+The pattern for acquiring tokens for APIs with [MSAL.js](https://github.com/AzureAD/microsoft-authentication-library-for-js) is to first attempt a silent token request by using the `acquireTokenSilent` method. When this method is called, the library first checks the cache in browser storage to see if a valid token exists and returns it. When no valid token is in the cache, it attempts to use its refresh token to get the token. If the refresh token's 24-hour lifetime has expired, MSAL.js will open a hidden iframe to silently request a new authorization code, which it will exchange for a new, valid refresh token. For more information about single sign-on (SSO) session and token lifetime values in Azure Active Directory (Azure AD), see [Token lifetimes](active-directory-configurable-token-lifetimes.md).

+The silent token requests to Azure AD might fail for reasons like a password change or updated conditional access policies. More often, failures are due to the refresh token's 24-hour lifetime expiring and [the browser blocking third party cookies](reference-third-party-cookies-spas.md), which prevents the use of hidden iframes to continue authenticating the user. In these cases, you should invoke one of the interactive methods (which may prompt the user) to acquire tokens:

+- [Pop-up window](#acquire-a-token-with-a-pop-up-window), by using `acquireTokenPopup`

+- [Redirect](#acquire-a-token-with-a-redirect), by using `acquireTokenRedirect`

+- If you don't want users to move away from your main application page during authentication, we recommend the pop-up method. Because the authentication redirect happens in a pop-up window, the state of the main application is preserved.

+- If users have browser constraints or policies where pop-up windows are disabled, you can use the redirect method. Use the redirect method with the Internet Explorer browser, because there are [known issues with pop-up windows on Internet Explorer](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/internet-explorer.md#popups).

+You can set the API scopes that you want the access token to include when it's building the access token request. All requested scopes might not be granted in the access token. That depends on the user's consent.

+ scopes: ["user.read"],

+ account: account,

+};

+publicClientApplication

+ .acquireTokenSilent(accessTokenRequest)

+ .then(function (accessTokenResponse) {

+ })

+ .catch(function (error) {

+ publicClientApplication

+ .acquireTokenPopup(accessTokenRequest)

+ .then(function (accessTokenResponse) {

+ // Acquire token interactive success

+ let accessToken = accessTokenResponse.accessToken;

+ // Call your API with token

+ callApi(accessToken);

+ })

+ .catch(function (error) {

+ // Acquire token interactive failure

+ console.log(error);

+ });

+ scopes: ["user.read"],

+};

+userAgentApplication

+ .acquireTokenSilent(accessTokenRequest)

+ .then(function (accessTokenResponse) {

+ })

+ .catch(function (error) {

+ userAgentApplication

+ .acquireTokenPopup(accessTokenRequest)

+ .then(function (accessTokenResponse) {

+ // Acquire token interactive success

+ })

+ .catch(function (error) {

+ // Acquire token interactive failure

+ console.log(error);

+ });

+You can specify the scopes for APIs in the `protectedResourceMap` configuration option. `MsalInterceptor` will request the specified scopes when automatically acquiring tokens.

+import { PublicClientApplication, InteractionType } from "@azure/msal-browser";

+import { MsalInterceptor, MsalModule } from "@azure/msal-angular";

+ declarations: [

+ // ...

+ ],

+ imports: [

+ // ...

+ MsalModule.forRoot(

+ new PublicClientApplication({

+ auth: {

+ clientId: "Enter_the_Application_Id_Here",

+ },

+ cache: {

+ cacheLocation: "localStorage",

+ storeAuthStateInCookie: isIE,

+ },

+ }),

+ {

+ interactionType: InteractionType.Popup,

+ authRequest: {

+ scopes: ["user.read"],

+ },

+ },

+ {

+ interactionType: InteractionType.Popup,

+ protectedResourceMap: new Map([

+ ["https://graph.microsoft.com/v1.0/me", ["user.read"]],

+ ]),

+ }

+ ),

+ ],

+ providers: [

+ {

+ provide: HTTP_INTERCEPTORS,

+ useClass: MsalInterceptor,

+ multi: true,

+ },

+ ],

+ bootstrap: [AppComponent],

+export class AppModule {}

+You can specify the scopes for APIs in the `protectedResourceMap` configuration option. `MsalInterceptor` will request the specified scopes when automatically acquiring tokens.

+ MsalModule.forRoot(

+ {

+ auth: {

+ clientId: "Enter_the_Application_Id_Here",

+ },

+ },

+ {

+ popUp: !isIE,

+ consentScopes: ["user.read", "openid", "profile"],

+ protectedResourceMap: [

+ ["https://graph.microsoft.com/v1.0/me", ["user.read"]],

+ ],

+ ),

+ multi: true,

+ },

+ bootstrap: [AppComponent],

+export class AppModule {}

+import {

+ InteractionRequiredAuthError,

+ InteractionStatus,

+} from "@azure/msal-browser";

+ const { instance, inProgress, accounts } = useMsal();

+ const [apiData, setApiData] = useState(null);

+ useEffect(() => {

+ if (!apiData && inProgress === InteractionStatus.None) {

+ const accessTokenRequest = {

+ scopes: ["user.read"],

+ account: accounts[0],

+ };

+ instance

+ .acquireTokenSilent(accessTokenRequest)

+ .then((accessTokenResponse) => {

+ // Acquire token silent success

+ let accessToken = accessTokenResponse.accessToken;

+ // Call your API with token

+ callApi(accessToken).then((response) => {

+ setApiData(response);

+ });

+ })

+ .catch((error) => {

+ if (error instanceof InteractionRequiredAuthError) {

+ instance

+ .acquireTokenPopup(accessTokenRequest)

+ .then(function (accessTokenResponse) {

+ // Acquire token interactive success

+ callApi(accessToken).then((response) => {

+ setApiData(response);

+ });

+ })

+ .catch(function (error) {

+ // Acquire token interactive failure

+ });

+ }

+ console.log(error);

+ });

+ }

+ }, [instance, accounts, inProgress, apiData]);

+ return <p>Return your protected content here: {apiData}</p>;

+ return (

+ <AuthenticatedTemplate>

+ <ProtectedComponent />

+ </AuthenticatedTemplate>

+ );

+Alternatively, if you need to acquire a token outside of a React component you can call `acquireTokenSilent` but shouldn't fall back to interaction if it fails. All interactions should take place underneath the `MsalProvider` component in your component tree.

+ scopes: ["user.read"],

+ account: account,

+};

+publicClientApplication

+ .acquireTokenSilent(accessTokenRequest)

+ .then(function (accessTokenResponse) {

+ })

+ .catch(function (error) {

+ });

+ // Acquire token silent success

+ let accessToken = redirectResponse.accessToken;

+ // Call your API with token

+ callApi(accessToken);

+ // MSAL.js v2 exposes several account APIs, logic to determine which account to use is the responsibility of the developer

+ const account = publicClientApplication.getAllAccounts()[0];

+ const accessTokenRequest = {

+ scopes: ["user.read"],

+ account: account,

+ };

+ publicClientApplication

+ .acquireTokenSilent(accessTokenRequest)

+ .then(function (accessTokenResponse) {

+ // Acquire token silent success

+ // Call API with token

+ let accessToken = accessTokenResponse.accessToken;

+ // Call your API with token

+ callApi(accessToken);

+ })

+ .catch(function (error) {

+ //Acquire token silent failure, and send an interactive request

+ console.log(error);

+ if (error instanceof InteractionRequiredAuthError) {

+ publicClientApplication.acquireTokenRedirect(accessTokenRequest);

+ }

+ // Handle redirect response

+ scopes: ["user.read"],

+};

+userAgentApplication

+ .acquireTokenSilent(accessTokenRequest)

+ .then(function (accessTokenResponse) {

+ })

+ .catch(function (error) {

+ userAgentApplication.acquireTokenRedirect(accessTokenRequest);

+ });

+- Include extra claims in tokens for your application.

+ optionalClaims: {

+ idToken: [

+ {

+ name: "auth_time",

+ essential: true,

+ },

+ ],

+ },

+ scopes: ["user.read"],

+ claimsRequest: JSON.stringify(claims),

+import { PublicClientApplication, InteractionType } from "@azure/msal-browser";

+import {

+ MsalInterceptor,

+ MsalModule,

+ MsalRedirectComponent,

+} from "@azure/msal-angular";

+ declarations: [

+ // ...

+ ],

+ imports: [

+ // ...

+ MsalModule.forRoot(

+ new PublicClientApplication({

+ auth: {

+ clientId: "Enter_the_Application_Id_Here",

+ },

+ cache: {

+ cacheLocation: "localStorage",

+ storeAuthStateInCookie: isIE,

+ },

+ }),

+ {

+ interactionType: InteractionType.Redirect,

+ authRequest: {

+ scopes: ["user.read"],

+ },

+ },

+ {

+ interactionType: InteractionType.Redirect,

+ protectedResourceMap: new Map([

+ ["https://graph.microsoft.com/v1.0/me", ["user.read"]],

+ ]),

+ }

+ ),

+ ],

+ providers: [

+ {

+ provide: HTTP_INTERCEPTORS,

+ useClass: MsalInterceptor,

+ multi: true,

+ },

+ ],

+ bootstrap: [AppComponent, MsalRedirectComponent],

+export class AppModule {}

+import {

+ InteractionRequiredAuthError,

+ InteractionStatus,

+} from "@azure/msal-browser";

+ const { instance, inProgress, accounts } = useMsal();

+ const [apiData, setApiData] = useState(null);

+ useEffect(() => {

+ const accessTokenRequest = {

+ scopes: ["user.read"],

+ account: accounts[0],

+ };

+ if (!apiData && inProgress === InteractionStatus.None) {

+ instance

+ .acquireTokenSilent(accessTokenRequest)

+ .then((accessTokenResponse) => {

+ // Acquire token silent success

+ let accessToken = accessTokenResponse.accessToken;

+ // Call your API with token

+ callApi(accessToken).then((response) => {

+ setApiData(response);

+ });

+ })

+ .catch((error) => {

+ if (error instanceof InteractionRequiredAuthError) {

+ instance.acquireTokenRedirect(accessTokenRequest);

+ }

+ console.log(error);

+ });

+ }

+ }, [instance, accounts, inProgress, apiData]);

+ return <p>Return your protected content here: {apiData}</p>;

+ return (

+ <AuthenticatedTemplate>

+ <ProtectedComponent />

+ </AuthenticatedTemplate>

+ );

+Alternatively, if you need to acquire a token outside of a React component you can call `acquireTokenSilent` but shouldn't fall back to interaction if it fails. All interactions should take place underneath the `MsalProvider` component in your component tree.

+ scopes: ["user.read"],

+ account: account,

+};

+publicClientApplication

+ .acquireTokenSilent(accessTokenRequest)

+ .then(function (accessTokenResponse) {

+ })

+ .catch(function (error) {

+ });

+The order of the parts within an expression is important to avoid syntax errors.

+| city |Any string value or *null* | user.city -eq "value" |

+| country |Any string value or *null* | user.country -eq "value" |

+| companyName | Any string value or *null* | user.companyName -eq "value" |

+| department |Any string value or *null* | user.department -eq "value" |

+| displayName |Any string value | user.displayName -eq "value" |

+| employeeId |Any string value | user.employeeId -eq "value"<br>user.employeeId -ne *null* |

+| facsimileTelephoneNumber |Any string value or *null* | user.facsimileTelephoneNumber -eq "value" |

+| givenName |Any string value or *null* | user.givenName -eq "value" |

+| jobTitle |Any string value or *null* | user.jobTitle -eq "value" |

+| mail |Any string value or *null* (SMTP address of the user) | user.mail -eq "value" |

+| mailNickName |Any string value (mail alias of the user) | user.mailNickName -eq "value" |

+| memberOf | Any string value (valid group object ID) | user.memberof -any (group.objectId -in ['value']) |

+| mobile |Any string value or *null* | user.mobile -eq "value" |

+| objectId |GUID of the user object | user.objectId -eq "11111111-1111-1111-1111-111111111111" |

+| onPremisesDistinguishedName (preview)| Any string value or *null* | user.onPremisesDistinguishedName -eq "value" |

+| onPremisesSecurityIdentifier | On-premises security identifier (SID) for users who were synchronized from on-premises to the cloud. | user.onPremisesSecurityIdentifier -eq "S-1-1-11-1111111111-1111111111-1111111111-1111111" |

+| passwordPolicies |None<br>DisableStrongPassword<br>DisablePasswordExpiration<br>DisablePasswordExpiration, DisableStrongPassword | user.passwordPolicies -eq "DisableStrongPassword" |

+| physicalDeliveryOfficeName |Any string value or *null* | user.physicalDeliveryOfficeName -eq "value" |

+| postalCode |Any string value or *null* | user.postalCode -eq "value" |

+| preferredLanguage |ISO 639-1 code | user.preferredLanguage -eq "en-US" |

+| sipProxyAddress |Any string value or *null* | user.sipProxyAddress -eq "value" |

+| state |Any string value or *null* | user.state -eq "value" |

+| streetAddress |Any string value or *null* | user.streetAddress -eq "value" |

+| surname |Any string value or *null* | user.surname -eq "value" |

+| telephoneNumber |Any string value or *null* | user.telephoneNumber -eq "value" |

+| usageLocation |Two lettered country/region code | user.usageLocation -eq "US" |

+| userPrincipalName |Any string value | user.userPrincipalName -eq "alias@domain" |

+| userType |member guest *null* | user.userType -eq "Member" |

+| Properties | Allowed values | Example |

+| otherMails |Any string value | user.otherMails -contains "alias@domain" |

+| proxyAddresses |SMTP: alias@domain smtp: alias@domain | user.proxyAddresses -contains "SMTP: alias@domain" |

+`Da`, `Dav`, `David` evaluate to true, aDa evaluates to false.

+`David` evaluates to true, `Da` evaluates to false.

+The following expression selects all users who have no assigned service plan:

+ accountEnabled | true false | device.accountEnabled -eq true

+ displayName | any string value | device.displayName -eq "Rob iPhone"

+ deviceOSType | any string value | (device.deviceOSType -eq "iPad") -or (device.deviceOSType -eq "iPhone")<br>device.deviceOSType -contains "AndroidEnterprise"<br>device.deviceOSType -eq "AndroidForWork"<br>device.deviceOSType -eq "Windows"

+ deviceOSVersion | any string value | device.deviceOSVersion -eq "9.1"<br>device.deviceOSVersion -startsWith "10.0.1"

+ deviceCategory | a valid device category name | device.deviceCategory -eq "BYOD"

+ deviceManufacturer | any string value | device.deviceManufacturer -eq "Samsung"

+ deviceModel | any string value | device.deviceModel -eq "iPad Air"

+ deviceOwnership | Personal, Company, Unknown | device.deviceOwnership -eq "Company"

+ enrollmentProfileName | Apple Device Enrollment Profile name, Android Enterprise Corporate-owned dedicated device Enrollment Profile name, or Windows Autopilot profile name | device.enrollmentProfileName -eq "DEP iPhones"

+ isRooted | true false | device.isRooted -eq true

+ managementType | MDM (for mobile devices) | device.managementType -eq "MDM"

+ memberOf | Any string value (valid group object ID) | device.memberof -any (group.objectId -in ['value'])

+ deviceId | a valid Azure AD device ID | device.deviceId -eq "d4fe7726-5966-431c-b3b8-cddc8fdb717d"

+ objectId | a valid Azure AD object ID | device.objectId -eq "76ad43c9-32c5-45e8-a272-7b58b58f596d"

+ devicePhysicalIds | any string value used by Autopilot, such as all Autopilot devices, OrderID, or PurchaseOrderID | device.devicePhysicalIDs -any _ -contains "[ZTDId]"<br>(device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881"<br>(device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342"

+ systemLabels | any string matching the Intune device property for tagging Modern Workplace devices | device.systemLabels -contains "M365Managed"

+> [!NOTE]

+> B2B direct connect is not supported for collaboration with Azure AD tenants in a different Microsoft cloud.

+> [!NOTE]

+> B2B direct connect is not supported for collaboration with Azure AD tenants in a different Microsoft cloud.

+To access identity secure score, you must be assigned one of the following roles in Azure Active Directory.

+#### Read and write roles

+With read and write access, you can make changes and directly interact with identity secure score.

+* Global administrator

+* Security administrator

+* Exchange administrator

+* SharePoint administrator

+#### Read-only roles

+With read-only access, you aren't able to edit status for an improvement action.

+* Helpdesk administrator

+* User administrator

+* Service support administrator

+* Security reader

+* Security operator

+* Global reader

+The Azure AD Connect server must be treated as a Tier 0 component as documented in the [Active Directory administrative tier model](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material). We recommend hardening the Azure AD Connect server as a Control Plane asset by following the guidance provided in [Secure Privileged Access](/security/compass/overview)

+- We recommend hardening the Azure AD Connect server as a Control Plane (formerly Tier 0) asset by following the guidance provided in [Secure Privileged Access](/security/compass/overview) and [Active Directory administrative tier model](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material).

+- [AWS](../saas-apps/aws-clientvpn-tutorial.md)

+- [Check Point](../saas-apps/check-point-remote-access-vpn-tutorial.md)

+As an IT admin, you need powerful tools to turn the data about your Azure AD tenant into a visual representation that enables you to understand how your identity management environment is doing. Azure Monitor workbooks are an example for such a tool.

+This article gives you an overview of how you can use Azure Monitor workbooks for Azure Active Directory reports to analyze your Azure AD tenant.

+## What it is

+Azure AD tracks all activities in your Azure AD in the activity logs. The data in your Azure AD logs enables you to assess how your Azure AD is doing. The Azure Active Directory portal gives you access to three activity logs:

+- **[Sign-ins](concept-sign-ins.md)** ΓÇô Information about sign-ins and how your resources are used by your users.

+- **[Audit](concept-audit-logs.md)** ΓÇô Information about changes applied to your tenant such as users and group management or updates applied to your tenantΓÇÖs resources.

+- **[Provisioning](concept-provisioning-logs.md)** ΓÇô Activities performed by the provisioning service, such as the creation of a group in ServiceNow or a user imported from Workday.

+Using the access capabilities provided by the Azure portal, you can review the information that is tracked in your activity logs. This option is helpful if you need to do a quick investigation of an event with a limited scope. For example, a user had trouble signing in during a period of a few hours. In this scenario, reviewing the recent records of this user in the sign-in logs can help to shed light on this issue.

+For one-off investigations with a limited scope, the Azure portal is often the easiest way to find the data you need. However, there are also business problems requiring a more complex analysis of the data in your activity logs. This is, for example, true if you're watching for trends in signals of interest. One common example for a scenario that requires a trend analysis is related to blocking legacy authentication in your Azure AD tenant.

+Azure AD supports several of the most widely used authentication and authorization protocols including legacy authentication. Legacy authentication refers to basic authentication, a widely used industry-standard method for collecting user name and password information. Examples of applications that commonly or only use legacy authentication are:

+- Microsoft Office 2013 or older.

+- Apps using mail protocols like POP, IMAP, and SMTP AUTH.

+Typically, legacy authentication clients can't enforce any type of second factor authentication. However, multi-factor authentication (MFA) is a common requirement in many environments to provide a high level of protection.

+How can you determine whether it is safe to block legacy authentication in an environment? Answering this question requires an analysis of the sign-ins in your environment for a certain timeframe. This is a scenario where Azure Monitor workbooks can help you.

+Workbooks provide a flexible canvas for data analysis and the creation of rich visual reports within the Azure portal. They allow you to tap into multiple data sources from across Azure, and combine them into unified interactive experiences.

+With Azure Monitor workbooks, you can:

+- Query data from multiple sources in Azure

+- Visualize data for reporting and analysis

+- Combine multiple elements into a single interactive experience

+For more information, see [Azure Monitor workbooks](../../azure-monitor/visualize/workbooks-overview.md).

+## How does it help me?

+Common scenarios for using workbooks include:

+- Get shareable, at-a-glance summary reports about your Azure AD tenant, and build your own custom reports.

+- Find and diagnose sign-in failures, and get a trending view of your organization's sign-in health.

+- Monitor Azure AD logs for sign-ins, tenant administrator actions, provisioning, and risk together in a flexible, customizable format.

+- Watch trends in your tenantΓÇÖs usage of Azure AD features such as conditional access, self-service password reset, and more.

+- Know who's using legacy authentications to sign in to your environment.

+- Understand the effect of your conditional access policies on your users' sign-in experience.

+## Who should use it?

+Typical personas for workbooks are:

+- **Reporting admin** - Someone who is responsible for creating reports on top of the available data and workbook templates

+- **Tenant admins** - People who use the available reports to get insight and take action.

+- **Workbook template builder** - Someone who ΓÇ£graduatesΓÇ¥ from the role of reporting admin by turning a workbook into a template for others with similar needs to use as a basis for creating their own workbooks.

+## How to use it

+All workbooks are stored in the workbook [gallery](../../azure-monitor/visualize/workbooks-overview.md#gallery)

+You have two options for working with workbooks:

+- Create a new workbook from scratch

+- Start with an existing workbook template from the gallery

+By using an already existing template from the gallery, you can benefit from the work others have already invested into solving the same business problem as you.

+## Prerequisites

+To use Monitor workbooks, you need:

+- An Azure Active Directory tenant with a premium (P1 or P2) license. Learn how to [get a premium license](../fundamentals/active-directory-get-started-premium.md).

+- A [Log Analytics workspace](../../azure-monitor/logs/quick-create-workspace.md).

+- [Access](../../azure-monitor/logs/manage-access.md#azure-rbac) to the log analytics workspace

+- Following roles in Azure Active Directory (if you are accessing Log Analytics through Azure Active Directory portal)

+ - Security administrator

+ - Security reader

+ - Report reader

+ - Global administrator

+## Roles

+To access workbooks in Azure Active Directory, you must have access to the underlying [Log Analytics workspace](../../azure-monitor/logs/manage-access.md#azure-rbac) and be assigned to one of the following roles:

+- Global Reader

+- Reports Reader

+- Security Reader

+- Application Administrator

+- Cloud Application Administrator

+- Company Administrator

+- Security Administrator

+## Workbook access

+To access workbooks:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate to **Azure Active Directory** > **Monitoring** > **Workbooks**.

+1. Select a report or template, or on the toolbar select **Open**.

+

+- Many email protocols that once relied on legacy authentication now support more secure modern authentication methods. If you see legacy email authentication protocols in this workbook, consider migrating to modern authentication for email instead. For more information, see [Deprecation of Basic authentication in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online).

+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Atlassian Cloud.

+documentationcenter: ''

+writer: Thwimmer

+ms.assetid: 53b804ba-b632-4c4b-a77e-ec6468536898

+ms.devlang: na

+This tutorial describes the steps you need to perform in both Atlassian Cloud and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Atlassian Cloud](https://www.atlassian.com/cloud) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+* Make sure you're an admin for an Atlassian organization. See [Organization administration.](https://support.atlassian.com/organization-administration/docs/explore-an-atlassian-organization).

+* Verify one or more or your domains in your organization. See [Domain verification](https://support.atlassian.com/user-management/docs/verify-a-domain-to-manage-accounts).

+* Subscribe to Atlassian Access from your organization. See [Atlassian Access security policies and features](https://support.atlassian.com/security-and-access-policies/docs/understand-atlassian-access).

+* Make sure you're an admin for at least one Jira or Confluence site that you want to grant synced users access to.

+ > [!NOTE]

+ > This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.

+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. Determine what data to [map between Azure AD and Atlassian Cloud](../app-provisioning/customize-application-attributes.md).

+1. Navigate to [Atlassian Admin Console](http://admin.atlassian.com/). Select your organization if you have more than one.

+1. Select **Settings > User provisioning**.

+ 

+1. Select **Create a directory**.

+1. Enter a name to identify the user directory, for example Azure AD users, then select **Create**.

+ 

+1. Copy the values for **Directory base URL** and **API key**. You'll need those for your identity provider configuration later.

+ > [!NOTE]

+ > Make sure you store these values in a safe place, as we won't show them to you again.

+ 

+ Users and groups will automatically be provisioned to your organization. See the [user provisioning](https://support.atlassian.com/provisioning-users/docs/understand-user-provisioning) page for more details on how your users and groups sync to your organization.

+Copy the **URL** and **Token**. The URL and the Token are to be inserted into the **Tenant URL** and **Secret Token** field in the Azure portal respectively.

+ Title: 'Tutorial: Azure AD SSO integration with Planview LeanKit'

+description: Learn how to configure single sign-on between Azure Active Directory and Planview LeanKit.

+# Tutorial: Azure AD SSO integration with Planview LeanKit

+In this tutorial, you'll learn how to integrate Planview LeanKit with Azure Active Directory (Azure AD). When you integrate Planview LeanKit with Azure AD, you can:

+* Control in Azure AD who has access to Planview LeanKit.

+* Enable your users to be automatically signed-in to Planview LeanKit with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Planview LeanKit single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Planview LeanKit supports **SP** and **IDP** initiated SSO.

+## Add Planview LeanKit from the gallery

+To configure the integration of Planview LeanKit into Azure AD, you need to add Planview LeanKit from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Planview LeanKit** in the search box.

+1. Select **Planview LeanKit** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Planview LeanKit

+Configure and test Azure AD SSO with Planview LeanKit using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Planview LeanKit.

+To configure and test Azure AD SSO with Planview LeanKit, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Planview LeanKit SSO](#configure-planview-leankit-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Planview LeanKit test user](#create-planview-leankit-test-user)** - to have a counterpart of B.Simon in Planview LeanKit that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Planview LeanKit** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using the following pattern:

+ `https://<HostName>.leankit.com`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://<HostName>.leankit.com/Account/Membership/ExternalLogin`

+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:

+ In the **Sign on URL** text box, type a URL using the following pattern:

+ `https://<HostName>.leankit.com/login`

+ > [!Note]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Planview LeanKit support team](mailto:support@leankit.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Planview LeanKit** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Planview LeanKit.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Planview LeanKit**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Planview LeanKit SSO

+To configure single sign-on on **Planview LeanKit** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Planview LeanKit support team](mailto:support@leankit.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Planview LeanKit test user

+In this section, you create a user called Britta Simon in Planview LeanKit. Work with [Planview LeanKit support team](mailto:support@leankit.com) to add the users in the Planview LeanKit platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Planview LeanKit Sign on URL where you can initiate the login flow.

+* Go to Planview LeanKit Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Planview LeanKit for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Planview LeanKit tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Planview LeanKit for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Planview LeanKit you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+> [!Note]

+> Microsoft uses v28 of the Salesforce API for automatic provisioning. Microsoft is aware of the upcoming deprecation of v21 through v30 and is working with Salesforce to migrate to a supported version prior to the deprecation date. No customer action is required.

+>

+ Title: 'Tutorial: Azure AD SSO integration with Skillcast'

+description: Learn how to configure single sign-on between Azure Active Directory and Skillcast.

+# Tutorial: Azure AD SSO integration with Skillcast

+In this tutorial, you'll learn how to integrate Skillcast with Azure Active Directory (Azure AD). When you integrate Skillcast with Azure AD, you can:

+* Control in Azure AD who has access to Skillcast.

+* Enable your users to be automatically signed-in to Skillcast with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Skillcast single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Skillcast supports **SP** initiated SSO.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add Skillcast from the gallery

+To configure the integration of Skillcast into Azure AD, you need to add Skillcast from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Skillcast** in the search box.

+1. Select **Skillcast** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Skillcast

+Configure and test Azure AD SSO with Skillcast using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Skillcast.

+To configure and test Azure AD SSO with Skillcast, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Skillcast SSO](#configure-skillcast-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Skillcast test user](#create-skillcast-test-user)** - to have a counterpart of B.Simon in Skillcast that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Skillcast** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type the value:

+ `Skillcast-SP`

+ b. In the **Reply URL** textbox, type the URL:

+ `https://saml.e-learningportal.com/easyconnect/ACS/Post.aspx`

+ c. In the **Sign-on URL** text box, type a URL using the following pattern:

+ `http://<subdomain>.e-learningportal.com`

+ > [!Note]

+ > The value is not real. Update the value with the actual Sign-On URL. Contact [Skillcast Customer Success Team](https://support.skillcast.com/hc/en-gb/requests/new) to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Skillcast.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Skillcast**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Skillcast SSO

+To configure single sign-on on **Skillcast** side, you need to send the **App Federation Metadata Url** to [Skillcast Customer Success Team](https://support.skillcast.com/hc/en-gb/requests/new). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Skillcast test user

+In this section, you create a user called Britta Simon in Skillcast. Work with [Skillcast Customer Success Team](https://support.skillcast.com/hc/en-gb/requests/new) to add the users in the Skillcast platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Skillcast Sign-on URL where you can initiate the login flow.

+* Go to Skillcast Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Skillcast tile in the My Apps, this will redirect to Skillcast Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Skillcast you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+- [Resize disk PV without downtime(Preview)](#resize-a-persistent-volume-without-downtime-preview)

+## Resize a persistent volume without downtime (Preview)

+> [!IMPORTANT]

+> Azure disk CSI driver supports resizing PVCs without downtime.

+> Follow this [link][expand-an-azure-managed-disk] to register the disk online resize feature.

+This article assumes that you have an existing AKS cluster with 1.21 or later version. If you need an AKS cluster, see the AKS quickstart [using the Azure CLI][aks-quickstart-cli], [using Azure PowerShell][aks-quickstart-powershell], or [using the Azure portal][aks-quickstart-portal].

+* The *managed-csi-premium* storage class provisions a premium Azure disk.

+default (default) disk.csi.azure.com 1h

+managed-csi disk.csi.azure.com 1h

+Create a file named `azure-pvc.yaml`, and copy in the following manifest. The claim requests a disk named `azure-managed-disk` that is *5GB* in size with *ReadWriteOnce* access. The *managed-csi* storage class is specified as the storage class.

+ storageClassName: managed-csi

+> To create a disk that uses premium storage, use `storageClassName: managed-csi-premium` rather than *managed-csi*.

+Create the persistent volume claim with the [kubectl apply][kubectl-apply] command and specify your *azure-pvc.yaml* file:

+$ kubectl apply -f azure-pvc.yaml

+[use-tags]: use-tags.md

+This article assumes that you have an existing AKS cluster with 1.21 or later version. If you need an AKS cluster, see the AKS quickstart [using the Azure CLI][aks-quickstart-cli], [using Azure PowerShell][aks-quickstart-powershell], or [using the Azure portal][aks-quickstart-portal].

+> [!IMPORTANT]

+> Ensure that your AKS cluster is created with a managed identity, as cluster extensions won't work with service principal-based clusters.

+>

+> For new clusters created with `az aks create`, managed identity is configured by default. For existing service principal-based clusters that need to be switched over to managed identity, it can be enabled by running `az aks update` with the `--enable-managed-identity` flag. For more information, see [Use managed identity][use-managed-identity].

+[use-managed-identity]: ./use-managed-identity.md

+[arc-k8s-regions]: https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc&regions=all

+ Title: Container Storage Interface (CSI) drivers on Azure Kubernetes Service (AKS)

+description: Learn about and deploy the Container Storage Interface (CSI) drivers for Azure disks and Azure Files in an Azure Kubernetes Service (AKS) cluster

+# Container Storage Interface (CSI) drivers on Azure Kubernetes Service (AKS)

+ - [**Azure disks**](azure-disk-csi.md) can be used to create a Kubernetes *DataDisk* resource. Disks can use Azure Premium Storage, backed by high-performance SSDs, or Azure Standard Storage, backed by regular HDDs or Standard SSDs. For most production and development workloads, use Premium Storage. Azure disks are mounted as *ReadWriteOnce*, which makes it available to one node in AKS. For storage volumes that can be accessed by multiple pods simultaneously, use Azure Files.

+ - [**Azure Files**](azure-files-csi.md) can be used to mount an SMB 3.0/3.1 share backed by an Azure storage account to pods. With Azure Files, you can share data across multiple nodes and pods. Azure Files can use Azure Standard storage backed by regular HDDs or Azure Premium storage backed by high-performance SSDs.

+>

+> *In-tree drivers* refers to the storage drivers that are part of the core Kubernetes code opposed to the CSI drivers, which are plug-ins.

+> Azure disks CSI driver v2 (preview) improves scalability and reduces pod failover latency. It uses shared disks to provision attachment replicas on multiple cluster nodes and integrates with the pod scheduler to ensure a node with an attachment replica is chosen on pod failover. Azure disks CSI driver v2 (preview) also provides the ability to fine tune performance. If you're interested in participating in the preview, submit a request: [https://aka.ms/DiskCSIv2Preview](https://aka.ms/DiskCSIv2Preview). This preview version is provided without a service level agreement, and you can occasionally expect breaking changes while in preview. The preview version isn't recommended for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+> [!NOTE]

+> AKS provides the option to enable and disable the CSI drivers (preview) on new and existing clusters. CSI drivers are enabled by default on new clusters. You should verify that there are no existing Persistent Volumes created by Azure disks and Azure Files CSI drivers and that there is not any existing VolumeSnapshot, VolumeSnapshotClass or VolumeSnapshotContent resources before running this command on existing cluster. This preview version is provided without a service level agreement, and you can occasionally expect breaking changes while in preview. The preview version isn't recommended for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+## Prerequisites

+* An Azure subscription. If you don't have an Azure subscription, you can create a [free account](https://azure.microsoft.com/free).

+* [Azure CLI installed](/cli/azure/install-azure-cli).

+### Install the `aks-preview` Azure CLI

+You also need the *aks-preview* Azure CLI extension version 0.5.78 or later. Install the *aks-preview* Azure CLI extension by using the [az extension add][az-extension-add] command. Or install any available updates by using the [az extension update][az-extension-update] command.

+```azurecli-interactive

+# Install the aks-preview extension

+az extension add --name aks-preview

+# Update the extension to make sure you have the latest version installed

+az extension update --name aks-preview

+```

+## Disable CSI storage drivers on a new cluster

+`--disable-disk-driver` allows you disable the CSI driver for [Azure disks][azure-disk-csi]. `--disable-file-driver` allows you to disable the CSI driver for [Azure Files][azure-files-csi]. `--disable-snapshot-controller` allows you to disable the [snapshot controller][snapshot-controller ].

+To disable CSI storage drivers on a new cluster, use `--disable-disk-driver`, `--disable-file-driver`, and `--disable-snapshot-controller`.

+```azurecli-interactive

+az aks create -n myAKSCluster -g myResourceGroup --disable-disk-driver --disable-file-driver --disable-snapshot-controller

+```

+## Disable CSI storage drivers on an existing cluster

+To disable CSI storage drivers on an existing cluster, use `--disable-disk-driver`, `--disable-file-driver`, and `--disable-snapshot-controller`.

+```azurecli-interactive

+az aks update -n myAKSCluster -g myResourceGroup --disable-disk-driver --disable-file-driver --disable-snapshot-controller

+```

+## Enable CSI storage drivers on an existing cluster

+`--enable-disk-driver` allows you enable the CSI driver for [Azure disks][azure-disk-csi]. `--enable-file-driver` allows you to enable the CSI driver for [Azure Files][azure-files-csi]. `--enable-snapshot-controller` allows you to enable the [snapshot controller][snapshot-controller].

+To enable CSI storage drivers on an existing cluster with CSI storage drivers disabled, use `--enable-disk-driver`, `--enable-file-driver`, and `--enable-snapshot-controller`.

+```azurecli-interactive

+az aks update -n myAKSCluster -g myResourceGroup --enable-disk-driver --enable-file-driver --enable-snapshot-controller

+```

+## Migrate custom in-tree storage classes to CSI

+Migrating these storage classes involves deleting the existing ones, and re-creating them with the provisioner set to **disk.csi.azure.com** if using Azure disks, and **files.csi.azure.com** if using Azure Files.

+The CSI storage system supports the same features as the In-tree drivers, so the only change needed would be the provisioner.

+> kubectl patch pv pv-azuredisk --type merge --patch '{"spec": {"persistentVolumeReclaimPolicy": "Retain"}}'

+If you have in-tree Azure disks persistent volumes, get `diskURI` from in-tree persistent volumes and then follow this [guide][azure-disk-static-mount] to set up CSI driver persistent volumes

+If you have in-tree Azure File persistent volumes, get `secretName`, `shareName` from in-tree persistent volumes and then follow this [guide][azure-file-static-mount] to set up CSI driver persistent volumes

+[azure-disk-csi]: https://github.com/kubernetes-sigs/azuredisk-csi-driver

+[azure-files-csi]: https://github.com/kubernetes-sigs/azurefile-csi-driver

+[snapshot-controller]: https://kubernetes-csi.github.io/docs/snapshot-controller.html

+ Title: Install the Kubernetes Event-driven Autoscaling (KEDA) add-on by using an ARM template

+# Install the Kubernetes Event-driven Autoscaling (KEDA) add-on by using ARM template

+## Install the KEDA add-on with Azure Resource Manager (ARM) templates

+If you use the Azure Cloud Shell, `kubectl` is already installed. You can also install it locally using the [az aks install-cli][] command:

+To configure `kubectl` to connect to your Kubernetes cluster, use the [az aks get-credentials][] command. The following example gets credentials for the AKS cluster named *MyAKSCluster* in the *MyResourceGroup*:

+To remove the resource group, and all related resources, use the [Az PowerShell module group delete][az-group-delete] command:

+### Enabling add-on on clusters with self-managed open-source KEDA installations

+While Kubernetes only allows one metric server to be installed, you can in theory install KEDA multiple times. However, it isn't recommended given only one installation will work.

+When the KEDA add-on is installed in an AKS cluster, the previous installation of open-source KEDA will be overridden and the add-on will take over.

+This means that the customization and configuration of the self-installed KEDA deployment will get lost and no longer be applied.

+While there's a possibility that the existing autoscaling will keep on working, there's a risk given it will be configured differently and won't support features such as managed identity.

+It's recommended to uninstall existing KEDA installations before enabling the KEDA add-on given the installation will succeed without any error.

+Following error will be thrown in the operator logs but the installation of KEDA add-on will be completed.

+Error logged in now-suppressed non-participating KEDA operator pod:

+the error logged inside the already installed KEDA operator logs.

+E0520 11:51:24.868081 1 leaderelection.go:330] error retrieving resource lock default/operator.keda.sh: config maps "operator.keda.sh" is forbidden: User "system:serviceaccount:default:keda-operator" can't get resource "config maps" in API group "" in the namespace "default"

+ Title: Install the Kubernetes Event-driven Autoscaling (KEDA) add-on by using Azure CLI

+description: Use Azure CLI to deploy the Kubernetes Event-driven Autoscaling (KEDA) add-on to Azure Kubernetes Service (AKS).

+# Install the Kubernetes Event-driven Autoscaling (KEDA) add-on by using Azure CLI

+This article shows you how to install the Kubernetes Event-driven Autoscaling (KEDA) add-on to Azure Kubernetes Service (AKS) by using Azure CLI. The article includes steps to verify that it's installed and running.

+## Prerequisites

+- An Azure subscription. If you don't have an Azure subscription, you can create a [free account](https://azure.microsoft.com/free).

+- [Azure CLI installed](/cli/azure/install-azure-cli).

+### Install the extension `aks-preview`

+

+Install the `aks-preview` extension in the AKS cluster to make sure you have the latest version of AKS extension before installing KEDA add-on.

+```azurecli

+- az extension add --upgrade --name aks-preview

+```

+### Register the `AKS-KedaPreview` feature flag

+To use the KEDA, you must enable the `AKS-KedaPreview` feature flag on your subscription.

+```azurecli

+az feature register --name AKS-KedaPreview --namespace Microsoft.ContainerService

+```

+You can check on the registration status by using the `az feature list` command:

+```azurecli-interactive

+az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AKS-KedaPreview')].{Name:name,State:properties.state}"

+```

+When ready, refresh the registration of the *Microsoft.ContainerService* resource provider by using the `az provider register` command:

+```azurecli-interactive

+az provider register --namespace Microsoft.ContainerService

+```

+## Install the KEDA add-on with Azure CLI

+To install the KEDA add-on, use `--enable-keda` when creating or updating a cluster.

+The following example creates a *myResourceGroup* resource group. Then it creates a *myAKSCluster* cluster with the KEDA add-on.

+```azurecli-interactive

+az group create --name myResourceGroup --location eastus

+az aks create \

+ --resource-group myResourceGroup \

+ --name myAKSCluster \

+ --enable-keda

+```

+For existing clusters, use `az aks update` with `--enable-keda` option. The following code shows an example.

+```azurecli-interactive

+az aks update \

+ --resource-group myResourceGroup \

+ --name myAKSCluster \

+ --enable-keda

+```

+## Get the credentials for your cluster

+Get the credentials for your AKS cluster by using the `az aks get-credentials` command. The following example command gets the credentials for *myAKSCluster* in the *myResourceGroup* resource group:

+```azurecli-interactive

+az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

+```

+## Verify that the KEDA add-on is installed on your cluster

+To see if the KEDA add-on is installed on your cluster, verify that the `enabled` value is `true` for `keda` under `workloadAutoScalerProfile`.

+The following example shows the status of the KEDA add-on for *myAKSCluster* in *myResourceGroup*:

+```azurecli-interactive

+az aks show -g "myResourceGroup" --name myAKSCluster --query "workloadAutoScalerProfile.keda.enabled"

+```

+## Verify that KEDA is running on your cluster

+You can verify KEDA that's running on your cluster. Use `kubectl` to display the operator and metrics server installed in the AKS cluster under kube-system namespace. For example:

+```azurecli-interactive

+kubectl get pods -n kube-system

+```

+The following example output shows that the KEDA operator and metrics API server are installed in the AKS cluster along with its status.

+```output

+kubectl get pods -n kube-system

+keda-operator-********-k5rfv 1/1 Running 0 43m

+keda-operator-metrics-apiserver-*******-sj857 1/1 Running 0 43m

+```

+To verify the version of your KEDA, use `kubectl get crd/scaledobjects.keda.sh -o yaml `. For example:

+```azurecli-interactive

+kubectl get crd/scaledobjects.keda.sh -o yaml

+```

+The following example output shows the configuration of KEDA in the `app.kubernetes.io/version` label:

+```yaml

+kind: CustomResourceDefinition

+metadata:

+ annotations:

+ controller-gen.kubebuilder.io/version: v0.8.0

+ creationTimestamp: "2022-06-08T10:31:06Z"

+ generation: 1

+ labels:

+ addonmanager.kubernetes.io/mode: Reconcile

+ app.kubernetes.io/component: operator

+ app.kubernetes.io/name: keda-operator

+ app.kubernetes.io/part-of: keda-operator

+ app.kubernetes.io/version: 2.7.0

+ name: scaledobjects.keda.sh

+ resourceVersion: "2899"

+ uid: 85b8dec7-c3da-4059-8031-5954dc888a0b

+spec:

+ conversion:

+ strategy: None

+ group: keda.sh

+ names:

+ kind: ScaledObject

+ listKind: ScaledObjectList

+ plural: scaledobjects

+ shortNames:

+ - so

+ singular: scaledobject

+ scope: Namespaced

+ # Redacted for simplicity

+ ```

+While KEDA provides various customization options, the KEDA add-on currently provides basic common configuration.

+If you have requirement to run with another custom configurations, such as namespaces that should be watched or tweaking the log level, then you may edit the KEDA YAML manually and deploy it.

+However, when the installation is customized there will no support offered for custom configurations.

+## Disable KEDA add-on from your AKS cluster

+When you no longer need KEDA add-on in the cluster, use the `az aks update` command with--disable-keda option. This execution will disable KEDA workload auto-scaler.

+```azurecli-interactive

+az aks update \

+ --resource-group myResourceGroup \

+ --name myAKSCluster \

+ --disable-keda

+```

+### Enabling add-on on clusters with self-managed open-source KEDA installations

+While Kubernetes only allows one metric server to be installed, you can in theory install KEDA multiple times. However, it isn't recommended given only one installation will work.

+When the KEDA add-on is installed in an AKS cluster, the previous installation of open-source KEDA will be overridden and the add-on will take over.

+This means that the customization and configuration of the self-installed KEDA deployment will get lost and no longer be applied.

+While there's a possibility that the existing autoscaling will keep on working, there's a risk given it will be configured differently and won't support features such as managed identity.

+It's recommended to uninstall existing KEDA installations before enabling the KEDA add-on given the installation will succeed without any error.

+Following error will be thrown in the operator logs but the installation of KEDA add-on will be completed.

+Error logged in now-suppressed non-participating KEDA operator pod:

+the error logged inside the already installed KEDA operator logs.

+E0520 11:51:24.868081 1 leaderelection.go:330] error retrieving resource lock default/operator.keda.sh: config maps "operator.keda.sh" is forbidden: User "system:serviceaccount:default:keda-operator" can't get resource "config maps" in API group "" in the namespace "default"

+## Next steps

+This article showed you how to install the KEDA add-on on an AKS cluster using Azure CLI. The steps to verify that KEDA add-on is installed and running are included. With the KEDA add-on installed on your cluster, you can [deploy a sample application][keda-sample] to start scaling apps.

+[az-aks-create]: /cli/azure/aks#az-aks-create

+[az aks install-cli]: /cli/azure/aks#az-aks-install-cli

+[az aks get-credentials]: /cli/azure/aks#az-aks-get-credentials

+[az aks update]: /cli/azure/aks#az-aks-update

+[az-group-delete]: /cli/azure/group#az-group-delete

+[kubectl]: https://kubernetes.io/docs/user-guide/kubectl

+[keda]: https://keda.sh/

+[keda-scalers]: https://keda.sh/docs/scalers/

+[keda-sample]: https://github.com/kedacore/sample-dotnet-worker-servicebus-queue

+> Integrations with open source projects aren't covered by the [AKS support policy][aks-support-policy].

+Ingress allows for traffic external to the mesh to be routed to services within the mesh. With OSM, you can configure most ingress solutions to work with your mesh, but OSM works best with [Web Application Routing][web-app-routing], [NGINX ingress][osm-nginx], or [Contour ingress][osm-contour]. Open source projects integrating with OSM, including NGINX ingress and Contour ingress, aren't covered by the [AKS support policy][aks-support-policy].

+Using [Azure Gateway Ingress Controller (AGIC)][agic] for ingress with OSM isn't supported and not recommended.

+Observability of metrics allows you to view the metrics of your mesh and the deployments in your mesh. With OSM, you can use [Prometheus and Grafana][osm-metrics] for metrics observability, but those integrations aren't covered by the [AKS support policy][aks-support-policy].

+OSM can integrate with certain automation projects and developer tooling to help operators and developers build and release applications. For example, OSM integrates with [Flagger][osm-flagger] for progressive delivery and [Dapr][osm-dapr] for building applications. OSM's integration with Flagger and Dapr aren't covered by the [AKS support policy][aks-support-policy].

+External authorization allows you to offload authorization of HTTP requests to an external service. OSM can use external authorization by integrating with [Open Policy Agent (OPA)][osm-opa], but that integration isn't covered by the [AKS support policy][aks-support-policy].

+OSM has several types of certificates it uses to operate on your AKS cluster. OSM includes its own certificate manager called [Tresor][osm-tresor], which is used by default. Alternatively, OSM allows you to integrate with [Hashicorp Vault][osm-hashi-vault] and [cert-manager][osm-cert-manager], but those integrations aren't covered by the [AKS support policy][aks-support-policy].

+This article explains how to set up VNet connectivity for your API Management instance in the *internal* mode. In this mode, you can only access the following API Management endpoints within a VNet whose access you control.

+Update the NSG security rules that allow the API Management resource provider to communicate with your API Management instance. For detailed instructions on how to manage an NSG, review [Create, change, or delete a network security group] in the Azure Virtual Network documentation.

+[Force tunneling traffic]: ../api-management-using-with-internal-vnet.md#force-tunnel-traffic-to-on-premises-firewall-using-expressroute-or-network-virtual-appliance

+[Create, change, or delete a network security group]: ../../virtual-network/manage-network-security-group.md

+ 

+- [Environment variables and app settings reference](reference-app-settings.md)

+In this article, you add a custom health probe to an existing application gateway through the Azure portal. Azure Application Gateway uses these health probes to monitor the health of the resources in the back-end pool.

+If you don't already have an application gateway, visit [Create an Application Gateway](./quick-create-portal.md) to create an application gateway to work with.

+ |**Host**|i.e contoso.com|This value is the name of the virtual host (different from the VM host name) running on the application server. The probe is sent to \<protocol\>://\<host name\>:\<port\>/\<urlPath\> This can also be the private IP address of the server, or the public IP address, or the DNS entry of the public IP address. The probe will attempt to access the server when used with a file based path entry, and validate a specific file exists on the server as a health check.|

+ |**Pick host name from backend HTTP settings**|Yes or No|Sets the *host* header in the probe to the host name from the HTTP settings to which this probe is associated. Specially required for multi-tenant backends such as Azure app service. [Learn more](./configuration-http-settings.md#pick-host-name-from-back-end-address)|

+ |**Pick port from backend HTTP settings**| Yes or No|Sets the *port* of the health probe to the port from HTTP settings to which this probe is associated. If you choose no, you can enter a custom destination port to use |

+ |**Path**|/ or any valid path|The remainder of the full url for the custom probe. A valid path starts with '/'. For the default path of http:\//contoso.com, just use '/'. You can also input a server path to a file for a static health check instead of web based. File paths should be used while using public / private ip, or public ip dns entry as the hostname entry.|

+ |**Interval (secs)**|30|How often the probe is run to check for health. It isn't recommended to set the lower than 30 seconds.|

+ |**Timeout (secs)**|30|The amount of time the probe waits before timing out. If a valid response isn't received within this time-out period, the probe is marked as failed. The timeout interval needs to be high enough that an http call can be made to ensure the backend health page is available. The time-out value shouldn't be more than the ΓÇÿIntervalΓÇÖ value used in this probe setting or the ΓÇÿRequest timeoutΓÇÖ value in the HTTP setting, which will be associated with this probe.|

+ |**HTTP Settings**|selection from dropdown|Probe will get associated with the HTTP settings selected here and therefore, will monitor the health of that backend pool, which is associated with the selected HTTP setting. It will use the same port for the probe request as the one being used in the selected HTTP setting. You can only choose those HTTP settings, which aren't associated with any other custom probe. <br>The only HTTP settings that are available for association are those that have the same protocol as the protocol chosen in this probe configuration, and have the same state for the *Pick Host Name From Backend HTTP setting* switch.|

+ > The probe will monitor health of the backend only when it's associated with one or more HTTP settings. It will monitor back-end resources of those back-end pools which are associated to the HTTP settings to which this probe is associated with. The probe request will be sent as \<protocol\>://\<hostName\>:\<port\>/\<urlPath\>.

+1. Select **Test** and note the result of the probe. The Application gateway tests the health of all the backend resources in the backend pools associated with the HTTP settings used for this probe.

+ > You can choose to save the probe even with unhealthy backend resources, but it isn't recommended. This is because the Application Gateway will not forward requests to the backend servers from the backend pool, which are determined to be unhealthy by the probe. In case there are no healthy resources in a backend pool, you will not be able to access your application and will get a HTTP 502 error.

+ |**Pick host name from backend HTTP settings**|Yes or No|Sets the *host* header in the probe to the host name of the back-end resource in the back-end pool associated with the HTTP Setting to which this probe is associated. Specially required for multi-tenant backends such as Azure app service. [Learn more](./configuration-http-settings.md#pick-host-name-from-back-end-address)|

+ |**Path**|/ or any valid path|The remainder of the full url for the custom probe. A valid path starts with '/'. For the default path of http:\//contoso.com, just use '/' You can also input a server path to a file for a static health check instead of web based. File paths should be used while using public / private ip, or public ip dns entry as the hostname entry.|

+ |**Interval (secs)**|30|How often the probe is run to check for health. It isn't recommended to set the lower than 30 seconds.|

+ |**Timeout (secs)**|30|The amount of time the probe waits before timing out. If a valid response isn't received within this time-out period, the probe is marked as failed. The timeout interval needs to be high enough that an http call can be made to ensure the backend health page is available. The time-out value shouldn't be more than the ΓÇÿIntervalΓÇÖ value used in this probe setting or the ΓÇÿRequest timeoutΓÇÖ value in the HTTP setting, which will be associated with this probe.|

+ > The host name isn't the same as server name. This value is the name of the virtual host running on the application server. The probe is sent to \<protocol\>://\<hostName\>:\<port from http settings\>/\<urlPath\>

+Now that the probe has been created, it's time to add it to the gateway. Probe settings are set on the backend http settings of the application gateway.

+# Back-end server certificate isn't allow-listed for an application gateway using an Internal Load Balancer with an App Service Environment

+This article troubleshoots the following issue: A certificate isn't allow-listed when you create an application gateway by using an Internal Load Balancer (ILB) together with an App Service Environment (ASE) at the back end when using end-to-end TLS in Azure.

+- **Backend Health:** Unhealthy ΓÇô Backend server certificate isn't allow-listed with Application Gateway.

+When you don't use a host name to access an HTTPS website, the back-end server will return the configured certificate on the default website, in case SNI is disabled. For an ILB ASE, the default certificate comes from the ILB certificate. If there are no configured certificates for the ILB, the certificate comes from the ASE App certificate.

+When you use a fully qualified domain name (FQDN) to access the ILB, the back-end server will return the correct certificate that's uploaded in the HTTP settings. If that isn't the case , consider the following options:

+- Use a wildcard certificate on the ILB and the back-end server, so that for all the websites, the certificate is common. However, this solution is possible only for subdomains and not if each of the websites require different hostnames.

+- Clear the **Use for App service** option for the application gateway in case you're using the IP address of the ILB.

+> * `HttpHeaders`, `InitialDelaySeconds`, `SuccessThreshold` aren't supported.

+If the above probes aren't provided, then the Ingress Controller makes an assumption that the service is reachable on the `Path` specified for `backend-path-prefix` annotation, or the `path` specified in the `ingress` definition for the service.

+For any property that can't be inferred by the readiness/liveness probe, default values are set.

+ - [**Greenfield Deployment**](ingress-controller-install-new.md): If you're starting from scratch, refer to these installation instructions, which outlines steps to deploy an AKS cluster with Application Gateway and install application gateway ingress controller on the AKS cluster.

+- If you want to use HTTPS on this application, you'll need an x509 certificate and its private key.

+The guestbook application is a canonical Kubernetes application that composes of a Web UI frontend, a backend and a Redis database. By default, `guestbook` exposes its application through a service with name `frontend` on port `80`. Without a Kubernetes Ingress Resource, the service isn't accessible from outside the AKS cluster. We'll use the application and setup Ingress Resources to access the application through HTTP and HTTPS.

+In order to expose the guestbook application, we'll be using the following ingress resource:

+Now the `guestbook` application should be available. You can check availability by visiting the public address of the Application Gateway.

+The following ingress will allow you to add other paths into this ingress and redirect those paths to other

+Your [Azure Cloud Shell](https://shell.azure.com/) already has all necessary tools. If you

+choose to use another environment, ensure the following command-line tools are installed:

+Follow the steps below to create an Azure Active Directory (Azure AD) [service principal object](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object). Record the `appId`, `password`, and `objectId` values - these values will be used in the following steps.

+- [Virtual Network](../virtual-network/virtual-networks-overview.md) with two [subnets](../virtual-network/virtual-networks-overview.md)

+- [Managed Identity](../active-directory/managed-identities-azure-resources/overview.md), which will be used by [Azure AD Pod Identity](https://github.com/Azure/aad-pod-identity/blob/master/README.md)

+1. Deploy the Azure Resource Manager template using `az cli`. The deployment might take up to 5 minutes.

+With the instructions in the previous section, we created and configured a new AKS cluster and an Application Gateway. We're now ready to deploy a sample app and an ingress controller to our new Kubernetes infrastructure.

+which we'll use to connect to our new Kubernetes cluster. [Cloud Shell](https://shell.azure.com/) has `kubectl` already installed. We'll use `az` CLI to obtain credentials for Kubernetes.

+### Install Azure AD Pod Identity

+ [Azure AD Pod Identity](https://github.com/Azure/aad-pod-identity) will add the following components to your Kubernetes cluster:

+To install Azure AD Pod Identity to your cluster:

+Kubernetes. We'll use it to install the `application-gateway-kubernetes-ingress` package:

+ - `kubernetes.watchNamespace`: Specify the namespace that AGIC should watch. The namespace value can be a single string value, or a comma-separated list of namespaces.

+ - `armAuth.identityClientID`: The Client ID of the Identity. More information about **identityClientID** is provided below.

+ > The `identityResourceID` and `identityClientID` are values that were created during the [Deploy Components](ingress-controller-install-new.md#deploy-components) steps, and could be obtained again using the following command:

+This section configures your AKS to use [LetsEncrypt.org](https://letsencrypt.org/) and automatically obtain a TLS/SSL certificate for your domain. The certificate will be installed on Application Gateway, which will perform SSL/TLS termination for your AKS cluster. The setup described here uses the [cert-manager](https://github.com/jetstack/cert-manager) Kubernetes add-on, which automates the creation and management of certificates.

+ Create a `ClusterIssuer` resource. It's required by `cert-manager` to represent the `Lets Encrypt` certificate

+ Using the non-namespaced `ClusterIssuer` resource, cert-manager will issue certificates that can be consumed from

+ Ensure your Application Gateway has a public Frontend IP configuration with a DNS name (either using the

+ Your browser may warn you of an invalid certificate authority. The staging certificate is issued by `CN=Fake LE Intermediate X1`. This warning is an indication that the system worked as expected and you're ready for your production certificate.

+ Once your staging certificate is set up successfully you can switch to a production ACME server:

+ Before the `Lets Encrypt` certificate expires, `cert-manager` will automatically update the certificate in the Kubernetes secret store. At that point, Application Gateway Ingress Controller will apply the updated secret referenced in the ingress resources it's using to configure the Application Gateway.

+description: This article provides documentation on how to troubleshoot common questions and issues with the Application Gateway Ingress Controller.

+To verify that the Application Gateway + AKS + AGIC installation is set up correctly, deploy

+Copy and paste all lines at once from the script above into a [Azure Cloud Shell](https://shell.azure.com/). Verify that the entire command is copied - starting with `cat` and including the last `EOF`.

+Get the list of pods with [Cloud Shell](https://shell.azure.com/): `kubectl get pods -o wide`. We expect for a pod named 'test-agic-app-pod' to have been created. It will have an IP address. This address must be within the VNET of the Application Gateway, which is used with AKS.

+Get the list of

+Get the list of the ingresses: `kubectl get ingress`. We expect an Ingress resource named 'test-agic-app-ingress' to have been created. The resource will have a host name 'test.agic.contoso.com'.

+One of the pods will be AGIC. `kubectl get pods` will show a list of pods, one of which will begin with 'ingress-azure'. Get all logs of that pod with `kubectl logs <name-of-ingress-controller-pod>` to verify that we've had a successful deployment. A successful deployment would have added the following lines to the log:

+Alternatively, from [Cloud Shell](https://shell.azure.com/) we can retrieve only the lines indicating successful Application Gateway configuration with `kubectl logs <ingress-azure-....> | grep 'Applied App Gateway config in'`, where `<ingress-azure....>` should be the exact name of the AGIC pod.

+Finally we can use the `cURL` command from within [Cloud Shell](https://shell.azure.com/) to establish an HTTP connection to the newly deployed app:

+The following conditions must be in place for AGIC to function as expected:

+ Verify this configuration from [Cloud Shell](https://shell.azure.com/) with `kubectl get pods -o wide --show-labels`

+ Verify this configuration from [Cloud Shell](https://shell.azure.com/) with `kubectl get services -o wide`

+ Verify this configuration from [Cloud Shell](https://shell.azure.com/) with `kubectl get ingress -o wide --show-labels`

+* Get the existing namespaces in Kubernetes cluster. What namespace is your app running in? Is AGIC watching that namespace? Refer to the [Multiple Namespace Support](./ingress-controller-multiple-namespace-support.md#enable-multiple-namespace-support) documentation on how to properly configure observed namespaces.

+* If the AGIC pod isn't healthy (`STATUS` column from the command above isn't `Running`), then:

+ - get logs for the previous instance of the pod: `kubectl logs <pod-name> --previous`

+* AGIC emits Kubernetes events for certain critical errors. You can view these events:

+AGIC has three logging levels. Level 1 is the default one and it shows minimal number of log lines. Level 5, on the other hand, would display all logs, including sanitized contents of config applied to ARM.

+The Kubernetes community has established nine levels of logging for the [kubectl](https://kubernetes.io/docs/reference/kubectl/cheatsheet/#kubectl-output-verbosity-and-debugging) tool. In this repository, we're utilizing three of these levels, with similar semantics:

+ - add `verbosityLevel: 5` on a line by itself in [helm-config.yaml](#sample-helm-config-file) and reinstall

+Before beginning the upgrade procedure, ensure that you've added the required repository:

+ The Helm chart installation from the sample response above is named **odd-billygoat**. This name will be used for the commands. Your actual deployment name will be different.

+If the Helm deployment fails, you can roll back to a previous release.

+ Based on the sample output of the **helm history** command, the last successful deployment of our **odd-billygoat** was revision **1**.

+1. Roll back to the last successful revision:

+In this quickstart, you use the Azure portal to create an [Azure Application Gateway](overview.md) and test it to make sure it works correctly. You will assign listeners to ports, create rules, and add resources to a backend pool. For the sake of simplicity, a simple setup is used with a public front-end IP address, a basic listener to host a single site on the application gateway, a basic request routing rule, and two virtual machines (VMs) in the backend pool.

+For more information about the components of an application gateway, see [Application gateway components](application-gateway-components.md).

+You can also complete this quickstart using [Azure PowerShell](quick-create-powershell.md) or [Azure CLI](quick-create-cli.md).

+An Azure account with an active subscription is required. If you don't already have an account, you can [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+> [!IMPORTANT]

+> The [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory) NuGet package and Azure AD Authentication Library (ADAL) have been deprecated. No new features have been added since June 30, 2020. We strongly encourage you to upgrade, see the [migration guide](/azure/active-directory/develop/msal-migration) for more details.

+There are also further limitations. Refer to [FAQ](faq.yml#what-are-the-data-retention-and-limitations-of-metrics-advisor-) for more details.

+## Use cases for Metrics Advisor

+* [Protect your organization's growth by using Azure Metrics Advisor](https://techcommunity.microsoft.com/t5/azure-ai/protect-your-organization-s-growth-by-using-azure-metrics/ba-p/2564682)

+* [Supply chain anomaly detection and root cause analysis with Azure Metric Advisor](https://techcommunity.microsoft.com/t5/azure-ai/supply-chain-anomaly-detection-and-root-cause-analysis-with/ba-p/2871920)

+* [Customer support: How Azure Metrics Advisor can help improve customer satisfaction](https://techcommunity.microsoft.com/t5/azure-ai-blog/customer-support-how-azure-metrics-advisor-can-help-improve/ba-p/3038907)

+* [Detecting methane leaks using Azure Metrics Advisor](https://techcommunity.microsoft.com/t5/ai-cognitive-services-blog/detecting-methane-leaks-using-azure-metrics-advisor/ba-p/3254005)

+* [AIOps with Azure Metrics Advisor - OpenDataScience.com](https://opendatascience.com/aiops-with-azure-metrics-advisor/)

+description: Learn about claim rule concepts for Azure Attestation policy and the improvements made to the policy language.

+# Claim rule functions supported in policy version 1.2+

+Azure Attestation policy language is updated to enable querying of the incoming evidence in a JSON format. This article explains all the improvements made to the policy language.

+One new operator and six functions are introduced in this policy version.

+Attestation evidence, which was earlier processed to generate specific incoming claims, is now made available to the policy writer in the form of a JSON input. The policy language is also updated to use functions to extract the information. As specified in [Azure Attestation claim rule grammar](claim-rule-grammar.md), the language supports the following three value types and an implicit assignment operator:

+You can use the new function call expression to process the incoming claim set. Use the function call expression with a claim property. It's structured as:

+The function call expression starts with the name of the function, followed by parentheses that contain zero or more arguments separated by commas. Because the arguments of the function are expressions, the language allows specifying a function call as an argument to another function. The arguments are evaluated from left to right before the evaluation of the function begins.

+The following functions are implemented in the policy language.

+JmesPath is a query language for JSON. It specifies several operators and functions that you can use to search data in a JSON document. The search always returns a valid JSON as output. The JmesPath function is structured as:

+The JmesPath expression represented by the second argument is evaluated against JSON data represented by the first argument, which returns the resultant JSON as a string.

+The resultant JSON string is read-only if either of the input arguments are retrieved from read-only claims.

+The following example illustrates the concept.

+#### Literal arguments (Boolean, integer, string)

+During the evaluation of this rule, the JmesPath function is evaluated. The evaluation boils down to evaluating JmesPath query *foo* against the JSON *{ "foo" : "bar" }.* The result of this search operation is a JSON value *"bar".* So, the evaluation of the rule adds a new claim with type *"JmesPathResult"* and string value *"bar"* to the incoming claim set.

+The backslash character is used to escape the double quotation-mark character within the literal string that represents the JSON data.

+Assume the following claims are available in the incoming claim set:

+A JmesPath query can be written as:

+The evaluation of the JmesPath function boils down to evaluating the JmesPath query *values[2]* against the JSON *{"values":[0,1,2,3,4]}*. So, the evaluation of the rule adds a new claim with type *"JmesPathResult"* and string value *"2"* to the incoming claim set. So, the incoming set is updated as:

+In the policy language, a JSON value is represented as a string claim whose value is equal to the string representation of the JSON value. The **JsonToClaimValue** function is used to convert JSON values to claim values that the policy language supports. The function is structured as:

+Here's how each type of the six JSON values is converted to a claim value:

+- **Number**: If the number is an integer, the function returns a claim value with the same integer value. If the number is a fraction, an error is generated.

+- **Object**: The function doesn't support JSON objects. If the argument is a JSON object, an error is generated.

+- **Array**: The function only supports arrays of primitive (number, Boolean, string, and null) types. Such an array is converted to a set that contains a claim with the same type but with values created by converting the JSON values from the array. If the argument to the function is an array of non-primitive (object and array) types, an error is generated.

+- **Null**: If the input is a JSON null, the function returns an empty claim value. If such a claim value is used to construct a claim, the claim is an empty claim. If a rule attempts to add or issue an empty claim, no claim is added to the incoming or the outgoing claim set. In other words, a rule attempting to add or issue an empty claim results in a no-op.

+The resultant claim values are read-only if the input argument is read-only.

+The following example illustrates the concept.

+#### JSON number/Boolean/string

+Updated incoming claim set:

+#### JSON array

+Assume the following claims are available in the incoming claim set:

+Updated incoming claim set:

+The type in the claims is the same and only the value differs. If multiple entries exist with the same value in the array, multiple claims are created.

+#### JSON null

+Assume the following claims are available in the incoming claim set:

+Updated incoming claim set:

+The rule attempts to add a claim with the type *Result* and an empty value. Because it's not allowed, no claim is created, and the incoming claim set remains unchanged.

+This function is used to check if a set of claims is a subset of another set of claims. The function is structured as:

+This function requires exactly two arguments. Both arguments can be sets of any cardinality. The sets in policy language are inherently heterogeneous, so there's no restriction on which type of values can be present in the argument sets.

+The function checks if the set represented by the first argument is a subset of the set represented by the second argument. If so, it returns true. Otherwise, it returns false.

+Because the function simply creates and returns a Boolean value, the returned claim value is always non-read-only.

+Assume the following claims are available in the incoming claim set:

+Updated incoming claim set:

+This function appends the string value of the second argument to the string value of the first argument and returns the resultant string value.

+### Effect of read-only arguments on the result

+The resultant string value is considered to be read-only if either one of the arguments is retrieved from read-only claims.

+Assume the following claims are available in the incoming claim set:

+Updated incoming claim set:

+### Effect of read-only arguments on the result

+Assume the following claims are available in the incoming claim set:

+Updated incoming claim set:

+This function is used to check if a set of claims contains only a specific claim value. The function is structured as:

+This function requires exactly two arguments. The first argument can evaluate a heterogeneous set of any cardinality. The second argument must evaluate a single value of any type (Boolean, string, or integer) supported by the policy language.

+The function returns true if the set represented by the first argument isn't empty and only contains the value represented by the second argument. The function returns false if the set represented by the first argument is empty or contains any value other than the value represented by the second argument.

+### Effect of read-only arguments on the result

+Because the function simply creates and returns a Boolean value, the returned claim value is always non-read-only.

+Assume the following claims are available in the incoming claim set:

+Updated incoming claim set:

+## Not condition operator

+The rules in the policy language start with an optional list of conditions that act as filtering criteria on the incoming claim set. The conditions can be used to identify if a claim is present in the incoming claim set. But there's no way of checking if a claim is absent. So, a new operator (!) is introduced that can be applied to the individual conditions in the conditions list. This operator changes the evaluation behavior of the condition from checking the presence of a claim to checking the absence of a claim.

+Assume the following claims are available in the incoming claim set:

+This rule effectively translates to: *If a claim with type "Claim3" is not present in the incoming claim set, add a new claim with type "Claim3" and value 300 to the incoming claim set.*

+Updated incoming claim set:

+### Sample policy using policy version 1.2

+Windows [implements Measured Boot](/windows/security/information-protection/secure-the-windows-10-boot-process) and, along with attestation, the protection that's provided is greatly enhanced. You can use it to detect and protect against vulnerable and malicious boot components securely and reliably. You can now use these measurements to build the attestation policy.

+description: Learn about Azure Attestation policy version 1.0 to define what must be validated during the attestation flow.

+# Attestation policy version 1.0

+Instance owners can use the Azure Attestation policy to define what must be validated during the attestation flow. This article introduces the workings of the attestation service and the policy engine. Each attestation type has its own attestation policy. The supported grammar and processing are broadly the same.

+- The attestation service parses the evidence and creates a list of claims that's used in the attestation evaluation. These claims are logically categorized as incoming claim sets.

+Policy version 1.0 has three segments:

+- **version**: The version is the version number of the grammar that's followed.

+- **authorizationrules**: A collection of claim rules that are checked first to determine if attestation should proceed to issuancerules. Use this section to filter out calls that don't require the issuance rules to be applied. No claims can be issued from this section to the response token. These rules can be used to fail attestation.

+- **issuancerules**: A collection of claim rules that are evaluated to add information to the attestation result as defined in the policy. The claim rules apply in the order in which they're defined. They're also optional. These rules can be used to add to the outgoing claim set and the response token. These rules can't be used to fail attestation.

+The following claims are supported by policy version 1.0 as part of the incoming claims.

+Use these claims to define authorization rules in a Trusted Platform Module (TPM) attestation policy:

+- **aikValidated**: The Boolean value that contains information if the attestation identity key (AIK) certificate has been validated or not.

+- **aikPubHash**: The string that contains the base64 (SHA256) AIK public key in DER format.

+- **tpmVersion**: The integer value that contains the TPM major version.

+- **secureBootEnabled**: The Boolean value that indicates if secure boot is enabled.

+- **iommuEnabled**:The Boolean value that indicates if the input-output memory management unit is enabled.

+- **bootDebuggingDisabled**: The Boolean value that indicates if boot debugging is disabled.

+- **notSafeMode**: The Boolean value that indicates if Windows isn't running in safe mode.

+- **notWinPE**: The Boolean value that indicates if Windows isn't running in WinPE mode.

+- **vbsEnabled**: The Boolean value that indicates if virtualization-based security (VBS) is enabled.

+- **vbsReportPresent**: The Boolean value that indicates if a VBS enclave report is available.

+Use the following claims to define authorization rules in a VBS attestation policy:

+- **enclaveAuthorId**: The string value that contains the Base64Url encoded value of the enclave author ID. It's the author identifier of the primary module for the enclave.

+- **enclaveImageId**: The string value that contains the Base64Url encoded value of the enclave image ID. It's the image identifier of the primary module for the enclave.

+- **enclaveOwnerId**: The string value that contains the Base64Url encoded value of the enclave owner ID. It's the identifier of the owner for the enclave.

+- **enclaveFamilyId**: The string value that contains the Base64Url encoded value of the enclave family ID. It's the family identifier of the primary module for the enclave.

+- **enclaveSvn**: The integer value that contains the security version number of the primary module for the enclave.

+- **enclavePlatformSvn**: The integer value that contains the security version number of the platform that hosts the enclave.

+- **enclaveFlags**: The enclaveFlags claim is an integer value that contains flags that describe the runtime policy for the enclave.

+description: Learn about Azure Attestation policy version 1.1 to define what must be validated during the attestation flow.

+# Attestation policy version 1.1

+Instance owners can use the Azure Attestation policy to define what must be validated during the attestation flow. This article introduces the workings of the attestation service and the policy engine. Each attestation type has its own attestation policy. The supported grammar and processing are broadly the same.

+- The attestation service parses the evidence and creates a list of claims that's used during rule evaluation. The claims are logically categorized as incoming claim sets.

+Policy version 1.1 has four segments:

+- **version**: The version is the version number of the grammar that's followed.

+- **configurationrules**: During policy evaluation, you might be required to control the behavior of the policy engine itself. You can use configuration rules to indicate to the policy evaluation engine how to handle some claims in the evaluation.

+- **authorizationrules**: A collection of claim rules that are checked first to determine if attestation should proceed to issuancerules. Use this section to filter out calls that don't require the issuance rules to be applied. No claims can be issued from this section to the response token. These rules can be used to fail attestation.

+- **issuancerules**: A collection of claim rules that are evaluated to add information to the attestation result as defined in the policy. The claim rules apply in the defined order. They're also optional. These rules can also be used to add to the outgoing claim set and the response token. These rules can't be used to fail attestation.

+The following configuration rules are available to the policy author.

+| Attestation type | ConfigurationRule property name | Type | Default value | Description |

+| Trusted Platform Module (TPM), virtualization-based security (VBS) | require_valid_aik_cert | Bool | true | Indicates whether a valid attestation identity key (AIK) certificate is required. It's only applied when TPM data is present.|

+The following claims are supported as part of the incoming claims.

+Use these claims to define authorization rules in a TPM attestation policy:

+- **aikValidated**: The Boolean value that contains information if the AIK certification has been validated or not.

+- **aikPubHash**: The string that contains the base64 (SHA256) AIK public key in DER format.

+- **tpmVersion**: The integer value that contains the TPM major version.

+- **secureBootEnabled**: The Boolean value that indicates if secure boot is enabled.

+- **iommuEnabled**: The Boolean value that indicates if input-output memory management unit is enabled.

+- **bootDebuggingDisabled**: The Boolean value that indicates if boot debugging is disabled.

+- **notSafeMode**: The Boolean value that indicates if Windows isn't running in safe mode.

+- **notWinPE**: The Boolean value that indicates if Windows isn't running in WinPE mode.

+- **vbsEnabled**: The Boolean value that indicates if VBS is enabled.

+- **vbsReportPresent**: The Boolean value that indicates if a VBS enclave report is available.

+Use the following claims to define authorization rules in a VBS attestation policy:

+- **enclaveAuthorId**: The string value that contains the Base64Url encoded value of the enclave author ID. It's the author identifier of the primary module for the enclave.

+- **enclaveImageId**: The string value that contains the Base64Url encoded value of the enclave image ID. It's the image identifier of the primary module for the enclave.

+- **enclaveOwnerId**: The string value that contains the Base64Url encoded value of the enclave owner ID. It's the identifier of the owner for the enclave.

+- **enclaveFamilyId**: The string value that contains the Base64Url encoded value of the enclave family ID. It's the family identifier of the primary module for the enclave.

+- **enclaveSvn**: The integer value that contains the security version number of the primary module for the enclave.

+- **enclavePlatformSvn**: The integer value that contains the security version number of the platform that hosts the enclave.

+- **enclaveFlags**: The enclaveFlags claim is an integer value that contains flags that describe the runtime policy for the enclave.

+The `required_pcr_mask` type restricts the evaluation of PCR matches to only PCR 0, 1, 2, and 3.

+The `require_valid_aik_cert` type marked as `false` indicates that the AIK certification isn't a requirement and is later verified in `issuancerules` to determine the `PlatformAttested` state.

+description: Learn about Azure Attestation policy version 1.2 to define what must be validated during the attestation flow.

+# Attestation policy version 1.2

+Instance owners can use the Azure Attestation policy to define what must be validated during the attestation flow. This article introduces the workings of the attestation service and the policy engine. Each attestation type has its own attestation policy. The supported grammar and processing are broadly the same.

+## Policy version 1.2

+- The attestation service parses the evidence and creates a list of claims that are used in the attestation evaluation. The evidence is also parsed and maintained as a JSON format, which is used to provide a broader set of measurements to the policy writer. These claims are logically categorized as incoming claim sets.

+- The attestation policy uploaded by the owner of the attestation service instance is then used to evaluate and issue claims to the response. You can now use JmesPath-based queries to search in the evidence to create your own claims and subsequent claim rules. During the evaluation, configuration rules can also be used to indicate to the policy evaluation engine how to handle certain claims.

+- **configurationrules:** During policy evaluation, sometimes you might be required to control the behavior of the policy engine itself. You can use configuration rules to indicate to the policy evaluation engine how to handle some claims in the evaluation.

+- **authorizationrules:** A collection of claim rules that are checked first to determine if attestation should continue to issuancerules. Use this section to filter out calls that don't require issuance rules to be applied. No claims can be issued from this section to the response token. These rules can be used to fail attestation.

+- **issuancerules:** A collection of claim rules that are evaluated to add information to the attestation result as defined in the policy. The claim rules apply in the order in which they're defined. They're also optional. These rules can be used to add to the outgoing claim set and the response token. These rules can't be used to fail attestation.

+The following configuration rules are available to the policy author.

+| Attestation type | ConfigurationRule property name | Type | Default value | Description |

+| Trusted Platform Module (TPM), virtualization-based security (VBS) | require_valid_aik_cert | Bool | true | Indicates whether a valid attestation identity key certificate is required. It's only applied when TPM data is present.|

+Policy version 1.2 also introduces functions to the policy grammar. Read more about the functions in [Claim rule functions](claim-rule-functions.md). With the introduction of JmesPath-based functions, incoming claims can be generated as needed by the attestation policy author.

+Some of the key rules you can use to generate claims are listed here.

+|Feature |Description |Policy rule |

+| Secure boot |Device boots using only software that's trusted by the OEM, which is Microsoft. | `c:[type == "events", issuer=="AttestationService"] => add(type = "efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && ProcessedData.VariableGuid == '8BE4DF61-93CA-11D2-AA0D-00E098032B8C']")); => issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] \| length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'"))); \![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false);` |

+| Code integrity |Code integrity is a feature that validates the integrity of a driver or system file each time it's loaded into memory.| `// Retrieve bool propertiesc:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `13` \|\| PcrIndex == `19` \|\| PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="codeIntegrityEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_CODEINTEGRITY")));c:[type=="codeIntegrityEnabledSet", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=ContainsOnlyValue(c.value, true));\![type=="codeIntegrityEnabled", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=false);` |

+| Early Launch Antimalware (ELAM) | ELAM protects against loading unsigned or malicious drivers during boot. | `// Elam Driver (windows defender) Loaded.c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `13` \|\| PcrIndex == `19` \|\| PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));c:[type=="boolProperties", issuer=="AttestationPolicy"] => issue(type="elamDriverLoaded", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_LOADEDMODULE_AGGREGATION[] \| [? EVENT_IMAGEVALIDATED == `true` && (equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wdboot.sys') \|\| equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wd\\wdboot.sys'))] \| @ != `null`")));![type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="elamDriverLoaded", value=false);` |

+| Boot debugging |Allows the user to connect to a boot debugger. Can be used to bypass secure boot and other boot protections. | `// Boot debuggingc:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `13` \|\| PcrIndex == `19` \|\| PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="bootDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BOOTDEBUGGING")));c:[type=="bootDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=ContainsOnlyValue(c.value, false));\![type=="bootDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=false);` |

+| Kernel debugging | Allows the user to connect a kernel debugger. Grants access to all system resources (less virtualization-based security [VBS] protected resources). | `// Kernel Debuggingc:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `13` \|\| PcrIndex == `19` \|\| PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="osKernelDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_OSKERNELDEBUG")));c:[type=="osKernelDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=ContainsOnlyValue(c.value, false));\![type=="osKernelDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=false);` |

+|Data Execution Prevention (DEP) policy | DEP policy is a set of hardware and software technologies that perform extra checks on memory to help prevent malicious code from running on a system. | `// DEP Policyc:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `13` \|\| PcrIndex == `19` \|\| PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));c:[type=="boolProperties", issuer=="AttestationPolicy"] => issue(type="depPolicy", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_DATAEXECUTIONPREVENTION.Value \| @[-1]")));\![type=="depPolicy"] => issue(type="depPolicy", value=0);` |

+| Test and flight signing | Enables the user to run test-signed code. | `// Test Signing< c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `13` \|\| PcrIndex == `19` \|\| PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY")); c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="testSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_TESTSIGNING"))); c:[type=="testSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=ContainsOnlyValue(c.value, false)); ![type=="testSigningDisabled", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=false);//Flight Signingc:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="flightSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "\[\*\].EVENT_FLIGHTSIGNING")));c:[type=="flightSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=ContainsOnlyValue(c.value, false));![type=="flightSigningNotEnabled", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=false);` |

+| Virtual Secure Mode/VBS | VBS uses the Windows hypervisor to create this virtual secure mode that's used to protect vital system and operating system resources and credentials. | `// VSM enabled c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vsmEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "\[\*\].EVENT_VBS_VSM_REQUIRED")));c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vsmEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_MANDATORY_ENFORCEMENT")));c:[type=="vsmEnabledSet", issuer=="AttestationPolicy"] => issue(type="vsmEnabled", value=ContainsOnlyValue(c.value, true));![type=="vsmEnabled", issuer=="AttestationPolicy"] => issue(type="vsmEnabled", value=false);c:[type=="vsmEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=c.value);` |

+| Hypervisor-protected code integrity (HVCI) | HVCI is a feature that validates the integrity of a system file each time it's loaded into memory.| `// HVCIc:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY"));c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="hvciEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_HVCI_POLICY \| @[?String == 'HypervisorEnforcedCodeIntegrityEnable'].Value")));c:[type=="hvciEnabledSet", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=ContainsOnlyValue(c.value, 1));![type=="hvciEnabled", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=false);` |

+| Input-output memory management unit (IOMMU) | IOMMU translates virtual to physical memory addresses for Direct memory access-capable device peripherals. IOMMU protects sensitive memory regions. | `// IOMMUc:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `13` \|\| PcrIndex == `19` \|\| PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="iommuEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_IOMMU_REQUIRED")));c:[type=="iommuEnabledSet", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=ContainsOnlyValue(c.value, true));![type=="iommuEnabled", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=false);` |

+| PCR value evaluation | PCRs contain measurements of components that are made during the boot. These measurements can be used to verify the components against golden or known measurements. | `//PCRS are only read-only and thus cannot be used with issue operation, but they can be used to validate expected/golden measurements.c:[type == "pcrs", issuer=="AttestationService"] && c1:[type=="pcrMatchesExpectedValue", value==JsonToClaimValue(JmesPath(c.value, "PCRs[? Index == `0`].Digests.SHA1 \| @[0] == `\"KCk6Ow\"`"))] => issue(claim = c1);` |

+| Boot Manager version | The security version number of the Boot Manager that was loaded during initial boot on the attested device. | `// Find the first EVENT_APPLICATION_SVN. That value is the Boot Manager SVN// Find the first EV_SEPARATOR in PCR 12, 13, Or 14c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` \|\| PcrIndex == `13` \|\| PcrIndex == `14`)] \| @[0].EventSeq"));c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));[type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` ");// Find the first EVENT_APPLICATION_SVN. That value is the Boot Manager SVNc:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] => add(type="bootMgrSvnSeqQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12` && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN] \| @[0].EventSeq"));c1:[type=="bootMgrSvnSeqQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="bootMgrSvnSeq", value=JmesPath(c2.value, c1.value));c:[type=="bootMgrSvnSeq", value!="null", issuer=="AttestationPolicy"] => add(type="bootMgrSvnQuery", value=AppendString(AppendString("Events[? EventSeq == `", c.value), "`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN \| @[0]"));c1:[type=="bootMgrSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootMgrSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));` |

+| Safe mode | Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started. | `// Safe modec:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `13` \|\| PcrIndex == `19` \|\| PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="safeModeEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_SAFEMODE")));c:[type=="safeModeEnabledSet", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=ContainsOnlyValue(c.value, false));![type=="notSafeMode", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=true);` |

+| WinPE boot | Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that's used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows setup. | `// Win PEc:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` \|\| PcrIndex == `13` \|\| PcrIndex == `19` \|\| PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY"));c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="winPEEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "\[\*\].EVENT_WINPE")));c:[type=="winPEEnabledSet", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=ContainsOnlyValue(c.value, false));![type=="notWinPE", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=true);` |

+| Code integrity (CI) policy | Hash of CI policy that's controlling the security of the boot environment. | `// CI Policyc :[type=="events", issuer=="AttestationService"] => issue(type="codeIntegrityPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_SI_POLICY[].RawData")));`|

+| Secure Boot Configuration Policy Hash (SBCPHash) | SBCPHash is the fingerprint of the Custom SBCP that was loaded during boot in Windows devices, except PCs. | `// Secure Boot Custom Policyc:[type=="events", issuer=="AttestationService"] => issue(type="secureBootCustomPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && PcrIndex == `7` && ProcessedData.UnicodeName == 'CurrentPolicy' && ProcessedData.VariableGuid == '77FA9ABD-0359-4D32-BD60-28F4E78F784B'].ProcessedData.VariableData \| @[0]")));` |

+| Boot application subversion | The version of the Boot Manager that's running on the device. | `// Find the first EV_SEPARATOR in PCR 12, 13, Or 14, the ordering of the events is critical to ensure correctness.c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` \|\| PcrIndex == `13` \|\| PcrIndex == `14`)] \| @[0].EventSeq"));c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));[type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); // No restriction of EV_SEPARATOR in case it is not present// Find the first EVENT_TRANSFER_CONTROL with value 1 or 2 in PCR 12 that is before the EV_SEPARATORc1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="bootMgrSvnSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepAfterBootMgrSvnClause", value=AppendString(AppendString(AppendString(c1.value, "&& EventSeq >= `"), c2.value), "`"));c:[type=="beforeEvSepAfterBootMgrSvnClause", issuer=="AttestationPolicy"] => add(type="tranferControlQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`&& (ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `1` \|\| ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `2`)] \| @[0].EventSeq"));c1:[type=="tranferControlQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="tranferControlSeq", value=JmesPath(c2.value, c1.value));// Find the first non-null EVENT_MODULE_SVN in PCR 13 after the transfer control.c:[type=="tranferControlSeq", value!="null", issuer=="AttestationPolicy"] => add(type="afterTransferCtrlClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="afterTransferCtrlClause", issuer=="AttestationPolicy"] => add(type="moduleQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13` && ((ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN \| @[0]) \|\| (ProcessedData.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN \| @[0]))].EventSeq \| @[0]"));c1:[type=="moduleQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="moduleSeq", value=JmesPath(c2.value, c1.value));// Find the first EVENT_APPLICATION_SVN after EV_EVENT_TAG in PCR 12. That value is Boot App SVNc:[type=="moduleSeq", value!="null", issuer=="AttestationPolicy"] => add(type="applicationSvnAfterModuleClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="applicationSvnAfterModuleClause", issuer=="AttestationPolicy"] => add(type="bootAppSvnQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN \| @[0]"));c1:[type=="bootAppSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootAppSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));` |

+| Boot revision list | Boot revision list used to direct the device to an enterprise honeypot to further monitor the device's activities. | `// Boot Rev List Info c:[type=="events", issuer=="AttestationService"] => issue(type="bootRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_BOOT_REVOCATION_LIST.RawData \| @[0]")));` |

+// Verify if secure boot is enabled.

+//Verify if Defender ELAM is loaded.

+description: This article provides an overview of Trusted Platform Module (TPM) attestation and capabilities supported by Azure Attestation.

+# Trusted Platform Module attestation

+Devices with a Trusted Platform Module (TPM) can rely on attestation to prove that boot integrity isn't compromised along with using the Measured Boot process to detect early boot feature states.

+A growing number of device types, bootloaders, and boot stack attacks require an attestation solution to evolve accordingly. An attested state of a device is driven by the attestation policy used to verify the contents on the platform evidence.

+This article provides an overview of TPM attestation and capabilities supported by Azure Attestation.

+In general, TPM attestation is based on the following pillars.

+Validate the TPM authenticity by validating the TPM:

+- Every TPM ships with a unique asymmetric key called the endorsement key (EK). This key is burned by the manufacturer. The public portion of this key is known as EKPub. The associated private key is known as EKPriv. Some TPM chips also have an EK certificate that's issued by the manufacturer for the EKPub. This certificate is known as EKCert.

+- A certification authority (CA) establishes trust in the TPM either via EKPub or EKCert.

+- A device proves to the CA that the key for which the certificate is being requested is cryptographically bound to the EKPub and that the TPM owns the EKPriv.

+- The CA issues a certificate with a special issuance policy to denote that the key is now attested as protected by a TPM.

+Validate the measurements made during the boot by using Azure Attestation:

+- As part of Trusted Boot and Measured Boot, every step is validated and measured into the TPM. Different events are measured for different platforms. For more information about the Measured Boot process in Windows, see [Secure the Windows boot process](/windows/security/information-protection/secure-the-windows-10-boot-process).

+- At boot, an attestation identity key is generated. It's used to provide cryptographic proof to the attestation service that the TPM in use was issued a certificate after EK validation was performed.

+- Relying parties can perform an attestation against Azure Attestation, which can be used to validate measurements made during the boot process.

+

+Conceptually, TPM attestation can be visualized as shown in the preceding diagram. The relying party applies Azure Attestation to verify the integrity of the platform and any violation of promises. The verification process gives you the confidence to run workloads or provide access to resources.

+Mature attack techniques aim to infect the boot chain. A boot attack can provide the attacker with access to system resources and allow the attacker to hide from antimalware software. Trusted Boot acts as the first order of defense. Use of Trusted Boot and attestation extends the capability to relying parties. Most attackers attempt to bypass secure boot or load an unwanted binary in the boot process.

+Remote attestation allows the relying parties to verify the whole boot chain for any violation of promises. For example, the secure boot evaluation by the attestation service validates the values of the secure variables measured by UEFI.

+Measured Boot instrumentation ensures cryptographically bound measurements can't be changed after they're made and that only a trusted component can make the measurement. For this reason, validating the secure variables is sufficient to ensure the enablement.

+Azure Attestation signs the report to ensure the integrity of the attestation is also maintained to protect against man-in-the-middle attacks.

+A simple policy can be used:

+Sometimes it isn't sufficient to verify only one component in the boot. Verifying complementary features like code integrity or hypervisor-protected code integrity (HVCI) and System Guard Secure Launch adds to the protection profile of a device. You also need the ability to peer into the boot so that you can evaluate any violations and be confident about the platform.

+The following example takes advantage of policy version 1.2 to verify details about secure boot, HVCI, and System Guard Secure Launch. It also verifies that an unwanted (malicious.sys) driver isn't loaded during the boot:

+// Verify if secure boot is enabled

+- [Learn more about claim rule grammar](claim-rule-grammar.md)

+ mvn com.microsoft.azure:azure-webapp-maven-plugin:2.5.0:config

+ spring.cloud.azure.appconfiguration.stores[0].monitoring.refresh-interval= 30d

+ management.endpoints.web.exposure.include= appconfiguration-refresh

+## Build and run the app in app service

+1. Update your `pom.xml` under the `azure-webapp-maven-plugin`'s `configuration` add

+```xml

+<appSettings>

+ <AppConfigurationConnectionString>${AppConfigurationConnectionString}</AppConfigurationConnectionString>

+</appSettings>

+```

+ mvn azure-webapp:deploy

+ curl -X GET https://my-azure-webapp.azurewebsites.net

+As described in the [CI/CD workflow using GitOps](conceptual-gitops-flux2-ci-cd.md) article's example, an application developer works on application code within an application repository. This application repository also holds high-level deployment Helm and/or Kustomize templates. CI\CD pipelines:

+Learn more about creating connections between your cluster and a Git repository as a [configuration resource with Azure Arc-enabled Kubernetes](./conceptual-gitops-flux2.md)

+|Azure Extension for SQL Server |Microsoft.AzureData |WindowsAgent.SqlServer |[Install Azure extension for SQL Server](/sql/sql-server/azure-arc/connect#initiate-the-connection-from-azure) to initiate SQL Server connection to Azure. |

+|`*.servicebus.windows.net`|For Windows Admin Center and SSH scenarios|If using SSH or Windows Admin Center from Azure|Public|

+## Save the onboarding script to a remote share

+Before you can run the script to connect your machines, you'll need to save the onboarding script to the remote share. This will be referenced when creating the Group Policy Object.

+<!--1. Edit the field for `remotePath` to reflect the distributed share location with the configuration file and Connected Machine Agent.

+1. Save the modified onboarding script locally and note its location. This will be referenced when creating the Group Policy Object.-->

+# This script is used to install and configure the Azure Connected Machine Agent

+[CmdletBinding()]

+param(

+ [Parameter(Mandatory=$false)]

+ [string] $AltDownloadLocation,

+ [Parameter(Mandatory=$true)]

+ [string] $RemotePath,

+ [Parameter(Mandatory=$false)]

+ [string] $LogFile = "onboardinglog.txt",

+ [Parameter(Mandatory=$false)]

+ [string] $InstallationFolder = "$env:HOMEDRIVE\ArcDeployment",

+ [Parameter(Mandatory=$false)]

+ [string] $ConfigFilename = "ArcConfig.json"

+)

+$ErrorActionPreference="Stop"

+$ProgressPreference="SilentlyContinue"

+[string] $RegKey = "HKLM:\SOFTWARE\Microsoft\Azure Connected Machine Agent"

+# create local installation folder if it doesn't exist

+if (!(Test-Path $InstallationFolder) ) {

+ [void](New-Item -path $InstallationFolder -ItemType Directory )

+}

+# create log file and overwrite if it already exists

+$logpath = New-Item -path $InstallationFolder -Name $LogFile -ItemType File -Force

+@"

+Azure Arc-Enabled Servers Agent Deployment Group Policy Script

+Time: $(Get-Date)

+RemotePath: $RemotePath

+RegKey: $RegKey

+LogFile: $LogPath

+InstallationFolder: $InstallationFolder

+ConfigFileName: $ConfigFilename

+"@ >> $logPath

+try

+{

+ "Copying items to $InstallationFolder" >> $logPath

+ Copy-Item -Path "$RemotePath\*" -Destination $InstallationFolder -Recurse -Verbose

+ $agentData = Get-ItemProperty $RegKey -ErrorAction SilentlyContinue

+ if ($agentData) {

+ "Azure Connected Machine Agent version $($agentData.version) is already installed, proceeding to azcmagent connect" >> $logPath

+ } else {

+ # Download the installation package

+ "Downloading the installation script" >> $logPath

+ [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor [System.Net.SecurityProtocolType]::Tls12

+ Invoke-WebRequest -Uri "https://aka.ms/azcmagent-windows" -TimeoutSec 30 -OutFile "$InstallationFolder\install_windows_azcmagent.ps1"

+ # Install the hybrid agent

+ "Running the installation script" >> $logPath

+ & "$InstallationFolder\install_windows_azcmagent.ps1"

+ if ($LASTEXITCODE -ne 0) {

+ throw "Failed to install the hybrid agent: $LASTEXITCODE"

+ }

+ $agentData = Get-ItemProperty $RegKey -ErrorAction SilentlyContinue

+ if (! $agentData) {

+ throw "Could not read installation data from registry, a problem may have occurred during installation"

+ "Azure Connected Machine Agent version $($agentData.version) is already deployed, exiting without changes" >> $logPath

+ exit

+ "Installation Complete" >> $logpath

+ }

+ & "$env:ProgramW6432\AzureConnectedMachineAgent\azcmagent.exe" connect --config "$InstallationFolder\$ConfigFilename" >> $logpath

+ if ($LASTEXITCODE -ne 0) {

+ throw "Failed during azcmagent connect: $LASTEXITCODE"

+ }

+ "Connect Succeeded" >> $logpath

+ & "$env:ProgramW6432\AzureConnectedMachineAgent\azcmagent.exe" show >> $logpath

+} catch {

+ "An error occurred during installation: $_" >> $logpath

+}

+1. Under **Settings**, select **One time** and enter the date and time for the task to run. Select a date and time that is at least 2 hours after the current time to make sure that the Group Policy update will be applied.

+1. For **Add arguments (optional)**, enter `-ExecutionPolicy Bypass -command <INSERT UNC-path to PowerShell script> -remotePath <INSERT path to your Remote Share>`.

+With the Azure CLI, use the [az connectedmachine extension list](/cli/azure/connectedmachine/extension#az-connectedmachine-extension-list) command with the `--machine-name` and `--resource-group` parameters. By default, the output of Azure CLI commands is in JSON (JavaScript Object Notation). To change the default output to a list or table, for example, use [az configure --output](/cli/azure/reference-index). You can also add `--output` to any command for a one time change in output format.

+- Caches with more than one replica cannot be geo-replicated.

+description: Learn to handle errors and retry events in Azure Functions with links to specific binding errors, including information on retry policies.

+zone_pivot_groups: programming-languages-set-functions-lang-workers

+Handling errors in Azure Functions is important to avoid lost data, missed events, and to monitor the health of your application. It's also important to understand the retry behaviors of event-based triggers.

+This article describes general strategies for error handling and the available retry strategies.

+> [!IMPORTANT]

+> The retry policy support in the runtime for triggers other than Timer and Event Hubs is being removed after this feature becomes generally available (GA). Preview retry policy support for all triggers other than Timer and Event Hubs will be removed in October 2022.

+Errors raised in an Azure Functions can come from any of the following origins:

+- Use of built-in Azure Functions [triggers and bindings](functions-triggers-bindings.md).

+- Calls to APIs of underlying Azure services.

+- Calls to REST endpoints.

+- Calls to client libraries, packages, or third-party APIs.

+Good error handling practices are important to avoid loss of data or missed messages. This section describes some recommended error handling practices with links to more information.

+### Enable Application Insights

+Azure Functions integrates with Application Insights to collect error data, performance data, and runtime logs. You should use Application Insights to discover and better understand errors occurring in your function executions. To learn more, see [Monitor Azure Functions](functions-monitoring.md).

+### Use structured error handling

+Capturing and logging errors is critical to monitoring the health of your application. The top-most level of any function code should include a try/catch block. In the catch block, you can capture and log errors. For information about what errors might be raised by bindings, see [Binding error codes](#binding-error-codes).

+### Plan your retry strategy

+Several Functions bindings extensions provide built-in support for retries. In addition, the runtime lets you define retry policies for Timer and Event Hubs triggered functions. To learn more, see [Retries](#retries). For triggers that don't provide retry behaviors, you may want to implement your own retry scheme.

+### Design for idempotency

+The occurrence of errors when processing data can be a problem for your functions, especially when processing messages. You need to consider what happens when the error occurs and how to avoid duplicate processing. To learn more, see [Designing Azure Functions for identical input](functions-idempotent.md).

+## Retries

+There are two kinds of retries available for your functions: built-in retry behaviors of individual trigger extensions and retry policies. The following table indicates which triggers support retries and where the retry behavior is configured. It also links to more information about errors coming from the underlying services.

+| Trigger/binding | Retry source | Configuration |

+| - | - | -- |

+| Azure Cosmos DB | n/a | Not configurable |

+| Blob Storage | [Binding extension](functions-bindings-storage-blob-trigger.md#poison-blobs) | [host.json](functions-bindings-storage-queue.md#host-json) |

+| Event Grid | [Binding extension](../event-grid/delivery-and-retry.md) | Event subscription |

+| Event Hubs | [Retry policies](#retry-policies) | Function-level |

+| Queue Storage | [Binding extension](functions-bindings-storage-queue-trigger.md#poison-messages) | [host.json](functions-bindings-storage-queue.md#host-json) |

+| RabbitMQ | [Binding extension](functions-bindings-rabbitmq-trigger.md#dead-letter-queues) | [Dead letter queue](https://www.rabbitmq.com/dlx.html) |

+| Service Bus | [Binding extension](../service-bus-messaging/service-bus-dead-letter-queues.md) | [Dead letter queue](/service-bus-messaging/service-bus-dead-letter-queues.md#maximum-delivery-count) |

+|Timer | [Retry policies](#retry-policies) | Function-level |

+### Retry policies

+Starting with version 3.x of the Azure Functions runtime, you can define a retry policies for Timer and Event Hubs triggers that are enforced by the Functions runtime. The retry policy tells the runtime to rerun a failed execution until either successful completion occurs or the maximum number of retries is reached.

+A retry policy is evaluated when a Timer or Event Hubs triggered function raises an uncaught exception. As a best practice, you should catch all exceptions in your code and rethrow any errors that you want to result in a retry. Event Hubs checkpoints won't be written until the retry policy for the execution has completed. Because of this behavior, progress on the specific partition is paused until the current batch has completed.

+#### Retry strategies

+There are two retry strategies supported by policy that you can configure:

+# [Fixed delay](#tab/fixed-delay)

+A specified amount of time is allowed to elapse between each retry.

+# [Exponential backoff](#tab/exponential-backoff)

+The first retry waits for the minimum delay. On subsequent retries, time is added exponentially to the initial duration for each retry, until the maximum delay is reached. Exponential back-off adds some small randomization to delays to stagger retries in high-throughput scenarios.

+#### Max retry counts

+You can configure the maximum number of times function execution is retried before eventual failure. The current retry count is stored in memory of the instance. It's possible that an instance has a failure between retry attempts. When an instance fails during a retry policy, the retry count is lost. When there are instance failures, the Event Hubs trigger is able to resume processing and retry the batch on a new instance, with the retry count reset to zero. Timer trigger doesn't resume on a new instance. This behavior means that the max retry count is a best effort, and in some rare cases an execution could be retried more than the maximum. For Timer triggers, the retries can be less than the maximum requested.

+#### Retry examples

+# [In-process](#tab/in-process/fixed-delay)

+Retries require NuGet package [Microsoft.Azure.WebJobs](https://www.nuget.org/packages/Microsoft.Azure.WebJobs) >= 3.0.23

+```csharp

+[FunctionName("EventHubTrigger")]

+[FixedDelayRetry(5, "00:00:10")]

+public static async Task Run([EventHubTrigger("myHub", Connection = "EventHubConnection")] EventData[] events, ILogger log)

+{

+// ...

+}

+```

+|Property | Description |

+||-|

+|MaxRetryCount|Required. The maximum number of retries allowed per function execution. `-1` means to retry indefinitely.|

+|DelayInterval|The delay that is used between retries. Specify as a string with the format `HH:mm:ss`.|

+# [Isolated process](#tab/isolated-process/fixed-delay)

+Retry policies aren't yet supported when running in an isolated process.

+# [C# Script](#tab/csharp-script/fixed-delay)

+Here's the retry policy in the *function.json* file:

+```json

+{

+ "disabled": false,

+ "bindings": [

+ {

+ ....

+ }

+ ],

+ "retry": {

+ "strategy": "fixedDelay",

+ "maxRetryCount": 4,

+ "delayInterval": "00:00:10"

+ }

+}

+```

+|function.json property | Description |

+||-|

+|strategy|Use `fixedDelay`.|

+|maxRetryCount|Required. The maximum number of retries allowed per function execution. `-1` means to retry indefinitely.|

+|delayInterval|The delay that is used between retries. Specify as a string with the format `HH:mm:ss`.|

+# [In-process](#tab/in-process/exponential-backoff)

+Retries require NuGet package [Microsoft.Azure.WebJobs](https://www.nuget.org/packages/Microsoft.Azure.WebJobs) >= 3.0.23

+```csharp

+[FunctionName("EventHubTrigger")]

+[ExponentialBackoffRetry(5, "00:00:04", "00:15:00")]

+public static async Task Run([EventHubTrigger("myHub", Connection = "EventHubConnection")] EventData[] events, ILogger log)

+{

+// ...

+}

+```

+|Property | Description |

+||-|

+|MaxRetryCount|Required. The maximum number of retries allowed per function execution. `-1` means to retry indefinitely.|

+|MinimumInterval|The minimum retry delay. Specify as a string with the format `HH:mm:ss`.|

+|MaximumInterval|The maximum retry delay. Specify as a string with the format `HH:mm:ss`.|

+# [Isolated process](#tab/isolated-process/exponential-backoff)

+Retry policies aren't yet supported when running in an isolated process.

+# [C# Script](#tab/csharp-script/exponential-backoff)

+Here's the retry policy in the *function.json* file:

+```json

+{

+ "disabled": false,

+ "bindings": [

+ {

+ ....

+ }

+ ],

+ "retry": {

+ "strategy": "exponentialBackoff",

+ "maxRetryCount": 5,

+ "minimumInterval": "00:00:10",

+ "maximumInterval": "00:15:00"

+ }

+}

+```

+|function.json property | Description |

+||-|

+|strategy|Use `exponentialBackoff`.|

+|maxRetryCount|Required. The maximum number of retries allowed per function execution. `-1` means to retry indefinitely.|

+|minimumInterval|The minimum retry delay. Specify as a string with the format `HH:mm:ss`.|

+|maximumInterval|The maximum retry delay. Specify as a string with the format `HH:mm:ss`.|

+Here's the retry policy in the *function.json* file:

+# [Fixed delay](#tab/fixed-delay)

+```json

+{

+ "disabled": false,

+ "bindings": [

+ {

+ ....

+ }

+ ],

+ "retry": {

+ "strategy": "fixedDelay",

+ "maxRetryCount": 4,

+ "delayInterval": "00:00:10"

+ }

+}

+```

+# [Exponential backoff](#tab/exponential-backoff)

+```json

+{

+ "disabled": false,

+ "bindings": [

+ {

+ ....

+ }

+ ],

+ "retry": {

+ "strategy": "exponentialBackoff",

+ "maxRetryCount": 5,

+ "minimumInterval": "00:00:10",

+ "maximumInterval": "00:15:00"

+ }

+}

+```

+|function.json property | Description |

+||-|

+|strategy|Required. The retry strategy to use. Valid values are `fixedDelay` or `exponentialBackoff`.|

+|maxRetryCount|Required. The maximum number of retries allowed per function execution. `-1` means to retry indefinitely.|

+|delayInterval|The delay that is used between retries when using a `fixedDelay` strategy. Specify as a string with the format `HH:mm:ss`.|

+|minimumInterval|The minimum retry delay when using an `exponentialBackoff` strategy. Specify as a string with the format `HH:mm:ss`.|

+|maximumInterval|The maximum retry delay when using `exponentialBackoff` strategy. Specify as a string with the format `HH:mm:ss`.|

+Here's a Python sample to use retry context in a function:

+```Python

+import azure.functions

+import logging

+def main(mytimer: azure.functions.TimerRequest, context: azure.functions.Context) -> None:

+ logging.info(f'Current retry count: {context.retry_context.retry_count}')

+

+ if context.retry_context.retry_count == context.retry_context.max_retry_count:

+ logging.info(

+ f"Max retries of {context.retry_context.max_retry_count} for "

+ f"function {context.function_name} has been reached")

+

+```

+# [Fixed delay](#tab/fixed-delay)

+```java

+@FunctionName("TimerTriggerJava1")

+@FixedDelayRetry(maxRetryCount = 4, delayInterval = "00:00:10")

+public void run(

+ @TimerTrigger(name = "timerInfo", schedule = "0 */5 * * * *") String timerInfo,

+ final ExecutionContext context

+) {

+ context.getLogger().info("Java Timer trigger function executed at: " + LocalDateTime.now());

+}

+```

+# [Exponential backoff](#tab/exponential-backoff)

+```java

+@FunctionName("TimerTriggerJava1")

+@ExponentialBackoffRetry(maxRetryCount = 5 , maximumInterval = "00:15:00", minimumInterval = "00:00:10")

+public void run(

+ @TimerTrigger(name = "timerInfo", schedule = "0 */5 * * * *") String timerInfo,

+ final ExecutionContext context

+) {

+ context.getLogger().info("Java Timer trigger function executed at: " + LocalDateTime.now());

+}

+```

+|Element | Description |

+||-|

+|maxRetryCount|Required. The maximum number of retries allowed per function execution. `-1` means to retry indefinitely.|

+|delayInterval|The delay that is used between retries when using a `fixedDelay` strategy. Specify as a string with the format `HH:mm:ss`.|

+|minimumInterval|The minimum retry delay when using an `exponentialBackoff` strategy. Specify as a string with the format `HH:mm:ss`.|

+|maximumInterval|The maximum retry delay when using `exponentialBackoff` strategy. Specify as a string with the format `HH:mm:ss`.|

+## Next steps

+Controls the [retry policy](./functions-bindings-error-pages.md#retry-policies) options for all executions in the app.

+- Retry policies sending the same request many times.

+- Cached commands replayed to the application.

+- Application errors sending multiple identical requests.

+- Verifying of the existence of data before trying to execute a delete.

+- Checking to see if data already exists before trying to execute a create action.

+- Reconciling logic that creates eventual consistency in data.

+- Concurrency controls.

+- Duplication detection.

+- Data freshness validation.

+- Guard logic to verify input data.

+

+## Next steps

+Context for retries to the function. For more information, see [`retry-policies`](./functions-bindings-errors.md#retry-policies).

+- *Unhandled exceptions may cause you to lose messages.* Executions that result in an exception will continue to progress the pointer. Setting a [retry policy](./functions-bindings-error-pages.md#retry-policies) will delay progressing the pointer until the entire retry policy has been evaluated.

+Some exceptions are transient in nature and don't reappear when an operation is attempted again moments later. This is why the first step is always to retry the operation. You can leverage the function app [retry policies](./functions-bindings-error-pages.md#retry-policies) or author retry logic within the function execution.

+ - IMDS service is not running/accessible from the virtual machine. [Check if you can access IMDS from the machine](/azure/virtual-machines/windows/instance-metadata-service?tabs=windows). If not, [file a ticket](#file-a-ticket) with **Summary** as 'IMDS service not running' and **Problem type** as 'I need help configuring data collection from a VM'.

+ - AMA cannot access IMDS. Check if you see IMDS errors in `C:\WindowsAzure\Resources\AMADataStore.<virtual-machine-name>\Tables\MAEventTable.tsf` file. If yes, [file a ticket](#file-a-ticket) with **Summary** as 'AMA cannot access IMDS' and **Problem type** as 'I need help configuring data collection from a VM'.

+* *cpuExceededPercentage*, *memoryRssExceededPercentage*, and *memoryWorkingSetExceededPercentage* metrics are sent when the CPU, memory Rss, and Memory Working set values exceed the configured threshold (the default threshold is 95%). *cpuThresholdViolated*, *memoryRssThresholdViolated*, and *memoryWorkingSetThresholdViolated* metrics are equal to 0 is the usage percentage is below the threshold and are equal to 1 if the usage percentage is above the threshold. These thresholds are exclusive of the alert condition threshold specified for the corresponding alert rule. Meaning, if you want to collect these metrics and analyze them from [Metrics explorer](../essentials/metrics-getting-started.md), we recommend you configure the threshold to a value lower than your alerting threshold. The configuration related to the collection settings for their container resource utilization thresholds can be overridden in the ConfigMaps file under the section `[alertable_metrics_configuration_settings.container_resource_utilization_thresholds]`. See the section [Configure alertable metrics ConfigMaps](#configure-alertable-metrics-in-configmaps) for details related to configuring your ConfigMap configuration file.

+* *pvUsageExceededPercentage* metric is sent when the persistent volume usage percentage exceeds the configured threshold (the default threshold is 60%). *pvUsageThresholdViolated* metric is equal to 0 when the PV usage percentage is below the threshold and is equal 1 if the usage is above the threshold. This threshold is exclusive of the alert condition threshold specified for the corresponding alert rule. Meaning, if you want to collect these metrics and analyze them from [Metrics explorer](../essentials/metrics-getting-started.md), we recommend you configure the threshold to a value lower than your alerting threshold. The configuration related to the collection settings for persistent volume utilization thresholds can be overridden in the ConfigMaps file under the section `[alertable_metrics_configuration_settings.pv_utilization_thresholds]`. See the section [Configure alertable metrics ConfigMaps](#configure-alertable-metrics-in-configmaps) for details related to configuring your ConfigMap configuration file. Collection of persistent volume metrics with claims in the *kube-system* namespace are excluded by default. To enable collection in this namespace, use the section `[metric_collection_settings.collect_kube_system_pv_metrics]` in the ConfigMap file. See [Metric collection settings](./container-insights-agent-config.md#metric-collection-settings) for details.

+* *cpuThresholdViolated*

+* *memoryRssThresholdViolated*

+* *memoryWorkingSetThresholdViolated*

+* *pvUsageThresholdViolated*

+## Known error messages

+The table below summarizes known errors you may encounter while using Container insights.

+| Error messages | Action |

+| - | |

+| Error Message `No data for selected filters` | It may take some time to establish monitoring data flow for newly created clusters. Allow at least 10 to 15 minutes for data to appear for your cluster.<br><br>If data still doesn't show up, check if the configured log analytics workspace is configured for *disableLocalAuth = true*, if yes, update back to *disableLocalAuth = false*.<br><br>`az resource show --ids "/subscriptions/[Your subscription ID]/resourcegroups/[Your resource group]/providers/microsoft.operationalinsights/workspaces/[Your workspace name]"`<br><br>`az resource update --ids "/subscriptions/[Your subscription ID]/resourcegroups/[Your resource group]/providers/microsoft.operationalinsights/workspaces/[Your workspace name]" --api-version "2021-06-01" --set properties.features.disableLocalAuth=False` |

+| Error Message `Error retrieving data` | While Azure Kubernetes Service cluster is setting up for health and performance monitoring, a connection is established between the cluster and Azure Log Analytics workspace. A Log Analytics workspace is used to store all monitoring data for your cluster. This error may occur when your Log Analytics workspace has been deleted. Check if the workspace was deleted. If it was, you'll need to re-enable monitoring of your cluster with Container insights and either specify an existing workspace or create a new one. To re-enable, you'll need to [disable](container-insights-optout.md) monitoring for the cluster and [enable](container-insights-enable-new-cluster.md) Container insights again. |

+| `Error retrieving data` after adding Container insights through az aks cli | When enable monitoring using `az aks cli`, Container insights may not be properly deployed. Check whether the solution is deployed. To verify, go to your Log Analytics workspace and see if the solution is available by selecting **Solutions** from the pane on the left-hand side. To resolve this issue, you'll need to redeploy the solution by following the instructions on [how to deploy Container insights](container-insights-onboard.md) |

+To help diagnose the problem, we've provided a [troubleshooting script](https://github.com/microsoft/Docker-Provider/tree/ci_dev/scripts/troubleshoot).

+- VM Insights and Container Insights will stop working. Local authorization is the only authorization method supported by these features.

+* [Azure AD authentication for Application Insights (Preview)](../app/azure-ad-authentication.md)

+To manage the workspace or component access flags, use the flags `[--ingestion-access {Disabled, Enabled}]` and `[--query-access {Disabled, Enabled}]`on [az monitor log-analytics workspace](/cli/azure/monitor/log-analytics/workspace) or [az monitor app-insights component](/cli/azure/monitor/app-insights/component).

+* [Learn more about VM insights](vminsights-overview.md).

+## May, 2022

+- [Azure Monitor cost and usage](usage-estimated-costs.md) - Added standard web tests to table<br>Added explanation of billable GB calculation

+- [Azure Monitor overview](overview.md) - Updated overview diagram

+- [Azure Monitor agent extension versions](agents/azure-monitor-agent-extension-versions.md) - Update to latest extension version

+- [Azure Monitor agent overview](agents/azure-monitor-agent-overview.md) - Added supported resource types

+- [Collect text and IIS logs with Azure Monitor agent (preview)](agents/data-collection-text-log.md) - Corrected error in data collection rule

+- [Overview of the Azure monitoring agents](agents/agents-overview.md) - Added new OS supported for agent

+- [Resource Manager template samples for agents](agents/resource-manager-agent.md) - Added Bicep examples

+- [Resource Manager template samples for data collection rules](agents/resource-manager-data-collection-rules.md) - Fixed bug in sample parameter file

+- [Rsyslog data not uploaded due to Full Disk space issue on AMA Linux Agent](agents/azure-monitor-agent-troubleshoot-linux-vm-rsyslog.md) - New article

+- [Troubleshoot the Azure Monitor agent on Linux virtual machines and scale sets](agents/azure-monitor-agent-troubleshoot-linux-vm.md) - New article

+- [Troubleshoot the Azure Monitor agent on Windows Arc-enabled server](agents/azure-monitor-agent-troubleshoot-windows-arc.md) - New article

+- [Troubleshoot the Azure Monitor agent on Windows virtual machines and scale sets](agents/azure-monitor-agent-troubleshoot-windows-vm.md) - New article

+- [IT Service Management Connector - Secure Webhook in Azure Monitor - Azure Configurations](alerts/itsm-connector-secure-webhook-connections-azure-configuration.md) - Added the workflow for ITSM management and removed all references to SCSM.

+- [Overview of Azure Monitor Alerts](alerts/alerts-overview.md) - Complete rewrite

+- [Resource Manager template samples for log query alerts](alerts/resource-manager-alerts-log.md) - Bicep samples for alerting have been added to the Resource Manager template samples articles.

+- [Supported resources for metric alerts in Azure Monitor](alerts/alerts-metric-near-real-time.md) - Added a newly supported resource type

+- [Application Map in Azure Application Insights](app/app-map.md) - Application Maps Intelligent View feature

+- [Azure Application Insights for ASP.NET Core applications](app/asp-net-core.md) - telemetry.Flush() guidance is now available.

+- [Diagnose with Live Metrics Stream - Azure Application Insights](app/live-stream.md) - Updated information on using unsecure control channel.

+- [Migrate an Azure Monitor Application Insights classic resource to a workspace-based resource](app/convert-classic-resource.md) - Schema change documentation is now available here.

+- [Profile production apps in Azure with Application Insights Profiler](profiler/profiler-overview.md) - Profiler documentation now has a new home in the table of contents.

+- All references to unsupported versions of .NET and .NET CORE have been scrubbed from Application Insights product documentation. See [.NET and >NET Core Support Policy](https://dotnet.microsoft.com/platform/support/policy/dotnet-core)

+### Change Analysis

+- [Navigate to a change using custom filters in Change Analysis](change/change-analysis-custom-filters.md) - New article

+- [Pin and share a Change Analysis query to the Azure dashboard](change/change-analysis-query.md) - New article

+- [Use Change Analysis in Azure Monitor to find web-app issues](change/change-analysis.md) - Added details enabling for web app in-guest changes

+- [Configure ContainerLogv2 schema (preview) for Container Insights](containers/container-insights-logging-v2.md) - New article describing new schema for container logs

+- [Enable Container insights](containers/container-insights-onboard.md) - General rewrite to improve clarity

+- [Resource Manager template samples for Container insights](containers/resource-manager-container-insights.md) - Added Bicep examples

+- [Troubleshoot SQL Insights (preview)](insights/sql-insights-troubleshoot.md) - Added known issue for OS computer name.

+- [Azure Monitor customer-managed key](logs/customer-managed-keys.md) - Update limitations and constraint.

+- [Design a Log Analytics workspace architecture](logs/workspace-design.md) - Complete rewrite to better describe decision criteria and include Sentinel considerations

+- [Manage access to Log Analytics workspaces](logs/manage-access.md) - Consolidated and rewrote all content on configuring workspace access

+- [Restore logs in Azure Monitor (Preview)](logs/restore.md) - Documented new Log Analytics table management configuration UI, which lets you configure a table's log plan and archive and retention policies.

+- [Migrate from VM insights guest health (preview) to Azure Monitor log alerts](vm/vminsights-health-migrate.md) - New article describing process to replace VM guest health with alert rules

+- [VM insights guest health (preview)](vm/vminsights-health-overview.md) - Added deprecation statement

+* [SAP HANA backup and recovery on Azure NetApp Files with SnapCenter Service](https://docs.netapp.com/us-en/netapp-solutions-sap/pdfs/sidebar/SAP_HANA_backup_and_recovery_on_Azure_NetApp_Files_with_SnapCenter_Service.pdf)

+* [Attach Azure NetApp Files datastores to Azure VMware Solution hosts](../azure-vmware/attach-azure-netapp-files-to-azure-vmware-solution-hosts.md)

+* [Attach Azure NetApp Files to Azure VMware Solution VMs - Guest OS Mounts](../azure-vmware/netapp-files-with-azure-vmware-solution.md)

+Azure NetApp Files might undergo occasional planned maintenance (for example, platform updates, service or software upgrades). From a file protocol (NFS/SMB) perspective, the maintenance operations are non-disruptive, as long as the application can handle the IO pauses that might briefly occur during these events. The I/O pauses are typically short, ranging from a few seconds up to 30 seconds. The NFS protocol is especially robust, and client-server file operations continue normally. Some applications might require tuning to handle IO pauses for as long as 30-45 seconds. As such, ensure that you're aware of the applicationΓÇÖs resiliency settings to cope with the storage service maintenance events. For human interactive applications leveraging the SMB protocol, the standard protocol settings are usually sufficient.

+Yes, certain SMB-based applications require SMB Transparent Failover. SMB Transparent Failover enables maintenance operations on the Azure NetApp Files service without interrupting connectivity to server applications storing and accessing data on SMB volumes. To support SMB Transparent Failover for specific applications, Azure NetApp Files now supports the [SMB Continuous Availability shares option](azure-netapp-files-create-volumes-smb.md#continuous-availability). Using SMB Continuous Availability is only supported for workloads on:

+* Citrix App Laying

+* [FSLogix user profile containers](../virtual-desktop/create-fslogix-profile-container.md)

+* Microsoft SQL Server (not Linux SQL Server)

+## I'm running IBM MQ on Azure NetApp Files. What precautions can I take to avoid disruptions due to storage service maintenance events despite using the NFS protocol?

+If you're running the [IBM MQ application in a shared files configuration](https://www.ibm.com/docs/en/ibm-mq/9.2?topic=multiplatforms-sharing-mq-files), where the IBM MQ data and logs are stored on an Azure NetApp Files volume, the following considerations are recommended to improve resilience during storage service maintenance events:

+## I'm running Apache ActiveMQ with LevelDB or KahaDB on Azure NetApp Files. What precautions can I take to avoid disruptions due to storage service maintenance events despite using the *NFS* protocol?

+If you're running the Apache ActiveMQ, it is recommended to deploy [ActiveMQ High Availability with Pluggable Storage Lockers](https://www.openlogic.com/blog/pluggable-storage-lockers-activemq).

+## I'm running Apache ActiveMQ with LevelDB or KahaDB on Azure NetApp Files. What precautions can I take to avoid disruptions due to storage service maintenance events despites using the *SMB* protocol?

+The general industry recommendation is to [not run your KahaDB shared storage on CIFS/SMB](https://www.openlogic.com/blog/activemq-community-deprecates-leveldb-what-you-need-know). If you're having trouble maintaining accurate lock state, check out the JDBC Pluggable Storage Locker, which can provide a more reliable locking mechanism. For support or consultancy on ActiveMQ HA architectures and deployments, you should [contact OpenLogic by Perforce](https://www.openlogic.com/contact-us).

+# [Service principal](#tab/userlevel)

+Your GitHub Actions run under an identity. Use the [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command to create a [service principal](../../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) for the identity.

+# [Open ID Connect](#tab/openid)

+Open ID Connect is an authentication method that uses short-lived tokens. Setting up [OpenID Connect with GitHub Actions](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) is more complex process that offers hardened security.

+1. If you do not have an existing application, register a [new Active Directory application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md). Create the Active Directory application.

+ ```azurecli-interactive

+ az ad app create --display-name myApp

+ ```

+ This command will output JSON with an `appId` that is your `client-id`. Save the value to use as the `AZURE_CLIENT_ID` GitHub secret later.

+ You'll use the `objectId` value when creating federated credentials with Graph API and reference it as the `APPLICATION-OBJECT-ID`.

+1. Create a service principal. Replace the `$appID` with the appId from your JSON output.

+ This command generates JSON output with a different `objectId` and will be used in the next step. The new `objectId` is the `assignee-object-id`.

+

+ Copy the `appOwnerTenantId` to use as a GitHub secret for `AZURE_TENANT_ID` later.

+ ```azurecli-interactive

+ az ad sp create --id $appId

+ ```

+1. Create a new role assignment by subscription and object. By default, the role assignment will be tied to your default subscription. Replace `$subscriptionId` with your subscription ID, `$resourceGroupName` with your resource group name, and `$assigneeObjectId` with the generated `assignee-object-id`. Learn [how to manage Azure subscriptions with the Azure CLI](/cli/azure/manage-azure-subscriptions-azure-cli).

+ ```azurecli-interactive

+ az role assignment create --role contributor --subscription $subscriptionId --assignee-object-id $assigneeObjectId --assignee-principal-type ServicePrincipal --scopes /subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Web/sites/

+ ```

+1. Run the following command to [create a new federated identity credential](/graph/api/application-post-federatedidentitycredentials?view=graph-rest-beta&preserve-view=true) for your active directory application.

+ * Replace `APPLICATION-OBJECT-ID` with the **objectId (generated while creating app)** for your Active Directory application.

+ * Set a value for `CREDENTIAL-NAME` to reference later.

+ * Set the `subject`. The value of this is defined by GitHub depending on your workflow:

+ * Jobs in your GitHub Actions environment: `repo:< Organization/Repository >:environment:< Name >`

+ * For Jobs not tied to an environment, include the ref path for branch/tag based on the ref path used for triggering the workflow: `repo:< Organization/Repository >:ref:< ref path>`. For example, `repo:n-username/ node_express:ref:refs/heads/my-branch` or `repo:n-username/ node_express:ref:refs/tags/my-tag`.

+ * For workflows triggered by a pull request event: `repo:< Organization/Repository >:pull_request`.

+

+ ```azurecli

+ az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:organization/repository:ref:refs/heads/main","description":"Testing","audiences":["api://AzureADTokenExchange"]}'

+ ```

+

+ To learn how to create a Create an active directory application, service principal, and federated credentials in Azure portal, see [Connect GitHub and Azure](/azure/developer/github/connect-from-azure#use-the-azure-login-action-with-openid-connect).

+

+# [Service principal](#tab/userlevel)

+# [Open ID Connect](#tab/openid)

+You need to provide your application's **Client ID**, **Tenant ID**, and **Subscription ID** to the login action. These values can either be provided directly in the workflow or can be stored in GitHub secrets and referenced in your workflow. Saving the values as GitHub secrets is the more secure option.

+1. Open your GitHub repository and go to **Settings**.

+1. Select **Settings > Secrets > New secret**.

+1. Create secrets for `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_SUBSCRIPTION_ID`. Use these values from your Active Directory application for your GitHub secrets:

+ |GitHub Secret | Active Directory Application |

+ |||

+ |AZURE_CLIENT_ID | Application (client) ID |

+ |AZURE_TENANT_ID | Directory (tenant) ID |

+ |AZURE_SUBSCRIPTION_ID | Subscription ID |

+1. Save each secret by selecting **Add secret**.

+ # [Service principal](#tab/userlevel)

+

+

+ # [OpenID Connect](#tab/openid)

+

+ ```yml

+ on: [push]

+ name: Azure ARM

+ jobs:

+ build-and-deploy:

+ runs-on: ubuntu-latest

+ steps:

+ # Checkout code

+ - uses: actions/checkout@main

+ # Log into Azure

+ - uses: azure/login@v1

+ with:

+ client-id: ${{ secrets.AZURE_CLIENT_ID }}

+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}

+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

+ # Deploy Bicep file

+ - name: deploy

+ uses: azure/arm-deploy@v1

+ with:

+ subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}

+ resourceGroupName: ${{ secrets.AZURE_RG }}

+ template: ./main.bicep

+ parameters: storagePrefix=mystore

+ failOnStdErr: false

+ ```

+

+> If you open issue in GitHub, keep your sensitive information (For example, resource ID, server/client logs) private, only send to members in Microsoft organization privately.

+>[!TIP]

+>To enable this feature for your subscription, register the ```PIPOnNSXEnabled``` flag and follow these steps to [set up the preview feature in your Azure subscription](https://docs.microsoft.com/azure/azure-resource-manager/management/preview-features?tabs=azure-portal).

+ - **Pre-script file**: Permission ΓÇ£700.ΓÇ¥ For example, only ΓÇ£rootΓÇ¥ user should have ΓÇ£readΓÇ¥, ΓÇ£writeΓÇ¥, and ΓÇ£executeΓÇ¥ permissions to this file. The file is expected to be a shell script but theoretically this script can internally spawn or refer to other scripts like a python script.

+ - **Post-script** Permission ΓÇ£700.ΓÇ¥ For example, only ΓÇ£rootΓÇ¥ user should have ΓÇ£readΓÇ¥, ΓÇ£writeΓÇ¥, and ΓÇ£executeΓÇ¥ permissions to this file. The file is expected to be a shell script but theoretically this script can internally spawn or refer to other scripts like a python script.

+Find the instances where auto-protection is enabled using the following PowerShell command.

+```azurepowershell

+Get-AzRecoveryServicesBackupProtectableItem -WorkloadType MSSQL -VaultId $testVault.ID | Where-Object {$_.IsAutoProtected -eq $true}

+```

+Then pick the relevant protectable item name and server name from the output and disable auto-protection for those instances.

+ Title: Azure Resource Manager and Bicep templates

+description: Azure Resource Manager and Bicep templates for use with Recovery Services vaults and Azure Backup features

+# Azure Resource Manager and Bicep templates for Azure Backup

+The following table includes a link to a repository of Azure Resource Manager and Bicep templates for use with Recovery Services vaults and Azure Backup features. To learn about the JSON or Bicep syntax and properties, see [Microsoft.RecoveryServices resource types](/azure/templates/microsoft.recoveryservices/allversions).

+**Direct backup of Windows machine with MARS agent** | - Files, folders <br><br> - System state | Back up to Recovery Services vault. | - Back up three times a day<br/><br/> - Back up once a day. <br><br> No app-aware backup<br/><br/> Restore file, folder, volume

+**Azure VM backup by using MARS agent** | - Files, folders <br><br> - System state | Back up to vault. | - Back up three times a day. <br><br> - Back up once a day. <br/><br/> If you want to back up specific files or folders rather than the entire VM, the MARS agent can run alongside the VM extension.

+- We strongly recommended to restore the "master" database using the [Restore as files](#restore-as-files) option and then restore [using T-SQL commands](/sql/relational-databases/backup-restore/restore-the-master-database-transact-sql).

+- For all system databases (model, msdb), stop the SQL Server Agent service before you trigger the restore.

+> [!IMPORTANT]

+> The [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory) NuGet package and Azure AD Authentication Library (ADAL) have been deprecated. No new features have been added since June 30, 2020. We strongly encourage you to upgrade, see the [migration guide](/azure/active-directory/develop/msal-migration) for more details.

+The [Azure IoT CLI extension](/cli/azure/iot/product?view=azure-cli-latest&preserve-view=true) lets you validate that the device implementation matches the model before you submit the device for certification through the Azure Certified Device portal.

+sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && sudo yum -y install stress-ng

+sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && sudo yum -y install stress-ng

+|*URL for public image|``|`How can I create a bot with `||

+Review batch testing [file formats](reference-tsv-format-batch-testing.md).

+description: In this quickstart, you translate speech from one language to text in another language.

+> [Learn more about speech translation](how-to-translate-speech.md)

+ Title: Use pronunciation assessment

+description: Learn about pronunciation assessment features that are currently publicly available.

+zone_pivot_groups: programming-languages-speech-sdk

+# Use pronunciation assessment

+In this article, you'll learn how to use pronunciation assessment through the Speech SDK.

+> [!NOTE]

+> pronunciation assessment is not available with the Speech SDK for Go.

+You can get pronunciation assessment scores for:

+- Full text

+- Words

+- Syllable groups

+- Phonemes in SAPI or IPA format

+> [!NOTE]

+> For information about availability of pronunciation assessment, see [supported languages](language-support.md#pronunciation-assessment) and [available regions](regions.md#speech-to-text-pronunciation-assessment-text-to-speech-and-translation).

+## Configuration parameters

+This table lists some of the key configuration parameters for pronunciation assessment.

+| Parameter | Description |

+|--|-|

+| `ReferenceText` | The text that the pronunciation will be evaluated against. |

+| `GradingSystem` | The point system for score calibration. The `FivePoint` system gives a 0-5 floating point score, and `HundredMark` gives a 0-100 floating point score. |

+| `Granularity` | The evaluation granularity. Accepted values are `Phoneme`, which shows the score on the full text, word and phoneme level, `Word`, which shows the score on the full text and word level, or `FullText`, which shows the score on the full text level only. |

+| `EnableMiscue` | Enables miscue calculation when the pronounced words are compared to the reference text. If this value is `True`, the `ErrorType` result value can be set to `Omission` or `Insertion` based on the comparison. Accepted values are `False` and `True`. Default: `False`. |

+You must create a `PronunciationAssessmentConfig` object with the reference text, grading system, and granularity. Enabling miscue and other configuration settings are optional.

+ referenceText: "good morning",

+ gradingSystem: GradingSystem.HundredMark,

+ granularity: Granularity.Phoneme,

+ enableMiscue: true);

+```

+

+```cpp

+auto pronunciationAssessmentConfig = PronunciationAssessmentConfig::CreateFromJson("{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\"}");

+```

+```Java

+PronunciationAssessmentConfig pronunciationAssessmentConfig = PronunciationAssessmentConfig.fromJson("{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\"}");

+```

+```Python

+pronunciation_assessment_config = speechsdk.PronunciationAssessmentConfig(json_string="{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\"}")

+```

+```JavaScript

+var pronunciationAssessmentConfig = SpeechSDK.PronunciationAssessmentConfig.fromJSON("{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\"}");

+```

+```ObjectiveC

+SPXPronunciationAssessmentConfiguration *pronunciationAssessmentConfig =

+[[SPXPronunciationAssessmentConfiguration alloc] init:@"good morning"

+ gradingSystem:SPXPronunciationAssessmentGradingSystem_HundredMark

+ granularity:SPXPronunciationAssessmentGranularity_Phoneme

+ enableMiscue:true];

+```

+```swift

+var pronunciationAssessmentConfig: SPXPronunciationAssessmentConfiguration?

+do {

+ try pronunciationAssessmentConfig = SPXPronunciationAssessmentConfiguration.init(referenceText, gradingSystem: SPXPronunciationAssessmentGradingSystem.hundredMark, granularity: SPXPronunciationAssessmentGranularity.phoneme, enableMiscue: true)

+} catch {

+ print("error \(error) happened")

+ pronunciationAssessmentConfig = nil

+ return

+}

+```

+## Syllable groups

+For the [supported languages](language-support.md#pronunciation-assessment) in public preview, pronunciation assessment can provide syllable-level assessment results along with phonemes. Grouping in syllables is more legible and aligned with speaking habits, as a word is typically pronounced syllable by syllable rather than phoneme by phoneme.

+The following table compares example phonemes with the corresponding syllables.

+| Sample word | Phonemes | Syllables |

+|--|-|-|

+|technological|teknələdʒɪkl|tek·nə·lɑ·dʒɪkl|

+|hello|hɛloʊ|hɛ·loʊ|

+|luck|lʌk|lʌk|

+|photosynthesis|foʊtəsɪnθəsɪs|foʊ·tə·sɪn·θə·sɪs|

+To request syllable-level results along with phonemes, set the granularity [configuration parameter](#configuration-parameters) to `Phoneme`.

+## Phoneme alphabet format

+The phoneme name is provided together with the score, to help identity which phonemes were pronounced accurately or inaccurately. For the [supported languages](language-support.md#pronunciation-assessment) in public preview, you can get the phoneme name in [SAPI](/previous-versions/windows/desktop/ee431828(v=vs.85)#american-english-phoneme-table) or [IPA](https://en.wikipedia.org/wiki/IPA) format.

+The following table compares example SAPI phonemes with the corresponding IPA phonemes.

+| Sample word | SAPI Phonemes | IPA phonemes |

+|--|-|-|

+|hello|h eh l ow|h ɛ l oʊ|

+|luck|l ah k|l ʌ k|

+|photosynthesis|f ow t ax s ih n th ax s ih s|f oʊ t ə s ɪ n θ ə s ɪ s|

+To request IPA phonemes, set the phoneme alphabet to `"IPA"`. If you don't specify the alphabet, the phonemes will be in SAPI format by default.

+```csharp

+pronunciationAssessmentConfig.PhonemeAlphabet = "IPA";

+```

+

+```cpp

+auto pronunciationAssessmentConfig = PronunciationAssessmentConfig::CreateFromJson("{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\",\"phonemeAlphabet\":\"IPA\"}");

+```

+

+```Java

+PronunciationAssessmentConfig pronunciationAssessmentConfig = PronunciationAssessmentConfig.fromJson("{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\",\"phonemeAlphabet\":\"IPA\"}");

+```

+```Python

+pronunciation_assessment_config = speechsdk.PronunciationAssessmentConfig(json_string="{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\",\"phonemeAlphabet\":\"IPA\"}")

+```

+```JavaScript

+var pronunciationAssessmentConfig = SpeechSDK.PronunciationAssessmentConfig.fromJSON("{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\",\"phonemeAlphabet\":\"IPA\"}");

+```

+

+```ObjectiveC

+pronunciationAssessmentConfig.phonemeAlphabet = @"IPA";

+```

+```swift

+pronunciationAssessmentConfig?.phonemeAlphabet = "IPA"

+```

+## Spoken phoneme

+> [!NOTE]

+> The spoken phoneme feature of pronunciation assessment is only generally available for the `en-US` locale.

+With spoken phonemes, you can get confidence scores indicating how likely the spoken phonemes matched the expected phonemes.

+For example, when you speak the word "hello", the expected IPA phonemes are "h ɛ l oʊ". The actual spoken phonemes could be "h ə l oʊ". In the following assessment result, the most likely spoken phoneme was `"ə"` instead of the expected phoneme `"ɛ"`. The expected phoneme `"ɛ"` only received a confidence score of 47. Other potential matches received confidence scores of 52, 17, and 2.

+```json

+{

+ "Phoneme": "ɛ",

+ "PronunciationAssessment": {

+ "AccuracyScore": 47.0,

+ "NBestPhonemes": [

+ {

+ "Phoneme": "ə",

+ "Score": 100.0

+ },

+ {

+ "Phoneme": "l",

+ "Score": 52.0

+ },

+ {

+ "Phoneme": "ɛ",

+ "Score": 47.0

+ },

+ {

+ "Phoneme": "h",

+ "Score": 17.0

+ },

+ {

+ "Phoneme": "æ",

+ "Score": 2.0

+ }

+ ]

+ },

+ "Offset": 11100000,

+ "Duration": 500000

+},

+```

+To indicate whether, and how many potential spoken phonemes to get confidence scores for, set the `NBestPhonemeCount` parameter to an integer value such as `5`.

+

+```csharp

+pronunciationAssessmentConfig.NBestPhonemeCount = 5;

+```

+

+```cpp

+auto pronunciationAssessmentConfig = PronunciationAssessmentConfig::CreateFromJson("{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\",\"phonemeAlphabet\":\"IPA\",\"nBestPhonemeCount\":5}");

+```

+

+```Java

+PronunciationAssessmentConfig pronunciationAssessmentConfig = PronunciationAssessmentConfig.fromJson("{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\",\"phonemeAlphabet\":\"IPA\",\"nBestPhonemeCount\":5}");

+```

+

+```Python

+pronunciation_assessment_config = speechsdk.PronunciationAssessmentConfig(json_string="{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\",\"phonemeAlphabet\":\"IPA\",\"nBestPhonemeCount\":5}")

+```

+```JavaScript

+var pronunciationAssessmentConfig = SpeechSDK.PronunciationAssessmentConfig.fromJSON("{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\",\"phonemeAlphabet\":\"IPA\",\"nBestPhonemeCount\":5}");

+```

+

+

+```ObjectiveC

+pronunciationAssessmentConfig.nbestPhonemeCount = 5;

+```

+```swift

+pronunciationAssessmentConfig?.nbestPhonemeCount = 5

+```

+## Get pronunciation assessment results

+When speech is recognized, you can request the pronunciation assessment results as SDK objects or a JSON string.

+```csharp

+using (var speechRecognizer = new SpeechRecognizer(

+ pronunciationAssessmentConfig.ApplyTo(speechRecognizer);

+ var speechRecognitionResult = await speechRecognizer.RecognizeOnceAsync();

+ // The pronunciation assessment result as a Speech SDK object

+ // The pronunciation assessment result as a JSON string

+ var pronunciationAssessmentResultJson = speechRecognitionResult.Properties.GetProperty(PropertyId.SpeechServiceResponse_JsonResult);

+

+Word, syllable, and phoneme results aren't available via SDK objects with the Speech SDK foc C++. Word, syllable, and phoneme results are only available in the JSON string.

+```cpp

+auto speechRecognizer = SpeechRecognizer::FromConfig(

+pronunciationAssessmentConfig->ApplyTo(speechRecognizer);

+speechRecognitionResult = speechRecognizer->RecognizeOnceAsync().get();

+// The pronunciation assessment result as a Speech SDK object

+// The pronunciation assessment result as a JSON string

+auto pronunciationAssessmentResultJson = speechRecognitionResult->Properties.GetProperty(PropertyId::SpeechServiceResponse_JsonResult);

+```

+

+For Android application development, the word, syllable, and phoneme results are available via SDK objects with the Speech SDK foc Java. The results are also available in the JSON string. For Java Runtime (JRE) application development, the word, syllable, and phoneme results are only available in the JSON string.

+```Java

+SpeechRecognizer speechRecognizer = new SpeechRecognizer(

+pronunciationAssessmentConfig.applyTo(speechRecognizer);

+Future<SpeechRecognitionResult> future = speechRecognizer.recognizeOnceAsync();

+SpeechRecognitionResult speechRecognitionResult = future.get(30, TimeUnit.SECONDS);

+// The pronunciation assessment result as a Speech SDK object

+ PronunciationAssessmentResult.fromResult(speechRecognitionResult);

+// The pronunciation assessment result as a JSON string

+String pronunciationAssessmentResultJson = speechRecognitionResult.getProperties().getProperty(PropertyId.SpeechServiceResponse_JsonResult);

+speechRecognitionResult.close();

+```JavaScript

+var speechRecognizer = SpeechSDK.SpeechRecognizer.FromConfig(speechConfig, audioConfig);

+pronunciationAssessmentConfig.applyTo(speechRecognizer);

+speechRecognizer.recognizeOnceAsync((speechRecognitionResult: SpeechSDK.SpeechRecognitionResult) => {

+ // The pronunciation assessment result as a Speech SDK object

+ var pronunciationAssessmentResult = SpeechSDK.PronunciationAssessmentResult.fromResult(speechRecognitionResult);

+ // The pronunciation assessment result as a JSON string

+ var pronunciationAssessmentResultJson = speechRecognitionResult.properties.getProperty(SpeechSDK.PropertyId.SpeechServiceResponse_JsonResult);

+},

+{});

+```

+

+speech_recognition_result = speech_recognizer.recognize_once()

+# The pronunciation assessment result as a Speech SDK object

+pronunciation_assessment_result = speechsdk.PronunciationAssessmentResult(speech_recognition_result)

+# The pronunciation assessment result as a JSON string

+pronunciation_assessment_result_json = speech_recognition_result.properties.get(speechsdk.PropertyId.SpeechServiceResponse_JsonResult)

+

+```ObjectiveC

+SPXSpeechRecognitionResult *speechRecognitionResult = [speechRecognizer recognizeOnce];

+// The pronunciation assessment result as a Speech SDK object

+SPXPronunciationAssessmentResult* pronunciationAssessmentResult = [[SPXPronunciationAssessmentResult alloc] init:speechRecognitionResult];

+// The pronunciation assessment result as a JSON string

+NSString* pronunciationAssessmentResultJson = [speechRecognitionResult.properties getPropertyByName:SPXSpeechServiceResponseJsonResult];

+```swift

+let speechRecognizer = try! SPXSpeechRecognizer(speechConfiguration: speechConfig, audioConfiguration: audioConfig)

+try! pronConfig.apply(to: speechRecognizer)

+let speechRecognitionResult = try? speechRecognizer.recognizeOnce()

+// The pronunciation assessment result as a Speech SDK object

+let pronunciationAssessmentResult = SPXPronunciationAssessmentResult(speechRecognitionResult!)

+// The pronunciation assessment result as a JSON string

+let pronunciationAssessmentResultJson = speechRecognitionResult!.properties?.getPropertyBy(SPXPropertyId.speechServiceResponseJsonResult)

+```

+### Result parameters

+This table lists some of the key pronunciation assessment results.

+### JSON result example

+Pronunciation assessment results for the spoken word "hello" are shown as a JSON string in the following example. Here's what you should know:

+- The phoneme [alphabet](#phoneme-alphabet-format) is IPA.

+- The [syllables](#syllable-groups) are returned alongside phonemes for the same word.

+- You can use the `Offset` and `Duration` values to align syllables with their corresponding phonemes. For example, the starting offset (11700000) of the second syllable ("loʊ") aligns with the third phoneme ("l").

+- There are five `NBestPhonemes` corresponding to the number of [spoken phonemes](#spoken-phoneme) requested.

+- Within `Phonemes`, the most likely [spoken phonemes](#spoken-phoneme) was `"ə"` instead of the expected phoneme `"ɛ"`. The expected phoneme `"ɛ"` only received a confidence score of 47. Other potential matches received confidence scores of 52, 17, and 2.

+ "Id": "bbb42ea51bdb46d19a1d685e635fe173",

+ "RecognitionStatus": 0,

+ "Offset": 7500000,

+ "Duration": 13800000,

+ "DisplayText": "Hello.",

+ "SNR": 34.879055,

+ "NBest": [

+ {

+ "Confidence": 0.975003,

+ "Lexical": "hello",

+ "ITN": "hello",

+ "MaskedITN": "hello",

+ "Display": "Hello.",

+ "PronunciationAssessment": {

+ "AccuracyScore": 100,

+ "FluencyScore": 100,

+ "CompletenessScore": 100,

+ "PronScore": 100

+ },

+ "Words": [

+ {

+ "Word": "hello",

+ "Offset": 7500000,

+ "Duration": 13800000,

+ "PronunciationAssessment": {

+ "AccuracyScore": 99.0,

+ "ErrorType": "None"

+ },

+ "Syllables": [

+ {

+ "Syllable": "hɛ",

+ "PronunciationAssessment": {

+ "AccuracyScore": 91.0

+ },

+ "Offset": 7500000,

+ "Duration": 4100000

+ },

+ {

+ "Syllable": "loʊ",

+ "PronunciationAssessment": {

+ "AccuracyScore": 100.0

+ },

+ "Offset": 11700000,

+ "Duration": 9600000

+ }

+ ],

+ "Phonemes": [

+ {

+ "Phoneme": "h",

+ "PronunciationAssessment": {

+ "AccuracyScore": 98.0,

+ "NBestPhonemes": [

+ {

+ "Phoneme": "h",

+ "Score": 100.0

+ },

+ {

+ "Phoneme": "oʊ",

+ "Score": 52.0

+ },

+ {

+ "Phoneme": "ə",

+ "Score": 35.0

+ },

+ {

+ "Phoneme": "k",

+ "Score": 23.0

+ },

+ {

+ "Phoneme": "æ",

+ "Score": 20.0

+ }

+ ]

+ },

+ "Offset": 7500000,

+ "Duration": 3500000

+ },

+ {

+ "Phoneme": "ɛ",

+ "PronunciationAssessment": {

+ "AccuracyScore": 47.0,

+ "NBestPhonemes": [

+ {

+ "Phoneme": "ə",

+ "Score": 100.0

+ },

+ {

+ "Phoneme": "l",

+ "Score": 52.0

+ },

+ {

+ "Phoneme": "ɛ",

+ "Score": 47.0

+ },

+ {

+ "Phoneme": "h",

+ "Score": 17.0

+ },

+ {

+ "Phoneme": "æ",

+ "Score": 2.0

+ }

+ ]

+ },

+ "Offset": 11100000,

+ "Duration": 500000

+ },

+ {

+ "Phoneme": "l",

+ "PronunciationAssessment": {

+ "AccuracyScore": 100.0,

+ "NBestPhonemes": [

+ {

+ "Phoneme": "l",

+ "Score": 100.0

+ },

+ {

+ "Phoneme": "oʊ",

+ "Score": 46.0

+ },

+ {

+ "Phoneme": "ə",

+ "Score": 5.0

+ },

+ {

+ "Phoneme": "ɛ",

+ "Score": 3.0

+ },

+ {

+ "Phoneme": "u",

+ "Score": 1.0

+ }

+ ]

+ },

+ "Offset": 11700000,

+ "Duration": 1100000

+ },

+ {

+ "Phoneme": "oʊ",

+ "PronunciationAssessment": {

+ "AccuracyScore": 100.0,

+ "NBestPhonemes": [

+ {

+ "Phoneme": "oʊ",

+ "Score": 100.0

+ },

+ {

+ "Phoneme": "d",

+ "Score": 29.0

+ },

+ {

+ "Phoneme": "t",

+ "Score": 24.0

+ },

+ {

+ "Phoneme": "n",

+ "Score": 22.0

+ },

+ {

+ "Phoneme": "l",

+ "Score": 18.0

+ }

+ ]

+ },

+ "Offset": 12900000,

+ "Duration": 8400000

+ }

+ ]

+ }

+ ]

+ }

+ ]

+- Try out [pronunciation assessment in Speech Studio](pronunciation-assessment-tool.md)

+- Try out the [pronunciation assessment demo](https://github.com/Azure-Samples/Cognitive-Speech-TTS/tree/master/PronunciationAssessment/BrowserJS) and watch the [video tutorial](https://www.youtube.com/watch?v=zFlwm7N4Awc) of pronunciation assessment.

+ Title: "How to translate speech - Speech service"

+description: Learn how to translate speech from one language to text in another language, including object construction and supported audio input formats.

+zone_pivot_groups: programming-languages-speech-services

+# How to recognize and translate speech

+## Next steps

+* [Try the speech to text quickstart](get-started-speech-to-text.md)

+* [Try the speech translation quickstart](get-started-speech-translation.md)

+* [Improve recognition accuracy with custom speech](custom-speech-overview.md)

+ Title: How to use pronunciation assessment in Speech Studio

+description: The pronunciation assessment tool in Speech Studio gives you feedback on the accuracy and fluency of your speech, no coding required.

+# Pronunciation assessment in Speech Studio

+Pronunciation assessment provides subjective and objective feedback to language learners. Practicing pronunciation and getting timely feedback are essential for improving language skills. Assessments driven by experienced teachers can take a lot of time and effort, and makes a high-quality assessment expensive for learners. Pronunciation assessment can help make the language assessment more engaging and accessible to learners of all backgrounds.

+Pronunciation assessment provides various assessment results in different granularities, from individual phonemes to the entire text input.

+- At the full-text level, pronunciation assessment offers additional Fluency and Completeness scores: Fluency indicates how closely the speech matches a native speaker's use of silent breaks between words, and Completeness indicates how many words are pronounced in the speech to the reference text input. An overall score aggregated from Accuracy, Fluency and Completeness is then given to indicate the overall pronunciation quality of the given speech.

+- At the word-level, pronunciation assessment can automatically detect miscues and provide accuracy score simultaneously, which provides more detailed information on omission, repetition, insertions, and mispronunciation in the given speech.

+- At the phoneme level, pronunciation assessment provides accuracy scores of each phoneme, helping learners to better understand the pronunciation details of their speech.

+This article describes how to use the pronunciation assessment tool through the [Speech Studio](https://speech.microsoft.com). You can get immediate feedback on the accuracy and fluency of your speech without writing any code. For information about how to integrate pronunciation assessment in your speech applications, see [How to use pronunciation assessment](how-to-pronunciation-assessment.md).

+## Try out pronunciation assessment

+You can explore and try out pronunciation assessment even without signing in.

+> [!TIP]

+> To assess more than 5 seconds of speech with your own script, sign in with an Azure account and use your Speech or Cognitive Services resource.

+Follow these steps to assess your pronunciation of the reference text:

+1. Go to **Pronunciation Assessment** in the [Speech Studio](https://aka.ms/speechstudio/pronunciationassessment).

+1. Choose a supported [language](language-support.md#pronunciation-assessment) that you want to evaluate the pronunciation.

+1. Choose from the provisioned text samples, or under the **Enter your own script** label, enter your own reference text.

+ When reading the text, you should be close to microphone to make sure the recorded voice isn't too low.

+ :::image type="content" source="media/pronunciation-assessment/pa-record.png" alt-text="Screenshot of where to record audio with a microphone.":::

+ Otherwise you can upload recorded audio for pronunciation assessment. Once successfully uploaded, the audio will be automatically evaluated by the system, as shown in the following screenshot.

+ :::image type="content" source="media/pronunciation-assessment/pa-upload.png" alt-text="Screenshot of uploading recorded audio to be assessed.":::

+## Pronunciation assessment results

+Once you've recorded the reference text or uploaded the recorded audio, the **Assessment result** will be output. The result includes your spoken audio and the feedback on the accuracy and fluency of spoken audio, by comparing a machine generated transcript of the input audio with the reference text. You can listen to your spoken audio, and download it if necessary.

+You can also check the pronunciation assessment result in JSON. The word-level, syllable-level, and phoneme-level accuracy scores are included in the JSON file.

+### Overall scores

+Pronunciation Assessment evaluates three aspects of pronunciation: accuracy, fluency, and completeness. At the bottom of **Assessment result**, you can see **Pronunciation score**, **Accuracy score**, **Fluency score**, and **Completeness score**. The **Pronunciation score** is overall score indicating the pronunciation quality of the given speech. This overall score is aggregated from **Accuracy score**, **Fluency score**, and **Completeness score** with weight.

+### Scores within words

+### [Display](#tab/display)

+The complete transcription is shown in the **Display** window. If a word is omitted, inserted, or mispronounced compared to the reference text, the word will be highlighted according to the error type. While hovering over each word, you can see accuracy scores for the whole word or specific phonemes.

+### [JSON](#tab/json)

+The complete transcription is shown in the `text` attribute. You can see accuracy scores for the whole word, syllables, and specific phonemes. You can get the same results using the Speech SDK. For information, see [How to use Pronunciation Assessment](how-to-pronunciation-assessment.md).

+```json

+{

+ "text": "Today was a beautiful day. We had a great time taking a long long walk in the morning. The countryside was in full bloom, yet the air was crisp and cold towards end of the day clouds came in forecasting much needed rain.",

+ "duration": 156100000,

+ "offset": 800000,

+ "json": {

+ "Id": "f583d7588c89425d8fce76686c11ed12",

+ "RecognitionStatus": 0,

+ "Offset": 800000,

+ "Duration": 156100000,

+ "DisplayText": "Today was a beautiful day. We had a great time taking a long long walk in the morning. The countryside was in full bloom, yet the air was crisp and cold towards end of the day clouds came in forecasting much needed rain.",

+ "SNR": 40.47014,

+ "NBest": [

+ {

+ "Confidence": 0.97532314,

+ "Lexical": "today was a beautiful day we had a great time taking a long long walk in the morning the countryside was in full bloom yet the air was crisp and cold towards end of the day clouds came in forecasting much needed rain",

+ "ITN": "today was a beautiful day we had a great time taking a long long walk in the morning the countryside was in full bloom yet the air was crisp and cold towards end of the day clouds came in forecasting much needed rain",

+ "MaskedITN": "today was a beautiful day we had a great time taking a long long walk in the morning the countryside was in full bloom yet the air was crisp and cold towards end of the day clouds came in forecasting much needed rain",

+ "Display": "Today was a beautiful day. We had a great time taking a long long walk in the morning. The countryside was in full bloom, yet the air was crisp and cold towards end of the day clouds came in forecasting much needed rain.",

+ "PronunciationAssessment": {

+ "AccuracyScore": 92,

+ "FluencyScore": 81,

+ "CompletenessScore": 93,

+ "PronScore": 85.6

+ },

+ "Words": [

+ // Words preceding "countryside" are omitted for brevity...

+ {

+ "Word": "countryside",

+ "Offset": 66200000,

+ "Duration": 7900000,

+ "PronunciationAssessment": {

+ "AccuracyScore": 30,

+ "ErrorType": "Mispronunciation"

+ },

+ "Syllables": [

+ {

+ "Syllable": "kahn",

+ "PronunciationAssessment": {

+ "AccuracyScore": 3

+ },

+ "Offset": 66200000,

+ "Duration": 2700000

+ },

+ {

+ "Syllable": "triy",

+ "PronunciationAssessment": {

+ "AccuracyScore": 19

+ },

+ "Offset": 69000000,

+ "Duration": 1100000

+ },

+ {

+ "Syllable": "sayd",

+ "PronunciationAssessment": {

+ "AccuracyScore": 51

+ },

+ "Offset": 70200000,

+ "Duration": 3900000

+ }

+ ],

+ "Phonemes": [

+ {

+ "Phoneme": "k",

+ "PronunciationAssessment": {

+ "AccuracyScore": 0

+ },

+ "Offset": 66200000,

+ "Duration": 900000

+ },

+ {

+ "Phoneme": "ah",

+ "PronunciationAssessment": {

+ "AccuracyScore": 0

+ },

+ "Offset": 67200000,

+ "Duration": 1000000

+ },

+ {

+ "Phoneme": "n",

+ "PronunciationAssessment": {

+ "AccuracyScore": 11

+ },

+ "Offset": 68300000,

+ "Duration": 600000

+ },

+ {

+ "Phoneme": "t",

+ "PronunciationAssessment": {

+ "AccuracyScore": 16

+ },

+ "Offset": 69000000,

+ "Duration": 300000

+ },

+ {

+ "Phoneme": "r",

+ "PronunciationAssessment": {

+ "AccuracyScore": 27

+ },

+ "Offset": 69400000,

+ "Duration": 300000

+ },

+ {

+ "Phoneme": "iy",

+ "PronunciationAssessment": {

+ "AccuracyScore": 15

+ },

+ "Offset": 69800000,

+ "Duration": 300000

+ },

+ {

+ "Phoneme": "s",

+ "PronunciationAssessment": {

+ "AccuracyScore": 26

+ },

+ "Offset": 70200000,

+ "Duration": 1700000

+ },

+ {

+ "Phoneme": "ay",

+ "PronunciationAssessment": {

+ "AccuracyScore": 56

+ },

+ "Offset": 72000000,

+ "Duration": 1300000

+ },

+ {

+ "Phoneme": "d",

+ "PronunciationAssessment": {

+ "AccuracyScore": 100

+ },

+ "Offset": 73400000,

+ "Duration": 700000

+ }

+ ]

+ },

+ // Words following "countryside" are omitted for brevity...

+ ]

+ }

+ ]

+ }

+}

+```

+## Next steps

+- Use [pronunciation assessment with the Speech SDK](how-to-pronunciation-assessment.md)

+- Read the blog about [use cases](https://techcommunity.microsoft.com/t5/azure-ai-blog/speech-service-update-pronunciation-assessment-is-generally/ba-p/2505501)

+In this article, you learn about the benefits and capabilities of the speech translation service, which enables real-time, multi-language speech-to-speech and speech-to-text translation of audio streams.

+By using the Speech SDK or Speech CLI, you can give your applications, tools, and devices access to source transcriptions and translation outputs for the provided audio. Interim transcription and translation results are returned as speech is detected, and the final results can be converted into synthesized speech.

+For a list of languages supported for speech translation, see [Language and voice support](language-support.md#speech-translation).

+## Get started

+As your first step, try the [Speech translation quickstart](get-started-speech-translation.md). The speech translation service is available via the [Speech SDK](speech-sdk.md) and the [Speech CLI](spx-overview.md).

+## Migration guide

+* Try the [speech translation quickstart](get-started-speech-translation.md)

+* Install the [Speech SDK](speech-sdk.md)

+* Install the [Speech CLI](spx-overview.md)

+If you see a large discrepancy between the number of sentences in the source and target documents, your documents may not be parallel. The document pairs with a large difference (>10%) of sentences on each side warrant a second look to make sure they're indeed parallel. Custom Translator shows a warning next to the document if the sentence count differs suspiciously.

+be strict and careful in designing your tuning set and your test set. Make certain your sets

+fully represent the terminology and style of material you want to

+satisfied with the translations in your system test results and have no more data to add to

+improve your trained system.

+ uploads from most recent to least recent. For each upload, it shows the document name, upload status, upload date, number of files uploaded, type of file uploaded, and language pairs.

+# View the model details

+## View the model training details

+ Title: "Legacy: What are training and modeling? - Custom Translator"

+[BLEU (Bilingual Evaluation Understudy)](https://en.wikipedia.org/wiki/BLEU) is a measurement of the difference between an automatic translation and human-created reference translations of the same source sentence.

+- If you're using a phrase dictionary, capitalization and punctuation are important. Dictionary entries will only match words and phrases in the input sentence that use exactly the same capitalization and punctuation as specified in the source dictionary file. Also the translations will reflect the capitalization and punctuation provided in the target dictionary file. For example, if you trained an English to Spanish system that uses a phrase dictionary that specifies "US" in the source file, and "EE.UU." in the target file. When you request translation of a sentence that includes the word "us" (not capitalized), it will NOT return a match from the dictionary. However, if you request translation of a sentence that contains the word "US" (capitalized), it will match the dictionary and the translation will contain "EE.UU." The capitalization and punctuation in the translation may be different than specified in the dictionary target file, and may be different from the capitalization and punctuation in the source. It follows the rules of the target language.

+- If you're using a sentence dictionary, the end of sentence punctuation is ignored. For example, if your source dictionary contains "this sentence ends with punctuation!", then any translation requests containing "this sentence ends with punctuation" would match.

+advantageous because it allows you to switch between languages when using the Translator API without worrying about a CategoryID that is unique to each project.

+language pair, use a project label to differentiate between customers.

+> [!div class="nextstepaction"]

+> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=REST API&Pillar=Language&Product=Entity-linking&Page=quickstart&Section=Clean-up-resources" target="_target">I ran into an issue</a>

+> [!div class="nextstepaction"]

+> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=REST API&Pillar=Language&Product=Key-phrase-extraction&Page=quickstart&Section=Clean-up-resources" target="_target">I ran into an issue</a>

+> [!div class="nextstepaction"]

+> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=REST API&Pillar=Language&Product=Language-detection&Page=quickstart&Section=Clean-up-resources" target="_target">I ran into an issue</a>

+> [!div class="nextstepaction"]

+> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=JAVA&Pillar=Language&Product=Named-entity-recognition&Page=quickstart&Section=Clean-up-resources" target="_target">I ran into an issue</a>

+> [!div class="nextstepaction"]

+> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=PYTHON&Pillar=Language&Product=Personally-identifying-info&Page=quickstart&Section=Clean-up-resources" target="_target">I ran into an issue</a>

+Question answering uses CMK support from Azure search, and associates the provided CMK to encrypt the data stored in Azure search index. Please follow the steps listed in [this article](../../../../search/search-security-manage-encryption-keys.md) to configure Key Vault access for the Azure search service.

+> [!div class="nextstepaction"]

+> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=PYTHON&Pillar=Language&Product=Question-answering&Page=quickstart&Section=Clean-up-resources" target="_target">I ran into an issue</a>

+> [!div class="nextstepaction"]

+> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=PYTHON&Pillar=Language&Product=Sentiment-analysis&Page=quickstart&Section=Clean-up-resources" target="_target">I ran into an issue</a>

+> [!div class="nextstepaction"]

+> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=REST API&Pillar=Language&Product=Summarization&Page=quickstart&Section=Clean-up-resources" target="_target">I ran into an issue</a>

+> [!div class="nextstepaction"]

+> <a href="https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=CSHARP&Pillar=Language&Product=Text-analytics-for-health&Page=quickstart&Section=Clean-up-resources" target="_target">I ran into an issue</a>

+ Title: Authentication for customized Teams apps

+description: Explore single-tenant and multi-tenant authentication use cases for customized Teams applications. Also learn about authentication artifacts.

+# Single-tenant and multi-tenant authentication for Teams

+ This article gives you insight into the authentication process for single-tenant and multi-tenant, *Azure Active Directory* (Azure AD) applications. You can use authentication when you build customized Teams calling experiences with the *Calling software development kit* (SDK) that *Azure Communication Services* makes available. Use cases in this article also break down individual authentication artifacts.

+## Case 1: Example of a single-tenant application

+The Fabrikam company has built a custom, Teams calling application for internal company use. All Teams users are managed by Azure Active Directory. Access to Azure Communication Services is controlled by *Azure role-based access control (Azure RBAC)*.

+

+The following sequence diagram details single-tenant authentication.

+Before we begin:

+- Alice or her Azure AD administrator needs to give the custom Teams application consent, prior to the first attempt to sign in. Learn more about [consent](../../../active-directory/develop/consent-framework.md).

+- The Azure Communication Services resource admin needs to grant Alice permission to perform her role. Learn more about [Azure RBAC role assignment](../../../role-based-access-control/role-assignments-portal.md).

+1. Authenticate Alice using Azure Active Directory: Alice is authenticated using a standard OAuth flow with *Microsoft Authentication Library (MSAL)*. If authentication is successful, the client application receives an Azure AD access token, with a value of 'A'. Tokens are outlined later in this article. Authentication from the developer perspective is explored in this [quickstart](../../quickstarts/manage-teams-identity.md).

+1. Get an access token for Alice: The customized Teams application performs control plane logic, using artifact 'A'. This produces Azure Communication Services access token 'D' and gives Alice access. This access token can also be used for data plane actions in Azure Communication Services, like Calling.

+1. Call Bob: Alice makes a call to Teams user Bob, with Fabrikam's customized Teams app. The call takes place via the Calling SDK with an Azure Communication Services access token. Learn more about [developing custom Teams clients](../../quickstarts/voice-video-calling/get-started-with-voice-video-calling-custom-teams-client.md).

+## Case 2: Example of a multi-tenant application

+The Contoso company has built a custom Teams calling application for external customers. This application uses custom authentication within Contoso's own infrastructure. Contoso uses a connection string to retrieve tokens from Fabrikam's customized Teams application.

+

+The following sequence diagram details multi-tenant authentication.

+Before we begin:

+- Alice or her Azure AD administrator needs to give Contoso's Azure Active Directory application consent before the first attempt to sign in. Learn more about [consent](../../../active-directory/develop/consent-framework.md).

+1. Authenticate Alice using the Fabrikam application: Alice is authenticated through Fabrikam's customized Teams application. A standard OAuth flow with Microsoft Authentication Library (MSAL) is used. If authentication is successful, the client application, the Contoso app in this case, receives an Azure AD access token with a value of 'A'. Token details are outlined below. Authentication from the developer perspective is explored in this [quickstart](../../quickstarts/manage-teams-identity.md).

+1. Get an access token for Alice: The Contoso application performs control plane logic, using artifact 'A'. This generates Azure Communication Services access token 'D' for Alice within the Contoso application. This access token can be used for data plane actions in Azure Communication Services, like Calling.

+1. Call Bob: Alice makes a call to Teams user Bob, with Fabrikam's customized Teams app. The call takes place via the Calling SDK with an Azure Communication Services access token. Learn more about developing custom, Teams apps [in this quickstart](../../quickstarts/voice-video-calling/get-started-with-voice-video-calling-custom-teams-client.md).

+The following articles may be of interest to you:

+- Try this [quickstart to authenticate Teams users](../../quickstarts/manage-teams-identity.md).

+- Try this [quickstart to call a Teams user](../../quickstarts/voice-video-calling/get-started-with-voice-video-calling-custom-teams-client.md).

+ Title: Firewall configuration and Teams customization

+description: Learn the firewall configuration requirements that enable customized Teams calling experiences.

+# Firewall configuration for customized Teams calling experiences

+Azure Communication Services allow you to build custom Teams calling experiences.

+You can use the Calling *Software development kit* (SDK) to customize experiences. Use your Administrator account to configure your firewall based on Communication Services and Microsoft Teams guidelines. Communication Services requirements are for control plane and Teams requirements are for Calling.

+If you use an *independent software vendor* (ISV) for authentication, use instructions from that vendor and not from Communication Services.

+The following articles may be of interest to you:

+* **Email Send Mail operational logs** - provides detailed information related to the Email service send mail requests.

+* **Email Status Update operational logs** - provides message and recipient level delivery status updates related to the Email service send mail requests.

+* **Email User Engagement operational logs** - provides information related to 'open' and 'click' user engagement metrics for messages sent from the Email service.

+### Email Send Mail operational logs

+| Property | Description |

+| -- | |

+| TimeGenerated | The timestamp (UTC) of when the log was generated. |

+| Location | The region where the operation was processed. |

+| OperationName | The operation associated with log record. |

+| OperationVersion | The `api-version` associated with the operation, if the `operationName` was performed using an API. If there is no API that corresponds to this operation, the version represents the version of that operation in case the properties associated with the operation change in the future. |

+| Category | The log category of the event. Category is the granularity at which you can enable or disable logs on a particular resource. The properties that appear within the properties blob of an event are the same within a particular log category and resource type. |

+| CorrelationID | The ID for correlated events. Can be used to identify correlated events between multiple tables. For all Email operational logs, the CorrelationId is mapped to the MessageId which is returned from a successful SendMail request. |

+| Size | Represents the total size in megabytes of the email body, subject, headers and attachments. |

+| ToRecipientsCount | The total # of unique email addresses on the To line. |

+| CcRecipientsCount | The total # of unique email addresses on the Cc line. |

+| BccRecipientsCount | The total # of unique email addresses on the Bcc line. |

+| UniqueRecipientsCount | This is the deduplicated total recipient count for the To, Cc and Bcc address fields. |

+| AttachmentsCount | The total # of attachments. |

+### Email Status Update operational logs

+| Property | Description |

+| -- | |

+| TimeGenerated | The timestamp (UTC) of when the log was generated. |

+| Location | The region where the operation was processed. |

+| OperationName | The operation associated with log record. |

+| OperationVersion | The `api-version` associated with the operation, if the `operationName` was performed using an API. If there is no API that corresponds to this operation, the version represents the version of that operation in case the properties associated with the operation change in the future. |

+| Category | The log category of the event. Category is the granularity at which you can enable or disable logs on a particular resource. The properties that appear within the properties blob of an event are the same within a particular log category and resource type. |

+| CorrelationID | The ID for correlated events. Can be used to identify correlated events between multiple tables. For all Email operational logs, the CorrelationId is mapped to the MessageId which is returned from a successful SendMail request. |

+| RecipientId | The email address for the targeted recipient. If this is a message-level event, the property will be empty. |

+| DeliveryStatus | The terminal status of the message. |

+### Email User Engagement operational logs

+| Property | Description |

+| -- | |

+| TimeGenerated | The timestamp (UTC) of when the log was generated. |

+| Location | The region where the operation was processed. |

+| OperationName | The operation associated with log record. |

+| OperationVersion | The `api-version` associated with the operation, if the `operationName` was performed using an API. If there is no API that corresponds to this operation, the version represents the version of that operation in case the properties associated with the operation change in the future. |

+| Category | The log category of the event. Category is the granularity at which you can enable or disable logs on a particular resource. The properties that appear within the properties blob of an event are the same within a particular log category and resource type. |

+| CorrelationID | The ID for correlated events. Can be used to identify correlated events between multiple tables. For all Email operational logs, the CorrelationId is mapped to the MessageId which is returned from a successful SendMail request. |

+| RecipientId | The email address for the targeted recipient. If this is a message-level event, the property will be empty. |

+| EngagementType | The type of user engagement being tracked. |

+| EngagementContext | The context represents what the user interacted with. |

+| UserAgent | The user agent string from the client. |

+ Title: How to accept or decline offers in Job Router

+description: Learn how to use Azure Communication Services SDKs to accept or decline job offers in Job Router.

+#Customer intent: As a developer, I want to accept/decline job offers when they come in.

+# Discover how to accept or decline Job Router job offers

+This guide lays out the steps you need to take to observe a Job Router offer. It also outlines how to accept or decline job offers.

+- An Azure account with an active subscription. [Create an Azure account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+## Observe worker offer-issued events

+After you create a job, observe the [worker offer-issued event](subscribe-events.md#microsoftcommunicationrouterworkerofferissued), which contains the worker ID and the job offer ID:

+## Accept job offers

+The worker can accept job offers by using the SDK:

+## Decline job offers

+The worker can decline job offers by using the SDK:

+ Title: Create an Azure Cosmos DB SQL API account

+description: Learn how to create a new Azure Cosmos DB SQL API account to store databases, containers, and items.

+ms.devlang: csharp

+# Create an Azure Cosmos DB SQL API account

+An Azure Cosmos DB SQL API account contains all of your Azure Cosmos DB resources: databases, containers, and items. The account provides a unique endpoint for various tools and SDKs to connect to Azure Cosmos DB and perform everyday operations. For more information about the resources in Azure Cosmos DB, see [Azure Cosmos DB resource model](../account-databases-containers-items.md).

+## Prerequisites

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free).

+## Create an account

+Create a single Azure Cosmos DB account using the SQL API.

+#### [Azure CLI](#tab/azure-cli)

+1. Create shell variables for *accountName*, *resourceGroupName*, and *location*.

+ ```azurecli-interactive

+ # Variable for resource group name

+ resourceGroupName="msdocs-cosmos"

+ # Variable for location

+ location="westus"

+ # Variable for account name with a randomnly generated suffix

+ let suffix=$RANDOM*$RANDOM

+ accountName="msdocs-$suffix"

+ ```

+1. If you haven't already, sign in to the Azure CLI using the [``az login``](/cli/azure/reference-index#az-login) command.

+1. Use the [``az group create``](/cli/azure/group#az-group-create) command to create a new resource group in your subscription.

+ ```azurecli-interactive

+ az group create \

+ --name $resourceGroupName \

+ --location $location

+ ```

+1. Use the [``az cosmosdb create``](/cli/azure/cosmosdb#az-cosmosdb-create) command to create a new Azure Cosmos DB SQL API account with default settings.

+ ```azurecli-interactive

+ az cosmosdb create \

+ --resource-group $resourceGroupName \

+ --name $accountName \

+ --locations regionName=$location

+ ```

+#### [PowerShell](#tab/azure-powershell)

+1. Create shell variables for *ACCOUNT_NAME*, *RESOURCE_GROUP_NAME*, and **LOCATION**.

+ ```azurepowershell-interactive

+ # Variable for resource group name

+ $RESOURCE_GROUP_NAME = "msdocs-cosmos"

+ # Variable for location

+ $LOCATION = "West US"

+

+ # Variable for account name with a randomnly generated suffix

+ $SUFFIX = Get-Random

+ $ACCOUNT_NAME = "msdocs-$SUFFIX"

+ ```

+1. If you haven't already, sign in to Azure PowerShell using the [``Connect-AzAccount``](/powershell/module/az.accounts/connect-azaccount) cmdlet.

+1. Use the [``New-AzResourceGroup``](/powershell/module/az.resources/new-azresourcegroup) cmdlet to create a new resource group in your subscription.

+ ```azurepowershell-interactive

+ $parameters = @{

+ Name = $RESOURCE_GROUP_NAME

+ Location = $LOCATION

+ }

+ New-AzResourceGroup @parameters

+ ```

+1. Use the [``New-AzCosmosDBAccount``](/powershell/module/az.cosmosdb/new-azcosmosdbaccount) cmdlet to create a new Azure Cosmos DB SQL API account with default settings.

+ ```azurepowershell-interactive

+ $parameters = @{

+ ResourceGroupName = $RESOURCE_GROUP_NAME

+ Name = $ACCOUNT_NAME

+ Location = $LOCATION

+ }

+ New-AzCosmosDBAccount @parameters

+ ```

+#### [Portal](#tab/azure-portal)

+> [!TIP]

+> For this guide, we recommend using the resource group name ``msdocs-cosmos``.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. From the Azure portal menu or the **Home page**, select **Create a resource**.

+1. On the **New** page, search for and select **Azure Cosmos DB**.

+1. On the **Select API option** page, select the **Create** option within the **Core (SQL) - Recommend** section. Azure Cosmos DB has five APIs: SQL, MongoDB, Gremlin, Table, and Cassandra. [Learn more about the SQL API](/azure/cosmos-db/sql/introduction.md).

+ :::image type="content" source="media/create-account-portal/cosmos-api-choices.png" lightbox="media/create-account-portal/cosmos-api-choices.png" alt-text="Screenshot of select A P I option page for Azure Cosmos D B.":::

+1. On the **Create Azure Cosmos DB Account** page, enter the following information:

+ | Setting | Value | Description |

+ | | | |

+ | Subscription | Subscription name | Select the Azure subscription that you wish to use for this Azure Cosmos account. |

+ | Resource Group | Resource group name | Select a resource group, or select **Create new**, then enter a unique name for the new resource group. |

+ | Account Name | A unique name | Enter a name to identify your Azure Cosmos account. The name will be used as part of a fully qualified domain name (FQDN) with a suffix of *documents.azure.com*, so the name must be globally unique. The name can only contain lowercase letters, numbers, and the hyphen (-) character. The name must also be between 3-44 characters in length. |

+ | Location | The region closest to your users | Select a geographic location to host your Azure Cosmos DB account. Use the location that is closest to your users to give them the fastest access to the data. |

+ | Capacity mode |Provisioned throughput or Serverless|Select **Provisioned throughput** to create an account in [provisioned throughput](../set-throughput.md) mode. Select **Serverless** to create an account in [serverless](../serverless.md) mode. |

+ | Apply Azure Cosmos DB free tier discount | **Apply** or **Do not apply** |With Azure Cosmos DB free tier, you'll get the first 1000 RU/s and 25 GB of storage for free in an account. Learn more about [free tier](https://azure.microsoft.com/pricing/details/cosmos-db/). |

+ > [!NOTE]

+ > You can have up to one free tier Azure Cosmos DB account per Azure subscription and must opt-in when creating the account. If you do not see the option to apply the free tier discount, this means another account in the subscription has already been enabled with free tier.

+ :::image type="content" source="media/create-account-portal/new-cosmos-account-page.png" lightbox="media/create-account-portal/new-cosmos-account-page.png" alt-text="Screenshot of new account page for Azure Cosmos D B SQL A P I.":::

+1. Select **Review + create**.

+1. Review the settings you provide, and then select **Create**. It takes a few minutes to create the account. Wait for the portal page to display **Your deployment is complete** before moving on.

+1. Select **Go to resource** to go to the Azure Cosmos DB account page.

+ :::image type="content" source="media/create-account-portal/cosmos-deployment-complete.png" lightbox="media/create-account-portal/cosmos-deployment-complete.png" alt-text="Screenshot of deployment page for Azure Cosmos D B SQL A P I resource.":::

+## Next steps

+In this guide, you learned how to create an Azure Cosmos DB SQL API account. You can now import additional data to your Azure Cosmos DB account.

+> [!div class="nextstepaction"]

+> [Import data into Azure Cosmos DB SQL API](../import-data.md)

+ Title: Create a container in Azure Cosmos DB SQL API using .NET

+description: Learn how to create a container in your Azure Cosmos DB SQL API database using the .NET SDK.

+ms.devlang: csharp

+# Create a container in Azure Cosmos DB SQL API using .NET

+Containers in Azure Cosmos DB store sets of items. Before you can create, query, or manage items, you must first create a container.

+## Name a container

+In Azure Cosmos DB, a container is analogous to a table in a relational database. When you create a container, the container name forms a segment of the URI used to access the container resource and any child items.

+Here are some quick rules when naming a container:

+* Keep container names between 3 and 63 characters long

+* Container names can only contain lowercase letters, numbers, or the dash (-) character.

+* Container names must start with a lowercase letter or number.

+Once created, the URI for a container is in this format:

+``https://<cosmos-account-name>.documents.azure.com/dbs/<database-name>/colls/<container-name>``

+## Create a container

+To create a container, call one of the following methods:

+* [``CreateContainerAsync``](#create-a-container-asynchronously)

+* [``CreateContainerIfNotExistsAsync``](#create-a-container-asynchronously-if-it-doesnt-already-exist)

+### Create a container asynchronously

+The following example creates a container asynchronously:

+The [``Database.CreateContainerAsync``](/dotnet/api/microsoft.azure.cosmos.database.createcontainerasync) method will throw an exception if a database with the same name already exists.

+### Create a container asynchronously if it doesn't already exist

+The following example creates a container asynchronously only if it doesn't already exist on the account:

+The [``Database.CreateContainerIfNotExistsAsync``](/dotnet/api/microsoft.azure.cosmos.database.createcontainerifnotexistsasync) method will only create a new container if it doesn't already exist. This method is useful for avoiding errors if you run the same code multiple times.

+## Parsing the response

+In all examples so far, the response from the asynchronous request was cast immediately to the [``Container``](/dotnet/api/microsoft.azure.cosmos.container) type. You may want to parse metadata about the response including headers and the HTTP status code. The true return type for the **Database.CreateContainerAsync** and **Database.CreateContainerIfNotExistsAsync** methods is [``ContainerResponse``](/dotnet/api/microsoft.azure.cosmos.containerresponse).

+The following example shows the **Database.CreateContainerIfNotExistsAsync** method returning a **ContainerResponse**. Once returned, you can parse response properties and then eventually get the underlying **Container** object:

+## See also

+- [Get started with Azure Cosmos DB SQL API and .NET](how-to-dotnet-get-started.md)

+- [Create a database](how-to-dotnet-create-database.md)

+ Title: Create a database in Azure Cosmos DB SQL API using .NET

+description: Learn how to create a database in your Azure Cosmos DB SQL API account using the .NET SDK.

+ms.devlang: csharp

+# Create a database in Azure Cosmos DB SQL API using .NET

+Databases in Azure Cosmos DB are units of management for one or more containers. Before you can create or manage containers, you must first create a database.

+## Name a database

+In Azure Cosmos DB, a database is analogous to a namespace. When you create a database, the database name forms a segment of the URI used to access the database resource and any child resources.

+Here are some quick rules when naming a database:

+* Keep database names between 3 and 63 characters long

+* Database names can only contain lowercase letters, numbers, or the dash (-) character.

+* Database names must start with a lowercase letter or number.

+Once created, the URI for a database is in this format:

+``https://<cosmos-account-name>.documents.azure.com/dbs/<database-name>``

+## Create a database

+To create a database, call one of the following methods:

+* [``CreateDatabaseAsync``](#create-a-database-asynchronously)

+* [``CreateDatabaseIfNotExistsAsync``](#create-a-database-asynchronously-if-it-doesnt-already-exist)

+### Create a database asynchronously

+The following example creates a database asynchronously:

+The [``CosmosClient.CreateDatabaseAsync``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.createdatabaseasync) method will throw an exception if a database with the same name already exists.

+### Create a database asynchronously if it doesn't already exist

+The following example creates a database asynchronously only if it doesn't already exist on the account:

+The [``CosmosClient.CreateDatabaseIfNotExistsAsync``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.createdatabaseifnotexistsasync) method will only create a new database if it doesn't already exist. This method is useful for avoiding errors if you run the same code multiple times.

+## Parsing the response

+In all examples so far, the response from the asynchronous request was cast immediately to the [``Database``](/dotnet/api/microsoft.azure.cosmos.database) type. You may want to parse metadata about the response including headers and the HTTP status code. The true return type for the **CosmosClient.CreateDatabaseAsync** and **CosmosClient.CreateDatabaseIfNotExistsAsync** methods is [``DatabaseResponse``](/dotnet/api/microsoft.azure.cosmos.databaseresponse).

+The following example shows the **CosmosClient.CreateDatabaseIfNotExistsAsync** method returning a **DatabaseResponse**. Once returned, you can parse response properties and then eventually get the underlying **Database** object:

+## See also

+- [Get started with Azure Cosmos DB SQL API and .NET](how-to-dotnet-get-started.md)

+- [Create a container](how-to-dotnet-create-container.md)

+ Title: Get started with Azure Cosmos DB SQL API and .NET

+description: Get started developing a .NET application that works with Azure Cosmos DB SQL API. This article helps you learn how to set up a project and configure access to an Azure Cosmos DB SQL API endpoint.

+ms.devlang: csharp

+# Get started with Azure Cosmos DB SQL API and .NET

+This article shows you how to connect to Azure Cosmos DB SQL API using the .NET SDK. Once connected, you can perform operations on databases, containers, and items.

+[Package (NuGet)](https://www.nuget.org/packages/Microsoft.Azure.Cosmos) | [Samples](samples-dotnet.md) | [API reference](/dotnet/api/microsoft.azure.cosmos) | [Library source code](https://github.com/Azure/azure-cosmos-dotnet-v3) | [Give Feedback](https://github.com/Azure/azure-cosmos-dotnet-v3/issues)

+## Prerequisites

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free).

+* Azure Cosmos DB SQL API account. [Create a SQL API account](how-to-create-account.md).

+* [.NET 6.0 or later](https://dotnet.microsoft.com/download)

+* [Azure Command-Line Interface (CLI)](/cli/azure/) or [Azure PowerShell](/powershell/azure/)

+## Set up your project

+### Create the .NET console application

+Create a new .NET application by using the [``dotnet new``](/dotnet/core/tools/dotnet-new) command with the **console** template.

+```dotnetcli

+dotnet new console

+```

+Import the [Microsoft.Azure.Cosmos](https://www.nuget.org/packages/Microsoft.Azure.Cosmos) NuGet package using the [``dotnet add package``](/dotnet/core/tools/dotnet-add-package) command.

+```dotnetcli

+dotnet add package Microsoft.Azure.Cosmos

+```

+Build the project with the [``dotnet build``](/dotnet/core/tools/dotnet-build) command.

+```dotnetcli

+dotnet build

+```

+## Connect to Azure Cosmos DB SQL API

+To connect to the SQL API of Azure Cosmos DB, create an instance of the [``CosmosClient``](/dotnet/api/microsoft.azure.cosmos.cosmosclient) class. This class is the starting point to perform all operations against databases. There are three core ways to connect to a SQL API account using the **CosmosClient** class:

+* [Connect with a SQL API endpoint and read/write key](#connect-with-an-endpoint-and-key)

+* [Connect with a SQL API connection string](#connect-with-a-connection-string)

+* [Connect with Azure Active Directory](#connect-using-the-microsoft-identity-platform)

+### Connect with an endpoint and key

+The most common constructor for **CosmosClient** has two parameters:

+| Parameter | Example value | Description |

+| | | |

+| ``accountEndpoint`` | ``COSMOS_ENDPOINT`` environment variable | SQL API endpoint to use for all requests |

+| ``authKeyOrResourceToken`` | ``COSMOS_KEY`` environment variable | Account key or resource token to use when authenticating |

+#### Retrieve your account endpoint and key

+##### [Azure CLI](#tab/azure-cli)

+1. Create a shell variable for *resourceGroupName*.

+ ```azurecli-interactive

+ # Variable for resource group name

+ resourceGroupName="msdocs-cosmos-dotnet-howto-rg"

+ ```

+1. Use the [``az cosmosdb list``](/cli/azure/cosmosdb#az-cosmosdb-list) command to retrieve the name of the first Azure Cosmos DB account in your resource group and store it in the *accountName* shell variable.

+ ```azurecli-interactive

+ # Retrieve most recently created account name

+ accountName=$(

+ az cosmosdb list \

+ --resource-group $resourceGroupName \

+ --query "[0].name" \

+ --output tsv

+ )

+ ```

+1. Get the SQL API endpoint *URI* for the account using the [``az cosmosdb show``](/cli/azure/cosmosdb#az-cosmosdb-show) command.

+ ```azurecli-interactive

+ az cosmosdb show \

+ --resource-group $resourceGroupName \

+ --name $accountName \

+ --query "documentEndpoint"

+ ```

+1. Find the *PRIMARY KEY* from the list of keys for the account with the[``az-cosmosdb-keys-list``](/cli/azure/cosmosdb/keys#az-cosmosdb-keys-list) command.

+ ```azurecli-interactive

+ az cosmosdb keys list \

+ --resource-group $resourceGroupName \

+ --name $accountName \

+ --type "keys" \

+ --query "primaryMasterKey"

+ ```

+1. Record the *URI* and *PRIMARY KEY* values. You'll use these credentials later.

+##### [PowerShell](#tab/azure-powershell)

+1. Create a shell variable for *RESOURCE_GROUP_NAME*.

+ ```azurepowershell-interactive

+ # Variable for resource group name

+ $RESOURCE_GROUP_NAME = "msdocs-cosmos-dotnet-howto-rg"

+ ```

+1. Use the [``Get-AzCosmosDBAccount``](/powershell/module/az.cosmosdb/get-azcosmosdbaccount) cmdlet to retrieve the name of the first Azure Cosmos DB account in your resource group and store it in the *ACCOUNT_NAME* shell variable.

+ ```azurepowershell-interactive

+ # Retrieve most recently created account name

+ $parameters = @{

+ ResourceGroupName = $RESOURCE_GROUP_NAME

+ }

+ $ACCOUNT_NAME = (

+ Get-AzCosmosDBAccount @parameters |

+ Select-Object -Property Name -First 1

+ ).Name

+ ```

+1. Get the SQL API endpoint *URI* for the account using the [``Get-AzCosmosDBAccount``](/powershell/module/az.cosmosdb/get-azcosmosdbaccount) cmdlet.

+ ```azurepowershell-interactive

+ $parameters = @{

+ ResourceGroupName = $RESOURCE_GROUP_NAME

+ Name = $ACCOUNT_NAME

+ }

+ Get-AzCosmosDBAccount @parameters |

+ Select-Object -Property "DocumentEndpoint"

+ ```

+1. Find the *PRIMARY KEY* from the list of keys for the account with the [``Get-AzCosmosDBAccountKey``](/powershell/module/az.cosmosdb/get-azcosmosdbaccountkey) cmdlet.

+ ```azurepowershell-interactive

+ $parameters = @{

+ ResourceGroupName = $RESOURCE_GROUP_NAME

+ Name = $ACCOUNT_NAME

+ Type = "Keys"

+ }

+ Get-AzCosmosDBAccountKey @parameters |

+ Select-Object -Property "PrimaryMasterKey"

+ ```

+1. Record the *URI* and *PRIMARY KEY* values. You'll use these credentials later.

+##### [Portal](#tab/azure-portal)

+> [!TIP]

+> For this guide, we recommend using the resource group name ``msdocs-cosmos-dotnet-howto-rg``.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate to the existing Azure Cosmos DB SQL API account page.

+1. From the Azure Cosmos DB SQL API account page, select the **Keys** navigation menu option.

+ :::image type="content" source="media/get-credentials-portal/cosmos-keys-option.png" lightbox="media/get-credentials-portal/cosmos-keys-option.png" alt-text="Screenshot of an Azure Cosmos D B SQL A P I account page. The Keys option is highlighted in the navigation menu.":::

+1. Record the values from the **URI** and **PRIMARY KEY** fields. You'll use these values in a later step.

+ :::image type="content" source="media/get-credentials-portal/cosmos-endpoint-key-credentials.png" lightbox="media/get-credentials-portal/cosmos-endpoint-key-credentials.png" alt-text="Screenshot of Keys page with various credentials for an Azure Cosmos D B SQL A P I account.":::

+To use the **URI** and **PRIMARY KEY** values within your .NET code, persist them to new environment variables on the local machine running the application.

+#### [Windows](#tab/windows)

+```powershell

+$env:COSMOS_ENDPOINT = "<cosmos-account-URI>"

+$env:COSMOS_KEY = "<cosmos-account-PRIMARY-KEY>"

+```

+#### [Linux / macOS](#tab/linux+macos)

+```bash

+export COSMOS_ENDPOINT="<cosmos-account-URI>"

+export COSMOS_KEY="<cosmos-account-PRIMARY-KEY>"

+```

+#### Create CosmosClient with account endpoint and key

+Create a new instance of the **CosmosClient** class with the ``COSMOS_ENDPOINT`` and ``COSMOS_KEY`` environment variables as parameters.

+### Connect with a connection string

+Another constructor for **CosmosClient** only contains a single parameter:

+| Parameter | Example value | Description |

+| | | |

+| ``accountEndpoint`` | ``COSMOS_ENDPOINT`` environment variable | SQL API endpoint to use for all requests |

+| ``connectionString`` | ``COSMOS_CONNECTION_STRING`` environment variable | Connection string to the SQL API account |

+#### Retrieve your account connection string

+##### [Azure CLI](#tab/azure-cli)

+1. Use the [``az cosmosdb list``](/cli/azure/cosmosdb#az-cosmosdb-list) command to retrieve the name of the first Azure Cosmos DB account in your resource group and store it in the *accountName* shell variable.

+ ```azurecli-interactive

+ # Retrieve most recently created account name

+ accountName=$(

+ az cosmosdb list \

+ --resource-group $resourceGroupName \

+ --query "[0].name" \

+ --output tsv

+ )

+ ```

+1. Find the *PRIMARY CONNECTION STRING* from the list of connection strings for the account with the[``az-cosmosdb-keys-list``](/cli/azure/cosmosdb/keys#az-cosmosdb-keys-list) command.

+ ```azurecli-interactive

+ az cosmosdb keys list \

+ --resource-group $resourceGroupName \

+ --name $accountName \

+ --type "connection-strings" \

+ --query "connectionStrings[?description == \`Primary SQL Connection String\`] | [0].connectionString"

+ ```

+##### [PowerShell](#tab/azure-powershell)

+1. Use the [``Get-AzCosmosDBAccount``](/powershell/module/az.cosmosdb/get-azcosmosdbaccount) cmdlet to retrieve the name of the first Azure Cosmos DB account in your resource group and store it in the *ACCOUNT_NAME* shell variable.

+ ```azurepowershell-interactive

+ # Retrieve most recently created account name

+ $parameters = @{

+ ResourceGroupName = $RESOURCE_GROUP_NAME

+ }

+ $ACCOUNT_NAME = (

+ Get-AzCosmosDBAccount @parameters |

+ Select-Object -Property Name -First 1

+ ).Name

+ ```

+1. Find the *PRIMARY CONNECTION STRING* from the list of connection strings for the account with the [``Get-AzCosmosDBAccountKey``](/powershell/module/az.cosmosdb/get-azcosmosdbaccountkey) cmdlet.

+ ```azurepowershell-interactive

+ $parameters = @{

+ ResourceGroupName = $RESOURCE_GROUP_NAME

+ Name = $ACCOUNT_NAME

+ Type = "ConnectionStrings"

+ }

+ Get-AzCosmosDBAccountKey @parameters |

+ Select-Object -Property "Primary SQL Connection String" -First 1

+ ```

+##### [Portal](#tab/azure-portal)

+> [!TIP]

+> For this guide, we recommend using the resource group name ``msdocs-cosmos-dotnet-howto-rg``.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate to the existing Azure Cosmos DB SQL API account page.

+1. From the Azure Cosmos DB SQL API account page, select the **Keys** navigation menu option.

+1. Record the value from the **PRIMARY CONNECTION STRING** field.

+To use the **PRIMARY CONNECTION STRING** value within your .NET code, persist it to a new environment variable on the local machine running the application.

+#### [Windows](#tab/windows)

+```powershell

+$env:COSMOS_CONNECTION_STRING = "<cosmos-account-PRIMARY-CONNECTION-STRING>"

+```

+#### [Linux / macOS](#tab/linux+macos)

+```bash

+export COSMOS_CONNECTION_STRING="<cosmos-account-PRIMARY-CONNECTION-STRING>"

+```

+#### Create CosmosClient with connection string

+Create a new instance of the **CosmosClient** class with the ``COSMOS_CONNECTION_STRING`` environment variable as the only parameter.

+### Connect using the Microsoft Identity Platform

+To connect to your SQL API account using the Microsoft Identity Platform and Azure AD, use a security principal. The exact type of principal will depend on where you host your application code. The table below serves as a quick reference guide.

+| Where the application runs | Security principal

+|--|--||

+| Local machine (developing and testing) | User identity or service principal |

+| Azure | Managed identity |

+| Servers or clients outside of Azure | Service principal |

+#### Import Azure.Identity

+The **Azure.Identity** NuGet package contains core authentication functionality that is shared among all Azure SDK libraries.

+Import the [Azure.Identity](https://www.nuget.org/packages/Azure.Identity) NuGet package using the ``dotnet add package`` command.

+```dotnetcli

+dotnet add package Azure.Identity

+```

+Rebuild the project with the ``dotnet build`` command.

+```dotnetcli

+dotnet build

+```

+In your code editor, add using directives for ``Azure.Core`` and ``Azure.Identity`` namespaces.

+#### Create CosmosClient with default credential implementation

+If you're testing on a local machine, or your application will run on Azure services with direct support for managed identities, obtain an OAuth token by creating a [``DefaultAzureCredential``](/dotnet/api/azure.identity.defaultazurecredential) instance.

+For this example, we saved the instance in a variable of type [``TokenCredential``](/dotnet/api/azure.core.tokencredential) as that's a more generic type that's reusable across SDKs.

+Create a new instance of the **CosmosClient** class with the ``COSMOS_ENDPOINT`` environment variable and the **TokenCredential** object as parameters.

+#### Create CosmosClient with a custom credential implementation

+If you plan to deploy the application out of Azure, you can obtain an OAuth token by using other classes in the [Azure.Identity client library for .NET](/dotnet/api/overview/azure/identity-readme). These other classes also derive from the ``TokenCredential`` class.

+For this example, we create a [``ClientSecretCredential``](/dotnet/api/azure.identity.clientsecretcredential) instance by using client and tenant identifiers, along with a client secret.

+You can obtain the client ID, tenant ID, and client secret when you register an application in Azure Active Directory (AD). For more information about registering Azure AD applications, see [Register an application with the Microsoft identity platform](/azure/active-directory/develop/quickstart-register-app).

+Create a new instance of the **CosmosClient** class with the ``COSMOS_ENDPOINT`` environment variable and the **TokenCredential** object as parameters.

+## Build your application

+As you build your application, your code will primarily interact with four types of resources:

+- The SQL API account, which is the unique top-level namespace for your Azure Cosmos DB data.

+- Databases, which organize the containers in your account.

+- Containers, which contain a set of individual items in your database.

+- Items, which represent a JSON document in your container.

+The following diagram shows the relationship between these resources.

+ Hierarchical diagram showing an Azure Cosmos D B account at the top. The account has two child database nodes. One of the database nodes includes two child container nodes. The other database node includes a single child container node. That single container node has three child item nodes.

+Each type of resource is represented by one or more associated .NET classes. Here's a list of the most common classes:

+| Class | Description |

+|||

+| [``CosmosClient``](/dotnet/api/microsoft.azure.cosmos.cosmosclient) | This class provides a client-side logical representation for the Azure Cosmos DB service. The client object is used to configure and execute requests against the service. |

+| [``Database``](/dotnet/api/microsoft.azure.cosmos.database) | This class is a reference to a database that may, or may not, exist in the service yet. The database is validated server-side when you attempt to access it or perform an operation against it. |

+| [``Container``](/dotnet/api/microsoft.azure.cosmos.container) | This class is a reference to a container that also may not exist in the service yet. The container is validated server-side when you attempt to work with it. |

+The following guides show you how to use each of these classes to build your application.

+| Guide | Description |

+|--||

+| [Create a database](how-to-dotnet-create-database.md) | Create databases |

+| [Create a container](how-to-dotnet-create-container.md) | Create containers |

+## See also

+- [Package (NuGet)](https://www.nuget.org/packages/Microsoft.Azure.Cosmos)

+- [Samples](samples-dotnet.md)

+- [API reference](/dotnet/api/microsoft.azure.cosmos)

+- [Library source code](https://github.com/Azure/azure-cosmos-dotnet-v3)

+- [Give Feedback](https://github.com/Azure/azure-cosmos-dotnet-v3/issues)

+## Next steps

+Now that you've connected to a SQL API account, use the next guide to create and manage databases.

+> [!div class="nextstepaction"]

+> [Create a database in Azure Cosmos DB SQL API using .NET](how-to-dotnet-create-database.md)

+The following settings are used to configure an Azure Cosmos DB Kafka sink connector. These configuration values determine which Kafka topics data is consumed, which Azure Cosmos DB containerΓÇÖs data is written into, and formats to serialize the data. For an example configuration file with the default values, refer to [this config](https://github.com/microsoft/kafka-connect-cosmosdb/blob/dev/src/docker/resources/sink.example.json).

+* [Reading from change feed](read-change-feed.md)

+ Title: Quickstart - Azure Cosmos DB SQL API client library for .NET

+description: Learn how to build a .NET app to manage Azure Cosmos DB SQL API account resources in this quickstart.

+ms.devlang: csharp

+# Quickstart: Azure Cosmos DB SQL API client library for .NET

+> [!div class="op_single_selector"]

+> * [.NET](quickstart-dotnet.md)

+Get started with the Azure Cosmos DB client library for .NET to create databases, containers, and items within your account. Follow these steps to install the package and try out example code for basic tasks.

+> [!NOTE]

+> The [example code snippets](https://github.com/Azure-Samples/azure-cosmos-db-dotnet-quickstart) are available on GitHub as a .NET project.

+[API reference documentation](/dotnet/api/microsoft.azure.cosmos) | [Library source code](https://github.com/Azure/azure-cosmos-dotnet-v3) | [Package (NuGet)](https://www.nuget.org/packages/Microsoft.Azure.Cosmos)

+## Prerequisites

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free).

+* [.NET 6.0 or later](https://dotnet.microsoft.com/download)

+* [Azure Command-Line Interface (CLI)](/cli/azure/) or [Azure PowerShell](/powershell/azure/)

+### Prerequisite check

+* In a terminal or command window, run ``dotnet --version`` to check that the .NET SDK is version 6.0 or later.

+* Run ``az --version`` (Azure CLI) or ``Get-Module -ListAvailable AzureRM`` (Azure PowerShell) to check that you have the appropriate Azure command-line tools installed.

+## Setting up

+This section walks you through creating an Azure Cosmos account and setting up a project that uses Azure Cosmos DB SQL API client library for .NET to manage resources.

+### Create an Azure Cosmos DB account

+This quickstart will create a single Azure Cosmos DB account using the SQL API.

+#### [Azure CLI](#tab/azure-cli)

+1. Create shell variables for *accountName*, *resourceGroupName*, and *location*.

+ ```azurecli-interactive

+ # Variable for resource group name

+ resourceGroupName="msdocs-cosmos-dotnet-quickstart-rg"

+ location="westus"

+ # Variable for account name with a randomnly generated suffix

+ let suffix=$RANDOM*$RANDOM

+ accountName="msdocs-dotnet-$suffix"

+ ```

+1. If you haven't already, sign in to the Azure CLI using the [``az login``](/cli/azure/reference-index#az-login) command.

+1. Use the [``az group create``](/cli/azure/group#az-group-create) command to create a new resource group in your subscription.

+ ```azurecli-interactive

+ az group create \

+ --name $resourceGroupName \

+ --location $location

+ ```

+1. Use the [``az cosmosdb create``](/cli/azure/cosmosdb#az-cosmosdb-create) command to create a new Azure Cosmos DB SQL API account with default settings.

+ ```azurecli-interactive

+ az cosmosdb create \

+ --resource-group $resourceGroupName \

+ --name $accountName \

+ --locations regionName=$location

+ ```

+1. Get the SQL API endpoint *URI* for the account using the [``az cosmosdb show``](/cli/azure/cosmosdb#az-cosmosdb-show) command.

+ ```azurecli-interactive

+ az cosmosdb show \

+ --resource-group $resourceGroupName \

+ --name $accountName \

+ --query "documentEndpoint"

+ ```

+1. Find the *PRIMARY KEY* from the list of keys for the account with the[``az-cosmosdb-keys-list``](/cli/azure/cosmosdb/keys#az-cosmosdb-keys-list) command.

+ ```azurecli-interactive

+ az cosmosdb keys list \

+ --resource-group $resourceGroupName \

+ --name $accountName \

+ --type "keys" \

+ --query "primaryMasterKey"

+ ```

+1. Record the *URI* and *PRIMARY KEY* values. You'll use these credentials later.

+#### [PowerShell](#tab/azure-powershell)

+1. Create shell variables for *ACCOUNT_NAME*, *RESOURCE_GROUP_NAME*, and **LOCATION**.

+ ```azurepowershell-interactive

+ # Variable for resource group name

+ $RESOURCE_GROUP_NAME = "msdocs-cosmos-dotnet-quickstart-rg"

+ $LOCATION = "West US"

+

+ # Variable for account name with a randomnly generated suffix

+ $SUFFIX = Get-Random

+ $ACCOUNT_NAME = "msdocs-dotnet-$SUFFIX"

+ ```

+1. If you haven't already, sign in to Azure PowerShell using the [``Connect-AzAccount``](/powershell/module/az.accounts/connect-azaccount) cmdlet.

+1. Use the [``New-AzResourceGroup``](/powershell/module/az.resources/new-azresourcegroup) cmdlet to create a new resource group in your subscription.

+ ```azurepowershell-interactive

+ $parameters = @{

+ Name = $RESOURCE_GROUP_NAME

+ Location = $LOCATION

+ }

+ New-AzResourceGroup @parameters

+ ```

+1. Use the [``New-AzCosmosDBAccount``](/powershell/module/az.cosmosdb/new-azcosmosdbaccount) cmdlet to create a new Azure Cosmos DB SQL API account with default settings.

+ ```azurepowershell-interactive

+ $parameters = @{

+ ResourceGroupName = $RESOURCE_GROUP_NAME

+ Name = $ACCOUNT_NAME

+ Location = $LOCATION

+ }

+ New-AzCosmosDBAccount @parameters

+ ```

+1. Get the SQL API endpoint *URI* for the account using the [``Get-AzCosmosDBAccount``](/powershell/module/az.cosmosdb/get-azcosmosdbaccount) cmdlet.

+ ```azurepowershell-interactive

+ $parameters = @{

+ ResourceGroupName = $RESOURCE_GROUP_NAME

+ Name = $ACCOUNT_NAME

+ }

+ Get-AzCosmosDBAccount @parameters |

+ Select-Object -Property "DocumentEndpoint"

+ ```

+1. Find the *PRIMARY KEY* from the list of keys for the account with the [``Get-AzCosmosDBAccountKey``](/powershell/module/az.cosmosdb/get-azcosmosdbaccountkey) cmdlet.

+ ```azurepowershell-interactive

+ $parameters = @{

+ ResourceGroupName = $RESOURCE_GROUP_NAME

+ Name = $ACCOUNT_NAME

+ Type = "Keys"

+ }

+ Get-AzCosmosDBAccountKey @parameters |

+ Select-Object -Property "PrimaryMasterKey"

+ ```

+1. Record the *URI* and *PRIMARY KEY* values. You'll use these credentials later.

+#### [Portal](#tab/azure-portal)

+> [!TIP]

+> For this quickstart, we recommend using the resource group name ``msdocs-cosmos-dotnet-quickstart-rg``.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. From the Azure portal menu or the **Home page**, select **Create a resource**.

+1. On the **New** page, search for and select **Azure Cosmos DB**.

+1. On the **Select API option** page, select the **Create** option within the **Core (SQL) - Recommend** section. Azure Cosmos DB has five APIs: SQL, MongoDB, Gremlin, Table, and Cassandra. [Learn more about the SQL API](/azure/cosmos-db/sql/introduction.md).

+ :::image type="content" source="media/create-account-portal/cosmos-api-choices.png" lightbox="media/create-account-portal/cosmos-api-choices.png" alt-text="Screenshot of select A P I option page for Azure Cosmos D B.":::

+1. On the **Create Azure Cosmos DB Account** page, enter the following information:

+ | Setting | Value | Description |

+ | | | |

+ | Subscription | Subscription name | Select the Azure subscription that you wish to use for this Azure Cosmos account. |

+ | Resource Group | Resource group name | Select a resource group, or select **Create new**, then enter a unique name for the new resource group. |

+ | Account Name | A unique name | Enter a name to identify your Azure Cosmos account. The name will be used as part of a fully qualified domain name (FQDN) with a suffix of *documents.azure.com*, so the name must be globally unique. The name can only contain lowercase letters, numbers, and the hyphen (-) character. The name must also be between 3-44 characters in length. |

+ | Location | The region closest to your users | Select a geographic location to host your Azure Cosmos DB account. Use the location that is closest to your users to give them the fastest access to the data. |

+ | Capacity mode |Provisioned throughput or Serverless|Select **Provisioned throughput** to create an account in [provisioned throughput](../set-throughput.md) mode. Select **Serverless** to create an account in [serverless](../serverless.md) mode. |

+ | Apply Azure Cosmos DB free tier discount | **Apply** or **Do not apply** |With Azure Cosmos DB free tier, you'll get the first 1000 RU/s and 25 GB of storage for free in an account. Learn more about [free tier](https://azure.microsoft.com/pricing/details/cosmos-db/). |

+ > [!NOTE]

+ > You can have up to one free tier Azure Cosmos DB account per Azure subscription and must opt-in when creating the account. If you do not see the option to apply the free tier discount, this means another account in the subscription has already been enabled with free tier.

+ :::image type="content" source="media/create-account-portal/new-cosmos-account-page.png" lightbox="media/create-account-portal/new-cosmos-account-page.png" alt-text="Screenshot of new account page for Azure Cosmos D B SQL A P I.":::

+1. Select **Review + create**.

+1. Review the settings you provide, and then select **Create**. It takes a few minutes to create the account. Wait for the portal page to display **Your deployment is complete** before moving on.

+1. Select **Go to resource** to go to the Azure Cosmos DB account page.

+ :::image type="content" source="media/create-account-portal/cosmos-deployment-complete.png" lightbox="media/create-account-portal/cosmos-deployment-complete.png" alt-text="Screenshot of deployment page for Azure Cosmos D B SQL A P I resource.":::

+1. From the Azure Cosmos DB SQL API account page, select the **Keys** navigation menu option.

+ :::image type="content" source="media/get-credentials-portal/cosmos-keys-option.png" lightbox="media/get-credentials-portal/cosmos-keys-option.png" alt-text="Screenshot of an Azure Cosmos D B SQL A P I account page. The Keys option is highlighted in the navigation menu.":::

+1. Record the values from the **URI** and **PRIMARY KEY** fields. You'll use these values in a later step.

+ :::image type="content" source="media/get-credentials-portal/cosmos-endpoint-key-credentials.png" lightbox="media/get-credentials-portal/cosmos-endpoint-key-credentials.png" alt-text="Screenshot of Keys page with various credentials for an Azure Cosmos D B SQL A P I account.":::

+### Create a new .NET app

+Create a new .NET application in an empty folder using your preferred terminal. Use the [``dotnet new``](/dotnet/core/tools/dotnet-new) command specifying the **console** template.

+```dotnetcli

+dotnet new console

+```

+### Install the package

+Add the [Microsoft.Azure.Cosmos](https://www.nuget.org/packages/Microsoft.Azure.Cosmos) NuGet package to the .NET project. Use the [``dotnet add package``](/dotnet/core/tools/dotnet-add-package) command specifying the name of the NuGet package.

+```dotnetcli

+dotnet add package Microsoft.Azure.Cosmos

+```

+Build the project with the [``dotnet build``](/dotnet/core/tools/dotnet-build) command.

+```dotnetcli

+dotnet build

+```

+Make sure that the build was successful with no errors. The expected output from the build should look something like this:

+```output

+ Determining projects to restore...

+ All projects are up-to-date for restore.

+ dslkajfjlksd -> C:\Users\sidandrews\Demos\dslkajfjlksd\bin\Debug\net6.0\dslkajfjlksd.dll

+Build succeeded.

+ 0 Warning(s)

+ 0 Error(s)

+```

+### Configure environment variables

+To use the **URI** and **PRIMARY KEY** values within your .NET code, persist them to new environment variables on the local machine running the application. To set the environment variable, use your preferred terminal to run the following commands:

+#### [Windows](#tab/windows)

+```powershell

+$env:COSMOS_ENDPOINT = "<cosmos-account-URI>"

+$env:COSMOS_KEY = "<cosmos-account-PRIMARY-KEY>"

+```

+#### [Linux / macOS](#tab/linux+macos)

+```bash

+export COSMOS_ENDPOINT="<cosmos-account-URI>"

+export COSMOS_KEY="<cosmos-account-PRIMARY-KEY>"

+```

+## Object model

+Before you start building the application, let's look into the hierarchy of resources in Azure Cosmos DB. Azure Cosmos DB has a specific object model used to create and access resources. The Azure Cosmos DB creates resources in a hierarchy that consists of accounts, databases, containers, and items.

+ Hierarchical diagram showing an Azure Cosmos D B account at the top. The account has two child database nodes. One of the database nodes includes two child container nodes. The other database node includes a single child container node. That single container node has three child item nodes.

+For more information about the hierarchy of different resources, see [working with databases, containers, and items in Azure Cosmos DB](../account-databases-containers-items.md).

+You'll use the following .NET classes to interact with these resources:

+- [``CosmosClient``](/dotnet/api/microsoft.azure.cosmos.cosmosclient) - This class provides a client-side logical representation for the Azure Cosmos DB service. The client object is used to configure and execute requests against the service.

+- [``Database``](/dotnet/api/microsoft.azure.cosmos.database) - This class is a reference to a database that may, or may not, exist in the service yet. The database is validated server-side when you attempt to access it or perform an operation against it.

+- [``Container``](/dotnet/api/microsoft.azure.cosmos.container) - This class is a reference to a container that also may not exist in the service yet. The container is validated server-side when you attempt to work with it.

+- [``QueryDefinition``](/dotnet/api/microsoft.azure.cosmos.querydefinition) - This class represents a SQL query and any query parameters.

+- [``FeedIterator<>``](/dotnet/api/microsoft.azure.cosmos.feediterator-1) - This class represents an iterator that can track the current page of results and get a new page of results.

+- [``FeedResponse<>``](/dotnet/api/microsoft.azure.cosmos.feedresponse-1) - This class represents a single page of responses from the iterator. This type can be iterated over using a ``foreach`` loop.

+## Code examples

+- [Authenticate the client](#authenticate-the-client)

+- [Create a database](#create-a-database)

+- [Create a container](#create-a-container)

+- [Create an item](#create-an-item)

+- [Get an item](#get-an-item)

+- [Query items](#query-items)

+The sample code described in this article creates a database named ``adventureworks`` with a container named ``products``. The ``products`` database is designed to contain product details such as name, category, quantity, and a sale indicator. Each product also contains a unique identifier.

+For this sample code, the container will use the category as a logical partition key.

+### Authenticate the client

+From the project directory, open the *Program.cs* file. In your editor, add a using directive for ``Microsoft.Azure.Cosmos``.

+Define a new instance of the ``CosmosClient`` class using the constructor, and [``Environment.GetEnvironmentVariable``](/dotnet/api/system.environment.getenvironmentvariable) to read the two environment variables you created earlier.

+For more information on different ways to create a ``CosmosClient`` instance, see [Get started with Azure Cosmos DB SQL API and .NET](how-to-dotnet-get-started.md#connect-to-azure-cosmos-db-sql-api).

+### Create a database

+Use the [``CosmosClient.CreateDatabaseIfNotExistsAsync``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.createdatabaseifnotexistsasync) method to create a new database if it doesn't already exist. This method will return a reference to the existing or newly created database.

+For more information on creating a database, see [Create a database in Azure Cosmos DB SQL API using .NET](how-to-dotnet-create-database.md).

+### Create a container

+The [``Database.CreateContainerIfNotExistsAsync``](/dotnet/api/microsoft.azure.cosmos.database.createcontainerifnotexistsasync) will create a new container if it doesn't already exist. This method will also return a reference to the container.

+For more information on creating a container, see [Create a container in Azure Cosmos DB SQL API using .NET](how-to-dotnet-create-container.md).

+### Create an item

+The easiest way to create a new item in a container is to first build a C# [class](/dotnet/csharp/language-reference/keywords/class) or [record](/dotnet/csharp/language-reference/builtin-types/record) type with all of the members you want to serialize into JSON. In this example, the C# record has a unique identifier, a *category* field for the partition key, and extra *name*, *quantity*, and *sale* fields.

+Create an item in the container by calling [``Container.UpsertItemAsync``](/dotnet/api/microsoft.azure.cosmos.container.upsertitemasync). In this example, we chose to *upsert* instead of *create* a new item in case you run this sample code more than once.

+### Get an item

+In Azure Cosmos DB, you can perform a point read operation by using both the unique identifier (``id``) and partition key fields. In the SDK, call [``Container.ReadItemAsync<>``](/dotnet/api/microsoft.azure.cosmos.container.readitemasync) passing in both values to return a deserialized instance of your C# type.

+### Query items

+After you insert an item, you can run a query to get all items that match a specific filter. This example runs the SQL query: ``SELECT * FROM todo t WHERE t.partitionKey = 'gear-surf-surfboards'``. This example uses the **QueryDefinition** type and a parameterized query expression for the partition key filter. Once the query is defined, call [``Container.GetItemQueryIterator<>``](/dotnet/api/microsoft.azure.cosmos.container.getitemqueryiterator) to get a result iterator that will manage the pages of results. Then, use a combination of ``while`` and ``foreach`` loops to retrieve pages of results and then iterate over the individual items.

+## Run the code

+This app creates an Azure Cosmos DB SQL API database and container. The example then creates an item and then reads the exact same item back. Finally, the example issues a query that should only return that single item. With each step, the example outputs metadata to the console about the steps it has performed.

+To run the app, use a terminal to navigate to the application directory and run the application.

+```dotnetcli

+dotnet run

+```

+The output of the app should be similar to this example:

+```output

+New database: adventureworks

+New container: products

+Created item: 68719518391 [gear-surf-surfboards]

+```

+## Clean up resources

+When you no longer need the Azure Cosmos DB SQL API account, you can delete the corresponding resource group.

+#### [Azure CLI](#tab/azure-cli)

+Use the [``az group delete``](/cli/azure/group#az-group-delete) command to delete the resource group.

+```azurecli-interactive

+az group delete --name $resourceGroupName

+```

+#### [PowerShell](#tab/azure-powershell)

+Use the [``Remove-AzResourceGroup``](/powershell/module/az.resources/remove-azresourcegroup) cmdlet to delete the resource group.

+```azurepowershell-interactive

+$parameters = @{

+ Name = $RESOURCE_GROUP_NAME

+}

+Remove-AzResourceGroup @parameters

+```

+#### [Portal](#tab/azure-portal)

+1. Navigate to the resource group you previously created in the Azure portal.

+ > [!TIP]

+ > In this quickstart, we recommended the name ``msdocs-cosmos-dotnet-quickstart-rg``.

+1. Select **Delete resource group**.

+ :::image type="content" source="media/delete-account-portal/delete-resource-group-option.png" lightbox="media/delete-account-portal/delete-resource-group-option.png" alt-text="Screenshot of the Delete resource group option in the navigation bar for a resource group.":::

+1. On the **Are you sure you want to delete** dialog, enter the name of the resource group, and then select **Delete**.

+ :::image type="content" source="media/delete-account-portal/delete-confirmation.png" lightbox="media/delete-account-portal/delete-confirmation.png" alt-text="Screenshot of the delete confirmation page for a resource group.":::

+## Next steps

+In this quickstart, you learned how to create an Azure Cosmos DB SQL API account, create a database, and create a container using the .NET SDK. You can now dive deeper into the SDK to import more data, perform complex queries, and manage your Azure Cosmos DB SQL API resources.

+> [!div class="nextstepaction"]

+> [Get started with Azure Cosmos DB SQL API and .NET](how-to-dotnet-get-started.md)

+ Title: Examples for Azure Cosmos DB SQL API SDK for .NET

+description: Find .NET SDK examples on GitHub for common tasks using the Azure Cosmos DB SQL API.

+ms.devlang: csharp

+# Examples for Azure Cosmos DB SQL API SDK for .NET

+> [!div class="op_single_selector"]

+> * [.NET](quickstart-dotnet.md)

+The [cosmos-db-sql-api-dotnet-samples](https://github.com/Azure-Samples/cosmos-db-sql-api-dotnet-samples) GitHub repository includes multiple sample projects. These projects illustrate how to perform common operations on Azure Cosmos DB SQL API resources.

+## Prerequisites

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free).

+* Azure Cosmos DB SQL API account. [Create a SQL API account](how-to-create-account.md).

+* [.NET 6.0 or later](https://dotnet.microsoft.com/download)

+* [Azure Command-Line Interface (CLI)](/cli/azure/) or [Azure PowerShell](/powershell/azure/)

+## Samples

+The sample projects are all self-contained and are designed to be ran individually without any dependencies between projects.

+### Client

+| Task | API reference |

+| : | : |

+| [Create a client with endpoint and key](https://github.com/Azure-Samples/cosmos-db-sql-api-dotnet-samples/blob/v3/101-client-endpoint-key/Program.cs#L11-L14) |[``CosmosClient(string, string)``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.-ctor#microsoft-azure-cosmos-cosmosclient-ctor(system-string-system-string-microsoft-azure-cosmos-cosmosclientoptions)) |

+| [Create a client with connection string](https://github.com/Azure-Samples/cosmos-db-sql-api-dotnet-samples/blob/v3/102-client-connection-string/Program.cs#L11-L13) |[``CosmosClient(string)``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.-ctor#microsoft-azure-cosmos-cosmosclient-ctor(system-string-microsoft-azure-cosmos-cosmosclientoptions)) |

+| [Create a client with ``DefaultAzureCredential``](https://github.com/Azure-Samples/cosmos-db-sql-api-dotnet-samples/blob/v3/103-client-default-credential/Program.cs#L20-L23) |[``CosmosClient(string, TokenCredential)``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.-ctor#microsoft-azure-cosmos-cosmosclient-ctor(system-string-azure-core-tokencredential-microsoft-azure-cosmos-cosmosclientoptions)) |

+| [Create a client with custom ``TokenCredential``](https://github.com/Azure-Samples/cosmos-db-sql-api-dotnet-samples/blob/v3/104-client-secret-credential/Program.cs#L25-L28) |[``CosmosClient(string, TokenCredential)``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.-ctor#microsoft-azure-cosmos-cosmosclient-ctor(system-string-azure-core-tokencredential-microsoft-azure-cosmos-cosmosclientoptions)) |

+### Databases

+| Task | API reference |

+| : | : |

+| [Create a database](https://github.com/Azure-Samples/cosmos-db-sql-api-dotnet-samples/blob/v3/200-create-database/Program.cs#L19-L21) |[``CosmosClient.CreateDatabaseIfNotExistsAsync``](/dotnet/api/microsoft.azure.cosmos.cosmosclient.createdatabaseifnotexistsasync) |

+### Containers

+| Task | API reference |

+| : | : |

+| [Create a container](https://github.com/Azure-Samples/cosmos-db-sql-api-dotnet-samples/blob/v3/225-create-container/Program.cs#L26-L30) |[``Database.CreateContainerIfNotExistsAsync``](/dotnet/api/microsoft.azure.cosmos.database.createcontainerifnotexistsasync) |

+### Items

+| Task | API reference |

+| : | : |

+| [Create an item](https://github.com/Azure-Samples/cosmos-db-sql-api-dotnet-samples/blob/v3/250-create-item/Program.cs#L35-L46) |[``Container.CreateItemAsync<>``](/dotnet/api/microsoft.azure.cosmos.container.createitemasync) |

+| [Point read an item](https://github.com/Azure-Samples/cosmos-db-sql-api-dotnet-samples/blob/v3/275-read-item/Program.cs#L51-L54) |[``Container.ReadItemAsync<>``](/dotnet/api/microsoft.azure.cosmos.container.readitemasync) |

+| [Query multiple items](https://github.com/Azure-Samples/cosmos-db-sql-api-dotnet-samples/blob/v3/300-query-items/Program.cs#L64-L80) |[``Container.GetItemQueryIterator<>``](/dotnet/api/microsoft.azure.cosmos.container.getitemqueryiterator) |

+## Next steps

+Dive deeper into the SDK to import more data, perform complex queries, and manage your Azure Cosmos DB SQL API resources.

+> [!div class="nextstepaction"]

+> [Get started with Azure Cosmos DB SQL API and .NET >](how-to-dotnet-get-started.md)

+## Create an anomaly alert

+You can create an anomaly alert to automatically get notified when an anomaly is detected. All email recipients get notified when a subscription cost anomaly is detected.

+An anomaly alert email includes a summary of changes in resource group count and cost. It also includes the top resource group changes for the day compared to the previous 60 days. And, it has a direct link to the Azure portal so that you can review the cost and investigate further.

+1. Start on a subscription scope.

+1. In the left menu, select **Cost alerts**.

+1. On the Cost alerts page, select **+ Add** > **Add anomaly alert**.

+1. On the Subscribe to emails page, enter required information and then select **Save**.

+ :::image type="content" source="./media/analyze-unexpected-charges/subscribe-emails.png" alt-text="Screenshot showing the Subscribe to emails page where you enter notification information for an alert." lightbox="./media/analyze-unexpected-charges/subscribe-emails.png" :::

+Here's an example email generated for an anomaly alert.

+## Create a linked service to Dynamics 365 (Microsoft Dataverse) or Dynamics CRM using UI

+2. Search for Dynamics or Dataverse and select the Dynamics 365 (Microsoft Dataverse) or Dynamics CRM connector.

+ :::image type="content" source="media/connector-dynamics-crm-office-365/dataverse-connector.png" alt-text="Screenshot of the Dataverse connector.":::

+## Direct assert row failures

+When an assertion fails, you can optionally direct those error rows to a file in Azure by using the "Errors" tab on the sink transformation.

+## Fuzzy join

+You can choose to join based on fuzzy join logic instead of exact column value matching by turning on the "Use fuzzy matching" checkbox option.

+* Combine text parts: Use this option to find matches by remove space between words. For example, Data Factory is matched with DataFactory if this option is enabled.

+* Similarity score column: You can optionally choose to store the matching score for each row in a column by entering a new column name here to store that value.

+* Similarity threshold: Choose a value between 60 and 100 as a percentage match between values in the columns you've selected.

+1. Choose which key columns you want to match on for your join condition. By default, data flow looks for equality between one column in each stream. To compare via a computed value, hover over the column dropdown and select **Computed column**.

+## Errors

+On the sink errors tab you can configure error row handling to capture and redirect output for database driver errors and failed assertions.

+For assert failure rows, you can use the Assert transformation upstream in your data flow and then redirect failed assertions to an output file here in the sink errors tab.

+You can also rerun a pipeline and change the parameters. Select the **New parameters** button to change the parameters.

+> [!NOTE]

+> Rerunning a pipeline with new parameters will be considered a new pipeline run so will not show under the rerun groupings for a pipeline run.

+ :::image type="content" source="media/monitor-visually/new-alerts.png" alt-text="Screenshot of New Alert Rule button.":::

+ :::image type="content" source="media/monitor-visually/name-and-severity.png" alt-text="Screenshot of boxes for rule name and severity.":::

+ :::image type="content" source="media/monitor-visually/add-criteria-1.png" alt-text="Screenshot of box for target criteria.":::

+ :::image type="content" source="media/monitor-visually/add-criteria-3.png" alt-text="Screenshot of list of criteria.":::

+ :::image type="content" source="media/monitor-visually/alert-logic.png" alt-text="Screenshot of options for configuring alert logic.":::

+ :::image type="content" source="media/monitor-visually/configure-notification-1.png" alt-text="Screenshot of options for configuring notifications.":::

+ :::image type="content" source="media/monitor-visually/configure-notification-2.png" alt-text="Screenshot of options for adding a notification.":::

+ :::image type="content" source="media/monitor-visually/create-alert-rule.png" alt-text="Screenshot of options for creating an alert rule.":::

+- Azure Data Lake Storage Gen1

+- Azure Database for PostgreSQL

+- PostgreSQL

+ Inner,

+ LeftOuter,

+ RightOuter,

+ FullOuter

+ - You've uploaded your own or generated the device certificates on your device if you changed the device name or the DNS domain via the **Device** page. If you haven't done this step, you'll see an error during the device activation and the activation will be blocked. For more information, go to [Configure certificates](azure-stack-edge-gpu-deploy-configure-certificates.md).

+ 

+ 

+5. First the device is activated. You're then prompted to download the key file.

+ 

+ |`DataVolumeBitLockerExternalKeys`|These are the BitLocker keys for the data disks and are used to recover the local data on your device.|

+ |`ServiceEncryptionKey`| This key protects the data flowing through the Azure service. This key ensures that a compromise of the Azure service won't result in a compromise of stored information. |

+ 

+After you've activated the device, the next step is to deploy workloads.

+To configure a client to access Kubernetes cluster, you'll need the Kubernetes endpoint. Follow these steps to get Kubernetes API endpoint from the local UI of your Azure Stack Edge Pro device.

+ 

+3. Save the endpoint string. You'll use this endpoint string later when configuring a client to access the Kubernetes cluster via kubectl.

+ - If you've been provided a key from Microsoft (select users may have a key), go to Kubernetes API, select **Advanced config**, and download an advanced configuration file for Kubernetes.

+ 

+ 

+ 

+ 

+ If you've changed the device name and the DNS domain, the automatically generated self-signed certificates on the device won't work. You'll need to regenerate device certificates or bring your own certificates.

+ 

+ 

+ 

+ 

+With a digital twin graph and curated 3D model, subject matter experts can leverage the studio's low-code builder to map the 3D elements to digital twins, and define UI interactivity and business logic for a 3D visualization of a business environment. The 3D scenes can then be consumed in the hosted [3D Scenes Studio](concepts-azure-digital-twins-explorer.md), or in a custom application that leverages the embeddable 3D viewer component.

+## Open modeling language

+## Live execution environment

+## Input from IoT and business systems

+## Output data for storage and analytics

+## Resources

+Here are some resources that may be useful while working with Azure Digital Twins. You can view more resources under the **Resources** header in the table of contents for this documentation set.

+### Service limits

+### Terminology

+ Title: 'Tutorial: Create an alias record to support domain name apex with Traffic Manager'

+description: In this tutorial, you learn how to create and configure an Azure DNS alias record to support using your domain name apex with Traffic Manager.

+#Customer intent: As an experienced network administrator, I want to configure Azure DNS alias records to use my domain name apex with Traffic Manager.

+# Tutorial: Create an alias record to support domain name apex with Traffic Manager

+You can create an alias record for your domain name apex to reference an Azure Traffic Manager profile. Instead of using a redirecting service, you configure Azure DNS to reference a Traffic Manager profile directly from your zone.

+> * Create a virtual network and a subnet.

+> * Create a web server virtual machine with a public IP.

+> * Add a DNS label to a public IP.

+* An Azure account with an active subscription.

+* A domain name hosted in Azure DNS. If you don't have an Azure DNS zone, you can [create a DNS zone](./dns-delegate-domain-azure-dns.md#create-a-dns-zone), then [delegate your domain](dns-delegate-domain-azure-dns.md#delegate-the-domain) to Azure DNS.

+> [!NOTE]

+> In this tutorial, `contoso.com` is used as an example domain name. Replace `contoso.com` with your own domain name.

+## Sign in to Azure

+Sign in to the Azure portal at https://portal.azure.com.

+Create a virtual network and a subnet to place your web servers in.

+1. In the Azure portal, enter *virtual network* in the search box at the top of the portal, and then select **Virtual networks** from the search results.

+1. In **Virtual networks**, select **+ Create**.

+1. In **Create virtual network**, enter or select the following information in the **Basics** tab:

+ | **Setting** | **Value** |

+ |-|-|

+ | **Project Details** | |

+ | Subscription | Select your Azure subscription |

+ | Resource Group | Select **Create new** </br> In **Name**, enter *TMResourceGroup* </br> Select **OK** |

+ | **Instance details** | |

+ | Name | Enter *myTMVNet* |

+ | Region | Select your region |

+1. Select the **IP Addresses** tab or select the **Next: IP Addresses** button at the bottom of the page.

+1. In the **IP Addresses** tab, enter the following information:

+ | Setting | Value |

+ |-|-|

+ | IPv4 address space | Enter *10.10.0.0/16* |

+1. Select **+ Add subnet**, and enter this information in the **Add subnet**:

+ | Setting | Value |

+ |-|-|

+ | Subnet name | Enter *WebSubnet* |

+ | Subnet address range | Enter *10.10.0.0/24* |

+1. Select **Add**.

+1. Select the **Review + create** tab or select the **Review + create** button.

+1. Select **Create**.

+## Create web server virtual machines

+Create two Windows Server virtual machines, and install IIS web server on them, and then add DNS labels to their public IPs.

+### Create the virtual machines

+Create two Windows Server 2019 virtual machines.

+1. In the Azure portal, enter *virtual machine* in the search box at the top of the portal, and then select **Virtual machines** from the search results.

+1. In **Virtual machines**, select **+ Create** and then select **Azure virtual machine**.

+1. In **Create a virtual machine**, enter or select the following information in the **Basics** tab:

+ | **Setting** | **Value** |

+ |||

+ | **Project Details** | |

+ | Subscription | Select your Azure subscription |

+ | Resource Group | Select **TMResourceGroup** |

+ | **Instance details** | |

+ | Virtual machine name | Enter *Web-01* |

+ | Region | Select **(US) East US** |

+ | Availability options | Select **No infrastructure redundancy required** |

+ | Security type | Select **Standard**. |

+ | Image | Select **Windows Server 2019 Datacenter - Gen2** |

+ | Size | Select your VM size |

+ | **Administrator account** | |

+ | Username | Enter a username |

+ | Password | Enter a password |

+ | Confirm password | Reenter password |

+ | **Inbound port rules** | |

+ | Public inbound ports | Select **None** |

+1. Select the **Networking** tab, or select **Next: Disks**, then **Next: Networking**.

+1. In the **Networking** tab, enter or select the following information:

+ | Setting | Value |

+ ||-|

+ | **Network interface** | |

+ | Virtual network | Select **myTMVNet** |

+ | Subnet | Select **WebSubnet** |

+ | Public IP | Select **Create new**, and then enter *Web-01-ip* in **Name** </br> Select **Basic** for the **SKU**, and **Static** for the **Assignment** |

+ | NIC network security group | Select **Basic**|

+ | Public inbound ports | Select **Allow selected ports** |

+ | Select inbound ports | Select **HTTP (80)**, **HTTPS (443)** and **RDP (3389)** |

+1. Select **Review + create**.

+1. Review the settings, and then select **Create**.

+1. Repeat previous steps to create the second virtual machine. Enter *Web-02* in the **Virtual machine name** and *Web-02-ip* in the **Name** of **Public IP**. For the other settings, use the same information from the previous steps used with first virtual machine.

+Each virtual machine deployment may take a few minutes to complete.

+### Install IIS web server

+Install IIS on both **Web-01** and **Web-02** virtual machines.

+1. In the **Connect** page of **Web-01** virtual machine, select **RDP** and then **Download RDP File**.

+1. Open *Web-01.rdp* file, and select **Connect**.

+1. Enter the username and password entered during virtual machine creation.

+1. On the **Server Manager** dashboard, select **Manage** then **Add Roles and Features**.

+1. Select **Server Roles** or select **Next** three times. On the **Server Roles** page, select **Web Server (IIS)**.

+1. Select **Add Features**, and then select **Next**.

+ :::image type="content" source="./media/tutorial-alias-tm/iis-web-server-installation.png" alt-text="Screenshot of Add Roles and Features Wizard in Windows Server 2019 showing how to add the I I S Web Server.":::

+1. Select **Confirmation** or select **Next** three times, and then select **Install**. The installation process takes a few minutes to finish.

+1. After the installation finishes, select **Close**.

+1. Go to *C:\inetpub\wwwroot* and open *iisstart.htm* with Notepad or any editor of your choice.

+1. Replace `IIS Windows Server` in the title with the virtual machine name `Web-01` and save the file.

+1. Open a web browser. Browse to **localhost** to verify that the default IIS welcome page appears.

+ :::image type="content" source="./media/tutorial-alias-tm/iis-on-web-01-vm-in-web-browser.png" alt-text="Screenshot of Internet Explorer showing the I I S Web Server Welcome page.":::

+1. Repeat previous steps to install IIS web server on **Web-02** virtual machine. Use `Web-02` in the title of *iisstart.htm*.

+1. In the Azure portal, enter *TMResourceGroup* in the search box at the top of the portal, and then select **TMResourceGroup** from the search results.

+1. In the **TMResourceGroup** resource group, select the **Web-01-ip** public IP address.

+1. Under **Settings**, select **Configuration**.

+1. Enter *web01pip* in the **DNS name label**.

+1. Select **Save**.

+ :::image type="content" source="./media/tutorial-alias-tm/ip-dns-name-label-inline.png" alt-text="Screenshot of the Configuration page of Azure Public IP Address showing D N S name label." lightbox="./media/tutorial-alias-tm/ip-dns-name-label-expanded.png":::

+1. Repeat the previous steps for the **Web-02-ip** public IP address and enter *web02pip* in the **DNS name label**.

+## Create a Traffic Manager profile

+1. In the **Overview** page of **Web-01-ip** public IP address, note the IP address for later use. Repeat this step for the **Web-02-ip** public IP address.

+1. In the Azure portal, enter *Traffic Manager profile* in the search box at the top of the portal, and then select **Traffic Manager profiles**.

+1. Select **+ Create**.

+1. In the **Create Traffic Manager profile** page, enter or select the following information:

+ | Setting | Value |

+ |--||

+ | Name | Enter *TM-alias-test* |

+ | Routing method | Select **Priority** |

+ | Subscription | Select your Azure subscription |

+ | Resource group | Select **TMResourceGroup** |

+ :::image type="content" source="./media/tutorial-alias-tm/create-traffic-manager-profile.png" alt-text="Screenshot of the Create Traffic Manager profile page showing the selected settings.":::

+1. Select **Create**.

+1. After **TM-alias-test** deployment finishes, select **Go to resource**.

+1. In the **Endpoints** page of **TM-alias-test** Traffic Manager profile, select **+ Add** and enter or select the following information:

+ | Setting | Value |

+ |--||

+ | Type | Select **External endpoint** |

+ | Name | Enter *EP-Web01* |

+ | Fully qualified domain name (FQDN) or IP | Enter the IP address for **Web-01-ip** that you noted previously |

+ | Priority | Enter *1* |

+ :::image type="content" source="./media/tutorial-alias-tm/add-endpoint-tm-inline.png" alt-text="Screenshot of the Endpoints page in Traffic Manager profile showing selected settings for adding an endpoint." lightbox="./media/tutorial-alias-tm/add-endpoint-tm-expanded.png":::

+1. Select **Add**.

+1. Repeat the last two steps to create the second endpoint. Enter or select the following information:

+ | Setting | Value |

+ |--||

+ | Type | Select **External endpoint** |

+ | Name | Enter *EP-Web02* |

+ | Fully qualified domain name (FQDN) or IP | Enter the IP address for **Web-02-ip** that you noted previously |

+ | Priority | Enter *2* |

+1. In the Azure portal, enter *contoso.com* in the search box at the top of the portal, and then select **contoso.com** DNS zone from the search results.

+1. In the **Overview** page of **contoso.com** DNS zone, select the **+ Record set** button.

+1. In the **Add record set**, leave the **Name** box empty to represent the domain name apex. An example is `contoso.com`.

+1. Select **A** for the **Type**.

+1. Select **Yes** for the **Alias record set**, and then select the **Azure Resource** for the **Alias type**.

+1. Select the **TM-alias-test** Traffic Manager profile for the **Azure resource**.

+1. Select **OK**.

+ :::image type="content" source="./media/tutorial-alias-tm/add-record-set-tm-inline.png" alt-text="Screenshot of adding an alias record to refer to the Traffic Manager profile." lightbox="./media/tutorial-alias-tm/add-record-set-tm-expanded.png":::

+1. From a web browser, browse to `contoso.com` or your domain name apex. You see the IIS default welcome page with `Web-01` in the title of the browser page. The Traffic Manager directed traffic to **Web-01** IIS web server because it has the highest priority. Close the web browser and shut down **Web-01** virtual machine. Wait a few minutes for it to completely shut down.

+1. Open a new web browser, and browse again to `contoso.com` or your domain name apex.

+1. You see the IIS default welcome page again but with `Web-02` in the title of the browser page. The Traffic Manager handled the situation and directed traffic to the second IIS server after shutting down the first server that has the highest priority.

+When no longer needed, you can delete all resources created in this tutorial by following these steps:

+1. On the Azure portal menu, select **Resource groups**.

+1. Select the **TMResourceGroup** resource group.

+1. Select **Delete resource group**.

+1. Enter *TMResourceGroup* and select **Delete**.

+1. On the Azure portal menu, select **All resources**.

+1. Select **contoso.com** DNS zone.

+1. Select the **@** record created in this tutorial.

+1. Select **Delete** and then **Yes**.

+In this tutorial, you created an alias record to use your apex domain name to reference a Traffic Manager profile.

+- Learn more about [alias records](dns-alias.md).

+- Learn more about [zones and records](dns-zones-records.md).

+- Learn more about [Traffic Manager routing methods](../traffic-manager/traffic-manager-routing-methods.md).

+ Title: Monitor virtual machines changes with Azure Event Grid

+description: Check for changes in virtual machines (VMs) by using Azure Event Grid and Azure Logic Apps.

+# Tutorial: Monitor virtual machine changes by using Azure Event Grid and Azure Logic Apps

+You can monitor and respond to specific events that happen in Azure resources or external resources by using Azure Event Grid and Azure Logic Apps. You can create an automated [Consumption logic app workflow](../logic-apps/logic-apps-overview.md) with minimal code using Azure Logic Apps. You can have these resources publish events to [Azure Event Grid](../event-grid/overview.md). In turn, Azure Event Grid pushes those events to subscribers that have queues, webhooks, or [event hubs](../event-hubs/event-hubs-about.md) as endpoints. As a subscriber, your workflow waits for these events to arrive in Azure Event Grid before running the steps to process the events.

+For example, here are some events that publishers can send to subscribers through Azure Event Grid:

+This tutorial creates a Consumption logic app resource that runs in [*multi-tenant* Azure Logic Apps](../logic-apps/logic-apps-overview.md) and is based on the [Consumption pricing model](../logic-apps/logic-apps-pricing.md#consumption-pricing). Using this logic app resource, you create a workflow that monitors changes to a virtual machine, and sends emails about those changes. When you create a workflow that has an event subscription to an Azure resource, events flow from that resource through Azure Event Grid to the workflow.

+> * Create a logic app resource and workflow that monitors events from Azure Event Grid.

+* If you have a firewall that limits traffic to specific IP addresses, you have to set up your firewall to allow access for Azure Logic Apps to communicate through the firewall. You need to allow access for both the [inbound](../logic-apps/logic-apps-limits-and-config.md#inbound) and [outbound](../logic-apps/logic-apps-limits-and-config.md#outbound) IP addresses used by Azure Logic Apps in the Azure region where you create your logic app.

+ | **Plan type** | Yes | Consumption | The resource type for your logic app. For this tutorial, make sure that you select **Consumption**. |

+ >

+ > If you later want to use the Azure Event Grid operations with a Standard logic app resource instead,

+ > make sure that you create a *stateful* workflow, not a stateless workflow. This tutorial applies only

+ > to Consumption logic apps, which follow a different user experience. To add Azure Event Grid operations

+ > to your workflow in the designer, on the operations picker pane, make sure that you select the **Azure** tab.

+ > [!NOTE]

+ >

+ > The workflow templates gallery is available only for Consumption logic apps, not Standard logic apps.

+ 

+ The workflow designer now shows you the [*triggers*](../logic-apps/logic-apps-overview.md#logic-app-concepts) that you can use to start your logic app. Every workflow must start with a trigger, which fires when a specific event happens or when a specific condition is met. Each time the trigger fires, Azure Logic Apps creates a workflow instance that runs your logic app.

+## Add an Azure Event Grid trigger

+Now add the Azure Event Grid trigger, which you use to monitor the resource group for your virtual machine.

+ 

+ 

+ >

+ > the Azure Event Grid trigger might not appear correctly. As a workaround, select

+ | **Event Type Item** | No | <*event-types*> | Select one or more specific event types to filter and send to Azure Event Grid. For example, you can optionally add these event types to detect when resources are changed or deleted: <p><p>- `Microsoft.Resources.ResourceActionSuccess` <br>- `Microsoft.Resources.ResourceDeleteSuccess` <br>- `Microsoft.Resources.ResourceWriteSuccess` <p>For more information, see these topics: <p><p>- [Azure Event Grid event schema for resource groups](../event-grid/event-schema-resource-groups.md) <br>- [Understand event filtering](../event-grid/event-filtering.md) <br>- [Filter events for Azure Event Grid](../event-grid/how-to-filter-events.md) |

+1. Save your logic app workflow. On the designer toolbar, select **Save**. To collapse and hide an action's details in your workflow, select the action's title bar.

+ When you save your logic app workflow with an Azure Event Grid trigger, Azure automatically creates an event subscription for your logic app to your selected resource. So when the resource publishes an event to the Azure Event Grid service, the service automatically pushes the event to your logic app. This event triggers and runs the logic app workflow you define in these next steps.

+Your logic app is now live and listens to events from Azure Event Grid, but doesn't do anything until you add actions to the workflow.

+If you want to your logic app workflow to run only when a specific event or operation happens, add a condition that checks for the **Microsoft.Compute/virtualMachines/write** operation. When this condition is true, your logic app workflow sends you an email, which has details about the updated virtual machine.

+1. In the workflow designer, under the Azure Event Grid trigger, select **New step**.

+ The workflow designer adds an empty condition to your workflow, including action paths to follow based whether the condition is true or false.

+1. Create a condition that checks the event `body` for a `data` object where the `operationName` property is equal to the `Microsoft.Compute/virtualMachines/write` operation. Learn more about [Azure Event Grid event schema](../event-grid/event-schema.md).

+ 

+ > the action that references the array. That way, your logic app workflow performs that action on each array item.

+ And your finished logic app workflow might look like the following example:

+ 

+ Your logic app is now live, but waits for changes to your virtual machine before doing anything. To test your workflow now, continue to the next section.

+1. To check that your workflow is getting the specified events, update your virtual machine.

+Congratulations, you've created and run a logic app workflow that monitors resource events through Azure Event Grid and emails you when those events happen. You also learned how easily you can create workflows that automate processes and integrate systems and cloud services.

+* To stop running your workflow without deleting your work, disable your app. On your logic app menu, select **Overview**. On the toolbar, select **Disable**.

+* [Create and route custom events with Azure Event Grid](../event-grid/custom-event-quickstart.md)

+See the following samples to learn about publishing events to and consuming events from Azure Event Grid using different programming languages.

+Azure Event Grid's **Partner Events** allows customers to **subscribe to events** that originate in a registered system using the same mechanism they would use for any other event source on Azure, such as an Azure service. Those registered systems integrate with Event Grid are known as "partners".

+This feature also enables customers to **send events** to partner systems that support receiving and routing events to customer's solutions/endpoints in their platform. Typically, partners are software-as-a-service (SaaS) or [ERP](https://en.wikipedia.org/wiki/Enterprise_resource_planning) providers, but they might be corporate platforms wishing to make their events available to internal teams.

+They purposely integrate with Event Grid to realize end-to-end customer use cases that end on Azure (customers subscribe to events sent by partner) or end on a partner system (customers subscribe to Microsoft events sent by Azure Event Grid). Customers bank on Azure Event Grid to send events published by a partner to supported destinations such as webhooks, Azure Functions, Azure Event Hubs, or Azure Service Bus, to name a few.

+Customers also rely on Azure Event Grid to route events that originate in Microsoft services, such as Azure Storage, Outlook, Teams, or Azure AD, to partner systems where customer's solutions can react to them.

+With Partner Events, customers can build event-driven solutions across platforms and network boundaries to receive or send events reliably, securely and at a scale.

+- You want to take advantage of the rich set Event Grid's [destinations/event handlers](overview.md#event-handlers) that react to events from partners.

+**User Defined Routes (UDR)** - FastPath will honor UDRs configured on the GatewaySubnet and send traffic directly to an Azure Firewall or third party NVA.

+Available in all regions.

+> If you have an existing gateway that is not zone-redundant (meaning it is Standard, High Performance, or Ultra Performance SKU) **and** uses a Basic public IP address, you will need to delete and [recreate the gateway](expressroute-howto-add-gateway-portal-resource-manager.md#create-the-virtual-network-gateway) using any SKU and a Standard, Static public IP address.

+### FastPath virtual network peering and user defined routes (UDRs).

+With FastPath and UDR, you can configure a UDR on the GatewaySubnet to direct ExpressRoute traffic to an Azure Firewall or third party NVA. FastPath will honor the UDR and send traffic directly to the target Azure Firewall or NVA, bypassing the ExpressRoute virtual network gateway in the data path.

+> [!NOTE]

+> The previews for virtual network peering and user defined routes (UDRs) are offered together. You cannot enable only one scenario.

+>

+To enroll in these previews, run the follow Azure PowerShell command in the target Azure subscription:

+ Title: 'Connect Azure Front Door Premium to an App Service origin with Private Link'

+# Connect Azure Front Door Premium to an App Service origin with Private Link

+> Private endpoints requires your App Service plan or function hosting plan to meet some requirements. For more information, see [Using Private Endpoints for Azure Web App](../../app-service/networking/private-endpoint.md).

+description: When a resource is non-compliant, there are many possible reasons. Discover what caused the non-compliance quickly and easily.

+#### Azure Policy Resource Provider mode compliance reasons

+The following table maps each `Microsoft.PolicyInsights`

+[Resource Provider mode](../concepts/definition-structure.md#resource-provider-modes) reason code to

+its corresponding explanation:

+|Compliance reason code |Error message and explanation |

+|-|-|

+|NonModifiablePolicyAlias |NonModifiableAliasConflict: The alias '{alias}' is not modifiable in requests using API version '{apiVersion}'. This error happens when a request using an API version where the alias does not support the 'modify' effect or only supports the 'modify' effect with a different token type. |

+|AppendPoliciesNotApplicable |AppendPoliciesUnableToAppend: The aliases: '{ aliases }' are not modifiable in requests using API version: '{ apiVersion }'. This can happen in requests using API versions for which the aliases do not support the 'modify' effect, or support the 'modify' effect with a different token type. |

+|ConflictingAppendPolicies |ConflictingAppendPolicies: Found conflicting policy assignments that modify the '{notApplicableFields}' field. Policy identifiers: '{policy}'. Please contact the subscription administrator to update the policy assignments.

+ |

+|AppendPoliciesFieldsExist |AppendPoliciesFieldsExistWithDifferentValues: Policy assignments attempted to append fields which already exist in the request with different values. Fields: '{existingFields}'. Policy identifiers: '{policy}'. Please contact the subscription administrator to update the policies.

+ |

+|AppendPoliciesUndefinedFields |AppendPoliciesUndefinedFields: Found policy definition that refer to an undefined field property for API version '{apiVersion}'. Fields: '{nonExistingFields}'. Policy identifiers: '{policy}'. Please contact the subscription administrator to update the policies.

+ |

+|MissingRegistrationForType |MissingRegistrationForResourceType: The subscription is not registered for the resource type '{ResourceType}'. Please check that the resource type exists and that the resource type is registered.

+ |

+|AmbiguousPolicyEvaluationPaths |The request content has one or more ambiguous paths: '{0}' required by policies: '{1}'. |

+|InvalidResourceNameWildcardPosition |The policy assignment '{0}' associated with the policy definition '{1}' could not be evaluated. The resource name '{2}' within an ifNotExists condition contains the wildcard '?' character in an invalid position. Wildcards can only be located at the end of the name in a segment by themselves (ex. TopLevelResourceName/?). Please either fix the policy or remove the policy assignment to unblock. |

+|TooManyResourceNameSegments |The policy assignment '{0}' associated with the policy definition '{1}' could not be evaluated. The resource name '{2}' within an ifNotExists condition contains too many name segments. The number of name segments must be equal to or less than the number of type segments (excluding the resource provider namespace). Please either fix the policy definition or remove the policy assignment to unblock. |

+|InvalidPolicyFieldPath |The field path '{0}' within the policy definition is invalid. Field paths must contain no empty segments. They may contain only alphanumeric characters with the exception of the '.' character for splitting segments and the '[*]' character sequence to access array properties.

+Finally, you can publish the policy definitions using the New-AzPolicyDefinition cmdlet. The below commands will publish your guest configuration policy to the policy center.

+To run the New-AzPolicyDefinition command, you need access to create policy definitions in Azure. The specific authorization

+New-AzPolicyDefinition -Name 'mypolicydefinition' -Policy '.\policies'

+New-AzStorageAccount -ResourceGroupName myResourceGroupName -Name mystorageaccount -SkuName 'Standard_LRS' -Location 'WestUs' | New-AzStorageContainer -Name guestconfiguration -Permission Blob

+To publish your configuration package to Azure blob storage, you can follow the below steps which leverages the Az.Storage module.

+First, obtain the context of the storage account in which the package will be stored. This example creates a context by specifying a connection string and saves the context in the variable $Context.

+```powershell

+$Context = New-AzStorageContext -ConnectionString "DefaultEndpointsProtocol=https;AccountName=ContosoGeneral;AccountKey=< Storage Key for ContosoGeneral ends with == >;"

+```

+Next, add the configuration package to the storage account. This example uploads the zip file ./MyConfig.zip to the blob "guestconfiguration".

+```powershell

+Set-AzStorageBlobContent -Container "guestconfiguration" -File ./MyConfig.zip -Blob "guestconfiguration" -Context $Context

+```

+Optionally, you can add a SAS token in the URL, this ensures that the content package will be accessed securely. The below example generates a blob SAS token with full blob permission and returns the full blob URI with the shared access signature token.

+$contenturi = New-AzStorageBlobSASToken -Context $Context -FullUri -Container guestconfiguration -Blob "guestconfiguration" -Permission rwd

+|Ubuntu 18|[PowerShell 7.2.4](https://github.com/PowerShell/PowerShell/releases/tag/v7.2.4)|

+## May 2022

+### **Enhancement**

+|Enhancement |Related information |

+| :-- | : |

+|Prevent no impact updates from creating version - SQL |If a user updates a record that already exists and nothing has changed in the content, then the user should get a 200 but nothing should update the record. We updated the UpsertAsync method to add validations in the code instead of in UpsertResource SP and check the existing resource rawData with new resource rawData by ignoring meta.versionId and meta.lastUpdated. If it's an absolute match, then we return Ok with existing resource information without updating VersionId and lastUpdated. If the strings don't match, then we proceed with further steps of creating a new version. For more information, see [#2519](https://github.com/microsoft/fhir-server/pull/2519). |

+|Enhancements |Related information |

+| :-- | : |

+| :-- | : |

+|Feature |Related information |

+| :-- | : |

+| :-- | : |

+|Enhancements |Related information |

+| :-- | : |

+| :-- | : |

+|Enhancements |Related information |

+| :- | : |

+| :-- | : |

+|Enhancements |Related information |

+| :- | : |

+| :-- | : |

+| :-- | :- |

+|Enhancements |Related information |

+| :- | : |

+| :-- | : |

+| :-- | : |

+| :-- | : |

+| :-- | : |

+| :-- | : |

+| :-- | : |

+| :-- | : |

+|Bug fixes |Related information |

+| :-- | : |

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+|Using [token type](https://www.hl7.org/fhir/search.html#token) fields of length more than 128 characters can result in undesired behavior on create, search, update, and delete operations. | May 2022 |No workaround | Not resolved |

+|The SQL provider will cause the `RawResource` column in the database to save incorrectly. This occurs in a small number of cases when a transient exception occurs that causes the provider to use its retry logic.ΓÇ»|April 2022 |Resolved [#2571](https://github.com/microsoft/fhir-server/pull/2571)|May 2022 |

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+## May 2022

+### FHIR service

+#### **Bug fixes**

+|Bug fixes |Related information |

+| :-- | : |

+|Removes SQL retry on upsert |Removes retry on SQL command for upsert. The error still occurs, but data is saved correctly in success cases. For more information, see [#2571](https://github.com/microsoft/fhir-server/pull/2571). |

+|Added handling for SqlTruncate errors |Added a check for SqlTruncate exceptions and tests. In particular, this will catch SqlTruncate exceptions for Decimal type based on the specified precision and scale. For more information, see [#2553](https://github.com/microsoft/fhir-server/pull/2553). |

+### DICOM service

+#### **Features**

+|Enhancements | Related information |

+| : | :- |

+|DICOM service supports cross-origin resource sharing (CORS) |DICOM service now supports [CORS](./../healthcare-apis/fhir/configure-cross-origin-resource-sharing.md). CORS allows you to configure settings so that applications from one domain (origin) can access resources from a different domain, known as a cross-domain request. |

+|DICOMcast supports Private Link |DICOMcast has been updated to support Azure Health Data Services workspaces that have been configured to use [Private Link](./../healthcare-apis/healthcare-apis-configure-private-link.md). |

+|UPS-RS supports Change and Retrieve work item |Modality worklist (UPS-RS) endpoints have been added to support Change and Retrieve operations for work items. |

+|API version is now required as part of the URI |All REST API requests to the DICOM service must now include the API version in the URI. For more details, see [API versioning for DICOM service](./../healthcare-apis/dicom/api-versioning-dicom-service.md). |

+#### **Bug fixes**

+|Bug fixes |Related information |

+| :-- | : |

+|Index the first value for DICOM tags that incorrectly specify multiple values |Attributes that are defined to have a single value but have specified multiple values will now be leniently accepted. The first value for such attributes will be indexed. |

+#### **Features and enhancements**

+|Enhancements |Related information |

+| :- | : |

+#### **Bug fixes**

+| :-- | : |

+#### **Known issues**

+#### **Bug fixes**

+| :-- | : |

+#### **Features**

+|Feature |Related information |

+| :- | : |

+#### **Features**

+| : | :- |

+#### **Bug fixes**

+| :-- | : |

+#### **Features and enhancements**

+| : | :- |

+#### **Features and enhancements**

+|Enhancement |Related information |

+| :- | : |

+| : | :- |

+#### **Features and enhancements**

+|Enhancements |Related information |

+| :- | : |

+#### **Features and enhancements**

+| : | :- |

+#### **Bug fixes**

+| :-- | : |

+| Enhancements | Related information |

+| :- | :-- |

+#### **Bug fixes**

+| :-- | : |

+| : | :- |

+| Enhancements | Related information |

+| :- | :-- |

+| : | :- |

+| : | :- |

+| : | :- |

+| : | :- |

+| :- | :- |

+| :- | :-|

+| :- | :-|

+| :- | :-- |

+| :- | :- |

+| :- | :- |

+| :- | :- |

+#### **Bug fixes**

+| :- | :- |

+| :- | :- |

+#### **Bug fixes**

+| :- | :- |

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+Specify the DNS server for your environment in the container engine settings, which will apply to all container modules started by the engine. Create a file named `daemon.json`, then specify the DNS server to use. For example:

+This DNS server is set to a publicly accessible DNS service. However some networks, such as corporate networks, have their own DNS servers installed and won't allow access to public DNS servers. Therefore, if your edge device can't access a public DNS server, replace it with an accessible DNS server address.

+- [Frequently asked questions: Integrate Key Vault with Integrated Certificate Authorities](faq.yml)

+- [Azure Key Vault certificate renewal frequently as questions](faq.yml)

+- [Integrate Key Vault with DigiCert certificate authority](how-to-integrate-certificate-authority.md)

+- [Tutorial: Configure certificate autorotation in Key Vault](tutorial-rotate-certificates.md)

+## Establish a private link connection to Key Vault using the Azure portal

+1. Sign in to the Azure portal.

+1. In the search bar, type in "key vaults".

+1. Select the "Networking" tab under Settings.

+1. Select the "Private endpoint connections" tab at the top of the page.

+1. Select the "+ Create" button at the top of the page.

+1. Under "Project Details", select the Resource Group that contains the virtual network that you created as a prerequisite for this tutorial. Under "Instance details", enter "myPrivateEndpoint" as the Name, and select the same location as the virtual network that you created as a prerequisite for this tutorial.

+ You can choose to create a private endpoint for any Azure resource in using this blade. You can either use the dropdown menus to select a resource type and select a resource in your directory, or you can connect to any Azure resource using a resource ID. Leave the "integrate with the private zone DNS" option unchanged.

+1. Advance to the "Resources" blade. For "Resource type", select "Microsoft.KeyVault/vaults"; for "Resource", select the key vault you created as a prerequisite for this tutorial. "Target sub-resource" will auto-populate with "vault".

+1. Advance to the "Virtual Network". Select the virtual network and subnet that you created as a prerequisite for this tutorial.

+1. Advance through the "DNS" and "Tags" blades, accepting the defaults.

+1. On the "Review + Create" blade, select "Create".

+| Service action | Service consumer private endpoint state | Description |

+#### GPU drivers

+When you create the lab, we recommend that you install the GPU drivers by selecting the **Install GPU drivers** option in the lab creation wizard. You should also validate that the GPU drivers are correctly installed. For more information, read the following sections:

+- [Ensure that the appropriate GPU drivers are installed](../lab-services/how-to-setup-lab-gpu.md#ensure-that-the-appropriate-gpu-drivers-are-installed)

+- [Validate the installed drivers](../lab-services/how-to-setup-lab-gpu.md#validate-the-installed-drivers)

+### Troubleshooting

+Adobe Creative Cloud may show an error saying *Your graphics processor is incompatible* when the GPU drivers or the GPU is not configured correctly.

+To fix this issue:

+- Ensure that you selected the Small GPU *(Visualization)* size when you created your lab. You can see the VM size used by the lab on the lab's [Template page](../lab-services/how-to-create-manage-template.md).

+- Try [manually installing the Small GPU Visualization drivers](../lab-services/how-to-setup-lab-gpu.md#install-the-small-gpu-visualization-drivers).

+### Processor compatibility

+The nested virtualization VM sizes may use different processors as shown in the following table:

+ Size | Series | Processor |

+| - | -- | -- |

+| Medium (nested virtualization) | [Standard_D4s_v4](../virtual-machines/dv4-dsv4-series.md) | 3rd Generation Intel® Xeon® Platinum 8370C (Ice Lake) or the Intel® Xeon® Platinum 8272CL (Cascade Lake) |

+| Large (nested virtualization) | [Standard_D8s_v4](../virtual-machines/dv4-dsv4-series.md) | 3rd Generation Intel® Xeon® Platinum 8370C (Ice Lake) or the Intel® Xeon® Platinum 8272CL (Cascade Lake) |

+Each time that a template VM or a student VM is stopped and started, the underlying processor may change. To help ensure that nested VMs work consistently across processors, try enabling [processor compatibility mode](/windows-server/virtualization/hyper-v/manage/processor-compatibility-mode-hyper-v) on the nested VMs. It's recommended to enable **Processor Compatibility** mode on the template VM's nested VMs before publishing or exporting the image. You should also test the performance of the nested VMs with the **Processor Compatibility** mode enabled to ensure performance isn't negatively impacted. For more information, see [ramifications of using processor compatibility mode](/windows-server/virtualization/hyper-v/manage/processor-compatibility-mode-hyper-v.md#ramifications-of-using-processor-compatibility-mode).

+- Insufficient permissions to create lab.

+ In Canvas, an educator will see a message indicating that they don't have sufficient permission. Educators should contact their Azure admin so they can be [added as a **Lab Creator**](tutorial-setup-lab-plan.md#add-a-user-to-the-lab-creator-role). For example, educators can be added as a **Lab Creator** to the resource group that contains their lab.

+- Message that there isn't enough capacity to create lab VMs.

+ [Request a limit increase](capacity-limits.md#request-a-limit-increase) which needs to be done by an Azure Labs Services administrator.

+- Student or educator is prompted to grant access.

+ Before a student or educator can first access their lab, some browsers require that they first grant Azure Lab Services access to the browser's local storage. To grant access, educators and students should click the **Grant access** button when they are prompted:

+ :::image type="content" source="./media/how-to-get-started-create-labs-within-canvas/canvas-grant-access-prompt.png" alt-text="Screenshot of page to grant Azure Lab Services access to use local storage for the browser.":::

+ Educators and students will see the message **Access granted** when access is successfully granted to Azure Lab Services. The educator or student should then reload the browser window to start using Azure Lab Services.

+ :::image type="content" source="./media/how-to-get-started-create-labs-within-canvas/canvas-access-granted-success.png" alt-text="Screenshot of access granted page in Azure Lab Services.":::

+ > [!IMPORTANT]

+ > Ensure that students and educators are using an up-to-date version of their browser. For older browser versions, students and educators may experience issues with being able to successfully grant access to Azure Lab Services.

+ - Educator isn't prompted for their credentials after they click sign-in.

+

+ When an educator accesses Azure Lab Services within their course, they may be prompted to sign in. Ensure that the browser's settings allow popups from the url of your Canvas instance, otherwise the popup may be blocked by default.

+ :::image type="content" source="./media/how-to-get-started-create-labs-within-canvas/canvas-sign-in.png" alt-text="Azure Lab Services sign-in screen.":::

+ Title: Set up a lab with GPUs in Azure Lab Services when using lab accounts | Microsoft Docs

+description: Learn how to set up a lab with graphics processing unit (GPU) virtual machines when using lab accounts.

+# Set up GPU virtual machines in labs contained within lab accounts

+This article shows you how to do the following tasks:

+- Choose between *visualization* and *compute* graphics processing units (GPUs).

+- Ensure that the appropriate GPU drivers are installed.

+## Choose between visualization and compute GPU sizes

+On the first page of the lab creation wizard, in the **Which virtual machine size do you need?** drop-down list, you select the size of the VMs that are needed for your class.

+

+In this process, you have the option of selecting either **Visualization** or **Compute** GPUs. It's important to choose the type of GPU that's based on the software that your students will use.

+As described in the following table, the *compute* GPU size is intended for compute-intensive applications. For example, the [Deep Learning in Natural Language Processing class type](./class-type-deep-learning-natural-language-processing.md) uses the **Small GPU (Compute)** size. The compute GPU is suitable for this type of class, because students use deep learning frameworks and tools that are provided by the [Data Science Virtual Machine image](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.ubuntu-1804) to train deep learning models with large sets of data.

+| Size | vCPUs | RAM | Description |

+| - | -- | | -- |

+| Small GPU (Compute) | 6 vCPUs | 56 GB RAM | [Standard_NC6](../virtual-machines/nc-series.md). This size is best suited for compute-intensive applications such as artificial intelligence (AI) and deep learning. |

+The *visualization* GPU sizes are intended for graphics-intensive applications. For example, the [SOLIDWORKS engineering class type](./class-type-solidworks.md) shows using the **Small GPU (Visualization)** size. The visualization GPU is suitable for this type of class, because students interact with the SOLIDWORKS 3D computer-aided design (CAD) environment for modeling and visualizing solid objects.

+| Size | vCPUs | RAM | Description |

+| - | -- | | -- |

+| Small GPU (Visualization) | 6 vCPUs | 56 GB RAM | [Standard_NV6](../virtual-machines/nv-series.md). This size is best suited for remote visualization, streaming, gaming, and encoding that use frameworks such as OpenGL and DirectX. |

+| Medium GPU (Visualization) | 12 vCPUs | 112 GB RAM | [Standard_NV12](../virtual-machines/nv-series.md?bc=%2fazure%2fvirtual-machines%2flinux%2fbreadcrumb%2ftoc.json&toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json). This size is best suited for remote visualization, streaming, gaming, and encoding that use frameworks such as OpenGL and DirectX. |

+> [!NOTE]

+> You may not see some of these VM sizes in the list when creating a lab. The list is populated based on the current capacity of the lab's location. For availability of VMs, see [Products available by region](https://azure.microsoft.com/regions/services/?products=virtual-machines).

+## Ensure that the appropriate GPU drivers are installed

+To take advantage of the GPU capabilities of your lab VMs, ensure that the appropriate GPU drivers are installed. In the lab creation wizard, when you select a GPU VM size, you can select the **Install GPU drivers** option.

+

+As shown in the preceding image, this option is enabled by default, which ensures that recently released drivers are installed for the type of GPU and image that you selected:

+- When you select a *compute* GPU size, your lab VMs are powered by the [NVIDIA Tesla K80](https://www.nvidia.com/content/dam/en-zz/Solutions/Data-Center/tesla-product-literature/Tesla-K80-BoardSpec-07317-001-v05.pdf) GPU. In this case, recent [Compute Unified Device Architecture (CUDA)](http://developer.download.nvidia.com/compute/cuda/2_0/docs/CudaReferenceManual_2.0.pdf) drivers are installed, which enables high-performance computing.

+- When you select a *visualization* GPU size, your lab VMs are powered by the [NVIDIA Tesla M60](https://images.nvidia.com/content/tesla/pdf/188417-Tesla-M60-DS-A4-fnl-Web.pdf) GPU and [GRID technology](https://www.nvidia.com/content/dam/en-zz/Solutions/design-visualization/solutions/resources/documents1/NVIDIA_GRID_vPC_Solution_Overview.pdf). In this case, recent GRID drivers are installed, which enables the use of graphics-intensive applications.

+> [!IMPORTANT]

+> The **Install GPU drivers** option only installs the drivers when they aren't present on your lab's image. For example, the GPU drivers are already installed on the Azure marketplace's [Data Science image](../machine-learning/data-science-virtual-machine/overview.md#whats-included-on-the-dsvm). If you create a lab using the Data Science image and choose to **Install GPU drivers**, the drivers won't be updated to a more recent version. To update the drivers, you will need to manually install them as explained in the next section.

+### Install the drivers manually

+You might need to install a different version of the drivers than the version that Azure Lab Services installs for you. This section shows how to manually install the appropriate drivers, depending on whether you're using a *compute* GPU or a *visualization* GPU.

+#### Install the compute GPU drivers

+To manually install drivers for the *compute* GPU size, by doing the following steps:

+1. In the lab creation wizard, when you're [creating your lab](./how-to-manage-labs.md), disable the **Install GPU drivers** setting.

+1. After your lab is created, connect to the template VM to install the appropriate drivers.

+ 

+ a. In a browser, go to the [NVIDIA Driver Downloads page](https://www.nvidia.com/Download/index.aspx).

+ b. Set the **Product Type** to **Tesla**.

+ c. Set the **Product Series** to **K-Series**.

+ d. Set the **Operating System** according to the type of base image you selected when you created your lab.

+ e. Set the **CUDA Toolkit** to the version of CUDA driver that you need.

+ f. Select **Search** to look for your drivers.

+ g. Select **Download** to download the installer.

+ h. Run the installer so that the drivers are installed on the template VM.

+1. Validate that the drivers are installed correctly by following the instructions in the [Validate the installed drivers](how-to-setup-lab-gpu.md#validate-the-installed-drivers) section.

+1. After you've installed the drivers and other software that are required for your class, select **Publish** to create your students' VMs.

+> [!NOTE]

+> If you're using a Linux image, after you've downloaded the installer, install the drivers by following the instructions in [Install CUDA drivers on Linux](../virtual-machines/linux/n-series-driver-setup.md?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json#install-cuda-drivers-on-n-series-vms).

+#### Install the visualization GPU drivers

+To manually install drivers for the *visualization* GPU sizes, follow these steps:

+1. In the lab creation wizard, when you're [creating your lab](./how-to-manage-labs.md), disable the **Install GPU drivers** setting.

+1. After your lab is created, connect to the template VM to install the appropriate drivers.

+1. Install the GRID drivers that are provided by Microsoft on the template VM by following the instructions for your operating system:

+ - [Windows NVIDIA GRID drivers](../virtual-machines/windows/n-series-driver-setup.md#nvidia-grid-drivers)

+ - [Linux NVIDIA GRID drivers](../virtual-machines/linux/n-series-driver-setup.md?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json#nvidia-grid-drivers)

+

+1. Restart the template VM.

+1. Validate that the drivers are installed correctly by following the instructions in the [Validate the installed drivers](how-to-setup-lab-gpu.md#validate-the-installed-drivers) section.

+1. After you've installed the drivers and other software that are required for your class, select **Publish** to create your students' VMs.

+### Validate the installed drivers

+This section describes how to validate that your GPU drivers are properly installed.

+#### Windows images

+1. Follow the instructions in the "Verify driver installation" section of [Install NVIDIA GPU drivers on N-series VMs running Windows](../virtual-machines/windows/n-series-driver-setup.md#verify-driver-installation).

+1. If you're using a *visualization* GPU, you can also:

+ - View and adjust your GPU settings in the NVIDIA Control Panel. To do so, in **Windows Control Panel**, select **Hardware**, and then select **NVIDIA Control Panel**.

+ 

+ - View your GPU performance by using **Task Manager**. To do so, select the **Performance** tab, and then select the **GPU** option.

+ 

+ > [!IMPORTANT]

+ > The NVIDIA Control Panel settings can be accessed only for *visualization* GPUs. If you attempt to open the NVIDIA Control Panel for a compute GPU, you'll get the following error: "NVIDIA Display settings are not available. You are not currently using a display attached to an NVIDIA GPU." Similarly, the GPU performance information in Task Manager is provided only for visualization GPUs.

+ Depending on your scenario, you may also need to do additional validation to ensure the GPU is properly configured. Read the class type about [Python and Jupyter Notebooks](class-type-jupyter-notebook.md#template-machine-configuration) that explains an example where specific versions of drivers are needed.

+#### Linux images

+Follow the instructions in the "Verify driver installation" section of [Install NVIDIA GPU drivers on N-series VMs running Linux](../virtual-machines/linux/n-series-driver-setup.md#verify-driver-installation).

+## Next steps

+See the following articles:

+- [Create and manage labs](how-to-manage-labs.md)

+- [SOLIDWORKS computer-aided design (CAD) class type](class-type-solidworks.md)

+- [MATLAB (matrix laboratory) class type](class-type-matlab.md)

+On the first page of the lab creation wizard, in the **Virtual machine size** drop-down list, you select the size of the VMs that are needed for your class.

+| Small GPU (Compute) | 6 vCPUs | 112 GB RAM | [Standard_NC6s_v3](../virtual-machines/ncv3-series.md). This size supports both Windows and Linux and is best suited for compute-intensive applications such as artificial intelligence (AI) and deep learning. |

+| Small GPU (Visualization) | 8 vCPUs | 28 GB RAM | [Standard_NV8as_v4](../virtual-machines/nvv4-series.md). This size is best suited for remote visualization, streaming, gaming, and encoding that use frameworks such as OpenGL and DirectX. Currently, this size supports Windows only. |

+| Medium GPU (Visualization) | 12 vCPUs | 112 GB RAM | [Standard_NV12s_v3](../virtual-machines/nvv3-series.md). This size supports both Windows and Linux. It's best suited for remote visualization, streaming, gaming, and encoding that use frameworks such as OpenGL and DirectX. |

+> You may not see some of these VM sizes in the list when creating a lab. This list is populated based on the capacity assigned to your Microsoft-managed Azure subscription. For more information about capacity, see [Capacity limits in Azure Lab Services](../lab-services/capacity-limits.md). For availability of VM sizes, see [Products available by region](https://azure.microsoft.com/regions/services/?products=virtual-machines).

+To take advantage of the GPU capabilities of your lab VMs, ensure that the appropriate GPU drivers are installed. In the lab creation wizard, when you select a GPU VM size, you can select the **Install GPU drivers** option. This option is enabled by default.

+Selecting **Install GPU drivers** ensures that recently released drivers are installed for the type of GPU and image that you selected.

+- When you select the Small GPU *(Compute)* size, your lab VMs are powered by the [NVIDIA Tesla V100 GPU](https://www.nvidia.com/en-us/data-center/v100/) GPU. In this case, recent Compute Unified Device Architecture (CUDA) drivers are installed, which enables high-performance computing.

+- When you select the Small GPU *(Visualization)* size, your lab VMs are powered by the [AMD Raedon Instinct MI25 Accelerator GPU](https://www.amd.com/en/products/professional-graphics/instinct-mi25). In this case, recent AMD GPU drivers are installed, which enables the use of graphics-intensive applications.

+- When you select the Medium GPU *(Visualization)* size, your lab VMs are powered by the [NVIDIA Tesla M60](https://images.nvidia.com/content/tesla/pdf/188417-Tesla-M60-DS-A4-fnl-Web.pdf) GPU and [GRID technology](https://www.nvidia.com/content/dam/en-zz/Solutions/design-visualization/solutions/resources/documents1/NVIDIA_GRID_vPC_Solution_Overview.pdf). In this case, recent GRID drivers are installed, which enables the use of graphics-intensive applications.

+> The **Install GPU drivers** option only installs the drivers when they aren't present on your lab's image. For example, NVIDIA GPU drivers are already installed on the Azure marketplace's [Data Science image](../machine-learning/data-science-virtual-machine/overview.md#whats-included-on-the-dsvm). If you create a Small GPU (Compute) lab using the Data Science image and choose to **Install GPU drivers**, the drivers won't be updated to a more recent version. To update the drivers, you will need to manually install them as explained in the next section.

+You might need to install a different version of the drivers than the version that Azure Lab Services installs for you. This section shows how to manually install the appropriate drivers.

+#### Install the Small GPU (Compute) drivers

+To manually install drivers for the Small GPU *(Compute)* size, follow these steps:

+1. After your lab is created, connect to the template VM to install the appropriate drivers. Read [NVIDIA Tesla (CUDA) drivers](../virtual-machines/windows/n-series-driver-setup.md#nvidia-tesla-cuda-drivers) for more information about specific driver versions that are recommended depending on the Windows OS version being used. Otherwise, follow the below steps to install the latest NVIDIA drivers:

+ Otherwise, follow the below steps to install the latest NVIDIA drivers:

+ a. In a browser, go to the [NVIDIA Driver Downloads page](https://www.nvidia.com/Download/index.aspx).

+ b. Set the **Product Type** to **Tesla**.

+ c. Set the **Product Series** to **V-Series**.

+ d. Set the **Operating System** according to the type of base image you selected when you created your lab.

+ e. Set the **CUDA Toolkit** to the version of CUDA driver that you need.

+ f. Select **Search** to look for your drivers.

+ g. Select **Download** to download the installer.

+ h. Run the installer so that the drivers are installed on the template VM.

+1. Validate that the drivers are installed correctly by following instructions in the [Validate the installed drivers](how-to-setup-lab-gpu.md#validate-the-installed-drivers) section.

+1. After you've installed the drivers and other software that is required for your class, select **Publish** to create your students' VMs.

+#### Install the Small GPU (Visualization) drivers

+To manually install drivers for the Small GPU *(visualization)* size, doing the following steps:

+1. In the lab creation wizard, when you're [creating your lab](./how-to-manage-labs.md), disable the **Install GPU drivers** setting.

+1. After your lab is created, connect to the template VM to install the appropriate drivers.

+1. Install the AMD drivers template VM by following instructions in the [Install AMD GPU drivers on N-series VMs running Windows](../virtual-machines/windows/n-series-amd-driver-setup.md) article.

+1. Restart the template VM.

+1. Validate that the drivers are installed correctly by following the instructions in the [Validate the installed drivers](./how-to-setup-lab-gpu.md#validate-the-installed-drivers) section.

+1. After you've installed the drivers and other software that are required for your class, select **Publish** to create your students' VMs.

+#### Install the Medium GPU (Visualization) drivers

+#### Small GPU (Visualization) Windows images

+To verify driver installation for **Small GPU (Visualization)** size, see [validate the AMD GPU drivers on N-series VMs running Windows](/virtual-machines/windows/n-series-driver-setup.md#verify-driver-installation).

+#### Small GPU (Compute) and Medium GPU (Visualization) Windows images

+To verify driver installation for **Small GPU (Visualization)** size, see [validate the NVIDIA GPU drivers on N-series VMs running Windows](../virtual-machines/windows/n-series-driver-setup.md#verify-driver-installation).

+You can also validate the NVIDIA control panel settings, which only apply to the **Medium GPU (visualization)** VM size:

+1. View and adjust your GPU settings in the NVIDIA Control Panel. To do so, in **Windows Control Panel**, select **Hardware**, and then select **NVIDIA Control Panel**.

+ :::image type="content" source="./media/how-to-setup-gpu/control-panel-nvidia-settings.png" alt-text="Screenshot of Windows Control Panel showing the NVIDIA Control Panel link.":::

+1. View your GPU performance by using **Task Manager**. To do so, select the **Performance** tab, and then select the **GPU** option.

+ :::image type="content" source="./media/how-to-setup-gpu/task-manager-gpu.png" alt-text="Screenshot of the Task Manager GPU Performance tab.":::

+ > [!IMPORTANT]

+ > The NVIDIA Control Panel settings can be accessed only for the Medium GPU (visualization) VM size. If you attempt to open the NVIDIA Control Panel for a compute GPU, you'll get the error: "NVIDIA Display settings are not available. You are not currently using a display attached to an NVIDIA GPU." Similarly, the GPU performance information in Task Manager is provided only for visualization GPUs.

+Depending on your scenario, you may also need to do more validation to ensure the GPU is properly configured. Read the class type about [Python and Jupyter Notebooks](class-type-jupyter-notebook.md#template-machine-configuration) that explains an example where specific versions of drivers are needed.

+#### Small GPU (Compute) and Medium GPU (Visualization) Linux images

+To verify driver installation for Linux images, see [verify driver installation for NVIDIA GPU drivers on N-series VMs running Linux](../virtual-machines/linux/n-series-driver-setup.md#verify-driver-installation).

+- As an administrator, [create and manage labs](how-to-manage-labs.md).

+- As an educator, create a class using [SOLIDWORKS computer-aided design (CAD)](class-type-solidworks.md) software.

+- As an educator, create a class using [MATLAB (matrix laboratory)](class-type-matlab.md) software.

+* The script cannot migrate Virtual Machine Scale Set from Basic Load Balancer's backend to Standard Load Balancer's backend. We recommend manually creating a Standard Load Balancer and follow [Update or delete a load balancer used by virtual machine scale sets](./update-load-balancer-with-vm-scale-set.md) to complete the migration.

+* The script supports an internal load balancer upgrade where outbound connectivity is required. If outbound connectivity isn't required, see [Upgrade an internal basic load balancer - Outbound connections not required](./upgrade-basicinternal-standard.md).

+* The script cannot migrate Virtual Machine Scale Set from Basic Load Balancer's backend to Standard Load Balancer's backend. We recommend manually creating a Standard Load Balancer and follow [Update or delete a load balancer used by virtual machine scale sets](./update-load-balancer-with-vm-scale-set.md) to complete the migration.

+- An existing user-assigned managed identity. For more information about creating a user-assigned managed identity, see [Manage user-assigned managed identities](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity).

+1. Follow the steps outlined in [create an Azure Load Testing resource](./quickstart-create-and-run-load-test.md#create-an-azure-load-testing-resource) to fill out the fields on the **Basics** tab.

+- Learn how to [Parameterize a load test](./how-to-parameterize-load-tests.md).

+ Title: Create a JMeter-based load test

+description: 'Learn how to load test a website by using an existing Apache JMeter script and Azure Load Testing.'

+# Load test a website by using an existing JMeter script in Azure Load Testing Preview

+Learn how to use an Apache JMeter script to load test a web application with Azure Load Testing Preview from the Azure portal.

+Azure Load Testing enables you to take an existing Apache JMeter script, and use it to run a load test at cloud scale. Alternatively, you can also [create a URL-based load test in the Azure portal](./quickstart-create-and-run-load-test.md).

+Use cases for creating a load test with an existing JMeter script include:

+- You want to reuse existing JMeter scripts to test your application.

+- You want to test multiple endpoints in a single load test.

+- You have a data-driven load test. For example, you want to [read CSV data in a load test](./how-to-read-csv-data.md).

+If you don't have an existing Apache JMeter script, you'll create a sample script to load test a single web application endpoint. If you already have a script, you can skip to [Create a load test](#create-a-load-test).

+ This script simulates a load test of five virtual users that simultaneously access a web endpoint, and takes 2 minutes to complete.

+ <ThreadGroup guiclass="ThreadGroupGui" testclass="ThreadGroup" testname="Web endpoint test" enabled="true">

+ <HTTPSamplerProxy guiclass="HttpTestSampleGui" testclass="HTTPSamplerProxy" testname="HTTP request" enabled="true">

+ <stringProp name="HTTPSampler.domain"></stringProp>

+1. In the file, set the value of the `HTTPSampler.domain` node to the host name of your endpoint. For example, if you want to test the endpoint `https://www.contoso.com/app/products`, the host name is `www.contoso.com`.

+1. In the file, set the value of the `HTTPSampler.path` node to the path of your endpoint. For example, the path for the URL `https://www.contoso.com/app/products` is `/app/products`.

+To create a load test in Azure Load Testing, you have to specify a JMeter script. This script defines the [test plan](./how-to-create-manage-test.md#test-plan) for the load test. You can create multiple load tests in an Azure Load Testing resource.

+> [!NOTE]

+> When you [create a quick test by using a URL](./quickstart-create-and-run-load-test.md), Azure Load Testing automatically generates the JMeter script.

+To create a load test using an existing JMeter script in the Azure portal:

+1. Sign in to the [Azure portal](https://portal.azure.com) by using the credentials for your Azure subscription.

+1. Go to your Azure Load Testing resource, select **Tests** from the left pane, select **+ Create**, and then select **Upload a JMeter script**.

+ > You can upload additional JMeter configuration files or other files that you reference in the JMX file. For example, if your test script uses CSV data sets, you can upload the corresponding *.csv* file(s). See also how to [read data from a CSV file](./how-to-read-csv-data.md).

+When Azure Load Testing starts your load test, it will first deploy the JMeter script and any other files onto test engine instances and run the test.

+If you selected **Run test after creation**, your load test will start automatically. To manually start the load test you created earlier, perform the following steps:

+1. Go to your Load Testing resource, select **Tests** from the left pane, and then select the test that you created earlier.

+1. On the test details page, select **Run** or **Run test**. Then, select **Run** on the confirmation pane to start the load test. Optionally, provide a test run description.

+While the test runs and after it finishes, you can view the test run details, statistics, and metrics in the test run dashboard.

+- To learn more about [creating and managing tests](./how-to-create-manage-test.md).

+* An Azure Load Testing resource. To create a Load Testing resource, see [Create and run a load test](./quickstart-create-and-run-load-test.md#create-an-azure-load-testing-resource).

+* An Azure Load Testing resource. To create a Load Testing resource, see [Create and run a load test](./quickstart-create-and-run-load-test.md#create-an-azure-load-testing-resource).

+## Create an Azure Load Testing resource

+> You can download the JMeter script from the test run dashboard. Select **Download**, and then select **Input file**. To run the script locally, you have to provide environment variables to configure the URL and test parameters.

+> [Tutorial: Identify performance bottlenecks](./tutorial-identify-bottlenecks-azure-portal.md)

+> * [NVIDIA Triton Inference Server](https://aka.ms/nvidia-triton-docs) is an open-source third-party software that is integrated in Azure Machine Learning.

+> * While Azure Machine Learning online endpoints are generally available, _using Triton with an online endpoint deployment is still in preview_.

+ 1. From the __Endpoints__ page, select **Create**.

+ 1. Select the Triton model, and then select __Deploy__. When prompted, select __Deploy to real-time endpoint__.

+ :::image type="content" source="media/how-to-deploy-with-triton/deploy-from-models-page.png" lightbox="media/how-to-deploy-with-triton/deploy-from-models-page.png" alt-text="Screenshot showing how to deploy model from Models UI.":::

+- [Deploy models with REST](how-to-deploy-with-rest.md)

+- [Create and use managed online endpoints in the studio](how-to-use-managed-online-endpoint-studio.md)

+- [Safe rollout for online endpoints ](how-to-safely-rollout-managed-endpoints.md)

+- [View costs for an Azure Machine Learning managed online endpoint](how-to-view-online-endpoints-costs.md)

+- [Access Azure resources with a managed online endpoint and managed identity](how-to-access-resources-from-endpoints-managed-identities.md)