-### Verify the application's publisher domain

-As of November 2020, new application registrations show up as unverified in the user consent prompt unless [the application's publisher domain is verified](../active-directory/develop/howto-configure-publisher-domain.md) ***and*** the companyΓÇÖs identity has been verified with the Microsoft Partner Network and associated with the application. ([Learn more](../active-directory/develop/publisher-verification-overview.md) about this change.) Note that for Azure AD B2C user flows, the publisherΓÇÖs domain appears only when using a Microsoft account or other [Azure AD](../active-directory-b2c/identity-provider-azure-ad-single-tenant.md) tenant as the identity provider. To meet these new requirements, do the following:

-1. [Verify your company identity using your Microsoft Partner Network (MPN) account](/partner-center/verification-responses). This process verifies information about your company and your companyΓÇÖs primary contact.

-1. Complete the publisher verification process to associate your MPN account with your app registration using one of the following options:

- - If the app registration for the Microsoft account identity provider is in an Azure AD tenant, [verify your app in the App Registration portal](../active-directory/develop/mark-app-as-publisher-verified.md).

- - If your app registration for the Microsoft account identity provider is in an Azure AD B2C tenant, [mark your app as publisher verified using Microsoft Graph APIs](../active-directory/develop/troubleshoot-publisher-verification.md#making-microsoft-graph-api-calls) (for example, using Graph Explorer). The UI for setting an appΓÇÖs verified publisher is currently disabled for Azure AD B2C tenants.

-In this article, you'll learn how to:

-1. In the left navigation pane, select **provisioning**. From the provisioning configuration page, click on **attribute mappings**, then **show advanced options**, and finally **review your schema**. This will take you to the schema editor.

-Exporting and saving your configuration allows you to roll back to a previous version of your configuration. We recommend exporting your provisioning configuration and saving it for later use anytime you make a change to your attribute mappings or scoping filters. All you need to do is open up the JSON file that you downloaded in the steps above, copy the entire contents of the JSON file, replace the entire contents of the JSON payload in the schema editor, and then save. If there is an active provisioning cycle, it will complete and the next cycle will use the updated schema. The next cycle will also be an initial cycle, which reevaluates every user and group based on the new configuration. Consider the following when rolling back to a previous configuration:

-1. In the Properties section of your provisioning app, copy the GUID value associated with the *Object ID* field. This value is also called the **ServicePrincipalId** of your App and it will be used in Microsoft Graph Explorer operations.

-1. Upon successful sign-in, you will see the user account details in the left-hand pane.

-You will get a response as shown below. Copy the "id attribute" present in the response. This value is the **ProvisioningJobId** and will be used to retrieve the underlying schema metadata.

-Select **Run Query** to import the new schema.

-1. To deploy the Microsoft.SCIM.WebHostSample app to Azure App Services, [create a new App Services](../../app-service/quickstart-dotnetcore.md?tabs=net60&pivots=development-environment-vscode#publish-your-web-app).

-To develop a SCIM-compliant user and group endpoint with interoperability for a client, see [SCIM client implementation](http://www.simplecloud.info/#Implementations2).

-# Customer intent: As an identity administrator, I want to encourage users to use the Microsoft Authenticator app in Azure AD to improve and secure user sign-in events.

-# How to use number matching in multifactor authentication (MFA) notifications - Authentication methods policy

-This topic covers how to enable number matching in Microsoft Authenticator push notifications to improve user sign-in security.

->[!NOTE]

->Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting May 8, 2023.<br>

->We highly recommend enabling number matching in the near term for improved sign-in security. Relevant services will begin deploying these changes after May 8, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all users, we highly recommend you enable number match for Microsoft Authenticator push notifications in advance.

-## Prerequisites

-## Number matching

-Number matching can be targeted to only a single group, which can be dynamic or nested. On-premises synchronized security groups and cloud-only security groups are supported for the Authentication methods policy.

-When a user responds to an MFA push notification using the Authenticator app, they'll be presented with a number. They need to type that number into the app to complete the approval. For more information about how to set up MFA, see [Tutorial: Secure user sign-in events with Azure AD Multi-Factor Authentication](tutorial-enable-azure-mfa.md).

-Self-service password reset (SSPR) with Microsoft Authenticator will require number matching when using Microsoft Authenticator. During self-service password reset, the sign-in page will show a number that the user will need to type into the Microsoft Authenticator notification. This number will only be seen by users who are enabled for number matching. For more information about how to set up SSPR, see [Tutorial: Enable users to unlock their account or reset passwords](howto-sspr-deployment.md).

-Combined registration with Microsoft Authenticator will require number matching. When a user goes through combined registration to set up the Authenticator app, the user is asked to approve a notification as part of adding the account. For users who are enabled for number matching, this notification will show a number that they need to type in their Authenticator app notification. For more information about how to set up combined registration, see [Enable combined security information registration](howto-registration-mfa-sspr-combined.md).

-AD FS adapter will require number matching on supported versions of Windows Server. On earlier versions, users will continue to see the **Approve**/**Deny** experience and wonΓÇÖt see number matching until you upgrade. The AD FS adapter supports number matching only after installing one of the updates in the following table. For more information about how to set up AD FS adapter, see [Configure Azure Active Directory (Azure AD) Multi-Factor Authentication Server to work with AD FS in Windows Server](howto-mfaserver-adfs-windows-server.md).

->Unpatched versions of Windows Server don't support number matching. Users will continue to see the **Approve**/**Deny** experience and won't see number matching unless these updates are applied.

-Although NPS doesn't support number matching, the latest NPS extension does support time-based one-time password (TOTP) methods such as the TOTP available in Microsoft Authenticator, other software tokens, and hardware FOBs. TOTP sign-in provides better security than the alternative **Approve**/**Deny** experience. Make sure you run the latest version of the [NPS extension](https://www.microsoft.com/download/details.aspx?id=54688).

-After May 8, 2023, when number matching is enabled for all users, anyone who performs a RADIUS connection with NPS extension version 1.2.2216.1 or later will be prompted to sign in with a TOTP method instead.

-Prior to the release of NPS extension version 1.2.2216.1 after May 8, 2023, organizations that run any of these earlier versions of NPS extension can modify the registry to require users to enter a TOTP:

- >MSCHAPv2 doesn't support TOTP. If the NPS Server isn't configured to use PAP, user authorization will fail with events in the **AuthZOptCh** log of the NPS Extension server in Event Viewer:<br>

- >You can configure the NPS Server to support PAP. If PAP is not an option, you can set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE to fall back to Approve/Deny push notifications.

-If your organization uses Remote Desktop Gateway and the user is registered for a TOTP code along with Microsoft Authenticator push notifications, the user won't be able to meet the Azure AD MFA challenge and Remote Desktop Gateway sign-in will fail. In this case, you can set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE to fall back to **Approve**/**Deny** push notifications with Microsoft Authenticator.

-This is because TOTP will be preferred over the **Approve**/**Deny** push notification and Remote Desktop Gateway doesn't provide the option to enter a verification code with Azure AD Multi-Factor Authentication. For more information, see [Configure accounts for two-step verification](howto-mfa-nps-extension-rdg.md#configure-accounts-for-two-step-verification).

-### Apple Watch supported for Microsoft Authenticator

-In the upcoming Microsoft Authenticator release in January 2023 for iOS, there will be no companion app for watchOS due to it being incompatible with Authenticator security features. You won't be able to install or use Microsoft Authenticator on Apple Watch. We therefore recommend that you [delete Microsoft Authenticator from your Apple Watch](https://support.apple.com/HT212064), and sign in with Microsoft Authenticator on another device.

-## Enable number matching in the portal

-To enable number matching in the Azure portal, complete the following steps:

-1. In the Azure portal, click **Security** > **Authentication methods** > **Microsoft Authenticator**.

-1. On the **Enable and Target** tab, click **Yes** and **All users** to enable the policy for everyone or add selected users and groups. Set the **Authentication mode** for these users/groups to **Any** or **Push**.

- Only users who are enabled for Microsoft Authenticator here can be included in the policy to require number matching for sign-in, or excluded from it. Users who aren't enabled for Microsoft Authenticator can't see the feature.

- :::image type="content" border="true" source="./media/how-to-mfa-number-match/enable-settings-number-match.png" alt-text="Screenshot of how to enable Microsoft Authenticator settings for Push authentication mode.":::

-1. On the **Configure** tab, for **Require number matching for push notifications**, change **Status** to **Enabled**, choose who to include or exclude from number matching, and click **Save**.

- :::image type="content" border="true" source="./media/how-to-mfa-number-match/number-match.png" alt-text="Screenshot of how to enable number matching.":::

-## Enable number matching using Graph APIs

-Identify your single target group for the schema configuration. Then use the following API endpoint to change the numberMatchingRequiredState property under featureSettings to **enabled**, and include or exclude groups:

-```

-https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

-```

->[!NOTE]

->In Graph Explorer, you'll need to consent to the **Policy.Read.All** and **Policy.ReadWrite.AuthenticationMethod** permissions.

-### MicrosoftAuthenticatorAuthenticationMethodConfiguration properties

-**PROPERTIES**

-| Property | Type | Description |

-|||-|

-| id | String | The authentication method policy identifier. |

-| state | authenticationMethodState | Possible values are: **enabled**<br>**disabled** |

-

-**RELATIONSHIPS**

-| Relationship | Type | Description |

-|--||-|

-| includeTargets | [microsoftAuthenticatorAuthenticationMethodTarget](/graph/api/resources/passwordlessmicrosoftauthenticatorauthenticationmethodtarget) collection | A collection of users or groups who are enabled to use the authentication method |

-| featureSettings | [microsoftAuthenticatorFeatureSettings](/graph/api/resources/passwordlessmicrosoftauthenticatorauthenticationmethodtarget) collection | A collection of Microsoft Authenticator features. |

-

-### MicrosoftAuthenticator includeTarget properties

-

-**PROPERTIES**

-| Property | Type | Description |

-|-||-|

-| authenticationMode | String | Possible values are:<br>**any**: Both passwordless phone sign-in and traditional second factor notifications are allowed.<br>**deviceBasedPush**: Only passwordless phone sign-in notifications are allowed.<br>**push**: Only traditional second factor push notifications are allowed. |

-| id | String | Object ID of an Azure AD user or group. |

-| targetType | authenticationMethodTargetType | Possible values are: **user**, **group**.|

-### MicrosoftAuthenticator featureSettings properties

-

-**PROPERTIES**

-| Property | Type | Description |

-|-||-|

-| numberMatchingRequiredState | authenticationMethodFeatureConfiguration | Require number matching for MFA notifications. Value is ignored for phone sign-in notifications. |

-| displayAppInformationRequiredState | authenticationMethodFeatureConfiguration | Determines whether the user is shown application name in Microsoft Authenticator notification. |

-| displayLocationInformationRequiredState | authenticationMethodFeatureConfiguration | Determines whether the user is shown geographic location context in Microsoft Authenticator notification. |

-### Authentication method feature configuration properties

-**PROPERTIES**

-| Property | Type | Description |

-|-||-|

-| excludeTarget | featureTarget | A single entity that is excluded from this feature. <br>You can only exclude one group for number matching. |

-| includeTarget | featureTarget | A single entity that is included in this feature. <br>You can only include one group for number matching.|

-| State | advancedConfigState | Possible values are:<br>**enabled** explicitly enables the feature for the selected group.<br>**disabled** explicitly disables the feature for the selected group.<br>**default** allows Azure AD to manage whether the feature is enabled or not for the selected group. |

-### Feature target properties

-**PROPERTIES**

-| Property | Type | Description |

-|-||-|

-| id | String | ID of the entity targeted. |

-| targetType | featureTargetType | The kind of entity targeted, such as group, role, or administrative unit. The possible values are: ΓÇÿgroupΓÇÖ, 'administrativeUnitΓÇÖ, ΓÇÿroleΓÇÖ, unknownFutureValueΓÇÖ. |

->[!NOTE]

->Number matching can be enabled only for a single group.

-### Example of how to enable number matching for all users

-In **featureSettings**, you'll need to change the **numberMatchingRequiredState** from **default** to **enabled**.

-The value of Authentication Mode can be either **any** or **push**, depending on whether or not you also want to enable passwordless phone sign-in. In these examples, we'll use **any**, but if you don't want to allow passwordless, use **push**.

->[!NOTE]

->For passwordless users, enabling or disabling number matching has no impact because it's already part of the passwordless experience.

-You might need to patch the entire schema to prevent overwriting any previous configuration. In that case, do a GET first, update only the relevant fields, and then PATCH. The following example only shows the update to the **numberMatchingRequiredState** under **featureSettings**.

-Only users who are enabled for Microsoft Authenticator under Microsoft AuthenticatorΓÇÖs **includeTargets** will see the number match requirement. Users who aren't enabled for Microsoft Authenticator won't see the feature.

-```json

-//Retrieve your existing policy via a GET.

-//Leverage the Response body to create the Request body section. Then update the Request body similar to the Request body as shown below.

-//Change the Query to PATCH and Run query

-

-{

- "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

- "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",

- "id": "MicrosoftAuthenticator",

- "state": "enabled",

- "featureSettings": {

- "numberMatchingRequiredState": {

- "state": "enabled",

- "includeTarget": {

- "targetType": "group",

- "id": "all_users"

- },

- "excludeTarget": {

- "targetType": "group",

- "id": "00000000-0000-0000-0000-000000000000"

- }

- }

- },

- "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

- "includeTargets": [

- {

- "targetType": "group",

- "id": "all_users",

- "isRegistrationRequired": false,

- "authenticationMode": "any",

- }

- ]

-}

-

-```

-

-To confirm the change is applied, run the GET request by using the following endpoint:

-```http

-GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

-```

-### Example of how to enable number matching for a single group

-

-In **featureSettings**, you'll need to change the **numberMatchingRequiredState** value from **default** to **enabled.**

-Inside the **includeTarget**, you'll need to change the **id** from **all_users** to the ObjectID of the group from the Azure portal.

-To remove an excluded group from number matching, change the **id** of the **excludeTarget** to `00000000-0000-0000-0000-000000000000`.

-You need to PATCH the entire configuration to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The example below only shows the update to the **numberMatchingRequiredState**.

-Only users who are enabled for Microsoft Authenticator under Microsoft AuthenticatorΓÇÖs **includeTargets** will see the number match requirement. Users who aren't enabled for Microsoft Authenticator won't see the feature.

-```json

-{

- "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

- "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",

- "id": "MicrosoftAuthenticator",

- "state": "enabled",

- "featureSettings": {

- "numberMatchingRequiredState": {

- "state": "enabled",

- "includeTarget": {

- "targetType": "group",

- "id": "1ca44590-e896-4dbe-98ed-b140b1e7a53a"

- },

- "excludeTarget": {

- "targetType": "group",

- "id": "00000000-0000-0000-0000-000000000000"

- }

- }

- },

- "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

- "includeTargets": [

- {

- "targetType": "group",

- "id": "all_users",

- "isRegistrationRequired": false,

- "authenticationMode": "any"

- }

- ]

-}

-```

-

-To verify, run GET again and verify the ObjectID:

-```http

-GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

-```

-### When will my tenant see number matching if I don't use the Azure portal or Graph API to roll out the change?

-Number match will be enabled for all users of Microsoft Authenticator push notifications after May 8, 2023. We had previously announced that we will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting February 27, 2023. After listening to customers, we will extend the availability of the rollout controls for a few more weeks.

-Relevant services will begin deploying these changes after May 8, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all your users, we highly recommend you use the Azure portal or Graph API to roll out number match for all Microsoft Authenticator users.

-### What happens to number matching settings that are currently configured for a group in the Authentication methods policy after number matching is enabled for Authenticator push notifications after May 8th, 2023?

-When Microsoft begins protecting all organizations by enabling number matching after May 8th, 2023, administrators will see the **Require number matching for push notifications** setting on the **Configure** tab of the Microsoft Authenticator policy is set to **Enabled** for **All users** and can't be disabled. In addition, the **Exclude** option for this setting will be removed.

-### What happens for users who aren't specified in the Authentication methods policy but they are enabled for Notifications through mobile app in the legacy MFA tenant-wide policy?

-Users who are enabled for MFA push notifications in the legacy MFA policy will also see number match after May 8th, 2023. If the legacy MFA policy has enabled **Notifications through mobile app**, users will see number matching regardless of whether or not it's enabled on the **Enable and Target** tab for Microsoft Authenticator in the Authentication methods policy.

-### How should users be prepared for default number matching?

-Here are differences in sign-in scenarios that Microsoft Authenticator users will see after number matching is enabled by default:

-

- To create a registry entry that overrides this behavior and prompts users with **Approve**/**Deny**:

- 1. On the NPS Server, open the Registry Editor.

- 1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa.

- 1. Create the following String/Value:

- - Name: OVERRIDE_NUMBER_MATCHING_WITH_OTP

- - Value = FALSE

- 1. Restart the NPS Service.

-### How can users enter a TOTP with the NPS extension?

-The VPN and NPS server must be using PAP protocol for TOTP prompts to appear. If they're using a protocol that doesn't support TOTP, such as MSCHAPv2, they'll continue to see the **Approve/Deny** notifications.

-### Will users get a prompt similar to a number matching prompt, but will need to enter a TOTP?

-They'll see a prompt to supply a verification code. They must select their account in Microsoft Authenticator and enter the random generated code that appears there.

-### Can I opt out of number matching?

-Yes, currently you can disable number matching. We highly recommend that you enable number matching for all users in your tenant to protect yourself from MFA fatigue attacks. To protect the ecosystem and mitigate these threats, Microsoft will enable number matching for all tenants starting May 8, 2023. After protection is enabled by default, users can't opt out of number matching in Microsoft Authenticator push notifications.

-Relevant services will begin deploying these changes after May 8, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all users, we highly recommend you enable number match for Microsoft Authenticator push notifications in advance.

-### Does number matching only apply if Microsoft Authenticator is set as the default authentication method?

-If the user has a different default authentication method, there won't be any change to their default sign-in. If the default method is Microsoft Authenticator and the user is specified in either of the following policies, they'll start to receive number matching approval after May 8th, 2023:

-Regardless of their default method, any user who is prompted to sign-in with Authenticator push notifications will see number match after May 8th, 2023. If the user is prompted for another method, they won't see any change.

-### What happens if a user runs an older version of Microsoft Authenticator?

-If a user is running an older version of Microsoft Authenticator that doesn't support number matching, authentication won't work if number matching is enabled. Users need to upgrade to the latest version of Microsoft Authenticator to use it for sign-in.

-### Why is my user prompted to tap on one of three numbers rather than enter the number in their Microsoft Authenticator app?

-Older versions of Microsoft Authenticator prompt users to tap and select a number rather than enter the number in Microsoft Authenticator. These authentications won't fail, but Microsoft highly recommends that users upgrade to the latest version of Microsoft Authenticator.

-description: Learn how to build a desktop app that calls web APIs to acquire a token for the app interactively

-#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform.

-### In MSAL.NET

-`AcquireTokenInteractive` has only one mandatory parameter, ``scopes``, which contains an enumeration of strings that define the scopes for which a token is required. If the token is for Microsoft Graph, the required scopes can be found in the API reference of each Microsoft Graph API in the section named "Permissions." For instance, to [list the user's contacts](/graph/api/user-list-contacts), the scope "User.Read", "Contacts.Read" must be used. For more information, see [Microsoft Graph permissions reference](/graph/permissions-reference).

-On Android, you also need to specify the parent activity by using `.WithParentActivityOrWindow`, as shown, so that the token gets back to that parent activity after the interaction. If you don't specify it, an exception is thrown when calling `.ExecuteAsync()`.

-### Specific optional parameters in MSAL.NET

-The UI is important because it's interactive. `AcquireTokenInteractive` has one specific optional parameter that can specify, for platforms that support it, the parent UI. When used in a desktop application, `.WithParentActivityOrWindow` has a different type, which depends on the platform. Alternatively you can omit the optional parent window parameter to create a window, if you do not want to control where the sign-in dialog appears on the screen. This would be applicable for applications which are command line based, used to pass calls to any other backend service and do not need any windows for user interaction.

-`WithPrompt()` is used to control the interactivity with the user by specifying a prompt. The exact behavior can be controlled by using the [Microsoft.Identity.Client.Prompt](/dotnet/api/microsoft.identity.client.prompt) structure.

-The struct defines the following constants:

-This modifier is used in an advanced scenario where you want the user to pre-consent to several resources upfront, and you don't want to use incremental consent, which is normally used with MSAL.NET/the Microsoft identity platform. For more information, see [Have the user consent upfront for several resources](scenario-desktop-production.md#have-the-user-consent-upfront-for-several-resources).

-MSAL provides web UI implementations for most platforms, but there are cases where you might want to host the browser yourself:

-##### At a glance

-To achieve this, you give to MSAL `start Url`, which needs to be displayed in a browser of choice so that the end user can enter items such as their username.

-After authentication finishes, your app needs to pass back to MSAL `end Url`, which contains a code provided by Azure AD.

-The host of `end Url` is always `redirectUri`. To intercept `end Url`, do one of the following things:

-##### WithCustomWebUi is an extensibility point

-`WithCustomWebUi` is an extensibility point that you can use to provide your own UI in public client applications. You can also let the user go through the /Authorize endpoint of the identity provider and let them sign in and consent. MSAL.NET can then redeem the authentication code and get a token. For example, it's used in Visual Studio to have electrons applications (for instance, Visual Studio Feedback) provide the web interaction, but leave it to MSAL.NET to do most of the work. You can also use it if you want to provide UI automation. In public client applications, MSAL.NET uses the Proof Key for Code Exchange (PKCE) standard to ensure that security is respected. Only MSAL.NET can redeem the code. For more information, see [RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients](https://tools.ietf.org/html/rfc7636).

- ```csharp

- using Microsoft.Identity.Client.Extensions;

- ```

-##### Use WithCustomWebUi

-To use `.WithCustomWebUI`, follow these steps.

- 1. Implement the `ICustomWebUi` interface. For more information, see [this website](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/053a98d16596be7e9ca1ab916924e5736e341fe8/src/Microsoft.Identity.Client/Extensibility/ICustomWebUI.cs#L32-L70). Implement one `AcquireAuthorizationCodeAsync`method and accept the authorization code URL computed by MSAL.NET. Then let the user go through the interaction with the identity provider and return back the URL by which the identity provider would have called your implementation back along with the authorization code. If you have issues, your implementation should throw a `MsalExtensionException` exception to nicely cooperate with MSAL.

- 2. In your `AcquireTokenInteractive` call, use the `.WithCustomUI()` modifier passing the instance of your custom web UI.

- ```csharp

- result = await app.AcquireTokenInteractive(scopes)

- .WithCustomWebUi(yourCustomWebUI)

- .ExecuteAsync();

- ```

-##### Examples of implementation of ICustomWebUi in test automation: SeleniumWebUI

-The MSAL.NET team has rewritten the UI tests to use this extensibility mechanism. If you're interested, look at the [SeleniumWebUI](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/053a98d16596be7e9ca1ab916924e5736e341fe8/tests/Microsoft.Identity.Test.Integration/Infrastructure/SeleniumWebUI.cs#L15-L160) class in the MSAL.NET source code.

-To learn more about all the other optional parameters for `AcquireTokenInteractive`, see [AcquireTokenInteractiveParameterBuilder](/dotnet/api/microsoft.identity.client.acquiretokeninteractiveparameterbuilder#methods).

- // Load token cache from file and initialize token cache aspect. The token cache will have

- // Take first account in the cache. In a production application, you would filter

- // accountsInCache to get the right account for the user authenticating.

- // try to acquire token silently. This call will fail since the token cache

- // does not have any data for the user you are trying to acquire a token for

- // Try to acquire a token interactively with system browser. If successful, you should see

- // the token and account information printed out to console

-### In MSAL for iOS and macOS

-Objective-C:

-Swift:

- // Get access token from result

-In MSAL Node, you acquire tokens via authorization code flow with Proof Key for Code Exchange (PKCE). The process has two steps: first, the application obtains a URL that can be used to generate an authorization code. This URL can be opened in a browser of choice, where the user can input their credentials, and will be redirected back to the `redirectUri` (registered during the app registration) with an authorization code. Second, the application passes the authorization code received to the `acquireTokenByCode()` method which exchanges it for an access token.

- codeChallenge: challenge, // PKCE Code Challenge

- codeChallengeMethod: "S256" // PKCE Code Challenge Method

-// get url to sign user in and consent to scopes needed for application

- codeVerifier: verifier // PKCE Code Verifier

- // acquire a token by exchanging the code

-MSAL Python 1.7+ provides an interactive acquire token method.

-# Firstly, check the cache to see if this end user has signed in before

-description: Learn how to build a desktop app that calls web APIs to acquire a token for the app using web account manager

-#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform.

-# Desktop app that calls web APIs: Acquire a token using WAM

-MSAL is able to call Web Account Manager (WAM), a Windows 10+ component that ships with the OS. This component acts as an authentication broker and users of your app benefit from integration with accounts known from Windows, such as the account you signed-in with in your Windows session.

-Using an authentication broker such as WAM has numerous benefits.

-Most apps will need to reference `Microsoft.Identity.Client.Broker` package to use this integration. MAUI apps are not required to do this; the functionality is inside MSAL when the target is `net6-windows` and later.

-You can use the following pattern to use WAM.

- // Add a token cache, see https://learn.microsoft.com/azure/active-directory/develop/msal-net-token-cache-serialization?tabs=desktop

- // 2. Find a account for silent login

- // is there an account in the cache?

- // 3. no account in the cache, try to login with the OS account

- // cannot login silently - most likely AAD would like to show a consent dialog or the user needs to re-enter credentials

- // this is mandatory so that WAM is correctly parented to your app, read on for more guidance

- // consider allowing the user to re-authenticate with a different account, by calling AcquireTokenInteractive again

-If a broker isn't present (for example, Win8.1, Mac, or Linux), then MSAL will fall back to a browser, where redirect URI rules apply.

-WAM redirect URIs don't need to be configured in MSAL, but they must be configured in the app registration.

-It's important to persist MSAL's token cache because MSAL continues to store id tokens and account metadata there. See https://learn.microsoft.com/azure/active-directory/develop/msal-net-token-cache-serialization?tabs=desktop

-### Find a account for silent login

-The recommended pattern is:

-1. If the user previously logged in, use that account.

-2. If not, use `PublicClientApplication.OperatingSystemAccount` which the current Windows Account

-3. Allow the end-user to change to a different account by logging in interactively.

-## Parent Window Handles

-It is required to configure MSAL with the window that the interactive experience should be parented to, using `WithParentActivityOrWindow` APIs.

-For UI apps like WinForms, WPF, WinUI3 see https://learn.microsoft.com/windows/apps/develop/ui-input/retrieve-hwnd

-For console applications it is a bit more involved, because of the terminal window and its tabs. Use the following code:

-/// <param name="hwnd">A handle to the window whose ancestor is to be retrieved.

-This message indicates that either the application user closed the dialog that displays accounts, or the dialog itself crashed. A crash might occur if AccountsControl, a Windows control, is registered incorrectly in Windows. To resolve this issue:

-1. In the taskbar, right-click **Start**, and then select **Windows PowerShell (Admin)**.

-1. If you're prompted by a User Account Control (UAC) dialog, select **Yes** to start PowerShell.

-### "MsalClientException: ErrorCode: wam_runtime_init_failed" error message during Single-file deployment

-You may see the following error when packaging your application into a [single file bundle](/dotnet/core/deploying/single-file/overview).

-This error indicates that the native binaries from the [Microsoft.Identity.Client.NativeInterop](https://www.nuget.org/packages/Microsoft.Identity.Client.NativeInterop/) were not packaged into the single file bundle. To embed those files for extraction and get one output file, set the property IncludeNativeLibrariesForSelfExtract to true. Read more about [how to package native binaries into a single file](/dotnet/core/deploying/single-file/overview?tabs=cli#native-libraries).

-### Connection issues

-The application user sees an error message similar to "Please check your connection and try again." If this issue occurs regularly, see the [troubleshooting guide for Office](/microsoft-365/troubleshoot/authentication/connection-issue-when-sign-in-office-2016), which also uses the broker.

-[WPF sample that uses WAM](https://github.com/azure-samples/active-directory-dotnet-desktop-msgraph-v2)

-PS D:\> Get-MgGroup -All |Where-Object {$_.AdditionalProperties.writebackConfiguration.isEnabled -Like $true} |Select-Object Displayname,@{N="WriteBackEnabled";E={$_.AdditionalProperties.writebackConfiguration.isEnabled}}

- --address-prefixes 10.0.0.0/28

- The output of the command resembles the following example:

- ```output

- namespace/trident created

- ```

-> | 1.24.0 or greater | 1.2.3 |

-> - If your cluster is running Kubernetes version 1.24.0 or greater, the OSM add-on installs version *1.2.3* of OSM.

-> - If your cluster is running Kubernetes version 1.24.0 or greater, the OSM add-on installs version *1.2.3* of OSM.

-> - If your cluster is running Kubernetes version 1.24.0 or greater, the OSM add-on installs version *1.2.3* of OSM.

-> [!NOTE]

-> Alternatively you can use [Pod Identity](./use-azure-ad-pod-identity.md) though this is in Public Preview. It has a pod (NMI) that runs as a DaemonSet on each node in the AKS cluster. NMI intercepts security token requests to the Azure Instance Metadata Service on each node, redirect them to itself and validates if the pod has access to the identity it's requesting a token for and fetch the token from the Azure AD tenant on behalf of the application.

->

-> * This feature is being released during March and April 2023.

-> * This feature is being released during March and April 2023.

-> * This feature is being released during March and April 2023.

-description: Learn how to deploy multiple Azure App Service apps as a single unit and in a predictable manner using Azure Resource Manager templates and PowerShell scripting.

-# Provision and deploy microservices predictably in Azure

-This tutorial shows how to provision and deploy an application composed of [microservices](https://en.wikipedia.org/wiki/Microservices) in [Azure App Service](https://azure.microsoft.com/services/app-service/) as a single unit and in a predictable manner using JSON resource group templates and PowerShell scripting.

-When provisioning and deploying high-scale applications that are composed of highly decoupled microservices, repeatability and predictability are crucial to success. [Azure App Service](https://azure.microsoft.com/services/app-service/) enables you to create microservices that include web apps, mobile back ends, and API apps. [Azure Resource Manager](../azure-resource-manager/management/overview.md) enables you to manage all the microservices as a unit, together with resource dependencies such as database and source control settings. Now, you can also deploy such an application using JSON templates and simple PowerShell scripting.

-## What you will do

-In the tutorial, you will deploy an application that includes:

-* Two App Service apps (i.e. two microservices)

-* A backend SQL Database

-* App settings, connection strings, and source control

-* Application insights, alerts, autoscaling settings

-## Tools you will use

-In this tutorial, you will use the following tools. Since itΓÇÖs not comprehensive discussion on tools, IΓÇÖm going to stick to the end-to-end scenario and just give you a brief intro to each, and where you can find more information on it.

-### Azure Resource Manager templates (JSON)

-Every time you create an app in Azure App Service, for example, Azure Resource Manager uses a JSON template to create the entire resource group with the component resources. A complex template from the [Azure Marketplace](../marketplace/index.yml) can include the database, storage accounts, the App Service plan, the app itself, alert rules, app settings, autoscale settings, and more, and all these templates are available to you through PowerShell. For more information on the Azure Resource Manager templates, see [Authoring Azure Resource Manager templates](../azure-resource-manager/templates/syntax.md)

-### Azure SDK 2.6 for Visual Studio

-The newest SDK contains improvements to the Resource Manager template support in the JSON editor. You can use this to quickly create a resource group template from scratch or open an existing JSON template (such as a downloaded gallery template) for modification, populate the parameters file, and even deploy the resource group directly from an Azure Resource Group solution.

-For more information, see [Azure SDK 2.6 for Visual Studio](https://azure.microsoft.com/blog/2015/04/29/announcing-the-azure-sdk-2-6-for-net/).

-### Azure PowerShell 0.8.0 or later

-Beginning in version 0.8.0, the Azure PowerShell installation includes the Azure Resource Manager module in addition to the Azure module. This new module enables you to script the deployment of resource groups.

-For more information, see [Using Azure PowerShell with Azure Resource Manager](../azure-resource-manager/management/manage-resources-powershell.md)

-### Azure Resource Explorer

-This [preview tool](https://resources.azure.com) enables you to explore the JSON definitions of all the resource groups in your subscription and the individual resources. In the tool, you can edit the JSON definitions of a resource, delete an entire hierarchy of resources, and create new resources. The information readily available in this tool is very helpful for template authoring because it shows you what properties you need to set for a particular type of resource, the correct values, etc. You can even create your resource group in the [Azure Portal](https://portal.azure.com/), then inspect its JSON definitions in the explorer tool to help you templatize the resource group.

-### Deploy to Azure button

-If you use GitHub for source control, you can put a [Deploy to Azure button](../azure-resource-manager/templates/deploy-to-azure-button.md) into your README.MD, which enables a turn-key deployment UI to Azure. While you can do this for any simple app, you can extend this to enable deploying an entire resource group by putting an azuredeploy.json file in the repository root. This JSON file, which contains the resource group template, will be used by the Deploy to Azure button to create the resource group. For an example, see the [ToDoApp](https://github.com/azure-appservice-samples/ToDoApp) sample, which you will use in this tutorial.

-## Get the sample resource group template

-So now letΓÇÖs get right to it.

-1. Navigate to the [ToDoApp](https://github.com/azure-appservice-samples/ToDoApp) App Service sample.

-2. In readme.md, click **Deploy to Azure**.

-3. YouΓÇÖre taken to the [deploy-to-azure](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fazure-appservice-samples%2FToDoApp%2Fmaster%2Fazuredeploy.json) site and asked to input deployment parameters. Notice that most of the fields are populated with the repository name and some random strings for you. You can change all the fields if you want, but the only things you have to enter are the SQL Server administrative login and the password, then click **Next**.

-

- 

-4. Next, click **Deploy** to start the deployment process. Once the process runs to completion, click the http://todoapp*XXXX*.azurewebsites.net link to browse the deployed application.

-

- 

-

- The UI would be a little slow when you first browse to it because the apps are just starting up, but convince yourself that itΓÇÖs a fully-functional application.

-5. Back in the Deploy page, click the **Manage** link to see the new application in the Azure Portal.

-6. In the **Essentials** dropdown, click the resource group link. Note also that the app is already connected to the GitHub repository under **External Project**.

-

- 

-7. In the resource group blade, note that there are already two apps and one SQL Database in the resource group.

-

- 

-Everything that you just saw in a few short minutes is a fully deployed two-microservice application, with all the components, dependencies, settings, database, and continuous publishing, set up by an automated orchestration in Azure Resource Manager. All this was done by two things:

-* The Deploy to Azure button

-* azuredeploy.json in the repo root

-You can deploy this same application tens, hundreds, or thousands of times and have the exact same configuration every time. The repeatability and the predictability of this approach enables you to deploy high-scale applications with ease and confidence.

-## Examine (or edit) AZUREDEPLOY.JSON

-Now letΓÇÖs look at how the GitHub repository was set up. You will be using the JSON editor in the Azure .NET SDK, so if you havenΓÇÖt already installed [Azure .NET SDK 2.6](https://azure.microsoft.com/downloads/), do it now.

-1. Clone the [ToDoApp](https://github.com/azure-appservice-samples/ToDoApp) repository using your favorite git tool. In the screenshot below, IΓÇÖm doing this in the Team Explorer in Visual Studio 2013.

-

- 

-2. From the repository root, open azuredeploy.json in Visual Studio. If you donΓÇÖt see the JSON Outline pane, you need to install Azure .NET SDK.

-

- 

-IΓÇÖm not going to describe every detail of the JSON format, but the [More Resources](#resources) section has links for learning the resource group template language. Here, IΓÇÖm just going to show you the interesting features that can help you get started in making your own custom template for app deployment.

-### Parameters

-Take a look at the parameters section to see that most of these parameters are what the **Deploy to Azure** button prompts you to input. The site behind the **Deploy to Azure** button populates the input UI using the parameters defined in azuredeploy.json. These parameters are used throughout the resource definitions, such as resource names, property values, etc.

-### Resources

-In the resources node, you can see that 4 top-level resources are defined, including a SQL Server instance, an App Service plan, and two apps.

-#### App Service plan

-LetΓÇÖs start with a simple root-level resource in the JSON. In the JSON Outline, click the App Service plan named **[hostingPlanName]** to highlight the corresponding JSON code.

-![Shows the [hostingPlanName] section of the JSON code.](./media/app-service-deploy-complex-application-predictably/examinejson-3-appserviceplan.png)

-Note that the `type` element specifies the string for an App Service plan (it was called a server farm a long, long time ago), and other elements and properties are filled in using the parameters defined in the JSON file, and this resource doesnΓÇÖt have any nested resources.

-> [!NOTE]

-> Note also that the value of `apiVersion` tells Azure which version of the REST API to use the JSON resource definition with, and it can affect how the resource should be formatted inside the `{}`.

->

->

-#### SQL Server

-Next, click on the SQL Server resource named **SQLServer** in the JSON Outline.

-

-Note the following about the highlighted JSON code:

-* The use of parameters ensures that the created resources are named and configured in a way that makes them consistent with one another.

-* The SQLServer resource has two nested resources, each has a different value for `type`.

-* The nested resources inside `“resources”: […]`, where the database and the firewall rules are defined, have a `dependsOn` element that specifies the resource ID of the root-level SQLServer resource. This tells Azure Resource Manager, “before you create this resource, that other resource must already exist; and if that other resource is defined in the template, then create that one first”.

-

- > [!NOTE]

- > For detailed information on how to use the `resourceId()` function, see [Azure Resource Manager Template Functions](../azure-resource-manager/templates/template-functions-resource.md#resourceid).

- >

- >

-* The effect of the `dependsOn` element is that Azure Resource Manager can know which resources can be created in parallel and which resources must be created sequentially.

-#### App Service app

-Now, letΓÇÖs move on to the actual apps themselves, which are more complicated. Click the [variables(ΓÇÿapiSiteNameΓÇÖ)] app in the JSON Outline to highlight its JSON code. YouΓÇÖll notice that things are getting much more interesting. For this purpose, IΓÇÖll talk about the features one by one:

-##### Root resource

-The app depends on two different resources. This means that Azure Resource Manager will create the app only after both the App Service plan and the SQL Server instance are created.

-

-##### App settings

-The app settings are also defined as a nested resource.

-

-In the `properties` element for `config/appsettings`, you have two app settings in the format `"<name>" : "<value>"`.

-* `PROJECT` is a [KUDU setting](https://github.com/projectkudu/kudu/wiki/Customizing-deployments) that tells Azure deployment which project to use in a multi-project Visual Studio solution. I will show you later how source control is configured, but since the ToDoApp code is in a multi-project Visual Studio solution, we need this setting.

-* `clientUrl` is simply an app setting that the application code uses.

-##### Connection strings

-The connection strings are also defined as a nested resource.

-

-In the `properties` element for `config/connectionstrings`, each connection string is also defined as a name:value pair, with the specific format of `"<name>" : {"value": "…", "type": "…"}`. For the `type` element, possible values are `MySql`, `SQLServer`, `SQLAzure`, and `Custom`.

-> [!TIP]

-> For a definitive list of the connection string types, run the following command in Azure PowerShell:

-> \[Enum]::GetNames("Microsoft.WindowsAzure.Commands.Utilities.Websites.Services.WebEntities.DatabaseType")

->

->

-##### Source control

-The source control settings are also defined as a nested resource. Azure Resource Manager uses this resource to configure continuous publishing (see caveat on `IsManualIntegration` later) and also to kick off the deployment of application code automatically during the processing of the JSON file.

-

-`RepoUrl` and `branch` should be pretty intuitive and should point to the Git repository and the name of the branch to publish from. Again, these are defined by input parameters.

-Note in the `dependsOn` element that, in addition to the app resource itself, `sourcecontrols/web` also depends on `config/appsettings` and `config/connectionstrings`. This is because once `sourcecontrols/web` is configured, the Azure deployment process will automatically attempt to deploy, build, and start the application code. Therefore, inserting this dependency helps you make sure that the application has access to the required app settings and connection strings before the application code is run.

-> [!NOTE]

-> Note also that `IsManualIntegration` is set to `true`. This property is necessary in this tutorial because you do not actually own the GitHub repository, and thus cannot actually grant permission to Azure to configure continuous publishing from [ToDoApp](https://github.com/azure-appservice-samples/ToDoApp) (i.e. push automatic repository updates to Azure). You can use the default value `false` for the specified repository only if you have configured the ownerΓÇÖs GitHub credentials in the [Azure portal](https://portal.azure.com/) before. In other words, if you have set up source control to GitHub or BitBucket for any app in the [Azure Portal](https://portal.azure.com/) previously, using your user credentials, then Azure will remember the credentials and use them whenever you deploy any app from GitHub or BitBucket in the future. However, if you havenΓÇÖt done this already, deployment of the JSON template will fail when Azure Resource Manager tries to configure the appΓÇÖs source control settings because it cannot log into GitHub or BitBucket with the repository ownerΓÇÖs credentials.

->

->

-## Compare the JSON template with deployed resource group

-Here, you can go through all the appΓÇÖs blades in the [Azure Portal](https://portal.azure.com/), but thereΓÇÖs another tool thatΓÇÖs just as useful, if not more. Go to the [Azure Resource Explorer](https://resources.azure.com) preview tool, which gives you a JSON representation of all the resource groups in your subscriptions, as they actually exist in the Azure backend. You can also see how the resource groupΓÇÖs JSON hierarchy in Azure corresponds with the hierarchy in the template file thatΓÇÖs used to create it.

-For example, when I go to the [Azure Resource Explorer](https://resources.azure.com) tool and expand the nodes in the explorer, I can see the resource group and the root-level resources that are collected under their respective resource types.

-

-If you drill down to an app, you should be able to see app configuration details similar to the below screenshot:

-

-Again, the nested resources should have a hierarchy very similar to those in your JSON template file, and you should see the app settings, connection strings, etc., properly reflected in the JSON pane. The absence of settings here may indicate an issue with your JSON file and can help you troubleshoot your JSON template file.

-## Deploy the resource group template yourself

-The **Deploy to Azure** button is great, but it allows you to deploy the resource group template in azuredeploy.json only if you have already pushed azuredeploy.json to GitHub. The Azure .NET SDK also provides the tools for you to deploy any JSON template file directly from your local machine. To do this, follow the steps below:

-1. In Visual Studio, click **File** > **New** > **Project**.

-2. Click **Visual C#** > **Cloud** > **Azure Resource Group**, then click **OK**.

-

- 

-3. In **Select Azure Template**, select **Blank Template** and click **OK**.

-4. Drag azuredeploy.json into the **Template** folder of your new project.

-

- 

-5. From Solution Explorer, open the copied azuredeploy.json.

-6. Just for the sake of the demonstration, letΓÇÖs add some standard Application Insight resources to our JSON file, by clicking **Add Resource**. If youΓÇÖre just interested in deploying the JSON file, skip to the deploy steps.

-

- 

-7. Select **Application Insights for Web Apps**, then make sure an existing App Service plan and app is selected, and then click **Add**.

-

- 

-

- YouΓÇÖll now be able to see several new resources that, depending on the resource and what it does, have dependencies on either the App Service plan or the app. These resources are not enabled by their existing definition and youΓÇÖre going to change that.

-

- 

-8. In the JSON Outline, click **appInsights AutoScale** to highlight its JSON code. This is the scaling setting for your App Service plan.

-9. In the highlighted JSON code, locate the `location` and `enabled` properties and set them as shown below.

-

- 

-10. In the JSON Outline, click **CPUHigh appInsights** to highlight its JSON code. This is an alert.

-11. Locate the `location` and `isEnabled` properties and set them as shown below. Do the same for the other three alerts (purple bulbs).

-

- 

-12. YouΓÇÖre now ready to deploy. Right-click the project and select **Deploy** > **New Deployment**.

-

- 

-13. Log into your Azure account if you havenΓÇÖt already done so.

-14. Select an existing resource group in your subscription or create a new one, select **azuredeploy.json**, and then click **Edit Parameters**.

-

- 

-

- YouΓÇÖll now be able to edit all the parameters defined in the template file in a nice table. Parameters that define defaults will already have their default values, and parameters that define a list of allowed values will be shown as dropdowns.

-

- 

-15. Fill in all the empty parameters, and use the [GitHub repo address for ToDoApp](https://github.com/azure-appservice-samples/ToDoApp.git) in **repoUrl**. Then, click **Save**.

-

- 

-

- > [!NOTE]

- > Autoscaling is a feature offered in **Standard** tier or higher, and plan-level alerts are features offered in **Basic** tier or higher, youΓÇÖll need to set the **sku** parameter to **Standard** or **Premium** in order to see all your new App Insights resources light up.

- >

- >

-16. Click **Deploy**. If you selected **Save passwords**, the password will be saved in the parameter file **in plain text**. Otherwise, youΓÇÖll be asked to input the database password during the deployment process.

-ThatΓÇÖs it! Now you just need to go to the [Azure Portal](https://portal.azure.com/) and the [Azure Resource Explorer](https://resources.azure.com) tool to see the new alerts and autoscale settings added to your JSON deployed application.

-Your steps in this section mainly accomplished the following:

-1. Prepared the template file

-2. Created a parameter file to go with the template file

-3. Deployed the template file with the parameter file

-The last step is easily done by a PowerShell cmdlet. To see what Visual Studio did when it deployed your application, open Scripts\Deploy-AzureResourceGroup.ps1. ThereΓÇÖs a lot of code there, but IΓÇÖm just going to highlight all the pertinent code you need to deploy the template file with the parameter file.

-

-The last cmdlet, `New-AzureResourceGroup`, is the one that actually performs the action. All this should demonstrate to you that, with the help of tooling, it is relatively straightforward to deploy your cloud application predictably. Every time you run the cmdlet on the same template with the same parameter file, youΓÇÖre going to get the same result.

-## Summary

-In DevOps, repeatability and predictability are keys to any successful deployment of a high-scale application composed of microservices. In this tutorial, you have deployed a two-microservice application to Azure as a single resource group using the Azure Resource Manager template. Hopefully, it has given you the knowledge you need in order to start converting your application in Azure into a template and can provision and deploy it predictably.

-<a name="resources"></a>

-## More resources

-* [Azure Resource Manager Template Language](../azure-resource-manager/templates/syntax.md)

-* [Authoring Azure Resource Manager templates](../azure-resource-manager/templates/syntax.md)

-* [Azure Resource Manager Template Functions](../azure-resource-manager/templates/template-functions.md)

-* [Deploy an application with Azure Resource Manager template](../azure-resource-manager/templates/deploy-powershell.md)

-* [Using Azure PowerShell with Azure Resource Manager](../azure-resource-manager/management/manage-resources-powershell.md)

-* [Troubleshooting Resource Group Deployments in Azure](../azure-resource-manager/templates/common-deployment-errors.md)

-## Next steps

-To learn about the JSON syntax and properties for resource types deployed in this article, see:

-* [Microsoft.Sql/servers](/azure/templates/microsoft.sql/servers)

-* [Microsoft.Sql/servers/databases](/azure/templates/microsoft.sql/servers/databases)

-* [Microsoft.Sql/servers/firewallRules](/azure/templates/microsoft.sql/servers/firewallrules)

-* [Microsoft.Web/serverfarms](/azure/templates/microsoft.web/serverfarms)

-* [Microsoft.Web/sites](/azure/templates/microsoft.web/sites)

-* [Microsoft.Web/sites/slots](/azure/templates/microsoft.web/sites/slots)

-* [Microsoft.Insights/autoscalesettings](/azure/templates/microsoft.insights/autoscalesettings)

-description: Find guidance on creating Azure Resource Manager templates to provision and deploy App Service apps.

-# Guidance on deploying web apps by using Azure Resource Manager templates

-This article provides recommendations for creating Azure Resource Manager templates to deploy Azure App Service solutions. These recommendations can help you avoid common problems.

-## Define dependencies

-Defining dependencies for web apps requires an understanding of how the resources within a web app interact. If you specify dependencies in an incorrect order, you might cause deployment errors or create a race condition that stalls the deployment.

-> [!WARNING]

-> If you include an MSDeploy site extension in your template, you must set any configuration resources as dependent on the MSDeploy resource. Configuration changes cause the site to restart asynchronously. By making the configuration resources dependent on MSDeploy, you ensure that MSDeploy finishes before the site restarts. Without these dependencies, the site might restart during the deployment process of MSDeploy. For an example template, see [WordPress Template with Web Deploy Dependency](https://github.com/davidebbo/AzureWebsitesSamples/blob/master/ARMTemplates/WordpressTemplateWebDeployDependency.json).

-The following image shows the dependency order for various App Service resources:

-

-You deploy resources in the following order:

-**Tier 1**

-* App Service plan.

-* Any other related resources, like databases or storage accounts.

-**Tier 2**

-* Web app--depends on the App Service plan.

-* Azure Application Insights instance that targets the server farm--depends on the App Service plan.

-**Tier 3**

-* Source control--depends on the web app.

-* MSDeploy site extension--depends on the web app.

-* Azure Application Insights instance that targets the web app--depends on the web app.

-**Tier 4**

-* App Service certificate--depends on source control or MSDeploy if either is present. Otherwise, it depends on the web app.

-* Configuration settings (connection strings, web.config values, app settings)--depends on source control or MSDeploy if either is present. Otherwise, it depends on the web app.

-**Tier 5**

-* Host name bindings--depends on the certificate if present. Otherwise, it depends on a higher-level resource.

-* Site extensions--depends on configuration settings if present. Otherwise, it depends on a higher-level resource.

-Typically, your solution includes only some of these resources and tiers. For missing tiers, map lower resources to the next-higher tier.

-The following example shows part of a template. The value of the connection string configuration depends on the MSDeploy extension. The MSDeploy extension depends on the web app and database.

-```json

-{

- "name": "[parameters('appName')]",

- "type": "Microsoft.Web/Sites",

- ...

- "resources": [

- {

- "name": "MSDeploy",

- "type": "Extensions",

- "dependsOn": [

- "[concat('Microsoft.Web/Sites/', parameters('appName'))]",

- "[concat('Microsoft.Sql/servers/', parameters('dbServerName'), '/databases/', parameters('dbName'))]",

- ],

- ...

- },

- {

- "name": "connectionstrings",

- "type": "config",

- "dependsOn": [

- "[concat('Microsoft.Web/Sites/', parameters('appName'), '/Extensions/MSDeploy')]"

- ],

- ...

- }

- ]

-}

-```

-For a ready-to-run sample that uses the code above, see [Template: Build a simple Umbraco Web App](https://github.com/Azure/azure-quickstart-templates/tree/master/application-workloads/umbraco/umbraco-webapp-simple).

-## Find information about MSDeploy errors

-If your Resource Manager template uses MSDeploy, the deployment error messages can be difficult to understand. To get more information after a failed deployment, try the following steps:

-1. Go to the site's [Kudu console](https://github.com/projectkudu/kudu/wiki/Kudu-console).

-2. Browse to the folder at D:\home\LogFiles\SiteExtensions\MSDeploy.

-3. Look for the appManagerStatus.xml and appManagerLog.xml files. The first file logs the status. The second file logs information about the error. If the error isn't clear to you, you can include it when you're asking for help on the [forum](/answers/topics/azure-webapps.html).

-## Choose a unique web app name

-The name for your web app must be globally unique. You can use a naming convention that's likely to be unique, or you can use the [uniqueString function](../azure-resource-manager/templates/template-functions-string.md#uniquestring) to assist with generating a unique name.

-```json

-{

- "apiVersion": "2016-08-01",

- "name": "[concat(parameters('siteNamePrefix'), uniqueString(resourceGroup().id))]",

- "type": "Microsoft.Web/sites",

- ...

-}

-```

-## Deploy web app certificate from Key Vault

-If your template includes a [Microsoft.Web/certificates](/azure/templates/microsoft.web/certificates) resource for TLS/SSL binding, and the certificate is stored in a Key Vault, you must make sure the App Service identity can access the certificate.

-In global Azure, the App Service service principal has the ID of **abfa0a7c-a6b6-4736-8310-5855508787cd**. To grant access to Key Vault for the App Service service principal, use:

-```azurepowershell-interactive

-Set-AzKeyVaultAccessPolicy `

- -VaultName KEY_VAULT_NAME `

- -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd `

- -PermissionsToSecrets get `

- -PermissionsToCertificates get

-```

-In Azure Government, the App Service service principal has the ID of **6a02c803-dafd-4136-b4c3-5a6f318b4714**. Use that ID in the preceding example.

-In your Key Vault, select **Certificates** and **Generate/Import** to upload the certificate.

-

-In your template, provide the name of the certificate for the `keyVaultSecretName`.

-For an example template, see [Deploy a Web App certificate from Key Vault secret and use it for creating SSL binding](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/web-app-certificate-from-key-vault).

-## Next steps

-* For a tutorial on deploying web apps with a template, see [Provision and deploy microservices predictably in Azure](deploy-complex-application-predictably.md).

-* To learn about JSON syntax and properties for resource types in templates, see [Azure Resource Manager template reference](/azure/templates/).

-target cross-platform with .NET 6.0.

-| .NET 6.0 | Windows | macOS | Cross-platform | Cross-platform |

-In this quickstart, you'll learn how to create and deploy your first ASP.NET web app to [Azure App Service](overview.md). App Service supports various versions of .NET apps, and provides a highly scalable, self-patching web hosting service. ASP.NET web apps are cross-platform and can be hosted on Linux or Windows. When you're finished, you'll have an Azure resource group consisting of an App Service hosting plan and an App Service with a deployed web application.

-### [.NET 6.0](#tab/net60)

-If you've already installed Visual Studio 2022:

-### [.NET 6.0](#tab/net60)

-<a href="https://dotnet.microsoft.com/download/dotnet/6.0" target="_blank">

- Install the latest .NET 6.0 SDK.

-</a>

-### [.NET Framework 4.8](#tab/netframework48)

-<a href="https://dotnet.microsoft.com/download/dotnet-framework/net48" target="_blank">

- Install the .NET Framework 4.8 Developer Pack.

-</a>

-> [!NOTE]

-> Visual Studio Code is cross-platform code editor, however; .NET Framework is not. If you're developing .NET Framework apps with Visual Studio Code, consider using a Windows machine to satisfy the build dependencies.

-### [.NET 6.0](#tab/net60)

-<a href="https://dotnet.microsoft.com/download/dotnet/6.0" target="_blank">

- Install the latest .NET 6.0 SDK.

-</a>

-### [.NET Framework 4.8](#tab/netframework48)

-<a href="https://dotnet.microsoft.com/download/dotnet/6.0" target="_blank">

- Install the latest .NET 6.0 SDK.

-</a> and <a href="https://dotnet.microsoft.com/download/dotnet-framework/net48" target="_blank">

- the .NET Framework 4.8 Developer Pack.

-</a>

-> [!NOTE]

-> The [.NET CLI](/dotnet/core/tools) and .NET 6.0 are both cross-platform, but .NET Framework is not. If you're developing .NET Framework apps with the .NET CLI, consider using a Windows machine to satisfy the build dependencies. .NET 6.0 is cross-platform.

-### [.NET 6.0](#tab/net60)

-<a href="https://dotnet.microsoft.com/download/dotnet/6.0" target="_blank">

- Install the latest .NET 6.0 SDK.

-</a>

-### [.NET Framework 4.8](#tab/netframework48)

-<a href="https://dotnet.microsoft.com/download/dotnet/6.0" target="_blank">

- Install the latest .NET 6.0 SDK.

-</a> and <a href="https://dotnet.microsoft.com/download/dotnet-framework/net48" target="_blank">

- the .NET Framework 4.8 Developer Pack.

-</a>

-> [!NOTE]

-> [Azure PowerShell](/powershell/azure/) and .NET 6.0 are both cross-platform, but .NET Framework is not. If you're developing .NET Framework apps with the .NET CLI, consider using a Windows machine to satisfy the build dependencies.

-### [.NET 6.0](#tab/net60)

-### [.NET Framework 4.8](#tab/netframework48)

-

-## Create an ASP.NET web app

-### [.NET 6.0](#tab/net60)

- :::image type="content" source="./media/quickstart-dotnet/configure-webapp-net.png" alt-text="Screenshot of Visual Studio - Configure ASP.NET 6.0 web app." lightbox="media/quickstart-dotnet/configure-webapp-net.png" border="true":::

-1. Select **.NET 6.0 (Long-term support)**.

- :::image type="content" source="media/quickstart-dotnet/vs-additional-info-net60.png" alt-text="Screenshot of Visual Studio - Additional info when selecting .NET 6.0." lightbox="media/quickstart-dotnet/vs-additional-info-net60.png" border="true":::

-1. From the Visual Studio menu, select **Debug** > **Start Without Debugging** to run the web app locally.

- :::image type="content" source="media/quickstart-dotnet/local-webapp-net.png" alt-text="Screenshot of Visual Studio - ASP.NET Core 6.0 running locally." lightbox="media/quickstart-dotnet/local-webapp-net.png" border="true":::

- :::image type="content" source="media/quickstart-dotnet/configure-webapp-netframework48.png" alt-text="Screenshot of Visual Studio - Configure ASP.NET Framework 4.8 web app." lightbox="media/quickstart-dotnet/configure-webapp-netframework48.png" border="true":::

- :::image type="content" source="media/quickstart-dotnet/vs-mvc-no-auth-netframework48.png" alt-text="Screenshot of Visual Studio - Select the MVC template." lightbox="media/quickstart-dotnet/vs-mvc-no-auth-netframework48.png" border="true":::

- :::image type="content" source="media/quickstart-dotnet/vs-local-webapp-netframework48.png" alt-text="Screenshot of Visual Studio - ASP.NET Framework 4.8 running locally." lightbox="media/quickstart-dotnet/vs-local-webapp-netframework48.png" border="true":::

-1. In the terminal window, create a new folder named _MyFirstAzureWebApp_, and open it in Visual Studio Code.

- ```terminal

- mkdir MyFirstAzureWebApp

- code MyFirstAzureWebApp

- ```

-1. In Visual Studio Code, open the <a href="https://code.visualstudio.com/docs/editor/integrated-terminal" target="_blank">Terminal</a> window by typing `Ctrl` + `` ` ``.

-1. In Visual Studio Code terminal, create a new .NET web app using the [`dotnet new webapp`](/dotnet/core/tools/dotnet-new#web-options) command.

- ### [.NET 6.0](#tab/net60)

-

- ```dotnetcli

- dotnet new webapp -f net6.0

- ```

-

- ### [.NET Framework 4.8](#tab/netframework48)

-

- ```dotnetcli

- dotnet new webapp --target-framework-override net48

- ```

-

- > [!IMPORTANT]

- > The `--target-framework-override` flag is a free-form text replacement of the target framework moniker (TFM) for the project, and makes *no guarantees* that the supporting template exists or compiles. You can only build and run .NET Framework apps on Windows.

-

-

-1. From the **Terminal** in Visual Studio Code, run the application locally using the [`dotnet run`](/dotnet/core/tools/dotnet-run) command.

- ```dotnetcli

- dotnet run --urls=https://localhost:5001/

- ```

-1. Open a web browser, and navigate to the app at `https://localhost:5001`.

- ### [.NET 6.0](#tab/net60)

-

- You'll see the template ASP.NET Core 6.0 web app displayed in the page.

-

- :::image type="content" source="media/quickstart-dotnet/local-webapp-net.png" alt-text="Screenshot of Visual Studio Code - run .NET 6.0 in browser locally." lightbox="media/quickstart-dotnet/local-webapp-net.png" border="true":::

-

- ### [.NET Framework 4.8](#tab/netframework48)

-

- You'll see the template ASP.NET Framework 4.8 web app displayed in the page.

-

- :::image type="content" source="media/quickstart-dotnet/local-webapp-net48.png" alt-text="Screenshot of Visual Studio Code - run .NET 4.8 in browser locally." lightbox="media/quickstart-dotnet/local-webapp-net48.png" border="true":::

-

-

- ### [.NET 6.0](#tab/net60)

-

- ```dotnetcli

- dotnet new webapp -n MyFirstAzureWebApp --framework net6.0

- cd MyFirstAzureWebApp

- ```

-

- ### [.NET Framework 4.8](#tab/netframework48)

-

- dotnet new webapp -n MyFirstAzureWebApp --target-framework-override net48

- > [!IMPORTANT]

- > The `--target-framework-override` flag is a free-form text replacement of the target framework moniker (TFM) for the project, and makes *no guarantees* that the supporting template exists or compiles. You can only build .NET Framework apps on Windows.

-

-

- ### [.NET 6.0](#tab/net60)

-

- You'll see the template ASP.NET Core 6.0 web app displayed in the page.

-

- :::image type="content" source="media/quickstart-dotnet/local-webapp-net.png" alt-text="Screenshot of Visual Studio Code - ASP.NET Core 6.0 in local browser." lightbox="media/quickstart-dotnet/local-webapp-net.png" border="true":::

- ### [.NET Framework 4.8](#tab/netframework48)

-

- You'll see the template ASP.NET Framework 4.8 web app displayed in the page.

-

- :::image type="content" source="media/quickstart-dotnet/local-webapp-net48.png" alt-text="Screenshot of Visual Studio Code - ASP.NET Framework 4.8 in local browser." lightbox="media/quickstart-dotnet/local-webapp-net48.png" border="true":::

-

-In this step we will fork a demo project to deploy.

-### [.NET 6.0](#tab/net60)

-## Publish your web app

-As part of setting up the App Service, you'll create:

- :::image type="content" source="media/quickstart-dotnet/vs-publish-target-Azure.png" alt-text="Screenshot of Visual Studio - Publish the web app and target Azure." lightbox="media/quickstart-dotnet/vs-publish-target-Azure.png" border="true":::

- :::image type="content" source="media/quickstart-dotnet/sign-in-azure.png" border="true" alt-text="Screenshot of Visual Studio - Select sign in to Azure dialog." lightbox="media/quickstart-dotnet/sign-in-azure.png" :::

- :::image type="content" source="media/quickstart-dotnet/publish-new-app-service.png" border="true" alt-text="Screenshot of Visual Studio - New App Service app dialog." lightbox="media/quickstart-dotnet/publish-new-app-service.png" :::

- :::image type="content" source="media/quickstart-dotnet/create-new-hosting-plan.png" border="true" alt-text="Screenshot of Create new Hosting Plan screen in the Azure portal." lightbox="media/quickstart-dotnet/create-new-hosting-plan.png" :::

- :::image type="content" source="media/quickstart-dotnet/web-app-name.png" border="true" alt-text="Screenshot of Visual Studio - Create app resources dialog." lightbox="media/quickstart-dotnet/web-app-name.png" :::

- Once the wizard completes, the Azure resources are created for you and you're ready to publish your ASP.NET Core project.

-1. In the **Publish** dialog, ensure your new App Service app is selected in **App Service instance**, then select **Finish**. Visual Studio creates a publish profile for you for the selected App Service app.

- ### [.NET 6.0](#tab/net60)

- You'll see the ASP.NET Core 6.0 web app displayed in the page.

- :::image type="content" source="media/quickstart-dotnet/Azure-webapp-net.png" lightbox="media/quickstart-dotnet/Azure-webapp-net.png" border="true" alt-text="Screenshot of Visual Studio - ASP.NET Core 6.0 web app in Azure." :::

- You'll see the ASP.NET Framework 4.8 web app displayed in the page.

- :::image type="content" source="media/quickstart-dotnet/vs-Azure-webapp-net48.png" lightbox="media/quickstart-dotnet/vs-Azure-webapp-net48.png" border="true" alt-text="Screenshot of Visual Studio - ASP.NET Framework 4.8 web app in Azure.":::

-

-1. In Visual Studio Code, open the [**Command Palette**](https://code.visualstudio.com/docs/getstarted/userinterface#_command-palette), <kbd>Ctrl</kbd>+<kbd>Shift</kbd>+<kbd>P</kbd>.

-1. Search for and select "Azure App Service: Deploy to Web App".

- 1. Select *MyFirstAzureWebApp* as the folder to deploy.

- 1. Select **Add Config** when prompted.

- 1. When prompted to **Select a runtime stack**:

- - For *.NET 6.0*, select **.NET 6**

- - For *.NET Framework 4.8*, select **ASP.NET V4.8**

- - For *.NET Framework 4.8*, Windows will be selected implicitly.

- ### [.NET 6.0](#tab/net60)

- You'll see the ASP.NET Core 6.0 web app displayed in the page.

- :::image type="content" source="media/quickstart-dotnet/Azure-webapp-net.png" lightbox="media/quickstart-dotnet/Azure-webapp-net.png" border="true" alt-text="Screenshot of Visual Studio Code - ASP.NET Core 6.0 web app in Azure.":::

- ### [.NET Framework 4.8](#tab/netframework48)

- You'll see the ASP.NET Framework 4.8 web app displayed in the page.

- :::image type="content" source="media/quickstart-dotnet/Azure-webapp-net48.png" lightbox="media/quickstart-dotnet/vs-Azure-webapp-net48.png" border="true" alt-text="Screenshot of Visual Studio Code - ASP.NET Framework 4.8 web app in Azure.":::

-

- - Replace `<os>` with either `linux` or `windows`. You must use `windows` when targeting *ASP.NET Framework 4.8*.

- The command might take a few minutes to complete. While running, it provides messages about creating the resource group, the App Service plan, and hosting app, configuring logging, then performing ZIP deployment. Then it shows a message with the app's URL:

- ### [.NET 6.0](#tab/net60)

-

- You'll see the ASP.NET Core 6.0 web app displayed in the page.

-

- :::image type="content" source="media/quickstart-dotnet/Azure-webapp-net.png" lightbox="media/quickstart-dotnet/Azure-webapp-net.png" border="true" alt-text="Screenshot of the CLI - ASP.NET Core 6.0 web app in Azure.":::

-

- ### [.NET Framework 4.8](#tab/netframework48)

- You'll see the ASP.NET Framework 4.8 web app displayed in the page.

- :::image type="content" source="media/quickstart-dotnet/Azure-webapp-net48.png" lightbox="media/quickstart-dotnet/Azure-webapp-net48.png" border="true" alt-text="Screenshot of the CLI - ASP.NET Framework 4.8 web app in Azure.":::

- --

- The command might take a few minutes to complete. While running, it creates a resource group, an App Service plan, and the App Service resource.

- ### [.NET 6.0](#tab/net60)

- ```powershell-interactive

- cd bin\Release\net6.0\publish

- Compress-Archive -Path * -DestinationPath deploy.zip

- ```

- ### [.NET Framework 4.8](#tab/netframework48)

- cd bin\Release\net48\publish

- --

- ### [.NET 6.0](#tab/net60)

-

- You'll see the ASP.NET Core 6.0 web app displayed in the page.

-

- :::image type="content" source="media/quickstart-dotnet/Azure-webapp-net.png" lightbox="media/quickstart-dotnet/Azure-webapp-net.png" border="true" alt-text="Screenshot of the CLI - ASP.NET Core 6.0 web app in Azure.":::

- ### [.NET Framework 4.8](#tab/netframework48)

-

- You'll see the ASP.NET Framework 4.8 web app displayed in the page.

- :::image type="content" source="media/quickstart-dotnet/Azure-webapp-net48.png" lightbox="media/quickstart-dotnet/Azure-webapp-net48.png" border="true" alt-text="Screenshot of the CLI - ASP.NET Framework 4.8 web app in Azure.":::

- --

-1. In the **Basics** tab, under **Project details**, ensure the correct subscription is selected and then select to **Create new** resource group. Type *myResourceGroup* for the name.

- :::image type="content" source="./media/quickstart-dotnet/project-details.png" alt-text="Screenshot of the Project details section showing where you select the Azure subscription and the resource group for the web app.":::

-1. Under **Instance details**:

- ### [.NET 6.0](#tab/net60)

- - Under **Runtime stack** select *.NET 6 (LTS)*.

- :::image type="content" source="media/quickstart-dotnet/app-service-dotnet-60.png" lightbox="media/quickstart-dotnet/Azure-webapp-net.png" border="true" alt-text="Screenshot of the App Service Instance Details with a .NET 6 runtime.":::

-

-

- :::image type="content" source="media/quickstart-dotnet/app-service-dotnet-48.png" lightbox="media/quickstart-dotnet/Azure-webapp-net.png" border="true" alt-text="Screenshot of the App Service Instance Details with a ASP.NET V4.8 runtime.":::

- --

-1. Under **App Service Plan**, select **Create new** App Service Plan. Type *myAppServicePlan* for the name. To change to the Free tier, select **Change size**, select **Dev/Test** tab, select **F1**, and select the **Apply** button at the bottom of the page.

- :::image type="content" source="./media/quickstart-dotnet/app-service-plan-details.png" alt-text="Screenshot of the Administrator account section where you provide the administrator username and password.":::

- ### [.NET 6.0](#tab/net60)

- :::image type="content" source="media/quickstart-dotnet/app-service-deploy-60.png" lightbox="media/quickstart-dotnet/Azure-webapp-net.png" border="true" alt-text="Screenshot of the deployment options for an app using the .NET 6 runtime.":::

- :::image type="content" source="media/quickstart-dotnet/app-service-deploy-48.png" lightbox="media/quickstart-dotnet/Azure-webapp-net.png" border="true" alt-text="Screenshot of the deployment options for an app using the .NET Framework 4.8 runtime.":::

- :::image type="content" source="./media/quickstart-dotnet/review-create.png" alt-text="Screenshot of the Review and create button at the bottom of the page.":::

- ### [.NET 6.0](#tab/net60)

- :::image type="content" source="media/quickstart-dotnet/browse-dotnet-60.png" lightbox="media/quickstart-dotnet/Azure-webapp-net.png" border="true" alt-text="Screenshot of the deployed sample app.":::

- :::image type="content" source="media/quickstart-dotnet/browse-dotnet-48.png" lightbox="media/quickstart-dotnet/Azure-webapp-net.png" border="true" alt-text="Screenshot of the deployed sample app.":::

-## Update the app and redeploy

- ### [.NET 6.0](#tab/net60)

- You'll see the updated ASP.NET Core 6.0 web app displayed in the page.

- :::image type="content" source="media/quickstart-dotnet/updated-Azure-webapp-net.png" lightbox="media/quickstart-dotnet/updated-Azure-webapp-net.png" border="true" alt-text="Screenshot of Visual Studio - Updated ASP.NET Core 6.0 web app in Azure.":::

- You'll see the updated ASP.NET Framework 4.8 web app displayed in the page.

- :::image type="content" source="media/quickstart-dotnet/vs-updated-Azure-webapp-net48.png" lightbox="media/quickstart-dotnet/vs-updated-Azure-webapp-net48.png" border="true" alt-text="Screenshot of Visual Studio - Updated ASP.NET Framework 4.8 web app in Azure.":::

-

- ### [.NET 6.0](#tab/net60)

- You'll see the updated ASP.NET Core 6.0 web app displayed in the page.

- :::image type="content" source="media/quickstart-dotnet/updated-Azure-webapp-net.png" lightbox="media/quickstart-dotnet/updated-Azure-webapp-net.png" border="true" alt-text="Screenshot of Visual Studio Code - Updated ASP.NET Core 6.0 web app in Azure.":::

- ### [.NET Framework 4.8](#tab/netframework48)

- You'll see the updated ASP.NET Framework 4.8 web app displayed in the page.

- :::image type="content" source="media/quickstart-dotnet/updated-Azure-webapp-net48.png" lightbox="media/quickstart-dotnet/updated-Azure-webapp-net48.png" border="true" alt-text="Screenshot of Visual Studio Code - Updated ASP.NET Framework 4.8 web app in Azure.":::

-

-### [.NET 6.0](#tab/net60)

-ASP.NET Core 6.0 is cross-platform, based on your previous deployment replace `<os>` with either `linux` or `windows`.

-### [.NET Framework 4.8](#tab/netframework48)

-ASP.NET Framework 4.8 has framework dependencies, and must be hosted on Windows.

-```azurecli

-az webapp up --os-type windows

-```

-> [!TIP]

-> If you're interested in hosting your .NET apps on Linux, consider migrating from [ASP.NET Framework to ASP.NET Core](/aspnet/core/migration/proper-to-2x).

-### [.NET 6.0](#tab/net60)

-You'll see the updated ASP.NET Core 6.0 web app displayed in the page.

-### [.NET Framework 4.8](#tab/netframework48)

-You'll see the updated ASP.NET Framework 4.8 web app displayed in the page.

- ### [.NET 6.0](#tab/net60)

- ```powershell-interactive

- cd bin\Release\net6.0\publish

- Compress-Archive -Path * -DestinationPath deploy.zip

- ```

- ### [.NET Framework 4.8](#tab/netframework48)

- cd bin\Release\net48\publish

- --

- ### [.NET 6.0](#tab/net60)

-

- You'll see the updated ASP.NET Core 6.0 web app displayed in the page.

- :::image type="content" source="media/quickstart-dotnet/updated-Azure-webapp-net.png" lightbox="media/quickstart-dotnet/updated-Azure-webapp-net.png" border="true" alt-text="Screenshot of the CLI - Updated ASP.NET Core 6.0 web app in Azure.":::

-

- ### [.NET Framework 4.8](#tab/netframework48)

-

- You'll see the updated ASP.NET Framework 4.8 web app displayed in the page.

-

- :::image type="content" source="media/quickstart-dotnet/updated-Azure-webapp-net48.png" lightbox="media/quickstart-dotnet/updated-Azure-webapp-net48.png" border="true" alt-text="Screenshot of the CLI - Updated ASP.NET Framework 4.8 web app in Azure.":::

-

-

-1. On your repo page, press `.` to start Visual Studio code within your browser.

- ### [.NET 6.0](#tab/net60)

- ### [.NET 6.0](#tab/net60)

- ### [.NET 6.0](#tab/net60)

- ### [.NET 6.0](#tab/net60)

- ### [.NET 6.0](#tab/net60)

- You'll see the updated ASP.NET Core 6.0 web app displayed in the page.

- :::image type="content" source="media/quickstart-dotnet/updated-Azure-webapp-net.png" lightbox="media/quickstart-dotnet/updated-Azure-webapp-net.png" border="true" alt-text="Screenshot of the CLI - Updated ASP.NET Core 6.0 web app in Azure.":::

- You'll see the updated ASP.NET Framework 4.8 web app displayed in the page.

- :::image type="content" source="media/quickstart-dotnet/updated-Azure-webapp-net48.png" lightbox="media/quickstart-dotnet/updated-Azure-webapp-net48.png" border="true" alt-text="Screenshot of the CLI - Updated ASP.NET Framework 4.8 web app in Azure.":::

-## Manage the Azure app

-In this quickstart, you created and deployed an ASP.NET web app to Azure App Service.

-### [.NET 6.0](#tab/net60)

-description: Deploy your first HTML Hello World to Azure App Service in minutes. You deploy using Git, which is one of many ways to deploy to App Service.

-# Create a static HTML web app in Azure

-This quickstart shows how to deploy a basic HTML+CSS site to <abbr title="An HTTP-based service for hosting web applications, REST APIs, and mobile back-end applications.">Azure App Service</abbr>. You'll complete this quickstart in [Cloud Shell](../cloud-shell/overview.md), but you can also run these commands locally with [Azure CLI](/cli/azure/install-azure-cli).

-## 1. Prepare your environment

-In [Cloud Shell](../cloud-shell/overview.md), create a quickstart directory and then change to it.

-```bash

-mkdir quickstart

-cd $HOME/quickstart

-```

-Next, run the following command to clone the sample app repository to your quickstart directory.

-```bash

-git clone https://github.com/Azure-Samples/html-docs-hello-world.git

-```

-<hr/>

-## 2. Create a web app

-Change to the directory that contains the sample code and run the [az webapp up](/cli/azure/webapp#az-webapp-up) command. **Replace** `<app-name>` with a globally unique name.

-```azurecli

-cd html-docs-hello-world

-az webapp up --location westeurope --name <app_name> --html

-```

-<details>

-<summary>Troubleshooting</summary>

-<ul>

-<li>If the <code>az</code> command isn't recognized, be sure you have the Azure CLI installed as described in <a href="#1-prepare-your-environment">Prepare your environment</a>.</li>

-<li>Replace <code>&lt;app-name&gt;</code> with a name that's unique across all of Azure (<em>valid characters are <code>a-z</code>, <code>0-9</code>, and <code>-</code></em>). A good pattern is to use a combination of your company name and an app identifier.</li>

-<li>The <code>--sku F1</code> argument creates the web app on the Free pricing tier. Omit this argument to use a faster premium tier, which incurs an hourly cost.</li>

-<li>The <code>--html</code> argument says to treat all folder content as static content and disable build automation.</li>

-<li>You can optionally include the argument <code>--location &lt;location-name&gt;</code> where <code>&lt;location-name&gt;</code> is an available Azure region. You can retrieve a list of allowable regions for your Azure account by running the <a href="/cli/azure/appservice#az-appservice-list-locations"><code>az account list-locations</code></a> command.</li>

-</ul>

-</details>

-The command may take a few minutes to complete.

-<details>

-<summary>What's <code>az webapp up</code> doing?</summary>

-<p>The <code>az webapp up</code> command does the following actions:</p>

-<ul>

-<li>Create a default resource group.</li>

-<li>Create a default App Service plan.</li>

-<li><a href="/cli/azure/webapp#az-webapp-create">Create an App Service app</a> with the specified name.</li>

-<li><a href="/azure/app-service/deploy-zip">Zip deploy</a> files from the current working directory to the app.</li>

-<li>While running, it provides messages about resource creation, logging, and ZIP deployment.</li>

-</ul>

-When it finishes, it displays information similar to the following example:

-```output

-{

- "app_url": "https://&lt;app_name&gt;.azurewebsites.net",

- "location": "westeurope",

- "name": "&lt;app_name&gt;",

- "os": "Windows",

- "resourcegroup": "appsvc_rg_Windows_westeurope",

- "serverfarm": "appsvc_asp_Windows_westeurope",

- "sku": "FREE",

- "src_path": "/home/&lt;username&gt;/quickstart/html-docs-hello-world ",

- &lt; JSON data removed for brevity. &gt;

-}

-```

-</details>

-You will need the `resourceGroup` value to [clean up resources](#6-clean-up-resources) later.

-<hr/>

-## 3. Browse to the app

-In a browser, go to the app URL: `http://<app_name>.azurewebsites.net`.

-The page is running as an Azure App Service web app.

-

-<hr/>

-## 4. Update and redeploy the app

-In the Cloud Shell, use `sed` to change "Azure App Service - Sample Static HTML Site" to "Azure App Service".

-```bash

-sed -i 's/Azure App Service - Sample Static HTML Site/Azure App Service/' https://docsupdatetracker.net/index.html

-```

-Redeploy the app with `az webapp up` command.

-```azurecli

-az webapp up --html

-```

-Switch back to the browser window that opened in the **Browse to the app** step.

-**Refresh** the page.

-

-<hr/>

-## 5. Manage your new Azure app

-**Navigate** to the [Azure portal](https://portal.azure.com).,

-**Search** for and **select** **App Services**.

-

-**Select** the name of your Azure app.

-

-You see your web app's Overview page. Here, you can perform basic management tasks like browse, stop, start, restart, and delete.

-

-The left menu provides different pages for configuring your app.

-<hr/>

-## 6. Clean up resources

-In the preceding steps, you created Azure resources in a resource group. If you don't expect to need these resources in the future, delete the resource group by running the following command in the Cloud Shell. Remember that the resource group name was automatically generated for you in the [create a web app](#2-create-a-web-app) step.

-```azurecli

-az group delete --name appsvc_rg_Windows_westeurope

-```

-This command may take a minute to run.

-<hr/>

-## Next steps

-> [!div class="nextstepaction"]

-> [Secure with custom domain and certificate](tutorial-secure-domain-certificate.md)

-description: Deploy your first HTML Hello World to Azure App Service in minutes. You deploy using Git, which is one of many ways to deploy to App Service.

-# Create a static HTML web app in Azure

-[Azure App Service](overview.md) provides a highly scalable, self-patching web hosting service. This quickstart shows how to deploy a basic HTML+CSS site to Azure App Service. You'll complete this quickstart in [Cloud Shell](../cloud-shell/overview.md), but you can also run these commands locally with [Azure CLI](/cli/azure/install-azure-cli).

-> [!NOTE]

-> For information regarding hosting static HTML files in a serverless environment, please see [Static Web Apps](../static-web-apps/overview.md).

-## Download the sample

-In the Cloud Shell, create a quickstart directory and then change to it.

-```bash

-mkdir quickstart

-cd $HOME/quickstart

-```

-Next, run the following command to clone the sample app repository to your quickstart directory.

-```bash

-git clone https://github.com/Azure-Samples/html-docs-hello-world.git

-```

-## Create a web app

-Change to the directory that contains the sample code and run the [az webapp up](/cli/azure/webapp#az-webapp-up) command. In the following example, replace <app_name> with a unique app name. Static content is indicated by the `--html` flag.

-```azurecli

-cd html-docs-hello-world

-az webapp up --location westeurope --name <app_name> --html

-```

-> [!NOTE]

-> If you want to host your static content on a Linux based App Service instance configure PHP as your runtime using the `--runtime` and `--os-type` flags:

->

-> `az webapp up --location westeurope --name <app_name> --runtime "PHP:8.1" --os-type linux`

->

-> The PHP container includes a web server that is suitable to host static HTML content.

-The `az webapp up` command does the following actions:

-This command may take a few minutes to run. While running, it displays information similar to the following example:

-```output

-{

- "app_url": "https://&lt;app_name&gt;.azurewebsites.net",

- "location": "westeurope",

- "name": "&lt;app_name&gt;",

- "os": "Windows",

- "resourcegroup": "appsvc_rg_Windows_westeurope",

- "serverfarm": "appsvc_asp_Windows_westeurope",

- "sku": "FREE",

- "src_path": "/home/&lt;username&gt;/quickstart/html-docs-hello-world ",

- &lt; JSON data removed for brevity. &gt;

-}

-```

-Make a note of the `resourceGroup` value. You need it for the [clean up resources](#clean-up-resources) section.

-## Browse to the app

-In a browser, go to the app URL: `http://<app_name>.azurewebsites.net`.

-The page is running as an Azure App Service web app.

-**Congratulations!** You've deployed your first HTML app to App Service.

-## Update and redeploy the app

-In the Cloud Shell, use `sed` to change "Azure App Service - Sample Static HTML Site" to "Azure App Service".

-```bash

-sed -i 's/Azure App Service - Sample Static HTML Site/Azure App Service/' https://docsupdatetracker.net/index.html

-```

-You'll now redeploy the app with the same `az webapp up` command.

-```azurecli

-az webapp up --location westeurope --name <app_name> --html

-```

-Once deployment has completed, switch back to the browser window that opened in the **Browse to the app** step, and refresh the page.

-## Manage your new Azure app

-To manage the web app you created, in the [Azure portal](https://portal.azure.com), search for and select **App Services**.

-

-On the **App Services** page, select the name of your Azure app.

-

-You see your web app's Overview page. Here, you can perform basic management tasks like browse, stop, start, restart, and delete.

-

-The left menu provides different pages for configuring your app.

-## Clean up resources

-In the preceding steps, you created Azure resources in a resource group. If you don't expect to need these resources in the future, delete the resource group by running the following command in the Cloud Shell. Remember that the resource group name was automatically generated for you in the [create a web app](#create-a-web-app) step.

-```azurecli

-az group delete --name appsvc_rg_Windows_westeurope

-```

-This command may take a minute to run.

-## Next steps

-> [!div class="nextstepaction"]

-> [Secure with custom domain and certificate](tutorial-secure-domain-certificate.md)

-description: In this tutorial, you learn how to enable user authentication and authorization for a web app running on Azure App Service. Limit access to the web app to users in your organizationΓÇï.

-#Customer intent: As an application developer, enable authentication and authorization for a web app running on Azure App Service.

-# Tutorial: Add user authentication to your web app running on Azure App Service

-## Connect to backend services as user

-User authentication can begin with authenticating the user to your app service as described in the previous section.

-Once the app service has the authenticated identity, your system needs to **connect to backend services as the user**:

-* A database example is a SQL database which imposes its own security for that identity on tables

-

-* A storage example is Blob Storage which imposes its own security for that identity on containers and blobs

-* A user needs access to Microsoft Graph to access their own email.

-> [!div class="nextstepaction"]

-> [App service accesses Graph](scenario-secure-app-authentication-app-service-as-user.md)

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-#Customer intent: I want to learn how to use create a Form Recognizer service in the Azure portal.

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-recommendations: false

-#Customer intent: As a form-processing software developer, I want to learn how to use the Form Recognizer service with Logic Apps.

-recommendations: false

-recommendations: false

-recommendations: false

-| [Python](#python-runbooks) |Textual runbook based on Python scripting. The currently supported versions are: Python 2.7 (GA), Python 3.8 (preview), and Python 3.10 (preview). |

- **Workaround**: Use `Start-AutomationRunbook` (internal cmdlet) or `Start-AzAutomationRunbook` (from *Az.Automation* module) to start another runbook from parent runbook.

- **Workaround**: Explicitly set the preference at the start of the runbook as below -

- **Workaround**: Explicitly set the preference at the start of the runbook as below -

-Python runbooks compile under Python 2, Python 3.8 (preview) and Python 3.10 (preview). You can directly edit the code of the runbook using the text editor in the Azure portal. You can also use an offline text editor and [import the runbook](manage-runbooks.md) into Azure Automation.

-# [Python 3.8 (preview)](#tab/py38)

-description: This article tells how to create an Azure Automation Run As account with PowerShell or from the Azure portal.

-# How to create an Azure Automation Run As account

-> [!IMPORTANT]

-> Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use [managed identities](automation-security-overview.md#managed-identities). For more information, see [migrating from an existing Run As accounts to managed identity](https://learn.microsoft.com/azure/automation/migrate-run-as-accounts-managed-identity?tabs=run-as-account#sample-scripts) to start migrating the runbooks from Run As account to managed identities before 30 September 2023.

-Run As accounts in Azure Automation provide authentication for managing resources on the Azure Resource Manager or Azure Classic deployment model using Automation runbooks and other Automation features. This article describes how to create a Run As or Classic Run As account from the Azure portal or Azure PowerShell.

-When you create the Run As or Classic Run As account in the Azure portal, by default it uses a self-signed certificate. If you want to use a certificate issued by your enterprise or third-party certification authority (CA), can use the [PowerShell script to create a Run As account](#powershell-script-to-create-a-run-as-account).

-## Create account in Azure portal

-Perform the following steps to update your Azure Automation account in the Azure portal. The Run As and Classic Run As accounts are created separately. If you don't need to manage classic resources, you can just create the Azure Run As account.

-1. Sign in to the Azure portal with an account that is a member of the Subscription Admins role and co-administrator of the subscription.

-2. Search for and select **Automation Accounts**.

-3. On the **Automation Accounts** page, select your Automation account from the list.

-4. In the left pane, select **Run As Accounts** in the **Account Settings** section.

- :::image type="content" source="media/create-run-as-account/automation-account-properties-pane.png" alt-text="Select the Run As Account option.":::

-5. Depending on the account you require, use the **+ Azure Run As Account** or **+ Azure Classic Run As Account** pane. After reviewing the overview information, click **Create**.

- :::image type="content" source="media/create-run-as-account/automation-account-create-run-as.png" alt-text="Select the option to create a Run As Account":::

-6. While Azure creates the Run As account, you can track the progress under **Notifications** from the menu. A banner is also displayed stating that the account is being created. The process can take a few minutes to complete.

-## Create account using PowerShell

-The following list provides the requirements to create a Run As account in PowerShell using a provided script. These requirements apply to both types of Run As accounts.

-* Windows 10 or Windows Server 2016 with Azure Resource Manager modules 3.4.1 and later. The PowerShell script doesn't support earlier versions of Windows.

-* Azure PowerShell PowerShell 6.2.4 or later. For information, see [How to install and configure Azure PowerShell](/powershell/azure/install-az-ps).

-* An Automation account, which is referenced as the value for the `AutomationAccountName` and `ApplicationDisplayName` parameters.

-* Permissions equivalent to the ones listed in [Required permissions to configure Run As accounts](automation-security-overview.md#permissions).

-If you are planning to use a certificate from your enterprise or third-party certificate authority (CA), Automation requires the certificate to have the following configuration:

- * Specify the provider **Microsoft Enhanced RSA and AES Cryptographic Provider**

- * Marked as exportable

- * Configured to use the SHA256 algorithm

- * Saved in the `*.pfx` or `*.cer` format.

-To get the values for `AutomationAccountName`, `SubscriptionId`, and `ResourceGroupName`, which are required parameters for the PowerShell script, complete the following steps.

-1. Sign in to the Azure portal.

-1. Search for and select **Automation Accounts**.

-1. On the Automation Accounts page, select your Automation account from the list.

-1. In the left pane, select **Properties**.

-1. Note the values for **Name**, **Subscription ID**, and **Resource Group** on the **Properties** page.

- 

-### PowerShell script to create a Run As account

-The PowerShell script includes support for several configurations.

-* Create a Run As account and/or a Classic Run As account by using a self-signed certificate.

-* Create a Run As account and/or a Classic Run As account by using a certificate issued by your enterprise or third-party certification authority (CA).

-* Create a Run As account and/or a Classic Run As account by using a self-signed certificate in the Azure Government cloud.

-1. Download and save the script to a local folder using the following command.

- ```powershell

- wget https://raw.githubusercontent.com/azureautomation/runbooks/master/Utility/AzRunAs/Create-RunAsAccount.ps1 -outfile Create-RunAsAccount.ps1

- ```

-2. Start PowerShell with elevated user rights and navigate to the folder that contains the script.

-3. Run one of the following commands to create a Run As and/or Classic Run As account based on your requirements.

- * Create a Run As account using a self-signed certificate.

- ```powershell

- .\Create-RunAsAccount.ps1 -ResourceGroup <ResourceGroupName> -AutomationAccountName <NameofAutomationAccount> -SubscriptionId <SubscriptionId> -ApplicationDisplayName <DisplayNameofAADApplication> -SelfSignedCertPlainPassword <StrongPassword> -CreateClassicRunAsAccount $false

- ```

- * Create a Run As account and a Classic Run As account by using a self-signed certificate.

- ```powershell

- .\Create-RunAsAccount.ps1 -ResourceGroup <ResourceGroupName> -AutomationAccountName <NameofAutomationAccount> -SubscriptionId <SubscriptionId> -ApplicationDisplayName <DisplayNameofAADApplication> -SelfSignedCertPlainPassword <StrongPassword> -CreateClassicRunAsAccount $true

- ```

- * Create a Run As account and a Classic Run As account by using an enterprise certificate.

- ```powershell

- .\Create-RunAsAccount.ps1 -ResourceGroup <ResourceGroupName> -AutomationAccountName <NameofAutomationAccount> -SubscriptionId <SubscriptionId> -ApplicationDisplayName <DisplayNameofAADApplication> -SelfSignedCertPlainPassword <StrongPassword> -CreateClassicRunAsAccount $true -EnterpriseCertPathForRunAsAccount <EnterpriseCertPfxPathForRunAsAccount> -EnterpriseCertPlainPasswordForRunAsAccount <StrongPassword> -EnterpriseCertPathForClassicRunAsAccount <EnterpriseCertPfxPathForClassicRunAsAccount> -EnterpriseCertPlainPasswordForClassicRunAsAccount <StrongPassword>

- ```

- If you've created a Classic Run As account with an enterprise public certificate (.cer file), use this certificate. The script creates and saves it to the temporary files folder on your computer, under the user profile `%USERPROFILE%\AppData\Local\Temp` you used to execute the PowerShell session. See [Uploading a management API certificate to the Azure portal](../cloud-services/cloud-services-configure-ssl-certificate-portal.md).

- * Create a Run As account and a Classic Run As account by using a self-signed certificate in the Azure Government cloud

- ```powershell

- .\Create-RunAsAccount.ps1 -ResourceGroup <ResourceGroupName> -AutomationAccountName <NameofAutomationAccount> -SubscriptionId <SubscriptionId> -ApplicationDisplayName <DisplayNameofAADApplication> -SelfSignedCertPlainPassword <StrongPassword> -CreateClassicRunAsAccount $true -EnvironmentName AzureUSGovernment

- ```

-4. After the script has executed, you're prompted to authenticate with Azure. Sign in with an account that's a member of the subscription administrators role. If you are creating a Classic Run As account, your account must be a co-administrator of the subscription.

-## Next steps

-* To get started with PowerShell runbooks, see [Tutorial: Create a PowerShell runbook](./learn/powershell-runbook-managed-identity.md).

-* To get started with a Python 3 runbook, see [Tutorial: Create a Python 3 runbook](learn/automation-tutorial-runbook-textual-python-3.md).

-description: This article tells how to manage Python 3 packages (preview) in Azure Automation.

-# Manage Python 3 packages (preview) in Azure Automation

-This article describes how to import, manage, and use Python 3 (preview) packages in Azure Automation running on the Azure sandbox environment and Hybrid Runbook Workers. Python packages should be downloaded on Hybrid Runbook workers for successful job execution. To help simplify runbooks, you can use Python packages to import the modules you need.

-To support Python 3.8 (preview) runbooks in the Automation service, Azure package 4.0.0 is installed by default in the Automation account. The default version can be overridden by importing Python packages into your Automation account.

-There are no default packages installed for Python 3.10 (preview).

-#### [Python 3.8 (preview)](#tab/py3)

-|cp38|Automation supports **Python 3.8 (preview)** for Cloud jobs.|

-1. On the **Add Python Package** page, select a local package to upload. The package can be a **.whl** or **.tar.gz** file for Python 3.8 (preview) and **.whl** file for Python 3.10 (preview).

-1. Enter a name and select the **Runtime Version** as Python 3.8 (preview) or Python 3.10 (preview).

- :::image type="content" source="media/python-3-packages/upload-package.png" alt-text="Screenshot shows the Add Python 3.8 (preview) Package page with an uploaded tar.gz file selected.":::

-After a package has been imported, it's listed on the Python packages page in your Automation account. To remove a package, select the package and click **Delete**.

-You can import a Python 3.8 (preview) package and its dependencies by importing the following Python script into a Python 3 runbook, and then running it.

-The **Import a runbook** page defaults the runbook name to match the name of the script. If you have access to the field, you can change the name. **Runbook type** may default to **Python 2**. If it does, make sure to change it to **Python 3**.

-|subscription_id | Subscription ID of the Automation account |

-### Python 3.8 (preview) PowerShell cmdlets

-#### Add new Python 3.8 (preview) package

-#### List all Python 3.8 (preview) packages

-#### Remove Python 3.8 (preview) package

-#### Update Python 3.8 (preview) package

-You must deploy your app to an Azure service when you use managed identities. Managed identities can't be used for authentication of locally running apps. To deploy the .NET Core app that you created in the [Create an ASP.NET Core app with App Configuration](./quickstart-aspnet-core-app.md) quickstart and modified to use managed identities, follow the guidance in [Publish your web app](../app-service/quickstart-dotnetcore.md?pivots=development-environment-vs&tabs=netcore31#publish-your-web-app).

-> Support for Flux v1-based cluster configuration resources created prior to May 1, 2023 will end on [May 24, 2025](https://azure.microsoft.com/updates/migrate-your-gitops-configurations-from-flux-v1-to-flux-v2-by-24-may-2025/). Starting on May 1, 2023, you won't be able to create new Flux v1-based cluster configuration resources.

-> Support for Flux v1-based cluster configuration resources created prior to May 1, 2023 will end on [May 24, 2025](https://azure.microsoft.com/updates/migrate-your-gitops-configurations-from-flux-v1-to-flux-v2-by-24-may-2025/). Starting on May 1, 2023, you won't be able to create new Flux v1-based cluster configuration resources.

-> Support for Flux v1-based cluster configuration resources created prior to May 1, 2023 will end on [May 24, 2025](https://azure.microsoft.com/updates/migrate-your-gitops-configurations-from-flux-v1-to-flux-v2-by-24-may-2025/). Starting on May 1, 2023, you won't be able to create new Flux v1-based cluster configuration resources.

-> We recommend [migrating to Flux v2](conceptual-gitops-flux2.md#migrate-from-flux-v1) as soon as possible. Support for Flux v1-based cluster configuration resources created prior to May 1, 2023 will end on [May 24, 2025](https://azure.microsoft.com/updates/migrate-your-gitops-configurations-from-flux-v1-to-flux-v2-by-24-may-2025/). Starting on May 1, 2023, you won't be able to create new Flux v1-based cluster configuration resources.

-> Support for Flux v1-based cluster configuration resources created prior to May 1, 2023 will end on [May 24, 2025](https://azure.microsoft.com/updates/migrate-your-gitops-configurations-from-flux-v1-to-flux-v2-by-24-may-2025/). Starting on May 1, 2023, you won't be able to create new Flux v1-based cluster configuration resources.

-> Support for Flux v1-based cluster configuration resources created prior to May 1, 2023 will end on [May 24, 2025](https://azure.microsoft.com/updates/migrate-your-gitops-configurations-from-flux-v1-to-flux-v2-by-24-may-2025/). Starting on May 1, 2023, you won't be able to create new Flux v1-based cluster configuration resources.

-> Support for Flux v1-based cluster configuration resources created prior to May 1, 2023 will end on [May 24, 2025](https://azure.microsoft.com/updates/migrate-your-gitops-configurations-from-flux-v1-to-flux-v2-by-24-may-2025/). Starting on May 1, 2023, you won't be able to create new Flux v1-based cluster configuration resources.

-> Support for Flux v1-based cluster configuration resources created prior to May 1, 2023 will end on [May 24, 2025](https://azure.microsoft.com/updates/migrate-your-gitops-configurations-from-flux-v1-to-flux-v2-by-24-may-2025/). Starting on May 1, 2023, you won't be able to create new Flux v1-based cluster configuration resources.

-* Use familiar Azure services and management capabilities, regardless of where they live.

-* Use GitOps to deploy configuration across one or more clusters from Git repositories.

-With Key Vault, you can import or generate encryption keys in HSMs, ensuring that keys never leave the HSM protection boundary to support *bring your own key (BYOK)* scenarios, as shown in Figure 3. **Keys generated inside the Key Vault HSMs aren't exportable ΓÇô there can be no clear-text version of the key outside the HSMs.** This binding is enforced by the underlying HSM. BYOK functionality is available with both [key vaults](../key-vault/keys/hsm-protected-keys.md) and [managed HSMs](../key-vault/managed-hsm/hsm-protected-keys-byok.md). Methods for transferring HSM-protected keys to Key Vault vary depending on the underlying HSM, as explained in online documentation.

-**Azure Key Vault is designed, deployed, and operated such that Microsoft and its agents don't see or extract your cryptographic keys.** For extra assurances, see [How does Azure Key Vault protect your keys?](../key-vault/managed-hsm/mhsm-control-data.md#how-does-azure-key-vault-managed-hsm-protect-your-keys)

-In addition to being isolated inside sandboxes, pico-processes are also substantially isolated from each other. Each pico-process resides in its own virtual memory address space and runs its own copy of the Library OS with its own user-mode kernel. Each time a user process is launched in a Drawbridge sandbox, a fresh Library OS instance is booted. While this task is more time-consuming compared to launching a non-isolated process on Windows, it's substantially faster than booting a VM while accomplishing logical isolation.

-> [!NOTE]

-> Microsoft provides detailed customer guidance on **[Windows](../virtual-machines/windows/quick-create-portal.md)** and **[Linux](../virtual-machines/linux/quick-create-portal.md)** Azure Virtual Machine provisioning using the Azure portal, Azure PowerShell, and Azure CLI.

-Table 5 summarizes the available security guidance for your virtual machines provisioned in Azure.

-These implementations give each service the illusion that all the servers assigned to it, and only those servers, are connected by a single non-interfering Ethernet switch ΓÇô a Virtual Layer 2 (VL2) ΓÇô and maintain this illusion even as the size of each service varies from one server to hundreds of thousands. This VL2 implementation achieves traffic performance isolation, ensuring that it isn't possible for the traffic of one service to be affected by the traffic of any other service, as if each service were connected by a separate physical switch.

-This section explains how packets flow through the Azure network, and how the topology, routing design, and directory system combine to virtualize the underlying network fabric, creating the illusion that servers are connected to a large, non-interfering datacenter-wide Layer-2 switch.

-Azure provides extensive options for [data encryption at rest](../security/fundamentals/encryption-atrest.md) to help you safeguard your data and meet your compliance needs using both Microsoft-managed encryption keys and customer-managed encryption keys. For more information, see [data encryption models](../security/fundamentals/encryption-models.md). This process relies on multiple encryption keys and services such as Azure Key Vault and Azure Active Directory to ensure secure key access and centralized key management.

-Drive encryption through BitLocker and DM-Crypt is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker and DM-Crypt provide the most protection when used with a Trusted Platform Module (TPM) version 1.2 or higher. The TPM is a microcontroller designed to secure hardware through integrated cryptographic keys ΓÇô it's commonly pre-installed on newer computers. BitLocker and DM-Crypt can use this technology to protect the keys used to encrypt disk volumes and provide integrity to computer boot process.

-Conceptually, this rationale applies regardless of the software that keeps track of reads and writes. For [Azure SQL Database](../security/fundamentals/isolation-choices.md#sql-database-isolation), it's the SQL Database software that does this enforcement. For Azure Storage, it's the Azure Storage software. For non-durable drives of a VM, it's the VHD handling code of the Host OS. The mapping from virtual to physical address takes place outside of the customer VM.

-These protections have been deployed to Azure and are available in Windows Server 2016 and later supported releases. The Hyper-V HyperClear architecture has proven to be a readily extensible design that helps provide strong isolation boundaries against a variety of speculative execution side channel attacks with negligible impact on performance.

-When VMs belonging to different customers are running on the same physical server, it's the HypervisorΓÇÖs job to ensure that they can't learn anything important about what the other customerΓÇÖs VMs are doing. Azure helps block unauthorized direct communication by design; however, there are subtle effects where one customer might be able to characterize the work being done by another customer. The most important of these effects are timing effects when different VMs are competing for the same resources. By carefully comparing operations counts on CPUs with elapsed time, a VM can learn something about what other VMs on the same server are doing. Known as side channel attacks, these exploits have received plenty of attention in the academic press where researchers have been seeking to learn much more specific information about what is going on in a peer VM. Of particular interest are efforts to learn the cryptographic keys of a peer VM by measuring the timing of certain memory accesses and inferring which cache lines the victimΓÇÖs VM is reading and updating. Under controlled conditions with VMs using hyper-threading, successful attacks have been demonstrated against commercially available implementations of cryptographic algorithms. In addition to the previously mentioned Hyper-V HyperClear mitigation architecture that's in use by Azure, there are several extra mitigations in Azure that reduce the risk of such an attack:

-Overall, PaaS ΓÇô or any workload that auto-creates VMs ΓÇô contributes to churn in VM placement that leads to randomized VM allocation. Random placement of your VMs makes it much harder for attackers to get on the same host. In addition, host access is hardened with greatly reduced attack surface that makes these types of exploits difficult to sustain.

-**Azure Government** maintains the following authorizations that pertain to Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia:

-> - Some Azure services deployed in Azure Government regions (US Gov Arizona, US Gov Texas, and US Gov Virginia) require extra configuration to meet DoD IL5 compute and storage isolation requirements, as explained in **[Isolation guidelines for Impact Level 5 workloads](../documentation-government-impact-level-5.md).**

-> - For DoD IL5 PA compliance scope in Azure Government DoD regions (US DoD Central and US DoD East), see **[Azure Government DoD regions IL5 audit scope](../documentation-government-overview-dod.md#us-dod-regions-il5-audit-scope).**

-> - For DoD IL5 PA compliance scope in Azure Government DoD regions US DoD Central and US DoD East (US DoD regions), see **[Azure Government DoD regions IL5 audit scope](../documentation-government-overview-dod.md#us-dod-regions-il5-audit-scope).**

-**Azure Government regions** US Gov Arizona, US Gov Texas, and US Gov Virginia (**US Gov regions**) are intended for US federal (including DoD), state, and local government agencies, and their partners. **Azure Government DoD regions** US DoD Central and US DoD East (**US DoD regions**) are reserved for exclusive DoD use. Separate DoD IL5 PAs are in place for US Gov regions vs. US DoD regions. For service availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=all&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&rar=true).

- - For a complete list of services in scope for DoD IL5 in US DoD regions, see [Azure Government DoD regions IL5 audit scope](#us-dod-regions-il5-audit-scope) in this article.

-Hyperscale cloud also offers a feature-rich environment incorporating the latest cloud innovations such as artificial intelligence, machine learning, IoT services, intelligent edge, and many more to help DoD mission owners implement their mission objectives. Using Azure Government cloud capabilities, you benefit from rapid feature growth, resiliency, and the cost-effective operation of the hyperscale cloud while still obtaining the levels of isolation, security, and confidence required to handle workloads subject to FedRAMP High, DoD IL4, and DoD IL5 requirements.

-### What are the Azure Government DoD regions?

-Azure Government DoD regions US DoD Central and US DoD East (US DoD regions) are physically separated Azure Government regions reserved for exclusive use by the DoD. They reside on the same isolated network as Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia (US Gov regions) and use the same identity model. Both the network and identity model are separate from Azure commercial.

-### What is the difference between Azure Government and Azure Government DoD regions?

-Azure Government is a US government community cloud providing services for federal, state and local government customers, tribal entities, and other entities subject to various US government regulations such as CJIS, ITAR, and others. All Azure Government regions are designed to meet the security requirements for DoD IL5 workloads. They are deployed on a separate and isolated network and use a separate identity model from Azure commercial regions. US DoD regions achieve DoD IL5 tenant separation requirements by being dedicated exclusively to DoD. In US Gov regions , some services require extra configuration to meet DoD IL5 compute and storage isolation requirements, as explained in [Isolation guidelines for Impact Level 5 workloads](./documentation-government-impact-level-5.md).

-For a complete list of services in scope for DoD IL5 PA in US Gov regions, see [Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope). For a complete list of services in scope for DoD IL5 PA in US DoD regions, see [Azure Government DoD regions IL5 audit scope](#us-dod-regions-il5-audit-scope) in this article.

-This article is intended for electric power utilities and [registered entities](https://www.nerc.com/pa/comp/Pages/Registration.aspx) considering cloud adoption for data and workloads subject to compliance with the North American Electric Reliability Corporation (NERC) [Critical Infrastructure Protection (CIP) standards](https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx).

-NERC develops and enforces reliability standards known as NERC [CIP standards](https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx). In the United States, FERC approved the first set of CIP standards in 2007 and has continued to do so with every new revision. In Canada, the Federal, Provincial, and Territorial Monitoring and Enforcement Subgroup (MESG) develops provincial summaries for making CIP standards enforceable in Canadian jurisdictions.

- "Country": "United States"

- "gender": "female",

-

-

-

-

-

-

-</

-

-

-

-

-

-

-

-

-

-

-You can define a data collection rule to send data from multiple machines to multiple Log Analytics workspaces, including workspaces in a different region or tenant. Create the data collection rule in the *same region* as your Log Analytics workspace.

- - **File Pattern** - Identifies where the log files are located on the local disk. You can enter multiple file patterns separated by commas.

-Application Insights is enabled through either [autoinstrumentation](codeless-overview.md) (agent) or by adding the [Application Insights SDK](sdk-support-guidance.md) to your application code. [Many languages](#supported-languages) are supported. The applications could be on Azure, on-premises, or hosted by another cloud. To figure out which type of instrumentation is best for you, see [How do I instrument an application?](#how-do-i-instrument-an-application).

-[autocollected dependencies](opentelemetry-enable.md?tabs=java#distributed-tracing).

-This article describes how to enable and configure OpenTelemetry-based data collection to power the experiences within [Azure Monitor Application Insights](app-insights-overview.md#application-insights-overview). To learn more about OpenTelemetry concepts, see the [OpenTelemetry overview](opentelemetry-overview.md) or [OpenTelemetry FAQ](/azure/azure-monitor/faq#opentelemetry).

-> For a feature-by-feature release status, see the [FAQ](../faq.yml#what-s-the-current-release-state-of-features-within-each-opentelemetry-offering-).

-### [.NET](#tab/net)

-### Install the client libraries

-#### [.NET](#tab/net)

-Install the latest [Azure.Monitor.OpenTelemetry.Exporter](https://www.nuget.org/packages/Azure.Monitor.OpenTelemetry.Exporter) NuGet package:

-```dotnetcli

-dotnet add package --prerelease Azure.Monitor.OpenTelemetry.Exporter

-```

-If you get an error like "There are no versions available for the package Azure.Monitor.OpenTelemetry.Exporter," it's probably because the setting of NuGet package sources is missing. Try to specify the source with the `-s` option:

-# Install the latest package with the NuGet package source specified.

-dotnet add package --prerelease Azure.Monitor.OpenTelemetry.Exporter -s https://api.nuget.org/v3/index.json

-> If you are upgrading from an earlier 3.x version, you may be impacted by changing defaults or slight differences in the data we collect. See the migration notes at the top of the release notes for

-> for more details.

-npm install @opentelemetry/sdk-trace-base

-npm install @opentelemetry/sdk-trace-node

-npm install @azure/monitor-opentelemetry-exporter

-npm install @opentelemetry/api

-npm install @opentelemetry/instrumentation-http

-This section provides guidance that shows how to enable OpenTelemetry.

-#### Instrument with OpenTelemetry

-##### [.NET](#tab/net)

-The following code demonstrates how to enable OpenTelemetry in a C# console application by setting up OpenTelemetry TracerProvider. This code must be in the application startup. For ASP.NET Core, it's done typically in the `ConfigureServices` method of the application `Startup` class. For ASP.NET applications, it's done typically in `Global.asax.cs`.

-```csharp

-using System.Diagnostics;

-using Azure.Monitor.OpenTelemetry.Exporter;

-using OpenTelemetry;

-using OpenTelemetry.Trace;

-public class Program

-{

- private static readonly ActivitySource MyActivitySource = new ActivitySource(

- "OTel.AzureMonitor.Demo");

- public static void Main()

- {

- using var tracerProvider = Sdk.CreateTracerProviderBuilder()

- .AddSource("OTel.AzureMonitor.Demo")

- .AddAzureMonitorTraceExporter(o =>

- {

- o.ConnectionString = "<Your Connection String>";

- })

- .Build();

- using (var activity = MyActivitySource.StartActivity("TestActivity"))

- {

- activity?.SetTag("CustomTag1", "Value1");

- activity?.SetTag("CustomTag2", "Value2");

- }

- System.Console.WriteLine("Press Enter key to exit.");

- System.Console.ReadLine();

- }

-}

-> [!NOTE]

-> The `Activity` and `ActivitySource` classes from the `System.Diagnostics` namespace represent the OpenTelemetry concepts of `Span` and `Tracer`, respectively. You create `ActivitySource` directly by using its constructor instead of by using `TracerProvider`. Each [`ActivitySource`](https://github.com/open-telemetry/opentelemetry-dotnet/tree/main/docs/trace/customizing-the-sdk#activity-source) class must be explicitly connected to `TracerProvider` by using `AddSource()`. That's because parts of the OpenTelemetry tracing API are incorporated directly into the .NET runtime. To learn more, see [Introduction to OpenTelemetry .NET Tracing API](https://github.com/open-telemetry/opentelemetry-dotnet/blob/main/src/OpenTelemetry.Api/README.md#introduction-to-opentelemetry-net-tracing-api).

-Java auto-instrumentation is enabled through configuration changes; no code changes are required.

-The following code demonstrates how to enable OpenTelemetry in a simple JavaScript application:

-const { AzureMonitorTraceExporter } = require("@azure/monitor-opentelemetry-exporter");

-const { BatchSpanProcessor } = require("@opentelemetry/sdk-trace-base");

-const { NodeTracerProvider } = require("@opentelemetry/sdk-trace-node");

-const { context, trace } = require("@opentelemetry/api")

-const provider = new NodeTracerProvider();

-provider.register();

-// Create an exporter instance.

-const exporter = new AzureMonitorTraceExporter({

- connectionString: "<Your Connection String>"

-});

-// Add the exporter to the provider.

-provider.addSpanProcessor(

- new BatchSpanProcessor(exporter)

-);

-// Create a tracer.

-const tracer = trace.getTracer("example-basic-tracer-node");

-// Create a span. A span must be closed.

-const parentSpan = tracer.startSpan("main");

-for (let i = 0; i < 10; i += 1) {

- doWork(parentSpan);

-}

-// Be sure to end the span.

-parentSpan.end();

-function doWork(parent) {

- // Start another span. In this example, the main method already started a

- // span, so that will be the parent span, and this will be a child span.

- const ctx = trace.setSpan(context.active(), parent);

- // Set attributes to the span.

- // Check the SpanOptions interface for more options that can be set into the span creation

- const spanOptions = {

- attributes: {

- "key": "value"

- }

- };

- const span = tracer.startSpan("doWork", spanOptions, ctx);

- // Simulate some random work.

- for (let i = 0; i <= Math.floor(Math.random() * 40000000); i += 1) {

- // empty

- }

- // Annotate our span to capture metadata about our operation.

- span.addEvent("invoking doWork");

- // Mark the end of span execution.

- span.end();

-}

-The following code demonstrates how to enable OpenTelemetry in a simple Python application:

-> For .NET, Node.js, and Python, you'll need to manually add [instrumentation libraries](#instrumentation-libraries) to autocollect telemetry across popular frameworks and libraries. For Java, these instrumentation libraries are already included and no additional steps are required.

-#### Set the Application Insights connection string

-You can find your connection string in the Overview Pane of your Application Insights Resource.

-Here's how you set the connection string.

-#### [.NET](#tab/net)

-Replace the `<Your Connection String>` in the preceding code with the connection string from *your* Application Insights resource.

-#### [Java](#tab/java)

-Use one of the following two ways to point the jar file to your Application Insights resource:

-

-

-#### [Node.js](#tab/nodejs)

-Replace the `<Your Connection String>` in the preceding code with the connection string from *your* Application Insights resource.

-#### [Python](#tab/python)

-Replace the `<Your Connection String>` in the preceding code with the connection string from *your* Application Insights resource.

-> [!NOTE]

-> If you can't run the application or you aren't getting data as expected, see [Troubleshooting](#troubleshooting).

-> [!IMPORTANT]

-> If you have two or more services that emit telemetry to the same Application Insights resource, you're required to [set Cloud Role Names](#set-the-cloud-role-name-and-the-cloud-role-instance) to represent them properly on the Application Map.

-As part of using Application Insights instrumentation, we collect and send diagnostic data to Microsoft. This data helps us run and improve Application Insights. To learn more, see [Statsbeat in Azure Application Insights](./statsbeat.md).

-## Set the Cloud Role Name and the Cloud Role Instance

-You might want to update the [Cloud Role Name](app-map.md#understand-the-cloud-role-name-within-the-context-of-an-application-map) and the Cloud Role Instance from the default values to something that makes sense to your team. They'll appear on the Application Map as the name underneath a node.

-### [.NET](#tab/net)

-Set the Cloud Role Name and the Cloud Role Instance via [Resource](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/sdk.md#resource-sdk) attributes. Cloud Role Name uses `service.namespace` and `service.name` attributes, although it falls back to `service.name` if `service.namespace` isn't set. Cloud Role Instance uses the `service.instance.id` attribute value. For information on standard attributes for resources, see [Resource Semantic Conventions](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/semantic_conventions/README.md).

-```csharp

-// Setting role name and role instance

-var resourceAttributes = new Dictionary<string, object> {

- { "service.name", "my-service" },

- { "service.namespace", "my-namespace" },

- { "service.instance.id", "my-instance" }};

-var resourceBuilder = ResourceBuilder.CreateDefault().AddAttributes(resourceAttributes);

-// Done setting role name and role instance

-// Set ResourceBuilder on the provider.

-var tracerProvider = Sdk.CreateTracerProviderBuilder()

- .SetResourceBuilder(resourceBuilder)

- .AddSource("OTel.AzureMonitor.Demo")

- .AddAzureMonitorTraceExporter(o =>

- {

- o.ConnectionString = "<Your Connection String>";

- })

- .Build();

-```

-### [Java](#tab/java)

-To set the cloud role name, see [cloud role name](java-standalone-config.md#cloud-role-name).

-To set the cloud role instance, see [cloud role instance](java-standalone-config.md#cloud-role-instance).

-### [Node.js](#tab/nodejs)

-Set the Cloud Role Name and the Cloud Role Instance via [Resource](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/sdk.md#resource-sdk) attributes. Cloud Role Name uses `service.namespace` and `service.name` attributes, although it falls back to `service.name` if `service.namespace` isn't set. Cloud Role Instance uses the `service.instance.id` attribute value. For information on standard attributes for resources, see [Resource Semantic Conventions](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/semantic_conventions/README.md).

-```javascript

-...

-const { Resource } = require("@opentelemetry/resources");

-const { SemanticResourceAttributes } = require("@opentelemetry/semantic-conventions");

-const { NodeTracerProvider } = require("@opentelemetry/sdk-trace-node");

-const { MeterProvider } = require("@opentelemetry/sdk-metrics")

-// -

-// Setting role name and role instance

-// -

-const testResource = new Resource({

- [SemanticResourceAttributes.SERVICE_NAME]: "my-helloworld-service",

- [SemanticResourceAttributes.SERVICE_NAMESPACE]: "my-namespace",

- [SemanticResourceAttributes.SERVICE_INSTANCE_ID]: "my-instance",

-});

-// -

-// Done setting role name and role instance

-// -

-const tracerProvider = new NodeTracerProvider({

- resource: testResource

-});

-const meterProvider = new MeterProvider({

- resource: testResource

-});

-```

-### [Python](#tab/python)

-Set the Cloud Role Name and the Cloud Role Instance via [Resource](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/sdk.md#resource-sdk) attributes. Cloud Role Name uses `service.namespace` and `service.name` attributes, although it falls back to `service.name` if `service.namespace` isn't set. Cloud Role Instance uses the `service.instance.id` attribute value. For information on standard attributes for resources, see [Resource Semantic Conventions](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/semantic_conventions/README.md).

-```python

-...

-from azure.monitor.opentelemetry import configure_azure_monitor

-from opentelemetry.sdk.resources import Resource, ResourceAttributes

-configure_azure_monitor(

- connection_string="<your-connection-string>",

- resource=Resource.create(

- {

- ResourceAttributes.SERVICE_NAME: "my-helloworld-service",

-# -

-# Setting role name and role instance

-# -

- ResourceAttributes.SERVICE_NAMESPACE: "my-namespace",

- ResourceAttributes.SERVICE_INSTANCE_ID: "my-instance",

-# -

-# Done setting role name and role instance

-# -

- }

- )

-)

-...

-```

-## Enable Sampling

-You may want to enable sampling to reduce your data ingestion volume, which reduces your cost. Azure Monitor provides a custom *fixed-rate* sampler that populates events with a "sampling ratio", which Application Insights converts to "ItemCount". The *fixed-rate* sampler ensures accurate experiences and event counts. The sampler is designed to preserve your traces across services, and it's interoperable with older Application Insights SDKs. For more information, see [Learn More about sampling](sampling.md#brief-summary).

-> [!NOTE]

-> Metrics are unaffected by sampling.

-#### [.NET](#tab/net)

-The sampler expects a sample rate of between 0 and 1 inclusive. A rate of 0.1 means approximately 10% of your traces will be sent.

-In this example, we utilize the `ApplicationInsightsSampler`, which offers compatibility with Application Insights SDKs.

-```dotnetcli

-dotnet add package --prerelease OpenTelemetry.Extensions.AzureMonitor

-```

-```csharp

-var tracerProvider = Sdk.CreateTracerProviderBuilder()

- .AddSource("OTel.AzureMonitor.Demo")

- .SetSampler(new ApplicationInsightsSampler(0.1F))

- .AddAzureMonitorTraceExporter(o =>

- {

- o.ConnectionString = "<Your Connection String>";

- })

- .Build();

-```

-#### [Java](#tab/java)

-Starting from 3.4.0, rate-limited sampling is available and is now the default. See [sampling]( java-standalone-config.md#sampling) for more information.

-#### [Node.js](#tab/nodejs)

-```javascript

-const { BasicTracerProvider, SimpleSpanProcessor } = require("@opentelemetry/sdk-trace-base");

-const { ApplicationInsightsSampler, AzureMonitorTraceExporter } = require("@azure/monitor-opentelemetry-exporter");

-// Sampler expects a sample rate of between 0 and 1 inclusive

-// A rate of 0.1 means approximately 10% of your traces are sent

-const aiSampler = new ApplicationInsightsSampler(0.75);

-const provider = new BasicTracerProvider({

- sampler: aiSampler

-});

-const exporter = new AzureMonitorTraceExporter({

- connectionString: "<Your Connection String>"

-});

-provider.addSpanProcessor(new SimpleSpanProcessor(exporter));

-provider.register();

-```

-#### [Python](#tab/python)

-The `configure_azure_monitor()` function will automatically utilize

-ApplicationInsightsSampler for compatibility with Application Insights SDKs and

-to sample your telemetry. The `sampling_ratio` parameter can be used to specify

-the sampling rate, with a valid range of 0 to 1, where 0 is 0% and 1 is 100%.

-For example, a value of 0.1 means 10% of your traces will be sent.

-```python

-from azure.monitor.opentelemetry import configure_azure_monitor

-from opentelemetry import trace

-configure_azure_monitor(

- # connection_string="<your-connection-string>",

- # Sampling ratio of between 0 and 1 inclusive

- # 0.1 means approximately 10% of your traces are sent

- sampling_ratio=0.1,

-)

-tracer = trace.get_tracer(__name__)

-for i in range(100):

- # Approximately 90% of these spans should be sampled out

- with tracer.start_as_current_span("hello"):

- print("Hello, World!")

-```

-> [!TIP]

-> When using fixed-rate/percentage sampling and you aren't sure what to set the sampling rate as, start at 5% (i.e., 0.05 sampling ratio) and adjust the rate based on the accuracy of the operations shown in the failures and performance blades. A higher rate generally results in higher accuracy. However, ANY sampling will affect accuracy so we recommend alerting on [OpenTelemetry metrics](#metrics), which are unaffected by sampling.

-## Instrumentation libraries

-The following libraries are validated to work with the current release.

-> [!WARNING]

-> Instrumentation libraries are based on experimental OpenTelemetry specifications, which impacts languages in [preview status](#opentelemetry-release-status). Microsoft's *preview* support commitment is to ensure that the following libraries emit data to Azure Monitor Application Insights, but it's possible that breaking changes or experimental mapping will block some data elements.

-### Distributed Tracing

-#### [.NET](#tab/net)

- [1.0.0-rc9.6](https://www.nuget.org/packages/OpenTelemetry.Instrumentation.AspNet/1.0.0-rc9.6)

- Core](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.7/src/OpenTelemetry.Instrumentation.AspNetCore/README.md) ^{[1](#FOOTNOTEONE)} version:

- [1.0.0-rc9.7](https://www.nuget.org/packages/OpenTelemetry.Instrumentation.AspNetCore/1.0.0-rc9.7)

- clients](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.7/src/OpenTelemetry.Instrumentation.Http/README.md) ^{[1](#FOOTNOTEONE)} version:

- [1.0.0-rc9.7](https://www.nuget.org/packages/OpenTelemetry.Instrumentation.Http/1.0.0-rc9.7)

- client](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.7/src/OpenTelemetry.Instrumentation.SqlClient/README.md) ^{[1](#FOOTNOTEONE)} version:

- [1.0.0-rc9.7](https://www.nuget.org/packages/OpenTelemetry.Instrumentation.SqlClient/1.0.0-rc9.7)

-#### [Java](#tab/java)

-Java 3.x includes the following auto-instrumentation.

-Autocollected requests:

-> Servlet and Netty auto-instrumentation covers the majority of Java HTTP services, including Java EE, Jakarta EE, Spring Boot, Quarkus, and Micronaut.

-Autocollected dependencies (plus downstream distributed trace propagation):

-Autocollected dependencies (without downstream distributed trace propagation):

-Requests/Dependencies

- [0.33.0](https://www.npmjs.com/package/@opentelemetry/instrumentation-http/v/0.33.0)

-

-Dependencies

- [0.25.0](https://www.npmjs.com/package/@opentelemetry/instrumentation-mysql/v/0.25.0)

-#### [Python](#tab/python)

- [0.36b0](https://pypi.org/project/opentelemetry-instrumentation-django/0.36b0/)

- [0.36b0](https://pypi.org/project/opentelemetry-instrumentation-fastapi/0.36b0/)

- [0.36b0](https://pypi.org/project/opentelemetry-instrumentation-flask/0.36b0/)

- [0.36b0](https://pypi.org/project/opentelemetry-instrumentation-psycopg2/0.36b0/)

- [0.36b0](https://pypi.org/project/opentelemetry-instrumentation-requests/0.36b0/)

- [0.36b0](https://pypi.org/project/opentelemetry-instrumentation-urllib/0.36b0/)

- [0.36b0](https://pypi.org/project/opentelemetry-instrumentation-urllib3/0.36b0/)

-### Metrics

-#### [.NET](#tab/net)

- [1.0.0-rc9.6](https://www.nuget.org/packages/OpenTelemetry.Instrumentation.AspNet/1.0.0-rc9.6)

- Core](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.7/src/OpenTelemetry.Instrumentation.AspNetCore/README.md) version:

- [1.0.0-rc9.7](https://www.nuget.org/packages/OpenTelemetry.Instrumentation.AspNetCore/1.0.0-rc9.7)

- clients](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.7/src/OpenTelemetry.Instrumentation.Http/README.md) version:

- [1.0.0-rc9.7](https://www.nuget.org/packages/OpenTelemetry.Instrumentation.Http/1.0.0-rc9.7)

-#### [Java](#tab/java)

-Autocollected metrics

-* Micrometer Metrics, including Spring Boot Actuator metrics

-* JMX Metrics

-#### [Node.js](#tab/nodejs)

- [0.33.0](https://www.npmjs.com/package/@opentelemetry/instrumentation-http/v/0.33.0)

-#### [Python](#tab/python)

-Autocollected metrics

-> [!TIP]

-> The OpenTelemetry-based offerings currently emit all metrics as [Custom Metrics](#add-custom-metrics) and [Performance Counters](standard-metrics.md#performance-counters) in Metrics Explorer. For .NET, Node.js, and Python, whatever you set as the meter name becomes the metrics namespace.

-### Logs

-#### [.NET](#tab/net)

-Coming soon.

-#### [Java](#tab/java)

-Autocollected logs

-* Logback ^{[1](#FOOTNOTEONE)} ^{[2](#FOOTNOTETWO)} (including MDC properties)

-* Log4j ^{[1](#FOOTNOTEONE)} ^{[2](#FOOTNOTETWO)} (including MDC/Thread Context properties)

-* JBoss Logging ^{[1](#FOOTNOTEONE)} ^{[2](#FOOTNOTETWO)} (including MDC properties)

-* java.util.logging ^{[1](#FOOTNOTEONE)} ^{[2](#FOOTNOTETWO)}

-#### [Node.js](#tab/nodejs)

-Coming soon.

-#### [Python](#tab/python)

-Autocollected logs

-* [Python logging library](https://docs.python.org/3/howto/logging.html) ^{[3](#FOOTNOTETHREE)}

-See [this](https://github.com/microsoft/ApplicationInsights-Python/tree/main/azure-monitor-opentelemetry/samples/logging) for examples of using the Python logging library.

-**Footnotes**

-| Custom Telemetry Types | Custom Events | Custom Metrics | Dependencies | Exceptions | Page Views | Requests | Traces |

-| **.NET** | | | | | | | |

-| &nbsp;&nbsp;&nbsp;Winston, Pino, Bunyan | | | | | | | Yes |

-> Application Insights Java 3.x listens for telemetry that's sent to the Application Insights Classic API. Similarly, Application Insights Node.js 3.x collects events created with the Application Insights Classic API. This makes upgrading easier and fills a gap in our custom telemetry support until all custom telemetry types are supported via the OpenTelemetry API.

-You may want to collect metrics beyond what is collected by [instrumentation libraries](#instrumentation-libraries).

-The OpenTelemetry API offers six metric "instruments" to cover various metric scenarios and you'll need to pick the correct "Aggregation Type" when visualizing metrics in Metrics Explorer. This requirement is true when using the OpenTelemetry Metric API to send metrics and when using an instrumentation library.

-> The histogram is the most versatile and most closely equivalent to the Application Insights Track Metric Classic API. Azure Monitor currently flattens the histogram instrument into our five supported aggregation types, and support for percentiles is underway. Although less versatile, other OpenTelemetry instruments have a lesser impact on your application's performance.

-#### [.NET](#tab/net)

-using System.Diagnostics.Metrics;

-using Azure.Monitor.OpenTelemetry.Exporter;

-using OpenTelemetry;

-using OpenTelemetry.Metrics;

-public class Program

-{

- private static readonly Meter meter = new("OTel.AzureMonitor.Demo");

- public static void Main()

- {

- using var meterProvider = Sdk.CreateMeterProviderBuilder()

- .AddMeter("OTel.AzureMonitor.Demo")

- .AddAzureMonitorMetricExporter(o =>

- {

- o.ConnectionString = "<Your Connection String>";

- })

- .Build();

- Histogram<long> myFruitSalePrice = meter.CreateHistogram<long>("FruitSalePrice");

- var rand = new Random();

- myFruitSalePrice.Record(rand.Next(1, 1000), new("name", "apple"), new("color", "red"));

- myFruitSalePrice.Record(rand.Next(1, 1000), new("name", "lemon"), new("color", "yellow"));

- myFruitSalePrice.Record(rand.Next(1, 1000), new("name", "lemon"), new("color", "yellow"));

- myFruitSalePrice.Record(rand.Next(1, 1000), new("name", "apple"), new("color", "green"));

- myFruitSalePrice.Record(rand.Next(1, 1000), new("name", "apple"), new("color", "red"));

- myFruitSalePrice.Record(rand.Next(1, 1000), new("name", "lemon"), new("color", "yellow"));

- System.Console.WriteLine("Press Enter key to exit.");

- System.Console.ReadLine();

- }

-}

- const {

- MeterProvider,

- PeriodicExportingMetricReader,

- } = require("@opentelemetry/sdk-metrics");

- const {

- AzureMonitorMetricExporter,

- } = require("@azure/monitor-opentelemetry-exporter");

- const provider = new MeterProvider();

- const exporter = new AzureMonitorMetricExporter({

- connectionString: "<Your Connection String>",

- });

- const metricReader = new PeriodicExportingMetricReader({

- exporter: exporter,

- });

- provider.addMetricReader(metricReader);

- const meter = provider.getMeter("OTel.AzureMonitor.Demo");

- histogram.record(1, { testKey: "testValue" });

- histogram.record(30, { testKey: "testValue2" });

- histogram.record(100, { testKey2: "testValue" });

-#### [.NET](#tab/net)

-using System.Diagnostics.Metrics;

-using Azure.Monitor.OpenTelemetry.Exporter;

-using OpenTelemetry;

-using OpenTelemetry.Metrics;

-public class Program

-{

- private static readonly Meter meter = new("OTel.AzureMonitor.Demo");

- public static void Main()

- {

- using var meterProvider = Sdk.CreateMeterProviderBuilder()

- .AddMeter("OTel.AzureMonitor.Demo")

- .AddAzureMonitorMetricExporter(o =>

- {

- o.ConnectionString = "<Your Connection String>";

- })

- .Build();

- Counter<long> myFruitCounter = meter.CreateCounter<long>("MyFruitCounter");

- myFruitCounter.Add(1, new("name", "apple"), new("color", "red"));

- myFruitCounter.Add(2, new("name", "lemon"), new("color", "yellow"));

- myFruitCounter.Add(1, new("name", "lemon"), new("color", "yellow"));

- myFruitCounter.Add(2, new("name", "apple"), new("color", "green"));

- myFruitCounter.Add(5, new("name", "apple"), new("color", "red"));

- myFruitCounter.Add(4, new("name", "lemon"), new("color", "yellow"));

- System.Console.WriteLine("Press Enter key to exit.");

- System.Console.ReadLine();

- }

-}

- const {

- MeterProvider,

- PeriodicExportingMetricReader,

- } = require("@opentelemetry/sdk-metrics");

- const { AzureMonitorMetricExporter } = require("@azure/monitor-opentelemetry-exporter");

- const provider = new MeterProvider();

- const exporter = new AzureMonitorMetricExporter({

- connectionString: "<Your Connection String>",

- });

- const metricReader = new PeriodicExportingMetricReader({

- exporter: exporter,

- });

- provider.addMetricReader(metricReader);

- const meter = provider.getMeter("OTel.AzureMonitor.Demo");

-#### [.NET](#tab/net)

- private static readonly Meter meter = new("OTel.AzureMonitor.Demo");

-#### [Node.js](#tab/nodejs)

-```javascript

- const {

- MeterProvider,

- PeriodicExportingMetricReader

- } = require("@opentelemetry/sdk-metrics");

- const { AzureMonitorMetricExporter } = require("@azure/monitor-opentelemetry-exporter");

- const provider = new MeterProvider();

- const exporter = new AzureMonitorMetricExporter({

- connectionString:

- connectionString: "<Your Connection String>",

- });

- const metricReader = new PeriodicExportingMetricReader({

- exporter: exporter

- });

- provider.addMetricReader(metricReader);

- const meter = provider.getMeter("OTel.AzureMonitor.Demo");

- gauge.addCallback((observableResult) => {

-#### [.NET](#tab/net)

-const { trace } = require("@opentelemetry/api");

-const { BasicTracerProvider, SimpleSpanProcessor } = require("@opentelemetry/sdk-trace-base");

-const { AzureMonitorTraceExporter } = require("@azure/monitor-opentelemetry-exporter");

-const provider = new BasicTracerProvider();

-const exporter = new AzureMonitorTraceExporter({

- connectionString: "<Your Connection String>",

-});

-provider.addSpanProcessor(new SimpleSpanProcessor(exporter));

-provider.register();

-const tracer = trace.getTracer("example-basic-tracer-node");

-The OpenTelemetry Python SDK is implemented in such a way that exceptions thrown will automatically be captured and recorded. See below for an example of this behavior.

-within the context manager and use `record_exception()` directly as shown below:

-You may want to add a custom span when there's a dependency request that's not already collected by an instrumentation library or an application process that you wish to model as a span on the end-to-end transaction view.

-

-#### [.NET](#tab/net)

-

-Coming soon.

-#### Use the OpenTelemetry annotation

-By default, the span will end up in the `dependencies` table with dependency type `InProc`.

-If your method represents a background job that isn't already captured by auto-instrumentation,

-we recommend that you apply the attribute `kind = SpanKind.SERVER` to the `@WithSpan` annotation

-so that it will end up in the Application Insights `requests` table.

-#### Use the OpenTelemetry API

-Coming soon.

-

-#### [Python](#tab/python)

-#### Use the OpenTelemetry API

-The OpenTelemetry API can be used to add your own spans, which will appear in

-the `requests` and `dependencies` tables in Application Insights.

-The code example shows how to use the `tracer.start_as_current_span()` method to

-start, make the span current, and end the span within its context.

-By default, the span will be in the `dependencies` table with a dependency type of `InProc`.

-If your method represents a background job that isn't already captured by

-auto-instrumentation, we recommend that you set the attribute `kind =

-SpanKind.SERVER` so that it will end up in the Application Insights `requests`

-table.

-#### [.NET](#tab/net)

-Coming soon.

-Coming soon.

-Coming soon.

-We recommend you use the OpenTelemetry APIs whenever possible, but there may be some scenarios when you have to use the Application Insights Classic APIs.

-

-#### [.NET](#tab/net)

-This is not available in .NET.

-

-Coming soon.

-

-This is not available in Python.

-##### [.NET](#tab/net)

-* Use options provided by [instrumentation libraries](#instrumentation-libraries).

- - [ASP.NET](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/blob/Instrumentation.AspNet-1.0.0-rc9.6/src/OpenTelemetry.Instrumentation.AspNet/README.md#enrich)

- - [ASP.NET Core](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.7/src/OpenTelemetry.Instrumentation.AspNetCore/README.md#enrich)

- - [HttpClient and HttpWebRequest](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.7/src/OpenTelemetry.Instrumentation.Http/README.md#enrich)

-> Add the processor shown here *before* the Azure Monitor Exporter.

-using var tracerProvider = Sdk.CreateTracerProviderBuilder()

- .AddSource("OTel.AzureMonitor.Demo")

- .AddProcessor(new ActivityEnrichingProcessor())

- .AddAzureMonitorTraceExporter(o =>

- {

- o.ConnectionString = "<Your Connection String>"

- })

- .Build();

-Use a custom processor:

-> [!TIP]

-> Add the processor shown here *before* the Azure Monitor Exporter.

-```javascript

-const { AzureMonitorTraceExporter } = require("@azure/monitor-opentelemetry-exporter");

-const { NodeTracerProvider } = require("@opentelemetry/sdk-trace-node");

-const { SimpleSpanProcessor } = require("@opentelemetry/sdk-trace-base");

-class SpanEnrichingProcessor {

- forceFlush() {

- shutdown() {

- onStart(_span){}

- onEnd(span){

-const provider = new NodeTracerProvider();

-const azureExporter = new AzureMonitorTraceExporter({

- connectionString: "<Your Connection String>"

-});

-provider.addSpanProcessor(new SpanEnrichingProcessor());

-provider.addSpanProcessor(new SimpleSpanProcessor(azureExporter));

-##### [.NET](#tab/net)

-```javascript

-class SpanEnrichingProcessor {

-You can populate the _user_Id_ or _user_AuthenticatedId_ field for requests by using the guidance below. User ID is an anonymous user identifier. Authenticated User ID is a known user identifier.

-##### [.NET](#tab/net)

-Coming soon.

-#### [.NET](#tab/net)

-

-Coming soon.

-Logback, Log4j, and java.util.logging are [auto-instrumented](#logs). Attaching custom dimensions to your logs can be accomplished in these ways:

-* [Logback MDC](http://logback.qos.ch/manual/mdc.html)

-* [Log4j 2 MapMessage](https://logging.apache.org/log4j/2.x/log4j-api/apidocs/org/apache/logging/log4j/message/MapMessage.html) (a `MapMessage` key of `"message"` will be captured as the log message)

-Coming soon.

-The Python [logging](https://docs.python.org/3/howto/logging.html) library is [auto-instrumented](#logs). You can attach custom dimensions to your logs by passing a dictionary into the `extra` argument of your logs.

-#### [.NET](#tab/net)

- - [ASP.NET](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/blob/Instrumentation.AspNet-1.0.0-rc9.6/src/OpenTelemetry.Instrumentation.AspNet/README.md#filter)

- - [ASP.NET Core](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.7/src/OpenTelemetry.Instrumentation.AspNetCore/README.md#filter)

- - [HttpClient and HttpWebRequest](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.7/src/OpenTelemetry.Instrumentation.Http/README.md#filter)

- using var tracerProvider = Sdk.CreateTracerProviderBuilder()

- .AddSource("OTel.AzureMonitor.Demo")

- .AddProcessor(new ActivityFilteringProcessor())

- .AddAzureMonitorTraceExporter(o =>

- {

- o.ConnectionString = "<Your Connection String>"

- })

- .Build();

-1. If a particular source isn't explicitly added by using `AddSource("ActivitySourceName")`, then none of the activities created by using that source will be exported.

- ```javascript

- const { registerInstrumentations } = require( "@opentelemetry/instrumentation");

- const { HttpInstrumentation } = require( "@opentelemetry/instrumentation-http");

- const { NodeTracerProvider } = require( "@opentelemetry/sdk-trace-node");

- const httpInstrumentationConfig = {

- ignoreIncomingRequestHook: (request) => {

- ignoreOutgoingRequestHook: (options) => {

- const httpInstrumentation = new HttpInstrumentation(httpInstrumentationConfig);

- const provider = new NodeTracerProvider();

- provider.register();

- registerInstrumentations({

- instrumentations: [

- httpInstrumentation,

- ]

- });

- ```javascript

-

-#### [Python](#tab/python)

-1. Exclude the URL option provided by many HTTP instrumentation libraries.

- The following example shows how to exclude a specific URL from being tracked by using the [Flask](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-flask) instrumentation configuration options in the `configure_azure_monitor()` function.

- # Pass in instrumentation configuration via kwargs

- # Key: <instrumentation-name>_config

- # Value: Dictionary of configuration keys and values

- flask_config={"excluded_urls": "http://localhost:8080/ignore"},

-You might want to get the trace ID or span ID. If you have logs that are sent to a different destination besides Application Insights, you might want to add the trace ID or span ID to enable better correlation when you debug and diagnose issues.

-#### [.NET](#tab/net)

-Coming soon.

-Coming soon.

-## Enable the OTLP Exporter

-You might want to enable the OpenTelemetry Protocol (OTLP) Exporter alongside your Azure Monitor Exporter to send your telemetry to two locations.

-> [!NOTE]

-> The OTLP Exporter is shown for convenience only. We don't officially support the OTLP Exporter or any components or third-party experiences downstream of it.

-#### [.NET](#tab/net)

-1. Install the [OpenTelemetry.Exporter.OpenTelemetryProtocol](https://www.nuget.org/packages/OpenTelemetry.Exporter.OpenTelemetryProtocol/) package along with [Azure.Monitor.OpenTelemetry.Exporter](https://www.nuget.org/packages/Azure.Monitor.OpenTelemetry.Exporter) in your project.

-1. Add the following code snippet. This example assumes you have an OpenTelemetry Collector with an OTLP receiver running. For details, see the [example on GitHub](https://github.com/open-telemetry/opentelemetry-dotnet/blob/main/examples/Console/TestOtlpExporter.cs).

-

- ```csharp

- // Sends data to Application Insights as well as OTLP

- using var tracerProvider = Sdk.CreateTracerProviderBuilder()

- .AddSource("OTel.AzureMonitor.Demo")

- .AddAzureMonitorTraceExporter(o =>

- {

- o.ConnectionString = "<Your Connection String>"

- })

- .AddOtlpExporter()

- .Build();

- ```

-#### [Java](#tab/java)

-Coming soon.

-#### [Node.js](#tab/nodejs)

-1. Install the [OpenTelemetry Collector Exporter](https://www.npmjs.com/package/@opentelemetry/exporter-otlp-http) package along with the [Azure Monitor OpenTelemetry Exporter](https://www.npmjs.com/package/@azure/monitor-opentelemetry-exporter) in your project.

- ```sh

- npm install @opentelemetry/exporter-otlp-http

- npm install @azure/monitor-opentelemetry-exporter

- ```

-2. Add the following code snippet. This example assumes you have an OpenTelemetry Collector with an OTLP receiver running. For details, see the [example on GitHub](https://github.com/open-telemetry/opentelemetry-js/tree/main/examples/otlp-exporter-node).

- ```javascript

- const { BasicTracerProvider, SimpleSpanProcessor } = require('@opentelemetry/sdk-trace-base');

- const { OTLPTraceExporter } = require('@opentelemetry/exporter-otlp-http');

- const { AzureMonitorTraceExporter } = require("@azure/monitor-opentelemetry-exporter");

-

- const provider = new BasicTracerProvider();

- const azureMonitorExporter = new AzureMonitorTraceExporter({

- connectionString: "<Your Connection String>",

- });

- const otlpExporter = new OTLPTraceExporter();

- provider.addSpanProcessor(new SimpleSpanProcessor(azureMonitorExporter));

- provider.addSpanProcessor(new SimpleSpanProcessor(otlpExporter));

- provider.register();

- ```

-#### [Python](#tab/python)

-1. Install the [azure-monitor-opentelemetry-exporter](https://pypi.org/project/azure-monitor-opentelemetry-exporter/) and [opentelemetry-exporter-otlp](https://pypi.org/project/opentelemetry-exporter-otlp/) packages.

-1. Add the following code snippet. This example assumes you have an OpenTelemetry Collector with an OTLP receiver running. For details, see this [README](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/monitor/azure-monitor-opentelemetry-exporter/samples/traces#collector).

-

- ```python

- from azure.monitor.opentelemetry import configure_azure_monitor

- from opentelemetry import trace

- from opentelemetry.exporter.otlp.proto.grpc.trace_exporter import OTLPSpanExporter

- from opentelemetry.sdk.trace import TracerProvider

- from opentelemetry.sdk.trace.export import BatchSpanProcessor

- configure_azure_monitor(

- connection_string="<your-connection-string>",

- )

- tracer = trace.get_tracer(__name__)

-

- exporter = AzureMonitorTraceExporter(connection_string="<your-connection-string>")

- otlp_exporter = OTLPSpanExporter(endpoint="http://localhost:4317")

- span_processor = BatchSpanProcessor(otlp_exporter)

- trace.get_tracer_provider().add_span_processor(span_processor)

-

- with tracer.start_as_current_span("test"):

- print("Hello world!")

- ```

-## Configuration

-### Offline Storage and Automatic Retries

-To improve reliability and resiliency, Azure Monitor OpenTelemetry-based offerings write to offline/local storage by default when an application loses its connection with Application Insights. It saves the application telemetry to disk and periodically tries to send it again for up to 48 hours. In addition to exceeding the allowable time, telemetry will occasionally be dropped in high-load applications when the maximum file size is exceeded or the SDK doesn't have an opportunity to clear out the file. If we need to choose, the product will save more recent events over old ones. [Learn More](data-retention-privacy.md#does-the-sdk-create-temporary-local-storage)

-#### [.NET](#tab/net)

-By default, the AzureMonitorExporter uses one of the following locations for offline storage (listed in order of precedence):

- - %LOCALAPPDATA%\Microsoft\AzureMonitor

- - %TEMP%\Microsoft\AzureMonitor

- - %TMPDIR%/Microsoft/AzureMonitor

- - /var/tmp/Microsoft/AzureMonitor

- - /tmp/Microsoft/AzureMonitor

-To override the default directory, you should set `AzureMonitorExporterOptions.StorageDirectory`.

-For example:

-```csharp

-var tracerProvider = Sdk.CreateTracerProviderBuilder()

- .AddAzureMonitorTraceExporter(o => {

- o.ConnectionString = "<Your Connection String>";

- o.StorageDirectory = "C:\\SomeDirectory";

- })

- .Build();

-```

-To disable this feature, you should set `AzureMonitorExporterOptions.DisableOfflineStorage = true`.

-#### [Java](#tab/java)

-Configuring Offline Storage and Automatic Retries is not available in Java.

-For a full list of available configurations, see [Configuration options](./java-standalone-config.md).

-#### [Node.js](#tab/nodejs)

-By default, the AzureMonitorExporter uses one of the following locations for offline storage.

- - %TEMP%\Microsoft\AzureMonitor

- - %TMPDIR%/Microsoft/AzureMonitor

- - /var/tmp/Microsoft/AzureMonitor

-To override the default directory, you should set `storageDirectory`.

-For example:

-```javascript

-const exporter = new AzureMonitorTraceExporter({

- connectionString: "<Your Connection String>",

- storageDirectory: "C:\\SomeDirectory",

- disableOfflineStorage: false

-});

-```

-To disable this feature, you should set `disableOfflineStorage = true`.

-#### [Python](#tab/python)

-By default, the Azure Monitor exporters will use the following path:

-`<tempfile.gettempdir()>/Microsoft/AzureMonitor/opentelemetry-python-<your-instrumentation-key>`

-To override the default directory, you should set `storage_directory` to the directory you want.

-For example:

-```python

-...

-configure_azure_monitor(

- connection_string="your-connection-string",

- storage_directory="C:\\SomeDirectory",

-)

-...

-```

-To disable this feature, you should set `disable_offline_storage` to `True`. Defaults to `False`.

-For example:

-```python

-...

-configure_azure_monitor(

- connection_string="your-connection-string",

- disable_offline_storage=True,

-)

-...

-```

-## Troubleshooting

-This section provides help with troubleshooting.

-### Enable diagnostic logging

-#### [.NET](#tab/net)

-The Azure Monitor Exporter uses EventSource for its own internal logging. The exporter logs are available to any EventListener by opting into the source named OpenTelemetry-AzureMonitor-Exporter. For troubleshooting steps, see [OpenTelemetry Troubleshooting](https://github.com/open-telemetry/opentelemetry-dotnet/tree/main/src/OpenTelemetry#troubleshooting).

-#### [Java](#tab/java)

-Diagnostic logging is enabled by default. For more information, see the dedicated [troubleshooting article](java-standalone-troubleshoot.md).

-#### [Node.js](#tab/nodejs)

-Azure Monitor Exporter uses the OpenTelemetry API Logger for internal logs. To enable it, use the following code:

-```javascript

-const { diag, DiagConsoleLogger, DiagLogLevel } = require("@opentelemetry/api");

-const { NodeTracerProvider } = require("@opentelemetry/sdk-trace-node");

-const provider = new NodeTracerProvider();

-diag.setLogger(new DiagConsoleLogger(), DiagLogLevel.ALL);

-provider.register();

-```

-#### [Python](#tab/python)

-The Azure Monitor Exporter uses the Python standard logging [library](https://docs.python.org/3/library/logging.html) for its own internal logging. OpenTelemetry API and Azure Monitor Exporter logs are logged at the severity level of WARNING or ERROR for irregular activity. The INFO severity level is used for regular or successful activity. By default, the Python logging library sets the severity level to WARNING, so you must change the severity level to see logs under this severity setting. The following example shows how to output logs of *all* severity levels to the console *and* a file:

-```python

-...

-import logging

-logging.basicConfig(format="%(asctime)s:%(levelname)s:%(message)s", level=logging.DEBUG)

-logger = logging.getLogger(__name__)

-file = logging.FileHandler("example.log")

-stream = logging.StreamHandler()

-logger.addHandler(file)

-logger.addHandler(stream)

-...

-```

-### Known issues

-Known issues for the Azure Monitor OpenTelemetry Exporters include:

-#### [.NET](#tab/net)

-#### [Java](#tab/java)

-No known issues.

-#### [Node.js](#tab/nodejs)

-#### [Python](#tab/python)

-To get support:

-### [.NET](#tab/net)

-### [.NET](#tab/net)

-Initially, the OpenTelemetry community took on Distributed Tracing. Metrics and Logs are still in progress. A complete observability story includes all three pillars, but currently our [Azure Monitor OpenTelemetry-based exporter preview offerings for .NET, Python, and JavaScript](opentelemetry-enable.md) only include Distributed Tracing.

-Manual instrumentation is coding against the OpenTelemetry API. In the context of a user, it typically refers to installing a language-specific SDK in an application. Manual instrumentation packages consist of [Azure Monitor OpenTelemetry-based exporter preview offerings for .NET, Python, and JavaScript](opentelemetry-enable.md).

-> A subset of OpenTelemetry instrumentation libraries will be supported by Azure Monitor, informed by customer feedback. We're also working to [instrument the most popular Azure Service SDKs using OpenTelemetry](https://devblogs.microsoft.com/azure-sdk/introducing-experimental-opentelemetry-support-in-the-azure-sdk-for-net/).

-Auto-instrumentation enables telemetry collection through configuration without touching the application's code. Although it's more convenient, it tends to be less configurable. It's also not available in all languages. The Azure Monitor OpenTelemetry-based auto-instrumentation offering consists of the [Java 3.X OpenTelemetry-based GA offering](opentelemetry-enable.md?tabs=java). We continue to invest in it informed by customer feedback. The OpenTelemetry community is also experimenting with C# and Python auto-instrumentation, but Azure Monitor is focused on creating a simple and effective manual instrumentation story in the near term.

-*All currently supported OpenTelemetry-based offerings in Azure Monitor use a direct exporter*.

-> Some customers have begun to use the [OpenTelemetry-Collector](https://github.com/open-telemetry/opentelemetry-collector/blob/main/docs/design.md) as an agent alternative even though Microsoft doesn't officially support the "via an agent" approach for application monitoring yet. In the meantime, the open-source community has contributed an OpenTelemetry-Collector Azure Monitor exporter that some customers are using to send data to Azure Monitor Application Insights.

-The following websites consist of language-by-language guidance to enable and configure Microsoft's OpenTelemetry-based offerings. The available functionality and limitations of each offering are explained so that you can determine whether OpenTelemetry is right for your project.

-Container insights can also scrape Prometheus metrics from your cluster and send the data to either Azure Monitor Logs or to Azure Monitor managed service for Prometheus. This requires exposing the Prometheus metrics endpoint through your exporters or pods and then configuring one of the addons for the Azure Monitor agent used by Container insights as shown the following diagram.

-See [Collect Prometheus metrics from AKS cluster (preview)](../essentials/prometheus-metrics-enable.md) for details on [verifying your deployment](../essentials/prometheus-metrics-enable.md#verify-deployment) and [limitations](../essentials/prometheus-metrics-enable.md#limitations)

-### Prometheus scraping settings

-Active scraping of metrics from Prometheus is performed from one of two perspectives:

-### Configure ConfigMaps

- 1. In the ConfigMap, specify the following configuration:

- 1. Specify the following configuration for pod annotations:

-> When you create an Azure Monitor workspace, by default a data collection rule and a data collection endpoint in the form `<azure-workspace-name>` will automatically be created in a resource group in the form `MA_<azure-workspace-name>_<location>_managed`.

-When you create an Azure Monitor workspace, a new resource group is created. The resource group name has the following format: `MA_<azure monitor workspace resource name>_<location code>_managed`, where the tokenized elements are in lower case. The resource group contains a data collection endpoint, and a data collection rule with the same name as the workspace. The resource group and its resources are automatically deleted when you delete the workspace.

-When you delete an Azure Monitor workspace, no soft-delete operation is performed like with a [Log Analytics workspace](../logs/delete-workspace.md). The data in the workspace is immediately deleted, and there's no recovery option.

-To delete an AzureMonitor workspace use [az resource delete](https://learn.microsoft.com/cli/azure/resource#az-resource-delete)

-> When you add the Azure Monitor workspace as a data source to Grafana, it will be listed in form `Managed_Prometheus_<azure-workspace-name>`.

-az aks update --enable-azuremonitormetrics -n <cluster-name> -g <cluster-resource-group> --azure-monitor-workspace-resource-id

-<azure-monitor-workspace-name-resource-id> --grafana-resource-id <grafana-workspace-name-resource-id>

-If your cluster is already configured to send data to an Azure Monitor managed service for Prometheus, disable it first using the following command:

-az aks update --disable-azuremonitormetrics -g <cluster-resource-group> -n <cluster-name>

-If your Grafana Instance is self managed, see [Use Azure Monitor managed service for Prometheus (preview) as data source for self-managed Grafana using managed system identity](./prometheus-self-managed-grafana-azure-active-directory.md)

-> Log Analytics workspaces contain logs and metrics data from multiple Azure resources, whereas Azure Monitor workspaces contain only metrics related to Prometheus.

-|Segregate by logical boundaries |Create separate Azure Monitor workspaces for operational data based on logical boundaries, for example, a role, application type, type of metric etc.|

-|Data ownership |Create separate Azure Monitor workspaces to define data ownership, for example by subsidiaries or affiliated companies.|

-* Azure Monitor workspaces are regional. When you create a new Azure Monitor workspace, you provide a region, setting the location in which the data is stored.

-* There's no reduction in performance due to the amount of data in your Azure Monitor workspace. Multiple services can send data to the same account simultaneously. There is, however, a limit on how large an Azure Monitor workspace can scale as explained below.

-Azure Monitor workspaces have default quotas and limitations for metrics. As your product grows and you need more metrics, you can request an increase to 50 million events or active time series. If your capacity needs grow exceptionally large, and your data ingestion needs can no longer be met by a single Azure Monitor workspace, consider creating multiple Azure Monitor workspaces.

-When an Azure Monitor workspace reaches 80% of its maximum capacity, or depending on your current and forecasted metrics volume, it's recommended to split the Azure Monitor workspace into multiple workspaces. Split the workspace based on how the data in the workspace is used by your applications and business processes, and how you want to access that data in the future.

-In certain circumstances, splitting Azure Monitor workspace into multiple workspaces can be necessary. For example:

-* Monitoring data in sovereign clouds ΓÇô Create Azure Monitor workspace(s) in each sovereign cloud.

-* Compliance or regulatory requirements that mandate storage of data in specific regions ΓÇô Create an Azure Monitor workspace per region as per requirements. There may be a need to manage the scale of metrics for large services or financial institutions with regional accounts.

-* Separating metric data in test, pre-production, and production environments

-> A single query cannot access multiple Azure Monitor workspaces. Keep data that you want to retrieve in a single query in same workspace. For presentation purposes, setting up Grafana with each workspace as a dedicated data source will allow for querying multiple workspaces in a single Grafana panel.

-Date list was last updated: 04/13/2023.

-<!--Gen Date: Thu Apr 13 2023 22:24:40 GMT+0300 (Israel Daylight Time)-->

-Azure Monitor managed service for Prometheus (preview), collects metrics from Azure Kubernetes Clusters and stores them in an Azure Monitor workspace. PromQL - Prometheus query language, is a functional query language that allows you to query and aggregate time series data. Use PromQL to query and aggregate metrics stored in an Azure Monitor workspace.

-+ An Azure Kubernetes Cluster or remote Kubernetes cluster.

-+ Azure Monitor managed service for Prometheus (preview) scraping metrics from a Kubernetes cluster

-+ An Azure Monitor Workspace where Prometheus metrics are being stored.

-The API supports Azure Active Directory authentication using Client credentials. Register a client app with Azure Active Directory and request a token.

-Assign the *Monitoring Data Reader* role your app so it can query data from your Azure Monitor workspace.

-You've created your App registration and have assigned it access to query data from your Azure Monitor workspace. You can now generate a token and use it in a query.

-Find your workspace's query endpoint on the Azure Monitor workspace overview page.

-+ Query must be scoped to metric

- + /query_range API supports a time range of 32 days. This is the maximum time range allowed including range selectors specified in the query itself.

- For example, the query `rate(http_requests_total[1h]` for last 24 hours would actually mean data is being queried for 25 hours. A 24 hours range + 1 hour specified in query itself.

- Start time and end time provided with `/labels` and `/label/__name__/values` are ignored, and all retained data in the Azure Monitor Workspace is queried.

-For information on using Grafana with Active Directory, see [Configure self-managed Grafana to use Azure-managed Prometheus with Azure Active Directory](./prometheus-self-managed-grafana-azure-active-directory.md).

-Both of these settings are configured by default when you created your Grafana workspace. Verify these settings on the **Identity** page for your Grafana workspace.

-This article describes how to configure your Azure Kubernetes Service (AKS) cluster to send data to Azure Monitor managed service for Prometheus. When you configure your AKS cluster to send data to Azure Monitor managed service for Prometheus, a containerized version of the [Azure Monitor agent](../agents/agents-overview.md) is installed with a metrics extension. Then you specify the Azure Monitor workspace where the data should be sent.

-> The process described here doesn't enable [Container insights](../containers/container-insights-overview.md) on the cluster even though the Azure Monitor agent installed in this process is the same one used by Container insights.

-If no Azure Monitor workspace is specified, a default Azure Monitor workspace is created in the `DefaultRG-<cluster_region>` following the format `DefaultAzureMonitorWorkspace-<mapped_region>`.

-This Azure Monitor workspace is in the region specified in [Region mappings](#region-mappings).

-If the Azure Monitor workspace is linked to one or more Grafana workspaces, the data is available in Grafana.

-If you're using an existing Azure Managed Grafana instance that's already linked to an Azure Monitor workspace, you need the list of Grafana integrations. Copy the value of the `azureMonitorWorkspaceIntegrations` field. If it doesn't exist, the instance hasn't been linked with any Azure Monitor workspace.

-### Minor limitation with Bicep deployment

-Currently in Bicep, there's no way to explicitly "scope" the Monitoring Data Reader role assignment on a string parameter "resource ID" for an Azure Monitor workspace (like in an ARM template). Bicep expects a value of type `resource | tenant`. Currently, there's no REST API [spec](https://github.com/Azure/azure-rest-api-specs) for an Azure Monitor workspace.

-As a workaround, the default scoping for the Monitoring Data Reader role is on the resource group. The role is applied on the same Azure Monitor workspace (by inheritance), which is the expected behavior. After you deploy this Bicep template, the Grafana resource gets read permissions in all the Azure Monitor workspaces under the subscription.

-If you're using an existing Azure Managed Grafana instance that's already linked to an Azure Monitor workspace, you need the list of Grafana integrations. Copy the value of the `azureMonitorWorkspaceIntegrations` field. If it doesn't exist, the instance hasn't been linked with any Azure Monitor workspace.

-1. Download the main Bicep template from [this GitHub file](https://aka.ms/azureprometheus-enable-bicep-template). Save it as **FullAzureMonitorMetricsProfile.bicep**.

-1. Download the parameter file from [this GitHub file](https://aka.ms/azureprometheus-enable-bicep-template-parameters) and save it as **FullAzureMonitorMetricsProfileParameters.json** in the same directory as the main Bicep template.

-1. Download the [nested_azuremonitormetrics_dcra_clusterResourceId.bicep](https://aka.ms/nested_azuremonitormetrics_dcra_clusterResourceId) and [nested_azuremonitormetrics_profile_clusterResourceId.bicep](https://aka.ms/nested_azuremonitormetrics_profile_clusterResourceId) files in the same directory as the main Bicep template.

-1. Edit the values in the parameter file.

-1. The main Bicep template creates all the required resources. It uses two modules for creating the Data Collection Rule Associations (DCRA) and Azure Monitor metrics profile resources from the other two Bicep files.

-If you're using an existing Azure Managed Grafana instance that's already linked to an Azure Monitor workspace, you need the list of Grafana integrations. Copy the value of the `azureMonitorWorkspaceIntegrations` field. If it doesn't exist, the instance hasn't been linked with any Azure Monitor workspace. Update the azure_monitor_workspace_integrations block(shown below) in main.tf with the list of grafana integrations.

-If you are deploying a new AKS cluster using Terraform with managed Prometheus addon enabled, follow the steps below.

-1. Please download all files under [AddonTerraformTemplate](https://aka.ms/AAkm357).

-**NOTE**

-1. Download the main Azure Policy rules template from [this GitHub file](https://aka.ms/AddonPolicyMetricsProfile). Save it as **AddonPolicyMetricsProfile.rules.json**.

-1. Download the parameter file from [this GitHub file](https://aka.ms/AddonPolicyMetricsProfile.parameters). Save it as **AddonPolicyMetricsProfile.parameters.json** in the same directory as the rules template.

-1. Create the policy definition by using a command like: <br> `az policy definition create --name "(Preview) Prometheus Metrics addon" --display-name "(Preview) Prometheus Metrics addon" --mode Indexed --metadata version=1.0.0 category=Kubernetes --rules .\AddonPolicyMetricsProfile.rules.json --params .\AddonPolicyMetricsProfile.parameters.json`

-1. Now that the policy is assigned to the subscription, whenever you create a new cluster, which doesn't have Prometheus enabled, the policy runs and deploys the resources. If you want to apply the policy to an existing AKS cluster, create a **Remediation task** for that AKS cluster resource after you go to the **Policy Assignment**.

-1. Now you should see metrics flowing in the existing linked Grafana resource, which is linked with the corresponding Azure Monitor workspace.

-In case you create a new Managed Grafana resource from the Azure portal, link it with the corresponding Azure Monitor workspace from the **Linked Grafana Workspaces** tab of the relevant **Azure Monitor Workspace** page. Assign the Monitoring Data Reader role to the Grafana MSI on the Azure Monitor workspace resource so that it can read data for displaying the charts. Use the following instructions.

-### Limitations

-1. Enable the recording rules required for the default dashboards:

- * For the CLI, include the option `--enable-windows-recording-rules`.

- * For an ARM template, Bicep, or Azure Policy, set `enableWindowsRecordingRules` to `true` in the parameters file.

- If the cluster is already onboarded to Azure Monitor metrics, to enable Windows recording rule groups, use this [ARM template](https://github.com/Azure/prometheus-collector/blob/kaveesh/windows_recording_rules/AddonArmTemplate/WindowsRecordingRuleGroupTemplate/WindowsRecordingRules.json) and [parameters](https://github.com/Azure/prometheus-collector/blob/kaveesh/windows_recording_rules/AddonArmTemplate/WindowsRecordingRuleGroupTemplate/WindowsRecordingRulesParameters.json) file to create the rule groups.

- The number of pods should be equal to the number of nodes on the cluster. The output should resemble the following example:

- The output should resemble the following example:

-1. Run the following command to verify that the ReplicaSets were deployed properly:

-## Feature support

-## Limitations

-1. Use the following command to remove the agent from the cluster nodes and delete the recording rules created for the data being collected from the cluster, along with the DCRA that links the data collection endpoint or data collection rule with your cluster. This action doesn't remove the data collection endpoint, data collection rule, or the data already collected and stored in your Azure Monitor workspace.

-## Region mappings

-When you allow a default Azure Monitor workspace to be created when you install the metrics add-on, it's created in the region listed in the following table.

-| AKS cluster region | Azure Monitor workspace region |

-|--||

-|australiacentral |eastus|

-|australiacentral2 |eastus|

-|australiaeast |eastus|

-|australiasoutheast |eastus|

-|brazilsouth |eastus|

-|canadacentral |eastus|

-|canadaeast |eastus|

-|centralus |centralus|

-|centralindia |centralindia|

-|eastasia |westeurope|

-|eastus |eastus|

-|eastus2 |eastus2|

-|francecentral |westeurope|

-|francesouth |westeurope|

-|japaneast |eastus|

-|japanwest |eastus|

-|koreacentral |westeurope|

-|koreasouth |westeurope|

-|northcentralus |eastus|

-|northeurope |westeurope|

-|southafricanorth |westeurope|

-|southafricawest |westeurope|

-|southcentralus |eastus|

-|southeastasia |westeurope|

-|southindia |centralindia|

-|uksouth |westeurope|

-|ukwest |westeurope|

-|westcentralus |eastus|

-|westeurope |westeurope|

-|westindia |centralindia|

-|westus |westus|

-|westus2 |westus2|

-|westus3 |westus|

-|norwayeast |westeurope|

-|norwaywest |westeurope|

-|switzerlandnorth |westeurope|

-|switzerlandwest |westeurope|

-|uaenorth |westeurope|

-|germanywestcentral |westeurope|

-|germanynorth |westeurope|

-|uaecentral |westeurope|

-|eastus2euap |eastus2euap|

-|centraluseuap |westeurope|

-|brazilsoutheast |eastus|

-|jioindiacentral |centralindia|

-|swedencentral |westeurope|

-|swedensouth |westeurope|

-|qatarcentral |westeurope|

-Routing metrics to more Azure Monitor Workspaces can be done through the creation of additional data collection rules. All metrics can be sent to all workspaces or different metrics can be sent to different workspaces.

-You can create multiple Data Collection Rules that point to the same Data Collection Endpoint for metrics to be sent to additional Azure Monitor Workspaces from the same Kubernetes cluster. In case you have a very high volume of metrics, a new Data Collection Endpoint can be created as well. Please refer to the service limits [document](../service-limits.md) regarding ingestion limits. Currently, this is only available through onboarding through Resource Manager templates. You can follow the [regular onboarding process](prometheus-metrics-enable.md) and then edit the same Resource Manager templates to add additional DCRs and DCEs(if applicable) for your additional Azure Monitor Workspaces. You'll need to edit the template to add an additional parameters for every additional Azure Monitor workspace, add another DCR for every additional Azure Monitor workspace, add another DCE (if applicable), add the Monitor Reader Role for the new Azure Monitor Workspace and add an additional Azure Monitor workspace integration for Grafana.

-If you want to send some metrics to one Azure Monitor Workspace and other metrics to a different one, follow the above steps to add additional DCRs. The value of `microsoft_metrics_include_label` under the `labelIncludeFilter` in the DCR is the identifier for the workspace. To then configure which metrics are routed to which workspace, you can add an extra pre-defined label, `microsoft_metrics_account` to the metrics. The value should be the same as the corresponding `microsoft_metrics_include_label` in the DCR for that workspace. To add the label to the metrics, you can utilize `relabel_configs` in your scrape config. To send all metrics from one job to a certain workspace, add the following relabel config:

-Azure Monitor managed service for Prometheus can currently collect data from any of the following data sources.

-## Limitations

-See [Azure Monitor service limits](../service-limits.md#prometheus-metrics) for performance related service limits for Azure Monitor workspaces.

-description: Describes how the setting for minimal ingestion profile for Prometheus metrics in Azure Monitor is configured and how you can modify it to collect additional data.

-When Prometheus metric scraping is enabled for a cluster in Container insights, it collects a minimal amount of data by default. This helps reduce ingestion volume of series/metrics used by default dashboards, default recording rules & default alerts. This article describes how this setting is configured and how you can modify it to collect additional data.

-The setting `default-targets-metrics-keep-list.minimalIngestionProfile="true"` is enabled by default on the metrics addon. You can specify this setting in [ama-metrics-settings-configmap](https://aka.ms/azureprometheus-addon-settings-configmap) under default-targets-metrics-keep-list section.

-This is the default behavior with the setting `default-targets-metrics-keep-list.minimalIngestionProfile="true"`. Only series and metrics listed below will be ingested for each of the default targets.

-**Ingest a few additional metrics for one or more default targets in addition to minimal metrics.**<br>

-Keep ` minimalIngestionProfile="true"` and specify the appropriate `keeplistRegexes.*` specific to the target, for example `keeplistRegexes.coreDns="X|Y"`. X,Y will be merged with default metric list for the target and then ingested. |

-Set `minimalIngestionProfile="false"` and specify the appropriate `default-targets-metrics-keep-list.="X|Y"` specific to the target in the `ama-metrics-settings-configmap`.

-Set `minimalIngestionProfile="false"` and don't specify any `default-targets-metrics-keep-list.<targetname>` for that target. This can increase metric ingestion volume by a factor per target.

-> `up` metric is not part of the allow/keep list because it will be ingested per scrape, per target, regardless of `keepLists` specified. This metric is not actually scraped but produced as result of scrape by the metrics addon. For histograms and summaries, each series has to be included explicitly in the list (`*bucket`, `*sum`, `*count`).

-### Minimal ingestion for ON targets

-The following metrics are allow-listed with `minimalingestionprofile=true` for default ON targets. These metrics will be collected by default as these targets are scraped by default.

-`default-targets-metrics-keep-list.kubelet` = `"kubelet_volume_stats_used_bytes|kubelet_node_name|kubelet_running_pods|kubelet_running_pod_count|kubelet_running_containers|kubelet_running_container_count|volume_manager_total_volumes|kubelet_node_config_error|kubelet_runtime_operations_total|kubelet_runtime_operations_errors_total|kubelet_runtime_operations_duration_seconds|kubelet_runtime_operations_duration_seconds_bucket|kubelet_runtime_operations_duration_seconds_sum|kubelet_runtime_operations_duration_seconds_count|kubelet_pod_start_duration_seconds|kubelet_pod_start_duration_seconds_bucket|kubelet_pod_start_duration_seconds_sum|kubelet_pod_start_duration_seconds_count|kubelet_pod_worker_duration_seconds|kubelet_pod_worker_duration_seconds_bucket|kubelet_pod_worker_duration_seconds_sum|kubelet_pod_worker_duration_seconds_count|storage_operation_duration_seconds|storage_operation_duration_seconds_bucket|storage_operation_duration_seconds_sum|storage_operation_duration_seconds_count|storage_operation_errors_total|kubelet_cgroup_manager_duration_seconds|kubelet_cgroup_manager_duration_seconds_bucket|kubelet_cgroup_manager_duration_seconds_sum|kubelet_cgroup_manager_duration_seconds_count|kubelet_pleg_relist_duration_seconds|kubelet_pleg_relist_duration_seconds_bucket|kubelet_pleg_relist_duration_sum|kubelet_pleg_relist_duration_seconds_count|kubelet_pleg_relist_interval_seconds|kubelet_pleg_relist_interval_seconds_bucket|kubelet_pleg_relist_interval_seconds_sum|kubelet_pleg_relist_interval_seconds_count|rest_client_requests_total|rest_client_request_duration_seconds|rest_client_request_duration_seconds_bucket|rest_client_request_duration_seconds_sum|rest_client_request_duration_seconds_count|process_resident_memory_bytes|process_cpu_seconds_total|go_goroutines|kubelet_volume_stats_capacity_bytes|kubelet_volume_stats_available_bytes|kubelet_volume_stats_inodes_used|kubelet_volume_stats_inodes|kubernetes_build_info"`

-`default-targets-metrics-keep-list.cadvisor` = `"container_spec_cpu_period|container_spec_cpu_quota|container_cpu_usage_seconds_total|container_memory_rss|container_network_receive_bytes_total|container_network_transmit_bytes_total|container_network_receive_packets_total|container_network_transmit_packets_total|container_network_receive_packets_dropped_total|container_network_transmit_packets_dropped_total|container_fs_reads_total|container_fs_writes_total|container_fs_reads_bytes_total|container_fs_writes_bytes_total|container_memory_working_set_bytes|container_memory_cache|container_memory_swap|container_cpu_cfs_throttled_periods_total|container_cpu_cfs_periods_total|container_memory_usage_bytes|kubernetes_build_info"`

-`default-targets-metrics-keep-list.kubestate` = `"kube_node_status_capacity|kube_job_status_succeeded|kube_job_spec_completions|kube_daemonset_status_desired_number_scheduled|kube_daemonset_status_number_ready|kube_deployment_spec_replicas|kube_deployment_status_replicas_ready|kube_pod_container_status_last_terminated_reason|kube_node_status_condition|kube_pod_container_status_restarts_total|kube_pod_container_resource_requests|kube_pod_status_phase|kube_pod_container_resource_limits|kube_node_status_allocatable|kube_pod_info|kube_pod_owner|kube_resourcequota|kube_statefulset_replicas|kube_statefulset_status_replicas|kube_statefulset_status_replicas_ready|kube_statefulset_status_replicas_current|kube_statefulset_status_replicas_updated|kube_namespace_status_phase|kube_node_info|kube_statefulset_metadata_generation|kube_pod_labels|kube_pod_annotations|kube_horizontalpodautoscaler_status_current_replicas|kube_horizontalpodautoscaler_spec_max_replicas|kube_node_status_condition|kube_node_spec_taint|kube_pod_container_status_waiting_reason|kube_job_failed|kube_job_status_start_time|kube_deployment_spec_replicas|kube_deployment_status_replicas_available|kube_deployment_status_replicas_updated|kube_replicaset_owner|kubernetes_build_info"`

-`default-targets-metrics-keep-list.nodeexporter` = `"node_cpu_seconds_total|node_memory_MemAvailable_bytes|node_memory_Buffers_bytes|node_memory_Cached_bytes|node_memory_MemFree_bytes|node_memory_Slab_bytes|node_memory_MemTotal_bytes|node_netstat_Tcp_RetransSegs|node_netstat_Tcp_OutSegs|node_netstat_TcpExt_TCPSynRetrans|node_load1|node_load5|node_load15|node_disk_read_bytes_total|node_disk_written_bytes_total|node_disk_io_time_seconds_total|node_filesystem_size_bytes|node_filesystem_avail_bytes|node_network_receive_bytes_total|node_network_transmit_bytes_total|node_vmstat_pgmajfault|node_network_receive_drop_total|node_network_transmit_drop_total|node_disk_io_time_weighted_seconds_total|node_exporter_build_info|node_time_seconds|node_uname_info"`

-### Minimal ingestion for OFF targets

-The following metrics that are allow-listed with `minimalingestionprofile=true` for default OFF targets. These metrics won't be collected by default as these targets aren't scraped by default. You turn them on using `default-targets-metrics-keep-list.<target-name>=true`'.

-`default-targets-metrics-keep-list.coredns` = `"coredns_build_info|coredns_panics_total|coredns_dns_responses_total|coredns_forward_responses_total|coredns_dns_request_duration_seconds|coredns_dns_request_duration_seconds_bucket|coredns_dns_request_duration_seconds_sum|coredns_dns_request_duration_seconds_count|coredns_forward_request_duration_seconds|coredns_forward_request_duration_seconds_bucket|coredns_forward_request_duration_seconds_sum|coredns_forward_request_duration_seconds_count|coredns_dns_requests_total|coredns_forward_requests_total|coredns_cache_hits_total|coredns_cache_misses_total|coredns_cache_entries|coredns_plugin_enabled|coredns_dns_request_size_bytes|coredns_dns_request_size_bytes_bucket|coredns_dns_request_size_bytes_sum|coredns_dns_request_size_bytes_count|coredns_dns_response_size_bytes|coredns_dns_response_size_bytes_bucket|coredns_dns_response_size_bytes_sum|coredns_dns_response_size_bytes_count|coredns_dns_response_size_bytes_bucket|coredns_dns_response_size_bytes_sum|coredns_dns_response_size_bytes_count|process_resident_memory_bytes|process_cpu_seconds_total|go_goroutines|kubernetes_build_info"`

-`default-targets-metrics-keep-list.kubeproxy` = `"kubeproxy_sync_proxy_rules_duration_seconds|kubeproxy_sync_proxy_rules_duration_seconds_bucket|kubeproxy_sync_proxy_rules_duration_seconds_sum|kubeproxy_sync_proxy_rules_duration_seconds_count|kubeproxy_network_programming_duration_seconds|kubeproxy_network_programming_duration_seconds_bucket|kubeproxy_network_programming_duration_seconds_sum|kubeproxy_network_programming_duration_seconds_count|rest_client_requests_total|rest_client_request_duration_seconds|rest_client_request_duration_seconds_bucket|rest_client_request_duration_seconds_sum|rest_client_request_duration_seconds_count|process_resident_memory_bytes|process_cpu_seconds_total|go_goroutines|kubernetes_build_info"`

-`default-targets-metrics-keep-list.apiserver` = `"apiserver_request_duration_seconds|apiserver_request_duration_seconds_bucket|apiserver_request_duration_seconds_sum|apiserver_request_duration_seconds_count|apiserver_request_total|workqueue_adds_total|workqueue_depth|workqueue_queue_duration_seconds|workqueue_queue_duration_seconds_bucket|workqueue_queue_duration_seconds_sum|workqueue_queue_duration_seconds_count|process_resident_memory_bytes|process_cpu_seconds_total|go_goroutines|kubernetes_build_info"`

-# Customize scraping of Prometheus metrics in Azure Monitor (preview)

-This article provides instructions on customizing metrics scraping for a Kubernetes cluster with the [metrics add-on](prometheus-metrics-enable.md) in Azure Monitor.

-Three different configmaps can be configured to change the default settings of the metrics add-on:

-The [ama-metrics-settings-configmap](https://github.com/Azure/prometheus-collector/blob/main/otelcollector/configmaps/ama-metrics-settings-configmap.yaml) can be downloaded, edited, and applied to the cluster to customize the out-of-the-box features of the metrics add-on.

-The following table has a list of all the default targets that the Azure Monitor metrics add-on can scrape by default and whether it's initially enabled. Default targets are scraped every 30 seconds.

-| Key | Type | Enabled | Description |

-|--||-|-|

-| kubelet | bool | `true` | Scrape kubelet in every node in the K8s cluster without any extra scrape config. |

-| cadvisor | bool | `true` | Scrape cadvisor in every node in the K8s cluster without any extra scrape config.<br>Linux only. |

-| kubestate | bool | `true` | Scrape kube-state-metrics in the K8s cluster (installed as a part of the add-on) without any extra scrape config. |

-| nodeexporter | bool | `true` | Scrape node metrics without any extra scrape config.<br>Linux only. |

-| coredns | bool | `false` | Scrape coredns service in the K8s cluster without any extra scrape config. |

-| kubeproxy | bool | `false` | Scrape kube-proxy in every Linux node discovered in the K8s cluster without any extra scrape config.<br>Linux only. |

-| apiserver | bool | `false` | Scrape the Kubernetes API server in the K8s cluster without any extra scrape config. |

-| windowsexporter | bool | `false` | Scrape windows-exporter in every node in the K8s cluster without any extra scrape config.<br>Windows only. |

-| windowskubeproxy | bool | `false` | Scrape windows-kube-proxy in every node in the K8s cluster without any extra scrape config.<br>Windows only. |

-| prometheuscollectorhealth | bool | `false` | Scrape information about the prometheus-collector container, such as the amount and size of time series scraped. |

-By default, for all the default targets, only minimal metrics used in the default recording rules, alerts, and Grafana dashboards are ingested as described in [minimal-ingestion-profile](prometheus-metrics-scrape-configuration-minimal.md). To collect all metrics from default targets, in the configmap under `default-targets-metrics-keep-list`, set `minimalingestionprofile` to `false`.

-To filter in more metrics for any default targets, edit the settings under `default-targets-metrics-keep-list` for the corresponding job you want to change.

-The cluster label appended to every time series scraped uses the last part of the full AKS cluster's Azure Resource Manager resource ID. For example, if the resource ID is `/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-name/providers/Microsoft.ContainerService/managedClusters/clustername`, the cluster label is `clustername`.

-To override the cluster label in the time series scraped, update the setting `cluster_alias` to any string under `prometheus-collector-settings` in the [configmap](https://aka.ms/azureprometheus-addon-settings-configmap) `ama-metrics-settings-configmap`. You can either create this configmap or edit an existing one.

-To update the scrape interval settings for any target, you can update the duration in the setting `default-targets-scrape-interval-settings` for that target in the [configmap](https://aka.ms/azureprometheus-addon-settings-configmap) `ama-metrics-settings-configmap`. You have to set the scrape intervals in the correct format specified in [this website](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#configuration-file). Otherwise, the default value of 30 seconds is applied to the corresponding targets.

-The `ama-metrics` ReplicaSet pod consumes the custom Prometheus config and scrapes the specified targets. For a cluster with a large number of nodes and pods and a large volume of metrics to scrape, some of the applicable custom scrape targets can be off-loaded from the single `ama-metrics` ReplicaSet pod to the `ama-metrics` DaemonSet pod.

-The [ama-metrics-prometheus-config-node configmap](https://aka.ms/azureprometheus-addon-ds-configmap), similar to the regular configmap, can be created to have static scrape configs on each node. The scrape config should only target a single node and shouldn't use service discovery. Otherwise, each node tries to scrape all targets and makes many calls to the Kubernetes API server.

-The following `node-exporter` config is one of the default targets for the DaemonSet pods. It uses the `$NODE_IP` environment variable, which is already set for every `ama-metrics` add-on container to target a specific port on the node.

- - job_name: node

-See the [Apply config file](prometheus-metrics-scrape-validate.md#apply-config-file) section to create a configmap from the Prometheus config.

-If you're currently using Azure Monitor Container insights Prometheus scraping with the setting `monitor_kubernetes_pods = true`, adding this job to your custom config allows you to scrape the same pods and metrics.

- - job_name: 'kubernetes-pods'

-See the [Apply config file](prometheus-metrics-scrape-validate.md#apply-config-file) section to create a configmap from the Prometheus config.

-## Targets scraped

- - `container_fs_writes_bytes_total`

- - `container_cpu_usage_seconds_total`

- - `kubelet_running_sum_containers`

- - `kubelet_runtime_operations_duration_seconds_bucket`

- - `kubelet_runtime_operations_duration_seconds_sum`

- - `kubelet_runtime_operations_duration_seconds_count`

- - `kubelet_pod_start_duration_seconds_bucket`

- - `kubelet_pod_start_duration_seconds_sum`

- - `kubelet_pod_start_duration_seconds_count`

- - `kubelet_pod_worker_duration_seconds_bucket`

- - `kubelet_pod_worker_duration_seconds_sum`

- - `kubelet_pod_worker_duration_seconds_count`

- - `storage_operation_duration_seconds_bucket`

- - `storage_operation_duration_seconds_sum`

- - `storage_operation_duration_seconds_count`

- - `kubelet_cgroup_manager_duration_seconds_bucket`

- - `kubelet_cgroup_manager_duration_seconds_sum`

- - `kubelet_cgroup_manager_duration_seconds_count`

- - `kubelet_pleg_relist_interval_seconds_bucket`

- - `kubelet_pleg_relist_interval_seconds_count`

- - `kubelet_pleg_relist_interval_seconds_sum`

- - `kubelet_pleg_relist_duration_seconds_bucket`

- - `kubelet_pleg_relist_duration_seconds_count`

- - `kubelet_pleg_relist_duration_seconds_sum`

- - `rest_client_request_duration_seconds_bucket`

- - `rest_client_request_duration_seconds_sum`

- - `rest_client_request_duration_seconds_count`

- - `kubernetes_build_info`

- - `node_memory_MemTotal_bytes`

- - `node_filesystem_avail_bytes`

- - `node_time_seconds`

- - `node_exporter_build_info`

- - `node_load1`

- - `node_vmstat_pgmajfault`

- - `node_disk_io_time_seconds_total`

- - `node_load5`

- - `node_load15`

- - `node_disk_read_bytes_total`

- - `node_disk_written_bytes_total`

- - `node_uname_info`

- - `kube_node_status_allocatable`

- - `kube_pod_owner`

- - `kube_pod_info|kube_replicaset_owner`

- - `kube_resourcequota`

- - `kube_namespace_status_phase`

- - `kube_node_status_capacity`

- - `kube_node_info`

- - `kube_deployment_spec_replicas`

- - `kube_deployment_status_replicas_available`

- - `kube_deployment_status_replicas_updated`

- - `kube_statefulset_status_replicas_ready`

- - `kube_job_status_start_time`

- - `kube_job_status_active`

- - `kube_job_failed`

- - `kube_horizontalpodautoscaler_status_desired_replicas`

- - `kubernetes_build_info`

-## Targets scraped for Windows

-> [!NOTE]

-> This requires an update in the ama-metrics-settings-configmap and installing windows-exporter on all Windows node pools. For more information, see the [enablement document](./prometheus-metrics-enable.md#enable-prometheus-metric-collection).

-The following default dashboards are automatically provisioned and configured by Azure Monitor managed service for Prometheus when you [link your Azure Monitor workspace to an Azure Managed Grafana instance](../essentials/azure-monitor-workspace-manage.md#link-a-grafana-workspace). Source code for these dashboards can be found in [this GitHub folder](https://aka.ms/azureprometheus-mixins).

-The following default recording rules are automatically configured by Azure Monitor managed service for Prometheus when you [link your Azure Monitor workspace to an Azure Managed Grafana instance](../essentials/azure-monitor-workspace-manage.md#link-a-grafana-workspace). Source code for these recording rules can be found in [this GitHub folder](https://aka.ms/azureprometheus-mixins).

-The CPU and memory usage is correlated with the number of bytes of each sample and the number of samples scraped. The benchmarks below are based on the [default targets scraped](prometheus-metrics-scrape-default.md), volume of custom metrics scraped, and number of nodes, pods, and containers. These numbers are meant as a reference since usage can still vary significantly depending on the number of timeseries and bytes per metric.

-The upper volume limit per pod is currently about 3-3.5 million samples per minute, depending on the number of bytes per sample. This limitation will be eliminated when sharding is added to the feature.

-The Container insights agent consists of a deployment with one replica and daemonset for scraping metrics. The daemonset scrapes any node-level targets such as cAdvisor, kubelet, and node exporter. You can also configure it to scrape any custom targets at the node level with static configs. The replicaset scrapes everything else such as kube-state-metrics or custom scrape jobs that utilize service discovery.

-## Comparison between small and large cluster for replicaset

-## Comparison between small and large cluster for daemonsets

-For more custom metrics, the single pod will behave the same as the replicaset pod depending on the volume of custom metrics.

-## Schedule ama-metrics replicaset pod on a nodepool with more resources

-A large volume of metrics per pod will require a large enough node to be able to handle the CPU and memory usage required. If the *ama-metrics* replicaset pod doesn't get scheduled on a node that has enough resources, it might keep getting OOMKilled and go to CrashLoopBackoff. In order to overcome this issue, if you have a node on your cluster that has higher resources (preferably in the system nodepool) and want to get the replicaset scheduled on that node, you can add the label `azuremonitor/metrics.replica.preferred=true` on the node and the replicaset pod will get scheduled on this node.

-In addition to the default scrape targets that Azure Monitor Prometheus agent scrapes by default, use the following steps to provide additional scrape config to the agent using a configmap. The Azure Monitor Prometheus agent doesn't understand or process operator [CRDs](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) for scrape configuration, but instead uses the native Prometheus configuration as defined in [Prometheus configuration](https://aka.ms/azureprometheus-promioconfig-scrape).

-The 2 configmaps that can be used for custom target scraping are -

-Create a Prometheus scrape configuration file named `prometheus-config`. See the [configuration tips and examples](prometheus-metrics-scrape-configuration.md#prometheus-configuration-tips-and-examples) for more details on authoring scrape config for Prometheus. You can also refer to [Prometheus.io](https://aka.ms/azureprometheus-promio) scrape configuration [reference](https://aka.ms/azureprometheus-promioconfig-scrape). Your config file will list the scrape configs under the section `scrape_configs` and can optionally use the global section for setting the global `scrape_interval`, `scrape_timeout`, and `external_labels`.

-Below is a sample Prometheus scrape config file:

- scrape_interval: 60s

-scrape_configs:

- scrape_interval: 30s

- scheme: http

- kubernetes_sd_configs:

- - role: endpoints

- namespaces:

- names:

- - node-exporter

- relabel_configs:

- - source_labels: [__meta_kubernetes_endpoints_name]

- action: keep

- regex: "dev-cluster-node-exporter-release-prometheus-node-exporter"

- - source_labels: [__metrics_path__]

- regex: (.*)

- target_label: metrics_path

- - source_labels: [__meta_kubernetes_endpoint_node_name]

- regex: (.*)

- target_label: instance

- - targets: ['dev-cluster-kube-state-metrics-release.kube-state-metrics.svc.cluster.local:8080']

- regex: "prometheus-reference-service"

-The agent uses the `promconfigvalidator` tool to validate the Prometheus config given to it through the configmap. If the config isn't valid, then the custom configuration given won't be used by the agent. Once you have your Prometheus config file, you can *optionally* use the `promconfigvalidator` tool to validate your config before creating a configmap that the agent consumes.

-The `promconfigvalidator` tool is inside the Azure Monitor metrics addon. You can use any of the `ama-metrics-node-*` pods in `kube-system` namespace in your cluster to download the tool for validation. Use `kubectl cp` to download the tool and its configuration as shown below:

-After copying the executable and the yaml, locate the path of your Prometheus configuration file. Then replace `<config path>` below and run the validator with the command:

-Running the validator generates the merged configuration file `merged-otel-config.yaml` if no path is provided with the optional `output` parameter. Don't use this merged file as config to the metrics collector agent, as it's only used for tool validation and debugging purposes.

-### Apply config file

-Your custom Prometheus configuration file is consumed as a field named `prometheus-config` in a configmap called `ama-metrics-prometheus-config` in the `kube-system` namespace. You can create a configmap from a file by renaming your Prometheus configuration file to `prometheus-config` (with no file extension) and running the following command:

-This will create a configmap named `ama-metrics-prometheus-config` in `kube-system` namespace. The Azure Monitor metrics pod will then restart to apply the new config. To see if there any issues with the config validation, processing, or merging, you can look at the `ama-metrics` pods.

-If you successfully created the configmap (ama-metrics-prometheus-config or ama-metrics-prometheus-config-node) in the **kube-system** namespace and still don't see the custom targets being scraped, check for errors in the **replicaset pod** logs for **ama-metrics-prometheus-config** configmap or **daemonset pod** logs for **ama-metrics-prometheus-config-node** configmap) using *kubectl logs* and make sure there are no errors in the *Start Merging Default and Custom Prometheus Config* section with prefix *prometheus-config-merger*

-Note that the ReplicaSet pod scrapes metrics from `kube-state-metrics` and custom scrape targets in the `ama-metrics-prometheus-config` configmap. The DaemonSet pods scrape metrics from the following targets on their respective node: `kubelet`, `cAdvisor`, `node-exporter`, and custom scrape targets in the `ama-metrics-prometheus-config-node` configmap. The pod that you will want to view the logs and the Prometheus UI for will depend on which scrape target you are investigating.

- - The message *No configuration present for the AKS resource* will be logged every 5 minutes.

- * The pod will restart every 15 minutes to try again with the error: *No configuration present for the AKS resource*.

-Every `ama-metrics-*` pod has the Prometheus Agent mode User Interface available on port 9090/ Port forward into either the replicaset or the daemonset to check the config, service discovery and targets endpoints as described below. This is used to verify the custom configs are correct, the intended targets have been discovered for each job, and there are no errors with scraping specific targets.

-Go to `127.0.0.1:9091/metrics` in a browser to see if the metrics were scraped by the OpenTelemetry Collector. This can be done for every `ama-metrics-*` pod. If metrics aren't there, there could be an issue with the metric or label name lengths or the number of labels. See below for the service limits for Prometheus metrics.

-| Label name length | Less than or equal to 511 characters. When this limit is exceeded for any time-series in a job, the entire scrape job will fail, and metrics will be dropped from that job before ingestion. You can see up=0 for that job and also target Ux will show the reason for up=0. |

-| Label value length | Less than or equal to 1023 characters. When this limit is exceeded for any time-series in a job, the entire scrape job will fail, and metrics will be dropped from that job before ingestion. You can see up=0 for that job and also target Ux will show the reason for up=0. |

-| Number of labels per timeseries | Less than or equal to 63. When this limit is exceeded for any time-series in a job, the entire scrape job will fail, and metrics will be dropped from that job before ingestion. You can see up=0 for that job and also target Ux will show the reason for up=0. |

-| Metric name length | Less than or equal to 511 characters. When this limit is exceeded for any time-series in a job, only that particular series will be dropped. MetricextensionConsoleDebugLog will have traces for the dropped metric. |

-| Recording | Recording rules allow you to pre-compute frequently needed or computationally extensive expressions and store their result as a new set of time series. Querying the precomputed result will then often be much faster than executing the original expression every time it's needed. This is especially useful for dashboards, which need to query the same expression repeatedly every time they refresh, or for use in alert rules, where multiple alert rules may be based on the same complex query. Time series created by recording rules are ingested back to your Azure Monitor workspace as new Prometheus metrics. |

-In the public preview, rule groups, recording rules and alert rules are configured using Azure Resource Manager (ARM) templates, API, and provisioning tools. This uses a new resource called **Prometheus Rule Group**. You can create and configure rule group resources where the alert rules and recording rules are defined as part of the rule group properties. Azure Prometheus rule groups are defined with a scope of a specific [Azure Monitor workspace](azure-monitor-workspace-overview.md).

-You can use a Resource Manager template to create and configure Prometheus rule groups, alert rules and recording rules. Resource Manager templates enable you to programmatically set up alert and recording rules in a consistent and reproducible way across your environments.

-You can optionally limit the rules in a rule group to query data originating from a specific cluster, using the rule group `clusterName` property.

-You should try to limit rules to a single cluster if your monitoring workspace contains a large scale of data from multiple clusters, and there's a concern that running a single set of rules on all the data may cause performance or throttling issues. Using the `clusterName` property, you can create multiple rule groups, each configured with the same rules, limiting each group to cover a different cluster.

-The rule group will have the following properties, whether it includes alerting rule, recording rule, or both.

-1. In the Client secrets tab, select **New client secret**.

-1. On the Add role Assignment page, search for *Monitoring*.

-You've created your App registration and have assigned it access to query data from your Azure Monitor workspace. The next step is setting up your Grafana data source.

-Grafana now supports connecting to Azure-managed Prometheus using the \https://grafana.com/docs/grafana/v9.0/setup-grafana/configure-grafana/Prometheus data source. Self-managed instances, a configuration change is needed to see the Azure Authentication option in Grafana. For self-hosted Grafana or other non-Azure-managed Grafana service, make the following changes:

- For Azure-managed Grafana, you don't need to make any configuration changes. Managed Identity is also enabled by default.

-## Configure Grafana data source

-## Next steps.

-This article introduces workbooks for Azure Monitor workspaces and shows you how to query Prometheus metrics using Azure workbooks and PromQL query language.

-> Querying data from an Azure Monitor workspace is a data plane operation. Even if you are an owner or have elevated control plane access, you still need to assign the Monitoring Data Reader role. For more information, see [Azure control and data plane](../../azure-resource-manager/management/control-plane-and-data-plane.md).

-## Microsoft.AAD/DomainServices

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|AccountLogon |AccountLogon |No |

-|AccountManagement |AccountManagement |No |

-|DetailTracking |DetailTracking |No |

-|DirectoryServiceAccess |DirectoryServiceAccess |No |

-|LogonLogoff |LogonLogoff |No |

-|ObjectAccess |ObjectAccess |No |

-|PolicyChange |PolicyChange |No |

-|PrivilegeUse |PrivilegeUse |No |

-|SystemSecurity |SystemSecurity |No |

-## microsoft.aadiam/tenants

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|Signin |Signin |Yes |

-## Microsoft.AgFoodPlatform/farmBeats

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|ApplicationAuditLogs |Application Audit Logs |Yes |

-|FarmManagementLogs |Farm Management Logs |Yes |

-|FarmOperationLogs |Farm Operation Logs |Yes |

-|InsightLogs |Insight Logs |Yes |

-|JobProcessedLogs |Job Processed Logs |Yes |

-|ModelInferenceLogs |Model Inference Logs |Yes |

-|ProviderAuthLogs |Provider Auth Logs |Yes |

-|SatelliteLogs |Satellite Logs |Yes |

-|SensorManagementLogs |Sensor Management Logs |Yes |

-|WeatherLogs |Weather Logs |Yes |

-## Microsoft.AnalysisServices/servers

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|Engine |Engine |No |

-|Service |Service |No |

-## Microsoft.ApiManagement/service

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|GatewayLogs |Logs related to ApiManagement Gateway |No |

-|WebSocketConnectionLogs |Logs related to Websocket Connections |Yes |

-## Microsoft.App/managedEnvironments

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|AppEnvSpringAppConsoleLogs |Spring App console logs |Yes |

-|ContainerAppConsoleLogs |Container App console logs |Yes |

-|ContainerAppSystemLogs |Container App system logs |Yes |

-## Microsoft.AppConfiguration/configurationStores

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|Audit |Audit |Yes |

-|HttpRequest |HTTP Requests |Yes |

-## Microsoft.AppPlatform/Spring

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|ApplicationConsole |Application Console |No |

-|BuildLogs |Build Logs |Yes |

-|ContainerEventLogs |Container Event Logs |Yes |

-|IngressLogs |Ingress Logs |Yes |

-|SystemLogs |System Logs |No |

-## Microsoft.Attestation/attestationProviders

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|AuditEvent |AuditEvent message log category. |No |

-|NotProcessed |Requests which could not be processed. |Yes |

-|Operational |Operational message log category. |Yes |

-## Microsoft.Automation/automationAccounts

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|AuditEvent |AuditEvent |Yes |

-|DscNodeStatus |DscNodeStatus |No |

-|JobLogs |JobLogs |No |

-|JobStreams |JobStreams |No |

-## Microsoft.AutonomousDevelopmentPlatform/accounts

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|Audit |Audit |Yes |

-|Operational |Operational |Yes |

-|Request |Request |Yes |

-## Microsoft.AutonomousDevelopmentPlatform/workspaces

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|Audit |Audit |Yes |

-|Operational |Operational |Yes |

-|Request |Request |Yes |

-## microsoft.avs/privateClouds

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|vmwaresyslog |VMware Syslog |Yes |

-## microsoft.azuresphere/catalogs

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|AuditLogs |Audit Logs |Yes |

-|DeviceEvents |Device Events |Yes |

-## Microsoft.Batch/batchaccounts

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|AuditLog |Audit Logs |Yes |

-|ServiceLog |Service Logs |No |

-|ServiceLogs |Service Logs |Yes |

-## microsoft.botservice/botservices

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|BotRequest |Requests from the channels to the bot |Yes |

-## Microsoft.Cache/redis

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|ConnectedClientList |Connected client list |Yes |

-## Microsoft.Cache/redisEnterprise/databases

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|ConnectionEvents |Connection events (New Connection/Authentication/Disconnection) |Yes |

-## Microsoft.Cdn/cdnwebapplicationfirewallpolicies

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|WebApplicationFirewallLogs |Web Appliation Firewall Logs |No |

-## Microsoft.Cdn/profiles

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|AzureCdnAccessLog |Azure Cdn Access Log |No |

-|FrontDoorAccessLog |FrontDoor Access Log |Yes |

-|FrontDoorHealthProbeLog |FrontDoor Health Probe Log |Yes |

-|FrontDoorWebApplicationFirewallLog |FrontDoor WebApplicationFirewall Log |Yes |

-## Microsoft.Cdn/profiles/endpoints

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|CoreAnalytics |Gets the metrics of the endpoint, e.g., bandwidth, egress, etc. |No |

-## Microsoft.Chaos/experiments

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|ExperimentOrchestration |Experiment Orchestration Events |Yes |

-## Microsoft.ClassicNetwork/networksecuritygroups

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|Network Security Group Rule Flow Event |Network Security Group Rule Flow Event |No |

-## Microsoft.CodeSigning/codesigningaccounts

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|SignTransactions |Sign Transactions |Yes |

-## Microsoft.CognitiveServices/accounts

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|Audit |Audit Logs |No |

-|RequestResponse |Request and Response Logs |No |

-|Trace |Trace Logs |No |

-## Microsoft.Communication/CommunicationServices

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|AuthOperational |Operational Authentication Logs |Yes |

-|CallAutomationOperational |Operational Call Automation Logs |Yes |

-|CallDiagnostics |Call Diagnostics Logs |Yes |

-|CallRecordingSummary |Call Recording Summary Logs |Yes |

-|CallSummary |Call Summary Logs |Yes |

-|ChatOperational |Operational Chat Logs |No |

-|EmailSendMailOperational |Email Service Send Mail Logs |Yes |

-|EmailStatusUpdateOperational |Email Service Delivery Status Update Logs |Yes |

-|EmailUserEngagementOperational |Email Service User Engagement Logs |Yes |

-|JobRouterOperational |Operational Job Router Logs |Yes |

-|NetworkTraversalDiagnostics |Network Traversal Relay Diagnostic Logs |Yes |

-|NetworkTraversalOperational |Operational Network Traversal Logs |Yes |

-|RoomsOperational |Operational Rooms Logs |Yes |

-|SMSOperational |Operational SMS Logs |No |

-|Usage |Usage Records |No |

-## Microsoft.Compute/virtualMachines

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|SoftwareUpdateProfile |SoftwareUpdateProfile |Yes |

-|SoftwareUpdates |SoftwareUpdates |Yes |

-## Microsoft.ConfidentialLedger/ManagedCCF

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|applicationlogs |CCF Application Logs |Yes |

-## Microsoft.ConfidentialLedger/ManagedCCFs

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|applicationlogs |CCF Application Logs |Yes |

-## Microsoft.ConnectedCache/CacheNodes

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|Events |Events |Yes |

-## Microsoft.ConnectedCache/ispCustomers

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|Events |Events |Yes |

-## Microsoft.ConnectedVehicle/platformAccounts

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|Audit |MCVP Audit Logs |Yes |

-|Logs |MCVP Logs |Yes |

-## Microsoft.ContainerRegistry/registries

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|ContainerRegistryLoginEvents |Login Events |No |

-|ContainerRegistryRepositoryEvents |RepositoryEvent logs |No |

-## Microsoft.ContainerService/fleets

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|cloud-controller-manager |Kubernetes Cloud Controller Manager |Yes |

-|cluster-autoscaler |Kubernetes Cluster Autoscaler |Yes |

-|csi-azuredisk-controller |csi-azuredisk-controller |Yes |

-|csi-azurefile-controller |csi-azurefile-controller |Yes |

-|csi-snapshot-controller |csi-snapshot-controller |Yes |

-|guard |guard |Yes |

-|kube-apiserver |Kubernetes API Server |Yes |

-|kube-audit |Kubernetes Audit |Yes |

-|kube-audit-admin |Kubernetes Audit Admin Logs |Yes |

-|kube-controller-manager |Kubernetes Controller Manager |Yes |

-|kube-scheduler |Kubernetes Scheduler |Yes |

-## Microsoft.ContainerService/managedClusters

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|cloud-controller-manager |Kubernetes Cloud Controller Manager |Yes |

-|cluster-autoscaler |Kubernetes Cluster Autoscaler |No |

-|csi-azuredisk-controller |csi-azuredisk-controller |Yes |

-|csi-azurefile-controller |csi-azurefile-controller |Yes |

-|csi-snapshot-controller |csi-snapshot-controller |Yes |

-|guard |guard |No |

-|kube-apiserver |Kubernetes API Server |No |

-|kube-audit |Kubernetes Audit |No |

-|kube-audit-admin |Kubernetes Audit Admin Logs |No |

-|kube-controller-manager |Kubernetes Controller Manager |No |

-|kube-scheduler |Kubernetes Scheduler |No |

-## Microsoft.CustomProviders/resourceproviders

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|AuditLogs |Audit logs for MiniRP calls |No |

-## Microsoft.D365CustomerInsights/instances

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|Audit |Audit events |No |

-|Operational |Operational events |No |

-## Microsoft.Dashboard/grafana

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|GrafanaLoginEvents |Grafana Login Events |Yes |

-## Microsoft.Databricks/workspaces

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|accounts |Databricks Accounts |No |

-|capsule8Dataplane |Databricks Capsule8 Container Security Scanning Reports |Yes |

-|clamAVScan |Databricks Clam AV Scan |Yes |

-|clusterLibraries |Databricks Cluster Libraries |Yes |

-|clusters |Databricks Clusters |No |

-|databrickssql |Databricks DatabricksSQL |Yes |

-|dbfs |Databricks File System |No |

-|deltaPipelines |Databricks Delta Pipelines |Yes |

-|featureStore |Databricks Feature Store |Yes |

-|genie |Databricks Genie |Yes |

-|gitCredentials |Databricks Git Credentials |Yes |

-|globalInitScripts |Databricks Global Init Scripts |Yes |

-|iamRole |Databricks IAM Role |Yes |

-|instancePools |Instance Pools |No |

-|jobs |Databricks Jobs |No |

-|mlflowAcledArtifact |Databricks MLFlow Acled Artifact |Yes |

-|mlflowExperiment |Databricks MLFlow Experiment |Yes |

-|modelRegistry |Databricks Model Registry |Yes |

-|notebook |Databricks Notebook |No |

-|partnerHub |Databricks Partner Hub |Yes |

-|RemoteHistoryService |Databricks Remote History Service |Yes |

-|repos |Databricks Repos |Yes |

-|secrets |Databricks Secrets |No |

-|serverlessRealTimeInference |Databricks Serverless Real-Time Inference |Yes |

-|sqlanalytics |Databricks SQL Analytics |Yes |

-|sqlPermissions |Databricks SQLPermissions |No |

-|ssh |Databricks SSH |No |

-|unityCatalog |Databricks Unity Catalog |Yes |

-|webTerminal |Databricks Web Terminal |Yes |

-|workspace |Databricks Workspace |No |

-## Microsoft.DataCollaboration/workspaces

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|CollaborationAudit |Collaboration Audit |Yes |

-|Computations |Computations |Yes |

-|DataAssets |Data Assets |No |

-|Pipelines |Pipelines |No |

-|Pipelines |Pipelines |No |

-|Proposals |Proposals |No |

-|Scripts |Scripts |No |

-## Microsoft.DataFactory/factories

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|ActivityRuns |Pipeline activity runs log |No |

-|AirflowDagProcessingLogs |Airflow dag processing logs |Yes |

-|AirflowSchedulerLogs |Airflow scheduler logs |Yes |

-|AirflowTaskLogs |Airflow task execution logs |Yes |

-|AirflowWebLogs |Airflow web logs |Yes |

-|AirflowWorkerLogs |Airflow worker logs |Yes |

-|PipelineRuns |Pipeline runs log |No |

-|SandboxActivityRuns |Sandbox Activity runs log |Yes |

-|SandboxPipelineRuns |Sandbox Pipeline runs log |Yes |

-|SSISIntegrationRuntimeLogs |SSIS integration runtime logs |No |

-|SSISPackageEventMessageContext |SSIS package event message context |No |

-|SSISPackageEventMessages |SSIS package event messages |No |

-|SSISPackageExecutableStatistics |SSIS package executable statistics |No |

-|SSISPackageExecutionComponentPhases |SSIS package execution component phases |No |

-|SSISPackageExecutionDataStatistics |SSIS package exeution data statistics |No |

-|TriggerRuns |Trigger runs log |No |

-## Microsoft.DataLakeAnalytics/accounts

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|Audit |Audit Logs |No |

-|ConfigurationChange |Configuration Change Event Logs |Yes |

-|JobEvent |Job Event Logs |Yes |

-|JobInfo |Job Info Logs |Yes |

-|Requests |Request Logs |No |

-## Microsoft.DataLakeStore/accounts

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|Audit |Audit Logs |No |

-|Requests |Request Logs |No |

-## Microsoft.DataProtection/BackupVaults

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|AddonAzureBackupJobs |Addon Azure Backup Job Data |Yes |

-|AddonAzureBackupPolicy |Addon Azure Backup Policy Data |Yes |

-|AddonAzureBackupProtectedInstance |Addon Azure Backup Protected Instance Data |Yes |

-|CoreAzureBackup |Core Azure Backup Data |Yes |

-## Microsoft.DataShare/accounts

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|ReceivedShareSnapshots |Received Share Snapshots |No |

-|SentShareSnapshots |Sent Share Snapshots |No |

-|Shares |Shares |No |

-|ShareSubscriptions |Share Subscriptions |No |

-## Microsoft.DBforMariaDB/servers

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|MySqlAuditLogs |MariaDB Audit Logs |No |

-|MySqlSlowLogs |MariaDB Server Logs |No |

-## Microsoft.DBforMySQL/flexibleServers

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|MySqlAuditLogs |MySQL Audit Logs |No |

-|MySqlSlowLogs |MySQL Slow Logs |No |

-## Microsoft.DBforMySQL/servers

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|MySqlAuditLogs |MySQL Audit Logs |No |

-|MySqlSlowLogs |MySQL Server Logs |No |

-## Microsoft.DBforPostgreSQL/flexibleServers

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|PostgreSQLFlexDatabaseXacts |PostgreSQL remaining transactions |Yes |

-|PostgreSQLFlexQueryStoreRuntime |PostgreSQL Query Store Runtime |Yes |

-|PostgreSQLFlexQueryStoreWaitStats |PostgreSQL Query Store Wait Statistics |Yes |

-|PostgreSQLFlexSessions |PostgreSQL Sessions data |Yes |

-|PostgreSQLFlexTableStats |PostgreSQL Autovacuum and schema statistics |Yes |

-|PostgreSQLLogs |PostgreSQL Server Logs |No |

-## Microsoft.DBForPostgreSQL/serverGroupsv2

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|PostgreSQLLogs |PostgreSQL Server Logs |Yes |

-## Microsoft.DBforPostgreSQL/servers

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|PostgreSQLLogs |PostgreSQL Server Logs |No |

-|QueryStoreRuntimeStatistics |PostgreSQL Query Store Runtime Statistics |No |

-|QueryStoreWaitStatistics |PostgreSQL Query Store Wait Statistics |No |

-## Microsoft.DBforPostgreSQL/serversv2

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|PostgreSQLLogs |PostgreSQL Server Logs |No |

-## Microsoft.DesktopVirtualization/applicationgroups

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|Checkpoint |Checkpoint |No |

-|Error |Error |No |

-|Management |Management |No |

-## Microsoft.DesktopVirtualization/hostpools

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|AgentHealthStatus |AgentHealthStatus |No |

-|AutoscaleEvaluationPooled |Do not use - internal testing |Yes |

-|Checkpoint |Checkpoint |No |

-|Connection |Connection |No |

-|ConnectionGraphicsData |Connection Graphics Data Logs Preview |Yes |

-|Error |Error |No |

-|HostRegistration |HostRegistration |No |

-|Management |Management |No |

-|NetworkData |Network Data Logs |Yes |

-|SessionHostManagement |Session Host Management Activity Logs |Yes |

-## Microsoft.DesktopVirtualization/scalingplans

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|Autoscale |Autoscale logs |Yes |

-## Microsoft.DesktopVirtualization/workspaces

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|Checkpoint |Checkpoint |No |

-|Error |Error |No |

-|Feed |Feed |No |

-|Management |Management |No |

-## Microsoft.DevCenter/devcenters

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|DataplaneAuditEvent |Dataplane audit logs |Yes |

-## Microsoft.Devices/IotHubs

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|C2DCommands |C2D Commands |No |

-|C2DTwinOperations |C2D Twin Operations |No |

-|Configurations |Configurations |No |

-|Connections |Connections |No |

-|D2CTwinOperations |D2CTwinOperations |No |

-|DeviceIdentityOperations |Device Identity Operations |No |

-|DeviceStreams |Device Streams (Preview) |No |

-|DeviceTelemetry |Device Telemetry |No |

-|DirectMethods |Direct Methods |No |

-|DistributedTracing |Distributed Tracing (Preview) |No |

-|FileUploadOperations |File Upload Operations |No |

-|JobsOperations |Jobs Operations |No |

-|Routes |Routes |No |

-|TwinQueries |Twin Queries |No |

-## Microsoft.Devices/provisioningServices

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|DeviceOperations |Device Operations |No |

-|ServiceOperations |Service Operations |No |

-## Microsoft.DigitalTwins/digitalTwinsInstances

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|DataHistoryOperation |DataHistoryOperation |Yes |

-|DigitalTwinsOperation |DigitalTwinsOperation |No |

-|EventRoutesOperation |EventRoutesOperation |No |

-|ModelsOperation |ModelsOperation |No |

-|QueryOperation |QueryOperation |No |

-|ResourceProviderOperation |ResourceProviderOperation |Yes |

-## Microsoft.DocumentDB/cassandraClusters

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|CassandraAudit |CassandraAudit |Yes |

-|CassandraLogs |CassandraLogs |Yes |

-## Microsoft.DocumentDB/DatabaseAccounts

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|CassandraRequests |CassandraRequests |No |

-|ControlPlaneRequests |ControlPlaneRequests |No |

-|DataPlaneRequests |DataPlaneRequests |No |

-|GremlinRequests |GremlinRequests |No |

-|MongoRequests |MongoRequests |No |

-|PartitionKeyRUConsumption |PartitionKeyRUConsumption |No |

-|PartitionKeyStatistics |PartitionKeyStatistics |No |

-|QueryRuntimeStatistics |QueryRuntimeStatistics |No |

-|TableApiRequests |TableApiRequests |Yes |

-## Microsoft.EventGrid/domains

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|DataPlaneRequests |Data plane operations logs |Yes |

-|DeliveryFailures |Delivery Failure Logs |No |

-|PublishFailures |Publish Failure Logs |No |

-## Microsoft.EventGrid/partnerNamespaces

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|DataPlaneRequests |Data plane operations logs |Yes |

-|PublishFailures |Publish Failure Logs |No |

-## Microsoft.EventGrid/partnerTopics

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|DeliveryFailures |Delivery Failure Logs |No |

-## Microsoft.EventGrid/systemTopics

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|DeliveryFailures |Delivery Failure Logs |No |

-## Microsoft.EventGrid/topics

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|DataPlaneRequests |Data plane operations logs |Yes |

-|DeliveryFailures |Delivery Failure Logs |No |

-|PublishFailures |Publish Failure Logs |No |

-## Microsoft.EventHub/Namespaces

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|ApplicationMetricsLogs |Application Metrics Logs |Yes |

-|ArchiveLogs |Archive Logs |No |

-|AutoScaleLogs |Auto Scale Logs |No |

-|CustomerManagedKeyUserLogs |Customer Managed Key Logs |No |

-|EventHubVNetConnectionEvent |VNet/IP Filtering Connection Logs |No |

-|KafkaCoordinatorLogs |Kafka Coordinator Logs |No |

-|KafkaUserErrorLogs |Kafka User Error Logs |No |

-|OperationalLogs |Operational Logs |No |

-|RuntimeAuditLogs |Runtime Audit Logs |Yes |

-## Microsoft.HealthcareApis/services

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|AuditLogs |Audit logs |No |

-|DiagnosticLogs |Diagnostic logs |Yes |

-## Microsoft.HealthcareApis/workspaces/analyticsconnectors

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|DiagnosticLogs |Diagnostic logs for Analytics Connector |Yes |

-## Microsoft.HealthcareApis/workspaces/dicomservices

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|AuditLogs |Audit logs |Yes |

-|DiagnosticLogs |Diagnostic logs |Yes |

-## Microsoft.HealthcareApis/workspaces/fhirservices

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|AuditLogs |FHIR Audit logs |Yes |

-## Microsoft.HealthcareApis/workspaces/iotconnectors

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|DiagnosticLogs |Diagnostic logs |Yes |

-## microsoft.insights/autoscalesettings

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|AutoscaleEvaluations |Autoscale Evaluations |No |

-|AutoscaleScaleActions |Autoscale Scale Actions |No |

-## microsoft.insights/components

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|AppAvailabilityResults |Availability results |No |

-|AppBrowserTimings |Browser timings |No |

-|AppDependencies |Dependencies |No |

-|AppEvents |Events |No |

-|AppExceptions |Exceptions |No |

-|AppMetrics |Metrics |No |

-|AppPageViews |Page views |No |

-|AppPerformanceCounters |Performance counters |No |

-|AppRequests |Requests |No |

-|AppSystemEvents |System events |No |

-|AppTraces |Traces |No |

-## Microsoft.Insights/datacollectionrules

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|LogErrors |Log Errors |Yes |

-|LogTroubleshooting |Log Troubleshooting |Yes |

-## microsoft.keyvault/managedhsms

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|AuditEvent |Audit Event |No |

-## Microsoft.KeyVault/vaults

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|AuditEvent |Audit Logs |No |

-|AzurePolicyEvaluationDetails |Azure Policy Evaluation Details |Yes |

-## Microsoft.Kusto/clusters

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|Command |Command |No |

-|FailedIngestion |Failed ingestion |No |

-|IngestionBatching |Ingestion batching |No |

-|Journal |Journal |Yes |

-|Query |Query |No |

-|SucceededIngestion |Succeeded ingestion |No |

-|TableDetails |Table details |No |

-|TableUsageStatistics |Table usage statistics |No |

-## microsoft.loadtestservice/loadtests

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|OperationLogs |Azure Load Testing Operations |Yes |

-## Microsoft.Logic/IntegrationAccounts

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|IntegrationAccountTrackingEvents |Integration Account track events |No |

-## Microsoft.Logic/Workflows

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|WorkflowRuntime |Workflow runtime diagnostic events |No |

-## Microsoft.MachineLearningServices/registries

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|RegistryAssetReadEvent |Registry Asset Read Event |Yes |

-|RegistryAssetWriteEvent |Registry Asset Write Event |Yes |

-## Microsoft.MachineLearningServices/workspaces

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|AmlComputeClusterEvent |AmlComputeClusterEvent |No |

-|AmlComputeClusterNodeEvent |AmlComputeClusterNodeEvent |Yes |

-|AmlComputeCpuGpuUtilization |AmlComputeCpuGpuUtilization |No |

-|AmlComputeJobEvent |AmlComputeJobEvent |No |

-|AmlRunStatusChangedEvent |AmlRunStatusChangedEvent |No |

-|ComputeInstanceEvent |ComputeInstanceEvent |Yes |

-|DataLabelChangeEvent |DataLabelChangeEvent |Yes |

-|DataLabelReadEvent |DataLabelReadEvent |Yes |

-|DataSetChangeEvent |DataSetChangeEvent |Yes |

-|DataSetReadEvent |DataSetReadEvent |Yes |

-|DataStoreChangeEvent |DataStoreChangeEvent |Yes |

-|DataStoreReadEvent |DataStoreReadEvent |Yes |

-|DeploymentEventACI |DeploymentEventACI |Yes |

-|DeploymentEventAKS |DeploymentEventAKS |Yes |

-|DeploymentReadEvent |DeploymentReadEvent |Yes |

-|EnvironmentChangeEvent |EnvironmentChangeEvent |Yes |

-|EnvironmentReadEvent |EnvironmentReadEvent |Yes |

-|InferencingOperationACI |InferencingOperationACI |Yes |

-|InferencingOperationAKS |InferencingOperationAKS |Yes |

-|ModelsActionEvent |ModelsActionEvent |Yes |

-|ModelsChangeEvent |ModelsChangeEvent |Yes |

-|ModelsReadEvent |ModelsReadEvent |Yes |

-|PipelineChangeEvent |PipelineChangeEvent |Yes |

-|PipelineReadEvent |PipelineReadEvent |Yes |

-|RunEvent |RunEvent |Yes |

-|RunReadEvent |RunReadEvent |Yes |

-## Microsoft.MachineLearningServices/workspaces/onlineEndpoints

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|AmlOnlineEndpointConsoleLog |AmlOnlineEndpointConsoleLog |Yes |

-|AmlOnlineEndpointEventLog |AmlOnlineEndpointEventLog (preview) |Yes |

-|AmlOnlineEndpointTrafficLog |AmlOnlineEndpointTrafficLog (preview) |Yes |

-## Microsoft.ManagedNetworkFabric/networkDevices

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|AppAvailabilityResults |Availability results |Yes |

-|AppBrowserTimings |Browser timings |Yes |

-## Microsoft.Media/mediaservices

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|KeyDeliveryRequests |Key Delivery Requests |No |

-|MediaAccount |Media Account Health Status |Yes |

-## Microsoft.Media/mediaservices/liveEvents

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|LiveEventState |Live Event Operations |Yes |

-## Microsoft.Media/mediaservices/streamingEndpoints

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|StreamingEndpointRequests |Streaming Endpoint Requests |Yes |

-## Microsoft.Media/videoanalyzers

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|Audit |Audit Logs |Yes |

-|Diagnostics |Diagnostics Logs |Yes |

-|Operational |Operational Logs |Yes |

-## Microsoft.NetApp/netAppAccounts/capacityPools

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|Autoscale |Capacity Pool Autoscaled |Yes |

-## Microsoft.NetApp/netAppAccounts/capacityPools/volumes

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|ANFFileAccess |ANF File Access |Yes |

-## Microsoft.Network/applicationgateways

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|ApplicationGatewayAccessLog |Application Gateway Access Log |No |

-|ApplicationGatewayFirewallLog |Application Gateway Firewall Log |No |

-|ApplicationGatewayPerformanceLog |Application Gateway Performance Log |No |

-## Microsoft.Network/azureFirewalls

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|AZFWApplicationRule |Azure Firewall Application Rule |Yes |

-|AZFWApplicationRuleAggregation |Azure Firewall Network Rule Aggregation (Policy Analytics) |Yes |

-|AZFWDnsQuery |Azure Firewall DNS query |Yes |

-|AZFWFatFlow |Azure Firewall Fat Flow Log |Yes |

-|AZFWFlowTrace |Azure Firewall Flow Trace Log |Yes |

-|AZFWFqdnResolveFailure |Azure Firewall FQDN Resolution Failure |Yes |

-|AZFWIdpsSignature |Azure Firewall IDPS Signature |Yes |

-|AZFWNatRule |Azure Firewall Nat Rule |Yes |

-|AZFWNatRuleAggregation |Azure Firewall Nat Rule Aggregation (Policy Analytics) |Yes |

-|AZFWNetworkRule |Azure Firewall Network Rule |Yes |

-|AZFWNetworkRuleAggregation |Azure Firewall Application Rule Aggregation (Policy Analytics) |Yes |

-|AZFWThreatIntel |Azure Firewall Threat Intelligence |Yes |

-|AzureFirewallApplicationRule |Azure Firewall Application Rule (Legacy Azure Diagnostics) |No |

-|AzureFirewallDnsProxy |Azure Firewall DNS Proxy (Legacy Azure Diagnostics) |No |

-|AzureFirewallNetworkRule |Azure Firewall Network Rule (Legacy Azure Diagnostics) |No |

-## microsoft.network/bastionHosts

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|BastionAuditLogs |Bastion Audit Logs |No |

-## Microsoft.Network/expressRouteCircuits

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|PeeringRouteLog |Peering Route Table Logs |No |

-## Microsoft.Network/frontdoors

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|FrontdoorAccessLog |Frontdoor Access Log |No |

-|FrontdoorWebApplicationFirewallLog |Frontdoor Web Application Firewall Log |No |

-## Microsoft.Network/loadBalancers

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|LoadBalancerAlertEvent |Load Balancer Alert Events |No |

-|LoadBalancerProbeHealthStatus |Load Balancer Probe Health Status |No |

-## Microsoft.Network/networkManagers

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|NetworkGroupMembershipChange |Network Group Membership Change |Yes |

-## Microsoft.Network/networksecuritygroups

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|NetworkSecurityGroupEvent |Network Security Group Event |No |

-|NetworkSecurityGroupFlowEvent |Network Security Group Rule Flow Event |No |

-|NetworkSecurityGroupRuleCounter |Network Security Group Rule Counter |No |

-## Microsoft.Network/networkSecurityPerimeters

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|NspCrossPerimeterInboundAllowed |Cross perimeter inbound access allowed by perimeter link. |Yes |

-|NspCrossPerimeterOutboundAllowed |Cross perimeter outbound access allowed by perimeter link. |Yes |

-|NspIntraPerimeterInboundAllowed |Inbound access allowed within same perimeter. |Yes |

-|NspIntraPerimeterOutboundAllowed |Outbound attempted to same perimeter. NOTE: To be deprecated in future. |Yes |

-|NspOutboundAttempt |Outbound attempted to same or different perimeter. |Yes |

-|NspPrivateInboundAllowed |Private endpoint traffic allowed. |Yes |

-|NspPublicInboundPerimeterRulesAllowed |Public inbound access allowed by NSP access rules. |Yes |

-|NspPublicInboundPerimeterRulesDenied |Public inbound access denied by NSP access rules. |Yes |

-|NspPublicInboundResourceRulesAllowed |Public inbound access allowed by PaaS resource rules. |Yes |

-|NspPublicInboundResourceRulesDenied |Public inbound access denied by PaaS resource rules. |Yes |

-|NspPublicOutboundPerimeterRulesAllowed |Public outbound access allowed by NSP access rules. |Yes |

-|NspPublicOutboundPerimeterRulesDenied |Public outbound access denied by NSP access rules. |Yes |

-|NspPublicOutboundResourceRulesAllowed |Public outbound access allowed by PaaS resource rules. |Yes |

-|NspPublicOutboundResourceRulesDenied |Public outbound access denied by PaaS resource rules |Yes |

-## Microsoft.Network/networkSecurityPerimeters/profiles

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|NSPInboundAccessAllowed |NSP Inbound Access Allowed. |Yes |

-|NSPInboundAccessDenied |NSP Inbound Access Denied. |Yes |

-|NSPOutboundAccessAllowed |NSP Outbound Access Allowed. |Yes |

-|NSPOutboundAccessDenied |NSP Outbound Access Denied. |Yes |

-## microsoft.network/p2svpngateways

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|GatewayDiagnosticLog |Gateway Diagnostic Logs |No |

-|IKEDiagnosticLog |IKE Diagnostic Logs |No |

-|P2SDiagnosticLog |P2S Diagnostic Logs |No |

-## Microsoft.Network/publicIPAddresses

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|

-||||

-|DDoSMitigationFlowLogs |Flow logs of DDoS mitigation decisions |No |

-|DDoSMitigationReports |Reports of DDoS mitigations |No |

-|DDoSProtectionNotifications |DDoS protection notifications |No |

-## Microsoft.Network/trafficManagerProfiles

-<!-- Data source : arm-->

-|Category|Category Display Name|Costs To Export|

-||||

-|ProbeHealthStatusEvents |Traffic Manager Probe Health Results Event |No |

-## microsoft.network/virtualnetworkgateways

-<!-- Data source : naam-->

-|Category|Category Display Name|Costs To Export|