-azure </br> 5.3.18-57-default </br> 5.3.18-59.10-default </br> 5.3.18-59.13-default </br> 5.3.18-59.16-default </br> 5.3.18-59.19-default </br> 5.3.18-59.24-default </br> 5.3.18-59.27-default </br> 5.3.18-59.30-default </br> 5.3.18-59.34-default </br> 5.3.18-59.37-default </br> 5.3.18-59.5-default </br> 5.3.18-38.34-azure:3 </br> 5.3.18-150300.59.43-default:3 </br> 5.3.18-150300.59.46-default:3 </br> 5.3.18-59.40-default:3 </br>

+- Deploy disaster recovery by [replicating Azure VMs](./azure-to-azure-quickstart.md).

+ Title: How to deploy applications in Azure Spring Cloud with a custom container image (Preview)

+description: How to deploy applications in Azure Spring Cloud with a custom container image

+# Deploy an application with a custom container image (Preview)

+**This article applies to:** ✔️ Standard tier ✔️ Enterprise tier

+This article explains how to deploy Spring Boot applications in Azure Spring Cloud using a custom container image. Deploying an application with a custom container supports most features as when deploying a JAR application. Other Java and non-Java applications can also be deployed with the container image.

+## Prerequisites

+* A container image containing the application.

+* The image is pushed to an image registry. For more information, see [Azure Container Registry](/azure/container-instances/container-instances-tutorial-prepare-acr).

+> [!NOTE]

+> The web application must listen on port `1025` for Standard tier and on port `8080` for Enterprise tier. The way to change the port depends on the framework of the application. For example, specify `SERVER_PORT=1025` for Spring Boot applications or `ASPNETCORE_URLS=http://+:1025/` for ASP.Net Core applications. The probe can be disabled for applications that do not listen on any port.

+## Deploy your application

+To deploy an application to a custom container image, use the following steps:

+# [Azure CLI](#tab/azure-cli)

+To deploy a container image, use one of the following commands:

+* To deploy a container image to the public Docker Hub to an app, use the following command:

+ ```azurecli

+ az spring-cloud app deploy \

+ --resource-group <your-resource-group> \

+ --name <your-app-name> \

+ --container-image <your-container-image> \

+ --service <your-service-name>

+ ```

+* To deploy a container image from ACR to an app, or from another private registry to an app, use the following command:

+ ```azurecli

+ az spring-cloud app deploy \

+ --resource-group <your-resource-group> \

+ --name <your-app-name> \

+ --container-image <your-container-image> \

+ --service <your-service-name>

+ --container-registry <your-container-registry> \

+ --registry-password <your-password> |

+ --registry-username <your-username>

+ ```

+To overwrite the entry point of the image, add the following two arguments to any of the above commands:

+```azurecli

+ --container-command "java" \

+ --container-args "-jar /app.jar -Dkey=value"

+```

+To disable listening on a port for images that aren't web applications, add the following argument to the above commands:

+```azurecli

+ --disable-probe true

+```

+# [Portal](#tab/azure-portal)

+1. Open the [Azure portal](https://portal.azure.com).

+1. Open your existing Spring Cloud service instance.

+1. Select **Apps** from left the menu, then select **Create App**.

+1. Name your app, and in the **Runtime platform** pulldown list, select **Custom Container**.

+ :::image type="content" source="media/how-to-deploy-with-custom-container-image/create-app-custom-container.png" alt-text="Azure portal screenshot of Create App page with Runtime platform dropdown showing and Custom Container selected." lightbox="media/how-to-deploy-with-custom-container-image/create-app-custom-container.png":::

+1. Select **Edit** under *Image*, then fill in the fields as shown in the following image:

+ :::image type="content" source="media/how-to-deploy-with-custom-container-image/custom-image-settings.png" alt-text="Azure portal screenshot showing the Custom Image Settings pane." lightbox="media/how-to-deploy-with-custom-container-image/custom-image-settings.png":::

+ > [!NOTE]

+ > The **Commands** and **Arguments** field are optional, which are used to overwrite the `cmd` and `entrypoint` of the image.

+ >

+ > You need to also specify the **Language Framework**, which is the web framework of the container image used. Currently, only **Spring Boot** is supported. For other Java applications or non-Java (polyglot) applications, select **Polyglot**.

+1. Select **Save**, then select **Create** to deploy your application.

+## Feature Support matrix

+The following matrix shows what features are supported in each application type.

+| Feature | Spring Boot Apps - container deployment | Polyglot Apps - container deployment | Notes |

+|||||

+| App lifecycle management | ✔️ | ✔️ | |

+| Support for container registries | ✔️ | ✔️ | |

+| Assign endpoint | ✔️ | ✔️ | |

+| Azure Monitor | ✔️ | ✔️ | |

+| APM integration | ✔️ | ✔️ | Supported by [manual installation](#install-an-apm-into-the-image-manually) |

+| Blue/green deployment | ✔️ | ✔️ | |

+| Custom domain | ✔️ | ✔️ | |

+| Scaling - auto scaling | ✔️ | ✔️ | |

+| Scaling - manual scaling (in/out, up/down) | ✔️ | ✔️ | |

+| Managed Identity | ✔️ | ✔️ | |

+| Spring Cloud Eureka & Config Server | ✔️ | ❌ | |

+| API portal for VMware Tanzu® | ✔️ | ✔️ | Enterprise tier only |

+| Spring Cloud Gateway for VMware Tanzu® | ✔️ | ✔️ | Enterprise tier only |

+| Application Configuration Service for VMware Tanzu® | ✔️ | ❌ | Enterprise tier only |

+| VMware Tanzu® Service Registry | ✔️ | ❌ | Enterprise tier only |

+| VNET | ✔️ | ✔️ | Add registry to [allowlist in NSG or Azure Firewall](#avoid-not-being-able-to-connect-to-the-container-registry-in-a-vnet) |

+| Outgoing IP Address | ✔️ | ✔️ | |

+| E2E TLS | ✔️ | ✔️ | Trust a self-signed CA is supported by [manual installation](#trust-a-certificate-authority-in-the-image) |

+| Liveness and readiness settings | ✔️ | ✔️ | |

+| Advanced troubleshooting - thread/heap/JFR dump | ✔️ | ❌ | The image must include `bash` and JDK with `PATH` specified. |

+| Bring your own storage | ✔️ | ✔️ | |

+| Integrate service binding with Resource Connector | ✔️ | ❌ | |

+| Availability Zone | ✔️ | ✔️ | |

+| App Lifecycle events | ✔️ | ✔️ | |

+| Reduced app size - 0.5 vCPU and 512 MB | ✔️ | ✔️ | |

+| Automate app deployments with Terraform | ✔️ | ✔️ | |

+| Soft Deletion | ✔️ | ✔️ | |

+| Interactive diagnostic experience (AppLens-based) | ✔️ | ✔️ | |

+| SLA | ✔️ | ✔️ | |

+> [!NOTE]

+> Polyglot apps include non-Spring Boot Java, NodeJS, AngularJS, Python, and .NET apps.

+## Common points to be aware of when deploying with a custom container

+The following points will help you address common situations when deploying with a custom image.

+### Trust a Certificate Authority in the image

+To trust a CA in the image, set the following variables depending on your environment:

+* You must import Java applications into the trust store by adding the following lines into your *Dockerfile*:

+ ```dockerfile

+ ADD EnterpriseRootCA.crt /opt/

+ RUN keytool -keystore /etc/ssl/certs/java/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias EnterpriseRootCA -file /opt/EnterpriseRootCA.crt

+ ```

+* For Node.js applications, set the `NODE_EXTRA_CA_CERTS` environment variable:

+ ```dockerfile

+ ADD EnterpriseRootCA.crt /opt/

+ ENV NODE_EXTRA_CA_CERTS="/opt/EnterpriseRootCA.crt"

+ ```

+* For Python, or other languages relying on the system CA store, on Debian or Ubuntu images, add the following environment variables:

+ ```dockerfile

+ ADD EnterpriseRootCA.crt /usr/local/share/ca-certificates/

+ RUN /usr/sbin/update-ca-certificates

+ ```

+* For Python, or other languages relying on the system CA store, on CentOS or Fedora based images, add the following environment variables:

+ ```dockerfile

+ ADD EnterpriseRootCA.crt /etc/pki/ca-trust/source/anchors/

+ RUN /usr/bin/update-ca-trust

+ ```

+### Avoid unexpected behavior when images change

+When your application is restarted or scaled out, the latest image will always be pulled. If the image has been changed, the newly started application instances will use the new image while the old instances will continue to use the old image. Avoid using the `latest` tag or overwrite the image without a tag change to avoid unexpected application behavior.

+### Avoid not being able to connect to the container registry in a VNet

+If you deployed the instance to a VNet, make sure you allow the network traffic to your container registry in the NSG or Azure Firewall (if used). For more information, see [Customer responsibilities for running in VNet](/azure/spring-cloud/vnet-customer-responsibilities) to add the needed security rules.

+### Install an APM into the image manually

+The installation steps vary on different APMs and languages. The following steps are for New Relic with Java applications. You must modify the *Dockerfile* using the following steps:

+1. Download and install the agent file into the image by adding the following to the *Dockerfile*:

+ ```dockerfile

+ ADD newrelic-agent.jar /opt/agents/newrelic/java/newrelic-agent.jar

+ ```

+1. Add the environment variables required by the APM:

+ ```dockerfile

+ ENV NEW_RELIC_APP_NAME=appName

+ ENV NEW_RELIC_LICENSE_KEY=newRelicLicenseKey

+ ```

+1. Modify the image entry point by adding: `java -javaagent:/opt/agents/newrelic/java/newrelic-agent.jar`

+To install the agents for other languages, refer to the official documentation for the other agents:

+New Relic:

+* Python: [Standard Python agent install](https://docs.newrelic.com/docs/apm/agents/python-agent/installation/standard-python-agent-install/)

+* Node.js: [Install the Node.js agent](https://docs.newrelic.com/docs/apm/agents/nodejs-agent/installation-configuration/install-nodejs-agent/)

+Dynatrace:

+* Python: [Instrument Python applications with OpenTelemetry](https://www.dynatrace.com/support/help/extend-dynatrace/opentelemetry/opentelemetry-traces/opentelemetry-ingest/opent-python)

+* Node.js: [Instrument Node.js applications with OpenTelemetry](https://www.dynatrace.com/support/help/extend-dynatrace/opentelemetry/opentelemetry-traces/opentelemetry-ingest/opent-nodejs)

+AppDynamics:

+* Python: [Install the Python Agent](https://docs.appdynamics.com/4.5.x/en/application-monitoring/install-app-server-agents/python-agent/install-the-python-agent)

+* Node.js: [Installing the Node.js Agent](https://docs.appdynamics.com/4.5.x/en/application-monitoring/install-app-server-agents/node-js-agent/install-the-node-js-agent#InstalltheNode.jsAgent-install_nodejsInstallingtheNode.jsAgent)

+### View the container logs

+To view the console logs of your container application, the following CLI command can be used:

+```azurecli

+az spring-cloud app logs \

+ --resource-group <your-resource-group> \

+ --name <your-app-name> \

+ --service <your-service-name> \

+ --instance <your-instance-name>

+```

+To view the container events logs from the Azure Monitor, enter the query:

+```query

+AppPlatformContainerEventLogs

+| where App == "hw-20220317-1b"

+```

+### Scan your image for vulnerabilities

+We recommend that you use Microsoft Defender for Cloud with ACR to prevent your images from being vulnerable. For more information, see [Microsoft Defender for Cloud] (/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks#scanning-images-in-acr-registries)

+### Switch between JAR deployment and container deployment

+You can switch the deployment type directly by redeploying using the following command:

+```azurecli

+az spring-cloud app deploy \

+ --resource-group <your-resource-group> \

+ --name <your-app-name> \

+ --container-image <your-container-image> \

+ --service <your-service-name>

+```

+### Create another deployment with an existing JAR deployment

+You can create another deployment using an existing JAR deployment using the following command:

+```azurecli

+az spring-cloud app deployment create \

+ --resource-group <your-resource-group> \

+ --name <your-deployment-name> \

+ --app <your-app-name> \

+ --container-image <your-container-image> \

+ --service <your-service-name>

+```

+> [!NOTE]

+> Automating deployments using Azure Pipelines Tasks or GitHub Actions are not currently supported.

+## Next steps

+* [How to capture dumps](/azure/spring-cloud/how-to-capture-dumps)

+- Set the `production_branch` input to your production branch name on the `static-web-apps-deploy` job in GitHub action or on the AzureStaticWebApp task. This ensures changes to your production branch are deployed to the production environment, while changes to other branches are deployed to a preview environment.

+- List the branches you want to deploy to preview environments in the trigger array in your workflow configuration so that changes to those branches also trigger the GitHub Actions or Azure Pipelines deployment.

+ - Set this array to `**` for GitHub Actions or `*` for Azure Pipelines if you want to track all branches.

+# [GitHub Actions](#tab/github-actions)

+# [Azure Pipelines](#tab/azure-devops)

+```yml

+trigger:

+ - main

+ - dev

+ - staging

+pool:

+ vmImage: ubuntu-latest

+steps:

+ - checkout: self

+ submodules: true

+ - task: AzureStaticWebApp@0

+ inputs:

+ ...

+ production_branch: 'main'

+```

+

+ Title: Create named preview environments in Azure Static Web Apps

+description: Expose stable URLs for named environments to evaluate changes in Azure Static Web Apps

+# Create named preview environments in Azure Static Web Apps

+You can configure your site to deploy every change to a named environment. This preview deployment is published at a stable URL that includes the environment name. For example, if the environment is named `release`, then the preview is available at a location like `<DEFAULT_HOST_NAME>-release.<LOCATION>.azurestaticapps.net`.

+## Configuration

+To enable stable URL environments with named deployment environment, make the following changes to your [configuration file](configuration.md).

+- Set the `deployment_environment` input to a specific name on the `static-web-apps-deploy` job in GitHub action or on the AzureStaticWebApp task. This ensures all changes to your tracked branches are deployed to the named preview environment.

+- List the branches you want to deploy to preview environments in the trigger array in your workflow configuration so that changes to those branches also trigger the GitHub Actions or Azure Pipelines deployment.

+ - Set this array to `**` for GitHub Actions or `*` for Azure Pipelines if you want to track all branches.

+## Example

+The following example demonstrates how to enable branch preview environments.

+# [GitHub Actions](#tab/github-actions)

+```yml

+name: Azure Static Web Apps CI/CD

+on:

+ push:

+ branches:

+ - "**"

+ pull_request:

+ types: [opened, synchronize, reopened, closed]

+ branches:

+ - main

+jobs:

+ build_and_deploy_job:

+ ...

+ name: Build and Deploy Job

+ steps:

+ - uses: actions/checkout@v2

+ with:

+ submodules: true

+ - name: Build And Deploy

+ id: builddeploy

+ uses: Azure/static-web-apps-deploy@v1

+ with:

+ ...

+ deployment_environment: "release"

+```

+# [Azure Pipelines](#tab/azure-devops)

+```yml

+trigger:

+ - "*"

+pool:

+ vmImage: ubuntu-latest

+steps:

+ - checkout: self

+ submodules: true

+ - task: AzureStaticWebApp@0

+ inputs:

+ ...

+ deployment_environment: "release"

+```

+> [!NOTE]

+> The `...` denotes code skipped for clarity.

+In this example, changes to all branches will be deployed to the `release` named preview environment.

+## Next Steps

+> [!div class="nextstepaction"]

+> [Review pull requests in pre-production environments](./review-publish-pull-requests.md)

+- [**Branch**](branch-environments.md): You can optionally configure your site to deploy every change made to branches that aren't a production branch. This preview deployment is published at a stable URL that includes the branch name. For example, if the branch is named `dev`, then the environment is available at a location like `<DEFAULT_HOST_NAME>-dev.<LOCATION>.azurestaticapps.net`.

+- [**Named environment**](named-environments.md): You can configure your pipeline to deploy all changes to a named environment. This preview deployment is published at a stable URL that includes the environment name. For example, if the deployment environment is named `release`, then the environment is available at a location like `<DEFAULT_HOST_NAME>-release.<LOCATION>.azurestaticapps.net`.

+When it completes connecting, Azure Storage Explorer loads with the **Explorer** tab shown. This view gives you insight to all of your Azure storage accounts as well as local storage configured through the [Azurite storage emulator](../common/storage-use-azurite.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json) or [Azure Stack](/azure-stack/user/azure-stack-storage-connect-se?toc=%2fazure%2fstorage%2fblobs%2ftoc.json) environments.

+When it completes connecting, Azure Storage Explorer loads with the **Explorer** tab shown. This view gives you insight to all of your Azure storage accounts as well as local storage configured through the [Azurite storage emulator](../common/storage-use-azurite.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json) or [Azure Stack](/azure-stack/user/azure-stack-storage-connect-se?toc=%2fazure%2fstorage%2fblobs%2ftoc.json) environments.

+After Storage Explorer finishes connecting, it displays the **Explorer** tab. This view gives you insight to all of your Azure storage accounts as well as local storage configured through the [Azurite storage emulator](../common/storage-use-azurite.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json) or [Azure Stack](/azure-stack/user/azure-stack-storage-connect-se?toc=%2fazure%2fstorage%2fblobs%2ftoc.json) environments.

+- **Shared Key authorization** for blobs, files, queues, and tables. A client using Shared Key passes a header with every request that is signed using the storage account access key. For more information, see [Authorize with Shared Key](/rest/api/storageservices/authorize-with-shared-key/).

+ Microsoft recommends that you disallow Shared Key authorization for your storage account. When Shared Key authorization is disallowed, clients must use Azure AD or a user delegation SAS to authorize requests for data in that storage account. For more information, see [Prevent Shared Key authorization for an Azure Storage account](shared-key-authorization-prevent.md).

+- **Shared access signatures** for blobs, files, queues, and tables. Shared access signatures (SAS) provide limited delegated access to resources in a storage account via a signed URL. The signed URL specifies the permissions granted to the resource and the interval over which the signature is valid. A service SAS or account SAS is signed with the account key, while the user delegation SAS is signed with Azure AD credentials and applies to blobs only. For more information, see [Using shared access signatures (SAS)](storage-sas-overview.md).

+ - To block traffic from all networks, select **Disabled**.

+ "anyOf": [

+ {

+ "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",

+ "notEquals": "TLS1_2"

+ },

+ {

+ "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",

+ "exists": "false"

+ }

+ ]

+ "anyOf": [

+ {

+ "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",

+ "notEquals": "TLS1_2"

+ },

+ {

+ "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",

+ "exists": "false"

+ }

+ ]

+| Acess same data from Windows and Linux client| Γ¢ö |

+* Create a Windows Server 2022 or Windows Server 2019 virtual machine, or deploy a physical server. A Windows Server failover cluster is also supported.

+ 3. when more free space is created on the volume, proceed with the next batch of files. Alternatively, review the RoboCopy command in the [RoboCopy section](#phase-7-robocopy) of this article for use of the new `/LFSM` switch. Using `/LFSM` can significantly simplify your RoboCopy jobs, but it is not compatible with some other RoboCopy switches you might depend on. Only use the `/LFSM` switch when the migration destination is local storage. It's not supported when the destination is a remote SMB share.

+| Maximum object name length (total pathname including all directories and filename) | 2,048 characters | 2,048 characters |

+| Maximum individual pathname component length (in the path \A\B\C\D, each letter represents a directory or file that is an individual component) | 255 characters | 255 characters |

+- [Microsoft Purview account](../../purview/create-catalog-portal.md)

+- [Microsoft Purview account](../../purview/create-catalog-portal.md)

+A basic authentication approach requires user to configure `username` and `password` options. Refer to the section - [Configuration options](#configuration-options) to learn about relevant configuration parameters for reading from and writing to tables in Azure Synapse Dedicated SQL Pool.

+* **Write using basic authentication**

+ //Defaults to storage path defined in the runtime configurations

+#### Write using basic authentication

+## User sessions

+In this section, we'll go over each of the three types of user sessions that end users can have.

+### Active user session

+A user session is considered "active" when a user signs in and connects to their remote app or desktop resource.

+### Disconnected user session

+A disconnected user session is an inactive session that the user hasn't signed out of yet. When a user closes the remote session window without signing out, the session becomes disconnected. When a user reconnects to their remote resources, they'll be redirected to their disconnected session on the session host they were working on. At this point, the disconnected session becomes an active session again.

+### Pending user session

+A pending user session is a placeholder session that reserves a spot on the load-balanced virtual machine for the user. Because the sign-in process can take anywhere from 30 seconds to five minutes depending on the user profile, this placeholder session ensures that the user won't be kicked out of their session if another user completes their sign-in process first.

+1. Under **Disk options**, by default the OS disk is set to **Delete with VM**. If you don't want to delete the OS disk, clear the checkbox. If you're using an existing OS disk, the default is to detach the OS disk when the VM is deleted.

+| Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Base CPU Perf of VM | Max CPU Perf of VM | Initial Credits | Credits banked/hour | Max Banked Credits | Max data disks | Max uncached disk throughput: IOPS/MBps | Max burst uncached disk throughput: IOPS/MBps¹ |Max NICs |

+||||||||||||||

+| Standard_B1ls² | 1 | 0.5 | 4 | 5% | 100% | 30 | 3 | 72 | 2 | 160/10 | 4000/100 | 2 |

+| Standard_B1s | 1 | 1 | 4 | 10% | 100% | 30 | 6 | 144 | 2 | 320/10 | 4000/100 | 2 |

+| Standard_B1ms | 1 | 2 | 4 | 20% | 100% | 30 | 12 | 288 | 2 | 640/10 | 4000/100 | 2 |

+| Standard_B2s | 2 | 4 | 8 | 40% | 200% | 60 | 24 | 576 | 4 | 1280/15 | 4000/100 | 3 |

+| Standard_B2ms | 2 | 8 | 16 | 60% | 200% | 60 | 36 | 864 | 4 | 1920/22.5 | 4000/100 | 3 |

+| Standard_B4ms | 4 | 16 | 32 | 90% | 400% | 120 | 54 | 1296 | 8 | 2880/35 | 8000/200 | 4 |

+| Standard_B8ms | 8 | 32 | 64 | 135% | 800% | 240 | 81 | 1944 | 16 | 4320/50 | 8000/200 | 4 |

+| Standard_B12ms | 12 | 48 | 96 | 202% | 1200% | 360 | 121 | 2909 | 16 | 4320/50 | 16000/400 | 6 |

+| Standard_B16ms | 16 | 64 | 128 | 270% | 1600% | 480 | 162 | 3888 | 32 | 4320/50 | 16000/400 | 8 |

+| Standard_B20ms | 20 | 80 | 160 | 337% | 2000% | 600 | 203 | 4860 | 32 | 4320/50 | 16000/400 | 8 |

+[Configure a VNet-to-VNet VPN gateway connection by using the Azure portal](/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal).

+* [ExpressRoute documentation](https://azure.microsoft.com/documentation/services/expressroute/)

+* [Azure ExpressRoute pricing](https://azure.microsoft.com/pricing/details/expressroute/)

+* [ExpressRoute FAQ](/azure/expressroute/expressroute-faqs)

+* [Tutorial: Connect a virtual network to an ExpressRoute circuit](/azure/expressroute/expressroute-howto-linkvnet-arm)

+* [Quickstart: Create and modify an ExpressRoute circuit using Azure PowerShell](/azure/expressroute/expressroute-howto-circuit-arm)

+In order to avoid such a direct internet connectivity, you can configure Forced Tunneling with site-to-site connectivity between on-premises and Azure. The detailed description of the Forced Tunneling feature is published here:

+[Configure forced tunneling using the classic deployment model](/azure/vpn-gateway/vpn-gateway-about-forced-tunneling)

+Unmanaged disks only: The concepts as explained below may need to be compromised a bit when you deploy many SAP systems and the number of VMs deployed are exceeding the maximum limit of Storage Accounts per subscription. In such cases, VHDs of VMs need to be combined within one Storage Account. Usually you would do so by combining VHDs of SAP application layer VMs of different SAP systems. We also combined different VHDs of different DBMS VMs of different SAP systems in one Azure Storage Account. Thereby keeping the IOPS limits of Azure Storage Accounts in mind [Scalability and performance targets for standard storage accounts](/azure/storage/common/scalability-targets-standard-account)

+- [SAP HANA infrastructure configurations and operations on Azure](./hana-vm-operations.md)

+[azure-storage-redundancy]:/azure/storage/common/storage-redundancy

+ :::image type="content" source="./media/create-virtual-network-manager-portal/network-manager-basics.png" alt-text="Screenshot of Create a network manager Basics page.":::

+ | [Scope](concept-network-manager-scope.md#scope) | Define the scope for which Azure Virtual Network Manager can manage. This example will use a subscription-level scope.

+1. Select **Network Groups** under *Settings*, then select **+ Create**.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/add-network-group-2.png" alt-text="Screenshot of add a network group button.":::

+1. On the *Create a network group* page, enter a **Name** for the network group. This example will use the name **myNetworkGroup**. Select **Add** to create the network group.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/network-group-basics.png" alt-text="Screenshot of create a network group page.":::

+1. You'll see the new network group added to the *Network Groups* page.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/network-groups-list.png" alt-text="Screenshot of network group page with list of network groups.":::

+1. From the list of network groups, select **myNetworkGroup** and select **Add** under **Static membership** on the *myNetworkGroup* page.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/add-static-member.png" alt-text="Screenshot of add a virtual network f.":::

+1. On the *Add static members* page, select all three virtual networks created previously (VNetA, VNetB, and VNetC). Then select **Add** to add the 3 virtual networks to the network group.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/add-virtual-networks.png" alt-text="Screenshot of add virtual networks to network group page.":::

+1. Return to the *Network groups* page, and you'll see 3 members added under **Member virtual network**.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/list-network-members.png" alt-text="Screenshot of network manager instance page with three member virtual networks.":::

+1. Select **Configurations** under *Settings*, then select **+ Create**.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/add-configuration.png" alt-text="Screenshot of configuration creation screen for Network Manager.":::

+1. Select **Connectivity configuration** from the drop-down menu to begin creating a connectivity configuration.

+1. On the *Basics* page, enter the following information, and select **Next: Topology >**.

+1. On the *Topology* tab, select the *Mesh* topology if not selected, and leave the **Enable mesh connectivity across regions** unchecked. Cross-region connectivity isn't required for this set up since all the virtual networks are in the same region.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/topology-configuration.png" alt-text="Screenshot of topology selection for network group connectivity configuration.":::

+1. Select **+ Add** and then select the network group you created in the last section. Select **Select** to add the network group to the configuration.

+1. Select **Next: Review + Create >** and **Create** to create the configuration.

+1. Once the deployment completes, select **Refresh** and you'll see the new connectivity configuration added to the *Configurations* page.

+1. Select **Deployments** under *Settings*, then select **Deploy configurations**.

+ | Configurations | Select the type of configuration you want to deploy. This example will select **Include connectivity configurations in your goal state** . |

+ | Connectivity configurations | Select the **ConnectivityConfigA** configuration created from the previous section. |

+ | Regions | Select the region to deploy this configuration to. For this example, choose the **West US** region since all the virtual networks were created in that region. |

+1. Select **Next** and then select **Deploy** to complete the deployment.

+1. You should now see the deployment show up in the list for the selected region. The deployment of the configuration can take several minutes to complete.

+1. Select **Refresh** on the *Deployments* page to see the updated status of the configuration that you committed.

+1. To remove all configurations from a region, start in the virtual network manager and select **Deploy configurations**. Select the following settings:

+ :::image type="content" source="./media/create-virtual-network-manager-portal/none-configuration.png" alt-text="Screenshot of deploy a none connectivity configuration settings.":::

+ | Setting | Value |

+ | - | -- |

+ | Configurations | Select **Include connectivity configurations in your goal state**. |

+ | Connectivity configurations | Select the ****None - Remove existing connectivity configurations**** configuration. |

+ | Regions | Select **West US** as the deployed region. |

+1. Select **Next** and select **Deploy** to complete the deployment removal.

+1. To delete a configuration, select **Configurations** under *Settings* from the left pane of Azure Virtual Network Manager. Select the checkbox next to the configuration you want to remove and then select **Delete** at the top of the resource page. Select **Yes** to confirm the configuration deletion.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/delete-network-group.png" alt-text="Screenshot of delete a network group button.":::

+1. On the **Delete a network group** page, select the following options:

+ :::image type="content" source="./media/create-virtual-network-manager-portal/ng-delete-options.png" alt-text="Screenshot of Network group to be deleted option selection.":::

+ | Setting | Value |

+ | - | -- |

+ | Delete option | Select **Force delete the resource and all dependent resources**. |

+ | Confirm deletion | Enter the name of the network group. In this example, it's **myNetworkGroup**. |

+1. Select **Delete** and Select **Yes** to confirm the network group deletion.

+1. Once all network groups have been removed, select **Overview** from the left pane of Azure Virtual Network Manager and select **Delete**.

+1. On the **Delete a network manager** page, select the following options and select **Delete**. Select **Yes** to confirm the deletion.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/network-manager-delete.png" alt-text="Screenshot of network manager to be deleted option selection.":::

+ | Setting | Value |

+ | - | -- |

+ | Delete option | Select **Force delete the resource and all dependent resources**. |

+ | Confirm deletion | Enter the name of the network manager. In this example, it's **myAVNM**. |

+1. To delete the resource group, locate the resource group and select the **Delete resource group**. Confirm that you want to delete by entering the name of the resource group, then select **Delete**

+ :::image type="content" source="./media/create-virtual-network-manager-portal/add-configuration.png" alt-text="Screenshot of add a security admin configuration.":::

+1. On the **Basics** tab, enter a *Name* to identify this security configuration and select **Next: Rule collections**.

+1. Enter a *Name* to identify this rule collection and then select the *Target network groups* you want to apply the set of rules to.

+1. Select **+ Add** from the *Add a rule collection page*.

+1. Repeat steps 1-3 again if you want to add more rules to the rule collection.

+1. Once you're satisfied with all the rules you wanted to create, select **Add** to add the rule collection to the security admin configuration.

+ :::image type="content" source="./media/how-to-block-network-traffic-portal/save-rule-collection.png" alt-text="Screenshot of a rule collection.":::

+1. Then select **Review + Create** and **Create** to complete the security configuration.

+1. Select the configuration type of **Include security admin in your goal state** and the security configuration you created in the last section. Then choose the region(s) you would like to deploy this configuration to.

+1. Select **Next** and **Deploy** to deploy the security admin configuration.

+WAF on Application Gateway is based on the [Core Rule Set (CRS)](application-gateway-crs-rulegroups-rules.md) from the Open Web Application Security Project (OWASP).

+All of the WAF features listed below exist inside of a WAF policy. You can create multiple policies, and they can be associated with an Application Gateway, to individual listeners, or to path-based routing rules on an Application Gateway. This way, you can have separate policies for each site behind your Application Gateway if needed. For more information on WAF policies, see [Create a WAF Policy](create-waf-policy-ag.md).

+- SQL injection protection.

+- Cross-site scripting protection.

+- Protection against other common web attacks, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion.

+- Protection against HTTP protocol violations.

+- Protection against HTTP protocol anomalies, such as missing host user-agent and accept headers.

+- Protection against crawlers and scanners.

+- Detection of common application misconfigurations (for example, Apache and IIS).

+Application Gateway supports multiple rule sets, including CRS 3.2, CRS 3.1, and CRS 3.0. These rules protect your web applications from malicious activity.

+### Bot mitigation

+### WAF engines

+The Azure web application firewall (WAF) engine is the component that inspects traffic and determines whether a request includes a signature that represents a potential attack. When you use CRS 3.2 or later, your WAF runs the new [WAF engine](waf-engine.md), which gives you higher performance and an improved set of features. When you use earlier versions of the CRS, your WAF runs on an older engine. New features will only be available on the new Azure WAF engine.

+The Application Gateway WAF comes pre-configured with CRS 3.1 by default, but you can choose to use any other supported CRS version.

+CRS 3.2 offers a new engine and new rule sets defending against Java infections, an initial set of file upload checks, and fewer false positives compared with earlier versions of CRS. You can also [customize rules to suit your needs](application-gateway-customize-waf-rules-portal.md). Learn more about the new [Azure WAF engine](waf-engine.md).

+- SQL-injection attacks

+- Cross-site scripting attacks

+- Other common attacks, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion

+- HTTP protocol violations

+- HTTP protocol anomalies, such as missing host user-agent and accept headers

+- Bots, crawlers, and scanners

+- Common application misconfigurations (for example, Apache and IIS)

+### OWASP CRS 3.2

+> CRS 3.2 is only available on the WAF_v2 SKU. Because CRS 3.2 runs on the new Azure WAF engine, you can't downgrade to CRS 3.1 or earlier. If you need to downgrade, [contact Azure Support](https://aka.ms/azuresupportrequest).

+> [!NOTE]

+> CRS 2.2.9 is no longer supported for new WAF policies. We recommend you upgrade to the latest CRS version.

+# [OWASP 3.2](#tab/owasp32)

+The Azure Application Gateway Web Application Firewall (WAF) provides protection for web applications. This article describes the configuration for WAF exclusion lists. These settings are located in the WAF policy associated to your Application Gateway. To learn more about WAF policies, see [Azure Web Application Firewall on Azure Application Gateway](ag-overview.md) and [Create Web Application Firewall policies for Application Gateway](create-waf-policy-ag.md).

+Sometimes WAF might block a request that you want to allow for your application. WAF exclusion lists allow you to omit certain request attributes from a WAF evaluation. The rest of the request is evaluated as normal.

+For example, Active Directory inserts tokens that are used for authentication. When used in a request header, these tokens can contain special characters that might trigger a false positive detection from the WAF rules. By adding the header to an exclusion list, you can configure WAF to ignore the header, but WAF still evaluates the rest of the request.

+You can configure exclusions to apply when specific WAF rules are evaluated, or to apply globally to the evaluation of all WAF rules. Exclusion rules apply to your whole web application.

+## Identify request attributes to exclude

+When you configure a WAF exclusion, you must specify the attributes of the request that should be excluded from the WAF evaluation. You can configure a WAF exclusion for the following request attributes:

+* Request headers

+* Request cookies

+You can specify an exact request header, body, cookie, or query string attribute match. Or, you can specify partial matches. Use the following operators to configure the exclusion:

+In all cases matching is case insensitive. Regular expressions aren't allowed as selectors.

+### Request attributes by keys and values

+When you configure an exclusion, you need to determine whether you want to exclude the key or the value from WAF evaluation.

+For example, suppose your requests include this header:

+```

+My-Header: 1=1

+```

+The value of the header (`1=1`) might be detected as an attack by the WAF. But if you know this is a legitimate value for your scenario, you can configure an exclusion for the *value* of the header. To do so, you use the **RequestHeaderValues** request attribute, and select the header name (`My-Header`) with the value that should be ignored.

+> [!NOTE]

+> Request attributes by key and values are only available in CRS 3.2 and newer.

+>

+> Request attributes by names work the same way as request attributes by values, and are included for backward compatibility with CRS 3.1 and earlier versions. We recommend you use request attributes by values instead of attributes by names. For example, use **RequestHeaderValues** instead of **RequestHeaderNames**.

+In contrast, if your WAF detects the header's name (`My-Header`) as an attack, you could configure an exclusion for the header *key* by using the **RequestHeaderKeys** request attribute. The **RequestHeaderKeys** attribute is only available in CRS 3.2 and newer.

+## Exclusion scopes

+Exclusions can be configured to apply to a specific set of WAF rules, to rulesets, or globally across all rules.

+> [!TIP]

+> It's a good practice to make exclusions as narrow and specific as possible, to avoid accidentally leaving room for attackers to exploit your system. When you need to add an exclusion rule, use per-rule exclusions wherever possible.

+### Per-rule exclusions

+You can configure an exclusion for a specific rule, group of rules, or rule set. You must specify the rule or rules that the exclusion applies to. You also need to specify the request attribute that should be excluded from the WAF evaluation.

+Per-rule exclusions are available when you use the OWASP (CRS) ruleset version 3.2 or later.

+#### Example

+Suppose you want the WAF to ignore the value of the `User-Agent` request header. The `User-Agent` header contains a characteristic string that allows the network protocol peers to identify the application type, operating system, software vendor, or software version of the requesting software user agent. For more information, see [User-Agent](https://developer.mozilla.org/docs/Web/HTTP/Headers/User-Agent).

+There can be any number of reasons to disable evaluating this header. There could be a string that the WAF detects and assumes itΓÇÖs malicious. For example, the `User-Agent` header might include the classic SQL injection attack `x=x` in a string. In some cases, this can be legitimate traffic. So you might need to exclude this header from WAF evaluation.

+You can use the following approaches to exclude the `User-Agent` header from evaluation by all of the SQL injection rules:

+> [!NOTE]

+> As of early May 2022, we are rolling out updates to the Azure portal for these features. If you don't see configuration options in the portal, please use PowerShell, the Azure CLI, Bicep, or ARM templates to configure global or per-rule exclusions.

+# [Azure PowerShell](#tab/powershell)

+$ruleGroupEntry = New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleGroup `

+ -RuleGroupName 'REQUEST-942-APPLICATION-ATTACK-SQLI'

+$exclusionManagedRuleSet = New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleSet `

+ -RuleSetType 'OWASP' `

+ -RuleSetVersion '3.2' `

+ -RuleGroup $ruleGroupEntry

+$exclusionEntry = New-AzApplicationGatewayFirewallPolicyExclusion `

+ -MatchVariable "RequestHeaderValues" `

+ -SelectorMatchOperator 'Equals' `

+ -Selector 'User-Agent' `

+ -ExclusionManagedRuleSet $exclusionManagedRuleSet

+$wafPolicy = Get-AzApplicationGatewayFirewallPolicy `

+ -Name $wafPolicyName `

+ -ResourceGroupName $resourceGroupName

+$wafPolicy.ManagedRules[0].Exclusions.Add($exclusionEntry)

+$wafPolicy | Set-AzApplicationGatewayFirewallPolicy

+```

+# [Azure CLI](#tab/cli)

+```azurecli

+az network application-gateway waf-policy managed-rule exclusion rule-set add \

+ --resource-group $resourceGroupName \

+ --policy-name $wafPolicyName \

+ --type OWASP \

+ --version 3.2 \

+ --group-name 'REQUEST-942-APPLICATION-ATTACK-SQLI' \

+ --match-variable 'RequestHeaderValues' \

+ --match-operator 'Equals' \

+ --selector 'User-Agent'

+# [Bicep](#tab/bicep)

+```bicep

+resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2021-05-01' = {

+ name: wafPolicyName

+ location: location

+ properties: {

+ managedRules: {

+ managedRuleSets: [

+ {

+ ruleSetType: 'OWASP'

+ ruleSetVersion: '3.2'

+ }

+ ]

+ exclusions: [

+ {

+ matchVariable: 'RequestHeaderValues'

+ selectorMatchOperator: 'Equals'

+ selector: 'User-Agent'

+ exclusionManagedRuleSets: [

+ {

+ ruleSetType: 'OWASP'

+ ruleSetVersion: '3.2'

+ ruleGroups: [

+ {

+ ruleGroupName: 'REQUEST-942-APPLICATION-ATTACK-SQLI'

+ }

+ ]

+ }

+ ]

+ }

+ ]

+ }

+ }

+}

+```

+# [ARM template](#tab/armtemplate)

+```json

+{

+ "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",

+ "apiVersion": "2021-05-01",

+ "name": "[parameters('wafPolicyName')]",

+ "location": "[parameters('location')]",

+ "properties": {

+ "managedRules": {

+ "managedRuleSets": [

+ {

+ "ruleSetType": "OWASP",

+ "ruleSetVersion": "3.2"

+ }

+ ],

+ "exclusions": [

+ {

+ "matchVariable": "RequestHeaderValues",

+ "selectorMatchOperator": "Equals",

+ "selector": "User-Agent",

+ "exclusionManagedRuleSets": [

+ {

+ "ruleSetType": "OWASP",

+ "ruleSetVersion": "3.2",

+ "ruleGroups": [

+ {

+ "ruleGroupName": "REQUEST-942-APPLICATION-ATTACK-SQLI"

+ }

+ ]

+ }

+ ]

+ }

+ ]

+ }

+ }

+}

+```

+### Global exclusions

+You can configure an exclusion to apply across all WAF rules.

+#### Example

+Suppose you want to exclude the value in the *user* parameter that is passed in the request via the URL. For example, say itΓÇÖs common in your environment for the `user` query string argument to contain a string that the WAF views as malicious content, so it blocks it. You can exclude all query string arguments where the name begins with the word `user`, so that the WAF doesn't evaluate the field's value.

+The following example shows how you can exclude the `user` query string argument from evaluation:

+> [!NOTE]

+> As of early May 2022, we are rolling out updates to the Azure portal for these features. If you don't see configuration options in the portal, please use PowerShell, the Azure CLI, Bicep, or ARM templates to configure global or per-rule exclusions.

+# [Azure PowerShell](#tab/powershell)

+$exclusion = New-AzApplicationGatewayFirewallExclusionConfig `

+ -MatchVariable 'RequestArgNames' `

+ -SelectorMatchOperator 'StartsWith' `

+ -Selector 'user'

+```

+# [Azure CLI](#tab/cli)

+```azurecli

+az network application-gateway waf-policy managed-rule exclusion add \

+ --resource-group $resourceGroupName \

+ --policy-name $wafPolicyName \

+ --match-variable 'RequestArgNames' \

+ --selector-match-operator 'StartsWith' \

+ --selector 'user'

+```

+# [Bicep](#tab/bicep)

+```bicep

+resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2021-05-01' = {

+ name: wafPolicyName

+ location: location

+ properties: {

+ managedRules: {

+ managedRuleSets: [

+ {

+ ruleSetType: 'OWASP'

+ ruleSetVersion: '3.2'

+ }

+ ]

+ exclusions: [

+ {

+ matchVariable: 'RequestArgNames'

+ selectorMatchOperator: 'StartsWith'

+ selector: 'user'

+ }

+ ]

+ }

+ }

+}

+# [ARM template](#tab/armtemplate)

+```json

+{

+ "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",

+ "apiVersion": "2021-05-01",

+ "name": "[parameters('wafPolicyName')]",

+ "location": "[parameters('location')]",

+ "properties": {

+ "managedRules": {

+ "managedRuleSets": [

+ {

+ "ruleSetType": "OWASP",

+ "ruleSetVersion": "3.2"

+ }

+ ],

+ "exclusions": [

+ {

+ "matchVariable": "RequestArgNames",

+ "selectorMatchOperator": "StartsWith",

+ "selector": "user"

+ }

+ ]

+ }

+ }

+}

+```

+So if the URL `http://www.contoso.com/?user%3c%3e=joe` is scanned by the WAF, it won't evaluate the string **joe**, but it will still evaluate the parameter name **user%3c%3e**.

+ - **WAF Policy**: Select **Create new**, type a name for the new policy, and then select **OK**.

+ This creates a basic WAF policy with a managed Core Rule Set (CRS).

+ :::image type="content" source="../media/application-gateway-web-application-firewall-portal/application-gateway-create-basics.png" alt-text="Screenshot of Create new application gateway: Basics tab." lightbox="../media/application-gateway-web-application-firewall-portal/application-gateway-create-basics.png":::

+2. Set the location parameter for your environment, and then run the following command to install IIS on the virtual machine:

+You can use the Bot Protection ruleset alongside any of the OWASP rulesets with the Application Gateway WAF v2 SKU. Only one OWASP ruleset can be used at any given time. The bot protection ruleset contains an additional rule that appears in its own ruleset. It's titled **Microsoft_BotManagerRuleSet_0.1**, and you can enable or disable it like the other OWASP rules.

+ Title: WAF engine on Azure Application Gateway

+description: This article provides an overview of the Azure WAF engine.

+# WAF engine on Azure Application Gateway

+The Azure Web Application Firewall (WAF) engine is the component that inspects traffic and determines whether a request includes a signature that represents a potential attack and takes appropriate action depending on the configuration.

+## Next generation of WAF engine

+The new WAF engine is a high-performance, scalable Microsoft proprietary engine and has significant improvements over the previous WAF engine.

+The new engine, released with CRS 3.2, provides the following benefits:

+* **Improved performance:** Significant improvements in WAF latency, including P99 POST and GET latencies. We observed a significant reduction in P99 tail latencies with up to approximately 8x reduction in processing POST requests and approximately 4x reduction in processing GET requests.

+* **Increased scale:** Higher requests per second (RPS), using the same compute power and with the ability to process larger request sizes. Our next-generation engine can scale up to 8 times more RPS using the same compute power, and has an ability to process 16 times larger request sizes (up to 2 MB request sizes), which was not possible with the previous engine.

+* **Better protection:** New redesigned engine with efficient regex processing offers better protection against RegEx denial of service (DOS) attacks while maintaining a consistent latency experience.

+* **Richer feature set:** New features and future enhancement are available only through the new engine.

+## Support for new features

+There are many new features that are only supported in the Azure WAF engine. The features include:

+* [CRS 3.2](application-gateway-crs-rulegroups-rules.md#owasp-crs-32)

+ * Increased request body size limit to 2 MB

+ * Increased file upload limit to 4 GB

+* [WAF v2 metrics](application-gateway-waf-metrics.md#application-gateway-waf-v2-metrics)

+* [Per rule exclusions](application-gateway-waf-configuration.md) and support for exclusion attributes by name

+New WAF features will only be released with later versions of CRS on the new WAF engine.

+## Request logging for custom rules

+There's a difference between how the previous engine and the new WAF engine log requests when a custom rule defines the action type as *Log*.

+When your WAF runs in prevention mode, the previous engine logs the request's action type as *Blocked* even though the request is allowed through by the custom rule. In detection mode, the previous engine logs the same request's action type as *Detected*.

+In contrast, the new WAF engine logs the request action type as *Log*, whether the WAF is running in prevention or detection mode.

+## Next steps

+Learn more about [WAF managed rules](application-gateway-crs-rulegroups-rules.md).