+## Issue fetching Workday attributes

+| **Applies to** |

+|--|

+| * Workday to on-premises Active Directory user provisioning <br> * Workday to Azure Active Directory user provisioning |

+| **Issue Description** |

+| You have just configured the Workday inbound provisioning app and successfully connected to the Workday tenant URL. You ran a test sync and you observed that the provisioning app is not retrieving certain attributes from Workday. Only some attributes are read and provisioned to the target. |

+| **Probable Cause** |

+| By default, the Workday provisioning app ships with attribute mapping and XPATH definitions that work with Workday Web Services (WWS) v21.1. When configuring connectivity to Workday in the provisioning app, if you explicitly specified the WWS API version (example: `https://wd3-impl-services1.workday.com/ccx/service/contoso4/Human_Resources/v34.0`), then you may run into this issue, because of the mismatch between WWS API version and the XPATH definitions. |

+| **Resolution Options** |

+| * *Option 1*: Remove the WWS API version information from the URL and use the default WWS API version v21.1 <br> * *Option 2*: Manually update the XPATH API expressions so it is compatible with your preferred WWS API version. Update the **XPATH API expressions** under **Attribute Mapping -> Advanced Options -> Edit attribute list for Workday** referring to the section [Workday attribute reference](../app-provisioning/workday-attribute-reference.md#xpath-values-for-workday-web-services-wws-api-v30) |

+## Issue fetching Workday calculated fields

+| **Applies to** |

+|--|

+| * Workday to on-premises Active Directory user provisioning <br> * Workday to Azure Active Directory user provisioning |

+| **Issue Description** |

+| You have just configured the Workday inbound provisioning app and successfully connected to the Workday tenant URL. You have an integration system configured in Workday and you have configured XPATHs that point to attributes in the Workday Integration System. However, the Azure AD provisioning app isn't fetching values associated with these integration system attributes or calculated fields. |

+| **Cause** |

+| This is a known limitation. The Workday provisioning app currently doesn't support fetching calculated fields/integration system attributes using the *Field_And_Parameter_Criteria_Data* Get_Workers request filter. |

+| **Resolution Options** |

+| You could consider a workaround of either using Workday Provisioning groups or Workday Custom ID field. See details below. |

+**Suggested workarounds**

+ * **Option 1: Using Workday Provisioning Groups**: Check if the calculated field value can be represented as a provisioning group in Workday. Using the same logic that is used for the calculated field, your Workday Admin may be able to assign a Provisioning Group to the user. Reference Workday doc that requires Workday login: [Set Up Account Provisioning Groups](https://doc.workday.com/reader/3DMnG~27o049IYFWETFtTQ/keT9jI30zCzj4Nu9pJfGeQ). Once configured, this Provisioning Group assignment can be [retrieved in the provisioning job](../app-provisioning/workday-integration-reference.md#example-3-retrieving-provisioning-group-assignments) and used in attribute mappings and scoping filter.

+* **Option 2: Using Workday Custom IDs**: Check if the calculated field value can be represented as a Custom ID on the Worker Profile. Use `Maintain Custom ID Type` task in Workday to define a new type and populate values in this custom ID. Make sure the [Workday ISU account used for the integration](../saas-apps/workday-inbound-tutorial.md#configuring-domain-security-policy-permissions) has domain security permission for `Person Data: ID Information`. For example, you can define "External_Payroll_ID" as a custom ID in Workday and retrieved it using the XPATH: `wd:Worker/wd:Worker_Data/wd:Personal_Data/wd:Identification_Data/wd:Custom_ID/wd:Custom_ID_Data[wd:ID_Type_Reference/wd:ID[@wd:type=\"Custom_ID_Type_ID\"]=\"External_Payroll_ID\"]/wd:ID/text()`

+Azure Active Directory (Azure AD) has an Application Proxy service that enables users to access on-premises applications by signing in with their Azure AD account. To learn more about Application Proxy, see [What is App Proxy?](what-is-application-proxy.md). This tutorial prepares your environment for use with Application Proxy. Once your environment is ready, you'll use the Azure portal to add an on-premises application to your Azure AD tenant.

+>

+If your organization uses proxy servers to connect to the internet, you need to configure them for Application Proxy. For more information, see [Work with existing on-premises proxy servers](./application-proxy-configure-connectors-with-proxy-servers.md).

+Now that you've prepared your environment and installed a connector, you're ready to add on-premises applications to Azure AD.

+4. Select **Add an on-premises application** button which appears about halfway down the page in the **On-premises applications** section. Alternatively, you can select **Create your own application** at the top of the page and then select **Configure Application Proxy for secure remote access to an on-premises application**.

+6. If necessary, configure **Additional settings**. For most applications, you should keep these settings in their default states.

+10. Follow the instructions at [Manage DNS records and record sets by using the Azure portal](../../dns/dns-operations-recordsets-portal.md) to add a DNS record that redirects the new external URL to the *msappproxy.net* domain in Azure DNS. If a different DNS provider is used, please contact the vendor for the instructions.

+No, this feature isn't supported for on-premises only device. The FIDO2 credential provider wouldn't show up.

+## Does Permissions Management integrate with third-party ITSM (Information Technology Service Management) tools?

+ "error_description": "AADSTS70011: The provided value for the input parameter 'scope' isn't valid. The scope https://example.contoso.com/activity.read isn't valid.\r\nTrace ID: 255d1aef-8c98-452f-ac51-23d051240864\r\nCorrelation ID: fb3d2015-bc17-4bb9-bb85-30c5cf1aaaa7\r\nTimestamp: 2016-01-09 02:02:12Z",

+| `unsupported_grant_type` | The authorization server doesn't support the authorization grant type. | Change the grant type in the request. This type of error should occur only during development and be detected during initial testing. |

+| `invalid_resource` | The target resource is invalid because it doesn't exist, Azure AD can't find it, or it's not correctly configured. | This indicates the resource, if it exists, has not been configured in the tenant. The application can prompt the user with instruction for installing the application and adding it to Azure AD. During development, this usually indicates an incorrectly setup test tenant or a typo in the name of the scope being requested. |

+| AADSTS28002 | Provided value for the input parameter scope '{scope}' isn't valid when requesting an access token. Please specify a valid scope. |

+| AADSTS28003 | Provided value for the input parameter scope can't be empty when requesting an access token using the provided authorization code. Please specify a valid scope.|

+| AADSTS50001 | InvalidResource - The resource is disabled or doesn't exist. Check your app's code to ensure that you have specified the exact resource URL for the resource you're trying to access. |

+| AADSTS500021 | Access to '{tenant}' tenant is denied. AADSTS500021 indicates that the tenant restriction feature is configured and that the user is trying to access a tenant that isn't in the list of allowed tenants specified in the header `Restrict-Access-To-Tenant`. For more information, see [Use tenant restrictions to manage access to SaaS cloud applications](../manage-apps/tenant-restrictions.md).|

+| AADSTS50011 | InvalidReplyTo - The reply address is missing, misconfigured, or doesn't match reply addresses configured for the app. As a resolution ensure to add this missing reply address to the Azure Active Directory application or have someone with the permissions to manage your application in Active Directory do this for you. To learn more, see the troubleshooting article for error [AADSTS50011](/troubleshoot/azure/active-directory/error-code-aadsts50011-reply-url-mismatch).|

+| AADSTS50012 | AuthenticationFailed - Authentication failed for one of the following reasons:<ul><li>The subject name of the signing certificate isn't authorized</li><li>A matching trusted authority policy was not found for the authorized subject name</li><li>The certificate chain isn't valid</li><li>The signing certificate isn't valid</li><li>Policy isn't configured on the tenant</li><li>Thumbprint of the signing certificate isn't authorized</li><li>Client assertion contains an invalid signature</li></ul> |

+| AADSTS50013 | InvalidAssertion - Assertion is invalid because of various reasons - The token issuer doesn't match the api version within its valid time range -expired -malformed - Refresh token in the assertion isn't a primary refresh token. |

+| AADSTS50014 | GuestUserInPendingState - The user's redemption is in a pending state. The guest user account isn't fully created yet. |

+| AADSTS500212 | NotAllowedByOutboundPolicyTenant - The user's administrator has set an outbound access policy that doesn't allow access to the resource tenant. |

+| AADSTS500213 | NotAllowedByInboundPolicyTenant - The resource tenant's cross-tenant access policy doesn't allow this user to access this tenant. |

+| AADSTS50027 | InvalidJwtToken - Invalid JWT token because of the following reasons:<ul><li>doesn't contain nonce claim, sub claim</li><li>subject identifier mismatch</li><li>duplicate claim in idToken claims</li><li>unexpected issuer</li><li>unexpected audience</li><li>not within its valid time range </li><li>token format isn't proper</li><li>External ID token from issuer failed signature verification.</li></ul> |

+| AADSTS50056 | Invalid or null password: password doesn't exist in the directory for this user. The user should be asked to enter their password again. |

+| AADSTS50058 | UserInformationNotProvided - Session information isn't sufficient for single-sign-on. This means that a user isn't signed in. This is a common error that's expected when a user is unauthenticated and has not yet signed in.</br>If this error is encountered in an SSO context where the user has previously signed in, this means that the SSO session was either not found or invalid.</br>This error may be returned to the application if prompt=none is specified. |

+| AADSTS50068 | SignoutInitiatorNotParticipant - Sign out has failed. The app that initiated sign out isn't a participant in the current session. |

+| AADSTS50105 | EntitlementGrantsNotFound - The signed in user isn't assigned to a role for the signed in app. Assign the user to the app. To learn more, see the troubleshooting article for error [AADSTS50105](/troubleshoot/azure/active-directory/error-code-aadsts50105-user-not-assigned-role). |

+| AADSTS50107 | InvalidRealmUri - The requested federation realm object doesn't exist. Contact the tenant admin. |

+| AADSTS50132 | SsoArtifactInvalidOrExpired - The session isn't valid due to password expiration or recent password change. |

+| AADSTS50133 | SsoArtifactRevoked - The session isn't valid due to password expiration or recent password change. |

+| AADSTS50143 | Session mismatch - Session is invalid because user tenant doesn't match the domain hint due to different resource. [Open a support ticket](../fundamentals/active-directory-troubleshooting-support-howto.md) with Correlation ID, Request ID, and Error code to get more details. |

+| AADSTS50146 | MissingCustomSigningKey - This app is required to be configured with an app-specific signing key. It is either not configured with one, or the key has expired or isn't yet valid. |

+| AADSTS50147 | MissingCodeChallenge - The size of the code challenge parameter isn't valid. |

+| AADSTS501481 | The Code_Verifier doesn't match the code_challenge supplied in the authorization request.|

+| AADSTS50161 | InvalidExternalSecurityChallengeConfiguration - Claims sent by external provider isn't enough or Missing claim requested to external provider. |

+| AADSTS50169 | InvalidRequestBadRealm - The realm isn't a configured realm of the current service namespace. |

+| AADSTS50177 | ExternalChallengeNotSupportedForPassthroughUsers - External challenge isn't supported for passthrough users. |

+| AADSTS50178 | SessionControlNotSupportedForPassthroughUsers - Session control isn't supported for passthrough users. |

+| AADSTS50194 | Application '{appId}'({appName}) is n't configured as a multi-tenant application. Usage of the /common endpoint isn't supported for such applications created after '{time}'. Use a tenant-specific endpoint or configure the application to be multi-tenant. |

+| AADSTS1000104| XCB2BResourceCloudNotAllowedOnIdentityTenant - Resource cloud {resourceCloud} isn't allowed on identity tenant {identityTenant}. {resourceCloud} - cloud instance which owns the resource. {identityTenant} - is the tenant where signing-in identity is originated from. |

+| AADSTS53000 | DeviceNotCompliant - Conditional Access policy requires a compliant device, and the device isn't compliant. The user must enroll their device with an approved MDM provider like Intune. |

+| AADSTS53001 | DeviceNotDomainJoined - Conditional Access policy requires a domain joined device, and the device isn't domain joined. Have the user use a domain joined device. |

+| AADSTS53002 | ApplicationUsedIsNotAnApprovedApp - The app used isn't an approved app for Conditional Access. User needs to use one of the apps from the list of approved apps to use in order to get access. |

+| AADSTS53010 | ProofUpBlockedDueToSecurityInfoAcr - Cannot configure multi-factor authentication methods because the organization requires this information to be set from specific locations or devices. |

+| AADSTS650054 | The application asked for permissions to access a resource that has been removed or is no longer available. Make sure that all resources the app is calling are present in the tenant you're operating in. |

+| AADSTS650057 | Invalid resource. The client has requested access to a resource which isn't listed in the requested permissions in the client's application registration. Client app ID: {appId}({appName}). Resource value from request: {resource}. Resource app ID: {resourceAppId}. List of valid resources from app registration: {regList}. |

+| AADSTS70000 | InvalidGrant - Authentication failed. The refresh token isn't valid. Error may be due to the following reasons:<ul><li>Token binding header is empty</li><li>Token binding hash does not match</li></ul> |

+| AADSTS700030 | Invalid certificate - subject name in certificate isn't authorized. SubjectNames/SubjectAlternativeNames (up to 10) in token certificate are: {certificateSubjects}. |

+| AADSTS70005 | UnsupportedResponseType - The app returned an unsupported response type due to the following reasons:<ul><li>response type 'token' isn't enabled for the app</li><li>response type 'id_token' requires the 'OpenID' scope -contains an unsupported OAuth parameter value in the encoded wctx</li></ul> |

+| AADSTS700054 | Response_type 'id_token' isn't enabled for the application. The application requested an ID token from the authorization endpoint, but did not have ID token implicit grant enabled. Go to Azure Portal > Azure Active Directory > App registrations > Select your application > Authentication > Under 'Implicit grant and hybrid flows', make sure 'ID tokens' is selected.|

+| AADSTS700084 | The refresh token was issued to a single page app (SPA), and therefore has a fixed, limited lifetime of {time}, which can't be extended. It is now expired and a new sign in request must be sent by the SPA to the sign in page. The token was issued on {issueDate}.|

+| AADSTS70018 | BadVerificationCode - Invalid verification code due to User typing in wrong user code for device code flow. Authorization isn't approved. |

+| AADSTS75003 | UnsupportedBindingError - The app returned an error related to unsupported binding (SAML protocol response can't be sent via bindings other than HTTP POST). |

+| AADSTS81005 | DesktopSsoAuthenticationPackageNotSupported - The authentication package isn't supported. |

+| AADSTS81007 | DesktopSsoTenantIsNotOptIn - The tenant isn't enabled for Seamless SSO. |

+| AADSTS90004 | InvalidRequestFormat - The request isn't properly formatted. |

+| AADSTS90005 | InvalidRequestWithMultipleRequirements - Unable to complete the request. The request isn't valid because the identifier and login hint can't be used together. |

+| AADSTS9001023 |The grant type isn't supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint.|

+| AADSTS90013 | InvalidUserInput - The input from the user isn't valid. |

+| AADSTS90014 | MissingRequiredField - This error code may appear in various cases when an expected field isn't present in the credential. |

+| AADSTS90022 | AuthenticatedInvalidPrincipalNameFormat - The principal name format isn't valid, or doesn't meet the expected `name[/host][@realm]` format. The principal name is required, host and realm are optional and may be set to null. |

+| AADSTS90023 | InvalidRequest - The authentication service request isn't valid. |

+| AADSTS90033 | MsodsServiceUnavailable - The Microsoft Online Directory Service (MSODS) isn't available. |

+| AADSTS900432 | Confidential Client isn't supported in Cross Cloud request.|

+| AADSTS90081 | OrgIdWsFederationMessageInvalid - An error occurred when the service tried to process a WS-Federation message. The message isn't valid. |

+| AADSTS900382 | Confidential Client isn't supported in Cross Cloud request. |

+| AADSTS901002 | AADSTS901002: The 'resource' request parameter isn't supported. |

+| AADSTS90107 | InvalidXml - The request isn't valid. Make sure your data doesn't have invalid characters.|

+| AADSTS90124 | V1ResourceV2GlobalEndpointNotSupported - The resource isn't supported over the `/common` or `/consumers` endpoints. Use the `/organizations` or tenant-specific endpoint instead. |

+| AADSTS90126 | DebugModeEnrollTenantNotInferred - The user type isn't supported on this endpoint. The system can't infer the user's tenant from the user name. |

+| AADSTS90130 | NonConvergedAppV2GlobalEndpointNotSupported - The application isn't supported over the `/common` or `/consumers` endpoints. Use the `/organizations` or tenant-specific endpoint instead. |

+| AADSTS140000 | InvalidRequestNonce - Request nonce isn't provided. |

+| AADSTS140001 | InvalidSessionKey - The session key isn't valid.|

+| AADSTS220450 | UnsupportedAndroidWebViewVersion - The Chrome WebView version isn't supported. |

+| AADSTS221000 | DeviceOnlyTokensNotSupportedByResource - The resource isn't configured to accept device-only tokens. |

+| AADSTS1000031 | Application {appDisplayName} can't be accessed at this time. Contact your administrator. |

+| AADSTS7000114| Application 'appIdentifier' isn't allowed to make application on-behalf-of calls.|

+| AADSTS7500529 | The value ΓÇÿSAMLId-GuidΓÇÖ isn't a valid SAML ID - Azure AD uses this attribute to populate the InResponseTo attribute of the returned response. ID must not begin with a number, so a common strategy is to prepend a string like "id" to the string representation of a GUID. For example, id6c1c178c166d486687be4aaf5e482730 is a valid ID. |

+- [ID tokens](id-tokens.md) in the Microsoft identity platform.

+- [Access tokens](access-tokens.md) in the Microsoft identity platform.

+Refresh tokens have a longer lifetime than access tokens. The default lifetime for the refresh tokens is 24 hours for [single page apps](reference-third-party-cookies-spas.md) and 90 days for all other scenarios. Refresh tokens replace themselves with a fresh token upon every use. The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens. Securely delete the old refresh token after acquiring a new one. Refresh tokens need to be stored safely like access tokens or application credentials.

+> [!IMPORTANT]

+> Refresh tokens sent to a redirect URI registered as `spa` expire after 24 hours. Additional refresh tokens acquired using the initial refresh token carry over that expiration time, so apps must be prepared to rerun the authorization code flow using an interactive authentication to get a new refresh token every 24 hours. Users don't have to enter their credentials and usually don't even see any related user experience, just a reload of your application. The browser must visit the log-in page in a top-level frame to show the login session. This is due to [privacy features in browsers that block third party cookies](reference-third-party-cookies-spas.md).

+Refresh tokens can be revoked at any time, because of timeouts and revocations. Your app must handle rejections by the sign-in service gracefully when this occurs. This is done by sending the user to an interactive sign-in prompt to sign in again.

+Not all refresh tokens follow the rules set in the token lifetime policy. Specifically, refresh tokens used in [single page apps](reference-third-party-cookies-spas.md) are always fixed to 24 hours of activity, as if they have a `MaxAgeSessionSingleFactor` policy of 24 hours applied to them.

+Refresh tokens can be revoked by the server because of a change in credentials, user action, or admin action. Refresh tokens fall into two classes: tokens issued to confidential clients (the rightmost column) and tokens issued to public clients (all other columns).

+| Change | Password-based cookie | Password-based token | Non-password-based cookie | Non-password-based token | Confidential client token |

+| -- | | -- | - | | - |

+| Password expires | Stays alive | Stays alive | Stays alive | Stays alive | Stays alive |

+| Password changed by user | Revoked | Revoked | Stays alive | Stays alive | Stays alive |

+| User does SSPR | Revoked | Revoked | Stays alive | Stays alive | Stays alive |

+| Admin resets password | Revoked | Revoked | Stays alive | Stays alive | Stays alive |

+| User revokes their refresh tokens [via PowerShell](/powershell/module/azuread/revoke-azureadsignedinuserallrefreshtoken) | Revoked | Revoked | Revoked | Revoked | Revoked |

+| Admin revokes all refresh tokens for a user [via PowerShell](/powershell/module/azuread/revoke-azureaduserallrefreshtoken) | Revoked | Revoked | Revoked | Revoked | Revoked |

+| Single sign-out [on web](v2-protocols-oidc.md#single-sign-out) | Revoked | Stays alive | Revoked | Stays alive | Stays alive |

+- Learn about [configurable token lifetimes](active-directory-configurable-token-lifetimes.md)

+- Check out [Primary Refresh Tokens](../devices/concept-primary-refresh-token.md) for more details on primary refresh tokens.

+- User State Migration Tool (USMT) doesn't work with device registration.

+- Azure AD registered state on any local accounts on the device isnΓÇÖt impacted by this change. Only applicable to domain accounts. Azure AD registered state on local accounts isn't removed automatically even after user logon, since the user isn't a domain user.

+- [Device writeback](../hybrid/how-to-connect-device-writeback.md) won't work. This configuration affects [Device based Conditional Access for on-premises apps that are federated using ADFS](/windows-server/identity/ad-fs/operations/configure-device-based-conditional-access-on-premises). This configuration also affects [Windows Hello for Business deployment when using the Hybrid Cert Trust model](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust).

+- Hybrid Azure AD join is supported for FIPS-compliant TPM 2.0 and not supported for TPM 1.2. If your devices have FIPS-compliant TPM 1.2, you must disable them before proceeding with hybrid Azure AD join. Microsoft doesn't provide any tools for disabling FIPS mode for TPMs as it is dependent on the TPM manufacturer. Contact your hardware OEM for support.

+Hybrid Azure AD join works with both, managed and federated environments depending on whether the UPN is routable or non-routable. See bottom of the page for table on supported scenarios.

+- **WS-Trust protocol:** This protocol is required to authenticate Windows current hybrid Azure AD joined devices with Azure AD.

+When you're using AD FS, you need to enable the following WS-Trust endpoints:

+ `/adfs/services/trust/2005/windowstransport`

+ `/adfs/services/trust/13/windowstransport`

+ `/adfs/services/trust/2005/usernamemixed`

+ `/adfs/services/trust/2005/certificatemixed`

+ `/adfs/services/trust/13/certificatemixed`

+> [!WARNING]

+Beginning with version 1.1.819.0, Azure AD Connect provides you with a wizard to configure hybrid Azure AD join. The wizard enables you to significantly simplify the configuration process. If installing the required version of Azure AD Connect isn't an option for you, see [how to manually configure device registration](hybrid-azuread-join-manual.md).

+When creating a new Access Review, choose the **Select Teams + groups** option and limit the scope to **Guest users only**. In the ΓÇ£Upon completion settingsΓÇ¥ section, for **Action to apply on denied users** you can define **Block users from signing-in for 30 days, then remove user from the tenant**.

+1. Select the catalog for which you want to add a custom extension and then in the left menu, select **Custom Extensions (Preview)**.

+ 2. Document both your on-premises and cloud Token Signing Certificate thumbprint and expiration dates.

+`PS C:\>Get-MsolFederationProperty -DomainName <domain>`

+You can also get the thumbprint by using AD FS Management, navigating to Service/Certificates, right-clicking on the certificate, select View certificate and then selecting Details.

+In this section, you will be creating **two** token-signing certificates. The first will use the **-urgent** flag, which will replace the current primary certificate immediately. The second will be used for the secondary certificate.

+ 2. Open Windows PowerShell as an administrator.

+5. Once you promoted the new certificate as the primary certificate, you should remove the old certificate because it can still be used. See the [Remove your old certificates](#remove-your-old-certificates) section below.

+In the event that you need to replace your token-signing certificate because of a compromise, you should also revoke and replace the SSL certificates for AD FS and your WAP servers.

+2. Open Windows PowerShell as an administrator.

+description: This article describes partner solutions for integrating your legacy on-premises, public cloud, or private cloud applications with Azure AD.

+- [Secure hybrid access: Secure legacy apps with Azure Active Directory](#secure-hybrid-access-secure-legacy-apps-with-azure-active-directory)

+ - [Secure hybrid access through Azure AD Application Proxy](#secure-hybrid-access-through-azure-ad-application-proxy)

+ - [Secure hybrid access through Azure AD partner integrations](#secure-hybrid-access-through-azure-ad-partner-integrations)

+Using [Application Proxy](../app-proxy/what-is-application-proxy.md) you can provide [secure remote access](../app-proxy/application-proxy-add-on-premises-application.md) to your on-premises web applications. Your users donΓÇÖt need to use a VPN. Users benefit by easily connecting to their applications from any device after a [SSO](../app-proxy/application-proxy-config-sso-how-to.md#how-to-configure-single-sign-on). Application Proxy provides remote access as a service and allows you to [easily publish your applications](../app-proxy/application-proxy-add-on-premises-application.md) to users outside the corporate network. It helps you scale your cloud access management without requiring you to modify your on-premises applications. [Plan an Azure AD Application Proxy](../app-proxy/application-proxy-deployment-plan.md) deployment as a next step.

+## Secure hybrid access through Azure AD partner integrations

+The following partners offer pre-built solutions to support **conditional access policies per application** and provide detailed guidance for integrating with Azure AD.

+- [Citrix Application Delivery Controller (ADC)](../saas-apps/citrix-netscaler-tutorial.md)

+While developers can securely store the secrets in [Azure Key Vault](../../key-vault/general/overview.md), services need a way to access Azure Key Vault. Managed identities provide an automatically managed identity in Azure Active Directory for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. Applications can use managed identities to obtain Azure AD tokens without having to manage any credentials.

+4. Use the managed identity to perform access. For this, you can use the Azure SDK with the Azure.Identity library. Some "source" resources offer connectors that know how to use Managed identities for the connections. In that case you simply use the identity as a feature of that "source" resource.

+This tutorial describes the steps you need to perform in both Cisco Umbrella User Management and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Cisco Umbrella User Management](https://umbrella.cisco.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)

+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (e.g. Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).

+1. Determine what data to [map between Azure AD and Cisco Umbrella User Management](../app-provisioning/customize-application-attributes.md).

+When using Microsoft Azure AD Connect, the ObjectGUID attribute of users is not synchronized from on-premises AD to Azure AD by default. To synchronize this attribute, enable the optional **Directory Extension attribute sync** and select the objectGUID attributes for users.

+1. The generated token will be displayed only once. Copy and save the URL and the token. These values will be entered in the **Tenant URL** and **Secret Token** fields respectively in the Provisioning tab of your Cisco Umbrella User Management application in the Azure portal.

+Add Cisco Umbrella User Management from the Azure AD application gallery to start managing provisioning to Cisco Umbrella User Management. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

+## Step 5. Define who will be in scope for provisioning

+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+## Step 6. Configure automatic user provisioning to Cisco Umbrella User Management

+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+* Cisco Umbrella User Management supports provisioning a maximum of 200 groups. Any groups beyond this number that are in scope may not be provisioned to Cisco Umbrella.

+ `https://<FortiGate IP or FQDN address>:<Custom SSL VPN port>/remote/saml/login`.

+ set idp-single-sign-on-url <Azure AD Identifier>

+ Title: 'Tutorial: Azure AD SSO integration with Qlik Sense Enterprise Client-Managed'

+description: Learn how to configure single sign-on between Azure Active Directory and Qlik Sense Enterprise Client-Managed.

+# Tutorial: Azure AD SSO integration with Qlik Sense Enterprise Client-Managed

+In this tutorial, you'll learn how to integrate Qlik Sense Enterprise Client-Managed with Azure Active Directory (Azure AD). When you integrate Qlik Sense Enterprise Client-Managed with Azure AD, you can:

+Note that there are two versions of Qlik Sense Enterprise. While this tutorial covers integration with the client-managed releases, a different process is required for Qlik Sense Enterprise SaaS (Qlik Cloud version).

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Add Qlik Sense Enterprise from the gallery

+## Configure Azure AD SSO

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using one of the following patterns:

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ c. In the **Sign on URL** textbox, type a URL using the following pattern:

+ `https://<Fully Qualified Domain Name>:443{/virtualproxyprefix}/hub`

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL which are explained later in this tutorial or contact [Qlik Sense Enterprise Client support team](https://www.qlik.com/us/services/support) to get these values. The default port for the URLs is 443 but you can customize it per your Organization need.

+ 

+## Test SSO

+ Title: 'Tutorial: Azure AD SSO integration with Slack'

+# Tutorial: Azure AD SSO integration with Slack

+* Slack supports **SP** initiated SSO.

+* Slack supports **Just In Time** user provisioning.

+* Slack supports [**Automated** user provisioning](./slack-provisioning-tutorial.md).

+2. click on your workspace name in the top left, then go to **Settings & administration** -> **Workspace settings**.

+ 

+3. In the **Settings & permissions** section, click the **Authentication** tab, and then click **Configure** button at SAML authentication method.

+ 

+4. On the **Configure SAML authentication for Azure** dialog, perform the below steps:

+ 

+ a. In the top right, toggle **Test** mode on.

+

+ b. In the **SAML SSO URL** textbox, paste the value of **Login URL**, which you have copied from Azure portal.

+ c. In the **Identity provider issuer** textbox, paste the value of **Azure Ad Identifier**, which you have copied from Azure portal.

+ d. Open your downloaded certificate file in Notepad, copy the content of it into your clipboard, and then paste it to the **Public Certificate** textbox.

+1. Expand the **Advanced options** and perform the below steps:

+ 

+ a. If you need an end-to-end encryption key, tick the box **Sign AuthnRequest** to show the certificate.

+ b. Enter `https://slack.com` in the **Service provider issuer** textbox.

+ c. Choose how the SAML response from your IDP is signed from the two options.

+1. Under **Settings**, decide if members can edit their profile information (like their email or display name) after SSO is enabled. You can also choose whether SSO is required, partially required or optional.

+ 

+1. Click **Save Configuration**.

+In active-active configuration, both instances of the VPN gateway will establish S2S VPN tunnels to your on-premises VPN device. When a planned maintenance or unplanned event happens to one gateway instance, traffic will be switched over to the other active IPsec tunnel automatically.

+[different-subnet]: #specify-a-different-subnet

+KEDA can be added to your Azure Kubernetes Service (AKS) cluster by enabling the KEDA add-on using an [ARM template][keda-arm] or [Azure CLI][keda-cli].

+* [Enable the KEDA add-on with the Azure CLI][keda-cli]

+* [Troubleshoot KEDA add-on problems][keda-troubleshoot]

+[keda-cli]: keda-deploy-add-on-cli.md

+[keda-troubleshoot]: keda-troubleshoot.md

+- Firewall rules are configured to allow access to the Kubernetes API server. ([learn more][aks-firewall-requirements])

+This article showed you how to install the KEDA add-on on an AKS cluster, and then verify that it's installed and running. With the KEDA add-on installed on your cluster, you can [deploy a sample application][keda-sample] to start scaling apps.

+You can troubleshoot troubleshoot KEDA add-on problems in [this article][keda-troubleshoot].

+[keda-troubleshoot]: keda-troubleshoot.md

+[aks-firewall-requirements]: limit-egress-traffic.md#azure-global-required-network-rules

+- Firewall rules are configured to allow access to the Kubernetes API server. ([learn more][aks-firewall-requirements])

+az extension add --upgrade --name aks-preview

+You can troubleshoot troubleshoot KEDA add-on problems in [this article][keda-troubleshoot].

+[keda-troubleshoot]: keda-troubleshoot.md

+[aks-firewall-requirements]: limit-egress-traffic.md#azure-global-required-network-rules

+* [Enable the KEDA add-on with the Azure CLI][keda-cli]

+* [Troubleshoot KEDA add-on problems][keda-troubleshoot]

+[keda-cli]: keda-deploy-add-on-cli.md

+[keda-troubleshoot]: keda-troubleshoot.md

+ Title: Troubleshooting Kubernetes Event-driven Autoscaling (KEDA) add-on

+description: How to troubleshoot Kubernetes Event-driven Autoscaling add-on

+# Kubernetes Event-driven Autoscaling (KEDA) AKS add-on Troubleshooting Guides

+When you deploy the KEDA AKS add-on, you could possibly experience problems associated with configuration of the application autoscaler.

+The following guide will assist you on how to troubleshoot errors and resolve common problems with the add-on, in addition to the official KEDA [FAQ][keda-faq] & [troubleshooting guide][keda-troubleshooting].

+## Verifying and Troubleshooting KEDA components

+### Check available KEDA version

+You can check the available KEDA version by using the `kubectl` command:

+```azurecli-interactive

+kubectl get crd/scaledobjects.keda.sh -o custom-columns='APP:.metadata.labels.app\.kubernetes\.io/version'

+```

+An overview will be provided with the installed KEDA version:

+```Output

+APP

+2.7.0

+```

+### Ensuring the cluster firewall is configured correctly

+It might happen that KEDA isn't scaling applications because it can't start up.

+When checking the operator logs, you might find errors similar to the following:

+```output

+1.6545953013458195e+09 ERROR Failed to get API Group-Resources {"error": "Get \"https://10.0.0.1:443/api?timeout=32s\": EOF"}

+sigs.k8s.io/controller-runtime/pkg/cluster.New

+/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/cluster/cluster.go:160

+sigs.k8s.io/controller-runtime/pkg/manager.New

+/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/manager/manager.go:313

+main.main

+/workspace/main.go:87

+runtime.main

+/usr/local/go/src/runtime/proc.go:255

+1.6545953013459463e+09 ERROR setup unable to start manager {"error": "Get \"https://10.0.0.1:443/api?timeout=32s\": EOF"}

+main.main

+/workspace/main.go:97

+runtime.main

+/usr/local/go/src/runtime/proc.go:255

+```

+While in the metric server you might notice that it's not able to start up:

+```output

+I0607 09:53:05.297924 1 main.go:147] keda_metrics_adapter "msg"="KEDA Version: 2.7.1"

+I0607 09:53:05.297979 1 main.go:148] keda_metrics_adapter "msg"="KEDA Commit: "

+I0607 09:53:05.297996 1 main.go:149] keda_metrics_adapter "msg"="Go Version: go1.17.9"

+I0607 09:53:05.298006 1 main.go:150] keda_metrics_adapter "msg"="Go OS/Arch: linux/amd64"

+E0607 09:53:15.344324 1 logr.go:279] keda_metrics_adapter "msg"="Failed to get API Group-Resources" "error"="Get \"https://10.0.0.1:443/api?timeout=32s\": EOF"

+E0607 09:53:15.344360 1 main.go:104] keda_metrics_adapter "msg"="failed to setup manager" "error"="Get \"https://10.0.0.1:443/api?timeout=32s\": EOF"

+E0607 09:53:15.344378 1 main.go:209] keda_metrics_adapter "msg"="making provider" "error"="Get \"https://10.0.0.1:443/api?timeout=32s\": EOF"

+E0607 09:53:15.344399 1 main.go:168] keda_metrics_adapter "msg"="unable to run external metrics adapter" "error"="Get \"https://10.0.0.1:443/api?timeout=32s\": EOF"

+```

+This most likely means that the KEDA add-on isn't able to start up due to a misconfigured firewall.

+In order to make sure it runs correctly, make sure to configure the firewall to meet [the requirements][aks-firewall-requirements].

+### Enabling add-on on clusters with self-managed open-source KEDA installations

+While Kubernetes only allows one metric server to be installed, you can in theory install KEDA multiple times. However, it isn't recommended given only one installation will work.

+When the KEDA add-on is installed in an AKS cluster, the previous installation of open-source KEDA will be overridden and the add-on will take over.

+This means that the customization and configuration of the self-installed KEDA deployment will get lost and no longer be applied.

+While there's a possibility that the existing autoscaling will keep on working, it introduces a risk given it will be configured differently and won't support features such as managed identity.

+It's recommended to uninstall existing KEDA installations before enabling the KEDA add-on given the installation will succeed without any error.

+In order to determine which metrics adapter is being used by KEDA, use the `kubectl` command:

+```azurecli-interactive

+kubectl get APIService/v1beta1.external.metrics.k8s.io -o custom-columns='NAME:.spec.service.name,NAMESPACE:.spec.service.namespace'

+```

+An overview will be provided showing the service and namespace that Kubernetes will use to get metrics:

+```Output

+NAME NAMESPACE

+keda-operator-metrics-apiserver kube-system

+```

+> [!WARNING]

+> If the namespace is not `kube-system`, then the AKS add-on is being ignored and another metric server is being used.

+[aks-firewall-requirements]: limit-egress-traffic.md#azure-global-required-network-rules

+[keda-troubleshooting]: https://keda.sh/docs/latest/troubleshooting/

+[keda-faq]: https://keda.sh/docs/latest/faq/

+SNAPSHOT_ID=$(az aks nodepool snapshot show --name MySnapshot --resource-group myResourceGroup --query id -o tsv)

+SNAPSHOT_ID=$(az aks nodepool snapshot show --name MySnapshot --resource-group myResourceGroup --query id -o tsv)

+SNAPSHOT_ID=$(az aks nodepool snapshot show --name MySnapshot --resource-group myResourceGroup --query id -o tsv)

+In the following example, request forwarding is retried up to ten times using an exponential retry algorithm. Since `first-fast-retry` is set to false, all retry attempts are subject to exponentially increasing retry wait times (in this example, approximately 10 seconds, 20 seconds, 40 seconds, ...), up to a maximum wait of `max-interval`.

+#### Retry wait times

+* When only the `interval` is specified, **fixed** interval retries are performed.

+* When only the `interval` and `delta` are specified, a **linear** interval retry algorithm is used. The wait time between retries increases according to the following formula: `interval + (count - 1)*delta`.

+* When the `interval`, `max-interval` and `delta` are specified, an **exponential** interval retry algorithm is applied. The wait time between the retries increases exponentially according to the following formula: `interval + (2^count - 1) * random(delta * 0.8, delta * 1.2)`, up to a maximum interval set by `max-interval`.

+ For example, when `interval` and `delta` are both set to 10 seconds, and `max-interval` is 100 seconds, the approximate wait time between retries increases as follows: 10 seconds, 20 seconds, 40 seconds, 80 seconds, with 100 seconds wait time used for remaining retries.

+Azure App Service provides easy-to-use tools to quickly discover on-premises .NET web apps, assess for readiness, and migrate both the content & supported configurations to App Service.

+[Migrate an on-premises web application to Azure App Service](/learn/modules/migrate-app-service-migration-assistant/)

+Azure App Service provides tools to discover web apps deployed to on-premises web servers. You can assess these apps for readiness, then migrate them to App Service. Both the web app content and supported configuration can be migrated to App Service. These tools are developed to support a wide variety of scenarios focused on discovery, assessment, and migration.

+[Download the assistant](https://azure.microsoft.com/services/app-service/migration-assistant/) to migrate a Java app running on Apache Tomcat web server. You can also use Azure Container Registry to migrate on-premises Linux Docker containers to App Service.

+With Azure Form Recognizer containers, you can build an application architecture that's optimized to take advantage of both robust cloud capabilities and edge locality. Containers provide a minimalist, isolated environment that can be easily deployed on-premises and in the cloud. In this article, you'll learn to configure the Form Recognizer container run-time environment by using the `docker compose` command arguments. Form Recognizer features are supported by six Form Recognizer feature containersΓÇö**Layout**, **Business Card**,**ID Document**, **Receipt**, **Invoice**, **Custom**. These containers have both required and optional settings. For a few examples, see the [Example docker-compose.yml file](#example-docker-composeyml-file) section.

+ - EULA=accept

+ - EULA=accept

+| Dell EMC PowerFlex |1.21.5|v1.4.1_2022-03-08|15.0.2255.119 | Not validated |

+| PowerFlex version 3.6 |1.21.5|v1.4.1_2022-03-08|15.0.2255.119 | Not validated |

+| PowerFlex CSI version 1.4 |1.21.5|v1.4.1_2022-03-08 | Not validated |

+| PowerStore T|1.20.6|v1.0.0_2021-07-30|15.0.2148.140 |postgres 12.3 (Ubuntu 12.3-1)|

+### HPE

+|Solution and version | Kubernetes version | Azure Arc-enabled data services version | SQL engine version | PostgreSQL Hyperscale version

+|--|--|--|--|--|

+|HPE|1.20.0|v1.6.0_2022-05-02|16.0.41.7337|12.3 (Ubuntu 12.3-1)

+### Kublr

+|Solution and version | Kubernetes version | Azure Arc-enabled data services version | SQL engine version | PostgreSQL Hyperscale version

+|--|--|--|--|--|

+|Kublr |1.22.0 / 1.20.12 |v1.1.0_2021-11-02 |15.0.2195.191 |PostgreSQL 12.3 (Ubuntu 12.3-1) |

+### Lenovo

+|Solution and version | Kubernetes version | Azure Arc-enabled data services version | SQL engine version | PostgreSQL Hyperscale version

+|--|--|--|--|--|

+|Lenovo ThinkAgile MX3520 |AKS on Azure Stack HCI 21H2|v1.0.0_2021-07-30 |15.0.2148.140|Not validated|

+| Karbon 2.2<br/>AOS: 5.19.1.5<br/>AHV: 20201105.1021<br/>PC: Version pc.2021.3.02<br/> | 1.19.8-0 | v1.0.0_2021-07-30 | 15.0.2148.140|postgres 12.3 (Ubuntu 12.3-1)|

+| Platform9 Managed Kubernetes v5.3.0 | 1.20.5 | v1.0.0_2021-07-30| 15.0.2195.191 | PostgreSQL 12.3 (Ubuntu 12.3-1) |

+| Portworx Enterprise 2.7 1.22.5 | 1.20.7 | v1.1.0_2021-11-02 | 15.0.2148.140 | Not validated |

+| TKGm v1.5.1 | 1.20.5 | v1.4.1_2022-03-08 | 15.0.2255.119|postgres 12.3 (Ubuntu 12.3-1)|

+### WindRiver

+|Solution and version | Kubernetes version | Azure Arc-enabled data services version | SQL engine version | PostgreSQL Hyperscale version

+|--|--|--|--|--|

+|WindRiver| 1.18.1|v1.1.0_2021-11-02 |15.0.2195.191|postgres 12.3 (Ubuntu 12.3-1) |

+Azure Arc-enabled Kubernetes allows you to attach and configure Kubernetes clusters running anywhere. You can connect your clusters running on other public cloud providers (such as GCP or AWS) or clusters running on your on-premises data center (such as VMware vSphere or Azure Stack HCI) to Azure Arc.

+* Deploy applications and apply configuration using [GitOps-based configuration management](tutorial-use-gitops-connected-cluster.md).

+### Flux v2 - `microsoft.flux` extension installation CPU and memory limits

+The controllers installed in your Kubernetes cluster with the Microsoft.Flux extension require the following CPU and memory resource limits to properly schedule on Kubernetes cluster nodes.

+| Container Name | CPU limit | Memory limit |

+| -- | -- | -- |

+| fluxconfig-agent | 50m | 150Mi |

+| fluxconfig-controller | 100m | 150Mi |

+| fluent-bit | 20m | 150Mi |

+| helm-controller | 1000m | 1Gi |

+| source-controller | 1000m | 1Gi |

+| kustomize-controller | 1000m | 1Gi |

+| notification-controller | 1000m | 1Gi |

+| image-automation-controller | 1000m | 1Gi |

+| image-reflector-controller | 1000m | 1Gi |

+If you have enabled a custom or built-in Azure Gatekeeper Policy, such as `Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits`, that limits the resources for containers on Kubernetes clusters, you will need to either ensure that the resource limits on the policy are greater than the limits shown above or the `flux-system` namespace is part of the `excludedNamespaces` parameter in the policy assignment.

+The Microsoft SQL Server (MSSQL) storage provider persists all state into a Microsoft SQL Server database. It's compatible with both on-premises and cloud-hosted deployments of SQL Server, including [Azure SQL Database](/azure/azure-sql/database/sql-database-paas-overview).

+This setting is required for Consumption and Premium plan apps on both Windows and Linux. It's not required for Dedicated plan apps, which aren't dynamically scaled by Functions.

+This setting is required for Consumption and Premium plan apps on both Windows and Linux. It's not required for Dedicated plan apps, which aren't dynamically scaled by Functions.

+ For Azure CLI 2.37.0 and newer:

+ ```azurecli-interactive

+ azureaduser=$(az ad user list --filter "userPrincipalName eq '<user-principal-name>'" --query [].id --output tsv)

+ ```

+ For older versions of Azure CLI:

+The Azure Monitor agent (AMA) collects monitoring data from the guest operating system of [supported infrastucture](#supported-resource-types) and delivers it to Azure Monitor. This article provides an overview of the Azure Monitor agent and includes information on how to install it and how to configure data collection.

+- [Telegraf agent](../essentials/collect-custom-metrics-linux-telegraf.md): Sends data to Azure Monitor Metrics (Linux only).

+In future, it will also consolidate features from the Diagnostic extensions.

+- **Cost savings:**

+- **Environment requirements:** The Azure Monitor agent supports [these operating systems](./agents-overview.md#supported-operating-systems) today. Support for future operating system versions, environment support, and networking requirements will only be provided in this new agent. If the Azure Monitor agent supports your current environment, start transitioning to it.

+- **Current and new feature requirements:** The Azure Monitor agent introduces several new capabilities, such as filtering, scoping, and multi-homing. But it isn't at parity yet with the current agents for other functionality. View [current limitations](#current-limitations) and [supported solutions](#supported-services-and-features).

+ That said, most new capabilities in Azure Monitor will be made available only with the Azure Monitor agent. Review whether the Azure Monitor agent has the features you require and if there are some features that you can temporarily do without to get other important features in the new agent.

+- **Tolerance for rework:** If you're setting up a new environment with resources such as deployment scripts and onboarding templates, assess the effort involved. If the setup will take a significant amount of work, consider setting up your new environment with the new agent as it's now generally available.

+- Running two telemetry agents on the same machine would result in double the resource consumption, including but not limited to CPU, memory, storage space and network bandwidth.

+| On-premises servers (Arc-enabled servers) | [Virtual machine extension](./azure-monitor-agent-manage.md#virtual-machine-extension-details) (after installing [Arc agent](../../azure-arc/servers/deployment-options.md)) | Installs the agent using Azure extension framework, provided for on-premises by first installing [Arc agent](../../azure-arc/servers/deployment-options.md) |

+¹ [Click here](../essentials/metrics-custom-overview.md#quotas-and-limits) to review other limitations of using Azure Monitor Metrics. On Linux, using Azure Monitor Metrics as the only destination is supported in v1.10.9.0 or higher.

+The following table shows the current support for the Azure Monitor agent with other Azure services.

+| Azure Commercial |global.handler.control.monitor.azure.com |Access control service|Port 443 |Outbound|Yes |

+| Azure Commercial |`<virtual-machine-region-name>`.handler.control.monitor.azure.com |Fetch data collection rules for specific machine |Port 443 |Outbound|Yes |

+| Azure Commercial |`<log-analytics-workspace-id>`.ods.opinsights.azure.com |Ingest logs data |Port 443 |Outbound|Yes |

+| Azure Government |global.handler.control.monitor.azure.us |Access control service|Port 443 |Outbound|Yes |

+| Azure Government |`<virtual-machine-region-name>`.handler.control.monitor.azure.us |Fetch data collection rules for specific machine |Port 443 |Outbound|Yes |

+| Azure Government |`<log-analytics-workspace-id>`.ods.opinsights.azure.us |Ingest logs data |Port 443 |Outbound|Yes |

+| Azure China |global.handler.control.monitor.azure.cn |Access control service|Port 443 |Outbound|Yes |

+| Azure China |`<virtual-machine-region-name>`.handler.control.monitor.azure.cn |Fetch data collection rules for specific machine |Port 443 |Outbound|Yes |

+| Azure China |`<log-analytics-workspace-id>`.ods.opinsights.azure.cn |Ingest logs data |Port 443 |Outbound|Yes |

+1. Follow the instructions above to configure proxy settings on the agent and provide the IP address and port number corresponding to the gateway server. If you have deployed multiple gateway servers behind a load balancer, the agent proxy configuration is the virtual IP address of the load balancer instead.

+2. Add the **configuration endpoint URL** to fetch data collection rules to the allowlist for the gateway

+ `Add-OMSGatewayAllowedHost -Host global.handler.control.monitor.azure.com`

+ `Add-OMSGatewayAllowedHost -Host <gateway-server-region-name>.handler.control.monitor.azure.com`

+ (If using private links on the agent, you must also add the [dce endpoints](../essentials/data-collection-endpoint-overview.md#components-of-a-data-collection-endpoint))

+3. Add the **data ingestion endpoint URL** to the allowlist for the gateway

+ `Add-OMSGatewayAllowedHost -Host <log-analytics-workspace-id>.ods.opinsights.azure.com`

+3. Restart the **OMS Gateway** service to apply the changes

+ `Stop-Service -Name <gateway-name>`

+ `Start-Service -Name <gateway-name>`

+To configure the agent to use private links for network communications with Azure Monitor, follow instructions to [enable network isolation](./azure-monitor-agent-data-collection-endpoint.md#enable-network-isolation-for-the-azure-monitor-agent) using [data collection endpoints](azure-monitor-agent-data-collection-endpoint.md).

+Here is a comparison between client installer and VM extension for Azure Monitor agent. It also highlights which parts are in preview:

+| Functional component | For VMs/servers via extension | For clients via installer|

+| [Networking options](./azure-monitor-agent-overview.md#networking) | Proxy support, Private link support | Proxy support only |

+| On-premise servers | No | [Virtual machine extension](./azure-monitor-agent-manage.md#virtual-machine-extension-details) (with Azure Arc agent) | Installs the agent using Azure extension framework, provided for on-premises by installing Arc agent |

+ - `<log-analytics-workspace-id>`.ods.opinsights.azure.com (example: 12345a01-b1cd-1234-e1f2-1234567g8h99.ods.opsinsights.azure.com)

+## Install the agent

+3. To install with **default settings**, run the following command:

+ | Parameter | Description |

+ | PROXYPASSWORD | Set to Proxy password. PROXYUSE and PROXYUSEAUTH must be set to "true" |

+ - Open **Control Panel** -> **Programs and Features** OR **Settings** -> **Apps** -> **Apps & Features** and ensure you see ΓÇÿAzure Monitor AgentΓÇÖ listed

+ - Open **Services** and confirm ΓÇÿAzure Monitor AgentΓÇÖ is listed and shows as **Running**.

+> The agent installed with the client installer currently doesn't support updating configuration once it is installed. Uninstall and reinstall AMA to update its configuration.

+This step grants the ability to create and link a monitored object to a user.

+| `roleAssignmentGUID` | path | string | Provide any valid guid (you can generate one using https://guidgenerator.com/) |

+**Body parameters**

+| principalId | Provide the `Object Id` of the identity of the user to which the role needs to be assigned. It may be the user who elevated at the beginning of step 1, or another user who will perform later steps. |

+After this step is complete, **reauthenticate** your session and **reacquire** your ARM bearer token.

+| `AADTenantId` | path | string | ID of the Azure AD tenant that the device(s) belong to. The MO will be created with the same ID |

+Now we associate the Data Collection Rules (DCR) to the Monitored Object by creating a Data Collection Rule Associations. If you haven't already, [follow instructions here](./data-collection-rule-azure-monitor-agent.md#create-rule-and-associationusingrestapi) to create data collection rule(s) first.

+ "properties":

+### Uninstall the agent

+- Open **Settings** > **Apps** > **Apps and Features** > **Azure Monitor Agent** and click 'Uninstall'

+### Update the agent

+2. Runtime logs are collected automatically either at the default location `C:\Resources\Azure Monitor Agent\` or at the file path mentioned during installation.

+3. The 'ServiceLogs' folder contains log from AMA Windows Service, which launches and manages AMA processes

+- Error message: "There's a problem with this Windows Installer package. A DLL required for this installer to complete could not be run. …"

+- Ensure you have installed [C++ Redistributable (>2015)](/cpp/windows/latest-supported-vc-redist?view=msvc-170&preserve-view=true) before installing AMA:

+#### Silent install from command prompt fails

+Make sure to start the installer on administrator command prompt. Silent install can only be initiated from the administrator command prompt.

+#### Uninstallation fails due to the uninstaller being unable to stop the service

+- If There's an option to try again, do try it again

+- If retry from uninstaller doesn't work, cancel the uninstall and stop Azure Monitor Agent service from Services (Desktop Application)

+- Retry uninstall

+#### Force uninstall manually when uninstaller doesn't work

+- Stop Azure Monitor Agent service. Then try uninstalling again. If it fails, then proceed with the following steps

+- Delete AMA service with "sc delete AzureMonitorAgent" from admin cmd

+- Download [this tool](https://support.microsoft.com/topic/fix-problems-that-block-programs-from-being-installed-or-removed-cca7d1b6-65a9-3d98-426b-e9f927e1eb4d) and uninstall AMA

+- Delete AMA binaries. They're stored in `Program Files\Azure Monitor Agent` by default

+- Delete AMA data/logs. They're stored in `C:\Resources\Azure Monitor Agent` by default

+- Open Registry. Check `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure Monitor Agent`. If it exists, delete the key.

+## Questions and feedback

+ Title: Manage action groups in the Azure portal

+description: Find out how to create and manage action groups. Learn about notifications and actions that action groups enable, such as email, webhooks, and Azure Functions.

+ - references_regions

+ - kr2b-contr-experiment

+When Azure Monitor data indicates that there might be a problem with your infrastructure or application, an alert is triggered. Azure Monitor, Azure Service Health, and Azure Advisor then use *action groups* to notify users about the alert and take an action. An action group is a collection of notification preferences that are defined by the owner of an Azure subscription.

+This article shows you how to create and manage action groups in the Azure portal. Depending on your requirements, you can configure various alerts to use the same action group or different action groups.

+- **Type**: The notification that's sent or action that's performed. Examples include sending a voice call, SMS, or email. You can also trigger various types of automated actions. For detailed information about notification and action types, see [Action-specific information](#action-specific-information), later in this article.

+- **Name**: A unique identifier within the action group.

+- **Details**: The corresponding details that vary by type.

+For information about how to use Azure Resource Manager templates to configure action groups, see [Action group Resource Manager templates](./action-groups-create-resource-manager-template.md).

+An action group is a **global** service, so there's no dependency on a specific Azure region. Requests from clients can be processed by action group services in any region. For instance, if one region of the action group service is down, the traffic is automatically routed and processed by other regions. As a global service, an action group helps provide a **disaster recovery** solution.

+1. Go to the [Azure portal](https://portal.azure.com).

+1. Search for and select **Monitor**. The **Monitor** pane consolidates all your monitoring settings and data in one view.

+1. Select **Alerts**, and then select **Action groups**.

+ :::image type="content" source="./media/action-groups/manage-action-groups.png" alt-text="Screenshot of the Alerts page in the Azure portal. The Action groups button is called out.":::

+1. Select **Create**.

+ :::image type="content" source="./media/action-groups/create-action-group.png" alt-text="Screenshot of the Action groups page in the Azure portal. The Create button is called out.":::

+1. Enter information as explained in the following sections.

+### Configure basic action group settings

+1. Under **Project details**, select values for **Subscription** and **Resource group**. The action group is saved in the subscription and resource group that you select.

+1. Under **Instance details**, enter values for **Action group name** and **Display name**. The display name is used in place of a full action group name when the group is used to send notifications.

+ :::image type="content" source="./media/action-groups/action-group-1-basics.png" alt-text="Screenshot of the Create action group dialog box. Values are visible in the Subscription, Resource group, Action group name, and Display name boxes.":::

+### Configure notifications

+1. To open the **Notifications** tab, select **Next: Notifications**. Alternately, at the top of the page, select the **Notifications** tab.

+1. Define a list of notifications to send when an alert is triggered. Provide the following information for each notification:

+ - **Notification type**: Select the type of notification that you want to send. The available options are:

+ - **Email Azure Resource Manager Role**: Send an email to users who are assigned to certain subscription-level Azure Resource Manager roles.

+ - **Email/SMS message/Push/Voice**: Send various notification types to specific recipients.

+ - **Name**: Enter a unique name for the notification.

+ - **Details**: Based on the selected notification type, enter an email address, phone number, or other information.

+ - **Common alert schema**: You can choose to turn on the common alert schema, which provides the advantage of having a single extensible and unified alert payload across all the alert services in Monitor. For more information about this schema, see [Common alert schema](./alerts-common-schema.md).

+ :::image type="content" source="./media/action-groups/action-group-2-notifications.png" alt-text="Screenshot of the Notifications tab of the Create action group dialog box. Configuration information for an email notification is visible.":::

+1. Select OK.

+1. To open the **Actions** tab, select **Next: Actions**. Alternately, at the top of the page, select the **Actions** tab.

+1. Define a list of actions to trigger when an alert is triggered. Provide the following information for each action:

+ - **Action type**: Select from the following types of actions:

+ - An Azure Automation runbook

+ - An Azure Functions function

+ - A notification that's sent to Azure Event Hubs

+ - A notification that's sent to an IT service management (ITSM) tool

+ - An Azure Logic Apps workflow

+ - A secure webhook

+ - A webhook

+ - **Name**: Enter a unique name for the action.

+ - **Details**: Enter appropriate information for your selected action type. For instance, you might enter a webhook URI, the name of an Azure app, an ITSM connection, or an Automation runbook. For an ITSM action, also enter values for **Work item** and other fields that your ITSM tool requires.

+ - **Common alert schema**: You can choose to turn on the common alert schema, which provides the advantage of having a single extensible and unified alert payload across all the alert services in Monitor. For more information about this schema, see [Common alert schema](./alerts-common-schema.md).

+ :::image type="content" source="./media/action-groups/action-group-3-actions.png" alt-text="Screenshot of the Actions tab of the Create action group dialog box. Several options are visible in the Action type list.":::

+1. If you'd like to assign a key-value pair to the action group, select **Next: Tags** or the **Tags** tab. Otherwise, skip this step. By using tags, you can categorize your Azure resources. Tags are available for all Azure resources, resource groups, and subscriptions.

+ :::image type="content" source="./media/action-groups/action-group-4-tags.png" alt-text="Screenshot of the Tags tab of the Create action group dialog box. Values are visible in the Name and Value boxes.":::

+1. To review your settings, select **Review + create**. This step quickly checks your inputs to make sure you've entered all required information. If there are issues, they're reported here. After you've reviewed the settings, select **Create** to create the action group.

+ :::image type="content" source="./media/action-groups/action-group-5-review.png" alt-text="Screenshot of the Review + create tab of the Create action group dialog box. All configured values are visible.":::

+>

+> When you configure an action to notify a person by email or SMS, they receive a confirmation indicating that they have been added to the action group.

+### Test an action group in the Azure portal (preview)

+When you create or update an action group in the Azure portal, you can **test** the action group.

+1. Define an action, as described in the previous few sections. Then select **Review + create**.

+1. On the page that lists the information that you entered, select **Test action group**.

+ :::image type="content" source="./media/action-groups/test-action-group.png" alt-text="Screenshot of the Review + create tab of the Create action group dialog box. A Test action group button is visible.":::

+1. Select a sample type and the notification and action types that you want to test. Then select **Test**.

+ :::image type="content" source="./media/action-groups/test-sample-action-group.png" alt-text="Screenshot of the Test sample action group page. An email notification type and a webhook action type are visible.":::

+1. If you close the window or select **Back to test setup** while the test is running, the test is stopped, and you don't get test results.

+ :::image type="content" source="./media/action-groups/stop-running-test.png" alt-text="Screenshot of the Test sample action group page. A dialog box contains a Stop button and asks the user about stopping the test.":::

+1. When the test is complete, a test status of either **Success** or **Failed** appears. If the test failed and you'd like to get more information, select **View details**.

+ :::image type="content" source="./media/action-groups/test-sample-failed.png" alt-text="Screenshot of the Test sample action group page. Error details are visible, and a white X on a red background indicates that a test failed.":::

+You can use the information in the **Error details** section to understand the issue. Then you can edit and test the action group again.

+When you run a test and select a notification type, you get a message with "Test" in the subject. The tests provide a way to check that your action group works as expected before you enable it in a production environment. All the details and links in test email notifications are from a sample reference set.

+The following table describes the role membership requirements that are needed for the *test actions* functionality:

+| User's role membership | Existing action group | Existing resource group and new action group | New resource group and new action group |

+| - | - | -- | - |

+| Subscription contributor | Supported | Supported | Supported |

+| Resource group contributor | Supported | Supported | Not applicable |

+| Action group resource contributor | Supported | Not applicable | Not applicable |

+| Azure Monitor contributor | Supported | Supported | Not applicable |

+| Custom role | Supported | Supported | Not applicable |

+> You can run a limited number of tests per time period. To check which limits apply to your situation, see [Rate limiting for voice, SMS, emails, Azure App push notifications, and webhook posts](./alerts-rate-limiting.md).

+>

+> When you configure an action group in the portal, you can opt in or out of the common alert schema.

+>

+> - To find common schema samples for all sample types, see [Common alert schema definitions for Test Action Group](./alerts-common-schema-test-action-definitions.md).

+> - To find non-common schema alert definitions, see [Non-common alert schema definitions for Test Action Group](./alerts-non-common-schema-definitions.md).

+After you create an action group, you can view it in the portal:

+1. From the **Monitor** page, select **Alerts**.

+1. Select **Manage actions**.

+1. Select the action group that you want to manage. You can:

+ - Add, edit, or remove actions.

+ - Delete the action group.

+The following sections provide information about the various actions and notifications that you can configure in an action group.

+>

+> To check numeric limits on each type of action or notification, see [Subscription service limits for monitoring](../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-monitor-limits).

+### Automation runbook

+To check limits on Automation runbook payloads, see [Automation limits](../../azure-resource-manager/management/azure-subscription-service-limits.md#automation-limits).

+You may have a limited number of runbook actions per action group.

+### Azure app push notifications

+To enable push notifications to the Azure mobile app, provide the email address that you use as your account ID when you configure the Azure mobile app. For more information about the Azure mobile app, see [Get the Azure mobile app](https://azure.microsoft.com/features/azure-portal/mobile-app/).

+You might have a limited number of Azure app actions per action group.

+Ensure that your email filtering is configured appropriately. Emails are sent from the following email addresses:

+

+You may have a limited number of email actions per action group. For information about rate limits, see [Rate limiting for voice, SMS, emails, Azure App push notifications, and webhook posts](./alerts-rate-limiting.md).

+### Email Azure Resource Manager role

+When you use this type of notification, you can send email to the members of a subscription's role. Email is only sent to Azure Active Directory (Azure AD) **user** members of the role. Email isn't sent to Azure AD groups or service principals.

+If your *primary email* doesn't receive notifications, take the following steps:

+1. In the Azure portal, go to **Active Directory**.

+1. On the left, select **All users**. On the right, a list of users appears.

+1. Select the user whose *primary email* you'd like to review.

+ :::image type="content" source="media/action-groups/active-directory-user-profile.png" alt-text="Screenshot of the All users page in the Azure portal. On the left, the All users item is selected. Information about one user is visible but is indecipherable." border="true":::

+1. In the user profile, look under **Contact info** for an **Email** value. If it's blank:

+ 1. At the top of the page, select **Edit**.

+ 1. Enter an email address.

+ 1. At the top of the page, select **Save**.

+ :::image type="content" source="media/action-groups/active-directory-add-primary-email.png" alt-text="Screenshot of a user profile page in the Azure portal. The Edit button and the Email box are called out." border="true":::

+You may have a limited number of email actions per action group. To check which limits apply to your situation, see [Rate limiting for voice, SMS, emails, Azure App push notifications, and webhook posts](./alerts-rate-limiting.md).

+When you set up the Azure Resource Manager role:

+1. Assign an entity of type **"User"** to the role.

+1. Make the assignment at the **subscription** level.

+1. Make sure an email address is configured for the user in their **Azure AD profile**.

+>

+> It can take up to **24 hours** for a customer to start receiving notifications after they add a new Azure Resource Manager role to their subscription.

+### Event Hubs

+An Event Hubs action publishes notifications to Event Hubs. For more information about Event Hubs, see [Azure Event HubsΓÇöA big data streaming platform and event ingestion service](../../event-hubs/event-hubs-about.md). You can subscribe to the alert notification stream from your event receiver.

+### Functions

+An action that uses Functions calls an existing HTTP trigger endpoint in Functions. For more information about Functions, see [Azure Functions](../../azure-functions/functions-get-started.md). To handle a request, your endpoint must handle the HTTP POST verb.

+When you define the function action, the function's HTTP trigger endpoint and access key are saved in the action definition, for example, `https://azfunctionurl.azurewebsites.net/api/httptrigger?code=<access_key>`. If you change the access key for the function, you need to remove and recreate the function action in the action group.

+You may have a limited number of function actions per action group.

+An ITSM action requires an ITSM connection. To learn how to create an ITSM connection, see [ITSM integration](./itsmc-overview.md).

+You might have a limited number of ITSM actions per action group.

+### Logic Apps

+You may have a limited number of Logic Apps actions per action group.

+### Secure webhook

+When you use a secure webhook action, you can use Azure AD to secure the connection between your action group and your protected web API, which is your webhook endpoint. For an overview of Azure AD applications and service principals, see [Microsoft identity platform (v2.0) overview](../../active-directory/develop/v2-overview.md). Follow these steps to take advantage of the secure webhook functionality.

+>

+> If you use the webhook action, your target webhook endpoint needs to be able to process the various JSON payloads that different alert sources emit. If the webhook endpoint expects a specific schema, for example, the Microsoft Teams schema, use the Logic Apps action to transform the alert schema to meet the target webhook's expectations.

+1. Create an Azure AD application for your protected web API. For detailed information, see [Protected web API: App registration](../../active-directory/develop/scenario-protected-web-api-app-registration.md). Configure your protected API to be called by a daemon app, and expose application permissions, not delegated permissions. For more information about these permissions, see [If your web API is called by a service or daemon app](../../active-directory/develop/scenario-protected-web-api-app-registration.md#if-your-web-api-is-called-by-a-service-or-daemon-app).

+ > [!NOTE]

+ >

+ > Configure your protected web API to accept V2.0 access tokens. For detailed information about this setting, see [Azure Active Directory app manifest](../../active-directory/develop/reference-app-manifest.md#accesstokenacceptedversion-attribute).

+1. To enable the action group to use your Azure AD application, use the PowerShell script that follows this procedure.

+ > [!NOTE]

+ >

+ > You must be assigned the [Azure AD Application Administrator role](../../active-directory/roles/permissions-reference.md#all-roles) to run this script.

+ 1. Modify the PowerShell script's `Connect-AzureAD` call to use your Azure AD tenant ID.

+ 1. Modify the PowerShell script's `$myAzureADApplicationObjectId` variable to use the Object ID of your Azure AD application.

+ 1. Run the modified script.

+ > [!NOTE]

+ >

+ > The service principle needs to be assigned an **owner role** of the Azure AD application to be able to create or modify the secure webhook action in the action group.

+1. Configure the secure webhook action.

+ 1. Copy the `$myApp.ObjectId` value that's in the script.

+ 1. In the webhook action definition, in the **Object Id** box, enter the value that you copied.

+ :::image type="content" source="./media/action-groups/action-groups-secure-webhook.png" alt-text="Screenshot of the Secured Webhook dialog box in the Azure portal. The Object ID box is visible." border="true":::

+#### Secure webhook PowerShell script

+# Define your Azure AD application's ObjectId.

+# Define the action group Azure AD AppId.

+# Define the name of the new role that gets added to your Azure AD application.

+# Create an application role with the given name and description.

+# Get your Azure AD application, its roles, and its service principal.

+# Create the role if it doesn't exist.

+ # Add the new role to the Azure AD application.

+# Create the service principal if it doesn't exist.

+ # Create a service principal for the action group Azure AD application and add it to the role.

+For information about rate limits, see [Rate limiting for voice, SMS, emails, Azure App push notifications, and webhook posts](./alerts-rate-limiting.md).

+For important information about using SMS notifications in action groups, see [SMS alert behavior in action groups](./alerts-sms-behavior.md).

+You might have a limited number of SMS actions per action group.

+>

+> If you can't select your country/region code in the Azure portal, SMS isn't supported for your country/region. If your country/region code isn't available, you can vote to have your country/region added at [Share your ideas](https://feedback.azure.com/d365community/idea/e527eaa6-2025-ec11-b6e6-000d3a4f09d0). In the meantime, as a workaround, configure your action group to call a webhook to a third-party SMS provider that offers support in your country/region.

+For information about pricing for supported countries/regions, see [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/).

+#### Countries with SMS notification support

+| Country code | Country |

+For important information about rate limits, see [Rate limiting for voice, SMS, emails, Azure App push notifications, and webhook posts](./alerts-rate-limiting.md).

+You might have a limited number of voice actions per action group.

+>

+> If you can't select your country/region code in the Azure portal, voice calls aren't supported for your country/region. If your country/region code isn't available, you can vote to have your country/region added at [Share your ideas](https://feedback.azure.com/d365community/idea/e527eaa6-2025-ec11-b6e6-000d3a4f09d0). In the meantime, as a workaround, configure your action group to call a webhook to a third-party voice call provider that offers support in your country/region.

+>

+> The only country code that action groups currently support for voice notification is +1 for the United States.

+For information about pricing for supported countries/regions, see [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/).

+>

+> If you use the webhook action, your target webhook endpoint needs to be able to process the various JSON payloads that different alert sources emit. If the webhook endpoint expects a specific schema, for example, the Microsoft Teams schema, use the Logic Apps action to transform the alert schema to meet the target webhook's expectations.

+Webhook action groups use the following rules:

+- A webhook call is attempted at most three times.

+- The first call waits 10 seconds for a response.

+- The second and third attempts wait 30 seconds for a response.

+- The call is retried if any of the following conditions are met:

+ - A response isn't received within the timeout period.

+ - One of the following HTTP status codes is returned: 408, 429, 503, or 504.

+- If three attempts to call the webhook fail, no action group calls the endpoint for 15 minutes.

+For source IP address ranges, see [Action group IP addresses](../app/ip-addresses.md).

+- Learn more about [SMS alert behavior](./alerts-sms-behavior.md).

+- Gain an [understanding of the activity log alert webhook schema](./activity-log-alerts-webhook.md).

+- Learn more about [ITSM Connector](./itsmc-overview.md).

+- Learn more about [rate limiting](./alerts-rate-limiting.md) on alerts.

+- Get an [overview of activity log alerts](./alerts-overview.md), and learn how to receive alerts.

+- Learn how to [configure alerts whenever a Service Health notification is posted](../../service-health/alerts-activity-log-service-notifications-portal.md).

+> With ASP.NET Core and with Microsoft.ApplicationInsights.AspNetCore >= 2.15.0 you can configure AppInsights options via appsettings.json

+|Requests Failure Count|Count| `Resource Provider`, `Attach Type`, `Instrumentation Key`, `Runtime Version`, `Operating System`, `Language`, `Version`, `Endpoint`, `Host`, `Status Code`|

+|Retry Count|Count| `Resource Provider`, `Attach Type`, `Instrumentation Key`, `Runtime Version`, `Operating System`, `Language`, `Version`, `Endpoint`, `Host`, , `Status Code`|

+|Throttle Count|Count| `Resource Provider`, `Attach Type`, `Instrumentation Key`, `Runtime Version`, `Operating System`, `Language`, `Version`, `Endpoint`, `Host`, `Status Code`|

+|Exception Count|Count| `Resource Provider`, `Attach Type`, `Instrumentation Key`, `Runtime Version`, `Operating System`, `Language`, `Version`, `Endpoint`, `Host`, `Exception Type`|

+Not supported yet.

+Not supported yet.

+## Microsoft.AAD/DomainServices

+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|

+||||||||

+|\DirectoryServices(NTDS)\LDAP Searches/sec|Yes|NTDS - LDAP Searches/sec|CountPerSecond|Average|This metric indicates the average number of searches per second for the NTDS object. It is backed by performance counter data from the domain controller, and can be filtered or splitted by role instance.|No Dimensions|

+|\DirectoryServices(NTDS)\LDAP Successful Binds/sec|Yes|NTDS - LDAP Successful Binds/sec|CountPerSecond|Average|This metric indicates the number of LDAP successful binds per second for the NTDS object. It is backed by performance counter data from the domain controller, and can be filtered or splitted by role instance.|No Dimensions|

+|\DNS\Total Query Received/sec|Yes|DNS - Total Query Received/sec|CountPerSecond|Average|This metric indicates the average number of queries received by DNS server in each second. It is backed by performance counter data from the domain controller, and can be filtered or splitted by role instance.|No Dimensions|

+|\DNS\Total Response Sent/sec|Yes|Total Response Sent/sec|CountPerSecond|Average|This metric indicates the average number of reponses sent by DNS server in each second. It is backed by performance counter data from the domain controller, and can be filtered or splitted by role instance.|No Dimensions|

+|\Memory\% Committed Bytes In Use|Yes|% Committed Bytes In Use|Percent|Average|This metric indicates the ratio of Memory\Committed Bytes to the Memory\Commit Limit. Committed memory is the physical memory in use for which space has been reserved in the paging file should it need to be written to disk. The commit limit is determined by the size of the paging file. If the paging file is enlarged, the commit limit increases, and the ratio is reduced. This counter displays the current percentage value only; it is not an average. It is backed by performance counter data from the domain controller, and can be filtered or splitted by role instance.|No Dimensions|

+|\Process(dns)\% Processor Time|Yes|% Processor Time (dns)|Percent|Average|This metric indicates the percentage of elapsed time that all of dns process threads used the processor to execute instructions. An instruction is the basic unit of execution in a computer, a thread is the object that executes instructions, and a process is the object created when a program is run. Code executed to handle some hardware interrupts and trap conditions are included in this count. It is backed by performance counter data from the domain controller, and can be filtered or splitted by role instance.|No Dimensions|

+|\Process(lsass)\% Processor Time|Yes|% Processor Time (lsass)|Percent|Average|This metric indicates the percentage of elapsed time that all of lsass process threads used the processor to execute instructions. An instruction is the basic unit of execution in a computer, a thread is the object that executes instructions, and a process is the object created when a program is run. Code executed to handle some hardware interrupts and trap conditions are included in this count. It is backed by performance counter data from the domain controller, and can be filtered or splitted by role instance.|No Dimensions|

+|\Processor(_Total)\% Processor Time|Yes|Total Processor Time|Percent|Average|This metric indicates the percentage of elapsed time that the processor spends to execute a non-Idle thread. It is calculated by measuring the percentage of time that the processor spends executing the idle thread and then subtracting that value from 100%. (Each processor has an idle thread that consumes cycles when no other threads are ready to run). This counter is the primary indicator of processor activity, and displays the average percentage of busy time observed during the sample interval. It should be noted that the accounting calculation of whether the processor is idle is performed at an internal sampling interval of the system clock (10ms). On todays fast processors, % Processor Time can therefore underestimate the processor utilization as the processor may be spending a lot of time servicing threads between the system clock sampling interval. Workload based timer applications are one example of applications which are more likely to be measured inaccurately as timers are signaled just after the sample is taken. It is backed by performance counter data from the domain controller, and can be filtered or splitted by role instance.|No Dimensions|

+|\Security System-Wide Statistics\Kerberos Authentications|Yes|Kerberos Authentications|CountPerSecond|Average|This metric indicates the number of times that clients use a ticket to authenticate to this computer per second. It is backed by performance counter data from the domain controller, and can be filtered or splitted by role instance.|No Dimensions|

+|\Security System-Wide Statistics\NTLM Authentications|Yes|NTLM Authentications|CountPerSecond|Average|This metric indicates the number of NTLM authentications processed per second for the Active Directory on this domain contrller or for local accounts on this member server. It is backed by performance counter data from the domain controller, and can be filtered or splitted by role instance.|No Dimensions|

+|CACompliantDeviceSuccessCount|Yes|CACompliantDeviceSuccessCount|Count|Count|CA comliant device scuccess count for Azure AD|No Dimensions|

+|CAManagedDeviceSuccessCount|No|CAManagedDeviceSuccessCount|Count|Count|CA domain join device success count for Azure AD|No Dimensions|

+|MFAAttemptCount|No|MFAAttemptCount|Count|Count|MFA attempt count for Azure AD|No Dimensions|

+|MFAFailureCount|No|MFAFailureCount|Count|Count|MFA failure count for Azure AD|No Dimensions|

+|MFASuccessCount|No|MFASuccessCount|Count|Count|MFA success count for Azure AD|No Dimensions|

+## Microsoft.App/containerapps

+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|

+||||||||

+|Replicas|Yes|Replica Count|Count|Maximum|Number of replicas count of container app|revisionName|

+|Requests|Yes|Requests|Count|Total|Requests processed|revisionName, podName, statusCodeCategory, statusCode|

+|RestartCount|Yes|Replica Restart Count|Count|Maximum|Restart count of container app replicas|revisionName, podName|

+|RxBytes|Yes|Network In Bytes|Bytes|Total|Network received bytes|revisionName, podName|

+|TxBytes|Yes|Network Out Bytes|Bytes|Total|Network transmitted bytes|revisionName, podName|

+|UsageNanoCores|Yes|CPU Usage|NanoCores|Average|CPU consumed by the container app, in nano cores. 1,000,000,000 nano cores = 1 core|revisionName, podName|

+|WorkingSetBytes|Yes|Memory Working Set Bytes|Bytes|Average|Container App working set memory used in bytes.|revisionName, podName|

+|APIRequestCallRecording|Yes|Call Recording API Requests|Count|Count|Count of all requests against the Communication Services Call Recording endpoint.|Operation, StatusCode, StatusCodeClass|

+|Composite Disk Read Bytes/sec|No|Disk Read Bytes/sec(Preview)|BytesPerSecond|Average|Bytes/sec read from disk during monitoring period, please note, this metric is in preview and is subject to change before becoming generally available|No Dimensions|

+|Composite Disk Read Operations/sec|No|Disk Read Operations/sec(Preview)|CountPerSecond|Average|Number of read IOs performed on a disk during monitoring period, please note, this metric is in preview and is subject to change before becoming generally available|No Dimensions|

+|Composite Disk Write Bytes/sec|No|Disk Write Bytes/sec(Preview)|BytesPerSecond|Average|Bytes/sec written to disk during monitoring period, please note, this metric is in preview and is subject to change before becoming generally available|No Dimensions|

+|Composite Disk Write Operations/sec|No|Disk Write Operations/sec(Preview)|CountPerSecond|Average|Number of Write IOs performed on a disk during monitoring period, please note, this metric is in preview and is subject to change before becoming generally available|No Dimensions|

+|DiskPaidBurstIOPS|No|Disk On-demand Burst Operations(Preview)|Count|Average|The accumulated operations of burst transactions used for disks with on-demand burst enabled. Emitted on an hour interval|No Dimensions|

+|VmAvailabilityMetric|Yes|VM Availability Metric (Preview)|Count|Average|Measure of Availability of Virtual machines over time. Note: This metric is previewed to only a small set of customers at the moment, as we prioritize improving data quality and consistency. As we improve our data standard, we will be rolling out this feature fleetwide in a phased manner.|No Dimensions|

+## Microsoft.Compute/virtualmachineScaleSets

+|VmAvailabilityMetric|Yes|VM Availability Metric (Preview)|Count|Average|Measure of Availability of Virtual machines over time. Note: This metric is previewed to only a small set of customers at the moment, as we prioritize improving data quality and consistency. As we improve our data standard, we will be rolling out this feature fleetwide in a phased manner.|VMName|

+|hitRatio|Yes|Cache Efficiency|Percent|Average|Cache Efficiency|cachenodeid|

+## Microsoft.DataProtection/BackupVaults

+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|

+||||||||

+|BackupHealthEvent|Yes|Backup Health Events (preview)|Count|Count|The count of health events pertaining to backup job health|dataSourceURL, backupInstanceUrl, dataSourceType, healthStatus, backupInstanceName|

+|RestoreHealthEvent|Yes|Restore Health Events (preview)|Count|Count|The count of health events pertaining to restore job health|dataSourceURL, backupInstanceUrl, dataSourceType, healthStatus, backupInstanceName|

+|DedicatedGatewayCPUUsage|No|DedicatedGatewayCPUUsage|Percent|Average|CPU usage across dedicated gateway instances|Region, ApplicationType|

+|DedicatedGatewayMemoryUsage|No|DedicatedGatewayMemoryUsage|Bytes|Average|Memory usage across dedicated gateway instances|Region, ApplicationType|

+|PhysicalPartitionThroughputInfo|No|Physical Partition Throughput|Count|Maximum|Physical Partition Throughput|CollectionName, DatabaseName, PhysicalPartitionId, OfferOwnerRid, Region|

+|TotalRequestsPreview|No|Total Requests (Preview)|Count|Count|Number of requests made with CapacityType|DatabaseName, CollectionName, Region, StatusCode, OperationType, Status, CapacityType|

+|TotalRequestUnitsPreview|No|Total Request Units (Preview)|Count|Total|Request Units consumed with CapacityType|DatabaseName, CollectionName, Region, StatusCode, OperationType, Status, CapacityType|

+## microsoft.edgezones/edgezones

+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|

+||||||||

+|TotalVcoreCapacity|Yes|Total VCore Capacity|Count|Average|The total capacity of the General-Purpose Compute vcore in Edge Zone Enterprise site. |No Dimensions|

+|VcoresUsage|Yes|Vcore Usage Percentage|Percent|Average|The utilization of the General-Purpose Compute vcores in Edge Zone Enterprise site |No Dimensions|

+|ActiveConnections|No|ActiveConnections|Count|Average|Total Active Connections for Microsoft.EventHub.|No Dimensions|

+|ConnectionsClosed|No|Connections Closed.|Count|Average|Connections Closed for Microsoft.EventHub.|No Dimensions|

+|ConnectionsOpened|No|Connections Opened.|Count|Average|Connections Opened for Microsoft.EventHub.|No Dimensions|

+|QuotaExceededErrors|No|Quota Exceeded Errors.|Count|Total|Quota Exceeded Errors for Microsoft.EventHub.|OperationResult|

+|ServerErrors|No|Server Errors.|Count|Total|Server Errors for Microsoft.EventHub.|OperationResult|

+|SuccessfulRequests|No|Successful Requests|Count|Total|Successful Requests for Microsoft.EventHub.|OperationResult|

+|ThrottledRequests|No|Throttled Requests.|Count|Total|Throttled Requests for Microsoft.EventHub.|OperationResult|

+|UserErrors|No|User Errors.|Count|Total|User Errors for Microsoft.EventHub.|OperationResult|

+|HyperVVirtualProcessorUtilization|Yes|Average CPU Utilization|Percent|Average|Total average percentage of virtual CPU utilization at one minute interval. The total number of virtual CPU is based on user configured value in SKU definition. Further filter can be applied based on RoleName defined in SKU.|InstanceName|

+## Microsoft.Kusto/clusters

+|QueryDuration|Yes|Query duration|MilliSeconds|Average|Queries' duration in seconds|QueryStatus|

+|StreamingIngestDuration|Yes|Streaming Ingest Duration|MilliSeconds|Average|Streaming ingest duration in milliseconds|No Dimensions|

+## Microsoft.Logic/IntegrationServiceEnvironments

+|ConnectionLifetime|No|Connection Lifetime|MilliSeconds|Average|Average time duration from the start of a new connection to its termination|Listener|

+## Microsoft.Network/dnsForwardingRulesets

+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|

+||||||||

+|ForwardingRuleCount|Yes|Forwarding Rule Count|Count|Maximum|This metric indicates the number of forwarding rules present in each DNS forwarding ruleset.|No Dimensions|

+|VirtualNetworkLinkCount|Yes|Virtual Network Link Count|Count|Maximum|This metric indicates the number of associated virtual network links to a DNS forwarding ruleset.|No Dimensions|

+## Microsoft.Network/dnsResolvers

+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|

+||||||||

+|InboundEndpointCount|Yes|Inbound Endpoint Count|Count|Maximum|This metric indicates the number of inbound endpoints created for a DNS Resolver.|No Dimensions|

+|OutboundEndpointCount|Yes|Outbound Endpoint Count|Count|Maximum|This metric indicates the number of outbound endpoints created for a DNS Resolver.|No Dimensions|

+## microsoft.network/expressroutegateways

+|ErGatewayConnectionBitsInPerSecond|No|Bits In Per Second|BitsPerSecond|Average|Bits per second ingressing Azure via ExpressRoute Gateway which can be further split for specific connections|ConnectionName|

+|ErGatewayConnectionBitsOutPerSecond|No|Bits Out Per Second|BitsPerSecond|Average|Bits per second egressing Azure via ExpressRoute Gateway which can be further split for specific connections|ConnectionName|

+|ExpressRouteGatewayBitsPerSecond|No|Bits Received Per second|BitsPerSecond|Average|Total Bits received on ExpressRoute Gateway per second|roleInstance|

+|ExpressRouteGatewayCountOfRoutesAdvertisedToPeer|Yes|Count Of Routes Advertised to Peer|Count|Maximum|Count Of Routes Advertised To Peer by ExpressRoute Gateway|roleInstance|

+|ExpressRouteGatewayCountOfRoutesLearnedFromPeer|Yes|Count Of Routes Learned from Peer|Count|Maximum|Count Of Routes Learned From Peer by ExpressRoute Gateway|roleInstance|

+|ExpressRouteGatewayPacketsPerSecond|No|Packets received per second|CountPerSecond|Average|Total Packets received on ExpressRoute Gateway per second|roleInstance|

+|VirtualHubDataProcessed|No|Data Processed by the Virtual Hub Router|Bytes|Total|Data Processed by the Virtual Hub Router|No Dimensions|

+|Average_% Available Memory|Yes|% Available Memory|Count|Average|Average_% Available Memory. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_% Available Swap Space|Yes|% Available Swap Space|Count|Average|Average_% Available Swap Space. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_% Committed Bytes In Use|Yes|% Committed Bytes In Use|Count|Average|Average_% Committed Bytes In Use. Supported for: Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_% DPC Time|Yes|% DPC Time|Count|Average|Average_% DPC Time. Supported for: Linux, Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_% Free Inodes|Yes|% Free Inodes|Count|Average|Average_% Free Inodes. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_% Free Space|Yes|% Free Space|Count|Average|Average_% Free Space. Supported for: Linux, Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_% Idle Time|Yes|% Idle Time|Count|Average|Average_% Idle Time. Supported for: Linux, Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_% Interrupt Time|Yes|% Interrupt Time|Count|Average|Average_% Interrupt Time. Supported for: Linux, Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_% IO Wait Time|Yes|% IO Wait Time|Count|Average|Average_% IO Wait Time. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_% Nice Time|Yes|% Nice Time|Count|Average|Average_% Nice Time. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_% Privileged Time|Yes|% Privileged Time|Count|Average|Average_% Privileged Time. Supported for: Linux, Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_% Processor Time|Yes|% Processor Time|Count|Average|Average_% Processor Time. Supported for: Linux, Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_% Used Inodes|Yes|% Used Inodes|Count|Average|Average_% Used Inodes. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_% Used Memory|Yes|% Used Memory|Count|Average|Average_% Used Memory. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_% Used Space|Yes|% Used Space|Count|Average|Average_% Used Space. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_% Used Swap Space|Yes|% Used Swap Space|Count|Average|Average_% Used Swap Space. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_% User Time|Yes|% User Time|Count|Average|Average_% User Time. Supported for: Linux, Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Available MBytes|Yes|Available MBytes|Count|Average|Average_Available MBytes. Supported for: Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Available MBytes Memory|Yes|Available MBytes Memory|Count|Average|Average_Available MBytes Memory. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Available MBytes Swap|Yes|Available MBytes Swap|Count|Average|Average_Available MBytes Swap. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Avg. Disk sec/Read|Yes|Avg. Disk sec/Read|Count|Average|Average_Avg. Disk sec/Read. Supported for: Linux, Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Avg. Disk sec/Transfer|Yes|Avg. Disk sec/Transfer|Count|Average|Average_Avg. Disk sec/Transfer. Supported for: Linux, Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Avg. Disk sec/Write|Yes|Avg. Disk sec/Write|Count|Average|Average_Avg. Disk sec/Write. Supported for: Linux, Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric). |Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Bytes Received/sec|Yes|Bytes Received/sec|Count|Average|Average_Bytes Received/sec. Supported for: Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Bytes Sent/sec|Yes|Bytes Sent/sec|Count|Average|Average_Bytes Sent/sec. Supported for: Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Bytes Total/sec|Yes|Bytes Total/sec|Count|Average|Average_Bytes Total/sec. Supported for: Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Current Disk Queue Length|Yes|Current Disk Queue Length|Count|Average|Average_Current Disk Queue Length. Supported for: Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Disk Read Bytes/sec|Yes|Disk Read Bytes/sec|Count|Average|Average_Disk Read Bytes/sec. Supported for: Linux, Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Disk Reads/sec|Yes|Disk Reads/sec|Count|Average|Average_Disk Reads/sec. Supported for: Linux, Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Disk Transfers/sec|Yes|Disk Transfers/sec|Count|Average|Average_Disk Transfers/sec. Supported for: Linux, Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Disk Write Bytes/sec|Yes|Disk Write Bytes/sec|Count|Average|Average_Disk Write Bytes/sec. Supported for: Linux, Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Disk Writes/sec|Yes|Disk Writes/sec|Count|Average|Average_Disk Writes/sec. Supported for: Linux, Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Free Megabytes|Yes|Free Megabytes|Count|Average|Average_Free Megabytes. Supported for: Linux, Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Free Physical Memory|Yes|Free Physical Memory|Count|Average|Average_Free Physical Memory. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric). |Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Free Space in Paging Files|Yes|Free Space in Paging Files|Count|Average|Average_Free Space in Paging Files. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Free Virtual Memory|Yes|Free Virtual Memory|Count|Average|Average_Free Virtual Memory. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Logical Disk Bytes/sec|Yes|Logical Disk Bytes/sec|Count|Average|Average_Logical Disk Bytes/sec. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Page Reads/sec|Yes|Page Reads/sec|Count|Average|Average_Page Reads/sec. Supported for: Linux, Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Page Writes/sec|Yes|Page Writes/sec|Count|Average|Average_Page Writes/sec. Supported for: Linux, Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Pages/sec|Yes|Pages/sec|Count|Average|Average_Pages/sec. Supported for: Linux, Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Pct Privileged Time|Yes|Pct Privileged Time|Count|Average|Average_Pct Privileged Time. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Pct User Time|Yes|Pct User Time|Count|Average|Average_Pct User Time. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Physical Disk Bytes/sec|Yes|Physical Disk Bytes/sec|Count|Average|Average_Physical Disk Bytes/sec. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Processes|Yes|Processes|Count|Average|Average_Processes. Supported for: Linux, Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Processor Queue Length|Yes|Processor Queue Length|Count|Average|Average_Processor Queue Length. Supported for: Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric). |Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Size Stored In Paging Files|Yes|Size Stored In Paging Files|Count|Average|Average_Size Stored In Paging Files. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Total Bytes|Yes|Total Bytes|Count|Average|Average_Total Bytes. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Total Bytes Received|Yes|Total Bytes Received|Count|Average|Average_Total Bytes Received. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Total Bytes Transmitted|Yes|Total Bytes Transmitted|Count|Average|Average_Total Bytes Transmitted. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Total Collisions|Yes|Total Collisions|Count|Average|Average_Total Collisions. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Total Packets Received|Yes|Total Packets Received|Count|Average|Average_Total Packets Received. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Total Packets Transmitted|Yes|Total Packets Transmitted|Count|Average|Average_Total Packets Transmitted. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Total Rx Errors|Yes|Total Rx Errors|Count|Average|Average_Total Rx Errors. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Total Tx Errors|Yes|Total Tx Errors|Count|Average|Average_Total Tx Errors. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Uptime|Yes|Uptime|Count|Average|Average_Uptime. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Used MBytes Swap Space|Yes|Used MBytes Swap Space|Count|Average|. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Used Memory kBytes|Yes|Used Memory kBytes|Count|Average|Average_Used Memory kBytes. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Used Memory MBytes|Yes|Used Memory MBytes|Count|Average|Average_Used Memory MBytes. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Users|Yes|Users|Count|Average|Average_Users. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Average_Virtual Shared Memory|Yes|Virtual Shared Memory|Count|Average|Average_Virtual Shared Memory. Supported for: Linux. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, ObjectName, InstanceName, CounterPath, SourceSystem|

+|Event|Yes|Event|Count|Average|Event. Supported for: Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Source, EventLog, Computer, EventCategory, EventLevel, EventLevelName, EventID|

+|Heartbeat|Yes|Heartbeat|Count|Total|Heartbeat. Supported for: Linux, Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, OSType, Version, SourceComputerId|

+|Update|Yes|Update|Count|Average|Update. Supported for: Windows. Part of [metric alerts for logs feature](https://aka.ms/am-log-to-metric).|Computer, Product, Classification, UpdateState, Optional, Approved|

+## microsoft.securitydetonation/chambers

+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|

+||||||||

+|CapacityUtilization|No|Capacity Utilization|Percent|Maximum|The percentage of the allocated capacity the resource is actively using.|Region|

+|CpuUtilization|No|CPU Utilization|Percent|Average|The percentage of the CPU that is being utilized across the resource.|Region|

+|CreateSubmissionApiResult|No|CreateSubmission Api Results|Count|Count|The total number of CreateSubmission API requests, with return code.|OperationName, ServiceTypeName, Region, HttpReturnCode|

+|PercentFreeDiskSpace|No|Available Disk Space|Percent|Average|The percent amount of available disk space across the resource.|Region|

+|SubmissionDuration|No|Submission Duration|MilliSeconds|Maximum|The submission duration (processing time), from creation to completion.|Region|

+|SubmissionsCompleted|No|Completed Submissions / Hr|Count|Maximum|The number of completed submissions / Hr.|Region|

+|SubmissionsFailed|No|Failed Submissions / Hr|Count|Maximum|The number of failed submissions / Hr.|Region|

+|SubmissionsOutstanding|No|Outstanding Submissions|Count|Average|The average number of outstanding submissions that are queued for processing.|Region|

+|SubmissionsSucceeded|No|Successful Submissions / Hr|Count|Maximum|The number of successful submissions / Hr.|Region|

+|ServerLoad|No|Server Load|Percent|Maximum|SignalR server load.|No Dimensions|

+|ServerLoad|No|Server Load|Percent|Maximum|SignalR server load.|No Dimensions|

+|delta_num_of_bytes_read|Yes|Remote data reads|Bytes|Total|Remote data reads in bytes|No Dimensions|

+|delta_num_of_bytes_total|Yes|Total remote bytes read and written|Bytes|Total|Total remote bytes read and written by compute|No Dimensions|

+|delta_num_of_bytes_written|Yes|Remote log writes|Bytes|Total|Remote log writes in bytes|No Dimensions|

+|SuccessE2ELatency|Yes|Success E2E Latency|MilliSeconds|Average|The average end-to-end latency of successful requests made to a storage service or the specified API operation, in milliseconds. This value includes the required processing time within Azure Storage to read the request, send the response, and receive acknowledgment of the response.|GeoType, ApiName, Authentication|

+|SuccessServerLatency|Yes|Success Server Latency|MilliSeconds|Average|The average time used to process a successful request by Azure Storage. This value does not include the network latency specified in SuccessE2ELatency.|GeoType, ApiName, Authentication|

+|Transactions|Yes|Transactions|Count|Total|The number of requests made to a storage service or the specified API operation. This number includes successful and failed requests, as well as requests which produced errors. Use ResponseType dimension for the number of different type of response.|ResponseType, GeoType, ApiName, Authentication, TransactionType|

+|Requests|No|Requests|Count|Total|API Connection Requests|HttpStatusCode, ClientIPAddress|

+## Microsoft.Web/containerapps

+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|

+||||||||

+|Replicas|Yes|Replica Count|Count|Maximum|Number of replicas count of container app|revisionName, deploymentName|

+|Requests|Yes|Requests|Count|Total|Requests processed|revisionName, podName, statusCodeCategory, statusCode|

+|RestartCount|Yes|Replica Restart Count|Count|Maximum|Restart count of container app replicas|revisionName, podName|

+|RxBytes|Yes|Network In Bytes|Bytes|Total|Network received bytes|revisionName, podName|

+|TxBytes|Yes|Network Out Bytes|Bytes|Total|Network transmitted bytes|revisionName, podName|

+|UsageNanoCores|Yes|CPU Usage Nanocores|NanoCores|Average|CPU consumed by the container app, in nano cores. 1,000,000,000 nano cores = 1 core|revisionName, podName|

+|WorkingSetBytes|Yes|Memory Working Set Bytes|Bytes|Average|Container App working set memory used in bytes.|revisionName, podName|

+|EmailSendMailOperational|Email Service Send Mail Logs|Yes|

+|EmailStatusUpdateOperational|Email Service Delivery Status Update Logs|Yes|

+|EmailUserEngagementOperational|Email Service User Engagement Logs|Yes|

+|NetworkTraversalDiagnostics|Network Traversal Relay Diagnostic Logs|Yes|

+## Microsoft.Kusto/clusters

+|FailedIngestion|Failed ingestion|No|

+|SucceededIngestion|Succeeded ingestion|No|

+## microsoft.loadtestservice/loadtests

+|OperationLogs|Azure Load Testing Operations|Yes|

+|NspIntraPerimeterInboundAllowed|Inbound access allowed within same perimeter.|Yes|

+|NspIntraPerimeterOutboundAllowed|Outbound attempted to same perimeter.|Yes|

+|NspPrivateInboundAllowed|Private endpoint traffic allowed.|Yes|

+|NspPublicInboundPerimeterRulesAllowed|Public inbound access allowed by NSP access rules.|Yes|

+|NspPublicInboundPerimeterRulesDenied|Public inbound access denied by NSP access rules.|Yes|

+|NspPublicInboundResourceRulesAllowed|Public inbound access allowed by PaaS resource rules.|Yes|

+|NspPublicInboundResourceRulesDenied|Public inbound access denied by PaaS resource rules.|Yes|

+|NspPublicOutboundPerimeterRulesAllowed|Public outbound access allowed by NSP access rules.|Yes|

+|NspPublicOutboundPerimeterRulesDenied|Public outbound access denied by NSP access rules.|Yes|

+|NspPublicOutboundResourceRulesAllowed|Public outbound access allowed by PaaS resource rules.|Yes|

+|NspPublicOutboundResourceRulesDenied|Public outbound access denied by PaaS resource rules|Yes|

+|ElasticOperatorLogs|Elastic Operator Logs|Yes|

+|ElasticsearchLogs|Elasticsearch Logs|Yes|

+## Microsoft.Security/antiMalwareSettings

+|Category|Category Display Name|Costs To Export|

+||||

+|ScanResults|AntimalwareScanResults|Yes|

+ Title: Release Notes for Microsoft.ApplicationInsights.SnapshotCollector NuGet package - Application Insights

+description: Release notes for the Microsoft.ApplicationInsights.SnapshotCollector NuGet package used by the Application Insights Snapshot Debugger.

+# Release notes for Microsoft.ApplicationInsights.SnapshotCollector

+This article contains the releases notes for the Microsoft.ApplicationInsights.SnapshotCollector NuGet package for .NET applications, which is used by the Application Insights Snapshot Debugger.

+[Learn](./snapshot-debugger.md) more about the Application Insights Snapshot Debugger for .NET applications.

+For bug reports and feedback, open an issue on GitHub at https://github.com/microsoft/ApplicationInsights-SnapshotCollector

+## Release notes

+## [1.4.3](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.4.3)

+A point release to address user-reported bugs.

+### Bug fixes

+- Fix [Hide the IDMS dependency from dependency tracker.](https://github.com/microsoft/ApplicationInsights-SnapshotCollector/issues/17)

+- Fix [ArgumentException: telemetryProcessorTypedoes not implement ITelemetryProcessor.](https://github.com/microsoft/ApplicationInsights-SnapshotCollector/issues/19)

+<br>Snapshot Collector used via SDK is not supported when Interop feature is enabled. [See more not supported scenarios.](./snapshot-debugger-troubleshoot.md#not-supported-scenarios)

+## [1.4.2](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.4.2)

+A point release to address a user-reported bug.

+### Bug fixes

+- Fix [ArgumentException: Delegates must be of the same type.](https://github.com/microsoft/ApplicationInsights-SnapshotCollector/issues/16)

+## [1.4.1](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.4.1)

+A point release to revert a breaking change introduced in 1.4.0.

+### Bug fixes

+- Fix [Method not found in WebJobs](https://github.com/microsoft/ApplicationInsights-SnapshotCollector/issues/15)

+## [1.4.0](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.4.0)

+Address multiple improvements and added support for Azure Active Directory (AAD) authentication for Application Insights ingestion.

+### Changes

+- Snapshot Collector package size reduced by 60%. From 10.34 MB to 4.11 MB.

+- Target netstandard2.0 only in Snapshot Collector.

+- Bump Application Insights SDK dependency to 2.15.0.

+- Add back MinidumpWithThreadInfo when writing dumps.

+- Add CompatibilityVersion to improve synchronization between Snapshot Collector agent and uploader on breaking changes.

+- Change SnapshotUploader LogFile naming algorithm to avoid excessive file I/O in App Service.

+- Add pid, role name, and process start time to uploaded blob metadata.

+- Use System.Diagnostics.Process where possible in Snapshot Collector and Snapshot Uploader.

+### New features

+- Add Azure Active Directory authentication to SnapshotCollector. Learn more about Azure AD authentication in Application Insights [here](../app/azure-ad-authentication.md).

+## [1.3.7.5](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.7.5)

+A point release to backport a fix from 1.4.0-pre.

+### Bug fixes

+- Fix [ObjectDisposedException on shutdown](https://github.com/microsoft/ApplicationInsights-dotnet/issues/2097).

+## [1.3.7.4](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.7.4)

+A point release to address a problem discovered in testing Azure App Service's codeless attach scenario.

+### Changes

+- The netcoreapp3.0 target now depends on Microsoft.ApplicationInsights.AspNetCore >= 2.1.1 (previously >= 2.1.2).

+## [1.3.7.3](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.7.3)

+A point release to address a couple of high-impact issues.

+### Bug fixes

+- Fixed PDB discovery in the wwwroot/bin folder, which was broken when we changed the symbol search algorithm in 1.3.6.

+- Fixed noisy ExtractWasCalledMultipleTimesException in telemetry.

+## [1.3.7](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.7)

+### Changes

+- The netcoreapp2.0 target of SnapshotCollector depends on Microsoft.ApplicationInsights.AspNetCore >= 2.1.1 (again). This reverts behavior to how it was before 1.3.5. We tried to upgrade it in 1.3.6, but it broke some Azure App Service scenarios.

+### New features

+- Snapshot Collector reads and parses the ConnectionString from the APPLICATIONINSIGHTS_CONNECTION_STRING environment variable or from the TelemetryConfiguration. Primarily, this is used to set the endpoint for connecting to the Snapshot service. For more information, see the [Connection strings documentation](../app/sdk-connection-string.md).

+### Bug fixes

+- Switched to using HttpClient for all targets except net45 because WebRequest was failing in some environments due to an incompatible SecurityProtocol (requires TLS 1.2).

+## [1.3.6](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.6)

+### Changes

+- SnapshotCollector now depends on Microsoft.ApplicationInsights >= 2.5.1 for all target frameworks. This may be a breaking change if your application depends on an older version of the Microsoft.ApplicationInsights SDK.

+- Remove support for TLS 1.0 and 1.1 in Snapshot Uploader.

+- Period of PDB scans now defaults 24 hours instead of 15 minutes. Configurable via PdbRescanInterval on SnapshotCollectorConfiguration.

+- PDB scan searches top-level folders only, instead of recursive. This may be a breaking change if your symbols are in subfolders of the binary folder.

+### New features

+- Log rotation in SnapshotUploader to avoid filling the logs folder with old files.

+- Deoptimization support (via ReJIT on attach) for .NET Core 3.0 applications.

+- Add symbols to NuGet package.

+- Set additional metadata when uploading minidumps.

+- Added an Initialized property to SnapshotCollectorTelemetryProcessor. It's a CancellationToken, which will be canceled when the Snapshot Collector is completely initialized and connected to the service endpoint.

+- Snapshots can now be captured for exceptions in dynamically generated methods. For example, the compiled expression trees generated by Entity Framework queries.

+### Bug fixes

+- AmbiguousMatchException loading Snapshot Collector due to Status Monitor.

+- GetSnapshotCollector extension method now searches all TelemetrySinks.

+- Don't start the Snapshot Uploader on unsupported platforms.

+- Handle InvalidOperationException when deoptimizing dynamic methods (for example, Entity Framework)

+## [1.3.5](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.5)

+- Add support for Sovereign clouds (Older versions won't work in sovereign clouds)

+- Adding snapshot collector made easier by using AddSnapshotCollector(). More information can be found [here](./snapshot-debugger-app-service.md).

+- Use FISMA MD5 setting for verifying blob blocks. This avoids the default .NET MD5 crypto algorithm, which is unavailable when the OS is set to FIPS-compliant mode.

+- Ignore .NET Framework frames when deoptimizing function calls. This behavior can be controlled by the DeoptimizeIgnoredModules configuration setting.

+- Add `DeoptimizeMethodCount` configuration setting that allows deoptimization of more than one function call. More information here

+## [1.3.4](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.4)

+- Allow structured Instrumentation Keys.

+- Increase SnapshotUploader robustness - continue startup even if old uploader logs can't be moved.

+- Re-enabled reporting additional telemetry when SnapshotUploader.exe exits immediately (was disabled in 1.3.3).

+- Simplify internal telemetry.

+- _Experimental feature_: Snappoint collection plans: Add "snapshotOnFirstOccurence". More information available [here](https://gist.github.com/alexaloni/5b4d069d17de0dabe384ea30e3f21dfe).

+## [1.3.3](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.3)

+- Fixed bug that was causing SnapshotUploader.exe to stop responding and not upload snapshots for .NET Core apps.

+## [1.3.2](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.2)

+- _Experimental feature_: Snappoint collection plans. More information available [here](https://gist.github.com/alexaloni/5b4d069d17de0dabe384ea30e3f21dfe).

+- SnapshotUploader.exe will exit when the runtime unloads the AppDomain from which SnapshotCollector is loaded, instead of waiting for the process to exit. This improves the collector reliability when hosted in IIS.

+- Add configuration to allow multiple SnapshotCollector instances that are using the same Instrumentation Key to share the same SnapshotUploader process: ShareUploaderProcess (defaults to `true`).

+- Report additional telemetry when SnapshotUploader.exe exits immediately.

+- Reduced the number of support files SnapshotUploader.exe needs to write to disk.

+## [1.3.1](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.1)

+- Remove support for collecting snapshots with the RtlCloneUserProcess API and only support PssCaptureSnapshots API.

+- Increase the default limit on how many snapshot can be captured in 10 minutes from 1 to 3.

+- Allow SnapshotUploader.exe to negotiate TLS 1.1 and 1.2

+- Report additional telemetry when SnapshotUploader logs a warning or an error

+- Stop taking snapshots when the backend service reports the daily quota was reached (50 snapshots per day)

+- Add extra check in SnapshotUploader.exe to not allow two instances to run in the same time.

+## [1.3.0](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.0)

+### Changes

+- For applications targeting .NET Framework, Snapshot Collector now depends on Microsoft.ApplicationInsights version 2.3.0 or above.

+It used to be 2.2.0 or above.

+We believe this won't be an issue for most applications, but let us know if this change prevents you from using the latest Snapshot Collector.

+- Use exponential back-off delays in the Snapshot Uploader when retrying failed uploads.

+- Use ServerTelemetryChannel (if available) for more reliable reporting of telemetry.

+- Use 'SdkInternalOperationsMonitor' on the initial connection to the Snapshot Debugger service so that it's ignored by dependency tracking.

+- Improve telemetry around initial connection to the Snapshot Debugger service.

+- Report additional telemetry for:

+ - Azure App Service version.

+ - Azure compute instances.

+ - Containers.

+ - Azure Function app.

+### Bug fixes

+- When the problem counter reset interval is set to 24 days, interpret that as 24 hours.

+- Fixed a bug where the Snapshot Uploader would stop processing new snapshots if there was an exception while disposing a snapshot.

+## [1.2.3](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.2.3)

+- Fix strong-name signing with Snapshot Uploader binaries.

+## [1.2.2](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.2.2)

+### Changes

+- The files needed for SnapshotUploader(64).exe are now embedded as resources in the main DLL. That means the SnapshotCollectorFiles folder is no longer created, simplifying build and deployment and reducing clutter in Solution Explorer. Take care when upgrading to review the changes in your `.csproj` file. The `Microsoft.ApplicationInsights.SnapshotCollector.targets` file is no longer needed.

+- Telemetry is logged to your Application Insights resource even if ProvideAnonymousTelemetry is set to false. This is so we can implement a health check feature in the Azure portal. ProvideAnonymousTelemetry affects only the telemetry sent to Microsoft for product support and improvement.

+- When the TempFolder or ShadowCopyFolder are redirected to environment variables, keep the collector idle until those environment variables are set.

+- For applications that connect to the Internet via a proxy server, Snapshot Collector will now autodetect any proxy settings and pass them on to SnapshotUploader.exe.

+- Lower the priority of the SnapshotUplaoder process (where possible). This priority can be overridden via the IsLowPrioirtySnapshotUploader option.

+- Added a GetSnapshotCollector extension method on TelemetryConfiguration for scenarios where you want to configure the Snapshot Collector programmatically.

+- Set the Application Insights SDK version (instead of the application version) in customer-facing telemetry.

+- Send the first heartbeat event after two minutes.

+### Bug fixes

+- Fix NullReferenceException when exceptions have null or immutable Data dictionaries.

+- In the uploader, retry PDB matching a few times if we get a sharing violation.

+- Fix duplicate telemetry when more than one thread calls into the telemetry pipeline at startup.

+## [1.2.1](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.2.1)

+### Changes

+- XML Doc comment files are now included in the NuGet package.

+- Added an ExcludeFromSnapshotting extension method on `System.Exception` for scenarios where you know you have a noisy exception and want to avoid creating snapshots for it.

+- Added an IsEnabledWhenProfiling configuration property, defaults to true. This is a change from previous versions where snapshot creation was temporarily disabled if the Application Insights Profiler was performing a detailed collection. The old behavior can be recovered by setting this property to false.

+### Bug fixes

+- Sign SnapshotUploader64.exe properly.

+- Protect against double-initialization of the telemetry processor.

+- Prevent double logging of telemetry in apps with multiple pipelines.

+- Fix a bug with the expiration time of a collection plan, which could prevent snapshots after 24 hours.

+## [1.2.0](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.2.0)

+The biggest change in this version (hence the move to a new minor version number) is a rewrite of the snapshot creation and handling pipeline. In previous versions, this functionality was implemented in native code (ProductionBreakpoints*.dll and SnapshotHolder*.exe). The new implementation is all managed code with P/Invokes. For this first version using the new pipeline, we haven't strayed far from the original behavior. The new implementation allows for better error reporting and sets us up for future improvements.

+### Other changes in this version

+- MinidumpUploader.exe has been renamed to SnapshotUploader.exe (or SnapshotUploader64.exe).

+- Added timing telemetry to DeOptimize/ReOptimize requests.

+- Added gzip compression for minidump uploads.

+- Fixed a problem where PDBs were locked preventing site upgrade.

+- Log the original folder name (SnapshotCollectorFiles) when shadow-copying.

+- Adjust memory limits for 64-bit processes to prevent site restarts due to OOM.

+- Fix an issue where snapshots were still collected even after disabling.

+- Log heartbeat events to customer's AI resource.

+- Improve snapshot speed by removing "Source" from Problem ID.

+## [1.1.2](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.1.2)

+### Changes

+Augmented usage telemetry

+- Detect and report .NET version and OS

+- Detect and report additional Azure Environments (Cloud Service, Service Fabric)

+- Record and report exception metrics (number of 1st chance exceptions and number of TrackException calls) in Heartbeat telemetry.

+### Bug fixes

+- Correct handling of SqlException where the inner exception (Win32Exception) isn't thrown.

+- Trim trailing spaces on symbol folders, which caused an incorrect parse of command-line arguments to the MinidumpUploader.

+- Prevent infinite retry of failed connections to the Snapshot Debugger agent's endpoint.

+## [1.1.0](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.1.0)

+### Changes

+- Added host memory protection. This feature reduces the impact on the host machine's memory.

+- Improve the Azure portal snapshot viewing experience.

+ Title: Enable Snapshot Debugger for .NET apps in Azure App Service | Microsoft Docs

+description: Enable Snapshot Debugger for .NET apps in Azure App Service

+# Enable Snapshot Debugger for .NET apps in Azure App Service

+Snapshot Debugger currently supports ASP.NET and ASP.NET Core apps that are running on Azure App Service on Windows service plans.

+We recommend you run your application on the Basic service tier, or higher, when using snapshot debugger.

+For most applications, the Free and Shared service tiers don't have enough memory or disk space to save snapshots.

+## <a id="installation"></a> Enable Snapshot Debugger

+To enable Snapshot Debugger for an app, follow the instructions below.

+If you're running a different type of Azure service, here are instructions for enabling Snapshot Debugger on other supported platforms:

+* [Azure Function](snapshot-debugger-function-app.md?toc=/azure/azure-monitor/toc.json)

+* [Azure Cloud Services](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json)

+* [Azure Service Fabric services](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json)

+* [Azure Virtual Machines and virtual machine scale sets](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json)

+* [On-premises virtual or physical machines](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json)

+> [!NOTE]

+> If you're using a preview version of .NET Core, or your application references Application Insights SDK, directly or indirectly via a dependent assembly, follow the instructions for [Enable Snapshot Debugger for other environments](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json) to include the [Microsoft.ApplicationInsights.SnapshotCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) NuGet package with the application, and then complete the rest of the instructions below.

+>

+> Codeless installation of Application Insights Snapshot Debugger follows the .NET Core support policy.

+> For more information about supported runtimes, see [.NET Core Support Policy](https://dotnet.microsoft.com/platform/support/policy/dotnet-core).

+Snapshot Debugger is pre-installed as part of the App Services runtime, but you need to turn it on to get snapshots for your App Service app.

+Once you've deployed an app, follow the steps below to enable the snapshot debugger:

+1. Navigate to the Azure control panel for your App Service.

+2. Go to the **Settings > Application Insights** page.

+ 

+3. Either follow the instructions on the page to create a new resource or select an existing App Insights resource to monitor your app. Also make sure both switches for Snapshot Debugger are **On**.

+ ![Add App Insights site extension][Enablement UI]

+4. Snapshot Debugger is now enabled using an App Services App Setting.

+ ![App Setting for Snapshot Debugger][snapshot-debugger-app-setting]

+## Enable Snapshot Debugger for other clouds

+Currently the only regions that require endpoint modifications are [Azure Government](../../azure-government/compare-azure-government-global-azure.md#application-insights) and [Azure China](/azure/china/resources-developer-guide) through the Application Insights Connection String.

+|Connection String Property | US Government Cloud | China Cloud |

+|||-|

+|SnapshotEndpoint | `https://snapshot.monitor.azure.us` | `https://snapshot.monitor.azure.cn` |

+For more information about other connection overrides, see [Application Insights documentation](../app/sdk-connection-string.md?tabs=net#connection-string-with-explicit-endpoint-overrides).

+## Enable Azure Active Directory authentication for snapshot ingestion

+Application Insights Snapshot Debugger supports Azure AD authentication for snapshot ingestion. This means, for all snapshots of your application to be ingested, your application must be authenticated and provide the required application settings to the Snapshot Debugger agent.

+As of today, Snapshot Debugger only supports Azure AD authentication when you reference and configure Azure AD using the Application Insights SDK in your application.

+Below you can find all the steps required to enable Azure AD for profiles ingestion:

+1. Create and add the managed identity you want to use to authenticate against your Application Insights resource to your App Service.

+ a. For System-Assigned Managed identity, see the following [documentation](../../app-service/overview-managed-identity.md?tabs=portal%2chttp#add-a-system-assigned-identity)

+ b. For User-Assigned Managed identity, see the following [documentation](../../app-service/overview-managed-identity.md?tabs=portal%2chttp#add-a-user-assigned-identity)

+2. Configure and enable Azure AD in your Application Insights resource. For more information, see the following [documentation](../app/azure-ad-authentication.md?tabs=net#configuring-and-enabling-azure-ad-based-authentication)

+3. Add the following application setting, used to let Snapshot Debugger agent know which managed identity to use:

+For System-Assigned Identity:

+|App Setting | Value |

+||-|

+|APPLICATIONINSIGHTS_AUTHENTICATION_STRING | Authorization=AAD |

+For User-Assigned Identity:

+|App Setting | Value |

+||-|

+|APPLICATIONINSIGHTS_AUTHENTICATION_STRING | Authorization=AAD;ClientId={Client id of the User-Assigned Identity} |

+## Disable Snapshot Debugger

+Follow the same steps as for **Enable Snapshot Debugger**, but switch both switches for Snapshot Debugger to **Off**.

+We recommend you have Snapshot Debugger enabled on all your apps to ease diagnostics of application exceptions.

+## Azure Resource Manager template

+For an Azure App Service, you can set app settings within the Azure Resource Manager template to enable Snapshot Debugger and Profiler, see the below template snippet:

+```json

+{

+ "apiVersion": "2015-08-01",

+ "name": "[parameters('webSiteName')]",

+ "type": "Microsoft.Web/sites",

+ "location": "[resourceGroup().location]",

+ "dependsOn": [

+ "[variables('hostingPlanName')]"

+ ],

+ "tags": {

+ "[concat('hidden-related:', resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName')))]": "empty",

+ "displayName": "Website"

+ },

+ "properties": {

+ "name": "[parameters('webSiteName')]",

+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]"

+ },

+ "resources": [

+ {

+ "apiVersion": "2015-08-01",

+ "name": "appsettings",

+ "type": "config",

+ "dependsOn": [

+ "[parameters('webSiteName')]",

+ "[concat('AppInsights', parameters('webSiteName'))]"

+ ],

+ "properties": {

+ "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.Insights/components', concat('AppInsights', parameters('webSiteName'))), '2014-04-01').InstrumentationKey]",

+ "APPINSIGHTS_PROFILERFEATURE_VERSION": "1.0.0",

+ "APPINSIGHTS_SNAPSHOTFEATURE_VERSION": "1.0.0",

+ "DiagnosticServices_EXTENSION_VERSION": "~3",

+ "ApplicationInsightsAgent_EXTENSION_VERSION": "~2"

+ }

+ }

+ ]

+},

+```

+## Not Supported Scenarios

+Below you can find scenarios where Snapshot Collector is not supported:

+|Scenario | Side Effects | Recommendation |

+||--|-|

+|When using the Snapshot Collector SDK in your application directly (.csproj) and you have enabled the advance option "Interop".| The local Application Insights SDK (including Snapshot Collector telemetry) will be lost, therefore, no Snapshots will be available.<br /><br />Your application could crash at startup with `System.ArgumentException: telemetryProcessorTypedoes not implement ITelemetryProcessor.`<br /><br />For more information about the Application Insights feature "Interop", see the [documentation.](../app/azure-web-apps-net-core.md#troubleshooting) | If you are using the advance option "Interop", use the codeless Snapshot Collector injection (enabled thru the Azure Portal UX) |

+## Next steps

+- Generate traffic to your application that can trigger an exception. Then, wait 10 to 15 minutes for snapshots to be sent to the Application Insights instance.

+- See [snapshots](snapshot-debugger.md?toc=/azure/azure-monitor/toc.json#view-snapshots-in-the-portal) in the Azure portal.

+- For help with troubleshooting Snapshot Debugger issues, see [Snapshot Debugger troubleshooting](snapshot-debugger-troubleshoot.md?toc=/azure/azure-monitor/toc.json).

+[Enablement UI]: ./media/snapshot-debugger/enablement-ui.png

+[snapshot-debugger-app-setting]:./media/snapshot-debugger/snapshot-debugger-app-setting.png

+ Title: Enable Snapshot Debugger for .NET and .NET Core apps in Azure Functions | Microsoft Docs

+description: Enable Snapshot Debugger for .NET and .NET Core apps in Azure Functions

+# Enable Snapshot Debugger for .NET and .NET Core apps in Azure Functions

+Snapshot Debugger currently works for ASP.NET and ASP.NET Core apps that are running on Azure Functions on Windows Service Plans.

+We recommend you run your application on the Basic service tier or higher when using Snapshot Debugger.

+For most applications, the Free and Shared service tiers don't have enough memory or disk space to save snapshots.

+## Prerequisites

+* [Enable Application Insights monitoring in your Function App](../../azure-functions/configure-monitoring.md#add-to-an-existing-function-app)

+## Enable Snapshot Debugger

+If you're running a different type of Azure service, here are instructions for enabling Snapshot Debugger on other supported platforms:

+* [Azure App Service](snapshot-debugger-app-service.md?toc=/azure/azure-monitor/toc.json)

+* [Azure Cloud Services](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json)

+* [Azure Service Fabric services](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json)

+* [Azure Virtual Machines and virtual machine scale sets](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json)

+* [On-premises virtual or physical machines](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json)

+To enable Snapshot Debugger in your Function app, you have to update your `host.json` file by adding the property `snapshotConfiguration` as defined below and redeploy your function.

+```json

+{

+ "version": "2.0",

+ "logging": {

+ "applicationInsights": {

+ "snapshotConfiguration": {

+ "isEnabled": true

+ }

+ }

+ }

+}

+```

+Snapshot Debugger is pre-installed as part of the Azure Functions runtime, which by default it's disabled.

+Since Snapshot Debugger it's included in the Azure Functions runtime, it isn't needed to add extra NuGet packages nor application settings.

+Just as reference, for a simple Function app (.NET Core), below is how it will look the `.csproj`, `{Your}Function.cs`, and `host.json` after enabled Snapshot Debugger on it.

+Project csproj

+```xml

+<Project Sdk="Microsoft.NET.Sdk">

+<PropertyGroup>

+ <TargetFramework>netcoreapp2.1</TargetFramework>

+ <AzureFunctionsVersion>v2</AzureFunctionsVersion>

+</PropertyGroup>

+<ItemGroup>

+ <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="1.0.31" />

+</ItemGroup>

+<ItemGroup>

+ <None Update="host.json">

+ <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>

+ </None>

+ <None Update="local.settings.json">

+ <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>

+ <CopyToPublishDirectory>Never</CopyToPublishDirectory>

+ </None>

+</ItemGroup>

+</Project>

+```

+Function class

+```csharp

+using System;

+using System.Threading.Tasks;

+using Microsoft.AspNetCore.Mvc;

+using Microsoft.Azure.WebJobs;

+using Microsoft.Azure.WebJobs.Extensions.Http;

+using Microsoft.AspNetCore.Http;

+using Microsoft.Extensions.Logging;

+namespace SnapshotCollectorAzureFunction

+{

+ public static class ExceptionFunction

+ {

+ [FunctionName("ExceptionFunction")]

+ public static Task<IActionResult> Run(

+ [HttpTrigger(AuthorizationLevel.Function, "get", Route = null)] HttpRequest req,

+ ILogger log)

+ {

+ log.LogInformation("C# HTTP trigger function processed a request.");

+ throw new NotImplementedException("Dummy");

+ }

+ }

+}

+```

+Host file

+```json

+{

+ "version": "2.0",

+ "logging": {

+ "applicationInsights": {

+ "samplingExcludedTypes": "Request",

+ "samplingSettings": {

+ "isEnabled": true

+ },

+ "snapshotConfiguration": {

+ "isEnabled": true

+ }

+ }

+ }

+}

+```

+## Enable Snapshot Debugger for other clouds

+Currently the only regions that require endpoint modifications are [Azure Government](../../azure-government/compare-azure-government-global-azure.md#application-insights) and [Azure China](/azure/china/resources-developer-guide).

+Below is an example of the `host.json` updated with the US Government Cloud agent endpoint:

+```json

+{

+ "version": "2.0",

+ "logging": {

+ "applicationInsights": {

+ "samplingExcludedTypes": "Request",

+ "samplingSettings": {

+ "isEnabled": true

+ },

+ "snapshotConfiguration": {

+ "isEnabled": true,

+ "agentEndpoint": "https://snapshot.monitor.azure.us"

+ }

+ }

+ }

+}

+```

+Below are the supported overrides of the Snapshot Debugger agent endpoint:

+|Property | US Government Cloud | China Cloud |

+|||-|

+|AgentEndpoint | `https://snapshot.monitor.azure.us` | `https://snapshot.monitor.azure.cn` |

+## Disable Snapshot Debugger

+To disable Snapshot Debugger in your Function app, you just need to update your `host.json` file by setting to `false` the property `snapshotConfiguration.isEnabled`.

+```json

+{

+ "version": "2.0",

+ "logging": {

+ "applicationInsights": {

+ "snapshotConfiguration": {

+ "isEnabled": false

+ }

+ }

+ }

+}

+```

+We recommend you have Snapshot Debugger enabled on all your apps to ease diagnostics of application exceptions.

+## Next steps

+- Generate traffic to your application that can trigger an exception. Then, wait 10 to 15 minutes for snapshots to be sent to the Application Insights instance.

+- [View snapshots](snapshot-debugger.md?toc=/azure/azure-monitor/toc.json#view-snapshots-in-the-portal) in the Azure portal.

+- Customize Snapshot Debugger configuration based on your use-case on your Function app. For more info, see [snapshot configuration in host.json](../../azure-functions/functions-host-json.md#applicationinsightssnapshotconfiguration).

+- For help with troubleshooting Snapshot Debugger issues, see [Snapshot Debugger troubleshooting](snapshot-debugger-troubleshoot.md?toc=/azure/azure-monitor/toc.json).

+ Title: Troubleshoot Azure Application Insights Snapshot Debugger

+description: This article presents troubleshooting steps and information to help developers enable and use Application Insights Snapshot Debugger.

+# <a id="troubleshooting"></a> Troubleshoot problems enabling Application Insights Snapshot Debugger or viewing snapshots

+If you enabled Application Insights Snapshot Debugger for your application, but aren't seeing snapshots for exceptions, you can use these instructions to troubleshoot.

+There can be many different reasons why snapshots aren't generated. You can start by running the snapshot health check to identify some of the possible common causes.

+## Not Supported Scenarios

+Below you can find scenarios where Snapshot Collector is not supported:

+|Scenario | Side Effects | Recommendation |

+||--|-|

+|When using the Snapshot Collector SDK in your application directly (.csproj) and you have enabled the advance option "Interop".| The local Application Insights SDK (including Snapshot Collector telemetry) will be lost, therefore, no Snapshots will be available.<br /><br />Your application could crash at startup with `System.ArgumentException: telemetryProcessorTypedoes not implement ITelemetryProcessor.`<br /><br />For more information about the Application Insights feature "Interop", see the [documentation.](../app/azure-web-apps-net-core.md#troubleshooting) | If you are using the advance option "Interop", use the codeless Snapshot Collector injection (enabled thru the Azure Portal UX) |

+## Make sure you're using the appropriate Snapshot Debugger Endpoint

+Currently the only regions that require endpoint modifications are [Azure Government](../../azure-government/compare-azure-government-global-azure.md#application-insights) and [Azure China](/azure/china/resources-developer-guide).

+For App Service and applications using the Application Insights SDK, you have to update the connection string using the supported overrides for Snapshot Debugger as defined below:

+|Connection String Property | US Government Cloud | China Cloud |

+|||-|

+|SnapshotEndpoint | `https://snapshot.monitor.azure.us` | `https://snapshot.monitor.azure.cn` |

+For more information about other connection overrides, see [Application Insights documentation](../app/sdk-connection-string.md?tabs=net#connection-string-with-explicit-endpoint-overrides).

+For Function App, you have to update the `host.json` using the supported overrides below:

+|Property | US Government Cloud | China Cloud |

+|||-|

+|AgentEndpoint | `https://snapshot.monitor.azure.us` | `https://snapshot.monitor.azure.cn` |

+Below is an example of the `host.json` updated with the US Government Cloud agent endpoint:

+```json

+{

+ "version": "2.0",

+ "logging": {

+ "applicationInsights": {

+ "samplingExcludedTypes": "Request",

+ "samplingSettings": {

+ "isEnabled": true

+ },

+ "snapshotConfiguration": {

+ "isEnabled": true,

+ "agentEndpoint": "https://snapshot.monitor.azure.us"

+ }

+ }

+ }

+}

+```

+## Use the snapshot health check

+Several common problems result in the Open Debug Snapshot not showing up. Using an outdated Snapshot Collector, for example; reaching the daily upload limit; or perhaps the snapshot is just taking a long time to upload. Use the Snapshot Health Check to troubleshoot common problems.

+There's a link in the exception pane of the end-to-end trace view that takes you to the Snapshot Health Check.

+

+The interactive, chat-like interface looks for common problems and guides you to fix them.

+

+If that doesn't solve the problem, then refer to the following manual troubleshooting steps.

+## Verify the instrumentation key

+Make sure you're using the correct instrumentation key in your published application. Usually, the instrumentation key is read from the ApplicationInsights.config file. Verify the value is the same as the instrumentation key for the Application Insights resource that you see in the portal.

+## <a id="SSL"></a>Check TLS/SSL client settings (ASP.NET)

+If you have an ASP.NET application that it is hosted in Azure App Service or in IIS on a virtual machine, your application could fail to connect to the Snapshot Debugger service due to a missing SSL security protocol.

+[The Snapshot Debugger endpoint requires TLS version 1.2](snapshot-debugger-upgrade.md?toc=/azure/azure-monitor/toc.json). The set of SSL security protocols is one of the quirks enabled by the httpRuntime targetFramework value in the system.web section of web.config.

+If the httpRuntime targetFramework is 4.5.2 or lower, then TLS 1.2 isn't included by default.

+> [!NOTE]

+> The httpRuntime targetFramework value is independent of the target framework used when building your application.

+To check the setting, open your web.config file and find the system.web section. Ensure that the `targetFramework` for `httpRuntime` is set to 4.6 or above.

+ ```xml

+ <system.web>

+ ...

+ <httpRuntime targetFramework="4.7.2" />

+ ...

+ </system.web>

+ ```

+> [!NOTE]

+> Modifying the httpRuntime targetFramework value changes the runtime quirks applied to your application and can cause other, subtle behavior changes. Be sure to test your application thoroughly after making this change. For a full list of compatibility changes, see [Retargeting changes](/dotnet/framework/migration-guide/application-compatibility#retargeting-changes).

+> [!NOTE]

+> If the targetFramework is 4.7 or above then Windows determines the available protocols. In Azure App Service, TLS 1.2 is available. However, if you are using your own virtual machine, you may need to enable TLS 1.2 in the OS.

+## Preview Versions of .NET Core

+If you're using a preview version of .NET Core or your application references Application Insights SDK, directly or indirectly via a dependent assembly, follow the instructions for [Enable Snapshot Debugger for other environments](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json).

+## Check the Diagnostic Services site extension' Status Page

+If Snapshot Debugger was enabled through the [Application Insights pane](snapshot-debugger-app-service.md?toc=/azure/azure-monitor/toc.json) in the portal, it was enabled by the Diagnostic Services site extension.

+> [!NOTE]

+> Codeless installation of Application Insights Snapshot Debugger follows the .NET Core support policy.

+> For more information about supported runtimes, see [.NET Core Support Policy](https://dotnet.microsoft.com/platform/support/policy/dotnet-core).

+You can check the Status Page of this extension by going to the following url:

+`https://{site-name}.scm.azurewebsites.net/DiagnosticServices`

+> [!NOTE]

+> The domain of the Status Page link will vary depending on the cloud.

+This domain will be the same as the Kudu management site for App Service.

+This Status Page shows the installation state of the Profiler and Snapshot Collector agents. If there was an unexpected error, it will be displayed and show how to fix it.

+You can use the Kudu management site for App Service to get the base url of this Status Page:

+1. Open your App Service application in the Azure portal.

+2. Select **Advanced Tools**, or search for **Kudu**.

+3. Select **Go**.

+4. Once you are on the Kudu management site, in the URL, **append the following `/DiagnosticServices` and press enter**.

+ It will end like this: `https://<kudu-url>/DiagnosticServices`

+## Upgrade to the latest version of the NuGet package

+Based on how Snapshot Debugger was enabled, see the following options:

+* If Snapshot Debugger was enabled through the [Application Insights pane in the portal](snapshot-debugger-app-service.md?toc=/azure/azure-monitor/toc.json), then your application should already be running the latest NuGet package.

+* If Snapshot Debugger was enabled by including the [Microsoft.ApplicationInsights.SnapshotCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) NuGet package, use Visual Studio's NuGet Package Manager to make sure you're using the latest version of Microsoft.ApplicationInsights.SnapshotCollector.

+For the latest updates and bug fixes [consult the release notes](./snapshot-collector-release-notes.md).

+## Check the uploader logs

+After a snapshot is created, a minidump file (.dmp) is created on disk. A separate uploader process creates that minidump file and uploads it, along with any associated PDBs, to Application Insights Snapshot Debugger storage. After the minidump has uploaded successfully, it's deleted from disk. The log files for the uploader process are kept on disk. In an App Service environment, you can find these logs in `D:\Home\LogFiles`. Use the Kudu management site for App Service to find these log files.

+1. Open your App Service application in the Azure portal.

+2. Select **Advanced Tools**, or search for **Kudu**.

+3. Select **Go**.

+4. In the **Debug console** drop-down list box, select **CMD**.

+5. Select **LogFiles**.

+You should see at least one file with a name that begins with `Uploader_` or `SnapshotUploader_` and a `.log` extension. Select the appropriate icon to download any log files or open them in a browser.

+The file name includes a unique suffix that identifies the App Service instance. If your App Service instance is hosted on more than one machine, there are separate log files for each machine. When the uploader detects a new minidump file, it's recorded in the log file. Here's an example of a successful snapshot and upload:

+```

+SnapshotUploader.exe Information: 0 : Received Fork request ID 139e411a23934dc0b9ea08a626db16c5 from process 6368 (Low pri)

+ DateTime=2018-03-09T01:42:41.8571711Z

+SnapshotUploader.exe Information: 0 : Creating minidump from Fork request ID 139e411a23934dc0b9ea08a626db16c5 from process 6368 (Low pri)

+ DateTime=2018-03-09T01:42:41.8571711Z

+SnapshotUploader.exe Information: 0 : Dump placeholder file created: 139e411a23934dc0b9ea08a626db16c5.dm_

+ DateTime=2018-03-09T01:42:41.8728496Z

+SnapshotUploader.exe Information: 0 : Dump available 139e411a23934dc0b9ea08a626db16c5.dmp

+ DateTime=2018-03-09T01:42:45.7525022Z

+SnapshotUploader.exe Information: 0 : Successfully wrote minidump to D:\local\Temp\Dumps\c12a605e73c44346a984e00000000000\139e411a23934dc0b9ea08a626db16c5.dmp

+ DateTime=2018-03-09T01:42:45.7681360Z

+SnapshotUploader.exe Information: 0 : Uploading D:\local\Temp\Dumps\c12a605e73c44346a984e00000000000\139e411a23934dc0b9ea08a626db16c5.dmp, 214.42 MB (uncompressed)

+ DateTime=2018-03-09T01:42:45.7681360Z

+SnapshotUploader.exe Information: 0 : Upload successful. Compressed size 86.56 MB

+ DateTime=2018-03-09T01:42:59.6184651Z

+SnapshotUploader.exe Information: 0 : Extracting PDB info from D:\local\Temp\Dumps\c12a605e73c44346a984e00000000000\139e411a23934dc0b9ea08a626db16c5.dmp.

+ DateTime=2018-03-09T01:42:59.6184651Z

+SnapshotUploader.exe Information: 0 : Matched 2 PDB(s) with local files.

+ DateTime=2018-03-09T01:42:59.6809606Z

+SnapshotUploader.exe Information: 0 : Stamp does not want any of our matched PDBs.

+ DateTime=2018-03-09T01:42:59.8059929Z

+SnapshotUploader.exe Information: 0 : Deleted D:\local\Temp\Dumps\c12a605e73c44346a984e00000000000\139e411a23934dc0b9ea08a626db16c5.dmp

+ DateTime=2018-03-09T01:42:59.8530649Z

+```

+> [!NOTE]

+> The example above is from version 1.2.0 of the Microsoft.ApplicationInsights.SnapshotCollector NuGet package. In earlier versions, the uploader process is called `MinidumpUploader.exe` and the log is less detailed.

+In the previous example, the instrumentation key is `c12a605e73c44346a984e00000000000`. This value should match the instrumentation key for your application.

+The minidump is associated with a snapshot with the ID `139e411a23934dc0b9ea08a626db16c5`. You can use this ID later to locate the associated exception record in Application Insights Analytics.

+The uploader scans for new PDBs about once every 15 minutes. Here's an example:

+```

+SnapshotUploader.exe Information: 0 : PDB rescan requested.

+ DateTime=2018-03-09T01:47:19.4457768Z

+SnapshotUploader.exe Information: 0 : Scanning D:\home\site\wwwroot for local PDBs.

+ DateTime=2018-03-09T01:47:19.4457768Z

+SnapshotUploader.exe Information: 0 : Local PDB scan complete. Found 2 PDB(s).

+ DateTime=2018-03-09T01:47:19.4614027Z

+SnapshotUploader.exe Information: 0 : Deleted PDB scan marker : D:\local\Temp\Dumps\c12a605e73c44346a984e00000000000\6368.pdbscan

+ DateTime=2018-03-09T01:47:19.4614027Z

+```

+For applications that _aren't_ hosted in App Service, the uploader logs are in the same folder as the minidumps: `%TEMP%\Dumps\<ikey>` (where `<ikey>` is your instrumentation key).

+## Troubleshooting Cloud Services

+In Cloud Services, the default temporary folder could be too small to hold the minidump files, leading to lost snapshots.

+The space needed depends on the total working set of your application and the number of concurrent snapshots.

+The working set of a 32-bit ASP.NET web role is typically between 200 MB and 500 MB. Allow for at least two concurrent snapshots.

+For example, if your application uses 1 GB of total working set, you should make sure there is at least 2 GB of disk space to store snapshots.

+Follow these steps to configure your Cloud Service role with a dedicated local resource for snapshots.

+1. Add a new local resource to your Cloud Service by editing the Cloud Service definition (.csdef) file. The following example defines a resource called `SnapshotStore` with a size of 5 GB.

+ ```xml

+ <LocalResources>

+ <LocalStorage name="SnapshotStore" cleanOnRoleRecycle="false" sizeInMB="5120" />

+ </LocalResources>

+ ```

+2. Modify your role's startup code to add an environment variable that points to the `SnapshotStore` local resource. For Worker Roles, the code should be added to your role's `OnStart` method:

+ ```csharp

+ public override bool OnStart()

+ {

+ Environment.SetEnvironmentVariable("SNAPSHOTSTORE", RoleEnvironment.GetLocalResource("SnapshotStore").RootPath);

+ return base.OnStart();

+ }

+ ```

+ For Web Roles (ASP.NET), the code should be added to your web application's `Application_Start` method:

+ ```csharp

+ using Microsoft.WindowsAzure.ServiceRuntime;

+ using System;

+ namespace MyWebRoleApp

+ {

+ public class MyMvcApplication : System.Web.HttpApplication

+ {

+ protected void Application_Start()

+ {

+ Environment.SetEnvironmentVariable("SNAPSHOTSTORE", RoleEnvironment.GetLocalResource("SnapshotStore").RootPath);

+ // TODO: The rest of your application startup code

+ }

+ }

+ }

+ ```

+3. Update your role's ApplicationInsights.config file to override the temporary folder location used by `SnapshotCollector`

+ ```xml

+ <TelemetryProcessors>

+ <Add Type="Microsoft.ApplicationInsights.SnapshotCollector.SnapshotCollectorTelemetryProcessor, Microsoft.ApplicationInsights.SnapshotCollector">

+ <!-- Use the SnapshotStore local resource for snapshots -->

+ <TempFolder>%SNAPSHOTSTORE%</TempFolder>

+ <!-- Other SnapshotCollector configuration options -->

+ </Add>

+ </TelemetryProcessors>

+ ```

+## Overriding the Shadow Copy folder

+When the Snapshot Collector starts up, it tries to find a folder on disk that is suitable for running the Snapshot Uploader process. The chosen folder is known as the Shadow Copy folder.

+The Snapshot Collector checks a few well-known locations, making sure it has permissions to copy the Snapshot Uploader binaries. The following environment variables are used:

+- Fabric_Folder_App_Temp

+- LOCALAPPDATA

+- APPDATA

+- TEMP

+If a suitable folder can't be found, Snapshot Collector reports an error saying _"Couldn't find a suitable shadow copy folder."_

+If the copy fails, Snapshot Collector reports a `ShadowCopyFailed` error.

+If the uploader can't be launched, Snapshot Collector reports an `UploaderCannotStartFromShadowCopy` error. The body of the message often contains `System.UnauthorizedAccessException`. This error usually occurs because the application is running under an account with reduced permissions. The account has permission to write to the shadow copy folder, but it doesn't have permission to execute code.

+Since these errors usually happen during startup, they'll usually be followed by an `ExceptionDuringConnect` error saying _"Uploader failed to start."_

+To work around these errors, you can specify the shadow copy folder manually via the `ShadowCopyFolder` configuration option. For example, using ApplicationInsights.config:

+ ```xml

+ <TelemetryProcessors>

+ <Add Type="Microsoft.ApplicationInsights.SnapshotCollector.SnapshotCollectorTelemetryProcessor, Microsoft.ApplicationInsights.SnapshotCollector">

+ <!-- Override the default shadow copy folder. -->

+ <ShadowCopyFolder>D:\SnapshotUploader</ShadowCopyFolder>

+ <!-- Other SnapshotCollector configuration options -->

+ </Add>

+ </TelemetryProcessors>

+ ```

+Or, if you're using appsettings.json with a .NET Core application:

+ ```json

+ {

+ "ApplicationInsights": {

+ "InstrumentationKey": "<your instrumentation key>"

+ },

+ "SnapshotCollectorConfiguration": {

+ "ShadowCopyFolder": "D:\\SnapshotUploader"

+ }

+ }

+ ```

+## Use Application Insights search to find exceptions with snapshots

+When a snapshot is created, the throwing exception is tagged with a snapshot ID. That snapshot ID is included as a custom property when the exception is reported to Application Insights. Using **Search** in Application Insights, you can find all records with the `ai.snapshot.id` custom property.

+1. Browse to your Application Insights resource in the Azure portal.

+2. Select **Search**.

+3. Type `ai.snapshot.id` in the Search text box and press Enter.

+

+If this search returns no results, then, no snapshots were reported to Application Insights in the selected time range.

+To search for a specific snapshot ID from the Uploader logs, type that ID in the Search box. If you can't find records for a snapshot that you know was uploaded, follow these steps:

+1. Double-check that you're looking at the right Application Insights resource by verifying the instrumentation key.

+2. Using the timestamp from the Uploader log, adjust the Time Range filter of the search to cover that time range.

+If you still don't see an exception with that snapshot ID, then the exception record wasn't reported to Application Insights. This situation can happen if your application crashed after it took the snapshot but before it reported the exception record. In this case, check the App Service logs under `Diagnose and solve problems` to see if there were unexpected restarts or unhandled exceptions.

+## Edit network proxy or firewall rules

+If your application connects to the Internet via a proxy or a firewall, you may need to update the rules to communicate with the Snapshot Debugger service.

+The IPs used by Application Insights Snapshot Debugger are included in the Azure Monitor service tag. For more information, see [Service Tags documentation](../../virtual-network/service-tags-overview.md).

+ Title: Upgrading Azure Application Insights Snapshot Debugger

+description: How to upgrade Snapshot Debugger for .NET apps to the latest version on Azure App Services, or via Nuget packages

+# Upgrading the Snapshot Debugger

+To provide the best possible security for your data, Microsoft is moving away from TLS 1.0 and TLS 1.1, which have been shown to be vulnerable to determined attackers. If you're using an older version of the site extension, it will require an upgrade to continue working. This document outlines the steps needed to upgrade your Snapshot debugger to the latest version.

+There are two primary upgrade paths depending on if you enabled the Snapshot Debugger using a site extension or if you used an SDK/Nuget added to your application. Both upgrade paths are discussed below.

+## Upgrading the site extension

+> [!IMPORTANT]

+> Older versions of Application Insights used a private site extension called _Application Insights extension for Azure App Service_. The current Application Insights experience is enabled by setting App Settings to light up a pre-installed site extension.

+> To avoid conflicts, which may cause your site to stop working, it is important to delete the private site extension first. See step 4 below.

+If you enabled the Snapshot debugger using the site extension, you can upgrade using the following procedure:

+1. Sign in to the Azure portal.

+2. Navigate to your resource that has Application Insights and Snapshot debugger enabled. For example, for a Web App, navigate to the App Service resource:

+ 

+3. Once you've navigated to your resource, click on the Extensions blade and wait for the list of extensions to populate:

+ 

+4. If any version of _Application Insights extension for Azure App Service_ is installed, then select it and click Delete. Confirm **Yes** to delete the extension and wait for the delete to complete before moving to the next step.

+ 

+5. Go to the Overview blade of your resource and click on Application Insights:

+ 

+6. If this is the first time you've viewed the Application Insights blade for this App Service, you'll be prompted to turn on Application Insights. Select **Turn on Application Insights**.

+

+ 

+7. The current Application Insights settings are displayed. Unless you want to take the opportunity to change your settings, you can leave them as is. The **Apply** button on the bottom of the blade isn't enabled by default and you'll have to toggle one of the settings to activate the button. You donΓÇÖt have to change any actual settings, rather you can change the setting and then immediately change it back. We recommend toggling the Profiler setting and then selecting **Apply**.

+ 

+8. Once you click **Apply**, you'll be asked to confirm the changes.

+ > [!NOTE]

+ > The site will be restarted as part of the upgrade process.

+ 

+9. Click **Yes** to apply the changes and wait for the process to complete.

+The site has now been upgraded and is ready to use.

+## Upgrading Snapshot Debugger using SDK/Nuget

+If the application is using a version of `Microsoft.ApplicationInsights.SnapshotCollector` below version 1.3.1, it will need to be upgraded to a [newer version](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) to continue working.

+ Title: Enable Snapshot Debugger for .NET apps in Azure Service Fabric, Cloud Service, and Virtual Machines | Microsoft Docs

+description: Enable Snapshot Debugger for .NET apps in Azure Service Fabric, Cloud Service, and Virtual Machines

+# Enable Snapshot Debugger for .NET apps in Azure Service Fabric, Cloud Service, and Virtual Machines

+If your ASP.NET or ASP.NET core application runs in Azure App Service, it's highly recommended to [enable Snapshot Debugger through the Application Insights portal page](snapshot-debugger-app-service.md?toc=/azure/azure-monitor/toc.json). However, if your application requires a customized Snapshot Debugger configuration, or a preview version of .NET core, then this instruction should be followed ***in addition*** to the instructions for [enabling through the Application Insights portal page](snapshot-debugger-app-service.md?toc=/azure/azure-monitor/toc.json).

+If your application runs in Azure Service Fabric, Cloud Service, Virtual Machines, or on-premises machines, the following instructions should be used.

+## Configure snapshot collection for ASP.NET applications

+1. [Enable Application Insights in your web app](../app/asp-net.md), if you haven't done it yet.

+2. Include the [Microsoft.ApplicationInsights.SnapshotCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) NuGet package in your app.

+3. If needed, customized the Snapshot Debugger configuration added to [ApplicationInsights.config](../app/configuration-with-applicationinsights-config.md). The default Snapshot Debugger configuration is mostly empty and all settings are optional. Here is an example showing a configuration equivalent to the default configuration:

+ ```xml

+ <TelemetryProcessors>

+ <Add Type="Microsoft.ApplicationInsights.SnapshotCollector.SnapshotCollectorTelemetryProcessor, Microsoft.ApplicationInsights.SnapshotCollector">

+ <!-- The default is true, but you can disable Snapshot Debugging by setting it to false -->

+ <IsEnabled>true</IsEnabled>

+ <!-- Snapshot Debugging is usually disabled in developer mode, but you can enable it by setting this to true. -->

+ <!-- DeveloperMode is a property on the active TelemetryChannel. -->

+ <IsEnabledInDeveloperMode>false</IsEnabledInDeveloperMode>

+ <!-- How many times we need to see an exception before we ask for snapshots. -->

+ <ThresholdForSnapshotting>1</ThresholdForSnapshotting>

+ <!-- The maximum number of examples we create for a single problem. -->

+ <MaximumSnapshotsRequired>3</MaximumSnapshotsRequired>

+ <!-- The maximum number of problems that we can be tracking at any time. -->

+ <MaximumCollectionPlanSize>50</MaximumCollectionPlanSize>

+ <!-- How often we reconnect to the stamp. The default value is 15 minutes.-->

+ <ReconnectInterval>00:15:00</ReconnectInterval>

+ <!-- How often to reset problem counters. -->

+ <ProblemCounterResetInterval>1.00:00:00</ProblemCounterResetInterval>

+ <!-- The maximum number of snapshots allowed in ten minutes.The default value is 1. -->

+ <SnapshotsPerTenMinutesLimit>3</SnapshotsPerTenMinutesLimit>

+ <!-- The maximum number of snapshots allowed per day. -->

+ <SnapshotsPerDayLimit>30</SnapshotsPerDayLimit>

+ <!-- Whether or not to collect snapshot in low IO priority thread. The default value is true. -->

+ <SnapshotInLowPriorityThread>true</SnapshotInLowPriorityThread>

+ <!-- Agree to send anonymous data to Microsoft to make this product better. -->

+ <ProvideAnonymousTelemetry>true</ProvideAnonymousTelemetry>

+ <!-- The limit on the number of failed requests to request snapshots before the telemetry processor is disabled. -->

+ <FailedRequestLimit>3</FailedRequestLimit>

+ </Add>

+ </TelemetryProcessors>

+ ```

+4. Snapshots are collected only on exceptions that are reported to Application Insights. In some cases (for example, older versions of the .NET platform), you might need to [configure exception collection](../app/asp-net-exceptions.md#exceptions) to see exceptions with snapshots in the portal.

+## Configure snapshot collection for applications using ASP.NET Core LTS or above

+1. [Enable Application Insights in your ASP.NET Core web app](../app/asp-net-core.md), if you haven't done it yet.

+ > [!NOTE]

+ > Be sure that your application references version 2.1.1, or newer, of the Microsoft.ApplicationInsights.AspNetCore package.

+2. Include the [Microsoft.ApplicationInsights.SnapshotCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) NuGet package in your app.

+3. Modify your application's `Startup` class to add and configure the Snapshot Collector's telemetry processor.

+ 1. If [Microsoft.ApplicationInsights.SnapshotCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) NuGet package version 1.3.5 or above is used, then add the following using statements to `Startup.cs`.

+ ```csharp

+ using Microsoft.ApplicationInsights.SnapshotCollector;

+ ```

+ Add the following at the end of the ConfigureServices method in the `Startup` class in `Startup.cs`.

+ ```csharp

+ services.AddSnapshotCollector((configuration) => Configuration.Bind(nameof(SnapshotCollectorConfiguration), configuration));

+ ```

+ 2. If [Microsoft.ApplicationInsights.SnapshotCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) NuGet package version 1.3.4 or below is used, then add the following using statements to `Startup.cs`.

+ ```csharp

+ using Microsoft.ApplicationInsights.SnapshotCollector;

+ using Microsoft.Extensions.Options;

+ using Microsoft.ApplicationInsights.AspNetCore;

+ using Microsoft.ApplicationInsights.Extensibility;

+ ```

+ Add the following `SnapshotCollectorTelemetryProcessorFactory` class to `Startup` class.

+ ```csharp

+ class Startup

+ {

+ private class SnapshotCollectorTelemetryProcessorFactory : ITelemetryProcessorFactory

+ {

+ private readonly IServiceProvider _serviceProvider;

+ public SnapshotCollectorTelemetryProcessorFactory(IServiceProvider serviceProvider) =>

+ _serviceProvider = serviceProvider;

+ public ITelemetryProcessor Create(ITelemetryProcessor next)

+ {

+ var snapshotConfigurationOptions = _serviceProvider.GetService<IOptions<SnapshotCollectorConfiguration>>();

+ return new SnapshotCollectorTelemetryProcessor(next, configuration: snapshotConfigurationOptions.Value);

+ }

+ }

+ ...

+ ```

+ Add the `SnapshotCollectorConfiguration` and `SnapshotCollectorTelemetryProcessorFactory` services to the startup pipeline:

+ ```csharp

+ // This method gets called by the runtime. Use this method to add services to the container.

+ public void ConfigureServices(IServiceCollection services)

+ {

+ // Configure SnapshotCollector from application settings

+ services.Configure<SnapshotCollectorConfiguration>(Configuration.GetSection(nameof(SnapshotCollectorConfiguration)));

+ // Add SnapshotCollector telemetry processor.

+ services.AddSingleton<ITelemetryProcessorFactory>(sp => new SnapshotCollectorTelemetryProcessorFactory(sp));

+ // TODO: Add other services your application needs here.

+ }

+ }

+ ```

+4. If needed, customized the Snapshot Debugger configuration by adding a SnapshotCollectorConfiguration section to appsettings.json. All settings in the Snapshot Debugger configuration are optional. Here is an example showing a configuration equivalent to the default configuration:

+ ```json

+ {

+ "SnapshotCollectorConfiguration": {

+ "IsEnabledInDeveloperMode": false,

+ "ThresholdForSnapshotting": 1,

+ "MaximumSnapshotsRequired": 3,

+ "MaximumCollectionPlanSize": 50,

+ "ReconnectInterval": "00:15:00",

+ "ProblemCounterResetInterval":"1.00:00:00",

+ "SnapshotsPerTenMinutesLimit": 1,

+ "SnapshotsPerDayLimit": 30,

+ "SnapshotInLowPriorityThread": true,

+ "ProvideAnonymousTelemetry": true,

+ "FailedRequestLimit": 3

+ }

+ }

+ ```

+## Configure snapshot collection for other .NET applications

+1. If your application isn't already instrumented with Application Insights, get started by [enabling Application Insights and setting the instrumentation key](../app/windows-desktop.md).

+2. Add the [Microsoft.ApplicationInsights.SnapshotCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) NuGet package in your app.

+3. Snapshots are collected only on exceptions that are reported to Application Insights. You may need to modify your code to report them. The exception handling code depends on the structure of your application, but an example is below:

+ ```csharp

+ TelemetryClient _telemetryClient = new TelemetryClient();

+ void ExampleRequest()

+ {

+ try

+ {

+ // TODO: Handle the request.

+ }

+ catch (Exception ex)

+ {

+ // Report the exception to Application Insights.

+ _telemetryClient.TrackException(ex);

+ // TODO: Rethrow the exception if desired.

+ }

+ }

+ ```

+## Next steps

+- Generate traffic to your application that can trigger an exception. Then, wait 10 to 15 minutes for snapshots to be sent to the Application Insights instance.

+- See [snapshots](snapshot-debugger.md?toc=/azure/azure-monitor/toc.json#view-snapshots-in-the-portal) in the Azure portal.

+- For help with troubleshooting Snapshot Debugger issues, see [Snapshot Debugger troubleshooting](snapshot-debugger-troubleshoot.md?toc=/azure/azure-monitor/toc.json).

+ Title: Azure Application Insights Snapshot Debugger for .NET apps

+description: Debug snapshots are automatically collected when exceptions are thrown in production .NET apps

+# Debug snapshots on exceptions in .NET apps

+When an exception occurs, you can automatically collect a debug snapshot from your live web application. The snapshot shows the state of source code and variables at the moment the exception was thrown. The Snapshot Debugger in [Azure Application Insights](../app/app-insights-overview.md) monitors exception telemetry from your web app. It collects snapshots on your top-throwing exceptions so that you have the information you need to diagnose issues in production. Include the [Snapshot collector NuGet package](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) in your application, and optionally configure collection parameters in [ApplicationInsights.config](../app/configuration-with-applicationinsights-config.md). Snapshots appear on [exceptions](../app/asp-net-exceptions.md) in the Application Insights portal.

+You can view debug snapshots in the portal to see the call stack and inspect variables at each call stack frame. To get a more powerful debugging experience with source code, open snapshots with Visual Studio 2019 Enterprise. In Visual Studio, you can also [set Snappoints to interactively take snapshots](/visualstudio/debugger/debug-live-azure-applications) without waiting for an exception.

+Debug snapshots are stored for 15 days. This retention policy is set on a per-application basis. If you need to increase this value, you can request an increase by opening a support case in the Azure portal.

+## Enable Application Insights Snapshot Debugger for your application

+Snapshot collection is available for:

+* .NET Framework and ASP.NET applications running .NET Framework [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) or later.

+* .NET Core and ASP.NET Core applications running .NET Core [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) on Windows.

+* .NET [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) applications on Windows.

+We don't recommend using .NET Core versions prior to LTS since they're out of support.

+The following environments are supported:

+* [Azure App Service](snapshot-debugger-app-service.md?toc=/azure/azure-monitor/toc.json)

+* [Azure Function](snapshot-debugger-function-app.md?toc=/azure/azure-monitor/toc.json)

+* [Azure Cloud Services](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json) running OS family 4 or later

+* [Azure Service Fabric services](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json) running on Windows Server 2012 R2 or later

+* [Azure Virtual Machines and virtual machine scale sets](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json) running Windows Server 2012 R2 or later

+* [On-premises virtual or physical machines](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json) running Windows Server 2012 R2 or later or Windows 8.1 or later

+> [!NOTE]

+> Client applications (for example, WPF, Windows Forms or UWP) are not supported.

+If you've enabled Snapshot Debugger but aren't seeing snapshots, check our [Troubleshooting guide](snapshot-debugger-troubleshoot.md?toc=/azure/azure-monitor/toc.json).

+## Grant permissions

+Access to snapshots is protected by Azure role-based access control (Azure RBAC). To inspect a snapshot, you must first be added to the necessary role by a subscription owner.

+> [!NOTE]

+> Owners and contributors do not automatically have this role. If they want to view snapshots, they must add themselves to the role.

+Subscription owners should assign the `Application Insights Snapshot Debugger` role to users who will inspect snapshots. This role can be assigned to individual users or groups by subscription owners for the target Application Insights resource or its resource group or subscription.

+1. Assign the Debugger role to the **Application Insights Snapshot**.

+ For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

+> [!IMPORTANT]

+> Please note that snapshots may contain personal data or other sensitive information in variable and parameter values. Snapshot data is stored in the same region as your App Insights resource.

+## View Snapshots in the Portal

+After an exception has occurred in your application and a snapshot has been created, you should have snapshots to view. It can take 5 to 10 minutes from an exception occurring to a snapshot ready and viewable from the portal. To view snapshots, in the **Failure** pane, select the **Operations** button when viewing the **Operations** tab, or select the **Exceptions** button when viewing the **Exceptions** tab:

+

+Select an operation or exception in the right pane to open the **End-to-End Transaction Details** pane, then select the exception event. If a snapshot is available for the given exception, an **Open Debug Snapshot** button appears on the right pane with details for the [exception](../app/asp-net-exceptions.md).

+

+In the Debug Snapshot view, you see a call stack and a variables pane. When you select frames of the call stack in the call stack pane, you can view local variables and parameters for that function call in the variables pane.

+

+Snapshots might include sensitive information, and by default they aren't viewable. To view snapshots, you must have the `Application Insights Snapshot Debugger` role assigned to you.

+## View Snapshots in Visual Studio 2017 Enterprise or above

+1. Click the **Download Snapshot** button to download a `.diagsession` file, which can be opened by Visual Studio Enterprise.

+2. To open the `.diagsession` file, you need to have the Snapshot Debugger Visual Studio component installed. The Snapshot Debugger component is a required component of the ASP.NET workload in Visual Studio and can be selected from the Individual Component list in the Visual Studio installer. If you're using a version of Visual Studio before Visual Studio 2017 version 15.5, you'll need to install the extension from the [Visual Studio Marketplace](https://aka.ms/snapshotdebugger).

+3. After you open the snapshot file, the Minidump Debugging page in Visual Studio appears. Click **Debug Managed Code** to start debugging the snapshot. The snapshot opens to the line of code where the exception was thrown so that you can debug the current state of the process.

+ 

+The downloaded snapshot includes any symbol files that were found on your web application server. These symbol files are required to associate snapshot data with source code. For App Service apps, make sure to enable symbol deployment when you publish your web apps.

+## How snapshots work

+The Snapshot Collector is implemented as an [Application Insights Telemetry Processor](../app/configuration-with-applicationinsights-config.md#telemetry-processors-aspnet). When your application runs, the Snapshot Collector Telemetry Processor is added to your application's telemetry pipeline.

+Each time your application calls [TrackException](../app/asp-net-exceptions.md#exceptions), the Snapshot Collector computes a Problem ID from the type of exception being thrown and the throwing method.

+Each time your application calls TrackException, a counter is incremented for the appropriate Problem ID. When the counter reaches the `ThresholdForSnapshotting` value, the Problem ID is added to a Collection Plan.

+The Snapshot Collector also monitors exceptions as they're thrown by subscribing to the [AppDomain.CurrentDomain.FirstChanceException](/dotnet/api/system.appdomain.firstchanceexception) event. When that event fires, the Problem ID of the exception is computed and compared against the Problem IDs in the Collection Plan.

+If there's a match, then a snapshot of the running process is created. The snapshot is assigned a unique identifier and the exception is stamped with that identifier. After the FirstChanceException handler returns, the thrown exception is processed as normal. Eventually, the exception reaches the TrackException method again where it, along with the snapshot identifier, is reported to Application Insights.

+The main process continues to run and serve traffic to users with little interruption. Meanwhile, the snapshot is handed off to the Snapshot Uploader process. The Snapshot Uploader creates a minidump and uploads it to Application Insights along with any relevant symbol (.pdb) files.

+> [!TIP]

+> - A process snapshot is a suspended clone of the running process.

+> - Creating the snapshot takes about 10 to 20 milliseconds.

+> - The default value for `ThresholdForSnapshotting` is 1. This is also the minimum value. Therefore, your app has to trigger the same exception **twice** before a snapshot is created.

+> - Set `IsEnabledInDeveloperMode` to true if you want to generate snapshots while debugging in Visual Studio.

+> - The snapshot creation rate is limited by the `SnapshotsPerTenMinutesLimit` setting. By default, the limit is one snapshot every ten minutes.

+> - No more than 50 snapshots per day may be uploaded.

+## Limitations

+The default data retention period is 15 days. For each Application Insights instance, a maximum number of 50 snapshots are allowed per day.

+### Publish symbols

+The Snapshot Debugger requires symbol files on the production server to decode variables and to provide a debugging experience in Visual Studio.

+Version 15.2 (or above) of Visual Studio 2017 publishes symbols for release builds by default when it publishes to App Service. In prior versions, you need to add the following line to your publish profile `.pubxml` file so that symbols are published in release mode:

+```xml

+ <ExcludeGeneratedDebugSymbol>False</ExcludeGeneratedDebugSymbol>

+```

+For Azure Compute and other types, make sure that the symbol files are in the same folder of the main application .dll (typically, `wwwroot/bin`) or are available on the current path.

+> [!NOTE]

+> For more information on the different symbol options that are available, see the [Visual Studio documentation](/visualstudio/ide/reference/advanced-build-settings-dialog-box-csharp?view=vs-2019&preserve-view=true#output

+). For best results, we recommend using "Full", "Portable" or "Embedded".

+### Optimized builds

+In some cases, local variables can't be viewed in release builds because of optimizations that are applied by the JIT compiler.

+However, in Azure App Services, the Snapshot Collector can deoptimize throwing methods that are part of its Collection Plan.

+> [!TIP]

+> Install the Application Insights Site Extension in your App Service to get deoptimization support.

+## Next steps

+Enable Application Insights Snapshot Debugger for your application:

+* [Azure App Service](snapshot-debugger-app-service.md?toc=/azure/azure-monitor/toc.json)

+* [Azure Function](snapshot-debugger-function-app.md?toc=/azure/azure-monitor/toc.json)

+* [Azure Cloud Services](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json)

+* [Azure Service Fabric services](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json)

+* [Azure Virtual Machines and virtual machine scale sets](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json)

+* [On-premises virtual or physical machines](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json)

+Beyond Application Insights Snapshot Debugger:

+

+* [Set snappoints in your code](/visualstudio/debugger/debug-live-azure-applications) to get snapshots without waiting for an exception.

+* [Diagnose exceptions in your web apps](../app/asp-net-exceptions.md) explains how to make more exceptions visible to Application Insights.

+* [Smart Detection](../app/proactive-diagnostics.md) automatically discovers performance anomalies.

+| extend ResourceGroup = iff(ResourceGroup == '', 'On-premises computers', ResourceGroup), Id = strcat(_ResourceId, '::', Computer)

+ Title: Troubleshoot Azure Application Consistent Snapshot tool - Azure NetApp Files

+description: Troubleshoot communication issues, test failures, and other SAP HANA issues when using the Azure Application Consistent Snapshot (AzAcSnap) tool.

+# Troubleshoot the Azure Application Consistent Snapshot (AzAcSnap) tool

+This article describes how to troubleshoot issues when using the Azure Application Consistent Snapshot (AzAcSnap) tool for Azure NetApp Files and Azure Large Instance.

+You might encounter several common issues when running AzAcSnap commands. Follow the instructions to troubleshoot the issues. If you still have issues, open a Service Request for Microsoft Support from the Azure portal and assign the request to the SAP HANA Large Instance queue.

+## Check log files, result files, and syslog

+Some of the best sources of information for investigating AzAcSnap issues are the log files, result files, and the system log.

+### Log files

+The AzAcSnap log files are stored in the directory configured by the `logPath` parameter in the AzAcSnap configuration file. The default configuration filename is *azacsnap.json*, and the default value for `logPath` is *./logs*, which means the log files are written into the *./logs* directory relative to where the `azacsnap` command runs. If you make the `logPath` an absolute location, such as */home/azacsnap/logs*, `azacsnap` always outputs the logs into */home/azacsnap/logs*, regardless of where you run the `azacsnap` command.

+The log filename is based on the application name, `azacsnap`, the command run with `-c`, such as `backup`, `test`, or `details`, and the default configuration filename, such as *azacsnap.json*. With the `-c backup` command, a default log filename would be *azacsnap-backup-azacsnap.log*, written into the directory configured by `logPath`.

+This naming convention allows for multiple configuration files, one per database, to help locate the associated log files. If the configuration filename is *SID.json*, then the log filename when using the `azacsnap -c backup --configfile SID.json` option is *azacsnap-backup-SID.log*.

+### Result files and syslog

+For the `-c backup` command, AzAcSnap writes to a *\*.result* file and to the system log, `/var/log/messages`, by using the `logger` command. The *\*.result* filename has the same base name as the log file, and goes into the same location. The *\*.result* file is a simple one line output file, such as the following example:

+Here's example output from `/var/log/messages`:

+## Troubleshoot failed 'test storage' command

+The command `azacsnap -c test --test storage` might not complete successfully.

+### Check network firewalls

+Communication with Azure NetApp Files might fail or time out. To troubleshoot, make sure firewall rules aren't blocking outbound traffic from the system running AzAcSnap to the following addresses and TCP/IP ports:

+- `https://management.azure.com:443`

+- `https://login.microsoftonline.com:443`

+### Use Cloud Shell to validate configuration files

+You can test whether the service principal is configured correctly by using Cloud Shell through the Azure portal. Using Cloud Shell tests for correct configuration, bypassing network controls within a virtual network or virtual machine (VM).

+1. In the Azure portal, open a [Cloud Shell](../cloud-shell/overview.md) session.

+1. Make a test directory, for example `mkdir azacsnap`.

+1. Switch to the *azacsnap* directory, and download the latest version of AzAcSnap.

+ ```bash

+ wget https://aka.ms/azacsnapinstaller

+ ```

+1. Make the installer executable, for example `chmod +x azacsnapinstaller`.

+ ```bash

+ ./azacsnapinstaller -X -d .

+ ```

+ The results look like the following output:

+ ```output

+ +--+

+ | Azure Application Consistent Snapshot Tool Installer |

+ +--+

+ |-> Installer version '5.0.2_Build_20210827.19086'

+ |-> Extracting commands into ..

+ |-> Cleaning up .NET extract dir

+ ```

+1. Use the Cloud Shell Upload/Download icon to upload the service principal file, *azureauth.json*, and the AzAcSnap configuration file, such as *azacsnap.json*, for testing.

+1. Run the `storage` test.

+ ```bash

+ ./azacsnap -c test --test storage

+ ```

+ > [!NOTE]

+ > The test command can take about 90 seconds to complete.

+### Failed test on Azure Large Instance

+The following error example is from running `azacsnap` on Azure Large Instance:

+```bash

+azacsnap -c test --test storage

+```

+The authenticity of host '172.18.18.11 (172.18.18.11)' can't be established.

+ECDSA key fingerprint is SHA256:QxamHRn3ZKbJAKnEimQpVVCknDSO9uB4c9Qd8komDec.

+Are you sure you want to continue connecting (yes/no)?

+To troubleshoot this error, don't respond `yes`. Make sure that your storage IP address is correct. You can confirm the storage IP address with the Microsoft operations team.

+The error usually appears when the Azure Large Instance storage user doesn't have access to the underlying storage. To determine whether the storage user has access to storage, run the `ssh` command to validate communication with the storage platform.

+```bash

+ssh <StorageBackupname>@<Storage IP address> "volume show -fields volume"

+```

+The following example shows the expected output:

+```bash

+ssh clt1h80backup@10.8.0.16 "volume show -fields volume"

+```

+```output

+vserver volume

+

+osa33-hana-c01v250-client25-nprod hana_data_h80_mnt00001_t020_vol

+osa33-hana-c01v250-client25-nprod hana_data_h80_mnt00002_t020_vol

+```

+### Failed test with Azure NetApp Files

+The following error example is from running `azacsnap` with Azure NetApp Files:

+```bash

+azacsnap --configfile azacsnap.json.NOT-WORKING -c test --test storage

+```

+```output

+BEGIN : Test process started for 'storage'

+BEGIN : Storage test snapshots on 'data' volumes

+BEGIN : 1 task(s) to Test Snapshots for Storage Volume Type 'data'

+ERROR: Could not create StorageANF object [authFile = 'azureauth.json']

+```

+To troubleshoot this error:

+1. Check for the existence of the service principal file, *azureauth.json*, as set in the *azacsnap.json* configuration file.

+1. Check the log file, for example, *logs/azacsnap-test-azacsnap.log*, to see if the service principal file has the correct content. The following log file output shows that the client secret key is invalid.

+ ```output

+ [19/Nov/2020:18:39:49 +13:00] DEBUG: [PID:0020080:StorageANF:659] [1] Innerexception: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException AADSTS7000215: Invalid client secret is provided.

+ ```

+1. Check the log file to see if the service principal has expired. The following log file example shows that the client secret keys are expired.

+ ```output

+ [19/Nov/2020:18:41:10 +13:00] DEBUG: [PID:0020257:StorageANF:659] [1] Innerexception: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException AADSTS7000222: The provided client secret keys are expired. Visit the Azure Portal to create new keys for your app, or consider using certificate credentials for added security: https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials

+ ```

+## Troubleshoot failed 'test hana' command

+The command `azacsnap -c test --test hana` might not complete successfully.

+### Command not found

+When setting up communication with SAP HANA, the `hdbuserstore` program is used to create the secure communication settings. AzAcSnap also requires the `hdbsql` program for all communications with SAP HANA. These programs are usually under */usr/sap/\<SID>/SYS/exe/hdb/* or */usr/sap/hdbclient* and must be in the users `$PATH`.

+- In the following example, the `hdbsql` command isn't in the users `$PATH`.

+ ```bash

+ hdbsql -n 172.18.18.50 - i 00 -U AZACSNAP "select version from sys.m_database"

+ ```

+ ```output

+ If 'hdbsql' is not a typo you can use command-not-found to lookup the package that contains it, like this:

+ cnf hdbsql

+ ```

+- The following example temporarily adds the `hdbsql` command to the user's `$PATH`, allowing `azacsnap` to run correctly.

+ ```bash

+ export PATH=$PATH:/hana/shared/H80/exe/linuxx86_64/hdb/

+ ```

+Make sure the installer added the location of these files to the AzAcSnap user's `$PATH`.

+> [!NOTE]

+> To permanently add to the user's `$PATH`, update the user's *$HOME/.profile* file.

+### Invalid value for key

+This command output shows that the connection key hasn't been set up correctly with the `hdbuserstore Set` command.

+ ```bash

+ hdbsql -n 172.18.18.50 -i 00 -U AZACSNAP "select version from sys.m_database"

+ ```

+ ```output

+ * -10104: Invalid value for KEY (AZACSNAP)

+ ```

+For more information on setup of the `hdbuserstore`, see [Get started with AzAcSnap](azacsnap-get-started.md).

+### Failed test

+When validating communication with SAP HANA by running a test with `azacsnap -c test --test hana`, you might get the following error:

+> azacsnap -c test --test hana

+BEGIN : Test process started for 'hana'

+BEGIN : SAP HANA tests

+CRITICAL: Command 'test' failed with error:

+Cannot get SAP HANA version, exiting with error: 127

+To troubleshoot this error:

+1. Check the configuration file, for example *azacsnap.json*, for each HANA instance, to ensure that the SAP HANA database values are correct.

+1. Run the following command to verify that the `hdbsql` command is in the path and that it can connect to the SAP HANA server.

+ ```bash

+ hdbsql -n 172.18.18.50 - i 00 -d SYSTEMDB -U AZACSNAP "\s"

+ ```

+ The following example shows the output when the command runs correctly:

+ ```output

+ host : 172.18.18.50

+ sid : H80

+ dbname : SYSTEMDB

+ user : AZACSNAP

+ kernel version: 2.00.040.00.1553674765

+ SQLDBC version: libSQLDBCHDB 2.04.126.1551801496

+ autocommit : ON

+ locale : en_US.UTF-8

+ input encoding: UTF8

+ sql port : saphana1:30013

+ ```

+### Insufficient privilege error

+If running `azacsnap` presents an error such as `* 258: insufficient privilege`, check that the user has the appropriate AZACSNAP database user privileges set up per the [installation guide](azacsnap-installation.md#enable-communication-with-database). Verify the user's privileges with the following command:

+hdbsql -U AZACSNAP "select GRANTEE,GRANTEE_TYPE,PRIVILEGE,IS_VALID,IS_GRANTABLE from sys.granted_privileges " | grep -i -e GRANTEE -e azacsnap

+The command should return the following output:

+GRANTEE,GRANTEE_TYPE,PRIVILEGE,IS_VALID,IS_GRANTABLE

+"AZACSNAP","USER","BACKUP ADMIN","TRUE","FALSE"

+"AZACSNAP","USER","CATALOG READ","TRUE","FALSE"

+"AZACSNAP","USER","CREATE ANY","TRUE","TRUE"

+The error might provide further information to help determine the required SAP HANA privileges, such as `Detailed info for this error can be found with guid '99X9999X99X9999X99X99XX999XXX999' SQLSTATE: HY000`. In this case, follow the instructions at [SAP Help Portal - GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS](https://help.sap.com/viewer/b3ee5778bc2e4a089d3299b82ec762a7/2.0.05/en-US/9a73c4c017744288b8d6f3b9bc0db043.html), which recommend using the following SQL query to determine the details of the required privilege:

+```sql

+CALL SYS.GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS ('99X9999X99X9999X99X99XX999XXX999', ?)

+```

+```output

+GUID,CREATE_TIME,CONNECTION_ID,SESSION_USER_NAME,CHECKED_USER_NAME,PRIVILEGE,IS_MISSING_ANALYTIC_PRIVILEGE,IS_MISSING_GRANT_OPTION,DATABASE_NAME,SCHEMA_NAME,OBJECT_NAME,OBJECT_TYPE

+"99X9999X99X9999X99X99XX999XXX999","2021-01-01 01:00:00.180000000",120212,"AZACSNAP","AZACSNAP","DATABASE ADMIN or DATABASE BACKUP ADMIN","FALSE","FALSE","","","",""

+```

+In the preceding example, adding the `DATABASE BACKUP ADMIN` privilege to the SYSTEMDB's AZACSNAP user should resolve the insufficient privilege error.

+- [Tips and tricks for using AzAcSnap](azacsnap-tips.md)

+- [AzAcSnap command reference](azacsnap-cmd-ref-configure.md)

+A people counting reference solution is also available. This reference solution is an open-source AI application providing edge-based people counting with user-defined zone entry/exit events. Video and AI output from the on-premises edge device is egressed to [Azure Data Lake](https://azure.microsoft.com/solutions/data-lake/), with the user interface running as an Azure website. AI inferencing is provided by an open-source AI model for people detection.

+> | communicationservices | Yes | Yes <br/><br/> Note that resources with attached phone numbers cannot be moved to subscriptions in different data locations, nor subscriptions that do not support having phone numbers. | No |

+Metrics in SignalR Service is an implementation of [Azure Monitor Metrics](../azure-monitor/essentials/data-platform-metrics.md). Understanding how Azure Monitor collects and displays metrics is helpful for using metrics in SignalR Service. Azure SignalR Service defines a collection of metrics that can be used to set up [alerts](../azure-monitor/alerts/alerts-overview.md) and [autoscale conditions](./signalr-howto-scale-autoscale.md).

+## SignalR Service metrics

+Metrics provide insights into the operational state of the service. The available metrics are:

+|**Connection Close Count**|Count|Sum|The count of connections closed for various reasons; see ConnectionCloseCategory for details.|Endpoint, ConnectionCloseCategory|

+|**Connection Count**|Count|Max or Avg|The number of connections.|Endpoint|

+|**Connection Open Count**|Count|Sum|The count of new connections opened.|Endpoint|

+|**Connection Quota Utilization**|Percent|Max or Avg|The percentage of connections to the server relative to the available quota.|No Dimensions|

+|**Inbound Traffic**|Bytes|Sum|The volume of inbound traffic to the service.|No Dimensions|

+|**Message Count**|Count|Sum|The total number of messages.|No Dimensions|

+|**Outbound Traffic**|Bytes|Sum|The volume of outbound traffic from the service.|No Dimensions|

+|**System Errors**|Percent|Avg|The percentage of system errors.|No Dimensions|

+|**User Errors**|Percent|Avg|The percentage of user errors.|No Dimensions|

+|**Server Load**|Percent|Max or Avg|The percentage of server load.|No Dimensions|

+> [!NOTE]

+> The aggregation type **Count** is the count of sampling data received. Count is defined as a general metrics aggregation type and can't be excluded from the list of available aggregation types. It's not generally useful for SignalR Service but it can sometimes be used to check if the sampling data has been sent to metrics.

+### Metrics dimensions

+A *dimension* is a name-value pair with extra data to describe the metric value. Some metrics don't have dimensions; others have multiple dimensions.

+The following two sections describe the dimensions available in SignalR Service metrics.

+#### Endpoint

+Describes the type of connection. Includes dimension values: **Client**, **Server**, and **LiveTrace**.

+#### ConnectionCloseCategory

+Gives the reason for closing the connection. Includes the following dimension values.

+| Value | Description |

+||--|

+| **Normal** | Connection closed normally.|

+|**Throttled**|With (Message count/rate or connection) throttling, check Connection Count and Message Count current usage and your resource limits.|

+|**PingTimeout**|Connection ping timeout.|

+|**NoAvailableServerConnection**|Client connection can't be established (won't even pass handshake) because there's no available server connection.|

+|**InvokeUpstreamFailed**|Upstream invoke failed.|

+|**SlowClient**|Too many unsent messages queued up at service side.|

+|**HandshakeError**|Connection terminated in the handshake phase, could be caused by the remote party closing the WebSocket connection without completing the close handshake. HandshakeError is caused by a network issue. Check browser settings to see if the client is able to create a websocket connection.|

+|**ServerConnectionNotFound**|Target hub server not available. Nothing need to be done for improvement, it's by design and reconnection should be done after this drop.|

+|**ServerConnectionClosed**|Client connection closed because the corresponding server connection was dropped. When app server uses Azure SignalR Service SDK, in the background, it initiates server connections to the remote Azure SignalR Service. Each client connection to the service is associated with one of the server connections to route traffic between the client and app server. Once a server connection is closed, all the client connections it serves will be closed with the **ServerConnectionDropped** message.|

+|**ServiceTransientError**|Internal server error.|

+|**BadRequest**|A bad request is caused by an invalid hub name, wrong payload, or a malformed request.|

+|**ClosedByAppServer**|App server asked the service to close the client.|

+|**ServiceReload**|Service reload is triggered when a connection is dropped due to an internal service component reload. This event doesn't indicate a malfunction and is part of normal service operation.|

+|**ServiceModeSwitched**|Connection closed after service mode switched, such as from Serverless mode to Default mode.|

+|**Unauthorized**|The connection is unauthorized.|

+For more information, see [multi-dimensional metrics](../azure-monitor/essentials/data-platform-metrics.md#multi-dimensional-metrics) in Azure Monitor.

+### Message Count granularity

+The minimum Message Count granularity is two KB of outbound data traffic. Every two KB is one unit for Message Count. If a client is sending small or infrequent messages totaling less than one unit in a sampling time period, the message count will be zero (0). The count is zero even though messages were sent. The way to check for a small number/size of messages is by using the metric **Outbound Traffic**, which is a count of bytes sent.

+### System errors and user errors

+The **User Errors** and **System Errors** metrics are the percentage of attempted operations (connecting, sending a message, and so on) that failed. A system error is a failure in the internal system logic. A user error is generally an application error, often related to networking. Normally, the percentage of system errors should be low, near zero.

+> In some situations, the user errors rate will be very high, especially in Serverless mode. In some browsers, when a user closes the web page the SignalR client doesn't shut down gracefully. A connection may remain open but unresponsive, until SignalR Service will finally close it because of timeout. The timeout closure will be counted in the User Error metric.

+>[!NOTE]

+> Autoscaling is a Premium Tier feature only.

+**Connection Quota Utilization** and **Server Load** show the percentage of utilization or load compared to the currently allocated unit count. These metrics are commonly used in autoscaling rules.

+For example, if the current allocation is one unit and there are 750 connections to the service, the Connection Quota Utilization is 750/1000 = 0.75. Server Load is calculated similarly, using values for compute capacity.

+To learn more about autoscaling, see [Automatically scale units of an Azure SignalR Service](./signalr-howto-scale-autoscale.md)

+- [Automatically scale units of an Azure SignalR Service](signalr-howto-scale-autoscale.md)

+- [Azure Monitor Metrics](../azure-monitor/essentials/data-platform-metrics.md)

+- [Understanding metrics aggregation](../azure-monitor/essentials/metrics-aggregation-explained.md)

+- [Use diagnostic logs to monitor SignalR Service](signalr-howto-diagnostic-logs.md)

+> Autoscaling is only available in Azure SignalR Service Premium tier.

+Azure SignalR Service Premium tier supports an *autoscale* feature, which is an implementation of [Azure Monitor autoscale](../azure-monitor/autoscale/autoscale-overview.md). Autoscale allows you to automatically scale the unit count for your SignalR Service to match the actual load on the service. Autoscale can help you optimize performance and cost for your application.

+Azure SignalR adds its own [service metrics](concept-metrics.md). However, most of the user interface is shared and common to other [Azure services that support autoscaling](../azure-monitor/autoscale/autoscale-overview.md#supported-services-for-autoscale). If you're new to the subject of Azure Monitor Metrics, review [Azure Monitor Metrics aggregation and display explained](../azure-monitor/essentials/metrics-aggregation-explained.md) before digging into SignalR Service Metrics.

+## Understanding autoscale in SignalR Service

+Autoscale allows you to set conditions that will dynamically change the units allocated to SignalR Service while the service is running. Autoscale conditions are based on metrics, such as **Server Load**. Autoscale can also be configured to run on a schedule, such as every day between certain hours.

+For example, you can implement the following scaling scenarios using autoscale.

+- Increase units when the **Connection Quota Utilization** above 70%.

+- Decrease units when the **Server Load** is below 20%.

+- Create a schedule to add more units during peak hours and reduce units during off hours.

+Multiple factors affect the performance of SignalR Service. No one metric provides a complete view of system performance. For example, if you're sending a large number of messages you might need to scale out even though the connection quota is relatively low. The combination of both **Connection Quota Utilization** and **Server Load** gives an indication of overall system load. The following guidelines apply.

+- Scale out if the connection count is over 80-90%. Scaling out before your connection count is exhausted ensures that you'll have sufficient buffer to accept new connections before scale-out takes effect.

+- Scale out if the **Server Load** is over 80-90%. Scaling early ensures that the service has enough capacity to maintain performance during the scale-out operation.

+The autoscale operation usually takes effect 3-5 minutes after it's triggered. It's important not to change the units too often. A good rule of thumb is to allow 30 minutes from the previous autoscale before performing another autoscale operation. In some cases, you might need to experiment to find the optimal autoscale interval.

+## Custom autoscale settings

+Open the autoscale settings page:

+1. Go to the [Azure portal](https://portal.azure.com).

+1. Open the **SignalR** service page.

+1. From the menu on the left, under **Settings** choose **Scale out**.

+1. Select the **Configure** tab. If you have a Premium tier SignalR instance, you'll see two options for **Choose how to scale your resource**:

+ - **Manual scale**, which lets you manually change the number of units.

+ - **Custom autoscale**, which lets you create autoscale conditions based on metrics and/or a time schedule.

+1. Choose **Custom autoscale**. Use this page to manage the autoscale conditions for your Azure SignalR service.

+### Default scale condition

+When you open custom autoscale settings for the first time, you'll see the **Default** scale condition already created for you. This scale condition is executed when none of the other scale conditions match the criteria set for them. You can't delete the **Default** condition, but you can rename it, change the rules, and change the action taken by autoscale.

+You can't set the default condition to autoscale on a specific days or date range. The default condition only supports scaling to a unit range. To scale according to a schedule, you'll need to add a new scale condition.

+Autoscale doesn't take effect until you save the default condition for the first time after selecting **Custom autoscale**.

+## Add or change a scale condition

+There are two options for how to scale your Azure SignalR resource:

+- **Scale based on a metric** - Scale within unit limits based on a dynamic metric. One or more scale rules are defined to set the criteria used to evaluate the metric.

+- **Scale to specific units** - Scale to a specific number of units based on a date range or recurring schedule.

+The following procedure shows you how to add a condition to increase units (scale out) when the Connection Quota Utilization is greater than 70% and decrease units (scale in) when the Connection Quota Utilization is less than 20%. Increments or decrements are done between available units.

+1. On the **Scale out** page, select **Custom autoscale** for the **Choose how to scale your resource** option.

+1. Select **Scale based on a metric** for **Scale mode**.

+1. Select **+ Add a rule**.

+ :::image type="content" source="./media/signalr-howto-scale-autoscale/default-autoscale.png" alt-text="Screenshot of custom rule based on a metric.":::

+ 1. Select a metric from the **Metric name** drop-down list. In this example, it's **Connection Quota Utilization**.

+ 1. Select an operator and threshold values. In this example, they're **Greater than** and **70** for **Metric threshold to trigger scale action**.

+ 1. Select an **operation** in the **Action** section. In this example, it's set to **Increase**.

+ :::image type="content" source="./media/signalr-howto-scale-autoscale/default-scale-out.png" alt-text="Screenshot of default autoscale rule screen.":::

+ 1. Select a metric from the **Metric name** drop-down list. In this example, it's **Connection Quota Utilization**.

+ 1. Select an operator and threshold values. In this example, they're **Less than** and **20** for **Metric threshold to trigger scale action**.

+ 1. Select an **operation** in the **Action** section. In this example, it's set to **Decrease**.

+ 1. Then, select **Add**

+ :::image type="content" source="./media/signalr-howto-scale-autoscale/default-scale-in.png" alt-text="Screenshot Connection Quota Utilization scale rule.":::

+1. Set the **minimum**, **maximum**, and **default** number of units.

+1. Select **Save** on the toolbar to save the autoscale setting.

+### Scale to specific units

+Follow these steps to configure the rule to scale to a specific unit range.

+1. On the **Scale out** page, select **Custom autoscale** for the **Choose how to scale your resource** option.

+1. Select **Scale to a specific units** for **Scale mode**.

+1. For **Units**, select the number of default units.

+ :::image type="content" source="./media/signalr-howto-scale-autoscale/default-specific-units.png" alt-text="Screenshot of scale rule criteria.":::

+## Add more conditions

+The previous section showed you how to add a default condition for the autoscale setting. This section shows you how to add more conditions to the autoscale setting.

+1. On the **Scale out** page, select **Custom autoscale** for the **Choose how to scale your resource** option.

+1. Select **Add a scale condition** under the **Default** block.

+ :::image type="content" source="./media/signalr-howto-scale-autoscale/additional-add-condition.png" alt-text="Screenshot of custom scale rule screen.":::

+1. Confirm that the **Scale based on a metric** option is selected.

+1. Select **+ Add a rule** to add a rule to increase units when the **Connection Quota Utilization** goes above 70%. Follow steps from the [default condition](#default-scale-condition) section.

+1. Set the **minimum** and **maximum** and **default** number of units.

+1. You can also set a **schedule** on a custom condition (but not on the default condition). You can either specify start and end dates for the condition (or) select specific days (Monday, Tuesday, and so on.) of a week.

+ 1. If you select **Specify start/end dates**, select the **Timezone**, **Start date and time** and **End date and time** (as shown in the following image) for the condition to be in effect.

+ 1. If you select **Repeat specific days**, select the days of the week, timezone, start time, and end time when the condition should apply.

+## Next steps

+For more information about managing autoscale from the Azure CLI, see [**az monitor autoscale**](/cli/azure/monitor/autoscale?view=azure-cli-latest&preserve-view=true).

+description: Learn how to create an Azure Video Indexer account by using Azure Resource Manager (ARM) template.

+In this tutorial, you will create an Azure Video Indexer account by using Azure Resource Manager (ARM) template (preview).

+> For the latest API version for Microsoft.VideoIndexer, see the [template reference](/azure/templates/microsoft.videoindexer/accounts?tabs=bicep).

+> If you would like to work with bicep format, see [Deploy by using Bicep](./deploy-with-bicep.md).

+ Title: Deploy Azure Video Indexer by using Bicep

+description: Learn how to create an Azure Video Indexer account by using a Bicep file.

+# Tutorial: deploy Azure Video Indexer by using Bicep

+In this tutorial, you create an Azure Video Indexer account by using [Bicep](../azure-resource-manager/bicep/overview.md).

+> [!NOTE]

+> This sample is *not* for connecting an existing Azure Video Indexer classic account to an ARM-based Azure Video Indexer account.

+> For full documentation on Azure Video Indexer API, visit the [Developer portal](https://aka.ms/avam-dev-portal) page.

+> For the latest API version for Microsoft.VideoIndexer, see the [template reference](/azure/templates/microsoft.videoindexer/accounts?tabs=bicep).

+## Prerequisites

+* An Azure Media Services (AMS) account. You can create one for free through the [Create AMS Account](/azure/media-services/latest/account-create-how-to).

+## Review the Bicep file

+The Bicep file used in this tutorial is:

+One Azure resource is defined in the bicep file:

+* [Microsoft.videoIndexer/accounts](/azure/templates/microsoft.videoindexer/accounts?tabs=bicep)

+Check [Azure Quickstart Templates](https://github.com/Azure/azure-quickstart-templates) for more updated Bicep samples.

+## Deploy the sample

+1. Save the Bicep file as main.bicep to your local computer.

+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell

+ # [CLI](#tab/CLI)

+ ```azurecli

+ az group create --name exampleRG --location eastus

+ az deployment group create --resource-group exampleRG --template-file main.bicep --parameters accountName=<account-name> managedIdentityResourceId=<managed-identity> mediaServiceAccountResourceId=<media-service-account-resource-id>

+ ```

+ # [PowerShell](#tab/PowerShell)

+ ```azurepowershell

+ New-AzResourceGroup -Name exampleRG -Location eastus

+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -accountName "<account-name>" -managedIdentityResourceId "<managed-identity>" -mediaServiceAccountResourceId "<media-service-account-resource-id>"

+ ```

+

+ The location must be the same location as the existing Azure media service. You need to provide values for the parameters:

+ * Replace **\<account-name\>** with the name of the new Azure video indexer account.

+ * Replace **\<managed-identity\>** with the managed identity used to grant access between Azure Media Services(AMS).

+ * Replace **\<media-service-account-resource-id\>** with the existing Azure media service.

+## Reference documentation

+If you're new to Azure Video Indexer, see:

+* [Azure Video Indexer Documentation](./index.yml)

+* [Azure Video Indexer Developer Portal](https://api-portal.videoindexer.ai/)

+* After completing this tutorial, head to other Azure Video Indexer samples, described on [README.md](https://github.com/Azure-Samples/media-services-video-indexer/blob/master/README.md)

+If you're new to Bicep deployment, see:

+* [Azure Resource Manager documentation](../azure-resource-manager/index.yml)

+* [Deploy Resources with Bicep and Azure PowerShell](../azure-resource-manager/bicep/deploy-powershell.md)

+* [Deploy Resources with Bicep and Azure CLI](../azure-resource-manager/bicep/deploy-cli.md)

+## Next steps

+[Connect an existing classic paid Azure Video Indexer account to ARM-based account](connect-classic-account-to-arm.md)

+Any existing private clouds in the above mentioned regions will also be upgraded to these versions. For more information, please see [VMware ESXi 7.0 Update 3c Release Notes](https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-vcenter-server-70-release-notes.html) and [VMware vCenter Server 7.0 Update 3c Release Notes](https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3c-release-notes.html).

+description: Learn how to set up vRealize Operations for your Azure VMware Solution private cloud.

+vRealize Operations is an operations management platform that allows VMware infrastructure administrators to monitor system resources. These system resources could be application-level or infrastructure level (both physical and virtual) objects. Most VMware administrators have used vRealize Operations to monitor and manage the VMware private cloud components ΓÇô vCenter Server, ESXi, NSX-T Data Center, vSAN, and VMware HCX. Each provisioned Azure VMware Solution private cloud includes a dedicated vCenter Server, NSX-T Data Center, vSAN, and HCX deployment.

+* Review the [vRealize Operations Manager product documentation](https://docs.vmware.com/en/vRealize-Operations-Manager/8.1/com.vmware.vcom.vapp.doc/GUID-7FFC61A0-7562-465C-A0DC-46D092533984.html) to learn more about deploying vRealize Operations.

+* Optionally, review the [vRealize Operations Remote Controller](https://docs.vmware.com/en/vRealize-Operations-Manager/8.1/com.vmware.vcom.vapp.doc/GUID-263F9219-E801-4383-8A59-E84F3D01ED6B.html) product documentation for the on-premises vRealize Operations managing Azure VMware Solution deployment option.

+Most customers have an existing on-premises deployment of vRealize Operations to manage one or more on-premises vCenter Server domains. When they provision an Azure VMware Solution private cloud, they connect their on-premises environment with their private cloud using an Azure ExpressRoute or a Layer 3 VPN solution.

+To extend the vRealize Operations capabilities to the Azure VMware Solution private cloud, you create an adapter [instance for the private cloud resources](https://docs.vmware.com/en/vRealize-Operations-Manager/8.1/com.vmware.vcom.config.doc/GUID-640AD750-301E-4D36-8293-1BFEB67E2600.html). It collects data from the Azure VMware Solution private cloud and brings it into on-premises vRealize Operations. The on-premises vRealize Operations Manager instance can directly connect to the vCenter Server and NSX-T Manager on Azure VMware Solution. Optionally, you can deploy a vRealize Operations Remote Collector on the Azure VMware Solution private cloud. The collector compresses and encrypts the data collected from the private cloud before it's sent over the ExpressRoute or VPN network to the vRealize Operations Manager running on-premise.

+> Refer to the [VMware documentation](https://docs.vmware.com/en/vRealize-Operations-Manager/8.1/com.vmware.vcom.vapp.doc/GUID-7FFC61A0-7562-465C-A0DC-46D092533984.html) for step-by-step guide for installing vRealize Operations Manager.

+Another option is to deploy an instance of vRealize Operations Manager on a vSphere cluster in the private cloud.

+Once the instance has been deployed, you can configure vRealize Operations to collect data from vCenter Server, ESXi, NSX-T Data Center, vSAN, and HCX.

+- You can't sign in to vRealize Operations Manager using your Azure VMware Solution vCenter Server credentials.

+#### For Azure VM backup

+This policy:

+- Takes a weekly backup every Monday, Wednesday, Thursday at 10:00 AM Pacific Standard Time.

+- Retains the backups taken on every Monday, Wednesday, Thursday for one week.

+- Retains the backups taken on every first Wednesday and third Thursday of a month for two months (overrides the previous retention conditions, if any).

+- Retains the backups taken on fourth Monday and fourth Thursday in February and November for four years (overrides the previous retention conditions, if any).

+#### For SQL in Azure VM backup

+The following is an example request body for SQL in Azure VM backup.

+This policy:

+- Takes a full backup everyday at 13:30 UTC and a log backup every 1 hour.

+- Retains the daily full backups for 30 days and log backups for 30 days as well.

+```json

+"properties": {

+ "backupManagementType": "AzureWorkload",

+ "workLoadType": "SQLDataBase",

+ "settings": {

+ "timeZone": "UTC",

+ "issqlcompression": false,

+ "isCompression": false

+ },

+ "subProtectionPolicy": [

+ {

+ "policyType": "Full",

+ "schedulePolicy": {

+ "schedulePolicyType": "SimpleSchedulePolicy",

+ "scheduleRunFrequency": "Daily",

+ "scheduleRunTimes": [

+ "2022-02-14T13:30:00Z"

+ ],

+ "scheduleWeeklyFrequency": 0

+ },

+ "retentionPolicy": {

+ "retentionPolicyType": "LongTermRetentionPolicy",

+ "dailySchedule": {

+ "retentionTimes": [

+ "2022-02-14T13:30:00Z"

+ ],

+ "retentionDuration": {

+ "count": 30,

+ "durationType": "Days"

+ }

+ }

+ }

+ },

+ {

+ "policyType": "Log",

+ "schedulePolicy": {

+ "schedulePolicyType": "LogSchedulePolicy",

+ "scheduleFrequencyInMins": 60

+ },

+ "retentionPolicy": {

+ "retentionPolicyType": "SimpleRetentionPolicy",

+ "retentionDuration": {

+ "count": 30,

+ "durationType": "Days"

+ }

+ }

+ }

+ ],

+ "protectedItemsCount": 0

+ }

+```

+The following is an example of a policy that takes a differential backup everyday and a full backup once a week.

+```json

+"properties": {

+ "backupManagementType": "AzureWorkload",

+ "workLoadType": "SQLDataBase",

+ "settings": {

+ "timeZone": "UTC",

+ "issqlcompression": false,

+ "isCompression": false

+ },

+ "subProtectionPolicy": [

+ {

+ "policyType": "Full",

+ "schedulePolicy": {

+ "schedulePolicyType": "SimpleSchedulePolicy",

+ "scheduleRunFrequency": "Weekly",

+ "scheduleRunDays": [

+ "Sunday"

+ ],

+ "scheduleRunTimes": [

+ "2022-06-13T19:30:00Z"

+ ],

+ "scheduleWeeklyFrequency": 0

+ },

+ "retentionPolicy": {

+ "retentionPolicyType": "LongTermRetentionPolicy",

+ "weeklySchedule": {

+ "daysOfTheWeek": [

+ "Sunday"

+ ],

+ "retentionTimes": [

+ "2022-06-13T19:30:00Z"

+ ],

+ "retentionDuration": {

+ "count": 104,

+ "durationType": "Weeks"

+ }

+ },

+ "monthlySchedule": {

+ "retentionScheduleFormatType": "Weekly",

+ "retentionScheduleWeekly": {

+ "daysOfTheWeek": [

+ "Sunday"

+ ],

+ "weeksOfTheMonth": [

+ "First"

+ ]

+ },

+ "retentionTimes": [

+ "2022-06-13T19:30:00Z"

+ ],

+ "retentionDuration": {

+ "count": 60,

+ "durationType": "Months"

+ }

+ },

+ "yearlySchedule": {

+ "retentionScheduleFormatType": "Weekly",

+ "monthsOfYear": [

+ "January"

+ ],

+ "retentionScheduleWeekly": {

+ "daysOfTheWeek": [

+ "Sunday"

+ ],

+ "weeksOfTheMonth": [

+ "First"

+ ]

+ },

+ "retentionTimes": [

+ "2022-06-13T19:30:00Z"

+ ],

+ "retentionDuration": {

+ "count": 10,

+ "durationType": "Years"

+ }

+ }

+ }

+ },

+ {

+ "policyType": "Differential",

+ "schedulePolicy": {

+ "schedulePolicyType": "SimpleSchedulePolicy",

+ "scheduleRunFrequency": "Weekly",

+ "scheduleRunDays": [

+ "Monday",

+ "Tuesday",

+ "Wednesday",

+ "Thursday",

+ "Friday",

+ "Saturday"

+ ],

+ "scheduleRunTimes": [

+ "2022-06-13T02:00:00Z"

+ ],

+ "scheduleWeeklyFrequency": 0

+ },

+ "retentionPolicy": {

+ "retentionPolicyType": "SimpleRetentionPolicy",

+ "retentionDuration": {

+ "count": 30,

+ "durationType": "Days"

+ }

+ }

+ },

+ {

+ "policyType": "Log",

+ "schedulePolicy": {

+ "schedulePolicyType": "LogSchedulePolicy",

+ "scheduleFrequencyInMins": 120

+ },

+ "retentionPolicy": {

+ "retentionPolicyType": "SimpleRetentionPolicy",

+ "retentionDuration": {

+ "count": 15,

+ "durationType": "Days"

+ }

+ }

+ }

+ ],

+ "protectedItemsCount": 0

+ }

+```

+#### For SAP HANA in Azure VM backup

+The following is an example request body for SQL in Azure VM backup.

+This policy:

+- Takes a full backup every day at 19:30 UTC and a log backup every 2 hours.

+- Retains the daily backups for 180 days.

+- Retains the weekly backups for 104 weeks.

+- Retains the monthly backups for 60 months.

+- Retains the yearly backups for 10 years.

+- Retains the log backups for 15 days.

+```json

+{

+ "properties": {

+ "backupManagementType": "AzureIaasVM",

+ "timeZone": "Pacific Standard Time",

+ "schedulePolicy": {

+ "schedulePolicyType": "SimpleSchedulePolicy",

+ "scheduleRunFrequency": "Weekly",

+ "scheduleRunTimes": [

+ "2018-01-24T10:00:00Z"

+ ],

+ "scheduleRunDays": [

+ "Monday",

+ "Wednesday",

+ "Thursday"

+ ]

+ },

+ "retentionPolicy": {

+ "retentionPolicyType": "LongTermRetentionPolicy",

+ "weeklySchedule": {

+ "daysOfTheWeek": [

+ "Monday",

+ "Wednesday",

+ "Thursday"

+ ],

+ "retentionTimes": [

+ "2018-01-24T10:00:00Z"

+ ],

+ "retentionDuration": {

+ "count": 1,

+ "durationType": "Weeks"

+ }

+ },

+ "monthlySchedule": {

+ "retentionScheduleFormatType": "Weekly",

+ "retentionScheduleWeekly": {

+ "daysOfTheWeek": [

+ "Wednesday",

+ "Thursday"

+ ],

+ "weeksOfTheMonth": [

+ "First",

+ "Third"

+ ]

+ },

+ "retentionTimes": [

+ "2018-01-24T10:00:00Z"

+ ],

+ "retentionDuration": {

+ "count": 2,

+ "durationType": "Months"

+ }

+ },

+ "yearlySchedule": {

+ "retentionScheduleFormatType": "Weekly",

+ "monthsOfYear": [

+ "February",

+ "November"

+ ],

+ "retentionScheduleWeekly": {

+ "daysOfTheWeek": [

+ "Monday",

+ "Thursday"

+ ],

+ "weeksOfTheMonth": [

+ "Fourth"

+ ]

+ },

+ "retentionTimes": [

+ "2018-01-24T10:00:00Z"

+ ],

+ "retentionDuration": {

+ "count": 4,

+ "durationType": "Years"

+ }

+ }

+ }

+ }

+}

+```

+The following is an example of a policy that takes a full backup once a week and an incremental backup once a day.

+```json

+"properties": {

+ "backupManagementType": "AzureWorkload",

+ "workLoadType": "SAPHanaDatabase",

+ "settings": {

+ "timeZone": "UTC",

+ "issqlcompression": false,

+ "isCompression": false

+ },

+ "subProtectionPolicy": [

+ {

+ "policyType": "Full",

+ "schedulePolicy": {

+ "schedulePolicyType": "SimpleSchedulePolicy",

+ "scheduleRunFrequency": "Weekly",

+ "scheduleRunDays": [

+ "Sunday"

+ ],

+ "scheduleRunTimes": [

+ "2022-06-13T19:30:00Z"

+ ],

+ "scheduleWeeklyFrequency": 0

+ },

+ "retentionPolicy": {

+ "retentionPolicyType": "LongTermRetentionPolicy",

+ "weeklySchedule": {

+ "daysOfTheWeek": [

+ "Sunday"

+ ],

+ "retentionTimes": [

+ "2022-06-13T19:30:00Z"

+ ],

+ "retentionDuration": {

+ "count": 104,

+ "durationType": "Weeks"

+ }

+ },

+ "monthlySchedule": {

+ "retentionScheduleFormatType": "Weekly",

+ "retentionScheduleWeekly": {

+ "daysOfTheWeek": [

+ "Sunday"

+ ],

+ "weeksOfTheMonth": [

+ "First"

+ ]

+ },

+ "retentionTimes": [

+ "2022-06-13T19:30:00Z"

+ ],

+ "retentionDuration": {

+ "count": 60,

+ "durationType": "Months"

+ }

+ },

+ "yearlySchedule": {

+ "retentionScheduleFormatType": "Weekly",

+ "monthsOfYear": [

+ "January"

+ ],

+ "retentionScheduleWeekly": {

+ "daysOfTheWeek": [

+ "Sunday"

+ ],

+ "weeksOfTheMonth": [

+ "First"

+ ]

+ },

+ "retentionTimes": [

+ "2022-06-13T19:30:00Z"

+ ],

+ "retentionDuration": {

+ "count": 10,

+ "durationType": "Years"

+ }

+ }

+ }

+ },

+ {

+ "policyType": "Incremental",

+ "schedulePolicy": {

+ "schedulePolicyType": "SimpleSchedulePolicy",

+ "scheduleRunFrequency": "Weekly",

+ "scheduleRunDays": [

+ "Monday",

+ "Tuesday",

+ "Wednesday",

+ "Thursday",

+ "Friday",

+ "Saturday"

+ ],

+ "scheduleRunTimes": [

+ "2022-06-13T02:00:00Z"

+ ],

+ "scheduleWeeklyFrequency": 0

+ },

+ "retentionPolicy": {

+ "retentionPolicyType": "SimpleRetentionPolicy",

+ "retentionDuration": {

+ "count": 30,

+ "durationType": "Days"

+ }

+ }

+ },

+ {

+ "policyType": "Log",

+ "schedulePolicy": {

+ "schedulePolicyType": "LogSchedulePolicy",

+ "scheduleFrequencyInMins": 120

+ },

+ "retentionPolicy": {

+ "retentionPolicyType": "SimpleRetentionPolicy",

+ "retentionDuration": {

+ "count": 15,

+ "durationType": "Days"

+ }

+ }

+ }

+ ],

+ "protectedItemsCount": 0

+}

+```

+#### For Azure File share backup

+The following is an example request body for Azure File share backup.

+This policy:

+- Takes a backup every day at 15:30 UTC.

+- Retains the daily backups for 30 days.

+- Retains the backups taken every Sunday for 12 weeks.

+```json

+"properties": {

+ "backupManagementType": "AzureStorage",

+ "workloadType": "AzureFileShare",

+ "schedulePolicy": {

+ "schedulePolicyType": "SimpleSchedulePolicy",

+ "scheduleRunFrequency": "Daily",

+ "scheduleRunTimes": [

+ "2022-06-13T15:30:00Z"

+ ],

+ "scheduleWeeklyFrequency": 0

+ },

+ "retentionPolicy": {

+ "retentionPolicyType": "LongTermRetentionPolicy",

+ "dailySchedule": {

+ "retentionTimes": [

+ "2022-06-13T15:30:00Z"

+ ],

+ "retentionDuration": {

+ "count": 30,

+ "durationType": "Days"

+ }

+ },

+ "weeklySchedule": {

+ "daysOfTheWeek": [

+ "Sunday"

+ ],

+ "retentionTimes": [

+ "2022-06-13T15:30:00Z"

+ ],

+ "retentionDuration": {

+ "count": 12,

+ "durationType": "Weeks"

+ }

+ }

+ },

+ "timeZone": "UTC",

+ "protectedItemsCount": 0

+ }

+```

+It returns two responses: 202 (Accepted) when another operation is created. Then 200 (OK) when that operation completes.

+- [Get started with Azure REST API](/rest/api/azure/)

+- High-performance storage appropriate to the application (NFS, ISCSI, and Fiber Channel). Storage can also be shared across BareMetal instances to enable features like scale-out clusters or high availability pairs with STONITH.

+- A set of function-specific virtual LANs (VLANs) in an isolated environment.

+## Why BareMetal Infrastructure?

+### BareMetal benefits

+BareMetal Infrastructure is intended for critical workloads that require certification to run your enterprise applications. The BareMetal instances are dedicated only to you, and you'll have full access (root access) to the operating system (OS). You manage OS and application installation according to your needs. For security, the instances are provisioned within your Azure Virtual Network (VNet) with no internet connectivity. Only services running on your virtual machines (VMs), and other Azure services in same Tier 2 network, can communicate with your BareMetal instances.

+ - Up to 1 PB/tenant

+ - IOPS up to 1.2 million/tenant

+- Large instances ΓÇô Ranging from two-socket to four-socket systems.

+- Very Large instances ΓÇô Ranging from 4-socket to 20-socket systems.

+## Managing BareMetal instances in Azure

+Depending on your needs, the application topologies of BareMetal Infrastructure can be complex. You may deploy multiple instances in one or more locations. The instances can have shared or dedicated storage, and specialized LAN and WAN connections. So for BareMetal Infrastructure, Azure offers a consultation by a CSA/GBB in the field to work with you.

+You'll see all the BareMetal resources, and their state and attributes, in the Azure portal. You can also operate the instances and open service requests and support tickets from there.

+BareMetal Infrastructure is ISO 27001, ISO 27017, SOC 1, and SOC 2 compliant. It also uses a bring-your-own-license (BYOL) model: OS, specialized workload, and third-party applications.

+- Providing the hardware for specialized workloads.

+During the provisioning of the BareMetal instance, you can select the OS you want to install on the machines.

+BareMetal Infrastructure provides highly redundant NFS storage and Fiber Channel storage. The infrastructure offers deep integration for enterprise workloads like SAP, SQL, and more. It also provides application-consistent data protection and data-management capabilities. The self-service management tools offer space-efficient snapshot, cloning, and granular replication capabilities along with single pane of glass monitoring. The infrastructure enables zero RPO and RTO capabilities for data availability and business continuity needs.

+- Scales up to 4 PB of raw storage.

+These Data access protocols are supported:

+- iSCSI

+- NFS (v3 or v4)

+- Fiber Channel

+- NVMe over FC

+ExpressRoute lets you extend your on-premises network into the Microsoft cloud over a private connection with a connectivity provider's help. You can use **ExpressRoute Local** for cost-effective data transfer between your on-premises location and the Azure region you want. To extend connectivity across geopolitical boundaries, you can enable **ExpressRoute Premium**.

+- **Left:** Shows the customer on-premises infrastructure that runs different applications, connecting through the partner or local edge router like Equinix. For more information, see [Connectivity providers and locations: Azure ExpressRoute](../expressroute/expressroute-locations.md).

+- **Bottom:** Shows using your ExpressRoute Gateway enabled with [ExpressRoute FastPath](../expressroute/about-fastpath.md) for BareMetal connectivity offering low latency.

+|[Dv2](../virtual-machines/dv2-dsv2-series.md) | 210 - 250* |

+Containers enable you to run the Computer Vision APIs in your own environment. Containers are great for specific security and data governance requirements. In this article you'll learn how to download, install, and run the Read (OCR) container.

+The Read container allows you to extract printed and handwritten text from images and documents with support for JPEG, PNG, BMP, PDF, and TIFF file formats. For more information, see the [Read API how-to guide](how-to/call-read-api.md).

+The Read 3.2 OCR container is the latest GA model and provides:

+|Docker Engine| You need the Docker Engine installed on a [host computer](#host-computer-requirements). Docker provides packages that configure the Docker environment on [macOS](https://docs.docker.com/docker-for-mac/), [Windows](https://docs.docker.com/docker-for-windows/), and [Linux](https://docs.docker.com/engine/install/#server). For a primer on Docker and container basics, see the [Docker overview](https://docs.docker.com/engine/docker-overview/).<br><br> Docker must be configured to allow the containers to connect with and send billing data to Azure. <br><br> **On Windows**, Docker must also be configured to support Linux containers.<br><br>|

+### Host computer requirements

+Once the container is on the [host computer](#host-computer-requirements), use the following process to work with the container.

+The exact syntax of the host mount location varies depending on the host operating system. Additionally, the [host computer](computer-vision-how-to-install-containers.md#host-computer-requirements)'s mount location may not be accessible due to a conflict between permissions used by the Docker service account and the host mount location permissions.

+The following JSON response illustrates what the Analyze API returns when describing the example image based on its visual features.

+* [Quickstart: Image Analysis REST API or client libraries](./quickstarts-sdk/image-analysis-client-library.md?pivots=programming-language-csharp)

+# Face detection with Image Analysis

+Image Analysis can detect human faces within an image and generate rectangle coordinates for each detected face.

+> This feature is also offered by the dedicated [Face](./overview-identity.md) service. Use this alternative for more detailed face analysis, including face identification and head pose detection.

+The following example demonstrates the JSON response returned by Analyze API for an image containing a single human face.

+The following JSON response illustrates what the Analyze API returns when detecting objects in the example image.

+Image Analysis can return content tags for thousands of recognizable objects, living beings, scenery, and actions that appear in images. Tags are not organized as a taxonomy and do not have inheritance hierarchies. A collection of content tags forms the foundation for an image [description](./concept-describing-images.md) displayed as human readable language formatted in complete sentences. When tags are ambiguous or not common knowledge, the API response provides hints to clarify the meaning of the tag in context of a known setting.

+After you upload an image or specify an image URL, the Analyze API can output tags based on the objects, living beings, and actions identified in the image. Tagging is not limited to the main subject, such as a person in the foreground, but also includes the setting (indoor or outdoor), furniture, tools, plants, animals, accessories, gadgets, and so on.

+* [Quickstart: Image Analysis REST API or client libraries](./quickstarts-sdk/image-analysis-client-library.md?pivots=programming-language-csharp)

+You can use Computer Vision Spatial Analysis to ingest streaming video from cameras, extract insights, and generate events to be used by other systems. The service detects the presence and movements of people in video. It can do things like count the number of people entering a space or measure compliance with face mask and social distancing guidelines. By processing video streams from physical spaces, you're able to learn how people use them and maximize the space's value to your organization.

+This feature analyzes how well people follow social distancing requirements in a space. The system uses the PersonDistance operation to automatically calibrates itself as people walk around in the space. Then it identifies when people violate a specific distance threshold (6 ft. or 10 ft.).

+**Identity verification**: Verify someone's identity against a government-issued ID card like a passport or driver's license or other enrollment image. You can use this verification to grant access to digital or physical services or to recover an account. Specific access scenarios include opening a new account, verifying a worker, or administering an online assessment. Identity verification can be done once when a person is onboarded, and repeated when they access a digital or physical service.

+Detect faces in an image and provide information about each detected face. Computer Vision returns the coordinates, rectangle, gender, and age for each detected face. [Detect faces](concept-detecting-faces.md)

+You can also use the dedicated [Face API](./index-identity.yml) for these purposes. It provides more detailed analysis, such as facial identification and pose detection.

+* For PDF and TIFF files, up to 2000 pages (only the first two pages for the free tier) are processed.

+* The file size of images must be less than 500 MB (4 MB for the free tier) and dimensions at least 50 x 50 pixels and at most 10000 x 10000 pixels. PDF files do not have a size limit.

+* The minimum height of the text to be extracted is 12 pixels for a 1024 x 768 image. This corresponds to about 8 font point text at 150 DPI.

+Get started with the Computer Vision Read REST API or client libraries. The Read API provides you with AI algorithms for extracting text from images and returning it as structured strings. Follow these steps to install a package to your application and try out the sample code for basic tasks.

+* Once you have your Azure subscription, <a href="https://portal.azure.com/#create/Microsoft.CognitiveServicesComputerVision" title="Create a Computer Vision resource" target="_blank">create a Computer Vision resource </a> for the Standard S1 tier in the Azure portal to get your key and endpoint. After it deploys, select **Go to resource**.

+ * You'll need the key and endpoint from the resource you create to run the Spatial Analysis container. You'll use your key and endpoint later.

+To run the Spatial Analysis container, you need a compute device with an NVIDIA CUDA Compute Capable GPU 6.0 or higher (for example, [NVIDIA Tesla T4](https://www.nvidia.com/en-us/data-center/tesla-t4/), 1080Ti, or 2080Ti). We recommend that you use [Azure Stack Edge](https://azure.microsoft.com/products/azure-stack/edge/) with GPU acceleration, however the container runs on any other desktop machine that meets the minimum requirements. We'll refer to this device as the host computer.

+* 4 GB of system RAM

+* One NVIDIA CUDA Compute Capable GPU 6.0 or higher (for example, [NVIDIA Tesla T4](https://www.nvidia.com/en-us/data-center/tesla-t4/), 1080Ti, or 2080Ti)

+* 32 GB of system RAM

+* Two NVIDIA CUDA Compute Capable GPUs 6.0 or higher (for example, [NVIDIA Tesla T4](https://www.nvidia.com/en-us/data-center/tesla-t4/), 1080Ti, or 2080Ti)

+In this article, you'll download and install the following software packages. The host computer must be able to run the following (see below for instructions):

+In our example, we'll utilize an [NC series VM](../../virtual-machines/nc-series.md?bc=%2fazure%2fvirtual-machines%2flinux%2fbreadcrumb%2ftoc.json&toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json) that has one K80 GPU.

+| Camera | The Spatial Analysis container isn't tied to a specific camera brand. The camera device needs to: support Real-Time Streaming Protocol(RTSP) and H.264 encoding, be accessible to the host computer, and be capable of streaming at 15FPS and 1080p resolution. |

+We recommend that you use an Azure Stack Edge device for your host computer. Select **Desktop Machine** if you're configuring a different device, or **Virtual Machine** if you're utilizing a VM.

+ 2. Select a network interface that you want to enable for compute, then select **Enable**. This will create a virtual switch on your device, on that network interface.

+ 4. Select **Apply**. This operation may take about two minutes.

+### Set up Azure Stack Edge role and create an IoT Hub resource

+In the [Azure portal](https://portal.azure.com/), navigate to your Azure Stack Edge resource. On the **Overview** page or navigation list, select the Edge compute **Get started** button. In the **Configure Edge compute** tile, select **Configure**.

+Select **Create**. The IoT Hub resource creation may take a couple of minutes. After the IoT Hub resource is created, the **Configure Edge compute** tile will update to show the new configuration. To confirm that the Edge compute role has been configured, select **View config** on the **Configure compute** tile.

+You'll need to install [Azure IoT Edge](../../iot-edge/how-to-provision-single-device-linux-symmetric.md) version 1.0.9. Follow these steps to download the correct version:

+Next, Create the VM. Once created, navigate to the VM resource in the Azure portal and select `Extensions` from the left pane. Select on "Add" to bring up the extensions window with all available extensions. Search for and select `NVIDIA GPU Driver Extension`, click create, and complete the wizard.

+You'll need to install [Azure IoT Edge](../../iot-edge/how-to-provision-single-device-linux-symmetric.md) version 1.0.9. Follow these steps to download the correct version:

+You'll need to use [Spatial Analysis operations](spatial-analysis-operations.md) to configure the container to use connected cameras, configure the operations, and more. For each camera device you configure, the operations for Spatial Analysis will generate an output stream of JSON messages, sent to your instance of Azure IoT Hub.

+* Use the Azure Event Hubs SDK for your chosen programming language to connect to the Azure IoT Hub endpoint and receive the events. For more information, see [Read device-to-cloud messages from the built-in endpoint](../../iot-hub/iot-hub-devguide-messages-read-builtin.md).

+Select on **Generate SAS Token and URL** and copy the Blob SAS URL. Replace the starting `https` with `http` and test the URL in a browser that supports video playback.

+If you encounter issues when starting or running the container, see [Telemetry and troubleshooting](spatial-analysis-logging.md) for steps for common issues. This article also contains information on generating and collecting logs and collecting system health.

+Azure Cognitive Services containers aren't licensed to run without being connected to the metering / billing endpoint. You must always enable the containers to communicate billing information with the billing endpoint. Cognitive Services containers don't send customer data, such as the video or image that's being analyzed, to Microsoft.

+* [OCR (Read)](./overview-ocr.md) also available as a [Distroless container](./computer-vision-how-to-install-containers.md?tabs=version-3-2) for on-premises deployment.

+* In order to perform face recognition operations such as Identify and Find Similar, Face API customers need to create an assorted list of **Person** objects. The new **PersonDirectory** is a data structure that contains unique IDs, optional name strings, and optional user metadata strings for each **Person** identity added to the directory. Currently, the Face API offers the **LargePersonGroup** structure which has similar functionality but is limited to 1 million identities. The **PersonDirectory** structure can scale up to 75 million identities.

+* Available as a [Distroless container](./computer-vision-how-to-install-containers.md?tabs=version-3-2) for on-premises deployment.

+* The team published a sample Face enrollment app to demonstrate best practices for establishing meaningful consent and creating high-accuracy face recognition systems through high-quality enrollments. The open-source sample can be found in the [Build an enrollment app](Tutorials/build-enrollment-app.md) guide and on [GitHub](https://github.com/Azure-Samples/cognitive-services-FaceAPIEnrollmentSample), ready for developers to deploy or customize.

+* Improved overall accuracy of the `age` and `headPose` attributes. The `headPose` attribute is also updated with the `pitch` value enabled now. Use these attributes by specifying them in the `returnFaceAttributes` parameter of [Face - Detect](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236) `returnFaceAttributes` parameter.

+ Title: Migrate from QnA Maker to Question Answering

+description: Details on features, requirements, and examples for migrating from QnA Maker to Question Answering

+# Migrate from QnA Maker to Question Answering

+**Purpose of this document:** This article aims to provide information that can be used to successfully migrate applications that use QnA Maker to Question Answering. Using this article, we hope customers will gain clarity on the following:

+ - Comparison of features across QnA Maker and Question Answering

+ - Pricing

+ - Simplified Provisioning and Development Experience

+ - Migration phases

+ - Common migration scenarios

+ - Migration steps

+**Intended Audience:** Existing QnA Maker customers

+> [!IMPORTANT]

+> Question Answering, a feature of Azure Cognitive Service for Language was introduced in November 2021 with several new capabilities including enhanced relevance using a deep learning ranker, precise answers, and end-to-end region support. Each question answering project is equivalent to a knowledge base in QnA Maker. Resource level settings such as Role-based access control (RBAC) are not migrated to the new resource. These resource level settings would have to be reconfigured for the language resource post migration:

+>

+> - Automatic RBAC to Language project (not resource)

+> - Automatic enabling of analytics.

+You will also need to [re-enable analytics](analytics.md) for the language resource.

+## Comparison of features

+In addition to a new set of features, Question Answering provides many technical improvements to common features.

+|Feature|QnA Maker|Question Answering|Details|

+|-|||-|

+|State of the art transformer-based models|➖|✔️|Turing based models which enables to search QnA at web scale.|

+|Pre-built capability|➖|✔️|Using this capability one can leverage the power of question answering without having to ingest content and manage resources.|

+|Precise answering|➖|✔️|Question Answering supports precise answering with the help of SOTA models.|

+|Smart URL Refresh|➖|✔️|Question Answering provides a means to refresh ingested content from public sources with a single click.|

+|Q&A over knowledge base (hierarchical extraction)|✔️|✔️| |

+|Active learning|✔️|✔️|Question Answering has an improved active learning model.|

+|Alternate Questions|✔️|✔️|The improved models in question answering reduces the need to add alternate questions.|

+|Synonyms|✔️|✔️| |

+|Metadata|✔️|✔️| |

+|Question Generation (private preview)|➖|✔️|This new feature will allow generation of questions over text.|

+|Support for unstructured documents|➖|✔️|Users can now ingest unstructured documents as input sources and query the content for responses|

+|.NET SDK|✔️|✔️| |

+|API|✔️|✔️| |

+|Unified Authoring experience|➖|✔️|A single authoring experience across all Azure Cognitive Services for Language|

+|Multi region support|➖|✔️|

+## Pricing

+When you are looking at migrating to Question Answering, please consider the following:

+- Knowledge base/project content or size has no implications on pricing

+- ΓÇ£Text RecordsΓÇ¥ in Question Answering features refer to the query submitted by the user to the runtime, and it is a concept common to all features within Language Service

+Here you can find the pricing details for [Question Answering](https://azure.microsoft.com/pricing/details/cognitive-services/language-service/) and [QnA Maker](https://azure.microsoft.com/pricing/details/cognitive-services/qna-maker/).

+The [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/) can provide even more detail.

+## Simplified Provisioning and Development Experience

+With the Language service, QnA Maker customers now benefit from a single service that provides Text Analytics, LUIS and Question Answering as features of the language resource. The Language service provides:

+- One Language resource to access all above capabilities

+- A single pane of authoring experience across capabilities

+- A unified set of APIs across all the capabilities

+- A cohesive, simpler, and powerful product

+Learn how to get started in [Language Studio](../../language-studio.md)

+## Migration Phases

+If you or your organization have applications in development or production that use QnA Maker, you should update them to use Question Answering as soon as possible. See the following links for available APIs, SDKs, Bot SDKs and code samples.

+Following are the broad migration phases to consider:

+

+Additional links which can help you are given below:

+- [Authoring portal](https://language.cognitive.azure.com/home)

+- [API](authoring.md)

+- [SDK](https://docs.microsoft.com/dotnet/api/microsoft.azure.cognitiveservices.knowledge.qnamaker)

+- Bot SDK: For bots to use custom question answering, use the [Bot.Builder.AI.QnA](https://www.nuget.org/packages/Microsoft.Bot.Builder.AI.QnA/) SDK ΓÇô We recommend customers to continue to use this for their Bot integrations. Here are some sample usages of the same in the botΓÇÖs code: [Sample 1](https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/csharp_dotnetcore/48.customQABot-all-features) [Sample 2](https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/csharp_dotnetcore/12.customQABot)

+## Common migration scenarios

+This topic compares two hypothetical scenarios when migrating from QnA Maker to Question Answering. These scenarios can help you to determine the right set of migration steps to execute for the given scenario.

+> [!NOTE]

+> An attempt has been made to ensure these scenarios are representative of real customer migrations, however, individual customer scenarios will of course differ. Also, this article doesn't include pricing details. Click here for [pricing](https://azure.microsoft.com/pricing/details/cognitive-services/language-service/)

+> [!IMPORTANT]

+> Each question answering project is equivalent to a knowledge base in QnA Maker. Resource level settings such as Role-based access control (RBAC) are not migrated to the new resource. These resource level settings would have to be reconfigured for the language resource post migration. You will also need to [re-enable analytics](analytics.md) for the language resource.

+### Migration scenario 1: No custom authoring portal

+In the first migration scenario, the customer uses qnamaker.ai as the authoring portal and they want to migrate their QnA Maker knowledge bases to Custom Question Answering.

+[Migrate your project from QnA Maker to Question Answering](migrate-qnamaker.md)

+Once migrated to Question Answering:

+- The resource level settings need to be reconfigured for the language resource

+- Customer validations should start on the migrated knowledge bases on:

+ - Size validation

+ - Number of QnA pairs in all KBs to match pre and post migration

+- Customers need to establish new thresholds for their knowledge bases in custom question answering as the Confidence score mapping is different when compared to QnA Maker.

+ - Answers for sample questions in pre and post migration

+ - Response time for Questions answered in v1 vs v2

+ - Retaining of prompts

+ - Customers can use the batch testing tool post migration to test the newly created project in custom question answering.

+Old QnA Maker resources need to be manually deleted.

+Here are some [detailed steps](migrate-qnamaker.md) on migration scenario 1.

+### Migration scenario 2

+In this migration scenario, the customer may have created their own authoring frontend leveraging the QnA Maker authoring APIs or QnA Maker SDKs.

+They should perform these steps required for migration of SDKs:

+This [SDK Migration Guide](https://github.com/Azure/azure-sdk-for-net/blob/Azure.AI.Language.QuestionAnswering_1.1.0-beta.1/sdk/cognitivelanguage/Azure.AI.Language.QuestionAnswering/MigrationGuide.md) is intended to assist in the migration to the new Question Answering client library, [Azure.AI.Language.QuestionAnswering](https://www.nuget.org/packages/Azure.AI.Language.QuestionAnswering), from the old one, [Microsoft.Azure.CognitiveServices.Knowledge.QnAMaker](https://www.nuget.org/packages/Microsoft.Azure.CognitiveServices.Knowledge.QnAMaker). It will focus on side-by-side comparisons for similar operations between the two packages.

+They should perform the steps required for migration of Knowledge bases to the new Project within Language resource.

+Once migrated to Question Answering:

+- The resource level settings need to be reconfigured for the language resource

+- Customer validations should start on the migrated knowledge bases on

+ - Size validation

+ - Number of QnA pairs in all KBs to match pre and post migration

+ - Confidence score mapping

+ - Answers for sample questions in pre and post migration

+ - Response time for Questions answered in v1 vs v2

+ - Retaining of prompts

+ - Batch testing pre and post migration

+- Old QnA Maker resources need to be manually deleted.

+Additionally, for customers who have to migrate and upgrade Bot, upgrade bot code is published as NuGet package.

+Here you can find some code samples: [Sample 1](https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/csharp_dotnetcore/48.customQABot-all-features) [Sample 2](https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/csharp_dotnetcore/12.customQABot)

+Here are [detailed steps on migration scenario 2](https://github.com/Azure/azure-sdk-for-net/blob/Azure.AI.Language.QuestionAnswering_1.1.0-beta.1/sdk/cognitivelanguage/Azure.AI.Language.QuestionAnswering/MigrationGuide.md)

+Learn more about the [pre-built API](../../../QnAMaker/How-To/using-prebuilt-api.md)

+Learn more about the [Question Answering Get Answers REST API](https://docs.microsoft.com/rest/api/cognitiveservices/questionanswering/question-answering/get-answers)

+## Migration steps

+Please note that some of these steps are needed depending on the customers existing architecture. Kindly look at migration phases given above for getting more clarity on which steps are needed by you for migration.

+

+We know that securing your cloud data is important. We hear your concerns. Here's just a few questions that our customers may have when moving sensitive workloads to the cloud:

+## Introduction to confidential computing

+A TEE is an environment that enforces execution of only authorized code. Any data in the TEE can't be read or tampered with by any code outside that environment.

+**Hardware vendors**: Trust hardware by using on-premises hardware or in-house hardware.

+**Infrastructure providers**: Trust cloud providers or manage your own on-premises data centers.

+When initializing, code samples get the node certificate by querying Identity Service. After retrieving the node certificate, a code sample will query the ledger network to get a quote, which is then validated using the Host Verify binaries. If the verification succeeds, the code sample proceeds to ledger operations.

+Users can validate the authenticity of Azure confidential ledger nodes to confirm they are indeed interfacing with their ledgerΓÇÖs enclave. You can build trust in Azure confidential ledger nodes in a few ways, which can be stacked on one another to increase the overall level of confidence. As such, Steps 1-2 help build confidence in that Azure confidential ledger enclave as part of the initial TLS handshake and authentication within functional workflows. Beyond that, a persistent client connection is maintained between the user's client and the confidential ledger.

+- **Validating a confidential ledger node**: This is accomplished by querying the identity service hosted by Microsoft, which provides a network cert and thus helps verify that the ledger node is presenting a cert endorsed/signed by the network cert for that specific instance. Similar to PKI-based HTTPS, a serverΓÇÖs cert is signed by a well-known Certificate Authority (CA) or intermediate CA. In the case of Azure confidential ledger, the CA cert is returned by an Identity service in the form of a network cert. This is an important confidence building measure for users of confidential ledger. If this node cert isnΓÇÖt signed by the returned network cert, the client connection should fail (as implemented in the sample code).

+The Azure confidential ledger APIs require client certificate-based authentication. Only those certificates added to an allowlist during ledger creation or a ledger update can be used to call the confidential ledger Functional APIs.

+You will need a certificate in PEM format. You can create more than one certificate and add or delete them using ledger Update API.

+Microsoft Azure confidential ledger (ACL) is a new and highly secure service for managing sensitive data records. It runs exclusively on hardware-backed secure enclaves, a heavily monitored and isolated runtime environment which keeps potential attacks at bay. Furthermore, Azure confidential ledger runs on a minimalistic Trusted Computing Base (TCB), which ensures that no oneΓüáΓÇönot even MicrosoftΓüáΓÇöis "above" the ledger.

+As its name suggests, Azure confidential ledger utilizes the [Azure Confidential Computing platform](../confidential-computing/index.yml) and the [Confidential Consortium Framework](https://www.microsoft.com/research/project/confidential-consortium-framework) to provide a high integrity solution that is tamper-protected and evident. One ledger spans across three or more identical instances, each of which run in a dedicated, fully attested hardware-backed enclave. The ledger's integrity is maintained through a consensus-based blockchain.

+Azure confidential ledger offers unique data integrity advantages, including immutability, tamper-proofing, and append-only operations. These features, which ensure that all records are kept intact, are ideal when critical metadata records must not be modified, such as for regulatory compliance and archival purposes.

+Here are a few examples of things you can store on your ledger:

+The confidential ledger is exposed through REST APIs which can be integrated into new or existing applications. The confidential ledger can be managed by administrators utilizing Administrative APIs (Control Plane). It can also be called directly by application code through Functional APIs (Data Plane). The Administrative APIs support basic operations such as create, update, get and, delete. The Functional APIs allow direct interaction with your instantiated ledger and include operations such as put and get data.

+This section defines the security protections for the ledger. The ledger APIs use client certificate-based authentication. Currently, the ledger supports certificate-based authentication process with owner roles. We will be adding support for Azure Active Directory (AAD) based authentication and also role-based access (for example, owner, reader, and contributor).

+The data to the ledger is sent through TLS 1.2 connection and the TLS 1.2 connection terminates inside the hardware backed security enclaves (Intel® SGX enclaves). This ensures that no one can intercept the connection between a customer's client and the confidential ledger server nodes.

+## Constraints

+- Once a confidential ledger is created, you cannot change the ledger type.

+| Commit | A confirmation that a transaction has been locally committed to a node. A local commit by itself does not guarantee that a transaction is part of the ledger. |

+| Global commit | A confirmation that transaction was globally committed and is part of the ledger. |

+| Receipt | Proof that the transaction was processed by the ledger. |

+ Title: Quickstart ΓÇô Microsoft Azure confidential ledger with Azure PowerShell

+description: Learn to use the Microsoft Azure confidential ledger through Azure PowerShell

+# Quickstart: Create a confidential ledger using Azure PowerShell

+Azure confidential ledger is a cloud service that provides a high integrity store for sensitive data logs and records that must be kept intact. In this quickstart you will use [Azure PowerShell](/powershell/azure/) to create a confidential ledger, view and update its properties, and delete it. For more information on Azure confidential ledger, and for examples of what can be stored in a confidential ledger, see [About Microsoft Azure confidential ledger](overview.md).

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+In this quickstart, you create a confidential ledger with [Azure PowerShell](/powershell/azure/). If you choose to install and use PowerShell locally, this tutorial requires Azure PowerShell module version 1.0.0 or later. Type `$PSVersionTable.PSVersion` to find the version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-az-ps). If you are running PowerShell locally, you also need to run `Login-AzAccount` to create a connection with Azure.

+## Create a resource group

+## Get your principal ID and tenant ID

+To create a confidential ledger, you'll need your Azure Active Directory principal ID (also called your object ID). To obtain your principal ID, use the Azure PowerShell [Get-AzADUser](/powershell/module/az.resources/get-azaduser) cmdlet, with the `-SignedIn` flag:

+```azurepowershell

+Get-AzADUser -SignedIn

+```

+Your result will be listed under "Id", in the format `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`.

+## Create a confidential ledger

+Use the Azure Powershell [New-AzConfidentialLedger](/powershell/module/az.confidentialledger/new-azconfidentialledger) command to create a confidential ledger in your new resource group.

+```azurepowershell

+New-AzConfidentialLedger -Name "myLedger" -ResourceGroupName "myResourceGroup" -Location "EastUS" -LedgerType "Public" -AadBasedSecurityPrincipal @{ LedgerRoleName="Administrator"; PrincipalId="34621747-6fc8-4771-a2eb-72f31c461f2e"; }

+```

+A successful operation will return the properties of the newly created ledger. Take note of the **ledgerUri**. In the example above, this URI is "https://myledger.confidential-ledger.azure.com".

+You'll need this URI to transact with the confidential ledger from the data plane.

+## View and update your confidential ledger properties

+You can view the properties associated with your newly created confidential ledger using the Azure PowerShell [Get-AzConfidentialLedger](/powershell/module/az.confidentialledger/get-azconfidentialledger) cmdlet.

+```azurepowershell

+Get-AzConfidentialLedger -Name "myLedger" -ResourceGroupName "myResourceGroup"

+```

+To update the properties of a confidential ledger, use do so, use the Azure PowerShell [Update-AzConfidentialLedger](/powershell/module/az.confidentialledger/update-azconfidentialledger) cmdlet. For instance, to update your ledger to change your role to "Reader", run:

+```azurepowershell

+Update-AzConfidentialLedger -Name "myLedger" -ResourceGroupName "myResourceGroup" -Location "EastUS" -LedgerType "Public" -AadBasedSecurityPrincipal @{ LedgerRoleName="Reader"; PrincipalId="34621747-6fc8-4771-a2eb-72f31c461f2e"; }

+```

+If you again run [Get-AzConfidentialLedger](/powershell/module/az.confidentialledger/get-azconfidentialledger), you'll see that the role has been updated.

+```json

+"ledgerRoleName": "Reader",

+```

+## Clean up resources

+## Next steps

+In this quickstart, you created a confidential ledger by using the Azure PowerShell. To learn more about Azure confidential ledger and how to integrate it with your applications, continue on to the articles below.

+- [Overview of Microsoft Azure confidential ledger](overview.md)

+[API reference documentation](https://azuresdkdocs.blob.core.windows.net/$web/python/azure-confidentialledger/latest/azure.confidentialledger.html) | [Library source code](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/confidentialledger) | [Package (Python Package Index) Management Library](https://pypi.org/project/azure-mgmt-confidentialledger/)| [Package (Python Package Index) Client Library](https://pypi.org/project/azure-confidentialledger/)

+* Use actions to get a row of data, insert a new row, and even delete. For example, when a record is created in Dynamics CRM Online (a trigger), then insert a row in an Oracle Database (an action).

+* Supported Oracle versions:

+* Install the on-premises data gateway. [Connect to on-premises data from logic apps](../logic-apps/logic-apps-gateway-connection.md) lists the steps. The gateway is required to connect to an on-premises Oracle Database, or an Azure VM with Oracle DB installed.

+* Install the Oracle Client on the machine where you installed the on-premises data gateway. Make sure that you install the 64-bit Oracle Data Provider for .NET from Oracle, and select the Windows installer version because the `xcopy` version doesn't work with the on-premises data gateway:

+> This connector does not have any triggers. It has only actions. So when you create your logic app, add another trigger to start your logic app, such as **Schedule - Recurrence**, or **Request / Response - Response**.

+2. At the start of your logic app, select the **Request / Response - Request** trigger:

+3. Select **Save**. When you save, a request URL is automatically generated.

+4. Select **New step**, and select **Add an action**. Type in `oracle` to see the available actions:

+ > This is also the quickest way to see the triggers and actions available for any connector. Type in part of the connector name, such as `oracle`. The designer lists any triggers and any actions.

+ 

+ In the following example, job data is being returned from a Human Resources database:

+**Cause**: The Oracle client SDK is not installed on the machine where the on-premises data gateway is running. 

+**Cause**: The table does not have any primary key. 

+View any triggers and actions defined in the swagger, and also see any limits in the [connector details](/connectors/oracle/).

+The [Microsoft Q&A question page for Azure Logic Apps](/answers/topics/azure-logic-apps.html) is a great place to ask questions, answer questions, and see what other Logic Apps users are doing.

+You can help improve Logic Apps and connectors by voting and submitting your ideas at [https://aka.ms/logicapps-wish](https://aka.ms/logicapps-wish).

+[cloud-shell-bash]: /azure/cloud-shell/overview

+### Set up PostgreSQL database if you haven't already.

+This could be an existing on-premises database or you could [download and install one](https://www.postgresql.org/download/) on your local machine. It's also possible to use a [Docker container](https://hub.docker.com/_/postgres).

+### Setup Apache Kafka

+* [Provision throughput on containers and databases](../set-throughput.md)

+The [.NET V3](sql-api-sdk-dotnet-standard.md), [Java V4](sql-api-sdk-java-v4.md), [JavaScript V3](sql-api-sdk-node.md) and [Python V4.3+](sql-api-sdk-python.md) SDKs are currently supported.

+| TotalRequestUnits (Total Request Units)| Count (Total) | Request Units consumed| DatabaseName, CollectionName, Region, StatusCode |All| TotalRequestUnits| Used to monitor Total RU usage at a minute granularity. To get average RU consumed per second, use Sum aggregation at minute interval/level and divide by 60.|

+| **requestCharge** | **requestCharge_s** | The number of RUs that are used by the operation |

+* Azure Cosmos DB ships with the [Change feed feature](../change-feed.md) which tracks persistent record of changes to a container in the order they occur. It then outputs the sorted list of documents that were changed in the order in which they were modified.

+!describe <Table Name>

+!primarykeys <Table Name>

+1. Next, define a method to get the data from the HBase Contacts table as a DataFrame.

+Configuration config = HBaseConfiguration.create();

+config.set("hbase.zookeeper.quorum","zookeepernode0,zookeepernode1,zookeepernode2");

+config.set("hbase.zookeeper.property.clientPort", "2181");

+config.set("hbase.cluster.distributed", "true");

+//Use JDBC to get a connection to an HBase cluster

+// Create sync client

+client = new CosmosClientBuilder()

+ .endpoint(AccountSettings.HOST)

+ .key(AccountSettings.MASTER_KEY)

+ .consistencyLevel(ConsistencyLevel.{ConsistencyLevel})

+ .contentResponseOnWriteEnabled(true)

+// create an admin object using the config

+HBaseAdmin admin = new HBaseAdmin(config);

+// create the table...

+HTableDescriptor tableDescriptor = new HTableDescriptor(TableName.valueOf("FamilyTable"));

+// ... with single column families

+tableDescriptor.addFamily(new HColumnDescriptor("ColFam"));

+// Create database if not exists

+CosmosDatabaseResponse databaseResponse = client.createDatabaseIfNotExists(databaseName);

+database = client.getDatabase(databaseResponse.getProperties().getId());

+// Create container if not exists

+CosmosContainerProperties containerProperties = new CosmosContainerProperties("FamilyContainer", "/lastName");

+// Provision throughput

+ThroughputProperties throughputProperties = ThroughputProperties.createManualThroughput(400);

+// Create container with 400 RU/s

+CosmosContainerResponse databaseResponse = database.createContainerIfNotExists(containerProperties, throughputProperties);

+>

+>

+[API reference documentation](/dotnet/api/microsoft.azure.cosmos) | [Library source code](https://github.com/Azure/azure-cosmos-dotnet-v3) | [Package (NuGet)](https://www.nuget.org/packages/Microsoft.Azure.Cosmos) | [Samples](samples-dotnet.md)

+This section walks you through creating an Azure Cosmos account and setting up a project that uses Azure Cosmos DB SQL API client library for .NET to manage resources.

+1. Use the [``New-AzResourceGroup``](/powershell/module/az.resources/new-azresourcegroup) cmdlet to create a new resource group in your subscription.

+1. Use the [``New-AzCosmosDBAccount``](/powershell/module/az.cosmosdb/new-azcosmosdbaccount) cmdlet to create a new Azure Cosmos DB SQL API account with default settings.

+1. Select **Go to resource** to go to the Azure Cosmos DB account page.

+#### [Resource Manager template](#tab/azure-resource-manager)

+> [!NOTE]

+> Azure Resource Manager templates are written in two syntaxes, JSON and Bicep. This sample uses the [Bicep](../../azure-resource-manager/bicep/overview.md) syntax. To learn more about the two syntaxes, see [comparing JSON and Bicep for templates](../../azure-resource-manager/bicep/compare-template-syntax.md).

+1. Create shell variables for *accountName*, *resourceGroupName*, and *location*.

+ ```azurecli-interactive

+ # Variable for resource group name

+ resourceGroupName="msdocs-cosmos"

+ # Variable for location

+ location="westus"

+ # Variable for account name with a randomnly generated suffix

+ let suffix=$RANDOM*$RANDOM

+ accountName="msdocs-$suffix"

+ ```

+1. If you haven't already, sign in to the Azure CLI using the [``az login``](/cli/azure/reference-index#az-login) command.

+1. Use the [``az group create``](/cli/azure/group#az-group-create) command to create a new resource group in your subscription.

+ ```azurecli-interactive

+ az group create \

+ --name $resourceGroupName \

+ --location $location

+ ```

+1. Create a new ``.bicep`` file with the deployment template in the Bicep syntax.

+ :::code language="bicep" source="~/quickstart-templates/quickstarts/microsoft.documentdb/cosmosdb-sql-minimal/main.bicep":::

+1. Deploy the Azure Resource Manager (ARM) template with [``az deployment group create``](/cli/azure/deployment/group#az-deployment-group-create)

+specifying the filename using the **template-file** parameter and the name ``initial-bicep-deploy`` using the **name** parameter.

+ ```azurecli-interactive

+ az deployment group create \

+ --resource-group $resourceGroupName \

+ --name initial-bicep-deploy \

+ --template-file main.bicep \

+ --parameters accountName=$accountName

+ ```

+ > [!NOTE]

+ > In this example, we assume that the name of the Bicep file is **main.bicep**.

+1. Validate the deployment by showing metadata from the newly created account using [``az cosmosdb show``](/cli/azure/cosmosdb#az-cosmosdb-show).

+ ```azurecli-interactive

+ az cosmosdb show \

+ --resource-group $resourceGroupName \

+ --name $accountName

+ ```

+* [``CosmosClient``](/dotnet/api/microsoft.azure.cosmos.cosmosclient) - This class provides a client-side logical representation for the Azure Cosmos DB service. The client object is used to configure and execute requests against the service.

+* [``Database``](/dotnet/api/microsoft.azure.cosmos.database) - This class is a reference to a database that may, or may not, exist in the service yet. The database is validated server-side when you attempt to access it or perform an operation against it.

+* [``Container``](/dotnet/api/microsoft.azure.cosmos.container) - This class is a reference to a container that also may not exist in the service yet. The container is validated server-side when you attempt to work with it.

+* [``QueryDefinition``](/dotnet/api/microsoft.azure.cosmos.querydefinition) - This class represents a SQL query and any query parameters.

+* [``FeedIterator<>``](/dotnet/api/microsoft.azure.cosmos.feediterator-1) - This class represents an iterator that can track the current page of results and get a new page of results.

+* [``FeedResponse<>``](/dotnet/api/microsoft.azure.cosmos.feedresponse-1) - This class represents a single page of responses from the iterator. This type can be iterated over using a ``foreach`` loop.

+* [Authenticate the client](#authenticate-the-client)

+* [Create a database](#create-a-database)

+* [Create a container](#create-a-container)

+* [Create an item](#create-an-item)

+* [Get an item](#get-an-item)

+* [Query items](#query-items)

+The sample code described in this article creates a database named ``adventureworks`` with a container named ``products``. The ``products`` table is designed to contain product details such as name, category, quantity, and a sale indicator. Each product also contains a unique identifier.

+### [Azure CLI / Resource Manager template](#tab/azure-cli+azure-resource-manager)

+### [PowerShell](#tab/azure-powershell)

+### [Portal](#tab/azure-portal)

+1. Select one or more **Subscription owners**. You can select only users or service principals in the selected subscription directory. You can't select guest directory users. If you select a service principal, enter its App ID.

+- [Cancel your Azure subscription](cancel-azure-subscription.md)

+### Template parameters in the parameters file aren't valid

+

+There are several scenarios, which can trigger this behavior, all of which involve a new version of a dependent resource being called by the old version of the parent resource. For example, suppose an existing child pipeline called by ΓÇ£Execute pipelineΓÇ¥ is updated to have required parameters and the existing parent pipeline is updated to pass these parameters. If the deployment occurs during a parent pipeline execution, but before the **Execute Pipeline** activity, the old version of the pipeline will call the new version of the child pipeline, and the expected parameters will not be passed. This will cause the pipeline to fail with a *UserError*. This can also occur with other types of dependencies, such as if a breaking change is made to linked service during a pipeline run that references it.

+This feature isn't supported.

+Parameterizing an entity reference (Integration runtime in Linked service, Dataset in activity, Linked Service in dataset) isn't supported. Changing the runtime name during deployment will cause the depended resource (Resource referencing the Integration runtime) to become malformed with invalid reference.

+ARM template deployment fails with an error such as DataFactoryPropertyUpdateNotSupported: Updating property type isn't supported.

+The ARM template deployment is attempting to change the type of an existing integration runtime. This isn't allowed and will cause a deployment failure because data factory requires the same name and type of integration runtime across all stages of CI/CD.

+When you've 1000 s of old temporary ARM json files in PartialTemplates folder, publish may fail.

+If you put all of your logic inside of a single data flow, the service will execute the entire job on a single Spark instance. While this may seem like a way to reduce costs, it mixes together different logical flows and can be difficult to monitor and debug. If one component fails, all other parts of the job will fail as well. Organizing data flows by independent flows of business logic is recommended. If your data flow becomes too large, splitting it into separate components will make monitoring and debugging easier. While there is no hard limit on the number of transformations in a data flow, having too many will make the job complex.

+>This function supports copy of any schema from the above mentioned Salesforce environments, including the [Nonprofit Success Pack](https://www.salesforce.org/products/nonprofit-success-pack/) (NPSP).

+A vital security goal of an organization is to protect their data stores from random access over the internet, may it be an on-premises or a Cloud/ SaaS data store.

+> [!NOTE]

+> The IP address ranges are blocked for Azure Integration Runtime and is currently only used for Data Movement, pipeline and external activities. Dataflows and Azure Integration Runtime that enable Managed Virtual Network now do not use these IP ranges.

+This should work in many scenarios, and we do understand that a unique Static IP address per integration runtime would be desirable, but this wouldn't be possible using Azure Integration Runtime currently, which is serverless. If necessary, you can always set up a Self-hosted Integration Runtime and use your Static IP with it.

+* **[Trusted Service](../storage/common/storage-network-security.md#exceptions)** - Azure Storage (Blob, ADLS Gen2) supports firewall configuration that enables select trusted Azure platform services to access the storage account securely. Trusted Services enforces Managed Identity authentication, which ensures no other data factory can connect to this storage unless approved to do so using it's managed identity. You can find more details in **[this blog](https://techcommunity.microsoft.com/t5/azure-data-factory/data-factory-is-now-a-trusted-service-in-azure-storage-and-azure/ba-p/964993)**. Hence, this is extremely secure and recommended.

+* **Unique Static IP** - You will need to set up a self-hosted integration runtime to get a Static IP for Data Factory connectors. This mechanism ensures you can block access from all other IP addresses.

+* **Allow Azure Services** - Some services lets you allow all Azure services to connect to it in case you choose this option.

+For more information about supported network security mechanisms on data stores in Azure Integration Runtime and Self-hosted Integration Runtime, see below two tables.

+ | Azure IaaS | SQL Server, Oracle, etc. | - | - | Yes | Yes | - |

+ | On-premises IaaS | SQL Server, Oracle, etc. | - | - | Yes | - | - |

+ **Applicable only when Azure Data Explorer is virtual network injected, and IP range can be applied on NSG/ Firewall.*

+* **Self-hosted Integration Runtime (in VNet/on-premises)**

+ | On-premise laaS | SQL Server, Oracle, etc. | Yes | - |

+ Title: Encrypt credentials in Azure Data Factory

+description: Learn how to encrypt and store credentials for your on-premises data stores on a machine with self-hosted integration runtime.

+This example shows how to create a linked service to an on-premises SQL Server data source with encrypted credentials.

+Create a JSON file named **SqlServerLinkedService.json** in any folder with the following content:

+Replace `<servername>`, `<databasename>`, `<username>`, and `<password>` with values for your SQL Server before saving the file. And, replace `<integration runtime name>` with the name of your integration runtime.

+Set-AzDataFactoryV2LinkedService -DataFactoryName $dataFactoryName -ResourceGroupName $ResourceGroupName -Name "EncryptedSqlServerLinkedService" -DefinitionFile ".\encryptedSqlServerLinkedService.json"

+| Auto Compact | After any write operation has completed, Spark will automatically execute the ```OPTIMIZE``` command to re-organize the data, resulting in more partitions if necessary, for better reading performance in the future | no | `true` or `false` | autoCompact: true |

+### Delta sink with partition pruning

+With this option under Update method above (i.e. update/upsert/delete), you can limit the number of partitions that are inspected. Only partitions satisfying this condition will be fetched from the target store. You can specify fixed set of values that a partition column may take.

+### Delta sink script example with partition pruning

+A sample script is given as below.

+```

+DerivedColumn1 sink(

+ input(movieId as integer,

+ title as string

+ ),

+ allowSchemaDrift: true,

+ validateSchema: false,

+ format: 'delta',

+ container: 'deltaContainer',

+ folderPath: 'deltaPath',

+ mergeSchema: false,

+ autoCompact: false,

+ optimizedWrite: false,

+ vacuum: 0,

+ deletable:false,

+ insertable:true,

+ updateable:true,

+ upsertable:false,

+ keys:['movieId'],

+ pruneCondition:['part_col' -> ([5, 8])],

+ skipDuplicateMapInputs: true,

+ skipDuplicateMapOutputs: true) ~> sink2

+

+```

+Delta will only read 2 partitions where **part_col == 5 and 8** from the target delta store instead of all partitions. *part_col* is a column that the target delta data is partitioned by. It need not be present in the source data.

+### Delta sink optimization options

+In Settings tab, you will find three more options to optimize delta sink transformation.

+* When **Merge schema** option is enabled, any columns that are present in the previous stream, but not in the Delta table, are automatically added on to the end of the schema.

+* When **Auto compact** is enabled, after an individual write, transformation checks if files can further be compacted, and runs a quick OPTIMIZE job (with 128 MB file sizes instead of 1GB) to further compact files for partitions that have the most number of small files. Auto compaction helps in coalescing a large number of small files into a smaller number of large files. Auto compaction only kicks in when there are at least 50 files. Once a compaction operation is performed, it creates a new version of the table, and writes a new file containing the data of several previous files in a compact compressed form.

+* When **Optimize write** is enabled, sink transformation dynamically optimizes partition sizes based on the actual data by attempting to write out 128 MB files for each table partition. This is an approximate size and can vary depending on dataset characteristics. Optimized writes improve the overall efficiency of the *writes and subsequent reads*. It organizes partitions such that the performance of subsequent reads will improve.

+Azure Data Box is a hybrid solution that allows you to move data out of Azure into your location. This tutorial describes how to create an export order for Azure Data Box. The main reason to create an export order is for disaster recovery, in case on-premises storage gets compromised and a back-up needs to be restored.

+ A user-assigned managed identity is a stand-alone Azure resource that can be used to manage multiple resources. For more information, see [Managed identity types](../active-directory/managed-identities-azure-resources/overview.md).

+16. If you want to enable software-based double encryption, expand **Double encryption (for high-security environments)**, and select **Enable double encryption for the order**.

+This sample XML file includes examples of each XML tag that is used to select blobs and files for export in a Data Box export order.

+The data export from Azure Storage to your Data Box can sometimes fail. Make sure that the blobs aren't archive blobs as export of these blobs is not supported.

+Once the copy is complete, order status updates to **Completed**. The **DATA COPY DETAILS** show the path to the copy log, which reports any errors during the data copy.

+As of March 2022, you can choose **View by Storage Account(s)** or **View by Managed Disk(s)** to display the data copy details.

+[](media/data-box-disk-deploy-picked-up/data-box-portal-completed-inline.png#lightbox)

+If you have an order from before March 2022, the data copy details will be shown as below:

+ Title: Track and log Azure Data Box, Azure Data Box Heavy events for export order| Microsoft Docs

+- **Data Box Contributor** - can only create an order to transfer data to a given storage account *if they already have write access to a storage account*. If they do not have access to a storage account, they can't even create a Data Box order to copy data to the account. This role does not define any Storage account related permissions nor grants access to storage accounts.

+- Your Data Box arrives on your premises in a locked state. You can use the device credentials available in the Azure portal for your order.

+Before you copy data from your Data Box, you can download and review *copy log* and *verbose log* for the data that was copied to the Data Box. These logs are generated when the data is copied from your Storage account in Azure to your Data Box.

+```

+</CopyLog>

+You have the following options to export those files:

+- You can transfer the files that could not be copied over the network.

+Here is a sample output of the verbose log.

+You can use these logs to verify that files copied from Azure match the data that was copied to your on-premises server.

+- To verify that the *crc64* corresponds to a non-zero string. A Cyclic Redundancy Check (CRC) computation is done during the export from Azure. The CRCs from the export and after the data is copied from Data Box to on-premises server can be compared. A CRC mismatch indicates that the corresponding files failed to copy properly.

+ Process Name:

+This event is generated when a logon session is created. It is generated on the computer that was accessed.

+The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

+Name : gus-poland

+StartTime(UTC) : 9/19/2018 8:49:23 AM +00:00

+DeviceType : DataBox

+10/3/2018 1:36:43 PM | ShippingToCustomer | InProgress | Shipment picked up. Local Time : 10/3/2018 1:36:43 PM at AMSTERDAM-NLD

+10/4/2018 8:23:30 PM | ShippingToCustomer | InProgress | Processed at AMSTERDAM-NLD. Local Time : 10/4/2018 8:23:30 PM at AMSTERDAM-NLD

+10/5/2018 8:13:49 AM | ShippingToCustomer | InProgress | Arrived at Delivery Facility in BRIGHTON-GBR. Local Time : 10/5/2018 8:13:49 AM at LAMBETH-GBR

+10/5/2018 9:13:24 AM | ShippingToCustomer | InProgress | With delivery courier. Local Time : 10/5/2018 9:13:24 AM at BRIGHTON-GBR

+10/5/2018 12:03:04 PM | ShippingToCustomer | Completed | Delivered - Signed for by. Local Time : 10/5/2018 12:03:04 PM at BRIGHTON-GBR

+1/25/2019 3:19:25 PM | ShippingToDataCenter | InProgress | Shipment picked up. Local Time : 1/25/2019 3:19:25 PM at BRIGHTON-GBR

+1/25/2019 8:03:55 PM | ShippingToDataCenter | InProgress | Processed at BRIGHTON-GBR. Local Time : 1/25/2019 8:03:55 PM at LAMBETH-GBR

+1/25/2019 8:04:58 PM | ShippingToDataCenter | InProgress | Departed Facility in BRIGHTON-GBR. Local Time : 1/25/2019 8:04:58 PM at BRIGHTON-GBR

+1/25/2019 9:06:09 PM | ShippingToDataCenter | InProgress | Arrived at Sort Facility LONDON-HEATHROW-GBR. Local Time : 1/25/2019 9:06:09 PM at LONDON-HEATHROW-GBR

+1/25/2019 9:48:54 PM | ShippingToDataCenter | InProgress | Processed at LONDON-HEATHROW-GBR. Local Time : 1/25/2019 9:48:54 PM at LONDON-HEATHROW-GBR

+1/28/2019 7:11:35 AM | ShippingToDataCenter | InProgress | Arrived at Delivery Facility in AMSTERDAM-NLD. Local Time : 1/28/2019 7:11:35 AM at AMSTERDAM-NLD

+1/28/2019 9:07:57 AM | ShippingToDataCenter | InProgress | With delivery courier. Local Time : 1/28/2019 9:07:57 AM at AMSTERDAM-NLD

+1/28/2019 1:35:56 PM | ShippingToDataCenter | InProgress | Scheduled for delivery. Local Time : 1/28/2019 1:35:56 PM at AMSTERDAM-NLD

+The alert is now tuned to generate only for authenticated access, which results in higher accuracy and confidence that the activity is malicious. This enhancement reduces the benign positive rate.

+- [Vulnerability assessment for on-premises and multicloud machines is released for general availability (GA)](#vulnerability-assessment-for-on-premises-and-multicloud-machines-is-released-for-general-availability-ga)

+### Vulnerability assessment for on-premises and multicloud machines is released for general availability (GA)

+- **Findings** ΓÇô a vulnerability assessment service that continuously monitors Azure SQL configurations and helps remediate vulnerabilities. Assessment scans provide an overview of Azure SQL security states together with detailed security findings.

+- [Vulnerability assessment for on-premises and multicloud machines (preview)](#vulnerability-assessment-for-on-premises-and-multicloud-machines-preview)

+### Vulnerability assessment for on-premises and multicloud machines (preview)

+SecurityResources

+| where name in ({vmnames})

+| where resourceName in ({vmnames})

+We've now also added the option to edit the custom recommendation metadata. Metadata options include severity, remediation steps, threats information, and more.

+In addition, we've recently added the [Azure Security Benchmark](/security/benchmark/azure/introduction), the Microsoft-authored Azure-specific guidelines for security and compliance best practices based on common compliance frameworks. Additional standards will be supported in the dashboard as they become available.

+| [Just-in-time VM access](just-in-time-access-usage.md) | Γ£ö (Preview) | - |

+1. Navigate to the Azure portal and select **Sites and Sensors**.

+ > When you sign in to a sensor or on-premises management console for the first time it will be linked to the subscription you connected it to. If you need to reset the password for the CyberX, or Support user you will need to select that subscription. For more information on recovering a CyberX, or Support user password, see [Recover the password for the on-premises management console, or the sensor](how-to-create-and-manage-users.md#recover-the-password-for-the-on-premises-management-console-or-the-sensor).

+An indicator appears at the top of the console when the sensor recognizes that there's no traffic on one of the configured ports. This indicator is visible to all users. When this message appears, you can investigate where there's no traffic. Make sure the span cable is connected and there was no change in the span architecture.

+1. In **Data Mining**, generate a report.

+### Investigate a lack of expected alerts

+1. Right-click the cloud icon on the device map and select **Export IP Addresses**.

+- Verify that you did not exclude this alert by using the **Alert Exclusion** rules in the on-premises management console.

+The default is 50. This means that in one communication session between an appliance and the on-premises management console, there will be no more than 50 alerts to external systems.

+You'll also need to download a sample glTF (Graphics Language Transmission Format) 3D file to use for the scene in this quickstart. [Select this link to download RobotArms.glb](https://cardboardresources.blob.core.windows.net/public/RobotArms.glb).

+> [Code a client app](tutorial-code.md)

+description: Learn to migrate an on-premises MySQL database to Azure Database for MySQL by using Azure Database Migration Service through PowerShell script.

+# Partner Events overview for partners - Azure Event Grid

+ - It's the resource type that allows you to create partner resources on a customer's Azure subscription. When you create a channel of type `partner topic`, a partner topic is created on a customer's Azure subscription. A partner topic is the customer's resource where events from a partner system. Similarly, when a channel of type `partner destination` is created, a partner destination is created on a customer's Azure subscription. Partner destinations are resources that represent a partner system endpoint to where events are delivered. A channel along with partner topics and partner destinations enables bi-directional event integration.

+ * [Swagger](https://github.com/ahamad-MS/azure-rest-api-specs/blob/main/specification/eventgrid/resource-manager/Microsoft.EventGrid/stable/2022-06-15/EventGrid.json)

+ * [ARM template schema](https://github.com/Azure/azure-resource-manager-schemas/blob/main/schemas/2022-06-15/Microsoft.EventGrid.json)

+ * [REST APIs](/rest/api/eventgrid/controlplane-version2021-10-15-preview/partner-namespaces)

+ * [Python](https://pypi.org/project/azure-mgmt-eventgrid/)

+ * [Java](https://search.maven.org/search?q=azure-mgmt-eventgrid)

+ * [Ruby](https://rubygems.org/gems/azure_mgmt_event_grid/)

+ * [JS](https://www.npmjs.com/package/@azure/arm-eventgrid)

+# Partner Events overview for customers - Azure Event Grid

+You can enable the Auto-inflate feature **when creating an Event Hubs namespace**. The following image shows you how to enable the auto-inflate feature for a standard tier namespace and configure TUs to start with and the maximum number of TUs.

+To enable the Auto-inflate feature and modify its settings for an existing namespace, follow these steps:

+You can enable the Auto-inflate feature during an Azure Resource Manager template deployment. For example, set the

+description: Learn how to use Azure Firewall policy to define a rule hierarchy and enforce compliance.

+Security administrators need to manage firewalls and ensure compliance across on-premises and cloud deployments. A key component is the ability to provide application teams with flexibility to implement CI/CD pipelines to create firewall rules in an automated way.

+- Use an Azure custom role definition to prevent inadvertent base policy removal and provide selective access to rule collection groups within a subscription or resource group.

+1. Create a base firewall policy in the security team resource group.

+4. Create application team policies that inherit the base policy.

+### Create custom roles to access the rule collection groups

+3. Use the Get-AzRoleDefinition command to output the Reader role in JSON format.

+ {

+ΓÇ» "Name": "Reader",

+ΓÇ» "Id": "acdd72a7-3385-48ef-bd42-f606fba81ae7",

+ΓÇ» "IsCustom": false,

+ΓÇ» "Description": "Lets you view everything, but not make any changes.",

+ΓÇ» "Actions": [

+     "*/read"

+ΓÇ» ],

+ΓÇ» "NotActions": [],

+ΓÇ» "DataActions": [],

+ΓÇ» "NotDataActions": [],

+ΓÇ» "AssignableScopes": [

+     "/"

+ΓÇ» ]

+ }

+ `*/read", "Microsoft.Network/*/read", "Microsoft.Network/firewallPolicies/ruleCollectionGroups/write`

+{

+    "Name":  "AZFM Rule Collection Group Author",

+    "IsCustom":  true,

+    "Description":  "Users in this role can edit Firewall Policy rule collection groups",

+    "Actions":  [

+                    "*/read",

+                    "Microsoft.Network/*/read",

+                     "Microsoft.Network/firewallPolicies/ruleCollectionGroups/write"

+                ],

+    "NotActions":  [

+                   ],

+    "DataActions":  [

+                    ],

+    "NotDataActions":  [

+                       ],

+    "AssignableScopes":  [

+                             "/subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx"]

+}

+9. To create the new custom role, use the New-AzRoleDefinition command and specify the JSON role definition file.

+Security administrators can use base policy to enforce guardrails and block certain types of traffic (for example ICMP) as required by their enterprise.

+description: In this tutorial, you learn how to secure your virtual network with Azure Firewall Manager using the Azure portal.

+A hybrid network uses the hub-and-spoke architecture model to route traffic between Azure VNets and on-premises networks. The hub-and-spoke architecture has the following requirements:

+- Set **AllowGatewayTransit** when peering VNet-Hub to VNet-Spoke. In a hub-and-spoke network architecture, a gateway transit allows the spoke virtual networks to share the VPN gateway in the hub, instead of deploying VPN gateways in every spoke virtual network.

+1. For **Subnet address range**, type **10.5.0.0/26**.

+1. For **Subnet address range**, type **10.6.0.0/24**.

+1. For **Subnet address range**, type **192.168.1.0/24**.

+ Title: Create an Azure Front Door Standard/Premium with the Azure CLI

+description: Learn how to create an Azure Front Door Standard/Premium with Azure CLI. Use Azure Front Door to deliver content to your global user base and protect your web apps against vulnerabilities.

+# Quickstart: Create an Azure Front Door Standard/Premium - Azure CLI

+In this quickstart, you'll learn how to create an Azure Front Door Standard/Premium profile using Azure CLI. You'll create this profile using two Web Apps as your origin, and add a WAF security policy. You can then verify connectivity to your Web Apps using the Azure Front Door endpoint hostname.

+## Create a resource group

+In Azure, you allocate related resources to a resource group. You can either use an existing resource group or create a new one.

+Run [az group create](/cli/azure/group) to create resource groups.

+```azurecli

+az group create --name myRGFD --location centralus

+```

+## Create an Azure Front Door profile

+Run [az afd profile create](/cli/azure/afd/profile#az-afd-profile-create) to create an Azure Front Door profile.

+> [!NOTE]

+> If you want to deploy Azure Front Door Standard instead of Premium substitute the value of the sku parameter with Standard_AzureFrontDoor. You won't be able to deploy managed rules with WAF Policy, if you choose Standard SKU. For detailed comparison, view [Azure Front Door tier comparison](standard-premium/tier-comparison.md).

+```azurecli

+az afd profile create \

+ --profile-name contosoafd \

+ --resource-group myRGFD \

+ --sku Premium_AzureFrontDoor

+```

+## Create two instances of a web app

+You need two instances of a web application that run in different Azure regions for this tutorial. Both the web application instances run in Active/Active mode, so either one can service traffic.

+If you don't already have a web app, use the following script to set up two example web apps.

+### Create app service plans

+Before you can create the web apps you'll need two app service plans, one in *Central US* and the second in *East US*.

+Run [az appservice plan create](/cli/azure/appservice/plan#az-appservice-plan-create&preserve-view=true) to create your app service plans.

+```azurecli

+az appservice plan create \

+ --name myAppServicePlanCentralUS \

+ --resource-group myRGFD

+az appservice plan create \

+ --name myAppServicePlanEastUS \

+ --resource-group myRGFD

+```

+### Create web apps

+Run [az webapp create](/cli/azure/webapp#az-webapp-create&preserve-view=true) to create a web app in each of the app service plans in the previous step. Web app names have to be globally unique.

+```azurecli

+az webapp create \

+ --name WebAppContoso-01 \

+ --resource-group myRGFD \

+ --plan myAppServicePlanCentralUS

+az webapp create \

+ --name WebAppContoso-02 \

+ --resource-group myRGFD \

+ --plan myAppServicePlanEastUS

+```

+Make note of the default host name of each web app so you can define the backend addresses when you deploy the Front Door in the next step.

+## Add an endpoint

+Run [az afd endpoint create](/cli/azure/afd/endpoint#az-afd-endpoint-create) to create an endpoint in your profile. You can create multiple endpoints in your profile after finishing the create experience.

+```azurecli

+az afd endpoint create \

+ --resource-group myRGFD \

+ --endpoint-name contosofrontend \

+ --profile-name contosoafd \

+ --enabled-state Enabled

+```

+## Create an origin group

+Run [az afd origin-group create](/cli/azure/afd/origin-group#az-afd-origin-group-create) to create an origin group that contains your two web apps.

+```azurecli

+az afd origin-group create \

+ --resource-group myRGFD \

+ --origin-group-name og2 \

+ --profile-name contosoafd \

+ --probe-request-type GET \

+ --probe-protocol Http \

+ --probe-interval-in-seconds 60 \

+ --probe-path / \

+ --sample-size 4 \

+ --successful-samples-required 3 \

+ --additional-latency-in-milliseconds 50

+```

+## Add an origin to the group

+Run [az afd origin create](/cli/azure/afd/origin#az-afd-origin-create) to add an origin to your origin group.

+```azurecli

+az afd origin create \

+ --resource-group myRGFD \

+ --host-name webappcontoso-01.azurewebsites.net \

+ --profile-name contosoafd \

+ --origin-group-name og \

+ --origin-name contoso1 \

+ --origin-host-header webappcontoso-01.azurewebsites.net \

+ --priority 1 \

+ --weight 1000 \

+ --enabled-state Enabled \

+ --http-port 80 \

+ --https-port 443

+```

+Repeat this step and add your second origin.

+```azurecli

+az afd origin create \

+ --resource-group myRGFD \

+ --host-name webappcontoso-02.azurewebsites.net \

+ --profile-name contosoafd \

+ --origin-group-name og \

+ --origin-name contoso2 \

+ --origin-host-header webappcontoso-02.azurewebsites.net \

+ --priority 1 \

+ --weight 1000 \

+ --enabled-state Enabled \

+ --http-port 80 \

+ --https-port 443

+```

+## Add a route

+Run [az afd route create](/cli/azure/afd/route#az-afd-route-create) to map your endpoint to the origin group. This route forwards requests from the endpoint to your origin group.

+```azurecli

+az afd route create \

+ --resource-group myRGFD \

+ --profile-name contosoafd \

+ --endpoint-name contosofrontend \

+ --forwarding-protocol MatchRequest \

+ --route-name route \

+ --https-redirect Enabled \

+ --origin-group og \

+ --supported-protocols Http Https \

+ --link-to-default-domain Enabled

+```

+## Create a new security policy

+### Create a WAF policy

+Run [az network front-door waf-policy create](/cli/azure/network/front-door/waf-policy#az-network-front-door-waf-policy-create) to create a new WAF policy for your Front Door. This example creates a policy that is enabled and in prevention mode.

+> [!NOTE]

+> Managed rules will only work with Front Door Premium SKU. You can opt for Standard SKU below to use custom rules.

+

+```azurecli

+az network front-door waf-policy create \

+ --name contosoWAF \

+ --resource-group myRGFD \

+ --sku Premium_AzureFrontDoor \

+ --disabled false \

+ --mode Prevention

+```

+> [!NOTE]

+> If you select `Detection` mode, your WAF doesn't block any requests.

+### Assign managed rules to the WAF policy

+Run [az network front-door waf-policy managed-rules add](/cli/azure/network/front-door/waf-policy/managed-rules#az-network-front-door-waf-policy-managed-rules-add) to add managed rules to your WAF Policy. This example adds Microsoft_DefaultRuleSet_1.2 and Microsoft_BotManagerRuleSet_1.0 to your policy.

+```azurecli

+az network front-door waf-policy managed-rules add \

+ --policy-name contosoWAF \

+ --resource-group myRGFD \

+ --type Microsoft_DefaultRuleSet \

+ --version 1.2

+```

+```azurecli

+az network front-door waf-policy managed-rules add \

+ --policy-name contosoWAF \

+ --resource-group myRGFD \

+ --type Microsoft_BotManagerRuleSet \

+ --version 1.0

+```

+### Create the security policy

+Run [az afd security-policy create](/cli/azure/afd/security-policy#az-afd-security-policy-create) to apply your WAF policy to the endpoint's default domain.

+> [!NOTE]

+> Substitute 'mysubscription' with your Azure Subscription ID in the domains and waf-policy parameters below. Run [az account subscription list](/cli/azure/aaccount/subscription#az-account-subscription-list) to get Subscription ID details.

+```azurecli

+az afd security-policy create \

+ --resource-group myRGFD \

+ --profile-name contosoafd \

+ --security-policy-name contososecurity \

+ --domains /subscriptions/mysubscription/resourcegroups/myRGFD/providers/Microsoft.Cdn/profiles/contosoafd/afdEndpoints/contosofrontend \

+ --waf-policy /subscriptions/mysubscription/resourcegroups/myRGFD/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/contosoWAF

+```

+## Verify Azure Front Door

+When you create the Azure Front Door Standard/Premium profile, it takes a few minutes for the configuration to be deployed globally. Once completed, you can access the frontend host you created.

+Run [az afd endpoint show](/cli/azure/afd/endpoint#az-afd-endpoint-show) to get the hostname of the Front Door endpoint.

+```azurecli

+az afd endpoint show --resource-group myRGFD --profile-name contosoafd --endpoint-name contosofrontend

+```

+In a browser, go to the endpoint hostname: `contosofrontend-<hash>.z01.azurefd.net`. Your request will automatically get routed to the least latent Web App in the origin group.

+To test instant global failover, we'll use the following steps:

+1. Open a browser, as described above, and go to the endpoint hostname: `contosofrontend-<hash>.z01.azurefd.net`.

+2. Stop one of the Web Apps by running [az webapp stop](/cli/azure/webapp#az-webapp-stop&preserve-view=true)

+ ```azurecli

+ az webapp stop --name WebAppContoso-01 --resource-group myRGFD

+ ```

+3. Refresh your browser. You should see the same information page.

+> [!TIP]

+> There is a little bit of delay for these actions. You might need to refresh again.

+4. Find the other web app, and stop it as well.

+ ```azurecli

+ az webapp stop --name WebAppContoso-02 --resource-group myRGFD

+ ```

+5. Refresh your browser. This time, you should see an error message.

+ :::image type="content" source="./media/create-front-door-portal/web-app-stopped-message.png" alt-text="Screenshot of the message: Both instances of the web app stopped":::

+6. Restart one of the Web Apps by running [az webapp start](/cli/azure/webapp#az-webapp-start&preserve-view=true). Refresh your browser and the page will go back to normal.

+ ```azurecli

+ az webapp start --name WebAppContoso-01 --resource-group myRGFD

+ ```

+## Clean up resources

+When you don't need the resources for the Front Door, delete both resource groups. Deleting the resource groups also deletes the Front Door and all its related resources.

+Run [az group delete](/cli/azure/group#az-group-delete&preserve-view=true):

+```azurecli

+az group delete --name myRGFD

+```

+## Next steps

+Advance to the next article to learn how to add a custom domain to your Front Door.

+> [!div class="nextstepaction"]

+> [Add a custom domain](standard-premium/how-to-add-custom-domain.md)

+> *Origin* and *origin group* in this article refers to the backend and backend pool of the Azure Front Door (classic) configuration.

+1. On the top left-hand side of the screen, select **Create a resource** > **Web App**.

+ :::image type="content" source="media/quickstart-create-front-door/front-door-create-web-app.png" alt-text="Create a web app in the Azure portal." lightbox="./media/quickstart-create-front-door/front-door-create-web-app.png":::

+ | **Runtime stack** | Select **.NET Core 3.1 (LTS)**. |

+ :::image type="content" source="media/quickstart-create-front-door/create-web-app.png" alt-text="Review summary for web app." lightbox="./media/quickstart-create-front-door/create-web-app.png":::

+1. From the home page or the Azure menu, select **Create a resource**. Select **Networking** > **See All** > **Front Door and CDN profiles**.

+1. On the Compare offerings page, select **Explore other offerings**. Then select **Azure Front Door (classic)**. Then select **Continue**.

+ :::image type="content" source="media/quickstart-create-front-door/add-frontend-host-azure-front-door.png" alt-text="Add a frontend host for Azure Front Door." lightbox="./media/quickstart-create-front-door/add-frontend-host-azure-front-door.png":::

+ :::image type="content" source="media/quickstart-create-front-door/front-door-add-backend-pool.png" alt-text="Add a backend pool." lightbox="./media/quickstart-create-front-door/front-door-add-backend-pool.png":::

+1. In the **Add a backend** pane, select the following information and select **Add**.

+ **Leave all other fields default.**

+ :::image type="content" source="media/quickstart-create-front-door/front-door-add-a-backend.png" alt-text="Add a backend host to your Front Door." lightbox="./media/quickstart-create-front-door/front-door-add-a-backend.png":::

+ **Leave all other fields default.**

+1. Select **Add** on the **Add a backend pool** pane to complete the configuration of the backend pool.

+ :::image type="content" source="media/quickstart-create-front-door/front-door-add-backend-pool-complete.png" alt-text="Add a backend pool for Azure Front Door." lightbox="./media/quickstart-create-front-door/front-door-add-backend-pool-complete.png":::

+ :::image type="content" source="media/quickstart-create-front-door/front-door-add-a-rule.png" alt-text="Add a rule to your Front Door." lightbox="./media/quickstart-create-front-door/front-door-add-a-rule.png":::

+ :::image type="content" source="media/quickstart-create-front-door/configuration-azure-front-door.png" alt-text="Configured Azure Front Door." lightbox="./media/quickstart-create-front-door/configuration-azure-front-door.png":::

+Once you create a Front Door, it takes a few minutes for the configuration to be deployed globally. Once complete, access the frontend host you created. In a browser, go to your frontend host address. Your request will automatically get routed to the nearest server to you from the specified servers in the backend pool.

+1. Open the resource group **FrontDoorQS_rg0** and select the frontend service.

+ :::image type="content" source="./media/quickstart-create-front-door/front-door-view-frontend-service.png" alt-text="Screenshot of frontend service." lightbox="./media/quickstart-create-front-door/front-door-view-frontend-service.png":::

+1. From the **Overview** page, copy the **Frontend host** address.

+ :::image type="content" source="./media/quickstart-create-front-door/front-door-view-frontend-host-address.png" alt-text="Screenshot of frontend host address." lightbox="./media/quickstart-create-front-door/front-door-view-frontend-host-address.png":::

+1. Open a browser, as described above, and go to your frontend address.

+ :::image type="content" source="media/quickstart-create-front-door/web-app-stopped-message.png" alt-text="Both instances of the web app stopped." lightbox="./media/quickstart-create-front-door/web-app-stopped-message.png":::

+ >This action is irreversible.

+Session affinity can be enabled the origin group level in Azure Front Door Standard and Premium tier and front end host level in Azure Front Door (classic) for each of your configured domains (or subdomains). Once enabled, Azure Front Door adds a cookie to the user's session. The cookies are called ASLBSA and ASLBSACORS. Cookie-based session affinity allows Front Door to identify different users even if behind the same IP address, which in turn allows a more even distribution of traffic between your different origins.

+> Session affinity will be established in the following circumstances:

+> - The response must include the `Cache-Control` header of *no-store*.

+> - If the response contains an `Authorization` header, it must not be expired.

+> - The response is an HTTP 302 status code.

+| Property | Supported values |

+|-|-|

+| Operator | <ul><li>Any operator from the [standard operator list](#operator-list).</li><li>**Wildcard**: Matches when the request path matches a wildcard expression. A wildcard expression can include the `*` character to match zero or more characters within the path. For example, the wildcard expression `files/customer*/file.pdf` matches the paths `files/customer1/file.pdf`, `files/customer109/file.pdf`, and `files/customer/file.pdf`, but does not match `files/customer2/anotherfile.pdf`.<ul><li>In the Azure portal: `Wildcards`, `Not Wildcards`</li><li>In ARM templates: `Wildcard`; use the `negateCondition` property to specify _Not Wildcards_</li></ul></li></ul> |

+| Value | One or more string or integer values representing the value of the request path to match. Don't include the leading slash. If multiple values are specified, they're evaluated using OR logic. |

+| Case transform | Any transform from the [standard string transforms list](#string-transform-list). |

+ 1. Consult the list of published service tags in [Network security group (NSG) service tags for Azure HDInsight](hdinsight-service-tags.md).

+Forced tunneling is a user-defined routing configuration where all traffic from a subnet is forced to a specific network or location, such as your on-premises network or Firewall. Forced tunneling of all data transfer back to on-premises is _not_ recommended due to large volumes of data transfer and potential performance impact.

+Customers who are interested to setup forced tunneling, should use [custom metastores](./hdinsight-use-external-metadata-stores.md) and setup the appropriate connectivity from the cluster subnet or on-premises network to these custom metastores.

+HDInsight can't depend on on-premises domain controllers or custom domain controllers, as it introduces too many fault points, credential sharing, DNS permissions, and so on. For more information, see [Azure AD DS FAQs](../../active-directory-domain-services/faqs.yml).

+* On-premises to Azure AD has to be enabled through AD Connect

+description: In this article, you'll learn how to use the MedTech service and Power BI

+The reference architecture below shows the basic components of using Microsoft cloud services to enable Power BI on top of Internet of Medical Things (IoMT) and Fast Healthcare Interoperability Resources (FHIR&#174;) data.

+MedTech service can ingest IoT data from most IoT devices or gateways whatever the location, data center, or cloud.

+Azure IoT Edge can be used in with IoT Hub to create an on-premises endpoint for devices and/or in-device connectivity.

+description: In this article, you'll learn how to use the MedTech service and Teams notifications

+When combining MedTech service, a Fast Healthcare Interoperability Resources (FHIR&#174;) service, and Teams, you can enable multiple care solutions.

+Below is the MedTech service to Teams notifications conceptual architecture for enabling the MedTech service, FHIR, and Teams Patient App.

+The MedTech service for can ingest IoT data from most IoT devices or gateways regardless of location, data center, or cloud.

+Azure IoT Edge can be used in with IoT Hub to create an on-premises end point for devices and/or in-device connectivity.

+| 404 | The Device Provisioning Service instance, or a resource (e.g. an enrollment) does not exist. | 404 Not Found|

+| 405 | The client service knows the request method, but the target service doesn't recognize this method; for example, a rest operations is missing the enrollment or registration Id parameters | 405 Method Not Allowed |

+| 409 | The request could not be completed due to a conflict with the current state of the target Device Provisioning Service instance; for example, the customer has already created the data point and is attempting to recreate the same datapoint again. | 409 Conflict |

+| 415 | The server refuses to accept the request because the payload format is in an unsupported format. For supported formats, see [Iot Hub Device Provisioning Service REST API](/rest/api/iot-dps/) | 415 Unsupported Media Type |

+For more information about Windows ARM64 supported processors, see [Windows Processor Requirements](/windows-hardware/design/minimum/windows-processor-requirements).

+| Size | Maximum direct method payload size is 128 KB for the request and 128 KB for the response. | Maximum desired properties size is 32 KB. | Up to 64 KB messages. |

+| Direct method¹ | Maximum direct method payload size is 128 KB for the request and 128 KB for the response. |

+- You may have a complex scenario that involves custom DNS servers and integration with on-premises networks. In that case, you need to control how names are translated to IP addresses.

+- To maintain separation of duties avoid assigning multiple roles to same principals.

+- Make sure you take regular backups of your HSM. Backups can be done at the HSM level and for specific keys.

+- To ensure long term portability and key durability, generate keys in your on-premise HSM and [import them to Managed HSM](hsm-protected-keys-byok.md). You will have a copy of your key securely stored in your on-premises HSM for future use.

+The example below shows how to create a 3072-bit **RSA** key that will be only used for **wrapKey, unwrapKey** operations (--ops).

+To import a key from your on-premises HSM to managed HSM, see [Import HSM-protected keys to Managed HSM (BYOK)](hsm-protected-keys-byok.md)

+Azure Key Vault Managed HSM (Hardware Security Module) is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables you to safeguard cryptographic keys for your cloud applications, using **FIPS 140-2 Level 3** validated HSMs.

+> [!NOTE]

+- **Fully managed**: HSM provisioning, configuration, patching, and maintenance is handled by the service.

+### Integrated with Azure and Microsoft PaaS/SaaS services

+### Import keys from your on-premises HSMs

+If you're using a [campus-wide license](https://www.mathworks.com/academia/tah-support-program/administrators.html), see directions at [download MATLAB installation files](https://www.mathworks.com/matlabcentral/answers/259632-how-can-i-get-matlab-installation-files-for-use-on-an-offline-machine) to download the MATLAB installer files on the template machine.

+Assuming the license server is located in an on-premises network or a private network within Azure, youΓÇÖll need to [Connect to your virtual network in Azure Lab Services](how-to-connect-vnet-injection.md) when creating your [lab plan](./tutorial-setup-lab-plan.md).

+1. Start the installer.

+1. On the **Confirm Selections and Download** page, select **Begin Download**.

+> Cost estimate is for example purposes only. For current details on pricing, see [Azure Lab Services Pricing](https://azure.microsoft.com/pricing/details/lab-services/).

+description: Learn how to set up a lab for engineering courses using SOLIDWORKS.

+SOLIDWORKS Network Licensing requires that you have SolidNetWork License Manager installed and activated on your license server. This license server is typically located in either your on-premises network or a private network within Azure. For more information on how to set up SolidNetWork License Manager on your server, see [Installing and Activating a License Manager](https://help.solidworks.com/2019/English/Installation/install_guide/t_installing_snl_lic_mgr.htm) in the SOLIDWORKS install guide. Remember the **port number** and [**serial number**](https://help.solidworks.com/2019/english/installation/install_guide/r_hid_state_serial_number.htm) that are used since they'll be needed in later steps.

+> You should verify that the appropriate ports are opened on your firewalls to allow communication between the lab virtual machines and the license server.

+| Virtual Machine Size | **Small GPU (Visualization)**. This VM is best suited for remote visualization, streaming, gaming, encoding using frameworks such as OpenGL and DirectX.|

+> Cost estimate is for example purposes only. For current details on pricing, see [Azure Lab Services Pricing](https://azure.microsoft.com/pricing/details/lab-services/).

+Before you choose which resource type to use, review this article to learn how the resources types and service environments compare to each other. You can then decide the type that's best for your scenario's needs, solution requirements, and the environment where you want to deploy and run your workflows.

+The following table briefly summarizes differences between the **Logic App (Standard)** resource type and the **Logic App (Consumption)** resource type. You also learn how the *single-tenant* environment differs from the *multi-tenant* environment and *integration service environment (ISE)* for deploying, hosting, and running your logic app workflows.

+These capabilities provide major improvements and substantial benefits compared to the multi-tenant model, which requires you to develop against an existing running resource in Azure. Also, the multi-tenant model for automating **Logic App (Consumption)** resource deployment is based on Azure Resource Manager templates (ARM templates), which combine and handle resource provisioning for both apps and infrastructure.

+By using standard build and deploy options, you can focus on app development separately from infrastructure deployment. As a result, you get a more generic project model where you can apply many similar or the same deployment options that you use for a generic app. You also benefit from a more consistent experience when you build deployment pipelines for your apps and when you run the required tests and validations before you publish to production.

+| Azure CLI | Logic Apps Azure CLI extension | [az logicapp](/cli/azure/logicapp) |

+| Azure Resource Manager | - [Local](https://github.com/Azure/logicapps/tree/master/azure-devops-sample#local) <br>- [DevOps](https://github.com/Azure/logicapps/tree/master/azure-devops-sample#devops) | [Single-tenant Azure Logic Apps](https://github.com/Azure/logicapps/tree/master/azure-devops-sample) |

+| Azure Arc-enabled Logic Apps | [Azure Arc-enabled Logic Apps sample](https://github.com/Azure/logicapps/tree/master/arc-enabled-logic-app-sample) | - [What is Azure Arc-enabled Logic Apps?](azure-arc-enabled-logic-apps-overview.md) <br><br>- [Create and deploy single-tenant based logic app workflows with Azure Arc-enabled Logic Apps](azure-arc-enabled-logic-apps-create-deploy-workflows.md) |

+For example, in the Azure portal, the **Logic apps** page shows both **Consumption** and **Standard** logic app resource types. In Visual Studio Code, deployed logic apps appear under your Azure subscription, but they're grouped by the extension that you used, namely **Azure: Logic Apps (Consumption)** and **Azure: Logic Apps (Standard)**.

+ Create a stateful workflow when you need to keep, review, or reference data from previous events. These workflows save all the operations' inputs, outputs, and states to external storage. This information makes reviewing the workflow run details and history possible after each run finishes. Stateful workflows provide high resiliency if outages happen. After services and systems are restored, you can reconstruct interrupted runs from the saved state and rerun the workflows to completion. Stateful workflows can continue running for much longer than stateless workflows.

+ By default, stateful workflows in both multi-tenant and single-tenant Azure Logic Apps run asynchronously. All HTTP-based actions follow the standard [asynchronous operation pattern](/azure/architecture/patterns/async-request-reply). After an HTTP action calls or sends a request to an endpoint, service, system, or API, the request receiver immediately returns a ["202 ACCEPTED"](https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.3) response. This code confirms that the receiver accepted the request but hasn't finished processing. The response can include a `location` header that specifies the URI and a refresh ID that the caller can use to poll or check the status for the asynchronous request until the receiver stops processing and returns a ["200 OK"](https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.1) success response or other non-202 response. However, the caller doesn't have to wait for the request to finish processing and can continue to run the next action. For more information, see [Asynchronous microservice integration enforces microservice autonomy](/azure/architecture/microservices/design/interservice-communication#synchronous-versus-asynchronous-messaging).

+ Create a stateless workflow when you don't need to keep, review, or reference data from previous events in external storage after each run finishes for later review. These workflows save all the inputs and outputs for each action and their states *in memory only*, not in external storage. As a result, stateless workflows have shorter runs that usually finish in 5 minutes or less, faster performance with quicker response times, higher throughput, and reduced running costs because external storage doesn't save the workflow run details and history. However, if outages happen, interrupted runs aren't automatically restored, so the caller needs to manually resubmit interrupted runs.

+ A stateless workflow provides the best performance when handling data or content that doesn't exceed 64 KB in *total* size, such as a file. Larger content sizes, such as multiple large attachments, might significantly slow your workflow's performance or even cause your workflow to crash due to out-of-memory exceptions. If your workflow might have to handle larger content sizes, use a stateful workflow instead.

+| Handles large messages | Best for handling small message sizes (under 64 KB) |

+ * You can create your own built-in connectors for any service that you need by using the [single-tenant Azure Logic Apps extensibility framework](https://techcommunity.microsoft.com/t5/integrations-on-azure/azure-logic-apps-running-anywhere-built-in-connector/ba-p/1921272). Similar to built-in connectors such as Azure Service Bus and SQL Server, custom built-in connectors provide higher throughput, low latency, and local connectivity because they run in the same process as the single-tenant runtime. However, custom built-in connectors aren't similar to [custom managed connectors](../connectors/apis-list.md#custom-connectors-and-apis), which aren't currently supported.

+For the **Logic App (Standard)** resource, these capabilities have changed, or they're currently limited, unavailable, or unsupported:

+There are two types of online endpoints: **managed online endpoints** and **Kubernetes online endpoints**.

+Managed online endpoints help to deploy your ML models in a turnkey manner. Managed online endpoints work with powerful CPU and GPU machines in Azure in a scalable, fully managed way. Managed online endpoints take care of serving, scaling, securing, and monitoring your models, freeing you from the overhead of setting up and managing the underlying infrastructure. The main example in this doc uses managed online endpoints for deployment.

+Kubernetes online endpoint allows you to deploy models and serve online endpoints at your fully configured and managed [Kubernetes cluster anywhere](./how-to-attach-kubernetes-anywhere.md),with CPUs or GPUs.

+| **Out-of-box monitoring** | [Azure Monitoring](how-to-monitor-online-endpoints.md) <br> (includes key metrics like latency and throughput) | Supported |

+| **Out-of-box logging** | [Azure Logs and Log Analytics at endpoint level](how-to-deploy-managed-online-endpoints.md#optional-integrate-with-log-analytics) | Unsupported |

+ Title: Configure Kubernetes cluster

+# Configure Kubernetes cluster for Azure Machine Learning

+Azure Machine Learning Kubernetes compute enables you to run training jobs such as AutoML, pipeline, and distributed jobs, or to deploy models as online endpoint or batch endpoint. Azure ML Kubernetes compute supports two kinds of Kubernetes cluster:

+* **[Azure Kubernetes Services](https://azure.microsoft.com/services/kubernetes-service/)** (AKS) cluster in Azure. With your own managed AKS cluster in Azure, you can gain security and controls to meet compliance requirement as well as flexibility to manage teams' ML workload.

+* **[Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md)** (Arc Kubernetes) cluster. With Arc Kubernetes cluster, you can train or deploy models in any infrastructure on-premises, across multi-cloud, or the edge.

+In this article, you can learn about steps to configure an existing Kubernetes cluster for Azure Machine Learning:

+* [Deploy AzureML extension to Kubernetes cluster](#deploy-azureml-extension-to-kubernetes-cluster)

+* [Attach Kubernetes cluster to Azure ML workspace](#attach-a-kubernetes-cluster-to-an-azure-ml-workspace)

+* [Create instance types for efficient compute resource utilization](#create-and-use-instance-types-for-efficient-compute-resource-utilization)

+* An AKS cluster is up and running in Azure.

+* or an Arc Kubernetes cluster is up and running. Follow instructions in [connect existing Kubernetes cluster to Azure Arc](../azure-arc/kubernetes/quickstart-connect-cluster.md).

+ * if this is Azure RedHat OpenShift Service (ARO) cluster or OpenShift Container Platform (OCP) cluster, please ensure to satisfy additional prerequisite step [here](./reference-kubernetes.md#prerequisites-for-aro-or-ocp-clusters).

+* The Kubernetes cluster must have minimum of 4 vCPU cores and 8GB memory.

+* Cluster running behind an outbound proxy server or firewall needs additional [network configurations](./how-to-access-azureml-behind-firewall.md#kubernetes-compute)

+* Install or upgrade Azure CLI to version 2.24.0 or higher.

+* Install or upgrade Azure CLI extension ```k8s-extension``` to version 1.2.3 or higher.

+## Deploy AzureML extension to Kubernetes cluster

+AzureML extension consists of a set of system components deployed to your Kubernetes cluster in `azureml` namespace, so you can enable your cluster to run an Azure ML workload - model training jobs or model endpoints. You can use an Azure CLI command ```k8s-extension create``` to deploy AzureML extension. General available (GA) version of AzureML extension is version 1.1.1 or higher.

+- **Use AKS cluster in Azure for a quick proof of concept, to run training jobs or to deploy models as online/batch endpoints**

+ For AzureML extension deployment on AKS cluster, make sure to specify ```managedClusters``` value for ```--cluster-type``` parameter. Run the following Azure CLI command to deploy AzureML extension:

+- **Use Arc Kubernetes cluster outside of Azure for a quick proof of concept, to run training jobs only**

+ For AzureML extension deployment on [Arc Kubernetes](../azure-arc/kubernetes/overview.md) cluster, you would need to specify ```connectedClusters``` value for ```--cluster-type``` parameter. Run the following Azure CLI command to deploy AzureML extension:

+ For AzureML extension deployment on AKS, make sure to specify ```managedClusters``` value for ```--cluster-type``` parameter. Assuming your cluster has more than 3 nodes, and you will use an Azure public load balancer and HTTPS for inference workload support. Run the following Azure CLI command to deploy AzureML extension:

+- **Enable an [Arc Kubernetes](../azure-arc/kubernetes/overview.md) cluster anywhere for production training and inference workload using NVIDIA GPUs**

+ For AzureML extension deployment on [Arc Kubernetes](../azure-arc/kubernetes/overview.md) cluster, make sure to specify ```connectedClusters``` value for ```--cluster-type``` parameter. Assuming your cluster has more than 3 nodes, you will use a NodePort service type and HTTPS for inference workload support, run following Azure CLI command to deploy AzureML extension:

+The UI experience to deploy extension is only available for **[Arc Kubernetes](../azure-arc/kubernetes/overview.md)**. If you have an AKS cluster without Azure Arc connection, you need to use CLI to deploy AzureML extension.

+1. Follow the prompts to deploy the extension. You can customize the installation by configuring the installation in the tab of **Basics**, **Configurations** and **Advanced**. For a detailed list of AzureML extension configuration settings, see [AzureML extension configuration settings](#review-azureml-extension-configuration-settings).

+### Key considerations for AzureML extension deployment

+AzureML extension deployment allows you to specify configuration settings needed for different workload support. Before AzureML extension deployment, **please read following carefully to avoid unnecessary extension deployment errors**:

+ * Type of workload to enable for your cluster. ```enableTraining``` and ```enableInference``` config settings are your convenient choices here; `enableTraining` will enable **training** and **batch scoring** workload, `enableInference` will enable **real-time inference** workload.

+ * For real-time inference support, it requires ```azureml-fe``` router service to be deployed for routing incoming inference requests to model pod, and you would need to specify ```inferenceRouterServiceType``` config setting for ```azureml-fe```. ```azureml-fe``` can be deployed with one of following ```inferenceRouterServiceType```:

+ * Type ```LoadBalancer```. Exposes ```azureml-fe``` externally using a cloud provider's load balancer. To specify this value, ensure that your cluster supports load balancer provisioning. Note most on-premises Kubernetes clusters might not support external load balancer.

+ * Type ```NodePort```. Exposes ```azureml-fe``` on each Node's IP at a static port. You'll be able to contact ```azureml-fe```, from outside of cluster, by requesting ```<NodeIP>:<NodePort>```. Using ```NodePort``` also allows you to set up your own load balancing solution and SSL termination for ```azureml-fe```.

+ * Type ```ClusterIP```. Exposes ```azureml-fe``` on a cluster-internal IP, and it makes ```azureml-fe``` only reachable from within the cluster. For ```azureml-fe``` to serve inference requests coming outside of cluster, it requires you to set up your own load balancing solution and SSL termination for ```azureml-fe```.

+ * For real-time inference support, to ensure high availability of ```azureml-fe``` routing service, AzureML extension deployment by default creates 3 replicas of ```azureml-fe``` for clusters having 3 nodes or more. If your cluster has **less than 3 nodes**, set ```inferenceLoadbalancerHA=False```.

+ * For real-time inference support, you would also want to consider using **HTTPS** to restrict access to model endpoints and secure the data that clients submit. For this purpose, you would need to specify either ```sslSecret``` config setting or combination of ```sslKeyPemFile``` and ```sslCertPemFile``` config settings. By default, AzureML extension deployment expects **HTTPS** support required, and you would need to provide above config setting. For development or testing purposes, **HTTP** support is conveniently provided through config setting ```allowInsecureConnections=True```.

+For a complete list of configuration settings available to choose at AzureML deployment time, see [Review AzureML extension config settings](#review-azureml-extension-configuration-settings)

+### Review AzureML extension configuration settings

+ |```enableTraining``` |```True``` or ```False```, default ```False```. **Must** be set to ```True``` for AzureML extension deployment with Machine Learning model training and batch scoring support. | **&check;**| N/A | **&check;** |

+ | ```allowInsecureConnections``` |```True``` or ```False```, default `False`. **Can** be set to ```True``` to use inference HTTP endpoints for development or test purposes. |N/A| Optional | Optional |

+ | ```inferenceRouterHA``` |```True``` or ```False```, default ```True```. By default, AzureML extension will deploy 3 inference router replicas for high availability, which requires at least 3 worker nodes in a cluster. Set to ```False``` if your cluster has fewer than 3 worker nodes, in this case only one inference router service is deployed. | N/A| Optional | Optional |

+ | ```sslCertPemFile```, ```sslKeyPemFile``` |Path to SSL certificate and key file (PEM-encoded), required for AzureML extension deployment with inference HTTPS endpoint support, when ``allowInsecureConnections`` is set to False. **Note** PEM file with pass phrase protected is not supported | N/A| Optional | Optional |

+## Attach a Kubernetes cluster to an Azure ML workspace

+Once AzureML extension is deployed on AKS or Arc Kubernetes cluster, you can attach the Kubernetes cluster to Azure ML workspace and create compute targets for ML professionals to use. Each attach operation creates a compute target in Azure ML workspace, and multiple attach operations on the same cluster will create multiple compute targets in a single Azure ML workspace or multiple Azure ML workspace.

+**AKS cluster**

+**Arc Kubernetes cluster**

+Attaching a Kubernetes cluster makes it available to your workspace for training or inferencing.

+1. Enter a compute name and select your Kubernetes cluster from the dropdown.

+## Create and use instance types for efficient compute resource utilization

+### What are instance types?

+Instance types are an Azure Machine Learning concept that allows targeting certain types of

+compute nodes for training and inference workloads. For an Azure VM, an example for an

+instance type is `STANDARD_D2_V3`.

+In Kubernetes clusters, instance types are represented in a custom resource definition (CRD) that is installed with the AzureML extension. Instance types are represented by two elements in AzureML extension:

+[nodeSelector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)

+and [resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).

+In short, a `nodeSelector` lets us specify which node a pod should run on. The node must have a

+corresponding label. In the `resources` section, we can set the compute resources (CPU, memory and

+NVIDIA GPU) for the pod.

+### Default instance type

+By default, a `defaultinstancetype` with following definition is created when you attach Kuberenetes cluster to AzureML workspace:

+- No `nodeSelector` is applied, meaning the pod can get scheduled on any node.

+- The workload's pods are assigned default resources with 0.6 cpu cores, 1536Mi memory and 0 GPU:

+```yaml

+resources:

+ requests:

+ cpu: "0.6"

+ memory: "1536Mi"

+ limits:

+ cpu: "0.6"

+ memory: "1536Mi"

+ nvidia.com/gpu: null

+```

+> [!NOTE]

+> - The default instance type purposefully uses little resources. To ensure all ML workloads

+run with appropriate resources, for example GPU resource, it is highly recommended to create custom instance types.

+> - `defaultinstancetype` will not appear as an InstanceType custom resource in the cluster when running the command ```kubectl get instancetype```, but it will appear in all clients (UI, CLI, SDK).

+> - `defaultinstancetype` can be overridden with a custom instance type definition having the same name as `defaultinstancetype` (see [Create custom instance types](#create-custom-instance-types) section)

+### Create custom instance types

+To create a new instance type, create a new custom resource for the instance type CRD. For example:

+```bash

+kubectl apply -f my_instance_type.yaml

+```

+With `my_instance_type.yaml`:

+```yaml

+apiVersion: amlarc.azureml.com/v1alpha1

+kind: InstanceType

+metadata:

+ name: myinstancetypename

+spec:

+ nodeSelector:

+ mylabel: mylabelvalue

+ resources:

+ limits:

+ cpu: "1"

+ nvidia.com/gpu: 1

+ memory: "2Gi"

+ requests:

+ cpu: "700m"

+ memory: "1500Mi"

+```

+The following steps will create an instance type with the labeled behavior:

+- Pods will be scheduled only on nodes with label `mylabel: mylabelvalue`.

+- Pods will be assigned resource requests of `700m` CPU and `1500Mi` memory.

+- Pods will be assigned resource limits of `1` CPU, `2Gi` memory and `1` NVIDIA GPU.

+> [!NOTE]

+> - NVIDIA GPU resources are only specified in the `limits` section as integer values. For more information,

+ see the Kubernetes [documentation](https://kubernetes.io/docs/tasks/manage-gpus/scheduling-gpus/#using-device-plugins).

+> - CPU and memory resources are string values.

+> - CPU can be specified in millicores, for example `100m`, or in full numbers, for example `"1"`

+ is equivalent to `1000m`.

+> - Memory can be specified as a full number + suffix, for example `1024Mi` for 1024 MiB.

+It's also possible to create multiple instance types at once:

+```bash

+kubectl apply -f my_instance_type_list.yaml

+```

+With `my_instance_type_list.yaml`:

+```yaml

+apiVersion: amlarc.azureml.com/v1alpha1

+kind: InstanceTypeList

+items:

+ - metadata:

+ name: cpusmall

+ spec:

+ resources:

+ requests:

+ cpu: "100m"

+ memory: "100Mi"

+ limits:

+ cpu: "1"

+ nvidia.com/gpu: 0

+ memory: "1Gi"

+ - metadata:

+ name: defaultinstancetype

+ spec:

+ resources:

+ requests:

+ cpu: "1"

+ memory: "1Gi"

+ limits:

+ cpu: "1"

+ nvidia.com/gpu: 0

+ memory: "1Gi"

+```

+The above example creates two instance types: `cpusmall` and `defaultinstancetype`. This `defaultinstancetype` definition will override the `defaultinstancetype` definition created when Kubernetes cluster was attached to AzureML workspace.

+If a training or inference workload is submitted without an instance type, it uses the `defaultinstancetype`. To specify a default instance type for a Kubernetes cluster, create an instance type with name `defaultinstancetype`. It will automatically be recognized as the default.

+### Select instance type to submit training job

+To select an instance type for a training job using CLI (V2), specify its name as part of the

+`resources` properties section in job YAML. For example:

+```yaml

+command: python -c "print('Hello world!')"

+environment:

+ image: library/python:latest

+compute: azureml:<compute_target_name>

+resources:

+ instance_type: <instance_type_name>

+```

+In the above example, replace `<compute_target_name>` with the name of your Kubernetes compute

+target and `<instance_type_name>` with the name of the instance type you wish to select. If there's no `instance_type` property specified, the system will use `defaultinstancetype` to submit job.

+### Select instance type to deploy model

+To select an instance type for a model deployment using CLI (V2), specify its name for `instance_type` property in deployment YAML. For example:

+```yaml

+name: blue

+app_insights_enabled: true

+endpoint_name: <endpoint name>

+model:

+ path: ./model/sklearn_mnist_model.pkl

+code_configuration:

+ code: ./script/

+ scoring_script: score.py

+instance_type: <instance type name>

+environment:

+ conda_file: file:./model/conda.yml

+ image: mcr.microsoft.com/azureml/openmpi3.1.2-ubuntu18.04:20210727.v1

+```

+In the above example, replace `<instance_type_name>` with the name of the instance type you wish to select. If there's no `instance_type` property specified, the system will use `defaultinstancetype` to deploy model.

+## Recommended best practices

+**Separation of responsibilities between the IT-operations team and data-science team.** Managing your own Kubernetes compute and infrastructure for ML workload requires Kubernetes admin privilege and expertise, and it is best to be done by IT-operations team so data-science team can focus on ML models for organizational efficiency.

+

+**Create and manage instance types for different ML workload scenarios.** Each ML workload uses different amounts of compute resources such as CPU/GPU and memory. Azure ML implements instance type as Kubernetes custom resource definition (CRD) with properties of nodeSelector and resource request/limit. With a carefully curated list of instance types, IT-operations can target ML workload on specific node(s) and manage compute resource utilization efficiently.

+**Multiple Azure ML workspaces share the same Kubernetes cluster.** You can attach Kubernetes cluster multiple times to the same Azure ML workspace or different Azure ML workspaces, creating multiple compute targets in one workspace or multiple workspaces. Since many customers organize data science projects around Azure ML workspace, multiple data science projects can now share the same Kubernetes cluster. This significantly reduces ML infrastructure management overheads as well as IT cost saving.

+**Team/project workload isolation using Kubernetes namespace.** When you attach Kubernetes cluster to Azure ML workspace, you can specify a Kubernetes namespace for the compute target and all workloads run by the compute target will be placed under the specified namespace.

+### Additional resources

+- [Kubernetes version and region availability](./reference-kubernetes.md#supported-kubernetes-version-and-region)

+- [Work with custom data storage](./reference-kubernetes.md#azureml-jobs-connect-with-custom-data-storage)

+| Databricks Runtime Version |always| 9.1 LTS|

+ * [Kubernetes](./how-to-attach-kubernetes-anywhere.md#attach-a-kubernetes-cluster-to-an-azure-ml-workspace)

+- ```ml-<workspace-name, truncated>-<region>-<per-workspace globally-unique identifier>.<region>.notebooks.azure.net```

+* `ml-<workspace-name, truncated>-<region>-<workspace-guid>.<region>.notebooks.azure.net`

+> 1. Create and attach your Kubernetes cluster as a compute target to your Azure Machine Learning workspace by using [Azure Machine Learning studio](how-to-attach-kubernetes-anywhere.md?&tabs=studio#attach-a-kubernetes-cluster-to-an-azure-ml-workspace).

+Kubernetes deployments are supported in v2 through AKS or Azure Arc, enabling Azure cloud and on-premises deployments managed by your organization.

+ Title: Reference for configuring Kubernetes cluster for Azure Machine Learning

+# Reference for configuring Kubernetes cluster for Azure Machine Learning

+## AzureML jobs connect with custom data storage

+| `instance_type` | string | The instance type used to place the inference workload. If omitted, the inference workload will be placed on the default instance type of the Kubernetes cluster specified in the endpoint's `compute` field. If specified, the inference workload will be placed on that selected instance type. <br><br> Note that the set of instance types for a Kubernetes cluster is configured via the Kubernetes cluster custom resource definition (CRD), hence they are not part of the Azure ML YAML schema for attaching Kubernetes compute.For more information, see [Create and select Kubernetes instance types](how-to-attach-kubernetes-anywhere.md#create-and-use-instance-types-for-efficient-compute-resource-utilization). | | |

+When you're ready to use the data in your cloud-based storage solution, we recommend the following data delivery workflow. This workflow assumes you have an [Azure storage account](/azure/storage/common/storage-account-create?tabs=azure-portal) and data in a cloud-based storage service in Azure.

+This quickstart demonstrates how to use the Azure CLI commands to configure a hybrid cluster. If you have existing datacenters in an on-premises or self-hosted environment, you can use Azure Managed Instance for Apache Cassandra to add other datacenters to that cluster and maintain them.

+* [Azure Virtual Network](../virtual-network/virtual-networks-overview.md) with connectivity to your self-hosted or on-premises environment. For more information on connecting on premises environments to Azure, see the [Connect an on-premises network to Azure](/azure/architecture/reference-architectures/hybrid-networking/) article.

+ > The Deployment of a Azure Managed Instance for Apache Cassandra requires internet access. Deployment fails in environments where internet access is restricted. Make sure you aren't blocking access within your VNet to the following vital Azure services that are necessary for Managed Cassandra to work properly. You can also find an extensive list of IP address and port dependencies [here](network-rules.md).

+1. Next, we will configure resources for our hybrid cluster. Since you already have a cluster, the cluster name here will only be a logical resource to identify the name of your existing cluster. Make sure to use the name of your existing cluster when defining `clusterName` and `clusterNameOverride` variables in the following script.

+ # --client-certificates /usr/csuser/clouddrive/rootCa.pem /usr/csuser/clouddrive/nodeKeyStore.crt_signed

+ > If your cluster already has node-to-node and client-to-node encryption, you should know where your existing client and/or gossip SSL certificates are kept. If you are uncertain, you should be able to run `keytool -list -keystore <keystore-path> -rfc -storepass <password>` to print the certs.

+ --node-count 9

+ > - Standard_E16s_v4

+ > - Standard_E32s_v4

+ > - Standard_D32s_v4

+ >

+ > Availability zones are not supported in all regions. Deployments will fail if you select a region where Availability zones are not supported. See [here](../availability-zones/az-overview.md#azure-regions-with-availability-zones) for supported regions. The successful deployment of availability zones is also subject to the availability of compute resources in all of the zones in the given region. Deployments may fail if the SKU you have selected, or capacity, is not available across all zones.

+ --data-center-name $dataCenterName

+1. The previous command outputs the new datacenter's seed nodes:

+ > If you want to add more datacenters, you can repeat the above steps, but you only need the seed nodes.

+ > If you are using hybrid cluster as a method of migrating historic data into the new Azure Managed Instance Cassandra data centers, ensure that you run `nodetool repair --full` on all the nodes in your existing cluster's data center. You should run this only after all of the above steps have been taken. This should ensure that all historical data is replicated to your new data centers in Azure Managed Instance for Apache Cassandra. If you have a very large amount of data in your existing cluster, it may be necessary to run the repairs at the keyspace or even table level - see [here](https://cassandra.apache.org/doc/latest/cassandra/operating/repair.html) for more details on running repairs in Cassandra. Prior to changing the replication settings, you should also make sure that any application code that connects to your existing Cassandra cluster is using LOCAL_QUORUM. You should leave it at this setting during the migration (it can be switched back afterwards if required).

+> [!NOTE]

+> The Azure Cosmos DB role assignment is used for deployment purposes only. Azure Managed Instanced for Apache Cassandra has no backend dependencies on Azure Cosmos DB.

+* [Azure Virtual Network](../virtual-network/virtual-networks-overview.md) with connectivity to your self-hosted or on-premises environment. For more information on connecting on premises environments to Azure, see the [Connect an on-premises network to Azure](/azure/architecture/reference-architectures/hybrid-networking/) article.

+ > - Standard_E16s_v4

+ > - Standard_E32s_v4

+ > - Standard_D32s_v4

+ >

+ > Availability zones are not supported in all regions. Deployments will fail if you select a region where Availability zones are not supported. See [here](../availability-zones/az-overview.md#azure-regions-with-availability-zones) for supported regions. The successful deployment of availability zones is also subject to the availability of compute resources in all of the zones in the given region. Deployments may fail if the SKU you have selected, or capacity, is not available across all zones.

+ --node-count 9

+> [!NOTE]

+> The Azure Cosmos DB role assignment is used for deployment purposes only. Azure Managed Instanced for Apache Cassandra has no backend dependencies on Azure Cosmos DB.

+- devx-track-azurecli

+This quickstart demonstrates how to use the Azure CLI commands to configure a multi-region cluster in Azure.

+* [Azure Virtual Network](../virtual-network/virtual-networks-overview.md) with connectivity to your self-hosted or on-premises environment. For more information on connecting on premises environments to Azure, see the [Connect an on-premises network to Azure](/azure/architecture/reference-architectures/hybrid-networking/) article.

+ > We explicitly add different IP address ranges to ensure no errors when peering.

+ --allow-forwarded-traffic

+ > If you add more regions, each VNet requires peering from it to all other VNets, and from all other VNets to it.

+ --node-count 3

+ > * Standard_E16s_v4

+ > * Standard_E32s_v4

+ > * Standard_D32s_v4

+> [!NOTE]

+> The Azure Cosmos DB role assignment is used for deployment purposes only. Azure Managed Instanced for Apache Cassandra has no backend dependencies on Azure Cosmos DB.

+No, there's no architectural dependency between Azure Managed Instance for Apache Cassandra and the Azure Cosmos DB backend.

+The service currently supports Cassandra versions 3.11 and 4.0. By default, version 3.11 is deployed, as version 4.0 is currently in public preview. See our [Azure CLI Quickstart](create-cluster-cli.md) (step 5) for specifying Cassandra version during cluster deployment.

+Yes, the SLA is published [here](https://azure.microsoft.com/support/legal/sla/managed-instance-apache-cassandra/v1_0/).

+Yes, you can configure a hybrid cluster with Azure Virtual Network injected data-centers deployed by the service. Managed Instance data-centers can communicate with on-premises data-centers within the same cluster ring.

+* The system currently doesn't perform a major compaction.

+* The version in Apache Cassandra is in the format `X.Y.Z`. You can control the deployment of major (X) and minor (Y) versions manually via service tools. Whereas the Cassandra patches (Z) that may be required for that major/minor version combination are done automatically.

+Azure Managed Instance for Apache Cassandra provides an [SLA](https://azure.microsoft.com/support/legal/sla/managed-instance-apache-cassandra/v1_0/) for the availability of data centers in a managed cluster. If you encounter any issues with using the service, file a [support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest) in the Azure portal.

+> * Poor data model or partition key strategy.

+> In the event that we investigate a support case and discover that the root cause of the issue is at the Apache Cassandra configuration level (and not any underlying platform level aspects we maintain), the case may be closed. Where possible, we will also provide recommendations and guidance on remediation. We therefore recommend you [enable metrics](visualize-prometheus-grafana.md) and/or become familiar with our [Azure monitor integration](monitor-clusters.md ) in order to prevent common application/configuration level issues in Apache Cassandra, such as the above.

+> Backups can be restored to the same VNet/subnet as your existing cluster, but they cannot be restored to the *same cluster*. Backups can only be restored to **new clusters**. Backups are intended for accidental deletion scenarios, and are not geo-redundant. They are therefore not recommended for use as a disaster recovery (DR) strategy in case of a total regional outage. To safeguard against region-wide outages, we recommend a multi-region deployment. Take a look at our [quickstart for multi-region deployments](create-multi-region-cluster.md).

+When a [hybrid](configure-hybrid-cluster.md) cluster is configured, automated reaper operations running in the service will benefit the whole cluster. This includes data centers that aren't provisioned by the service. Outside this, it is your responsibility to maintain your on-premises or externally hosted data center.

+Regardless of the migration option chosen, the first step to migrate a server using Azure Migration: Server Migration is to start replication for the server. This performs an initial replication of your VM/server data to Azure. After the initial replication is completed, an ongoing replication (ongoing delta-sync) is established to migrate incremental data to Azure. Once the operation reaches the delta-sync stage, you can choose to migrate to Azure at any time.

+### Can I use the same Azure Migrate project to migrate to multiple subscriptions?

+The Azure Migrate appliance in the agentless replication case compresses data and encrypts before uploading. Data is transmitted over a secure communication channel over https and uses TLS 1.2 or later. Additionally, Azure Storage automatically encrypts your data when it is persisted it to the cloud (encryption-at-rest).

+Test migration provides a way to test and validate migrations prior to the actual migration. Test migration works by letting you use a sandbox environment in Azure to test the virtual machines before actual migration. The sandbox environment is demarcated by a test virtual network you specify. The test migration operation is non-disruptive, provided the test VNet is sufficiently isolated. Isolated VNet here means the inbound and outbound connection rules are designed to avoid unwanted connections. For example ΓÇô connection to on-premises machines is restricted.

+You can use the Test Migration option to validate your application functionality and performance in Azure. You can perform any number of test migrations and can execute the final migration after establishing confidence through the test migration operation.

+A test migration doesnΓÇÖt impact the on-premises machine, which remains operational and continues replicating until you perform the actual migration. If there were any errors during the test migration UAT, you can choose to postpone the final migration and keep your source VM/server running and replicating to Azure. You can reattempt the final migration once you resolve the errors.

+Azure Migrate server migration capabilities support like for like migrations currently. We do not support consolidating servers or upgrading the operating system as part of the migration.

+### How do I throttle replication in using Azure Migrate appliance for agentless VMware replication?

+$ThrottleBandwidthAction = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-executionpolicy bypass -noprofile -file $ThrottleBandwidthScript"

+$IncreaseBandwidthAction = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-executionpolicy bypass -noprofile -file $IncreaseBandwidthScript"

+The agent-based migration method uses agent software installed on the server being migrated to replicate server data to Azure. The replication process uses an offload architecture in which the agent relays replication data to a dedicated replication server called the replication appliance or Configuration Server (or to a scale-out Process Server). [Learn more](./agent-based-migration-architecture.md) about how the agent-based migration option works.

+Premium plans are for production workloads and run on dedicated Virtual Machine instances. Each instance can support multiple applications and domains. The Isolated plans host your apps in a private, dedicated Azure environment and are ideal for apps that require secure connections with your on-premises network.

+- [Review](best-practices-assessment.md) best practices for creating assessments.

+ Title: Build a migration plan with Azure Migrate

+Before you start, understanding and evaluating your [motivation](/azure/cloud-adoption-framework/strategy/motivations) for moving to the cloud can contribute to a successful business outcome. As explained in the [Cloud Adoption Framework](/azure/cloud-adoption-framework), there are a number of triggers and outcomes.

+Datacenter exit | Cost

+Azure Migrate uses a lightweight Azure Migrate appliance to perform agentless discovery of on-premises VMware VMs, Hyper-V VMs, other virtualized servers, and physical servers. Continuous discovery collects server configuration information, and performance metadata, as well as application data. Here's what the appliance collects from on-premises servers:

+Along with data discovered with the Discovery and assessment tool, you can use your Configuration Management Database (CMDB) data to build a view of your server and database estate, and to understand how your servers are distributed across business units, application owners, geographies, etc. This helps decide which workloads to prioritize for migration.

+- **Ready for Azure**: Servers can be migrated as-is to Azure, without any changes.

+- **Not ready for Azure**: Servers can't be migrated to Azure as-is. Issues must be fixed in accordance with remediation guidance, before migration.

+After a server is marked as ready for Azure, Discovery and assessment makes sizing recommendations that identify the Azure VM SKU and disk type for your servers. You can get sizing recommendations based on performance history (to optimize resources as you migrate), or based on on-premises server settings, without performance history. In a database assessment, you can see recommendations for the database SKU, pricing tier, and compute level.

+Performance-based sizing option in Azure Migrate assessments helps you to right-size VMs, and should be used as a best practice for optimizing workloads in Azure. In addition to right-sizing, there are a few other options to help save Azure costs:

+- **Target region**: You can create assessments in different regions, to figure out whether migrating to a specific region might be more cost effective.

+You can view Discovery and assessment reports (with Azure readiness information, and monthly cost distribution) in the portal. You can also export assessment, and enrich your migration plan with additional visualizations. You can create multiple assessments, with different combinations of properties, and choose the set of properties that work best for your business.

+As you figure out the apps and workloads you want to migrate, identify downtime constraints for them, and look for any operational dependencies between your apps and the underlying infrastructure. This analysis helps you to plan migrations that meet your recovery time objective (RTO), and ensure minimal to zero data loss. Before you migrate, we recommend that you review and mitigate any compatibility issues, or unsupported features, that may block server/SQL database migration. The Azure Migrate Discovery and assessment report, and Azure Migrate Database Assessment, can help with this.

+To prioritize migration order, you can use strategic factors such as complexity, time-to-migrate, business urgency, production/non-production considerations, compliance, security requirements, application knowledge, etc.

+- **Start small, then go big**: Start by moving apps and workloads that present minimal risk and complexity, to build confidence in your migration strategy. Analyze Azure Migrate assessment recommendations together with your CMDB repository, to find and migrate dev/test workloads that might be candidates for pilot migrations. Feedback and learnings from pilot migrations can be helpful as you begin migrating production workloads.

+- **Comply**: Azure maintains the largest compliance portfolio in the industry, in terms of breadth and depth of offerings. Use compliance requirements to prioritize migrations, so that apps and workloads comply with your national, regional, and industry-specific standards and laws. This is especially true for organizations that deal with business-critical process, hold sensitive information, or are in heavily regulated industries. In these types of organizations, standards and regulations abound, and might change often, being difficult to keep up with.

+Before finalizing your migration plan, make sure you consider and mitigate other potential blockers, as follows:

+- **Training**: Prepare your organization for the digital transformation. A solid training foundation is important for successful organizational change. Check out free training on [Microsoft Learn](/learn/azure/?ocid=CM_Discovery_Checklist_PDF), including courses on Azure fundamentals, solution architectures, and security. Encourage your team to exploreΓÇ»[Azure certifications](https://www.microsoft.com/learning/certification-overview.aspx?ocid=CM_Discovery_Checklist_PDF).ΓÇ»

+- **Implementation support**: Get support for your implementation if you need it. Many organizations opt for outside help to support their cloud migration. To move to Azure quickly and confidently with personalized assistance, consider anΓÇ»[Azure Expert Managed Service Provider](https://www.microsoft.com/solution-providers/search?cacheId=9c2fed4f-f9e2-42fb-8966-4c565f08f11e&ocid=CM_Discovery_Checklist_PDF), orΓÇ»[FastTrack for Azure](https://azure.microsoft.com/programs/azure-fasttrack/?ocid=CM_Discovery_Checklist_PDF).ΓÇ»

+Create an effective cloud migration plan that includes detailed information about the apps you want to migrate, app/database availability, downtime constraints, and migration milestones. The plan considers how long the data copy will take, and include a realistic buffer for post-migration testing, and cut-over activities.

+A post-migration testing plan should include functional, integration, security, and performance testing and use cases, to ensure that migrated apps work as expected, and that all database objects, and data relationships, are transferred successfully to the cloud.

+Build a migration roadmap, and declare a maintenance window to migrate your apps and databases with minimal to zero downtime, and limit the potential operational and business impact during migration.

+- Azure DMS provides a fully managed service that's designed to enable seamless migrations from multiple database sources to Azure Data platforms, with minimal downtime.

+Number of disks | Two: The OS disk and the process server cache disk.

+Azure Payment HSM Service is a "BareMetal" service delivered using [Thales payShield 10K payment hardware security modules (HSM)](https://cpl.thalesgroup.com/encryption/hardware-security-modules/payment-hsms/payshield-10k) to provide cryptographic key operations for real-time, critical payment transactions in the Azure cloud. Azure Payment HSM is designed specifically to help a service provider and an individual financial institution accelerate their payment system's digital transformation strategy and adopt the public cloud. It meets the most stringent security, audit compliance, low latency, and high-performance requirements by the Payment Card Industry (PCI).

+Momentum is building as financial institutions move some or all of their payment applications to the cloud. This entails a migration from the legacy on-premises (on-prem) applications and HSMs to a cloud-based infrastructure that isn't generally under their direct control. Often it means a subscription service rather than perpetual ownership of physical equipment and software. Corporate initiatives for efficiency and a scaled-down physical presence are the drivers for this. Conversely, with cloud-native organizations, the adoption of cloud-first without any on-premises presence is their fundamental business model. Whatever the reason, end users of a cloud-based payment infrastructure expect reduced IT complexity, streamlined security compliance, and flexibility to scale their solution seamlessly as their business grows.

+End users of the service can leverage Microsoft security and compliance investments to increase their security posture. Microsoft maintains PCI DSS and PCI 3DS compliant Azure data centers, including those which house Azure Payment HSM solutions. The Azure Payment HSM solution can be deployed as part of a validated PCI P2PE / PCI PIN component or solution, helping to simplify ongoing security audit compliance. Thales payShield 10K HSMs deployed in the security infrastructure are certified to FIPS 140-2 Level 3 and PCI HSM v3.

+For existing Thales payShield customers wishing to add a cloud option, the Azure Payment HSM solution offers native access to a payment HSM in Azure for "lift and shift" while still experiencing the low latency they're accustomed to via their on-premise payShield HSMs. The solution also offers high-performance transactions for mission-critical payment applications. Consequently, customers can continue their digital transformation strategy by leveraging technology innovation in the cloud. Existing Thales payShield customers can utilize their existing remote management solutions (payShield Manager and payShield TMD together with associated smart card readers and smart cards as appropriate) to work with the Azure Payment HSM service. Customers new to payShield can source the hardware accessories from Thales or one of its partners before deploying their HSM as part of the subscription service.

+The solution provides clear benefits for both Payment HSM users with a legacy on-premise HSM footprint and those new payment ecosystem entrants with no legacy infrastructure to support and who may choose a cloud-native approach from the outset.

+- Lowers upfront investment via the Azure subscription model

+Single Server is a fully managed database service with minimal requirements for customizations of the database. The single server platform is designed to handle most of the database management functions such as patching, backups, high availability, security with minimal user configuration and control. The architecture is optimized to provide 99.99% availability on single availability zone. It supports community version of PostgreSQL 10 and 11. The service is generally available today in wide variety of [Azure regions](https://azure.microsoft.com/global-infrastructure/services/).

+- Ensure Visual C++ Redistributable for Visual Studio 2015 or higher is installed on the self-hosted integration runtime machine. If you don't have this update installed, [you can download it here](https://docs.microsoft.com/cpp/windows/latest-supported-vc-redist#visual-studio-2015-2017-2019-and-2022).

+* **Performance** set to 'Premium'. 'Standard' works as well, but has lower loading time characteristics when a model is loaded by the runtime.

+ "name": "myCustomSkill",

+### Accenture Cyber Threat Intelligence

+- [Learn about Accenture CTI integration with Microsoft Sentinel](https://www.accenture.com/us-en/services/security/cyber-defense).

+- Azure Container Apps

+# Integrate Apache Kafka on Confluent Cloud with Service Connector

+## Supported compute services

+- Azure Container Apps

+| Client type | System-assigned managed identity | User-assigned managed identity | Secret / connection string | Service principal |

+|--|-|--|--|-|

+| .NET | | |  | |

+| Java | | |  | |

+| Java - Spring Boot | | |  | |

+| Node.js | | |  | |

+| Python | | |  | |

+- Azure Container Apps

+## Supported authentication types and client types

+| Client type | System-assigned managed identity | User-assigned managed identity | Secret / connection string | Service principal |

+|--|--|--|--|--|

+| .NET |  |  |  |  |

+| Java |  |  |  |  |

+| Java - Spring Boot | | |  | |

+| Node.js |  |  |  |  |

+| Go |  |  |  |  |

+### Secret / Connection string

+### System-assigned managed identity

+### User-assigned managed identity

+### Service principal

+- Azure Container Apps

+- Azure Container Apps

+## Supported authentication types and client types

+| Client type | System-assigned managed identity | User-assigned managed identity | Secret / connection string | Service principal |

+#### System-assigned managed identity

+#### User-assigned managed identity

+#### Service principal

+#### Java - Spring Boot service principal

+- Azure Container Apps

+## Supported authentication types and client types

+| Client type | System-assigned managed identity | User-assigned managed identity | Secret / connection string | Service principal |

+||-|--|--|-|

+| .NET (MySqlConnector) | | |  | |

+| Java (JDBC) | | |  | |

+| Java - Spring Boot (JDBC) | | |  | |

+| Node.js (mysql) | | |  | |

+| Python (mysql-connector-python) | | |  | |

+| Python-Django | | |  | |

+| Go (go-sql-driver for mysql) | | |  | |

+| PHP (mysqli) | | |  | |

+| Ruby (mysql2) | | |  | |

+### .NET (MySqlConnector) secret / connection string

+### Java (JDBC) secret / connection string

+### Java - Spring Boot (JDBC) secret / connection string

+### Node.js (mysql) secret / connection string

+### Python (mysql-connector-python) secret / connection string

+### Python-Django secret / connection string

+### Go (go-sql-driver for mysql) secret / connection string

+### PHP (mysqli) secret / connection string

+### Ruby (mysql2) secret / connection string

+- Azure App Configuration

+## Supported authentication types and client types

+| Client type | System-assigned managed identity | User-assigned managed identity | Secret / connection string | Service principal |

+### .NET (ADO.NET) secret / connection string

+### Java (JDBC) secret / connection string

+### Java - Spring Boot (JDBC) secret / connection string

+### Node.js (pg) secret / connection string

+### Python (psycopg2) secret / connection string

+### Python-Django secret / connection string

+### Go (pg) secret / connection string

+### PHP (native) secret / connection string

+### Ruby (ruby-pg) secret / connection string

+- Azure Container Apps

+| Client type | System-assigned managed identity | User-assigned managed identity | Secret / connection string | Service principal |

+|--|-|--|--|-|

+| .NET (StackExchange.Redis) | | |  | |

+| Java (Jedis) | | |  | |

+| Java - Spring Boot (spring-boot-starter-data-redis) | | |  | |

+| Node.js (node-redis) | | |  | |

+| Python (redis-py) | | |  | |

+| Go (go-redis) | | |  | |

+### .NET (StackExchange.Redis) secret / connection string

+### Java (Jedis) secret / connection string

+### Java - Spring Boot (spring-boot-starter-data-redis) secret / connection string

+### Node.js (node-redis) secret / connection string

+### Python (redis-py) secret / connection string

+### Go (go-redis) secret / connection string

+- Azure Container Apps

+- Azure Container Apps

+| Client type | System-assigned managed identity | User-assigned managed identity | Secret / connection string | Service principal |

+|-|--|--|--|--|

+| .NET |  |  |  |  |

+- Azure Container Apps

+- Azure Container Apps

+## Supported authentication types and client types

+| Client type | System-assigned managed identity | User-assigned managed identity | Secret / connection string | Service principal |

+|--|--|--|--|--|

+| .NET |  |  |  |  |

+| Java |  |  |  |  |

+| Java - Spring Boot | | |  | |

+| Node.js |  |  |  |  |

+| Python |  |  |  |  |

+#### Secret / connection string

+#### system-assigned managed identity

+#### User-assigned managed identity

+#### Service principal

+#### Java - Spring Boot secret / connection string

+- Azure Container Apps

+## Supported authentication types and client types

+| Client Type | System-assigned managed identity | User-assigned managed identity | Secret / connection string | Service principal |

+|--|-|--|--|-|

+| .NET | | |  | |

+| Java | | |  | |

+| Java - Spring Boot | | |  | |

+| Node.js | | |  | |

+| Python | | |  | |

+| PHP | | |  | |

+| Ruby | | |  | |

+### .NET, Java, Node.JS, Python, PHP and Ruby secret / connection string

+### Java - Spring Boot secret / connection string

+- Azure Container Apps

+## Supported authentication types and client types

+| Client type | System-assigned managed identity | User-assigned managed identity | Secret / connection string | Service principal |

+#### Secret/ connection string

+#### System-assigned managed identity

+#### User-assigned managed identity

+#### Service principal

+#### Java - Spring Boot secret / connection string

+- Azure Container Apps

+## Supported authentication types and client types

+| Client type | System-assigned managed identity | User-assigned managed identity | Secret / connection string | Service principal |

+|-|-|--|--|-|

+| .NET | | |  | |

+| Java | | |  | |

+| Node.js | | |  | |

+| Python | | |  | |

+### .NET, Java, Node.JS and Python secret / connection string

+JIO | JIO India West<br/><br/>Replication cannot be done between JIO and non-JIO regions for Virtual Machines present in JIO subscriptions. This is because JIO subscriptions can have resources only in JIO regions.

+> Enabling replication for physical machines is not supported with this preview.

+C:\Windows\Temp\MicrosoftAzure

+C:\Program Files\Microsoft Azure to On-Premises Reprotect agent <br>

+> Enabling replication for physical machines is not supported with this preview.

+ **DRInstaller.ps1**

+> Ensure that .NET Framework 4.6.2 or higher is present on the on-premises server.

+HUB | Yes | Yes

+This article provides best practice guidelines that help you optimize performance, reduce costs, and secure your Data Lake Storage Gen2 enabled Azure Storage account.

+Azure Data Lake Storage Gen2 is not a dedicated service or account type. It's a set of capabilities that support high throughput analytic workloads. The Data Lake Storage Gen2 documentation provides best practices and guidance for using these capabilities. Refer to the [Blob storage documentation](storage-blobs-introduction.md) content, for all other aspects of account management such as setting up network security, designing for high availability, and disaster recovery.

+3. Scan feature articles for any guidance that is specific to Data Lake Storage Gen2 enabled accounts.

+When ingesting data from a source system, the source hardware, source network hardware, or the network connectivity to your storage account can be a bottleneck.

+Whether you are using on-premises machines or Virtual Machines (VMs) in Azure, make sure to carefully select the appropriate hardware. For disk hardware, consider using Solid State Drives (SSD) and pick disk hardware that has faster spindles. For network hardware, use the fastest Network Interface Controllers (NIC) as possible. On Azure, we recommend Azure D14 VMs, which have the appropriately powerful disk and networking hardware.

+The following table summarizes the key settings for several popular ingestion tools.

+| Tool | Settings |

+| [Azure Data Factory](../../data-factory/copy-activity-performance.md) | parallelCopies |

+| [Sqoop](/archive/blogs/shanyu/performance-tuning-for-hdinsight-storm-and-microsoft-azure-eventhubs) | fs.azure.block.size, -m (mapper) |

+Consider pre-planning the structure of your data. File format, file size, and directory structure can all impact performance and cost.

+Data can be ingested in various formats. Data can be appear in human readable formats such as JSON, CSV, or XML or as compressed binary formats such as `.tar.gz`. Data can come in various sizes as well. Data can be composed of large files (a few terabytes) such as data from an export of a SQL table from your on-premise systems. Data can also come in the form of a large number of tiny files (a few kilobytes) such as data from real-time events from an Internet of things (IoT) solution. You can optimize efficiency and costs by choosing an appropriate file format and file size.

+Larger files lead to better performance and reduced costs.

+Typically, analytics engines such as HDInsight have a per-file overhead that involves tasks such as listing, checking access, and performing various metadata operations. If you store your data as many small files, this can negatively affect performance. In general, organize your data into larger sized files for better performance (256 MB to 100 GB in size). Some engines and applications might have trouble efficiently processing files that are greater than 100 GB in size.

+Sometimes, data pipelines have limited control over the raw data, which has lots of small files. In general, we recommend that your system have some sort of process to aggregate small files into larger ones for use by downstream applications. If you're processing data in real time, you can use a real time streaming engine (such as [Azure Stream Analytics](../../stream-analytics/stream-analytics-introduction.md) or [Spark Streaming](https://databricks.com/glossary/what-is-spark-streaming)) together with a message broker (such as [Event Hub](../../event-hubs/event-hubs-about.md) or [Apache Kafka](https://kafka.apache.org/)) to store your data as larger files. As you aggregate small files into larger ones, consider saving them in a read-optimized format such as [Apache Parquet](https://parquet.apache.org/) for downstream processing.

+For Hive workloads, partition pruning of time-series data can help some queries read only a subset of the data, which improves performance.

+Start by reviewing the recommendations in the [Security recommendations for Blob storage](security-recommendations.md) article. You'll find best practice guidance about how to protect your data from accidental or malicious deletion, secure data behind a firewall, and use Azure Active Directory (Azure AD) as the basis of identity management.

+Then, review the [Access control model in Azure Data Lake Storage Gen2](data-lake-storage-access-control-model.md) article for guidance that is specific to Data Lake Storage Gen2 enabled accounts. This article helps you understand how to use Azure role-based access control (Azure RBAC) roles together with access control lists (ACLs) to enforce security permissions on directories and files in your hierarchical file system.

+There are many different sources of data and different ways in which that data can be ingested into a Data Lake Storage Gen2 enabled account.

+For example, you can ingest large sets of data from HDInsight and Hadoop clusters or smaller sets of *ad hoc* data for prototyping applications. You can ingest streamed data that is generated by various sources such as applications, devices, and sensors. For this type of data, you can use tools to capture and process the data on an event-by-event basis in real time, and then write the events in batches into your account. You can also ingest web server which contain information such as the history of page requests. For log data, consider writing custom scripts or applications to upload them so that you'll have the flexibility to include your data uploading component as part of your larger big data application.

+Once the data is available in your account, you can run analysis on that data, create visualizations, and even download data to your local machine or to other repositories such as an Azure SQL database or SQL Server instance.

+The following table recommends tools that you can use to ingest, analyze, visualize, and download data. Use the links in this table to find guidance about how to configure and use each tool.

+> This table doesn't reflect the complete list of Azure services that support Data Lake Storage Gen2. To see a list of supported Azure services, their level of support, see [Azure services that support Azure Data Lake Storage Gen2](data-lake-storage-supported-azure-services.md).

+Monitoring use and performance is an important part of operationalizing your service. Examples include frequent operations, operations with high latency, or operations that cause service-side throttling.

+Using the WASB driver as a client to a hierarchical namespace enabled storage account is not supported. Instead, we recommend that you use the [Azure Blob File System (ABFS)](data-lake-storage-abfs-driver.md) driver in your Hadoop environment. If you are trying to migrate off of an on-premises Hadoop environment with a version earlier than Hadoop branch-3, then please open an Azure Support ticket so that we can get in touch with you on the right path forward for you and your organization.

+Premium block blob storage accounts make data available via high-performance hardware. Data is stored on solid-state drives (SSDs) which are optimized for low latency. SSDs provide higher throughput compared to traditional hard drives. File transfer is much faster because data is stored on instantly accessible memory chips. All parts of a drive accessible at once. By contrast, the performance of a hard disk drive (HDD) depends on the proximity of data to the read/write heads.

+- **Interactive workloads**. Highly interactive and real-time applications must write data quickly. E-commerce and mapping applications often require instant updates and user feedback. For example, in an e-commerce application, less frequently viewed items are likely not cached. However, they must be instantly displayed to the customer on demand. Interactive editing or multi-player online gaming applications maintain a quality experience by providing real-time updates.

+In most cases, workloads executing more than 35 to 40 transactions per second per terabyte (TPS/TB) are good candidates for this type of account. For example, if your workload executes 500 million read operations and 100 million write operations in a month, then you can calculate the TPS/TB as follows:

+- Write transactions per second = 100,000,000 / (30 x 24 x 60 x 60) = **39** (_rounded to the nearest whole number_)

+- Total transactions per second = **193** + **39** = **232**

+- Assuming your account had **5TB** data on average, then TPS/TB would be **230 / 5** = **46**.

+> Prices differ per operation and per region. Use the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/) to compare pricing between standard and premium performance tiers.

+> If you prefer to evaluate cost effectiveness based on the number of transactions per second for each TB of data, you can use the column headings that appear at the bottom of the table.

+This section contains real-world examples of how some of our Azure Storage partners use premium block blob storage. Some of them also enable Azure Data Lake Storage Gen2 which introduces a hierarchical file structure that can further enhance transaction performance in certain scenarios.

+> If you have an analytics use case, we highly recommend that you use Azure Data Lake Storage Gen2 along with a premium block blob storage account.

+- [Premium block blob storage accounts](#premium-block-blob-storage-accounts)

+ - [High performance workloads](#high-performance-workloads)

+ - [Cost effectiveness](#cost-effectiveness)

+ - [Premium scenarios](#premium-scenarios)

+ - [Fast data hydration](#fast-data-hydration)

+ - [Interactive editing applications](#interactive-editing-applications)

+ - [Data visualization software](#data-visualization-software)

+ - [E-commerce businesses](#e-commerce-businesses)

+ - [Interactive analytics](#interactive-analytics)

+ - [Data processing pipelines](#data-processing-pipelines)

+ - [Internet of Things (IoT)](#internet-of-things-iot)

+ - [Machine Learning](#machine-learning)

+ - [Real-time streaming analytics](#real-time-streaming-analytics)

+ - [Getting started with premium](#getting-started-with-premium)

+ - [Check for Blob Storage feature compatibility](#check-for-blob-storage-feature-compatibility)

+ - [Create a new Storage account](#create-a-new-storage-account)

+ - [See also](#see-also)

+Premium block blob storage can help you *hydrate* or bring up your environment quickly. In industries such as banking, certain regulatory requirements might require companies to regularly tear down their environments, and then bring them back up from scratch. The data used to hydrate their environment must load quickly.

+In applications where multiple users edit the same content, the speed of updates becomes critical for a smooth user experience.

+Some of our partners develop video editing software. Any update that a user makes to a video is immediately visible to other users. Users can focus on their tasks instead of waiting for content updates to appear. The low latencies associated with premium block blob storage helps to create this seamless and collaborative experience.

+Users can be far more productive with data visualization software if rendering time is quick.

+We've seen companies in the mapping industry use mapping editors to detect issues with maps. These editors use data that is generated from customer Global Positioning System (GPS) data. To create map overlaps, the editing software renders small sections of a map by quickly performing key lookups.

+In addition to supporting their customer facing stores, e-commerce businesses might also provide data warehousing and analytics solutions to internal teams. We've seen partners use premium block blob storage accounts to support the low latency requirements by these data warehousing and analytics solutions. In one case, a catalog team maintains a data warehousing application for data that pertains to offers, pricing, ship methods, suppliers, inventory, and logistics. Information is queried, scanned, extracted, and mined for multiple use cases. The team runs analytics on this data to provide various merchandising teams with relevant insights and information.