+ "ui_locales":"en-US",

+## Daemons/server-side applications

+The [OAuth 2.0 client credentials flow](./client-credentials-grant-flow.md) is currently in public preview. You can also set up client credential flow using Azure AD and the Microsoft identity platform /token endpoint (`https://login.microsoftonline.com/your-tenant-name.onmicrosoft.com/oauth2/v2.0/token`) for a [Microsoft Graph application](microsoft-graph-get-started.md) or your own application. For more information, check out the [Azure AD token reference](../active-directory/develop/id-tokens.md) article.

+## Unsupported application types

+### Web API chains (on-behalf-of flow)

+ Title: Set up OAuth 2.0 client credentials flow

+description: Learn how to set up the OAuth 2.0 client credentials flow in Azure Active Directory B2C.

+zone_pivot_groups: b2c-policy-type

+# Set up OAuth 2.0 client credentials flow in Azure Active Directory B2C

+The OAuth 2.0 client credentials grant flow permits an app (confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling web resource, such as REST API. This type of grant is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user. These types of applications are often referred to as daemons or service accounts.

+In the client credentials flow, permissions are granted directly to the application itself by an administrator. When the app presents a token to a resource, the resource enforces that the app itself has authorization to perform an action since there's no user involved in the authentication. This article covers the steps needed to authorize an application to call an API, and how to get the tokens needed to call that API.

+## App registration overview

+To enable your app to sign in with client credentials and call a web API, you register two applications in the Azure AD B2C directory.

+- The **application** registration enables your app to sign in with Azure AD B2C. The app registration process generates an *application ID*, also known as the *client ID*, which uniquely identifies your app. You also create a *client secret*, which your app uses to securely acquire the tokens.

+- The **web API** registration enables your app to call a secure web API. The registration includes the web API *scopes*. The scopes provide a way to manage permissions to protected resources, such as your web API. Then, you grant your application permissions to the web API scopes. When an access token is requested, your app specifies the `.default` scope parameter of the request. Azure AD B2C returns the web API scopes granted to your app.

+The app architecture and registrations are illustrated in the following diagram:

+

+## Step 1. Register the web API app

+In this step you register the web API (**App 2**) with its scopes. Later you'll grant your application (**App 1**) permission to those scopes. If you already have such app registration, skip to the next step [Step 1.1 Define web API roles (scopes)](#step-11-define-web-api-roles-scopes).

+### Step 1.1 Define web API roles (scopes)

+In this step you configure the web API **Application ID URI**, then define **App roles**. The app *roles*, used by the OAuth 2.0 *scopes* and defined on an application registration representing your API. Your application uses the Application ID URI with the `.default` scope. To define app roles, follow these steps:

+1. Select the web API that you created, for example *my-api1*.

+1. Under **Manage**, select **Expose an API**.

+1. Next to **Application ID URI**, select the **Set** link. Replace the default value (GUID) with a unique name (for example, **api**), and then select **Save**.

+1. Copy the **Application ID URI**. The following screenshot shows how to copy the Application ID URI.

+ 

+1. Under **Manage**, select **Manifest** to open the application manifest editor.

+In the editor, locate the `appRoles` setting, and define app roles that target `applications`. Each app role definition must have a global unique identifier (GUID) for its `id` value. Generate

+a new GUID by running `new-guid`command in the Microsoft PowerShell, or an [online GUID generator](https://www.bing.com/search?q=online+guid+generator). The `value` property of each app role definition will appear in the scope, the `scp` claim. The `value` property

+can't contain spaces. The following example demonstrates two app roles, read and write:

+ ```json

+ "appRoles": [

+ {

+ "allowedMemberTypes": ["Application"],

+ "displayName": "Read",

+ "id": "d6a15e20-f83c-4264-8e61-5082688e14c8",

+ "isEnabled": true,

+ "description": "Readers have the ability to read tasks.",

+ "value": "app.read"

+ },

+ {

+ "allowedMemberTypes": ["Application"],

+ "displayName": "Write",

+ "id": "204dc4ab-51e1-439f-8c7f-31a1ebf3c7b9",

+ "isEnabled": true,

+ "description": "Writers have the ability to create tasks.",

+ "value": "app.write"

+ }],

+ ```

+1. At the top of the page, select **Save** to save the manifest changes.

+

+## Step 2. Register an application

+To enable your app to sign in with Azure AD B2C using client credentials flow, register your applications (**App 1**). To create the web API app registration, follow these steps:

+1. In the Azure portal, search for and select **Azure AD B2C**

+1. Select **App registrations**, and then select **New registration**.

+1. Enter a **Name** for the application. For example, *ClientCredentials_app*.

+1. Leave the other values as they are, and then select **Register**.

+1. Record the **Application (client) ID** for use in a later step.

+ 

+## Step 2.1 Create a client secret

+Create a client secret for the registered application. Your app uses the client secret to prove its identity when it requests tokens.

+1. Under **Manage**, select **Certificates & secrets**.

+1. Select **New client secret**.

+1. In the **Description** box, enter a description for the client secret (for example, *clientsecret1*).

+1. Under **Expires**, select a duration for which the secret is valid, and then select **Add**.

+1. Record the secret's **Value**. You'll use this value for configuration in a later step.

+

+ 

+## Step 2.2 Grant the app permissions for the web API

+To grant your app (**App 1**) permissions, follow these steps:

+1. Select **App registrations**, and then select the app that you created (**App 1**).

+1. Under **Manage**, select **API permissions**.

+1. Under **Configured permissions**, select **Add a permission**.

+1. Select the **My APIs** tab.

+1. Select the API (**App 2**) to which the web application should be granted access. For example, enter **my-api1**.

+1. Select **Application permission**.

+1. Under **Permission**, expand **app**, and then select the scopes that you defined earlier (for example, **app.read** and **app.write**).

+ 

+1. Select **Add permissions**.

+1. Select **Grant admin consent for \<*your tenant name*>**.

+1. Select **Yes**.

+1. Select **Refresh**, and then verify that **Granted for ...** appears under **Status** for both scopes.

+## Step 3. Obtain an access token

+There are no specific actions to enable the client credentials for user flows or custom policies. Both Azure AD B2C user flows and custom policies support the client credentials flow. If you haven't done so already, create a [user flow or a custom policy](add-sign-up-and-sign-in-policy.md). Then, use your favorite API development application to generate an authorization request. Construct a call like this example with the following information as the body of the POST request:

+`https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy>/oauth2/v2.0/token`

+- Replace `<tenant-name>` with the [name](tenant-management.md#get-your-tenant-name) of your Azure AD B2C tenant. For example, `contoso.b2clogin.com`.

+- Replace `<policy>` with the full name of your user flow, or custom policy. Note, all types of user flows and custom policies support client credentials flow. You can use any user flow or custom policy you have, or create a new one, such as sign-up or sign-in.

+| Key | Value |

+| | -- |

+| grant_type | `client_credentials` |

+| client_id | The **Client ID** from the [Step 2 Register an application](#step-2-register-an-application). |

+| client_secret | The **Client secret** value from [Step 2.1 Create a client secret](#step-21-create-a-client-secret). |

+| scope | The **Application ID URI** from [Step 1.1 Define web API roles (scopes)](#step-11-define-web-api-roles-scopes) and `.default`. For example `https://contoso.onmicrosoft.com/api/.default`, or `https://contoso.onmicrosoft.com/12345678-0000-0000-0000-000000000000/.default`.|

+The actual POST request looks like the following example:

+```https

+POST /<tenant-name>.onmicrosoft.com/B2C_1A_SUSI/oauth2/v2.0/token HTTP/1.1

+Host: <tenant-name>.b2clogin.com

+Content-Type: application/x-www-form-urlencoded

+grant_type=client_credentials&client_id=33333333-0000-0000-0000-000000000000&client_secret=FyX7Q~DuPJ...&scope=https%3A%2F%2Fcontoso.onmicrosoft.com%2Fapi%2F.default

+```

+```json

+{

+ "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlBFcG5OZDlnUkNWWUc2dUs...",

+ "token_type": "Bearer",

+ "not_before": 1645172292,

+ "expires_in": 3600,

+ "expires_on": 1645175892,

+ "resource": "33333333-0000-0000-0000-000000000000"

+}

+```

+Learn about the return [access token](tokens-overview.md) claims. The following table lists the claims that are related to the client credentials flow.

+| Claim | Description | Value |

+| -- | - | - |

+| `aud` | Identifies the intended recipient of the token. | The **Client ID** of the API. |

+| `sub` | The service principal associate with the application that initiated the request. | It's the service principal of the `client_id` of the authorization request. |

+| `azp` | Authorized party - the party to which the access token was issued. | The **Client ID** of the application that initiated the request. It's the same value you specified in the `client_id` of the authorization request. |

+| `scp` | The set of scopes exposed by your application API (space delimiter). | In client credentials flow, the authorization request asks for the `.default` scope, while the token contains the list of scopes exposed (and consented by the app administrator) by the API. For example, `app.read app.write`. |

+### Step 3.1 Obtain an access token with script

+Use the following PowerShell script to test your configuration:

+```powershell

+$appId = "<client ID>"

+$secret = "<client secret>"

+$endpoint = "https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy>/oauth2/v2.0/token"

+$scope = "<Your API id uri>/.default"

+$body = "granttype=client_credentials&scope=" + $scope + "&client_id=" + $appId + "&client_secret=" + $secret

+$token = Invoke-RestMethod -Method Post -Uri $endpoint -Body $body

+```

+Use the following cURL script to test your configuration:

+```bash

+curl --location --request POST 'https://<your-tenant>.b2clogin.com/<your-tenant>.onmicrosoft.com/<policy>/oauth2/v2.0/token' \

+--header 'Content-Type: application/x-www-form-urlencoded' \

+--form 'grant_type="client_credentials"' \

+--form 'client_id="<client ID>"' \

+--form 'client_secret="<client secret>"' \

+--form 'scope="<Your API id uri>/.default"'

+```

+## Step 4. Customize the token

+Custom policies provide a way to extend the token issuance process. To customize the user journey of the OAuth 2.0 Client credentials, follow the [guidance how to configure a client credentials user journey](https://github.com/azure-ad-b2c/samples/tree/master/policies/client_credentials_flow). Then, in the `JwtIssuer` technical profile, add the `ClientCredentialsUserJourneyId` metadata with a reference to the user journey you created.

+The following example shows how to add the `ClientCredentialsUserJourneyId` to the token issuer technical profile.

+```xml

+<TechnicalProfile Id="JwtIssuer">

+ <Metadata>

+ <Item Key="ClientCredentialsUserJourneyId">ClientCredentialsJourney</Item>

+ </Metadata>

+</TechnicalProfile>

+```

+The following example shows a client credentials user journey. The first and the last orchestration steps are required.

+```xml

+<UserJourneys>

+ <UserJourney Id="ClientCredentialsJourney">

+ <OrchestrationSteps>

+ <!-- [Required] Do the client credentials -->

+ <OrchestrationStep Order="1" Type="ClaimsExchange">

+ <ClaimsExchanges>

+ <ClaimsExchange Id="ClientCredSetupExchange" TechnicalProfileReferenceId="ClientCredentials_Setup" />

+ </ClaimsExchanges>

+ </OrchestrationStep>

+

+ <!-- [Optional] Call a REST API or claims transformation -->

+ <OrchestrationStep Order="2" Type="ClaimsExchange">

+ <ClaimsExchanges>

+ <ClaimsExchange Id="TokenAugmentation" TechnicalProfileReferenceId="TokenAugmentation" />

+ </ClaimsExchanges>

+ </OrchestrationStep>

+

+ <!-- [Required] Issue the access token -->

+ <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

+ </OrchestrationSteps>

+ </UserJourney>

+</UserJourneys>

+```

+

+## Next steps

+Learn how to [set up a resource owner password credentials flow in Azure AD B2C](add-ropc-policy.md)

+[Client credentials flow](client-credentials-grant-flow.md)| Preview | Preview | Allows access web-hosted resources by using the identity of an application. Commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user. |

+* Due to the geo-distributed nature of the Azure AD authentication service, there may be slight variance in the total number of failed sign-in attempts before a user gets locked out. For example, if the lockout threshold is set to 10, up to 12 total failed sign-in attempts may occur before the account is locked out.

+- To customize the experience further, you can [configure custom banned passwords for Azure AD password protection](tutorial-configure-custom-password-protection.md).

+- To help users reset or change their password from a web browser, you can [configure Azure AD self-service password reset](tutorial-enable-sspr.md).

+ - Microsoft Entra admin center

+>This information last updated on June 14th, 2022.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).

+| Dynamics 365 Customer Insights vTrial | DYN365_CUSTOMER_INSIGHTS_VIRAL | 036c2481-aa8a-47cd-ab43-324f0c157c2d | CDS_CUSTOMER_INSIGHTS_TRIAL (94e5cbf6-d843-4ee8-a2ec-8b15eb52019e)<br/>DYN365_CUSTOMER_INSIGHTS_ENGAGEMENT_INSIGHTS_BASE_TRIAL (e2bdea63-235e-44c6-9f5e-5b0e783f07dd)<br/>DYN365_CUSTOMER_INSIGHTS_VIRAL (ed8e8769-94c5-4132-a3e7-7543b713d51f)<br/>Forms_Pro_Customer_Insights (fe581650-cf61-4a09-8814-4bd77eca9cb5) | Common Data Service for Customer Insights Trial (94e5cbf6-d843-4ee8-a2ec-8b15eb52019e)<br/>Dynamics 365 Customer Insights Engagement Insights Viral (e2bdea63-235e-44c6-9f5e-5b0e783f07dd)<br/>Dynamics 365 Customer Insights Viral Plan (ed8e8769-94c5-4132-a3e7-7543b713d51f)<br/>Microsoft Dynamics 365 Customer Voice for Customer Insights (fe581650-cf61-4a09-8814-4bd77eca9cb5) |

+| Dynamics 365 Customer Voice | DYN365_CUSTOMER_VOICE_BASE | 359ea3e6-8130-4a57-9f8f-ad897a0342f1 | Customer_Voice_Base (296820fe-dce5-40f4-a4f2-e14b8feef383)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | Dynamics 365 Customer Voice Base Plan (296820fe-dce5-40f4-a4f2-e14b8feef383)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) |

+| Dynamics 365 for Case Management Enterprise Edition | DYN365_ENTERPRISE_CASE_MANAGEMENT | d39fb075-21ae-42d0-af80-22a2599749e0 | DYN365_ENTERPRISE_CASE_MANAGEMENT (2822a3a1-9b8f-4432-8989-e11669a60dc8)<br/>NBENTERPRISE (03acaee3-9492-4f40-aed4-bcb6b32981b6)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>PROJECT_ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)<br/>POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)<br/>FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba) | Dynamics 365 for Case Management (2822a3a1-9b8f-4432-8989-e11669a60dc8)<br/>Microsoft Social Engagement (03acaee3-9492-4f40-aed4-bcb6b32981b6)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Office for the Web (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>Project Online Essentials (1259157c-8581-4875-bca7-2ffb18c51bda)<br/>SharePoint (Plan 2) (5dbe027f-2339-4123-9542-606e4d348a72)<br/>Power Apps for Dynamics 365 (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)<br/>Power Automate for Dynamics 365 (7e6d7d78-73de-46ba-83b1-6d25117334ba) |

+| Dynamics 365 for Marketing Business Edition | DYN365_BUSINESS_MARKETING | 238e2f8d-e429-4035-94db-6926be4ffe7b | DYN365_BUSINESS_Marketing (393a0c96-9ba1-4af0-8975-fa2f853a25ac)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | Dynamics 365 Marketing (393a0c96-9ba1-4af0-8975-fa2f853a25ac)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) |

+| Enterprise Mobility + Security A3 for Faculty | EMS_EDU_FACULTY | aedfac18-56b8-45e3-969b-53edb4ba4952 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>AAD_EDU (3a3976ce-de18-4a87-a78e-5e9245e252df)<br/>AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>RMS_S_PREMIUM (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)<br/>RMS_S_ENTERPRISE (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>MFA_PREMIUM (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>ADALLOM_S_DISCOVERY (932ad362-64a8-4783-9106-97849a1a30b9)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>INTUNE_EDU (da24caf9-af8e-485c-b7c8-e73336da2693)<br/>WINDOWS_STORE (a420f25f-a7b3-4ff5-a9d0-5d58f73b537d) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Azure Active Directory for Education (3a3976ce-de18-4a87-a78e-5e9245e252df)<br/>Azure Active Directory Premium P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>Azure Information Protection Premium P1 (6c57d4b6-3b23-47a5-9bc9-69f17b4947b3)<br/>Azure Rights Management (bea4c11e-220a-4e6d-8eb8-8ea15d019f90)<br/>Microsoft Azure Multi-Factor Authentication (8a256a2b-b617-496d-b51b-e76466e88db0)<br/>Microsoft Defender for Cloud Apps Discovery (932ad362-64a8-4783-9106-97849a1a30b9)<br/>Microsoft Intune (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>Microsoft Intune for Education (da24caf9-af8e-485c-b7c8-e73336da2693)<br/>Windows Store Service (a420f25f-a7b3-4ff5-a9d0-5d58f73b537d) |

+| Microsoft 365 Apps for enterprise (device) | OFFICE_PROPLUS_DEVICE1 | ea4c5ec8-50e3-4193-89b9-50da5bd4cdc7 | OFFICE_PROPLUS_DEVICE (3c994f28-87d5-4273-b07a-eb6190852599) | Microsoft 365 Apps for Enterprise (Device) (3c994f28-87d5-4273-b07a-eb6190852599) |

+| Microsoft 365 Apps for Students | OFFICESUBSCRIPTION_STUDENT | c32f9321-a627-406d-a114-1f9c81aaafac | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>OFFICESUBSCRIPTION (43de0ff5-c92c-492b-9116-175376d08c38)<br/>OFFICE_FORMS_PLAN_2 (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>MICROSOFT_SEARCH (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>SHAREPOINTWAC_EDU (e03c7e47-402c-463c-ab25-949079bedb21)<br/>ONEDRIVESTANDARD (13696edf-5a08-49f6-8134-03083ed8ba30)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>WHITEBOARD_PLAN2 (94a54592-cd8b-425e-87c6-97868b000b91)<br/>RMS_S_BASIC (31cf2cfc-6b0d-4adc-a336-88b724ed8122) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Microsoft 365 Apps for Enterprise (43de0ff5-c92c-492b-9116-175376d08c38)<br/>Microsoft Forms (Plan 2) (9b5de886-f035-4ff2-b3d8-c9127bea3620)<br/>Microsoft Search (94065c59-bc8e-4e8b-89e5-5138d471eaff)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>Office for the Web for Education (e03c7e47-402c-463c-ab25-949079bedb21)<br/>OneDrive for Business (Plan 1) (13696edf-5a08-49f6-8134-03083ed8ba30)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>Whiteboard (Plan 2) (94a54592-cd8b-425e-87c6-97868b000b91<br/>Microsoft Azure Rights Management Service (31cf2cfc-6b0d-4adc-a336-88b724ed8122) |

+| Microsoft Defender for Office 365 (Plan 1) Faculty | ATP_ENTERPRISE_FACULTY | 26ad4b5c-b686-462e-84b9-d7c22b46837f | ATP_ENTERPRISE (f20fedf3-f3c3-43c3-8267-2bfdd51c0939) | Microsoft Defender for Office 365 (Plan 1) (f20fedf3-f3c3-43c3-8267-2bfdd51c0939) |

+| Microsoft PowerApps for Developer | POWERAPPS_DEV | 5b631642-bd26-49fe-bd20-1daaa972ef80 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>DYN365_CDS_DEV_VIRAL (d8c638e2-9508-40e3-9877-feb87603837b)<br/>FLOW_DEV_VIRAL (c7ce3f26-564d-4d3a-878d-d8ab868c85fe)<br/>POWERAPPS_DEV_VIRAL (a2729df7-25f8-4e63-984b-8a8484121554) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Common Data Service (d8c638e2-9508-40e3-9877-feb87603837b)<br/>Flow for Developer (c7ce3f26-564d-4d3a-878d-d8ab868c85fe)<br/>PowerApps for Developer (a2729df7-25f8-4e63-984b-8a8484121554) |

+| Power Apps per app plan (1 app or portal) | POWERAPPS_PER_APP_NEW | b4d7b828-e8dc-4518-91f9-e123ae48440d | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>CDSAICAPACITY_PERAPP (5d7a2e9a-4ee5-4f1c-bc9f-abc481bf39d8)<br/>DATAVERSE_POWERAPPS_PER_APP_NEW (6f0e9100-ff66-41ce-96fc-3d8b7ad26887)<br/>POWERAPPS_PER_APP_NEW (14f8dac2-0784-4daa-9cb2-6d670b088d64)<br/>Flow_Per_APP (c539fa36-a64e-479a-82e1-e40ff2aa83ee) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>AI Builder capacity Per App add-on (5d7a2e9a-4ee5-4f1c-bc9f-abc481bf39d8)<br/>Dataverse for Power Apps per app (6f0e9100-ff66-41ce-96fc-3d8b7ad26887)<br/>Power Apps per app (14f8dac2-0784-4daa-9cb2-6d670b088d64)<br/>Power Automate for Power Apps per App Plan (c539fa36-a64e-479a-82e1-e40ff2aa83ee) |

+| Power Apps Portals login capacity add-on Tier 2 (10 unit min) | POWERAPPS_PORTALS_LOGIN_T2 | 57f3babd-73ce-40de-bcb2-dadbfbfff9f7 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>CDS_POWERAPPS_PORTALS_LOGIN (32ad3a4e-2272-43b4-88d0-80d284258208)<br/>POWERAPPS_PORTALS_LOGIN (084747ad-b095-4a57-b41f-061d84d69f6f) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Common Data Service Power Apps Portals Login Capacity (32ad3a4e-2272-43b4-88d0-80d284258208)<br/>Power Apps Portals Login Capacity Add-On (084747ad-b095-4a57-b41f-061d84d69f6f) |

+When you delete an application, the application registration by default enters the soft-delete state. To understand the relationship between application registrations and service principals, see [Apps and service principals in Azure AD - Microsoft identity platform](../develop/app-objects-and-service-principals.md).

+Applications have two objects: the application registration and the service principal. For more information on the differences between the registration and the service principal, see [Apps and service principals in Azure AD](../develop/app-objects-and-service-principals.md).

+* Monitoring and data retention

+1. If the application is not already listed, then check if the application is available the [application gallery](../manage-apps/overview-application-gallery.md) for applications that can be integrated for federated SSO or provisioning. If it is in the gallery, then use the [tutorials](../saas-apps/tutorial-list.md) to configure the application for federation, and if it supports provisioning, also [configure the application](../app-provisioning/configure-automatic-user-provisioning-portal.md) for provisioning.

+* [Create an access review of a group or application](create-access-review.md)

+Staged rollout allows you to selectively test groups of users with cloud authentication capabilities like Azure AD Multi-Factor Authentication (MFA), Conditional Access, Identity Protection for leaked credentials, Identity Governance, and others, before cutting over your domains. This article discusses how to make the switch. Before you begin the staged rollout, however, you should consider the implications if one or more of the following conditions is true:

+- You have decided to move one of the following options:

+ - **Password hash synchronization (sync)**. For more information, see [What is password hash sync](whatis-phs.md)

+ - **Pass-through authentication**. For more information, see [What is pass-through authentication](how-to-connect-pta.md)

+ - **Azure AD Certificate-based authentication (CBA) settings**. For more information, see [What is pass-through authentication](../authentication/concept-certificate-based-authentication.md)

+You can roll out these options:

+- **Password hash sync** + **Seamless SSO**

+- **Pass-through authentication** + **Seamless SSO**

+- **Not supported** - **Password hash sync** + **Pass-through authentication** + **Seamless SSO**

+- **Certificate-based authentication settings**

+ For example, if you want to enable **Password Hash Sync** and **Seamless single sign-on**, slide both controls to **On**.

+Service Health events allow the addition of alerts and notifications to be applied to subscription events. Currently, this isn't yet supported with tenant events, but will be coming soon.

+* A Velpic tenant with the Enterprise plan or better enabled

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+The Azure Files Container Storage Interface (CSI) driver is a [CSI specification][csi-specification]-compliant driver used by Azure Kubernetes Service (AKS) to manage the lifecycle of Azure Files shares.

+The CSI is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. By adopting and using CSI, AKS now can write, deploy, and iterate plug-ins to expose new or improve existing storage systems in Kubernetes. Using CSI drivers in AKS avoids having to touch the core Kubernetes code and wait for its release cycles.

+To create an AKS cluster with CSI drivers support, see [Enable CSI drivers on AKS][csi-drivers-overview].

+## Azure Files CSI driver new features

+In addition to the original in-tree driver features, Azure Files CSI driver supports the following new features:

+- Network File System (NFS) version 4.1

+- [Private endpoint][private-endpoint-overview]

+- Creating large mount of file shares in parallel

+A [persistent volume (PV)][persistent-volume] represents a piece of storage that's provisioned for use with Kubernetes pods. A PV can be used by one or many pods and can be dynamically or statically provisioned. If multiple pods need concurrent access to the same storage volume, you can use Azure Files to connect by using the [Server Message Block (SMB)][smb-overview] or [NFS protocol][nfs-overview]. This article shows you how to dynamically create an Azure Files share for use by multiple pods in an AKS cluster. For static provisioning, see [Manually create and use a volume with an Azure Files share][azure-files-pvc-manual].

+When you use storage CSI drivers on AKS, there are two more built-in `StorageClasses` that use the Azure Files CSI storage drivers. The other CSI storage classes are created with the cluster alongside the in-tree default storage classes.

+The reclaim policy on both storage classes ensures that the underlying Azure Files share is deleted when the respective PV is deleted. The storage classes also configure the file shares to be expandable, you just need to edit the [persistent volume claim][persistent-volume-claim-overview] (PVC) with the new size.

+To use these storage classes, create a PVC and respective pod that references and uses them. A PVC is used to automatically provision storage based on a storage class. A PVC can use one of the pre-created storage classes or a user-defined storage class to create an Azure Files share for the desired SKU and size. When you create a pod definition, the PVC is specified to request the desired storage.

+Create an [example PVC and pod that prints the current date into an `outfile`](https://github.com/kubernetes-sigs/azurefile-csi-driver/blob/master/deploy/example/statefulset.yaml) by running the [kubectl apply][kubectl-apply] commands:

+```bash

+kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/deploy/example/pvc-azurefile-csi.yaml

+kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/deploy/example/nginx-pod-azurefile.yaml

+```

+The output of the command resembles the following example:

+```bash

+```bash

+kubectl exec nginx-azurefile -- ls -l /mnt/azurefile

+```

+The output of the command resembles the following example:

+```bash

+Create the storage class by running the [kubectl apply][kubectl-apply] command:

+```bash

+```

+The output of the command resembles the following example:

+```bash

+> This driver only supports snapshot creation, restore from snapshot is not supported by this driver. Snapshots can be restored from Azure portal or CLI. For more information about creating and restoring a snapshot, see [Overview of share snapshots for Azure Files][share-snapshots-overview].

+```bash

+kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/deploy/example/snapshot/volumesnapshotclass-azurefile.yaml

+```

+The output of the command resembles the following example:

+```bash

+kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/deploy/example/snapshot/volumesnapshot-azurefile.yaml

+```

+The output of the command resembles the following example:

+```bash

+Verify the snapshot was created correctly by running the following command:

+kubectl describe volumesnapshot azurefile-volume-snapshot

+```

+The output of the command resembles the following example:

+```bash

+```bash

+kubectl exec -it nginx-azurefile -- df -h /mnt/azurefile

+```

+The output of the command resembles the following example:

+```bash

+```bash

+kubectl patch pvc pvc-azurefile --type merge --patch '{"spec": {"resources": {"requests": {"storage": "200Gi"}}}}'

+```

+The output of the command resembles the following example:

+```bash

+```bash

+kubectl get pvc pvc-azurefile

+kubectl exec -it nginx-azurefile -- df -h /mnt/azurefile

+```

+The output of the command resembles the following example:

+```bash

+[Azure Files supports the NFS v4.1 protocol](../storage/files/storage-files-how-to-create-nfs-shares.md). NFS version 4.1 support for Azure Files provides you with a fully managed NFS file system as a service built on a highly available and highly durable distributed resilient storage platform.

+### Prerequsites

+- Your AKS clusters service principal or managed identity must be added to the Contributor role to the storage account.

+- Your AKS cluster *Control plane* identity (that is, your AKS cluster name) is added to the [Contributor](../role-based-access-control/built-in-roles.md#contributor) role in the resource group hosting the VNet.

+Create a ile named `nfs-sc.yaml` and copy the manifest below.

+```bash

+kubectl apply -f nfs-sc.yaml

+```

+The output of the command resembles the following example:

+```bash

+```bash

+kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/deploy/example/nfs/statefulset.yaml

+```

+The output of the command resembles the following example:

+```bash

+Validate the contents of the volume by running the following command:

+```bash

+kubectl exec -it statefulset-azurefile-0 -- df -h

+```

+The output of the command resembles the following example:

+```bash

+> Note that since NFS file share is in Premium account, the minimum file share size is 100GB. If you create a PVC with a small storage size, you might encounter an error similar to the following: *failed to create file share ... size (5)...*.

+The Azure Files CSI driver also supports Windows nodes and containers. To use Windows containers, follow the [Windows containers quickstart](./learn/quick-windows-container-deploy-cli.md) to add a Windows node pool.

+After you have a Windows node pool, use the built-in storage classes like `azurefile-csi` or create a custom one. You can deploy an example [Windows-based stateful set](https://github.com/kubernetes-sigs/azurefile-csi-driver/blob/master/deploy/example/windows/statefulset.yaml) that saves timestamps into a file `data.txt` by running the [kubectl apply][kubectl-apply] command:

+```bash

+kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/azurefile-csi-driver/master/deploy/example/windows/statefulset.yaml

+```

+The output of the command resembles the following example:

+```bash

+Validate the contents of the volume by running the following [kubectl exec][kubectl-exec] command:

+```bash

+kubectl exec -it busybox-azurefile-0 -- cat c:\\mnt\\azurefile\\data.txt # on Linux/MacOS Bash

+kubectl exec -it busybox-azurefile-0 -- cat c:\mnt\azurefile\data.txt # on Windows Powershell/CMD

+```

+The output of the commands resembles the following example:

+```bash

+[nfs-overview]:/windows-server/storage/nfs/nfs-overview

+[kubectl-exec]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#exec

+[csi-specification]: https://github.com/container-storage-interface/spec/blob/master/spec.md

+[csi-drivers-overview]: csi-storage-drivers.md

+[persistent-volume-claim-overview]: concepts-storage.md#persistent-volume-claims

+[azure-files-pvc-manual]: azure-files-volume.md

+[private-endpoint-overview]: ../private-link/private-endpoint-overview.md

+[persistent-volume]: concepts-storage.md#persistent-volumes

+[share-snapshots-overview]: ../storage/files/storage-snapshots-files.md

+ No, the pod subnet should be from the same VNet as the cluster.

+[aks-quickstart-powershell]: ./learn/quick-kubernetes-deploy-powershell.md

+[az-ad-group-show]: /cli/azure/ad/group#az_ad_group_show

+[arc-k8s-cluster]: ../azure-arc/kubernetes/quickstart-connect-cluster.md

+[supported-cloud-regions]: https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc

+> [!NOTE]

+> The container image versions shown in this guide have been tested to work with this example but may not be the latest version available.

+Open Service Mesh (OSM) is a supported service mesh that runs Azure Kubernetes Service (AKS):

+There are also service meshes provided by open-source projects and third parties that are commonly used with AKS. These open-source and third-party service meshes are not covered by the [AKS support policy][aks-support-policy].

+For more details on the service mesh landscape, see [Layer 5's Service Mesh Landscape][service-mesh-landscape].

+For more details service mesh standardization efforts:

+[aks-support-policy]: support-policies.md

+[aks-quickstart-powershell]: ./learn/quick-kubernetes-deploy-powershell.md

+[start-azakscluster]: /powershell/module/az.aks/start-azakscluster

+Azure will then automatically append a default suffix, such as `<location>.cloudapp.azure.com` (where location is the region you selected), to the name you provide, to create the fully qualified DNS name. For example:

+[ip-sku]: ../virtual-network/ip-services/public-ip-addresses.md#sku

+> AKS will create a system-assigned kubelet identity in the Node resource group if you do not [specify your own kubelet managed identity][Use a pre-created kubelet managed identity].

+[install-azure-cli]: /cli/azure/install-azure-cli

+If `identity-type=jwt` is configured, a JWT token is required to be validated. The audience of this token must be `https://azure-api.net/authorization-manager`.

+The `log-to-eventhub` policy sends messages in the specified format to an event hub defined by a Logger entity. As its name implies, the policy is used for saving selected request or response context information for online or offline analysis.

+The policy is not affected by Application Insights sampling. All invocations of the policy will be logged.

+- The policy is not affected by Application Insights sampling. All invocations of the policy will be logged.

+* **API Management landing zone accelerator**: [Reference architecture](/azure/architecture/example-scenario/integration/app-gateway-internal-api-management-function?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json) and [design guidance](/azure/cloud-adoption-framework/scenarios/app-platform/api-management/landing-zone-accelerator?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json)

+- [Convert JSON to XML](#ConvertJSONtoXML) - Converts request or response body from JSON to XML.

+- [Convert XML to JSON](#ConvertXMLtoJSON) - Converts request or response body from XML to JSON.

+- [Find and replace string in body](#Findandreplacestringinbody) - Finds a request or response substring and replaces it with a different substring.

+- [Mask URLs in content](#MaskURLSContent) - Rewrites (masks) links in the response body so that they point to the equivalent link via the gateway.

+- [Set backend service](#SetBackendService) - Changes the backend service for an incoming request.

+- [Set body](#SetBody) - Sets the message body for incoming and outgoing requests.

+- [Set HTTP header](#SetHTTPheader) - Assigns a value to an existing response and/or request header or adds a new response and/or request header.

+- [Set query string parameter](#SetQueryStringParameter) - Adds, replaces value of, or deletes request query string parameter.

+- [Rewrite URL](#RewriteURL) - Converts a request URL from its public form to the form expected by the web service.

+- [Transform XML using an XSLT](#XSLTransform) - Applies an XSL transformation to XML in the request or response body.

+ The `redirect-content-urls` policy rewrites (masks) links in the response body so that they point to the equivalent link via the gateway. Use in the outbound section to rewrite response body links to make them point to the gateway. Use in the inbound section for an opposite effect.

+If further transformation of the request is desired, other [Transformation policies](api-management-transformation-policies.md#TransformationPolicies) can be used. For example, to remove the version query parameter now that the request is being routed to a version specific backend, the [Set query string parameter](api-management-transformation-policies.md#SetQueryStringParameter) policy can be used to remove the now redundant version attribute.

+|sf-listener-name|Only applicable when the backend is a Service Fabric service and is specified using ΓÇÿbackend-idΓÇÖ. Service Fabric Reliable Services allows you to create multiple listeners in a service. This attribute is used to select a specific listener when a backend Reliable Service has more than one listener. If this attribute isn't specified, API Management will attempt to use a listener without a name. A listener without a name is typical for Reliable Services that have only one listener. |No|N/A|

+#### Example accessing the body as a string

+We are preserving the original request body so that we can access it later in the pipeline.

+#### Example accessing the body as a JObject

+Since we are not reserving the original request body, accessing it later in the pipeline will result in an exception.

+The `set-body` policy can be configured to use the [Liquid](https://shopify.github.io/liquid/basics/introduction/) templating language to transform the body of a request or response. This can be effective if you need to completely reshape the format of your message.

+#### Supported Liquid filters

+The following Liquid filters are supported in the `set-body` policy. For filter examples, see the [Liquid documentation](https://shopify.github.io/liquid/).

+> [!NOTE]

+> The policy requires Pascal casing for Liquid filter names (for example, "AtLeast" instead of "at_least").

+>

+* Abs

+* Append

+* AtLeast

+* AtMost

+* Capitalize

+* Compact

+* Currency

+* Date

+* Default

+* DividedBy

+* Downcase

+* Escape

+* First

+* H

+* Join

+* Last

+* Lstrip

+* Map

+* Minus

+* Modulo

+* NewlineToBr

+* Plus

+* Prepend

+* Remove

+* RemoveFirst

+* Replace

+* ReplaceFirst

+* Round

+* Rstrip

+* Size

+* Slice

+* Sort

+* Split

+* Strip

+* StripHtml

+* StripNewlines

+* Times

+* Truncate

+* TruncateWords

+* Uniq

+* Upcase

+* UrlDecode

+* UrlEncode

+ |**Web service URL** | https://api.github.com/users |

+Learn more about [access restriction policies](api-management-access-restriction-policies.md).

+* **API Management landing zone accelerator**: [Reference architecture](/azure/architecture/example-scenario/integration/app-gateway-internal-api-management-function?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json) and [design guidance](/azure/cloud-adoption-framework/scenarios/app-platform/api-management/landing-zone-accelerator?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json)

+* External API interfaces should be decoupled from the internal data implementation. Avoid binding API contracts directly to data contracts in backend services. Review the API design frequently, and deprecate and remove legacy properties using [versioning](api-management-versions.md) in API Management.

+This article explains how to configure common settings for web apps, mobile back end, or API app. For Azure Functions, see [App settings reference for Azure Functions](../azure-functions/functions-app-settings.md).

+az webapp up --runtime "PHP:8.0" --os-type=linux

+ az webapp up --runtime "PHP:8.0" --os-type=linux

+> [Tutorial: Python (Django) web app with PostgreSQL](./tutorial-python-postgresql-app.md)

+> [Tutorial: Run Python app in custom container](tutorial-custom-container.md)

+| `WEBSITE_ENABLE_DNS_CACHE` | Allows successful DNS resolutions to be cached. By Default expired DNS cache entries will be flushed & in addition to the existing cache to be flushed every 4.5 mins. | |

+> The [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory) NuGet package and Azure AD Authentication Library (ADAL) have been deprecated. No new features have been added since June 30, 2020. We strongly encourage you to upgrade, see the [migration guide](../../active-directory/develop/msal-migration.md) for more details.

+2. For an Azure VM running as a Hybrid Runbook Worker, use the **VM Managed Identity**. In this case, you can use either the VMΓÇÖs User-assigned Managed Identity **OR** the VMΓÇÖs System-assigned Managed Identity.

+ > This will **NOT** work in an Automation Account which has been configured with an Automation account Managed Identity. As soon as the Automation account Managed Identity is enabled, it is no longer possible to use the VM Managed Identity and then, it is only possible to use the Automation Account System-Assigned Managed Identity as mentioned in option 1 above.

+ Use any **one** of the following managed identities:

+

+ # [VM's system-assigned managed identity](#tab/sa-mi)

+

+

+ # [VM's user-assigned managed identity](#tab/ua-mi)

+

+**An Arc-enabled server running as a Hybrid Runbook Worker** already has a built-in System Managed Identity assigned to it which can be used for authentication.

+1. You can grant this Managed Identity access to resources in your subscription in the Access control (IAM) blade for the resource by adding the appropriate role assignment.

+ :::image type="content" source="./media/automation-hrw-run-runbooks/access-control-add-role-assignment.png" alt-text="Screenshot of how to select managed identities.":::

+

+2. Add the Azure Arc Managed Identity to your chosen role as required.

+ :::image type="content" source="./media/automation-hrw-run-runbooks/select-managed-identities-inline.png" alt-text="Screenshot of how to add role assignment in the Access control blade." lightbox="./media/automation-hrw-run-runbooks/select-managed-identities-expanded.png":::

+

+> [!NOTE]

+> This will **NOT** work in an Automation Account which has been configured with an Automation account Managed Identity. As soon as the Automation account Managed Identity is enabled, it is no longer possible to use the Arc Managed Identity and then, it is **only** possible to use the Automation Account System-Assigned Managed Identity as mentioned in option 1 above.

+New-AzConnectedMachineExtension -ResourceGroupName <VMResourceGroupName> -Location <VMLocation> -MachineName <VMName> -Name "HybridWorkerExtension" -Publisher "Microsoft.Azure.Automation.HybridWorker" -ExtensionType HybridWorkerForWindows -TypeHandlerVersion 0.1 -Setting $settings -NoWait

+New-AzConnectedMachineExtension -ResourceGroupName <VMResourceGroupName> -Location <VMLocation> -MachineName <VMName> -Name "HybridWorkerExtension" -Publisher "Microsoft.Azure.Automation.HybridWorker" -ExtensionType HybridWorkerForLinux -TypeHandlerVersion 0.1 -Setting $settings -NoWait

+ :::image type="content" source="./media/extension-based-hybrid-runbook-worker-install/basics-tab-portal.png" alt-text="Screenshot showing to enter name and credentials in basics tab.":::

+## Scenario: Runbook fails with "this.Client.SubscriptionId cannot be null." error message

+### Issue

+Your runbook using a managed identity Connect-AzAccount -Identity which attempts to manage Azure objects, fails to work successfully and logs the following error - `this.Client.SubscriptionId cannot be null.`

+```error

+get-azvm : 'this.Client.SubscriptionId' cannot be null. At line:5 char:1 + get-azvm + ~~~~~~~~ + CategoryInfo : CloseError: (:) [Get-AzVM], ValidationException + FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.GetAzureVMCommand

+```

+### Cause

+This can happen when the Managed Identity (or other account used in the runbook) has not been granted any permissions to access the subscription.

+### Resolution

+Grant the Managed Identity (or other account used in the runbook) an appropriate role membership in the subscription. [Learn more](../enable-managed-identity-for-automation.md#assign-role-to-a-system-assigned-managed-identity)

+## <a name="runbook-fails-no-permission"></a>Scenario: Runbook fails with "this.Client.SubscriptionId cannot be null." error message

+### Issue

+Your runbook using a managed identity Connect-AzAccount -Identity which attempts to manage Azure objects, fails to work successfully and logs the following error - `this.Client.SubscriptionId cannot be null.`

+```error

+get-azvm : 'this.Client.SubscriptionId' cannot be null. At line:5 char:1 + get-azvm + ~~~~~~~~ + CategoryInfo : CloseError: (:) [Get-AzVM], ValidationException + FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.GetAzureVMCommand

+```

+### Cause

+This can happen when the Managed Identity (or other account used in the runbook) has not been granted any permissions to access the subscription.

+### Resolution

+Grant the Managed Identity (or other account used in the runbook) an appropriate role membership in the subscription. [Learn more](../enable-managed-identity-for-automation.md#assign-role-to-a-system-assigned-managed-identity)

+- Learn more about [Azure Key Vault](../../key-vault/general/overview.md).

+- Empower developers and application teams to self-serve VM operations on-demand using [Azure role-based access control (RBAC)](../../role-based-access-control/overview.md).

+To Arc-enable a System Center VMM management server, deploy [Azure Arc resource bridge](../resource-bridge/overview.md) (preview) in the VMM environment. Arc resource bridge is a virtual appliance that connects VMM management server to Azure. Azure Arc resource bridge (preview) enables you to represent the SCVMM resources (clouds, VMs, templates etc.) in Azure and do various operations on them.

+[See how to create a Azure Arc VM](create-virtual-machine.md)

+1. To create a premium cache, sign in to the [Azure portal](https://portal.azure.com) and select **Create a resource**. You can create caches in the Azure portal. You can also create them using Resource Manager templates, PowerShell, or Azure CLI. For more information about creating an Azure Cache for Redis, see [Create a cache](cache-dotnet-how-to-use-azure-redis-cache.md#create-a-cache).

+ :::image type="content" source="media/cache-how-to-premium-persistence/create-resource.png" alt-text="Screenshot that shows a form to create an Azure Cache for Redis resource.":::

+ :::image type="content" source="media/cache-how-to-premium-persistence/select-cache.png" alt-text="Screenshot showing Azure Cache for Redis selected as a new database type.":::

+5. In the **Networking** tab, select your connectivity method. For premium cache instances, you connect either publicly, via Public IP addresses or service endpoints. You connect privately using a private endpoint.

+Use a second storage account for AOF persistence when you believe you've higher than expected set operations on the cache. Setting up the secondary storage account helps ensure your cache doesn't reach storage bandwidth limits.

+To be able to view Application Insights data from a function app, you must have at least Contributor role permissions on the function app. You also need to have the the [Monitoring Reader permission](../azure-monitor/roles-permissions-security.md#monitoring-reader) on the Application Insights instance. You have these permissions by default for any function app and Application Insights instance that you create.

+Permissions are effective at the function app level. The Contributor role is required to perform most function app-level tasks. You also need the Contributor role along with the [Monitoring Reader permission](../azure-monitor/roles-permissions-security.md#monitoring-reader) to be able to view log data in Application Insights. Only the Owner role can delete a function app.

+Start/Stop VMs v2 includes a [dashboard](../../azure-monitor/best-practices-analysis.md#azure-dashboards) to help you understand the management scope and recent operations against your VMs. It is a quick and easy way to verify the status of each operation thatΓÇÖs performed on your Azure VMs. The visualization in each tile is based on a Log query and to see the query, select the **Open in logs blade** option in the right-hand corner of the tile. This opens the [Log Analytics](../../azure-monitor/logs/log-analytics-overview.md#start-log-analytics) tool in the Azure portal, and from here you can evaluate the query and modify to support your needs, such as custom [log alerts](../../azure-monitor/alerts/alerts-log.md), a custom [workbook](../../azure-monitor/visualize/workbooks-overview.md), etc.

+The Azure CLI command [az maps account create](/cli/azure/maps/account?view=azure-cli-latest&preserve-view=true#az-maps-account-create) doesnΓÇÖt have a location property, but defaults to ΓÇ£globalΓÇ¥, making it useful for creating an Azure Maps account with a global region setting for use with the Geofence API async event.

+ - IMDS service is not running/accessible from the virtual machine. [Check if you can access IMDS from the machine](../../virtual-machines/windows/instance-metadata-service.md?tabs=windows). If not, [file a ticket](#file-a-ticket) with **Summary** as 'IMDS service not running' and **Problem type** as 'I need help configuring data collection from a VM'.

+| On-premises servers | No | [Virtual machine extension](./azure-monitor-agent-manage.md#virtual-machine-extension-details) (with Azure Arc agent) | Installs the agent using Azure extension framework, provided for on-premises by installing Arc agent |

+|Azure CLI | [az monitor alert](/cli/azure/monitor/metrics/alert) | [az monitor metrics alert](/cli/azure/monitor/metrics/alert) |

+ - Copy and paste this URL into the browser: [https://api.loganalytics.io/v1/version](https://api.loganalytics.io/v1/version). If you get an error, contact your IT administrator to allow the IP addresses associated with **api.loganalytics.io** listed [here](../app/ip-addresses.md#application-insights-and-log-analytics-apis).

+ - [System Center Service Manager](./itsmc-connections.md)

+* [Troubleshoot problems in ITSMC](./itsmc-resync-servicenow.md)

+description: Insert a few lines of code in your device or desktop app, webpage, or service to track usage and diagnose issues.

+Insert a few lines of code in your application to find out what users are doing with it, or to help diagnose issues. You can send telemetry from device and desktop apps, web clients, and web servers. Use the [Application Insights](./app-insights-overview.md) core telemetry API to send custom events and metrics and your own versions of standard telemetry. This API is the same API that the standard Application Insights data collectors use.

+The core API is uniform across all platforms, apart from a few variations like `GetMetric` (.NET only).

+| [`GetMetric`](#getmetric) |Zero and multidimensional metrics, centrally configured aggregation, C# only. |

+For [ASP.NET Core](asp-net-core.md) apps and [Non-HTTP/Worker for .NET/.NET Core](worker-service.md#how-can-i-track-telemetry-thats-not-automatically-collected) apps, get an instance of `TelemetryClient` from the dependency injection container as explained in their respective documentation.

+If you use Azure Functions v2+ or Azure WebJobs v3+, see [Monitor Azure Functions](../../azure-functions/functions-monitoring.md).

+If you see a message that tells you this method is obsolete, see [microsoft/ApplicationInsights-dotnet#1152](https://github.com/microsoft/ApplicationInsights-dotnet/issues/1152) for more information.

+`TelemetryClient` is thread safe.

+For ASP.NET and Java projects, incoming HTTP requests are automatically captured. You might want to create more instances of `TelemetryClient` for other modules of your app. For example, you might have one `TelemetryClient` instance in your middleware class to report business logic events. You can set properties such as `UserId` and `DeviceId` to identify the machine. This information is attached to all events that the instance sends.

+In Node.js projects, you can use `new applicationInsights.TelemetryClient(instrumentationKey?)` to create a new instance. We recommend this approach only for scenarios that require isolated configuration from the singleton `defaultClient`.

+In Application Insights, a *custom event* is a data point that you can display in [Metrics Explorer](../essentials/metrics-charts.md) as an aggregated count and in [Diagnostic Search](./diagnostic-search.md) as individual occurrences. (It isn't related to MVC or other framework "events.")

+Insert `TrackEvent` calls in your code to count various events. For example, you might want to track how often users choose a particular feature. Or you might want to know how often they achieve certain goals or make specific types of mistakes.

+### Custom events in Log Analytics

+The telemetry is available in the `customEvents` table on the [Application Insights Logs tab](../logs/log-query-overview.md) or [usage experience](usage-overview.md). Events might come from `trackEvent(..)` or the [Click Analytics Auto-collection plug-in](javascript-click-analytics-plugin.md).

+If [sampling](./sampling.md) is in operation, the `itemCount` property shows a value greater than `1`. For example, `itemCount==10` means that of 10 calls to `trackEvent()`, the sampling process transmitted only one of them. To get a correct count of custom events, use code such as `customEvents | summarize sum(itemCount)`.

+To learn how to effectively use the `GetMetric()` call to capture locally pre-aggregated metrics for .NET and .NET Core applications, see [Custom metric collection in .NET and .NET Core](./get-metric.md).

+> `Microsoft.ApplicationInsights.TelemetryClient.TrackMetric` isn't the preferred method for sending metrics. Metrics should always be pre-aggregated across a time period before being sent. Use one of the `GetMetric(..)` overloads to get a metric object for accessing SDK pre-aggregation capabilities.

+>

+> If you're implementing your own pre-aggregation logic, you can use the `TrackMetric()` method to send the resulting aggregates. If your application requires sending a separate telemetry item on every occasion without aggregation across time, you likely have a use case for event telemetry. See `TelemetryClient.TrackEvent

+(Microsoft.ApplicationInsights.DataContracts.EventTelemetry)`.

+Application Insights can chart metrics that aren't attached to particular events. For example, you could monitor a queue length at regular intervals. With metrics, the individual measurements are of less interest than the variations and trends, and so statistical charts are useful.

+To send metrics to Application Insights, you can use the `TrackMetric(..)` API. There are two ways to send a metric:

+* **Single value**. Every time you perform a measurement in your application, you send the corresponding value to Application Insights.

+ For example, assume you have a metric that describes the number of items in a container. During a particular time period, you first put three items into the container and then you remove two items. Accordingly, you would call `TrackMetric` twice. First, you would pass the value `3` and then pass the value `-2`. Application Insights stores both values for you.

+* **Aggregation**. When you work with metrics, every single measurement is rarely of interest. Instead, a summary of what happened during a particular time period is important. Such a summary is called _aggregation_.

+ In the preceding example, the aggregate metric sum for that time period is `1` and the count of the metric values is `2`. When you use the aggregation approach, you invoke `TrackMetric` only once per time period and send the aggregate values. We recommend this approach because it can significantly reduce the cost and performance overhead by sending fewer data points to Application Insights, while still collecting all relevant information.

+### Single value examples

+### Custom metrics in Log Analytics

+* `valueSum`: The sum of the measurements. To get the mean value, divide by `valueCount`.

+* `valueCount`: The number of measurements that were aggregated into this `trackMetric(..)` call.

+In a device or webpage app, page view telemetry is sent by default when each screen or page is loaded. But you can change the default to track page views at more or different times. For example, in an app that displays tabs or blades, you might want to track a page whenever the user opens a new blade.

+User and session data is sent as properties along with page views, so the user and session charts come alive when there's page view telemetry.

+By default, the times reported as **Page view load time** are measured from when the browser sends the request until the browser's page load event is called.

+### Page telemetry in Log Analytics

+In [Log Analytics](../logs/log-query-overview.md), two tables show data from browser operations:

+* `pageViews`: Contains data about the URL and page title.

+* `browserTimings`: Contains data about client performance like the time taken to process the incoming data.

+To discover the popularity of different browsers:

+The server SDK uses `TrackRequest` to log HTTP requests.

+The recommended way to send request telemetry is where the request acts as an <a href="#operation-context">operation context</a>.

+You can correlate telemetry items together by associating them with operation context. The standard request-tracking module does this for exceptions and other events that are sent while an HTTP request is being processed. In [Search](./diagnostic-search.md) and [Analytics](../logs/log-query-overview.md), you can easily find any events associated with the request by using its operation ID.

+For more information on correlation, see [Telemetry correlation in Application Insights](./correlation.md).

+When you track telemetry manually, the easiest way to ensure telemetry correlation is by using this pattern:

+Along with setting an operation context, `StartOperation` creates a telemetry item of the type that you specify. It sends the telemetry item when you dispose of the operation or if you explicitly call `StopOperation`. If you use `RequestTelemetry` as the telemetry type, its duration is set to the timed interval between start and stop.

+Telemetry items reported within a scope of operation become children of such an operation. Operation contexts could be nested.

+In **Search**, the operation context is used to create the **Related Items** list.

+

+For more information on custom operations tracking, see [Track custom operations with Application Insights .NET SDK](./custom-operations-tracking.md).

+### Requests in Log Analytics

+If [sampling](./sampling.md) is in operation, the `itemCount` property shows a value greater than `1`. For example, `itemCount==10` means that of 10 calls to `trackRequest()`, the sampling process transmitted only one of them. To get a correct count of requests and average duration segmented by request names, use code such as:

+The SDKs catch many exceptions automatically, so you don't always have to call `TrackException` explicitly:

+* **ASP.NET**: [Write code to catch exceptions](./asp-net-exceptions.md).

+* **Java EE**: [Exceptions are caught automatically](./java-in-process-agent.md).

+* **JavaScript**: Exceptions are caught automatically. If you want to disable automatic collection, add a line to the code snippet that you insert in your webpages:

+### Exceptions in Log Analytics

+If [sampling](./sampling.md) is in operation, the `itemCount` property shows a value greater than `1`. For example, `itemCount==10` means that of 10 calls to `trackException()`, the sampling process transmitted only one of them. To get a correct count of exceptions segmented by type of exception, use code such as:

+Most of the important stack information is already extracted into separate variables, but you can pull apart the `details` structure to get more. Because this structure is dynamic, you should cast the result to the type you expect. For example:

+Use `TrackTrace` to help diagnose problems by sending a "breadcrumb trail" to Application Insights. You can send chunks of diagnostic data and inspect them in [Diagnostic Search](./diagnostic-search.md).

+In .NET [Log adapters](./asp-net-trace-logs.md), use this API to send third-party logs to the portal.

+In Java, the [Application Insights Java agent](java-in-process-agent.md) autocollects and sends logs to the portal.

+`properties` | Map of string to string. More data is used to [filter exceptions](#properties) in the portal. Defaults to empty.

+`severityLevel` | Supported values: [SeverityLevel.ts](https://github.com/microsoft/ApplicationInsights-JS/blob/17ef50442f73fd02a758fbd74134933d92607ecf/shared/AppInsightsCommon/src/Interfaces/Contracts/Generated/SeverityLevel.ts).

+You can search on message content, but unlike property values, you can't filter on it.

+The size limit on `message` is much higher than the limit on properties. An advantage of `TrackTrace` is that you can put relatively long data in the message. For example, you can encode POST data there.

+You can also add a severity level to your message. And, like other telemetry, you can add property values to help you filter or search for different sets of traces. For example:

+### Traces in Log Analytics

+In [Application Insights Analytics](../logs/log-query-overview.md), calls to `TrackTrace` show up in the `traces` table.

+If [sampling](./sampling.md) is in operation, the `itemCount` property shows a value greater than `1`. For example, `itemCount==10` means that of 10 calls to `trackTrace()`, the sampling process transmitted only one of them. To get a correct count of trace calls, use code such as `traces | summarize sum(itemCount)`.

+Use the `TrackDependency` call to track the response times and success rates of calls to an external piece of code. The results appear in the dependency charts in the portal. The following code snippet must be added wherever a dependency call is made.

+> For .NET and .NET Core, you can alternatively use the `TelemetryClient.StartOperation` (extension) method that fills the `DependencyTelemetry` properties that are needed for correlation and some other properties like the start time and duration, so you don't need to create a custom timer as with the following examples. For more information, see the section on outgoing dependency tracking in [Track custom operations with Application Insights .NET SDK](./custom-operations-tracking.md#outgoing-dependencies-tracking).

+Remember that the server SDKs include a [dependency module](./asp-net-dependencies.md) that discovers and tracks certain dependency calls automatically, for example, to databases and REST APIs. You have to install an agent on your server to make the module work.

+In Java, many dependency calls can be automatically tracked by using the

+[Suppressing specific autocollected telemetry](./java-standalone-config.md#suppressing-specific-auto-collected-telemetry).

+### Dependencies in Log Analytics

+In [Application Insights Analytics](../logs/log-query-overview.md), `trackDependency` calls show up in the `dependencies` table.

+If [sampling](./sampling.md) is in operation, the `itemCount` property shows a value greater than 1. For example, `itemCount==10` means that of 10 calls to `trackDependency()`, the sampling process transmitted only one of them. To get a correct count of dependencies segmented by target component, use code such as:

+Normally, the SDK sends data at fixed intervals, typically 30 seconds, or whenever the buffer is full, which is typically 500 items. In some cases, you might want to flush the buffer. An example is if you're using the SDK in an application that shuts down.

+When you use `Flush()`, we recommend this [pattern](./console.md#full-example):

+When you use `FlushAsync()`, we recommend this pattern:

+We recommend always flushing as part of the application shutdown to guarantee that telemetry isn't lost.

+In a web app, users are [identified by cookies](./usage-segmentation.md#the-users-sessions-and-events-segmentation-tool) by default. A user might be counted more than once if they access your app from a different machine or browser, or if they delete cookies.

+If your app groups users into accounts, you can also pass an identifier for the account. The same character restrictions apply.

+You can also [search](./diagnostic-search.md) for client data points with specific user names and accounts.

+> The [EnableAuthenticationTrackingJavaScript property in the ApplicationInsightsServiceOptions class](https://github.com/microsoft/ApplicationInsights-dotnet/blob/develop/NETCORE/src/Shared/Extensions/ApplicationInsightsServiceOptions.cs) in the .NET Core SDK simplifies the JavaScript configuration needed to inject the user name as the Auth ID for each trace sent by the Application Insights JavaScript SDK.

+>

+>When this property is set to `true`, the user name from the user in the ASP.NET Core is printed along with [client-side telemetry](asp-net-core.md#enable-client-side-telemetry-for-web-applications). For this reason, adding `appInsights.setAuthenticatedUserContext` manually wouldn't be needed anymore because it's already injected by the SDK for ASP.NET Core. The Auth ID will also be sent to the server where the SDK in .NET Core will identify it and use it for any server-side telemetry, as described in the [JavaScript API reference](https://github.com/microsoft/ApplicationInsights-JS/blob/master/API-reference.md#setauthenticatedusercontext).

+>

+>For JavaScript applications that don't work in the same way as ASP.NET Core MVC, such as SPA web apps, you would still need to add `appInsights.setAuthenticatedUserContext` manually.

+## <a name="properties"></a>Filter, search, and segment your data by using properties

+You can attach properties and measurements to your events, metrics, page views, exceptions, and other telemetry data.

+There's a limit of 8,192 on the string length. If you want to send large chunks of data, use the message parameter of `TrackTrace`.

+*Metrics* are numeric values that can be presented graphically. For example, you might want to see if there's a gradual increase in the scores that your gamers achieve. The graphs can be segmented by the properties that are sent with the event so that you can get separate or stacked graphs for different games.

+Metric values should be greater than or equal to 0 to display correctly.

+> Make sure you don't log personally identifiable information in properties.

+> Don't reuse the same telemetry item instance (`event` in this example) to call `Track*()` multiple times. This practice might cause telemetry to be sent with incorrect configuration.

+### Custom measurements and properties in Log Analytics

+In [Log Analytics](../logs/log-query-overview.md), custom metrics and properties show in the `customMeasurements` and `customDimensions` attributes of each telemetry record.

+For example, if you add a property named "game" to your request telemetry, this query counts the occurrences of different values of "game" and shows the average of the custom metric "score":

+* When you extract a value from the `customDimensions` or `customMeasurements` JSON, it has dynamic type, so you must cast it `tostring` or `todouble`.

+* To take account of the possibility of [sampling](./sampling.md), use `sum(itemCount)` not `count()`.

+Sometimes you want to chart how long it takes to perform an action. For example, you might want to know how long users take to consider choices in a game. To obtain this information, use the measurement parameter.

+If you want to set default property values for some of the custom events that you write, set them in a `TelemetryClient` instance. They're attached to every telemetry item that's sent from that client.

+## Sample, filter, and process telemetry

+[Sampling](./api-filtering-sampling.md) is a packaged solution to reduce the volume of data that's sent from your app to the portal. It does so without affecting the displayed metrics. And it does so without affecting your ability to diagnose problems by navigating between related items like exceptions, requests, and page views.

+To learn more, see [Filter and preprocess telemetry in the Application Insights SDK](./api-filtering-sampling.md).

+## Disable telemetry

+To *disable selected standard collectors*, for example, performance counters, HTTP requests, or dependencies, delete or comment out the relevant lines in [ApplicationInsights.config](./configuration-with-applicationinsights-config.md). An example is if you want to send your own `TrackRequest` data.

+To *disable selected standard collectors*, for example, performance counters, HTTP requests, or dependencies, at initialization time, chain configuration methods to your SDK initialization code.

+To disable these collectors after initialization, use the Configuration object: `applicationInsights.Configuration.setAutoCollectRequests(false)`.

+During debugging, it's useful to have your telemetry expedited through the pipeline so that you can see results immediately. You also get other messages that help you trace any problems with the telemetry. Switch it off in production because it might slow down your app.

+For Node.js, you can enable developer mode by enabling internal logging via `setInternalLogging` and setting `maxBatchSize` to `0`, which causes your telemetry to be sent as soon as it's collected.

+## <a name="ikey"></a> Set the instrumentation key for selected custom telemetry

+Instead of getting the instrumentation key from the configuration file, you can set it in your code. Set the key in an initialization method, such as `global.aspx.cs` in an ASP.NET service:

+In webpages, you might want to set it from the web server's state instead of coding it literally into the script. For example, in a webpage generated in an ASP.NET app:

+`TelemetryClient` has a Context property, which contains values that are sent along with all telemetry data. They're normally set by the standard telemetry modules, but you can also set them yourself. For example:

+If you set any of these values yourself, consider removing the relevant line from [ApplicationInsights.config](./configuration-with-applicationinsights-config.md) so that your values and the standard values don't get confused.

+* **Device**: Data about the device where the app is running. In web apps, it's the server or client device that the telemetry is sent from.

+* **InstrumentationKey**: The Application Insights resource in Azure where the telemetry appears. It's usually picked up from `ApplicationInsights.config`.

+* **Operation**: In web apps, the current HTTP request. In other app types, you can set this value to group events together.

+ * **ID**: A generated value that correlates different events so that when you inspect any event in Diagnostic Search, you can find related items.

+ * **SyntheticSource**: If not null or empty, a string that indicates that the source of the request has been identified as a robot or web test. By default, it's excluded from calculations in Metrics Explorer.

+* **Session**: The user's session. The ID is set to a generated value, which is changed when the user hasn't been active for a while.

+* What exceptions might `Track_()` calls throw?

+ None. You don't need to wrap them in try-catch clauses. If the SDK encounters problems, it will log messages in the debug console output and, if the messages get through, in Diagnostic Search.

+* Is there a REST API to get data from the portal?

+ Yes, the [data access API](https://dev.applicationinsights.io/). Other ways to extract data include [export from Log Analytics to Power BI](./export-power-bi.md) and [continuous export](./export-telemetry.md).

+description: This article discusses server firewall exceptions that are required by Application Insights.

+[Azure Monitor](../overview.md) uses several IP addresses. Azure Monitor is made up of core platform metrics and logs in addition to Log Analytics and Application Insights. You might need to know IP addresses if the app or infrastructure that you're monitoring is hosted behind a firewall.

+> Although these addresses are static, it's possible that we'll need to change them from time to time. All Application Insights traffic represents outbound traffic with the exception of availability monitoring and webhooks, which require inbound firewall rules.

+You can use Azure [network service tags](../../virtual-network/service-tags-overview.md) to manage access if you're using Azure network security groups. If you're managing access for hybrid/on-premises resources, you can download the equivalent IP address lists as [JSON files](../../virtual-network/service-tags-overview.md#discover-service-tags-by-using-downloadable-json-files), which are updated each week. To cover all the exceptions in this article, use the service tags `ActionGroup`, `ApplicationInsightsAvailability`, and `AzureMonitor`.

+Alternatively, you can subscribe to this page as an RSS feed by adding https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/azure-monitor/app/ip-addresses.md to your favorite RSS/ATOM reader to get notified of the latest changes.

+You need to open some outgoing ports in your server's firewall to allow the Application Insights SDK or Status Monitor to send data to the portal.

+Status Monitor configuration is needed only when you're making changes.

+This is the list of addresses from which [availability web tests](./monitor-web-app-availability.md) are run. If you want to run web tests on your app but your web server is restricted to serving specific clients, you'll have to permit incoming traffic from our availability test servers.

+> For resources located inside private virtual networks that can't allow direct inbound communication with the availability test agents in public Azure, the only option is to [create and host your own custom availability tests](availability-azure-functions.md).

+If you're using Azure network security groups, add an *inbound port rule* to allow traffic from Application Insights availability tests. Select **Service Tag** as the **Source** and **ApplicationInsightsAvailability** as the **Source service tag**.

+>

+>

+Open port 80 (HTTP) and port 443 (HTTPS) for incoming traffic from these addresses. IP addresses are grouped by location.

+### IP addresses

+If you're looking for the actual IP addresses so that you can add them to the list of allowed IPs in your firewall, download the JSON file that describes Azure IP ranges. These files contain the most up-to-date information. For Azure public cloud, you might also look up the IP address ranges by location using the following table.

+After you download the appropriate file, open it by using your favorite text editor. Search for **ApplicationInsightsAvailability** to go straight to the section of the file that describes the service tag for availability tests.

+> These addresses are listed by using Classless Interdomain Routing notation. As an example, an entry like `51.144.56.112/28` is equivalent to 16 IPs that start at `51.144.56.112` and end at `51.144.56.127`.

+#### Azure public cloud

+Download [public cloud IP addresses](https://www.microsoft.com/download/details.aspx?id=56519).

+#### Azure US Government cloud

+Download [US Government cloud IP addresses](https://www.microsoft.com/download/details.aspx?id=57063).

+#### Azure China cloud

+Download [China cloud IP addresses](https://www.microsoft.com/download/details.aspx?id=57062).

+#### Addresses grouped by location (Azure public cloud)

+You might also want to [programmatically retrieve](../../virtual-network/service-tags-overview.md#use-the-service-tag-discovery-api) the current list of service tags together with IP address range details.

+## Application Insights and Log Analytics APIs

+## Application Insights analytics

+| Analytics portal | analytics.applicationinsights.io | dynamic | 80,443 |

+The *.applicationinsights.io domain is owned by the Application Insights team.

+## Log Analytics portal

+The *.loganalytics.io domain is owned by the Log Analytics team.

+## Application Insights Azure portal extension

+| Application Insights extension | stamp2.app.insightsportal.visualstudio.com | dynamic | 80,443 |

+| Application Insights extension CDN | insightsportal-prod2-cdn.aisvc.visualstudio.com<br/>insightsportal-prod2-asiae-cdn.aisvc.visualstudio.com<br/>insightsportal-cdn-aimon.applicationinsights.io | dynamic | 80,443 |

+## Action group webhooks

+You can query the list of IP addresses used by action groups by using the [Get-AzNetworkServiceTag PowerShell command](/powershell/module/az.network/Get-AzNetworkServiceTag).

+### Action group service tag

+Managing changes to source IP addresses can be time consuming. Using *service tags* eliminates the need to update your configuration. A service tag represents a group of IP address prefixes from a specific Azure service. Microsoft manages the IP addresses and automatically updates the service tag as addresses change, which eliminates the need to update network security rules for an action group.

+1. In the Azure portal under **Azure Services**, search for **Network Security Group**.

+1. Select **Add** and create a network security group:

+ 1. Add the resource group name, and then enter **Instance details** information.

+ 1. Select **Review + Create**, and then select **Create**.

+ :::image type="content" source="../alerts/media/action-groups/action-group-create-security-group.png" alt-text="Screenshot that shows how to create a network security group."border="true":::

+1. Go to **Resource Group**, and then select the network security group you created:

+ 1. Select **Inbound security rules**.

+ 1. Select **Add**.

+ :::image type="content" source="../alerts/media/action-groups/action-group-add-service-tag.png" alt-text="Screenshot that shows how to add inbound security rules." border="true":::

+1. A new window opens in the right pane:

+ 1. Under **Source**, enter **Service Tag**.

+ 1. Under **Source service tag**, enter **ActionGroup**.

+ 1. Select **Add**.

+

+ :::image type="content" source="../alerts/media/action-groups/action-group-service-tag.png" alt-text="Screenshot that shows how to add a service tag." border="true":::

+The [Microsoft Azure SDK lifecycle policy](/lifecycle/faq/azure) is followed when features are enhanced in a new SDK or before an SDK is designated as legacy. Microsoft strives to retain legacy SDK functionality, but newer features may not be available with older versions.

+|Unsupported ([support policy](/lifecycle/faq/azure)) | Any supported version | **UPDATE REQUIRED** |

+Activity logs you send to a [Log Analytics workspace](../logs/log-analytics-workspace-overview.md) are stored in a table called AzureActivity.

+Activity log insights are a curated [Log Analytics workbook](../visualize/workbooks-overview.md) with dashboards that visualize the data in the AzureActivity table. For example, which administrators deleted, updated or created resources, and whether the activities failed or succeeded.

+ * **Azure Activity Log Entries** shows the count of Activity log records in each activity log category.

+description: This overview describes Log Analytics, which is a tool in the Azure portal used to edit and run log queries for analyzing data in Azure Monitor logs.

+Log Analytics is a tool in the Azure portal that's used to edit and run log queries with data in Azure Monitor Logs.

+You might write a simple query that returns a set of records and then use features of Log Analytics to sort, filter, and analyze them. Or you might write a more advanced query to perform statistical analysis and visualize the results in a chart to identify a particular trend.

+Whether you work with the results of your queries interactively or use them with other Azure Monitor features, such as log query alerts or workbooks, Log Analytics is the tool that you'll use to write and test them.

+> This article describes Log Analytics and its features. If you want to jump right into a tutorial, see [Log Analytics tutorial](./log-analytics-tutorial.md).

+## Start Log Analytics

+To start Log Analytics in the Azure portal, on the **Azure Monitor** menu select **Logs**. You'll also see this option on the menu for most Azure resources. No matter where you start Log Analytics, the tool is the same. But the menu you use to start Log Analytics determines the data that's available.

+If you start Log Analytics from the **Azure Monitor** menu or the **Log Analytics workspaces** menu, you'll have access to all the records in a workspace. If you select **Logs** from another type of resource, your data will be limited to log data for that resource. For more information, see [Log query scope and time range in Azure Monitor Log Analytics](./scope.md).

+[](media/log-analytics-overview/start-log-analytics.png#lightbox)

+When you start Log Analytics, a dialog appears that contains [example queries](../logs/queries.md). The queries are categorized by solution. Browse or search for queries that match your requirements. You might find one that does exactly what you need. You can also load one to the editor and modify it as required. Browsing through example queries is a good way to learn how to write your own queries.

+If you want to start with an empty script and write it yourself, close the example queries. Select **Queries** at the top of the screen to get them back.

+The following image identifies four Log Analytics components.

+[](media/log-analytics-overview/log-analytics.png#lightbox)

+### Top action bar

+The top bar has controls for working with a query in the query window.

+| Scope | Specifies the scope of data used for the query. This could be all the data in a Log Analytics workspace or data for a particular resource across multiple workspaces. See [Query scope](./scope.md). |

+| Run button | Run the selected query in the query window. You can also select **Shift+Enter** to run a query. |

+| Time picker | Select the time range for the data available to the query. This action is overridden if you include a time filter in the query. See [Log query scope and time range in Azure Monitor Log Analytics](./scope.md). |

+| Save button | Save the query to **Query Explorer** for the workspace. |

+| Example queries button | Open the example queries dialog that appears when you first open Log Analytics. |

+| Query Explorer button | Open **Query Explorer**, which provides access to saved queries in the workspace. |

+### Left sidebar

+The sidebar on the left lists tables in the workspace, sample queries, and filter options for the current query.

+| Tables | Lists the tables that are part of the selected scope. Select **Group by** to change the grouping of the tables. Hover over a table name to display a dialog with a description of the table and options to view its documentation and preview its data. Expand a table to view its columns. Double-click a table or column name to add it to the query. |

+| Queries | List of example queries that you can open in the query window. This list is the same one that appears when you open Log Analytics. Select **Group by** to change the grouping of the queries. Double-click a query to add it to the query window or hover over it for other options. |

+| Filter | Creates filter options based on the results of a query. After you run a query, columns appear with different values from the results. Select one or more values, and then select **Apply & Run** to add a **where** command to the query and run it again. |

+### Query window

+The query window is where you edit your query. IntelliSense is used for KQL commands and color coding enhances readability. Select **+** at the top of the window to open another tab.

+A single window can include multiple queries. A query can't include any blank lines, so you can separate multiple queries in a window with one or more blank lines. The current query is the one with the cursor positioned anywhere in it.

+To run the current query, select the **Run** button or select **Shift+Enter**.

+### Results window

+The results of a query appear in the results window. By default, the results are displayed as a table. To display the results as a chart, select **Chart** in the results window. You can also add a **render** command to your query.

+The results view displays query results in a table organized by columns and rows. Click to the left of a row to expand its values. Select the **Columns** dropdown to change the list of columns. Sort the results by selecting a column name. Filter the results by selecting the funnel next to a column name. Clear the filters and reset the sorting by running the query again.

+Select **Group columns** to display the grouping bar above the query results. Group the results by any column by dragging it to the bar. Create nested groups in the results by adding more columns.

+The chart view displays the results as one of multiple available chart types. You can specify the chart type in a **render** command in your query. You can also select it from the **Visualization Type** dropdown.

+| Visualization type | Type of chart to display. |

+| X-axis | Column in the results to use for the x-axis.

+| Y-axis | Column in the results to use for the y-axis. Typically, this is a numeric column. |

+| Split by | Column in the results that defines the series in the chart. A series is created for each value in the column. |

+| Aggregation | Type of aggregation to perform on the numeric values in the y-axis. |

+If you've worked with the Azure Data Explorer web UI, Log Analytics should look familiar. That's because it's built on top of Azure Data Explorer and uses the same Kusto Query Language.

+Log Analytics adds features specific to Azure Monitor, such as filtering by time range and the ability to create an alert rule from a query. Both tools include an explorer that lets you scan through the structure of available tables. The Azure Data Explorer web UI primarily works with tables in Azure Data Explorer databases. Log Analytics works with tables in a Log Analytics workspace.

+Log Analytics is a tool in the Azure portal to edit and run log queries from data collected by Azure Monitor logs and interactively analyze their results. You can use Log Analytics queries to retrieve records that match particular criteria, identify trends, analyze patterns, and provide various insights into your data.

+This tutorial walks you through the Log Analytics interface, gets you started with some basic queries, and shows you how you can work with the results. You'll learn how to:

+> * Understand the log data schema.

+> * Write and run simple queries, and modify the time range for queries.

+> * Filter, sort, and group query results.

+> * View, modify, and share visuals of query results.

+> * Load, export, and copy queries and results.

+> In this tutorial, you'll use Log Analytics features to build one query and use another example query. When you're ready to learn the syntax of queries and start directly editing the query itself, read the [Kusto Query Language tutorial](/azure/data-explorer/kusto/query/tutorial?pivots=azuremonitor). That tutorial walks you through example queries that you can edit and run in Log Analytics. It uses several of the features that you'll learn in this tutorial.

+Open the [Log Analytics demo environment](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring_Logs/DemoLogsBlade), or select **Logs** from the Azure Monitor menu in your subscription. This step sets the initial scope to a Log Analytics workspace so that your query selects from all data in that workspace. If you select **Logs** from an Azure resource's menu, the scope is set to only records from that resource. For details about the scope, see [Log query scope](./scope.md).

+The left side of the screen includes the **Tables** tab, where you can inspect the tables that are available in the current scope. These tables are grouped by **Solution** by default, but you can change their grouping or filter them.

+Expand the **Log Management** solution and locate the **AppRequests** table. You can expand the table to view its schema, or hover over its name to show more information about it.

+This is the simplest query that we can write. It just returns all the records in a table. Run it by selecting the **Run** button or by selecting **Shift+Enter** with the cursor positioned anywhere in the query text.

+You can see that we do have results. The number of records that the query has returned appears in the lower-right corner.

+All queries return records generated within a set time range. By default, the query returns records generated in the last 24 hours.

+You can set a different time range by using the [where operator](/azure/data-explorer/kusto/query/tutorial?pivots=azuremonitor#filter-by-boolean-expression-where-1) in the query. You can also use the **Time range** dropdown list at the top of the screen.

+Let's change the time range of the query by selecting **Last 12 hours** from the **Time range** dropdown. Select **Run** to return the results.

+> Changing the time range by using the **Time range** dropdown doesn't change the query in the query editor.

+Let's reduce our results further by adding another filter condition. A query can include any number of filters to target exactly the set of records that you want. Select **Get Home/Index** under **Name**, and then select **Apply & Run**.

+Select the name of any column to sort the results by that column. Select the filter icon next to it to provide a filter condition. This action is similar to adding a filter condition to the query itself, except that this filter is cleared if the query is run again. Use this method if you want to quickly analyze a set of records as part of interactive analysis.

+For example, set a filter on the **DurationMs** column to limit the records to those that took more than **150** milliseconds.

+Let's search through the query results by using the search box at the top right of the results pane.

+Enter **Chicago** in the query results search box, and select the arrows to find all instances of this string in your search results.

+Select **Columns** to the right of the results pane to open the **Columns** sidebar.

+In the sidebar, you'll see a list of all available columns. Drag the **Url** column into the **Row Groups** section. Results are now organized by that column, and you can collapse each group to help you with your analysis. This action is similar to adding a filter condition to the query, but instead of refetching data from the server, you're processing the data your original query returned. When you run the query again, Log Analytics retrieves data based on your original query. Use this method if you want to quickly analyze a set of records as part of interactive analysis.

+To analyze the performance of your pages, create a pivot table.

+In the **Columns** sidebar, select **Pivot Mode**.

+To view the maximum call duration to each URL, select **sum(DurationMs)** > **max**.

+Select the query called **Function Error rate** in the **Applications** category. This step adds the query to the query window. Notice that the new query is separated from the other by a blank line. A query in KQL ends when it encounters a blank line, so these are considered separate queries.

+To view the results in a graph, select **Chart** on the results pane. Notice that there are various options for working with the chart, such as changing it to another type.

+description: Overview of Log Analytics workspace, which stores data for Azure Monitor Logs.

+A Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure services, such as Microsoft Sentinel and Microsoft Defender for Cloud. Each workspace has its own data repository and configuration but might combine data from multiple services. This article provides an overview of concepts related to Log Analytics workspaces and provides links to other documentation for more details on each.

+> You might see the term *Microsoft Sentinel workspace* used in [Microsoft Sentinel](../../sentinel/overview.md) documentation. This workspace is the same Log Analytics workspace described in this article, but it's enabled for Microsoft Sentinel. All data in the workspace is subject to Microsoft Sentinel pricing as described in the [Cost](#cost) section.

+You can use a single workspace for all your data collection. You can also create multiple workspaces based on requirements such as:

+- The geographic location of the data.

+- Access rights that define which users can access data.

+- Configuration settings like pricing tiers and data retention.

+To create a new workspace, see [Create a Log Analytics workspace in the Azure portal](./quick-create-workspace.md). For considerations on creating multiple workspaces, see [Design a Log Analytics workspace configuration](./workspace-design.md).

+There's no direct cost for creating or maintaining a workspace. You're charged for the data sent to it, which is also known as data ingestion. You're charged for how long that data is stored, which is otherwise known as data retention. These costs might vary based on the data plan of each table, as described in [Log data plans (preview)](#log-data-plans-preview).

+For information on pricing, see [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/). For guidance on how to reduce your costs, see [Azure Monitor best practices - Cost management](../best-practices-cost.md). If you're using your Log Analytics workspace with services other than Azure Monitor, see the documentation for those services for pricing information.

+By default, all tables in a workspace are **Analytics** tables, which are available to all features of Azure Monitor and any other services that use the workspace. You can configure certain tables as **Basic Logs (preview)** to reduce the cost of storing high-volume verbose logs you use for debugging, troubleshooting, and auditing, but not for analytics and alerts. Tables configured for Basic Logs have a lower ingestion cost in exchange for reduced features.

+The following table summarizes the two plans. For more information on Basic Logs and how to configure them, see [Configure Basic Logs in Azure Monitor (preview)](basic-logs-configure.md).

+> [!NOTE]

+> Basic Logs are in public preview. You can currently work with Basic Logs tables in the Azure portal and use a limited number of other components. The Basic Logs feature isn't available for workspaces in [legacy pricing tiers](cost-logs.md#legacy-pricing-tiers).

+| Log queries | No extra cost. Full query capabilities. | Extra cost.<br>[Subset of query capabilities](basic-logs-query.md#limitations). |

+[Data collection rules (DCRs)](../essentials/data-collection-rule-overview.md) that define data coming into Azure Monitor can include transformations that allow you to filter and transform data before it's ingested into the workspace. Since all workflows don't yet support DCRs, each workspace can define ingestion-time transformations. For this reason, you can filter or transform data before it's stored.

+[Ingestion-time transformations](ingestion-time-transformations.md) are defined for each table in a workspace and apply to all data sent to that table, even if sent from multiple sources. Ingestion-time transformations only apply to workflows that don't already use a DCR. For example, [Azure Monitor agent](../agents/azure-monitor-agent-overview.md) uses a DCR to define data collected from virtual machines. This data won't be subject to any ingestion-time transformations defined in the workspace.

+For example, you might have [diagnostic settings](../essentials/diagnostic-settings.md) that send [resource logs](../essentials/resource-logs.md) for different Azure resources to your workspace. You can create a transformation for the table that collects the resource logs that filters this data for only records that you want. This method saves you the ingestion cost for records you don't need. You might also want to extract important data from certain columns and store it in other columns in the workspace to support simpler queries.

+To access archived data, you must first retrieve data from it in an Analytics Logs table by using one of the following methods:

+| [Search jobs](search-jobs.md) | Retrieve data matching particular criteria. |

+Permission to access data in a Log Analytics workspace is defined by the [access control mode](manage-access.md#access-control-mode), which is a setting on each workspace. You can give users explicit access to the workspace by using a [built-in or custom role](../roles-permissions-security.md). Or, you can allow access to data collected for Azure resources to users with access to those resources.

+See [Manage access to log data and workspaces in Azure Monitor](manage-access.md) for information on the different permission options and how to configure permissions.

+- [Create a new Log Analytics workspace](quick-create-workspace.md).

+- See [Design a Log Analytics workspace configuration](workspace-design.md) for considerations on creating multiple workspaces.

+- [Learn about log queries to retrieve and analyze data from a Log Analytics workspace](./log-query-overview.md).

+description: This article explains how you can manage access to data stored in a Log Analytics workspace in Azure Monitor by using resource, workspace, or table-level permissions.

+ The data in a Log Analytics workspace that you can access is determined by a combination of the following factors:

+- The settings on the workspace itself.

+- The access to resources sending data to the workspace.

+- The method used to access the workspace.

+This article describes how access is managed and how to perform any required configuration.

+The factors that define the data you can access are described in the following table. Each factor is further described in the sections that follow.

+| [Access mode](#access-mode) | Method used to access the workspace. Defines the scope of the data available and the access control mode that's applied. |

+| [Azure role-based access control (RBAC)](#azure-rbac) | Permissions applied to individuals or groups of users for the workspace or resource sending data to the workspace. Defines what data you have access to. |

+| [Table-level Azure RBAC](#table-level-azure-rbac) | Optional permissions that define specific data types in the workspace that you can access. Apply to all users no matter your access mode or access control mode. |

+The *access mode* refers to how you access a Log Analytics workspace and defines the data you can access during the current session. The mode is determined according to the [scope](scope.md) you select in Log Analytics.

+There are two access modes:

+- **Workspace-context**: You can view all logs in the workspace for which you have permission. Queries in this mode are scoped to all data in all tables in the workspace. This access mode is used when logs are accessed with the workspace as the scope, such as when you select **Logs** on the **Azure Monitor** menu in the Azure portal.

+ - **Resource-context**: When you access the workspace for a particular resource, resource group, or subscription, such as when you select **Logs** from a resource menu in the Azure portal, you can view logs for only resources in all tables that you have access to. Queries in this mode are scoped to only data associated with that resource. This mode also enables granular Azure RBAC. Workspaces use a resource-context log model where every log record emitted by an Azure resource is automatically associated with this resource.

+Records are only available in resource-context queries if they're associated with the relevant resource. To check this association, run a query and verify that the [_ResourceId](./log-standard-columns.md#_resourceid) column is populated.

+- **Computers outside of Azure**: Resource-context is only supported with [Azure Arc for servers](../../azure-arc/servers/index.yml).

+- **Application Insights**: Supported for resource-context only when using a [workspace-based Application Insights resource](../app/create-workspace-resource.md).

+- **Azure Service Fabric**

+### Compare access modes

+| What does a user require to view logs? | Permissions to the workspace.<br>See "Workspace permissions" in [Manage access using workspace permissions](./manage-access.md#azure-rbac). | Read access to the resource.<br>See "Resource permissions" in [Manage access using Azure permissions](./manage-access.md#azure-rbac). Permissions can be inherited from the resource group or subscription or directly assigned to the resource. Permission to the logs for the resource will be automatically assigned. The user doesn't require access to the workspace.|

+| What is the scope of permissions? | Workspace.<br>Users with access to the workspace can query all logs in the workspace from tables they have permissions to. See [Table access control](./manage-access.md#table-level-azure-rbac). | Azure resource.<br>Users can query logs for specific resources, resource groups, or subscriptions they have access to in any workspace, but they can't query logs for other resources. |

+| How can a user access logs? | On the **Azure Monitor** menu, select **Logs**.<br><br>Select **Logs** from **Log Analytics workspaces**.<br><br>From Azure Monitor [workbooks](../best-practices-analysis.md#workbooks). | Select **Logs** on the menu for the Azure resource. Users will have access to data for that resource.<br><br>Select **Logs** on the **Azure Monitor** menu. Users will have access to data for all resources they have access to.<br><br>Select **Logs** from **Log Analytics workspaces**. Users will have access to data for all resources they have access to.<br><br>From Azure Monitor [workbooks](../best-practices-analysis.md#workbooks). |

+The *access control mode* is a setting on each workspace that defines how permissions are determined for the workspace.

+* **Require workspace permissions**. This control mode doesn't allow granular Azure RBAC. To access the workspace, the user must be [granted permissions to the workspace](#azure-rbac) or to [specific tables](#table-level-azure-rbac).

+ This setting is the default for all workspaces created before March 2019.

+* **Use resource or workspace permissions**. This control mode allows granular Azure RBAC. Users can be granted access to only data associated with resources they can view by assigning Azure `read` permission.

+ This setting is the default for all workspaces created after March 2019.

+ > If a user has only resource permissions to the workspace, they can only access the workspace by using resource-context mode assuming the workspace access mode is set to **Use resource or workspace permissions**.

+

+Change this setting on the **Properties** page of the workspace. If you don't have permissions to configure the workspace, changing the setting is disabled.

+

+A value of `False` means the workspace is configured with *workspace-context* access mode. A value of `True` means the workspace is configured with *resource-context* access mode.

+> If a workspace is returned without a Boolean value and is blank, this result also matches the results of a `False` value.

+To configure the access mode in an Azure Resource Manager template, set the **enableLogAccessUsingOnlyResourcePermissions** feature flag on the workspace to one of the following values:

+* **false**: Set the workspace to *workspace-context* permissions. This setting is the default if the flag isn't set.

+Access to a workspace is managed by using [Azure RBAC](../../role-based-access-control/role-assignments-portal.md). To grant access to the Log Analytics workspace by using Azure permissions, follow the steps in [Assign Azure roles to manage access to your Azure subscription resources](../../role-based-access-control/role-assignments-portal.md).

+Each workspace can have multiple accounts associated with it. Each account can have access to multiple workspaces. The following table lists the Azure permissions for different workspace actions:

+|Action |Azure permissions needed |Notes |

+| Change the pricing tier. | `Microsoft.OperationalInsights/workspaces/*/write` |

+| Create a workspace in the Azure portal. | `Microsoft.Resources/deployments/*` <br> `Microsoft.OperationalInsights/workspaces/*` |

+| View workspace basic properties and enter the workspace pane in the portal. | `Microsoft.OperationalInsights/workspaces/read` |

+| Query logs by using any interface. | `Microsoft.OperationalInsights/workspaces/query/read` |

+| Access all log types by using queries. | `Microsoft.OperationalInsights/workspaces/query/*/read` |

+| Access a specific log table. | `Microsoft.OperationalInsights/workspaces/query/<table_name>/read` |

+| Read the workspace keys to allow sending logs to this workspace. | `Microsoft.OperationalInsights/workspaces/sharedKeys/action` |

+| Add and remove monitoring solutions. | `Microsoft.Resources/deployments/*` <br> `Microsoft.OperationalInsights/*` <br> `Microsoft.OperationsManagement/*` <br> `Microsoft.Automation/*` <br> `Microsoft.Resources/deployments/*/write`<br><br>These permissions need to be granted at resource group or subscription level. |

+| View data in the **Backup** and **Site Recovery** solution tiles. | Administrator/Co-administrator<br><br>Accesses resources deployed by using the classic deployment model. |

+* **Subscription**: Access to all workspaces in the subscription

+* **Resource group**: Access to all workspaces in the resource group

+* **Resource**: Access to only the specified workspace

+> To add and remove users to a user role, you must have `Microsoft.Authorization/*/Delete` and `Microsoft.Authorization/*/Write` permission.

+Members of the Log Analytics Reader role can view all monitoring data and monitoring settings, including the configuration of Azure diagnostics on all Azure resources.

+Members of the Log Analytics Reader role can:

+- View and search all monitoring data.

+The Log Analytics Reader role includes the following Azure actions:

+| Action | `*/read` | Ability to view all Azure resources and resource configuration.<br>Includes viewing:<br>- Virtual machine extension status.<br>- Configuration of Azure diagnostics on resources.<br>- All properties and settings of all resources.<br><br>For workspaces, allows full unrestricted permissions to read the workspace settings and query data. See more granular options in the preceding list. |

+| Action | `Microsoft.Support/*` | Ability to open support cases. |

+|Not Action | `Microsoft.OperationalInsights/workspaces/sharedKeys/read` | Prevents reading of workspace key required to use the data collection API and to install agents. This prevents the user from adding new resources to the workspace. |

+Members of the Log Analytics Contributor role can:

+- Read all monitoring data granted by the Log Analytics Reader role.

+- Edit monitoring settings for Azure resources, including:

+ - Adding the VM extension to VMs.

+ - Configuring Azure diagnostics on all Azure resources.

+- Create and configure Automation accounts. Permission must be granted at the resource group or subscription level.

+- Add and remove management solutions. Permission must be granted at the resource group or subscription level.

+- Read storage account keys.

+- Configure the collection of logs from Azure Storage.

+| `*/read` | Ability to view all Azure resources and resource configuration.<br><br>Includes viewing:<br>- Virtual machine extension status.<br>- Configuration of Azure diagnostics on resources.<br>- All properties and settings of all resources.<br><br>For workspaces, allows full unrestricted permissions to read the workspace settings and query data. See more granular options in the preceding list. |

+| `Microsoft.Automation/automationAccounts/*` | Ability to create and configure Azure Automation accounts, including adding and editing runbooks. |

+| `Microsoft.ClassicCompute/virtualMachines/extensions/*` <br> `Microsoft.Compute/virtualMachines/extensions/*` | Add, update, and remove virtual machine extensions, including the Microsoft Monitoring Agent extension and the OMS Agent for Linux extension. |

+| `Microsoft.ClassicStorage/storageAccounts/listKeys/action` <br> `Microsoft.Storage/storageAccounts/listKeys/action` | View the storage account key. Required to configure Log Analytics to read logs from Azure Storage accounts. |

+| `Microsoft.Insights/alertRules/*` | Add, update, and remove alert rules. |

+| `Microsoft.Insights/diagnosticSettings/*` | Add, update, and remove diagnostics settings on Azure resources. |

+| `Microsoft.OperationsManagement/*` | Add and remove management solutions. |

+| `Microsoft.Resources/deployments/*` | Create and delete deployments. Required for adding and removing solutions, workspaces, and automation accounts. |

+| `Microsoft.Resources/subscriptions/resourcegroups/deployments/*` | Create and delete deployments. Required for adding and removing solutions, workspaces, and automation accounts. |

+When users query logs from a workspace by using [resource-context access](#access-mode), they'll have the following permissions on the resource:

+| `Microsoft.Insights/logs/<tableName>/read`<br><br>Examples:<br>`Microsoft.Insights/logs/*/read`<br>`Microsoft.Insights/logs/Heartbeat/read` | Ability to view all log data for the resource |

+| `Microsoft.Insights/diagnosticSettings/write` | Ability to configure diagnostics setting to allow setting up logs for this resource |

+The `/read` permission is usually granted from a role that includes _\*/read or_ _\*_ permissions, such as the built-in [Reader](../../role-based-access-control/built-in-roles.md#reader) and [Contributor](../../role-based-access-control/built-in-roles.md#contributor) roles. Custom roles that include specific actions or dedicated built-in roles might not include this permission.

+In addition to using the built-in roles for a Log Analytics workspace, you can create custom roles to assign more granular permissions. Here are some common examples.

+Grant a user access to log data from their resources:

+- Configure the workspace access control mode to *use workspace or resource permissions*.

+- Grant users `*/read` or `Microsoft.Insights/logs/*/read` permissions to their resources. If they're already assigned the [Log Analytics Reader](../../role-based-access-control/built-in-roles.md#reader) role on the workspace, it's sufficient.

+Grant a user access to log data from their resources and configure their resources to send logs to the workspace:

+- Configure the workspace access control mode to *use workspace or resource permissions*.

+- Grant users the following permissions on the workspace: `Microsoft.OperationalInsights/workspaces/read` and `Microsoft.OperationalInsights/workspaces/sharedKeys/action`. With these permissions, users can't perform any workspace-level queries. They can only enumerate the workspace and use it as a destination for diagnostic settings or agent configuration.

+- Grant users the following permissions to their resources: `Microsoft.Insights/logs/*/read` and `Microsoft.Insights/diagnosticSettings/write`. If they're already assigned the [Log Analytics Contributor](../../role-based-access-control/built-in-roles.md#contributor) role, assigned the Reader role, or granted `*/read` permissions on this resource, it's sufficient.

+Grant a user access to log data from their resources without being able to read security events and send data:

+- Configure the workspace access control mode to *use workspace or resource permissions*.

+- Add the following NonAction to block users from reading the SecurityEvent type: `Microsoft.Insights/logs/SecurityEvent/read`. The NonAction shall be in the same custom role as the action that provides the read permission (`Microsoft.Insights/logs/*/read`). If the user inherits the read action from another role that's assigned to this resource or to the subscription or resource group, they could read all log types. This scenario is also true if they inherit `*/read` that exists, for example, with the Reader or Contributor role.

+Grant a user access to log data from their resources and read all Azure AD sign-in and read Update Management solution log data from the workspace:

+- Configure the workspace access control mode to *use workspace or resource permissions*.

+- Grant users the following permissions on the workspace:

+ - `Microsoft.OperationalInsights/workspaces/read`: Required so the user can enumerate the workspace and open the workspace pane in the Azure portal

+ - `Microsoft.OperationalInsights/workspaces/query/read`: Required for every user that can execute queries

+ - `Microsoft.OperationalInsights/workspaces/query/SigninLogs/read`: To be able to read Azure AD sign-in logs

+ - `Microsoft.OperationalInsights/workspaces/query/Update/read`: To be able to read Update Management solution logs

+ - `Microsoft.OperationalInsights/workspaces/query/UpdateRunProgress/read`: To be able to read Update Management solution logs

+ - `Microsoft.OperationalInsights/workspaces/query/UpdateSummary/read`: To be able to read Update Management logs

+ - `Microsoft.OperationalInsights/workspaces/query/Heartbeat/read`: Required to be able to use Update Management solutions

+ - `Microsoft.OperationalInsights/workspaces/query/ComputerGroup/read`: Required to be able to use Update Management solutions

+- Grant users the following permissions to their resources: `*/read`, assigned to the Reader role, or `Microsoft.Insights/logs/*/read`

+## Table-level Azure RBAC

+By using table-level Azure RBAC, you can define more granular control to data in a Log Analytics workspace by defining specific data types that are accessible only to a specific set of users.

+Implement table access control with [Azure custom roles](../../role-based-access-control/custom-roles.md) to grant access to specific [tables](../logs/data-platform-logs.md) in the workspace. These roles are applied to workspaces with either workspace-context or resource-context [access control modes](#access-control-mode) regardless of the user's [access mode](#access-mode).

+Create a [custom role](../../role-based-access-control/custom-roles.md) with the following actions to define access to a particular table:

+Here are examples of custom role actions to grant and deny access to specific tables.

+Grant access to the _Heartbeat_ and _AzureActivity_ tables:

+Grant access to only the _SecurityBaseline_ table:

+Grant access to all tables except the _SecurityAlert_ table:

+ Custom logs are tables created from data sources such as [text logs](../agents/data-sources-custom-logs.md) and the [HTTP Data Collector API](data-collector-api.md). The easiest way to identify the type of log is by checking the tables listed under [Custom Logs in the log schema](./log-analytics-tutorial.md#view-table-information).

+> Tables created by the [Custom Logs API](../essentials/../logs/custom-logs-overview.md) don't yet support table-level RBAC.

+ You can't grant access to individual custom log tables, but you can grant access to all custom logs. To create a role with access to all custom log tables, create a custom role by using the following actions:

+An alternative approach to managing access to custom logs is to assign them to an Azure resource and manage access by using resource-context access control. Include the resource ID by specifying it in the [x-ms-AzureResourceId](../logs/data-collector-api.md#request-headers) header when data is ingested to Log Analytics via the [HTTP Data Collector API](../logs/data-collector-api.md). The resource ID must be valid and have access rules applied to it. After the logs are ingested, they're accessible to users with read access to the resource.

+Some custom logs come from sources that aren't directly associated to a specific resource. In this case, create a resource group to manage access to these logs. The resource group doesn't incur any cost, but it gives you a valid resource ID to control access to the custom logs.

+For example, if a specific firewall is sending custom logs, create a resource group called *MyFireWallLogs*. Make sure that the API requests contain the resource ID of *MyFireWallLogs*. The firewall log records are then accessible only to users who were granted access to *MyFireWallLogs* or those users with full workspace access.

+- If a user is granted per-table access but no other permissions, they can access log data from the API but not from the Azure portal. To provide access from the Azure portal, use Log Analytics Reader as its base role.

+- Assign roles to security groups instead of individual users to reduce the number of assignments. This practice will also help you use existing group management tools to configure and verify access.

+# Customer intent: As a DevOps engineer or IT expert, I want to set up a workspace to collect logs from multiple data sources from Azure, on-premises, and third-party cloud deployments.

+This article shows you how to create a Log Analytics workspace. When you collect logs and data, the information is stored in a workspace. A workspace has a unique workspace ID and resource ID. The workspace name must be unique for a given resource group. After you've created a workspace, configure data sources and solutions to store their data there.

+You need a Log Analytics workspace if you collect data from:

+* Azure resources in your subscription.

+* On-premises computers monitored by System Center Operations Manager.

+* Device collections from Configuration Manager.

+* Diagnostics or log data from Azure Storage.

+## Create a workspace

+Use the **Log Analytics workspaces** menu to create a workspace.

+1. In the [Azure portal](https://portal.azure.com), enter **Log Analytics** in the search box. As you begin typing, the list filters based on your input. Select **Log Analytics workspaces**.

+ :::image type="content" source="media/quick-create-workspace/azure-portal-01.png" alt-text="Screenshot that shows the search bar at the top of the Azure home screen. As you begin typing, the list of search results filters based on your input.":::

+1. Select a **Subscription** from the dropdown.

+1. Use an existing **Resource Group** or create a new one.

+1. Select an available **Region**. For more information, see which [regions Log Analytics is available in](https://azure.microsoft.com/regions/services/). Search for Azure Monitor in the **Search for a product** box.

+ :::image type="content" source="media/quick-create-workspace/create-workspace.png" alt-text="Screenshot that shows the boxes that need to be populated on the Basics tab of the Create Log Analytics workspace screen.":::

+1. Select **Review + Create** to review the settings. Then select **Create** to create the workspace. A default pricing tier of pay-as-you-go is applied. No charges will be incurred until you start collecting enough data. For more information about other pricing tiers, see [Log Analytics pricing details](https://azure.microsoft.com/pricing/details/log-analytics/).

+The following sample script creates a workspace with no data source configuration.

+After you've created a workspace, [configure a Log Analytics workspace in Azure Monitor by using PowerShell](/azure/azure-monitor/logs/powershell-workspace-configuration).

+## [Resource Manager template](#tab/azure-resource-manager)

+The following sample uses the [Microsoft.OperationalInsights workspaces](/azure/templates/microsoft.operationalinsights/workspaces?tabs=bicep) template to create a Log Analytics workspace in Azure Monitor.

+When you create a workspace that was deleted in the last 14 days and in [soft-delete state](../logs/delete-workspace.md#soft-delete-behavior), the operation could have a different outcome depending on your workspace configuration:

+1. If you provide the same workspace name, resource group, subscription, and region as in the deleted workspace, your workspace will be recovered including its data, configuration, and connected agents.

+1. Workspace names must be unique for a resource group. If you use a workspace name that already exists, or is soft deleted, an error is returned. To permanently delete your soft-deleted name and create a new workspace with the same name, follow these steps:

+ 1. [Recover](../logs/delete-workspace.md#recover-workspace) your workspace.

+ 1. [Permanently delete](../logs/delete-workspace.md#permanent-workspace-delete) your workspace.

+ 1. Create a new workspace by using the same workspace name.

+

+Now that you have a workspace available, you can configure collection of monitoring telemetry, run log searches to analyze that data, and add a management solution to provide more data and analytic insights. To learn more:

+* See [Monitor health of Log Analytics workspace in Azure Monitor](../logs/monitor-workspace.md) to create alert rules to monitor the health of your workspace.

+* See [Collect Azure service logs and metrics for use in Log Analytics](../essentials/resource-logs.md#send-to-log-analytics-workspace) to enable data collection from Azure resources with Azure Diagnostics or Azure Storage.

+The REST API specification for Azure NetApp Files is published through [GitHub](https://github.com/Azure/azure-rest-api-specs/tree/main/specification/netapp/resource-manager):

+`https://github.com/Azure/azure-rest-api-specs/tree/main/specification/netapp/resource-manager`

+* [Manual Recovery Guide for SAP HANA on Azure VMs from Azure NetApp Files snapshot with AzAcSnap](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/manual-recovery-guide-for-sap-hana-on-azure-vms-from-azure/ba-p/3290161)

+* [Azure Policy documentation](../governance/policy/index.yml)

+ [Azure NetApp Files datastores for Azure VMware Solution](https://azure.microsoft.com/blog/power-your-file-storageintensive-workloads-with-azure-vmware-solution) is now in public preview. This new integration between Azure VMware Solution and Azure NetApp Files will enable you to [create datastores via the Azure VMware Solution resource provider with Azure NetApp Files NFS volumes](../azure-vmware/attach-azure-netapp-files-to-azure-vmware-solution-hosts.md) and mount the datastores on your private cloud clusters of choice. Along with the integration of Azure disk pools for Azure VMware Solution, this will provide more choice to scale storage needs independently of compute resources. For your storage-intensive workloads running on Azure VMware Solution, the integration with Azure NetApp Files helps to easily scale storage capacity beyond the limits of the local instance storage for AVS provided by vSAN and lower your overall total cost of ownership for storage-intensive workloads.

+A Managed Application can be configured with Managed Identity through the [CreateUIDefinition.json](./create-uidefinition-overview.md). In the [outputs section](./create-uidefinition-overview.md#outputs), the key `managedIdentity` can be used to override the identity property of the Managed Application template. The sample below will enable **system-assigned** identity on the Managed Application. More complex identity objects can be formed by using CreateUIDefinition elements to ask the consumer for inputs. These inputs can be used to construct Managed Applications with **user-assigned identity**.

+> [How to configure a Managed Application with a Custom Provider](../custom-providers/overview.md)

+This tutorial is the first of a series. As you progress through the series, you modify the starting template, step by step, until you explore all of the core parts of an ARM template. These elements are the building blocks for more complex templates. We hope by the end of the series you're confident in creating your own templates and ready to automate your deployments with templates.

+If you want to learn about the benefits of using templates and why you should automate deployments with templates, see [ARM template overview](overview.md). To learn about ARM templates through a guided set of modules on [Microsoft Learn](/learn), see [Deploy and manage resources in Azure by using JSON ARM templates](/learn/paths/deploy-manage-resource-manager-templates).

+> If the deployment fails, use the `verbose` switch to get information about the resources being created. Use the `debug` switch to get more information for debugging.

+2. Type the resource group name in the **Filter for any field...** text field.

+3. Check the box next to **myResourceGroup** and select **myResourceGroup** or your resource group name.

+ `clientId` and `tenantId` are required to use [Azure AD application with service principal](../active-directory/develop/howto-create-service-principal-portal.md).

+ ```

+Azure Video Indexer is a service hosted on Azure. In some architecture cases the service needs to interact with other services in order to index video files (that is, a Storage Account) or when a customer orchestrates indexing jobs against our API endpoint using their own service hosted on Azure (i.e AKS, Web Apps, Logic Apps, Functions). Customers who would like to limit access to their resources on a network level can use [Network Security Groups with Service Tags](../virtual-network/service-tags-overview.md). A service tag represents a group of IP address prefixes from a given Azure service, in this case Azure Video Indexer. Microsoft manages the address prefixes grouped by the service tag and automatically updates the service tag as addresses change in our backend, minimizing the complexity of frequent updates to network security rules by the customer.

+[Azure NetApp Files](../azure-netapp-files/azure-netapp-files-introduction.md) is an enterprise-class, high-performance, metered file storage service. The service supports the most demanding enterprise file-workloads in the cloud: databases, SAP, and high-performance computing applications, with no code changes. For more information on Azure NetApp Files, see [Azure NetApp Files](../azure-netapp-files/index.yml) documentation.

+[Azure VMware Solution](./introduction.md) supports attaching Network File System (NFS) datastores as a persistent storage option. You can create NFS datastores with Azure NetApp Files volumes and attach them to clusters of your choice. You can also create virtual machines (VMs) for optimal cost and performance.

+1. [Deploy Azure VMware Solution](./deploy-azure-vmware-solution.md) private cloud in a configured virtual network. For more information, see [Network planning checklist](./tutorial-network-checklist.md) and [Configure networking for your VMware private cloud](https://review.docs.microsoft.com/azure/azure-vmware/tutorial-configure-networking?).

+1. Create an [NFSv3 volume for Azure NetApp Files](../azure-netapp-files/azure-netapp-files-create-volumes.md) in the same virtual network as the Azure VMware Solution private cloud.

+ 1. Create a volume with **Standard** [network features](../azure-netapp-files/configure-network-features.md) if available for ExpressRoute FastPath connectivity.

+ 1. If you're using [export policies](../azure-netapp-files/azure-netapp-files-configure-export-policy.md) to control access to Azure NetApp Files volumes, enable the Azure VMware private cloud IP range, not individual host IPs. Faulty hosts in a private cloud could get replaced so if the IP isn't enabled, connectivity to datastore will be impacted.

+**Europe** : West Europe, North Europe, UK West, UK South, France Central, Switzerland West, Germany West Central.

+- For optimized performance, choose **UltraPerformance** gateway and enable [ExpressRoute FastPath](../expressroute/expressroute-howto-linkvnet-arm.md#configure-expressroute-fastpath) from a private cloud to Azure NetApp Files volumes virtual network. View more detailed information on gateway SKUs at [About ExpressRoute virtual network gateways](../expressroute/expressroute-about-virtual-network-gateways.md).

+- Create multiple datastores of 4-TB size for better performance. The default limit is 8 but it can be increased up to a maximum of 256 by submitting a support ticket. To submit a support ticket, go to [Create an Azure support request](../azure-portal/supportability/how-to-create-azure-support-request.md).

+- Work with your Microsoft representative to ensure that the Azure VMware Solution private cloud and the Azure NetApp Files volumes are deployed within same [Availability Zone](../availability-zones/az-overview.md#availability-zones).

+- [Service levels for Azure NetApp Files](../azure-netapp-files/azure-netapp-files-service-levels.md)

+- Datastore protection using [Azure NetApp Files snapshots](../azure-netapp-files/snapshots-introduction.md)

+- [About ExpressRoute virtual network gateways](../expressroute/expressroute-about-virtual-network-gateways.md)

+- [Understand Azure NetApp Files backup](../azure-netapp-files/backup-introduction.md)

+- [Guidelines for Azure NetApp Files network planning](../azure-netapp-files/azure-netapp-files-network-topologies.md)

+ The default limit is 8 but it can be increased up to a maximum of 256 by submitting a support ticket. To submit a support ticket, go to [Create an Azure support request](../azure-portal/supportability/how-to-create-azure-support-request.md).

+ Azure NetApp Files (ANF) supports [snapshots](../azure-netapp-files/azure-netapp-files-manage-snapshots.md) of datastores for quick checkpoints for near term recovery or quick clones. ANF backup lets you offload your ANF snapshots to Azure storage. This feature is available in public preview. Only for this technology are copies and stores-changed blocks relative to previously offloaded snapshots in an efficient format. This ability decreases Recovery Point Objective (RPO) and Recovery Time Objective (RTO) while lowering backup data transfer burden on the Azure VMware Solution service.

+ Use [Metrics for Azure NetApp Files](../azure-netapp-files/azure-netapp-files-metrics.md) to monitor storage and performance usage for the Datastore volume and to set alerts.

+ Usage and performance metrics are available for monitoring the Datastore volume. Replication metrics are also available for ANF datastore that can be replicated to another region using Cross Regional Replication. For more information about metrics, see [Metrics for Azure NetApp Files](../azure-netapp-files/azure-netapp-files-metrics.md).

+ Azure NetApp Files NFS volumes that are used as datastores will be billed following the [capacity pool based billing model](../azure-netapp-files/azure-netapp-files-cost-model.md). Billing will depend on the service level. There's no extra charge for using Azure NetApp Files NFS volumes as datastores.

+You can use Azure storage services in workloads running in your private cloud. The Azure storage services include Storage Accounts, Table Storage, and Blob Storage. The connection of workloads to Azure storage services doesn't traverse the internet. This connectivity provides more security and enables you to use SLA-based Azure storage services in your private cloud workloads. You can also connect Azure disk pools or Azure NetApp Files to expand the storage capacity. This functionality is in preview.

+- [Azure NetApp Files with Azure VMware Solution](netapp-files-with-azure-vmware-solution.md) - You can use Azure NetApp Files to migrate and run the most demanding enterprise file-workloads in the cloud: databases, SAP, and high-performance computing applications, with no code changes. Azure NetApp Files volumes can be attached to virtual machines and can also be connected as data stores directly to Azure VMware Solution. This functionality is in preview.

+ - [Disaster Recovery with Azure NetApp Files, JetStream DR and AVS (Azure VMware Solution)](https://www.jetstreamsoft.com/portal/jetstream-knowledge-base/disaster-recovery-with-azure-netapp-files-jetstream-dr-and-avs-azure-vmware-solution/)

+>To enable this feature for your subscription, register the ```PIPOnNSXEnabled``` flag and follow these steps to [set up the preview feature in your Azure subscription](../azure-resource-manager/management/preview-features.md?tabs=azure-portal).

+>To enable this feature for your subscription, register the ```PIPOnNSXEnabled``` flag and follow these steps to [set up the preview feature in your Azure subscription](../azure-resource-manager/management/preview-features.md?tabs=azure-portal).

+[Disable Internet access or enable a default route](disable-internet-access.md)

+You can deploy new or scale existing private clouds through the Azure portal or Azure CLI.

+[Learn how to generate Azure AD Tokens](../active-directory/develop/reference-v2-libraries.md)

+- If you have a physical Raspberry Pi and BME280 sensor, you may measure and report real temperature and humidity values by following the [Connect Raspberry Pi to Azure IoT Hub (Node.js)](../iot-hub/iot-hub-raspberry-pi-kit-node-get-started.md) tutorial.

+> [Explore more Azure Web PubSub samples](https://github.com/Azure/azure-webpubsub/tree/main/samples)

+ "userEmail":"<userAzureAccountEmailAddress>",

+ "userEmail":"<userAzureAccountEmailAddress>",

+> The [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory) NuGet package and Azure AD Authentication Library (ADAL) have been deprecated. No new features have been added since June 30, 2020. We strongly encourage you to upgrade, see the [migration guide](../active-directory/develop/msal-migration.md) for more details.

+Manage your CDN resources with [PowerShell](cdn-manage-powershell.md).

+- An AKS cluster with Linux node pools. If you do not have an AKS cluster, see the AKS quickstart [using the Azure CLI](../aks/learn/quick-kubernetes-deploy-cli.md), [using Azure PowerShell](../aks/learn/quick-kubernetes-deploy-powershell.md), or [using the Azure portal](../aks/learn/quick-kubernetes-deploy-portal.md).

+- An AKS cluster with a Linux node pool. If you do not have an AKS cluster, see the AKS quickstart [using the Azure CLI](../aks/learn/quick-kubernetes-deploy-cli.md), [using Azure PowerShell](../aks/learn/quick-kubernetes-deploy-powershell.md), or [using the Azure portal](../aks/learn/quick-kubernetes-deploy-portal.md).

+This tutorial shows how to run both front-end and back-end in an Azure cloud service. An alternative is to run the front-end in [Azure App Service](../app-service/index.yml) and use the [WebJobs](../app-service/webjobs-create.md) feature for the back-end. For a tutorial that uses WebJobs, see [Get Started with the Azure WebJobs SDK](https://github.com/Azure/azure-webjobs-sdk/wiki). For information about how to choose the services that best fit your scenario, see [Azure App Service, Cloud Services, and virtual machines comparison](/azure/architecture/guide/technology-choices/compute-decision-tree).

+* [How to choose a cloud service provider](https://azure.microsoft.com/overview/choosing-a-cloud-service-provider/)

+ > If you receive an error stating that the provided subscription name doesn't exist in the imported publish profile, you must download and import the publishing profile for your subscription before deploying to Azure. See the **Deploying the Application to Azure** section of [Build and deploy a Node.js application to an Azure Cloud Service](./cloud-services-nodejs-develop-deploy-app.md)

+ > If you receive an error stating that the provided subscription name doesn't exist in the imported publish profile, you must download and import the publishing profile for your subscription before deploying to Azure. See the **Deploying the Application to Azure** section of [Build and deploy a Node.js application to an Azure Cloud Service](./cloud-services-nodejs-develop-deploy-app.md)

+[The output of the Publish-AzureService command]: ./media/cloud-services-nodejs-chat-app-socketio/socketio-9.png

+For a more structured approach, follow a Microsoft Learn module for Face.

+* [Detect and analyze faces with the Face service](/learn/modules/detect-analyze-faces/)

+For a more structured approach, follow a Microsoft Learn module for Image Analysis.

+* [Analyze images with the Computer Vision service](/learn/modules/analyze-images-computer-vision/)

+For a more structured approach, follow a Microsoft Learn module for OCR.

+* [Read Text in Images and Documents with the Computer Vision Service](/learn/modules/read-text-images-documents-with-computer-vision-service/)

+* [**Tutorials**](ecommerce-retail-catalog-moderation.md) are longer guides that show you how to use the service as a component in broader business solutions.

+For a more structured approach, follow a Microsoft Learn module for Content Moderator.

+* [Introduction to Content Moderator](/learn/modules/intro-to-content-moderator/)

+* [Classify and moderate text with Azure Content Moderator](/learn/modules/classify-and-moderate-text-with-azure-content-moderator/)

+For a more structured approach, follow a Microsoft Learn module for Custom Vision.

+* [Classify images with the Custom Vision service](/learn/modules/classify-images-custom-vision/)

+* [Classify endangered bird species with Custom Vision](/learn/modules/cv-classify-bird-species/)

+To copy a model to another Speech resource, use the [CopyModelToSubscription](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CopyModelToSubscription) operation of the [Speech-to-text REST API v3.0](rest-speech-to-text.md). Construct the request body according to the following instructions:

+Make an HTTP PATCH request using the URI as shown in the following example. Use the URI of the new model. You can get the new model ID from the `self` property of the [CopyModelToSubscription](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CopyModelToSubscription) response body. Replace `YourSubscriptionKey` with your Speech resource key, replace `YourServiceRegion` with your Speech resource region, and set the request body properties as previously described.

+### Fix data issues online

+You can fix the utterances with issues individually on **Data details** page.

+1. On the **Data details** page, select individual utterances you want to edit, then click **Edit**.

+ :::image type="content" source="media/custom-voice/cnv-edit-trainingset.png" alt-text="Screenshot of selecting edit button on the Data details page.":::

+1. Edit window will be displayed.

+ :::image type="content" source="media/custom-voice/cnv-edit-trainingset-editscript.png" alt-text="Screenshot of displaying Edit transcript and recording file window.":::

+1. Update transcript or recording file according to issue description on the edit window.

+ You can edit transcript in the text box, then click **Done**

+ :::image type="content" source="media/custom-voice/cnv-edit-trainingset-scriptedit-done.png" alt-text="Screenshot of selecting Done button on the Edit transcript and recording file window.":::

+ If you need to update recording file, select **Update recording file**, then upload the fixed recording file (.wav).

+

+ :::image type="content" source="media/custom-voice/cnv-edit-trainingset-upload-recording.png" alt-text="Screenshot that shows how to upload recording file on the Edit transcript and recording file window.":::

+1. After the data in a training set are updated, you need to check the data quality by clicking **Analyze data** before using this training set for training.

+ You can't select this training set for training model before the analysis is complete.

+ :::image type="content" source="media/custom-voice/cnv-edit-trainingset-analyze.png" alt-text="Screenshot of selecting Analyze data on Data details page.":::

+ You can also delete utterances with issues by selecting them and clicking **Delete**.

+1. Select the training method for your model.

+ If you want to create a voice in the same language of your training data, select **Neural** method. For the **Neural** method, you can select different versions of the training recipe for your model. The versions vary according to the features supported and model training time. Normally new versions are enhanced ones with bugs fixed and new features supported. The latest version is selected by default.

+ You can also select **Neural - cross lingual** and **Target language** to create a secondary language for your voice model. Only one target language can be selected for a voice model. You don't need to prepare additional data in the target language for training, but your test script needs to be in the target language. For the languages supported by cross lingual feature, see [supported languages](language-support.md#custom-neural-voice).

+ The same unit price applies to both **Neural** and **Neural - cross lingual**. Check [the pricing details](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/) for training.

+### Update engine version for your voice model

+Azure Text-to-Speech engines are updated from time to time to capture the latest language model that defines the pronunciation of the language. After you've trained your voice, you can apply your voice to the new language model by updating to the latest engine version.

+When a new engine is available, you're prompted to update your neural voice model.

+Go to the model details page, click **Update** at the top to display **Update** window.

+Then click **Update** to update your model to the latest engine version.

+You're not charged for engine update. The previous versions are still kept. You can check all engine versions for this model from **Engine version** drop-down list, or remove one if you don't need it anymore.

+The updated version is automatically set as default. But you can change the default version by selecting a version from the drop-down list and clicking **Set as default**.

+If you want to test each engine version of your voice model, you can select a version from the drop-down list, then select **DefaultTests** under **Testing** to listen to the sample audios. If you want to upload your own test scripts to further test your current engine version, first make sure the version is set as default, then follow the [testing steps above](#test-your-voice-model).

+After you've updated the engine version for your voice model, you need to redeploy this new version. You can only deploy the default version.

+For more information, [learn more about the capabilities and limits of this feature, and the best practice to improve your model quality](/legal/cognitive-services/speech-service/custom-neural-voice/characteristics-and-limitations-custom-neural-voice?context=%2fazure%2fcognitive-services%2fspeech-service%2fcontext%2fcontext).

+## Cross lingual feature

+With cross lingual feature (public preview), you can create a different language for your voice model. If the language of your training data is supported by cross lingual feature, you can create a voice that speaks a different language from your training data. For example, with the `zh-CN` training data, you can create a voice that speaks `en-US` or any of the languages supported by cross lingual feature. For details, see [supported languages](language-support.md#custom-neural-voice). You don't need to prepare additional data in the target language for training, but your test script needs to be in the target language.

+For how to create a different language from your training data, select the training method **Neural-cross lingual** during training. See [how to train your custom neural voice model](how-to-custom-voice-create-voice.md#train-your-custom-neural-voice-model).

+After the voice is created, you can use the Audio Content Creation tool to fine-tune your deployed voice, with richer voice tuning supports. Sign in to the Audio Content Creation of [Speech Studio]( https://aka.ms/speechstudio/) with your Azure account, and select your created voice from the target language to start tuning experience.

+>

+> The syllable groups, IPA phonemes, and spoken phoneme features of pronunciation assessment are currently only available for the en-US locale.

+| `Granularity` | Determines the lowest level of evaluation granularity. Scores for levels above or equal to the minimal value are returned. Accepted values are `Phoneme`, which shows the score on the full text, word, syllable, and phoneme level, `Syllable`, which shows the score on the full text, word, and syllable level, `Word`, which shows the score on the full text and word level, or `FullText`, which shows the score on the full text level only. The provided full reference text can be a word, sentence, or paragraph, and it depends on your input reference text.|

+Pronunciation assessment can provide syllable-level assessment results. Grouping in syllables is more legible and aligned with speaking habits, as a word is typically pronounced syllable by syllable rather than phoneme by phoneme.

+The phoneme name is provided together with the score, to help identity which phonemes were pronounced accurately or inaccurately. For the [supported languages](language-support.md#pronunciation-assessment), you can get the phoneme name in [SAPI](/previous-versions/windows/desktop/ee431828(v=vs.85)#american-english-phoneme-table) format, and for the `en-US` locale, you can also get the phoneme name in [IPA](https://en.wikipedia.org/wiki/IPA) format.

+|en-US-JennyNeural|`angry`, `assistant`, `chat`, `cheerful`,`customerservice`, `excited`, `friendly`, `hopeful`, `newscast`, `sad`, `shouting`, `terrified`, `unfriendly`, `whispering`|||

+- Syllable-level accuracy scores are currently only available via the [JSON file](?tabs=json#scores-within-words) or [Speech SDK](how-to-pronunciation-assessment.md).

+- Read the blog about [use cases](https://techcommunity.microsoft.com/t5/azure-ai-blog/speech-service-update-pronunciation-assessment-is-generally/ba-p/2505501)

+> Phonemes tag may not work on all locales.

+| Custom text classification | `2022-05-01` | `2022-05-01` | |

+| Conversational language understanding | `2022-05-01` | `2022-05-01` | |

+| Custom named entity recognition | `2022-05-01` | `2022-05-01` | |

+| Orchestration workflow | `2022-05-01` | `2022-05-01` | |

+| `api-version` | `{API-VERSION}` | The version of the API you're calling. The value referenced here is for the latest released [model version](../../concepts/model-lifecycle.md#choose-the-model-version-used-on-your-data) released. | `2022-05-01` |

+## Delete project

+Once you are satisfied with how your model performs, it's ready to be deployed, and query it for predictions from utterances. Deploying a model makes it available for use through the [prediction API](https://aka.ms/clu-runtime-api).

+* Reviewed the [model performance](view-model-evaluation.md) to determine how your model is performing.

+After you have reviewed the model's performance and decide it's fit to be used in your environment, you need to assign it to a deployment to be able to query it. Assigning the model to a deployment makes it available for use through the [prediction API](https://aka.ms/clu-runtime-api). It is recommended to create a deployment named `production` to which you assign the best model you have built so far and use it in your system. You can create another deployment called `staging` to which you can assign the model you're currently working on to be able to test it. You can have a maximum on 10 deployments in your project.

+* [How-to guides](how-to/create-project.md) contain instructions for using the service in more specific or customized ways.

+4. **Viewmodel evaluation details**: View the evaluation details for your model to determine how well it performs when introduced to new data.

+5. **Deploy model**: Deploying a model makes it available for use via the [Runtime API](https://aka.ms/clu-runtime-api).

+|C# (Runtime) | [C# documentation](/dotnet/api/azure.ai.textanalytics?view=azure-dotnet-preview&preserve-view=true) | [C# samples](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/cognitivelanguage/Azure.AI.Language.Conversations/samples) |

+|Python (Runtime)| [Python documentation](/python/api/overview/azure/ai-textanalytics-readme?view=azure-python-preview&preserve-view=true) | [Python samples](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/cognitivelanguage/azure-ai-language-conversations/samples) |

+An AI system includes not only the technology, but also the people who will use it, the people who will be affected by it, and the environment in which it's deployed. Read the transparency note for CLU to learn about responsible AI use and deployment in your systems. You can also see the following articles for more information:

+| Project name | You can only use letters `(a-z, A-Z)`, and numbers `(0-9)` ,symbols `_ . -`,with no spaces. Maximum allowed length is 50 characters. |

+| Intent name| You can only use letters `(a-z, A-Z)`, numbers `(0-9)` and all symbols except ":", `$ & % * ( ) + ~ # / ?`. Maximum allowed length is 50 characters.|

+| Entity name| You can only use letters `(a-z, A-Z)`, numbers `(0-9)` and all symbols except ":", `$ & % * ( ) + ~ # / ?`. Maximum allowed length is 50 characters.|

+You can train multiple models on the same dataset within the same project. After you have trained your model successfully, you can [view its performance](how-to/view-model-evaluation.md). You can [deploy and test](quickstart.md#deploy-your-model) your model within [Language studio](https://aka.ms/languageStudio). You can add or remove labels from your data and train a **new** model and test it as well. View [service limits](service-limits.md)to learn about maximum number of trained models with the same project. When you [train a model](how-to/train-model.md), you can determine how your dataset is split into training and testing sets. You can also have your data split randomly into training and testing set where there is no guarantee that the reflected model evaluation is about the same test set, and the results are not comparable. It's recommended that you develop your own test set and use it to evaluate both models so you can measure improvement.

+You can query the deployment programmatically using the [Prediction API](https://aka.ms/ct-runtime-api) or through the Client libraries (Azure SDK).

+* Text data that [has been uploaded](design-schema.md#data-preparation) to your storage account.

+Once you're satisfied with how your model performs, you can [deploy your model](deploy-model.md).

+|C# (Runtime) | [C# documentation](/dotnet/api/azure.ai.textanalytics?view=azure-dotnet-preview&preserve-view=true) | [C# samples](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/textanalytics/Azure.AI.TextAnalytics/samples/Sample9_RecognizeCustomEntities.md) |

+| Java (Runtime) | [Java documentation](/java/api/overview/azure/ai-textanalytics-readme?view=azure-java-preview&preserve-view=true) | [Java Samples](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/textanalytics/azure-ai-textanalytics/src/samples/java/com/azure/ai/textanalytics/lro/RecognizeCustomEntities.java) |

+|JavaScript (Runtime) | [JavaScript documentation](/javascript/api/overview/azure/ai-text-analytics-readme?view=azure-node-preview&preserve-view=true) | [JavaScript samples](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/textanalytics/ai-text-analytics/samples/v5/javascript/customText.js) |

+|Python (Runtime) | [Python documentation](/python/api/azure-ai-textanalytics/azure.ai.textanalytics?view=azure-python-preview&preserve-view=true) | [Python samples](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/textanalytics/azure-ai-textanalytics/samples/sample_recognize_custom_entities.py) |

+# Quickstart: Custom named entity recognition

+| Project name | You can only use letters `(a-z, A-Z)`, and numbers `(0-9)` ,symbols `_ . -`,with no spaces. Maximum allowed length is 50 characters. |

+| Model name | You can only use letters `(a-z, A-Z)`, numbers `(0-9)` and symbols `_ . -`. Maximum allowed length is 50 characters. |

+| Deployment name | You can only use letters `(a-z, A-Z)`, numbers `(0-9)` and symbols `_ . -`. Maximum allowed length is 50 characters. |

+| Entity name| You can only use letters `(a-z, A-Z)`, numbers `(0-9)` and all symbols except ":", `$ & % * ( ) + ~ # / ?`. Maximum allowed length is 50 characters.|

+You can query the deployment programmatically [Prediction API](https://aka.ms/ct-runtime-api) or through the client libraries (Azure SDK).

+|C# (Runtime) | [C# documentation](/dotnet/api/azure.ai.textanalytics?view=azure-dotnet-preview&preserve-view=true) | [C# samples - Single label classification](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/textanalytics/Azure.AI.TextAnalytics/samples/Sample10_SingleCategoryClassify.md) [C# samples - Multi label classification](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/textanalytics/Azure.AI.TextAnalytics/samples/Sample11_MultiCategoryClassify.md) |

+| Java (Runtime) | [Java documentation](/java/api/overview/azure/ai-textanalytics-readme?view=azure-java-preview&preserve-view=true) | [Java Samples - Single label classification](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/textanalytics/azure-ai-textanalytics/src/samples/java/com/azure/ai/textanalytics/lro/ClassifyDocumentSingleCategory.java) [Java Samples - Multi label classification](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/textanalytics/azure-ai-textanalytics/src/samples/java/com/azure/ai/textanalytics/lro/ClassifyDocumentMultiCategory.java) |

+|JavaScript (Runtime) | [JavaScript documentation](/javascript/api/overview/azure/ai-text-analytics-readme?view=azure-node-preview&preserve-view=true) | [JavaScript samples - Single label classification](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/textanalytics/ai-text-analytics/samples/v5/javascript/customText.js) [JavaScript samples - Multi label classification](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/textanalytics/ai-text-analytics/samples/v5/javascript/customText.js) |

+|Python (Runtime)| [Python documentation](/python/api/azure-ai-textanalytics/azure.ai.textanalytics?view=azure-python-preview&preserve-view=true) | [Python samples - Single label classification](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/textanalytics/azure-ai-textanalytics/samples/sample_single_category_classify.py) [Python samples - Multi label classification](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/textanalytics/azure-ai-textanalytics/samples/sample_multi_category_classify.py) |

+# Quickstart: Custom text classification

+| Project name | You can only use letters `(a-z, A-Z)`, and numbers `(0-9)` ,symbols `_ . -`,with no spaces. Maximum allowed length is 50 characters. |

+| Model name | You can only use letters `(a-z, A-Z)`, numbers `(0-9)` and symbols `_ . -`. Maximum allowed length is 50 characters. |

+| Deployment name | You can only use letters `(a-z, A-Z)`, numbers `(0-9)` and symbols `_ . -`. Maximum allowed length is 50 characters. |

+| Class name| You can only use letters `(a-z, A-Z)`, numbers `(0-9)` and all symbols except ":", `$ & % * ( ) + ~ # / ?`. Maximum allowed length is 50 characters.|

+> * If you are planning to use question answering, you have to enable question answering in resource creation

+## Delete project

+[Build schema](./build-schema.md)

+* [Model evaluation metrics concepts](../concepts/evaluation-metrics.md)

+* How to [deploy a model](./deploy-model.md)

+* [How-to guides](how-to/create-project.md) contain instructions for using the service in more specific or customized ways.

+|REST APIs (Runtime) | [REST API documentation](https://aka.ms/clu-runtime-api) | |

+|C# (Runtime) | [C# documentation](/dotnet/api/azure.ai.textanalytics?view=azure-dotnet-preview&preserve-view=true) | [C# samples](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/cognitivelanguage/Azure.AI.Language.Conversations/samples) |

+|Python (Runtime)| [Python documentation](/python/api/overview/azure/ai-textanalytics-readme?view=azure-python-preview&preserve-view=true) | [Python samples](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/cognitivelanguage/azure-ai-language-conversations/samples) |

+An AI system includes not only the technology, but also the people who will use it, the people who will be affected by it, and the environment in which it is deployed. Read the transparency note for CLU and orchestration workflow to learn about responsible AI use and deployment in your systems. You can also see the following articles for more information:

+| Project name | You can only use letters `(a-z, A-Z)`, and numbers `(0-9)` ,symbols `_ . -`,with no spaces. Maximum allowed length is 50 characters. |

+| Intent name| You can only use letters `(a-z, A-Z)`, numbers `(0-9)` and all symbols except ":", `$ & % * ( ) + ~ # / ?`. Maximum allowed length is 50 characters.|

+Transparency Notes are part of a broader effort at Microsoft to put our AI principles into practice. To find out more, see [Microsoft AI Principles](https://www.microsoft.com/ai/responsible-ai).

+The tool can be accessed through an npm package `@azure/communication-monitoring`. The package contains the `CommunicationMonitoring` object that can be attached to a `Call`. Instructions on how to initialize the required `CallClient` and `CallAgent` objects can be found [here](../../how-tos/calling-sdk/manage-calls.md?pivots=platform-web#initialize-required-objects). `CommunicationMonitoring` also requires an `HTMLDivElement` as part of its constructor on which it will be rendered. The `HTMLDivElement` will dictate the size of the rendered panel.

+- [Consume call logs with Azure Monitor](../analytics/call-logs-azure-monitor.md)

+> Previously, the process of deploying container groups on virtual networks used [network profiles](./container-instances-virtual-network-concepts.md#network-profile) for configuration. However, network profiles have been retired as of the `2021-07-01` API version. We recommend you use the latest API version, which relies on [subnet IDs](../virtual-network/subnet-delegation-overview.md) instead.

+* The [Azure Container Registry](../container-registry/container-registry-vnet.md) must have [Public Access set to 'All Networks'](../container-registry/container-registry-access-selected-networks.md). To use an Azure container registry with Public Access set to 'Select Networks' or 'None', visit [ACI's article for using Managed-Identity based authentication with ACR](../container-registry/container-registry-authentication-managed-identity.md).

+[az-keyvault-secret-set]: /cli/azure/keyvault/secret#az_keyvault_secret_set

+## Cost-effective analytics on historical data

+After the analytical store is enabled, based on the data retention needs of the transactional workloads, you can configure the transactional store Time-to-Live (TTTL) property to have records automatically deleted from the transactional store after a certain time period. Similarly, the analytical store Time-to-Live (ATTL) allows you to manage the lifecycle of data retained in the analytical store independent from the transactional store. By enabling analytical store and configuring TTL properties, you can seamlessly tier and define the data retention period for the two stores.

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio). Or [try Azure Cosmos DB for free](/azure/cosmos-db/try-free) without an Azure subscription.

+* Review the [BulkMode, which is part of .NET V3 SDK](../sql/tutorial-sql-api-dotnet-bulk-import.md)

+ * [Try Azure Cosmos DB for free](../try-free.md), a tests environment that lasts for 30 days.

+> [Import data into Azure Cosmos DB for the SQL API](../import-data.md)

+## Next steps

+Now that you've create a container, use the next guide to create items.

+> [!div class="nextstepaction"]

+> [Create an item](how-to-dotnet-create-item.md)

+## Next steps

+Now that you've created a database, use the next guide to create containers.

+> [!div class="nextstepaction"]

+> [Create a container](how-to-dotnet-create-container.md)

+ Title: Create an item in Azure Cosmos DB SQL API using .NET

+description: Learn how to create, upsert, or replace an item in your Azure Cosmos DB SQL API container using the .NET SDK.

+ms.devlang: csharp

+# Create an item in Azure Cosmos DB SQL API using .NET

+Items in Azure Cosmos DB represent a specific entity stored within a container. In the SQL API, an item consists of JSON-formatted data with a unique identifier.

+## Create a unique identifier for an item

+The unique identifier is a distinct string that identifies an item within a container. The ``id`` property is the only required property when creating a new JSON document. For example, this JSON document is a valid item in Azure Cosmos DB:

+```json

+{

+ "id": "unique-string-2309509"

+}

+```

+Within the scope of a container, two items can't share the same unique identifier.

+> [!IMPORTANT]

+> The ``id`` property is case-sensitive. Properties named ``ID``, ``Id``, ``iD``, and ``_id`` will be treated as an arbitrary JSON property.

+Once created, the URI for an item is in this format:

+``https://<cosmos-account-name>.documents.azure.com/dbs/<database-name>/docs/<item-resource-identifier>``

+When referencing the item using a URI, use the system-generated *resource identifier* instead of the ``id`` field. For more information about system-generated item properties in Azure Cosmos DB SQL API, see [properties of an item](../account-databases-containers-items.md#properties-of-an-item)

+## Create an item

+> [!NOTE]

+> The examples in this article assume that you have already defined a C# type to represent your data named **Product**:

+>

+> :::code language="csharp" source="~/azure-cosmos-dotnet-v3/250-create-item/Product.cs" id="type" :::

+>

+> The examples also assume that you have already created a new object of type **Product** named **newItem**:

+>

+> :::code language="csharp" source="~/azure-cosmos-dotnet-v3/250-create-item/Program.cs" id="create_object" :::

+>

+To create an item, call one of the following methods:

+* [``CreateItemAsync<>``](#create-an-item-asynchronously)

+* [``ReplaceItemAsync<>``](#replace-an-item-asynchronously)

+* [``UpsertItemAsync<>``](#create-or-replace-an-item-asynchronously)

+## Create an item asynchronously

+The following example creates a new item asynchronously:

+The [``Container.CreateItemAsync<>``](/dotnet/api/microsoft.azure.cosmos.container.createitemasync) method will throw an exception if there's a conflict with the unique identifier of an existing item. To learn more about potential exceptions, see [``CreateItemAsync<>`` exceptions](/dotnet/api/microsoft.azure.cosmos.container.createitemasync#exceptions).

+## Replace an item asynchronously

+The following example replaces an existing item asynchronously:

+The [``Container.ReplaceItemAsync<>``](/dotnet/api/microsoft.azure.cosmos.container.replaceitemasync) method requires the provided string for the ``id`` parameter to match the unique identifier of the ``item`` parameter.

+## Create or replace an item asynchronously

+The following example will create a new item or replace an existing item if an item already exists with the same unique identifier:

+The [``Container.UpsertItemAsync<>``](/dotnet/api/microsoft.azure.cosmos.container.upsertitemasync) method will use the unique identifier of the ``item`` parameter to determine if there's a conflict with an existing item and to replace the item appropriately.

+## Next steps

+Now that you've created various items, use the next guide to read an item.

+> [!div class="nextstepaction"]

+> [Read an item](how-to-dotnet-read-item.md)

+1. Use the [``az cosmosdb list``](/cli/azure/cosmosdb#az-cosmosdb-list) command to retrieve the name of the first Azure Cosmos DB account in your resource group and store it in the *accountName* shell variable.

+If you're testing on a local machine, or your application will run on Azure services with direct support for managed identities, obtain an OAuth token by creating a [``DefaultAzureCredential``](/dotnet/api/azure.identity.defaultazurecredential) instance.

+You can obtain the client ID, tenant ID, and client secret when you register an application in Azure Active Directory (AD). For more information about registering Azure AD applications, see [Register an application with the Microsoft identity platform](../../active-directory/develop/quickstart-register-app.md).

+* The SQL API account, which is the unique top-level namespace for your Azure Cosmos DB data.

+* Databases, which organize the containers in your account.

+* Containers, which contain a set of individual items in your database.

+* Items, which represent a JSON document in your container.

+* [Package (NuGet)](https://www.nuget.org/packages/Microsoft.Azure.Cosmos)

+* [Samples](samples-dotnet.md)

+* [API reference](/dotnet/api/microsoft.azure.cosmos)

+* [Library source code](https://github.com/Azure/azure-cosmos-dotnet-v3)

+* [Give Feedback](https://github.com/Azure/azure-cosmos-dotnet-v3/issues)

+ Title: Query items in Azure Cosmos DB SQL API using .NET

+description: Learn how to query items in your Azure Cosmos DB SQL API container using the .NET SDK.

+ms.devlang: csharp

+# Query items in Azure Cosmos DB SQL API using .NET

+Items in Azure Cosmos DB represent entities stored within a container. In the SQL API, an item consists of JSON-formatted data with a unique identifier. When you issue queries using the SQL API, results are returned as a JSON array of JSON documents.

+## Query items using SQL

+The Azure Cosmos DB SQL API supports the use of Structured Query Language (SQL) to perform queries on items in containers. A simple SQL query like ``SELECT * FROM products`` will return all items and properties from a container. Queries can be even more complex and include specific field projections, filters, and other common SQL clauses:

+```sql

+SELECT

+ p.name,

+ p.description AS copy

+FROM

+ products p

+WHERE

+ p.price > 500

+```

+To learn more about the SQL syntax for Azure Cosmos DB SQL API, see [Getting started with SQL queries](sql-query-getting-started.md).

+## Query an item

+> [!NOTE]

+> The examples in this article assume that you have already defined a C# type to represent your data named **Product**:

+>

+> :::code language="csharp" source="~/azure-cosmos-dotnet-v3/300-query-items/Product.cs" id="type" :::

+>

+To query items in a container, call one of the following methods:

+* [``GetItemQueryIterator<>``](#query-items-using-a-sql-query-asynchronously)

+* [``GetItemLinqQueryable<>``](#query-items-using-linq-asynchronously)

+## Query items using a SQL query asynchronously

+This example builds a SQL query using a simple string, retrieves a feed iterator, and then uses nested loops to iterate over results. The outer **while** loop will iterate through result pages, while the inner **foreach** loop iterates over results within a page.

+The [Container.GetItemQueryIterator<>](/dotnet/api/microsoft.azure.cosmos.container.getitemqueryiterator) method returns a [``FeedIterator<>``](/dotnet/api/microsoft.azure.cosmos.feediterator-1) that is used to iterate through multi-page results. The ``HasMoreResults`` property indicates if there are more result pages left. The ``ReadNextAsync`` method gets the next page of results as an enumerable that is then used in a loop to iterate over results.

+Alternatively, use the [QueryDefinition](/dotnet/api/microsoft.azure.cosmos.querydefinition) to build a SQL query with parameterized input:

+> [!TIP]

+> Parameterized input values can help prevent many common SQL query injection attacks.

+## Query items using LINQ asynchronously

+In this example, an [``IQueryable``<>](/dotnet/api/system.linq.iqueryable) object is used to construct a [Language Integrated Query (LINQ)](/dotnet/csharp/programming-guide/concepts/linq/). The results are then iterated over using a feed iterator.

+The [Container.GetItemLinqQueryable<>](/dotnet/api/microsoft.azure.cosmos.container.getitemlinqqueryable) method constructs an ``IQueryable`` to build the LINQ query. Then the ``ToFeedIterator<>`` method is used to convert the LINQ query expression into a [``FeedIterator<>``](/dotnet/api/microsoft.azure.cosmos.feediterator-1).

+> [!TIP]

+> While you can iterate over the ``IQueryable<>``, this operation is synchronous. Use the ``ToFeedIterator<>`` method to gather results asynchronously.

+## Next steps

+Now that you've queried multiple items, try one of our end-to-end tutorials with the SQL API.

+> [!div class="nextstepaction"]

+> [Build a .NET console app in Azure Cosmos DB SQL API](sql-api-get-started.md)

+ Title: Read an item in Azure Cosmos DB SQL API using .NET

+description: Learn how to point read a specific item in your Azure Cosmos DB SQL API container using the .NET SDK.

+ms.devlang: csharp

+# Read an item in Azure Cosmos DB SQL API using .NET

+Items in Azure Cosmos DB represent a specific entity stored within a container. In the SQL API, an item consists of JSON-formatted data with a unique identifier.

+## Reading items with unique identifiers

+Every item in Azure Cosmos DB SQL API has a unique identifier specified by the ``id`` property. Within the scope of a container, two items can't share the same unique identifier. However, Azure Cosmos DB requires both the unique identifier and the partition key value of an item to perform a quick *point read* of that item. If only the unique identifier is available, you would have to perform a less efficient [query](how-to-dotnet-query-items.md) to look up the item across multiple logical partitions. To learn more about point reads and queries, see [optimize request cost for reading data](../optimize-cost-reads-writes.md#reading-data-point-reads-and-queries).

+## Read an item

+> [!NOTE]

+> The examples in this article assume that you have already defined a C# type to represent your data named **Product**:

+>

+> :::code language="csharp" source="~/azure-cosmos-dotnet-v3/275-read-item/Product.cs" id="type" :::

+>

+To perform a point read of an item, call one of the following methods:

+* [``ReadItemAsync<>``](#read-an-item-asynchronously)

+* [``ReadItemStreamAsync<>``](#read-an-item-as-a-stream-asynchronously)

+* [``ReadManyItemsAsync<>``](#read-multiple-items-asynchronously)

+## Read an item asynchronously

+The following example point reads a single item asynchronously and returns a deserialized item using the provided generic type:

+The [``Database.ReadItemAsync<>``](/dotnet/api/microsoft.azure.cosmos.container.readitemasync) method reads and item and returns an object of type [``ItemResponse<>``](/dotnet/api/microsoft.azure.cosmos.itemresponse-1). The **ItemResponse<>** type inherits from the [``Response<>``](/dotnet/api/microsoft.azure.cosmos.response-1) type, which contains an implicit conversion operator to convert the object into the generic type. To learn more about implicit operators, see [user-defined conversion operators](/dotnet/csharp/language-reference/operators/user-defined-conversion-operators).

+Alternatively, you can return the **ItemResponse<>** generic type and explicitly get the resource. The more general **ItemResponse<>** type also contains useful metadata about the underlying API operation. In this example, metadata about the request unit charge for this operation is gathered using the **RequestCharge** property.

+## Read an item as a stream asynchronously

+This example reads an item as a data stream directly:

+The [``Container.ReadItemStreamAsync``](/dotnet/api/microsoft.azure.cosmos.container.readitemstreamasync) method returns the item as a [``Stream``](/dotnet/api/system.io.stream) without deserializing the contents.

+If you aren't planning to deserialize the items directly, using the stream APIs can improve performance by handing off the item as a stream directly to the next component of your application. For more tips on how to optimize the SDK for high performance scenarios, see [SDK performance tips](performance-tips-dotnet-sdk-v3-sql.md#sdk-usage).

+## Read multiple items asynchronously

+In this example, a list of tuples containing unique identifier and partition key pairs are used to look up and retrieve multiple items:

+[``Container.ReadManyItemsAsync<>``](/dotnet/api/microsoft.azure.cosmos.container.readmanyitemsasync) returns a list of items based on the unique identifiers and partition keys you provide. This operation is typically more performant than a query since you'll effectively perform a point read operation on all items in the list.

+## Next steps

+Now that you've read various items, use the next guide to query items.

+> [!div class="nextstepaction"]

+> [Query items](how-to-dotnet-query-items.md)

+ resourceGroupName="msdocs-cosmos-quickstart-rg"

+ accountName="msdocs-$suffix"

+ $RESOURCE_GROUP_NAME = "msdocs-cosmos-quickstart-rg"

+ $ACCOUNT_NAME = "msdocs-$SUFFIX"

+> For this quickstart, we recommend using the resource group name ``msdocs-cosmos-quickstart-rg``.

+For more information on creating, upserting, or replacing items, see [Create an item in Azure Cosmos DB SQL API using .NET](how-to-dotnet-create-item.md).

+For more information about reading items and parsing the response, see [Read an item in Azure Cosmos DB SQL API using .NET](how-to-dotnet-read-item.md).

+ > In this quickstart, we recommended the name ``msdocs-cosmos-quickstart-rg``.

+ * [Try Azure Cosmos DB for free](../try-free.md), a tests environment that lasts for 30 days.

+* If you know typical request rates for your current database workload, read about [estimating request units using Azure Cosmos DB capacity planner](estimate-ru-with-capacity-planner.md)

+Authorization to invite guest users is controlled by your Azure AD settings. The value of the settings is shown under **Settings** on the **Organizational relationships** page. Ensure that the setting is selected, otherwise the invitation fails. For more information, see [Restrict guest user access permissions](../../active-directory/enterprise-users/users-restrict-guest-permissions.md).

+- [What is Azure Active Directory?](../../active-directory/fundamentals/active-directory-whatis.md)

+> REST endpoints that the web activity invokes must return a response of type JSON. The activity will timeout at 1 minute with an error if it does not receive a response from the endpoint. For endpoints that support [Asynchronous Request-Reply pattern](/azure/architecture/patterns/async-request-reply), the web activity will continue to wait without timeing out (upto 7 day) or till the endpoints signals completion of the job.

+ 

+ 

+ 

+You may need to replace a node if one of the nodes on your device is down or not healthy. Perform these steps on the node that you're trying to replace.

+ 

+ a. Choose the node to replace. This should be automatically selected as the node, which is down.

+ b. Prepare another node. Configure the networking on this node in the same way as you set up on the first node. Get the node serial number and authentication token from the new incoming node.

+

+ c. Provide the **Node serial number** for the incoming replacement node.

+

+ d. Supply the **Node token** for the incoming replacement node.

+

+ e. Select **Validate & add**. The credentials of the incoming node are now validated.

+

+ 

+ f. Once the validation has successfully completed, select **Add node** to complete the node replacement. It may take several minutes for the replacement node to get added to form the cluster.

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+| :::image type="icon" source="media/secure-score-security-controls/preview-icon.png" border="false"::: | **Preview recommendation** | This recommendation won't affect your secure score until it's GA. |

+This API is supported for maintenance purposes only and is not meant to be used instead of [alert exclusion rules](./how-to-work-with-alerts-on-premises-management-console.md#create-alert-exclusion-rules). Use this API for one-time maintenance operations only.

+- [Investigate all enterprise sensor detections in a device inventory](how-to-investigate-all-enterprise-sensor-detections-in-a-device-inventory.md)

+| Azure Resources | 400 Bad Request, 413 Request Entity Too Large, 403 Forbidden, 404 Not Found |

+> If dead-letter isn't configured for an endpoint, events will be dropped when the above errors happen. Consider configuring dead-letter if you don't want these kinds of events to be dropped. Dead lettered events will be dropped when the dead dead-letter destination is not found.

+# Configure an Azure DDoS Protection Plan using Azure Firewall Manager

+ Title: Manage Azure Web Application Firewall policies

+# Manage Web Application Firewall policies

+- [Configure WAF policies using Azure Firewall Manager](../web-application-firewall/shared/manage-policies.md)

+1. Select **Next : TLS inspection**

+> The **HTTP version** match condition is only available on Azure Front Door Standard/Premium.

+> Using the Azure Resource Manager REST API, you can enable diagnostic settings on a management group to send related Azure Activity log entries to a Log Analytics workspace, Azure Storage, or Azure Event Hub. For more information, see [Management Group Diagnostic Settings - Create Or Update](/rest/api/monitor/management-group-diagnostic-settings/create-or-update).

+- See options for [How to protect your resource hierarchy](./how-to/protect-resource-hierarchy.md)

+ [Create policy definition from constraint template](../how-to/extension-for-vscode.md#create-policy-definition-from-constraint-template) to create a

+- Review what a management group is with [Organize your resources with Azure management groups](../../management-groups/overview.md).

+The Azure portal is a web-based application that can be used to create, manage, and remove Azure resources and services. The Azure portal is located at [portal.azure.com](https://portal.azure.com). It includes a customizable dashboard and tooling for managing Azure resources. It also provides billing and subscription information. For more information, see [Microsoft Azure portal overview](../../azure-portal/azure-portal-overview.md) and [Manage Azure resources through portal](../../azure-resource-manager/management/manage-resources-portal.md).

+- [Create a Linux VM](../../virtual-machines/linux/quick-create-portal.md)

+For more information, see [Apache Spark & Hive - Hive Warehouse Connector - Azure HDInsight | Microsoft Docs](./interactive-query/apache-hive-warehouse-connector.md)

+| HiveServer2: Preauthenticated subject for http transport isn't retained for entire duration of http communication in some cases|[HIVE-20555](https://issues.apache.org/jira/browse/HIVE-20555)|

+ Title: API versioning for DICOM service - Azure Health Data Services

+The version of the REST API must be explicitly specified in the request URL as in the following example:

+> [!NOTE]

+> Routes without a version are no longer supported.

+`<service_url>/v<version>/api.yaml`

+ Title: Configure cross-origin resource sharing in DICOM service in Azure Health Data Services

+description: This article describes how to configure cross-origin resource sharing in DICOM service in Azure Health Data Services

+# Configure cross-origin resource sharing in DICOM service in Azure Health Data Services

+## What is cross-origin resource sharing in DICOM service in Azure Health Data Services?

+DICOM service in Azure Health Data Services (hereby called DICOM service) supports [cross-origin resource sharing (CORS)](https://wikipedia.org/wiki/Cross-Origin_Resource_Sharing). CORS allows you to configure settings so that applications from one domain (origin) can access resources from a different domain, known as a cross-domain request.

+CORS is often used in a single-page app that must call a RESTful API to a different domain.

+## Cross-origin resource sharing configuration settings

+To configure a CORS setting in the DICOM service, specify the following settings:

+- **Origins (Access-Control-Allow-Origin)**. A list of domains allowed to make cross-origin requests to the DICOM service. Each domain (origin) must be entered in a separate line. You can enter an asterisk (*) to allow calls from any domain, but we don't recommend it because it's a security risk.

+- **Headers (Access-Control-Allow-Headers)**. A list of headers that the origin request will contain. To allow all headers, enter an asterisk (*).

+- **Methods (Access-Control-Allow-Methods)**. The allowed methods (PUT, GET, POST, and so on) in an API call. Choose **Select all** for all methods.

+- **Max age (Access-Control-Max-Age)**. The value in seconds to cache preflight request results for Access-Control-Allow-Headers and Access-Control-Allow-Methods.

+- **Allow credentials (Access-Control-Allow-Credentials)**. CORS requests normally donΓÇÖt include cookies to prevent [cross-site request forgery (CSRF)](https://en.wikipedia.org/wiki/Cross-site_request_forgery) attacks. If you select this setting, the request can be made to include credentials, such as cookies. You can't configure this setting if you already set Origins with an asterisk (*).

+> [!NOTE]

+> You can't specify different settings for different domain origins. All settings (**Headers**, **Methods**, **Max age**, and **Allow credentials**) apply to all origins specified in the Origins setting.

+## Next steps

+For more information about DICOM service, see

+> [!div class="nextstepaction"]

+> [Overview of the DICOM service](./dicom-services-overview.md)

+Our service makes use of REST API versioning.

+> [!NOTE]

+> The version of the REST API must be explicitly specified in the request URL as in the following example:

+>

+> `https://<service_url>/v<version>/studies`

+For information on how to specify the version when making requests visit the [API Versioning for DICOM service documentation](api-versioning-dicom-service.md).

+|DICOM service supports cross-origin resource sharing (CORS) |DICOM service now supports [CORS](./../healthcare-apis/dicom/configure-cross-origin-resource-sharing.md). CORS allows you to configure settings so that applications from one domain (origin) can access resources from a different domain, known as a cross-domain request. |

+In the following, there are several Command-line Arguments described that can be used to set global settings for OPC Publisher.

+> Command-line Arguments overrule environment variable settings.

+## OPC Publisher Command-line Arguments for Version 2.8.2 and above

+The following OPC Publisher configuration can be applied by Command Line Interface (CLI) options or as environment variable settings.

+The `Alternative` field, where present, refers to the CLI argument applicable in **standalone mode only**. When both environment variable and CLI argument are provided, the latest will overrule the env variable.

+```

+ PublishedNodesFile=VALUE

+ The file used to store the configuration of the nodes to be published

+ along with the information to connect to the OPC UA server sources

+ When this file is specified, or the default file is accessible by

+ the module, OPC Publisher will start in standalone mode

+ Alternative: --pf, --publishfile

+ Mode: Standalone only

+ Type: string - file name, optionally prefixed with the path

+ Default: publishednodes.json

+ site=VALUE

+ The site OPC Publisher is assigned to

+ Alternative: --s, --site

+ Mode: Standalone and Orchestrated

+ Type: string

+ Default: <not set>

+ LogFileName==VALUE

+ The filename of the logfile to use

+ Alternative: --lf, --logfile

+ Mode: Standalone only

+ Type: string - file name, optionally prefixed with the path

+ Default: <not set>

+ LogFileFlushTimeSpan=VALUE

+ The time span in seconds when the logfile should be flushed in the storage

+ Alternative: --lt, --logflushtimespan

+ Mode: Standalone only

+ Environment variable type: time span string {[d.]hh:mm:ss[.fffffff]}

+ Alternative argument type: integer in seconds

+ Default: {00:00:30}

+ loglevel=Value

+ The level for logs to pe persisted in the logfile

+ Alternative: --ll --loglevel

+ Mode: Standalone only

+ Type: string enum - Fatal, Error, Warning, Information, Debug, Verbose

+ Default: info

+ EdgeHubConnectionString=VALUE

+ An IoT Edge Device or IoT Edge module connection string to use,

+ when deployed as module in IoT Edge, the environment variable

+ is already set as part of the container deployment

+ Alternative: --dc, --deviceconnectionstring

+ --ec, --edgehubconnectionstring

+ Mode: Standalone and Orchestrated

+ Type: connection string

+ Default: <not set> <set by iotedge runtime>

+ Transport=VALUE

+ Protocol to use for upstream communication to edgeHub or IoTHub

+ Alternative: --ih, --iothubprotocol

+ Mode: Standalone and Orchestrated

+ Type: string enum: Any, Amqp, Mqtt, AmqpOverTcp, AmqpOverWebsocket,

+ MqttOverTcp, MqttOverWebsocket, Tcp, Websocket.

+ Default: MqttOverTcp

+ BypassCertVerification=VALUE

+ Enables/disables bypass of certificate verification for upstream communication to edgeHub

+ Alternative: N/A

+ Mode: Standalone and Orchestrated

+ Type: boolean

+ Default: false

+

+ EnableMetrics=VALUE

+ Enables/disables upstream metrics propagation

+ Alternative: N/A

+ Mode: Standalone and Orchestrated

+ Type: boolean

+ Default: true

+ DefaultPublishingInterval=VALUE

+ Default value for the OPC UA publishing interval of OPC UA subscriptions

+ created to an OPC UA server. This value is used when no explicit setting

+ is configured.

+ Alternative: --op, --opcpublishinginterval

+ Mode: Standalone only

+ Environment variable type: time span string {[d.]hh:mm:ss[.fffffff]}

+ Alternative argument type: integer in milliseconds

+ Default: {00:00:01} (1000)

+ DefaultSamplingInterval=VALUE

+ Default value for the OPC UA sampling interval of nodes to publish.

+ This value is used when no explicit setting is configured.

+ Alternative: --oi, --opcsamplinginterval

+ Mode: Standalone only

+ Environment variable type: time span string {[d.]hh:mm:ss[.fffffff]}

+ Alternative argument type: integer in milliseconds

+ Default: {00:00:01} (1000)

+ DefaultQueueSize=VALUE

+ Default setting value for the monitored item's queue size to be used when

+ not explicitly specified in pn.json file

+ Alternative: --mq, --monitoreditemqueuecapacity

+ Mode: Standalone only

+ Type: integer

+ Default: 1

+ DefaultHeartbeatInterval=VALUE

+ Default value for the heartbeat interval setting of published nodes

+ having no explicit setting for heartbeat interval.

+ Alternative: --hb, --heartbeatinterval

+ Mode: Standalone

+ Environment variable type: time span string {[d.]hh:mm:ss[.fffffff]}

+ Alternative argument type: integer in seconds

+ Default: {00:00:00} meaning heartbeat is disabled

+ MessageEncoding=VALUE

+ The messaging encoding for outgoing telemetry.

+ Alternative: --me, --messageencoding

+ Mode: Standalone only

+ Type: string enum - Json, Uadp

+ Default: Json

+ MessagingMode=VALUE

+ The messaging mode for outgoing telemetry.

+ Alternative: --mm, --messagingmode

+ Mode: Standalone only

+ Type: string enum - PubSub, Samples

+ Default: Samples

+ FetchOpcNodeDisplayName=VALUE

+ Fetches the DisplayName for the nodes to be published from

+ the OPC UA Server when not explicitly set in the configuration.

+ Note: This has high impact on OPC Publisher startup performance.

+ Alternative: --fd, --fetchdisplayname

+ Mode: Standalone only

+ Type: boolean

+ Default: false

+ FullFeaturedMessage=VALUE

+ The full featured mode for messages (all fields filled in the telemetry).

+ Default is 'false' for legacy compatibility.

+ Alternative: --fm, --fullfeaturedmessage

+ Mode: Standalone only

+ Type:boolean

+ Default: false

+ BatchSize=VALUE

+ The number of incoming OPC UA data change messages to be cached for batching.

+ When BatchSize is 1 or TriggerInterval is set to 0 batching is disabled.

+ Alternative: --bs, --batchsize

+ Mode: Standalone and Orchestrated

+ Type: integer

+ Default: 50

+ BatchTriggerInterval=VALUE

+ The batching trigger interval.

+ When BatchSize is 1 or TriggerInterval is set to 0 batching is disabled.

+ Alternative: --si, --iothubsendinterval

+ Mode: Standalone and Orchestrated

+ Environment variable type: time span string {[d.]hh:mm:ss[.fffffff]}

+ Alternative argument type: integer in seconds

+ Default: {00:00:10}

+ IoTHubMaxMessageSize=VALUE

+ The maximum size of the (IoT D2C) telemetry message.

+ Alternative: --ms, --iothubmessagesize

+ Mode: Standalone and Orchestrated

+ Type: integer

+ Default: 0

+ DiagnosticsInterval=VALUE

+ Shows publisher diagnostic info at the specified interval in seconds

+ (need log level info). -1 disables remote diagnostic log and

+ diagnostic output

+ Alternative: --di, --diagnosticsinterval

+ Mode: Standalone only

+ Environment variable type: time span string {[d.]hh:mm:ss[.fffffff]}

+ Alternative argument type: integer in seconds

+ Default: {00:00:60}

+ LegacyCompatibility=VALUE

+ Forces the Publisher to operate in 2.5 legacy mode, using

+ `"application/opcua+uajson"` for `ContentType` on the IoT Hub

+ Telemetry message.

+ Alternative: --lc, --legacycompatibility

+ Mode: Standalone only

+ Type: boolean

+ Default: false

+ PublishedNodesSchemaFile=VALUE

+ The validation schema filename for published nodes file.

+ Alternative: --pfs, --publishfileschema

+ Mode: Standalone only

+ Type: string

+ Default: <not set>

+ MaxNodesPerDataSet=VALUE

+ Maximum number of nodes within a DataSet/Subscription.

+ When more nodes than this value are configured for a

+ DataSetWriter, they will be added in a separate DataSet/Subscription.

+ Alternative: N/A

+ Mode: Standalone only

+ Type: integer

+ Default: 1000

+ ApplicationName=VALUE

+ OPC UA Client Application Config - Application name as per

+ OPC UA definition. This is used for authentication during communication

+ init handshake and as part of own certificate validation.

+ Alternative: --an, --appname

+ Mode: Standalone and Orchestrated

+ Type: string

+ Default: "Microsoft.Azure.IIoT"

+ ApplicationUri=VALUE

+ OPC UA Client Application Config - Application URI as per

+ OPC UA definition.

+ Alternative: N/A

+ Mode: Standalone and Orchestrated

+ Type: string

+ Default: $"urn:localhost:{ApplicationName}:microsoft:"

+ ProductUri=VALUE

+ OPC UA Client Application Config - Product URI as per

+ OPC UA definition.

+ Alternative: N/A

+ Mode: Standalone and Orchestrated

+ Type: string

+ Default: "https://www.github.com/Azure/Industrial-IoT"

+ DefaultSessionTimeout=VALUE

+ OPC UA Client Application Config - Session timeout in seconds

+ as per OPC UA definition.

+ Alternative: --ct --createsessiontimeout

+ Mode: Standalone and Orchestrated

+ Type: integer

+ Default: 0, meaning <not set>

+ MinSubscriptionLifetime=VALUE

+ OPC UA Client Application Config - Minimum subscription lifetime in seconds

+ as per OPC UA definition.

+ Alternative: N/A

+ Mode: Standalone and Orchestrated

+ Type: integer

+ Default: 0, <not set>

+ KeepAliveInterval=VALUE

+ OPC UA Client Application Config - Keep alive interval in seconds

+ as per OPC UA definition.

+ Alternative: --ki, --keepaliveinterval

+ Mode: Standalone and Orchestrated

+ Type: integer milliseconds

+ Default: 10,000 (10s)

+ MaxKeepAliveCount=VALUE

+ OPC UA Client Application Config - Maximum count of keep alive events

+ as per OPC UA definition.

+ Alternative: --kt, --keepalivethreshold

+ Mode: Standalone and Orchestrated

+ Type: integer

+ Default: 50

+ PkiRootPath=VALUE

+ OPC UA Client Security Config - PKI certificate store root path

+ Alternative: N/A

+ Mode: Standalone and Orchestrated

+ Type: string

+ Default: "pki"

+ ApplicationCertificateStorePath=VALUE

+ OPC UA Client Security Config - application's

+ own certificate store path

+ Alternative: --ap, --appcertstorepath

+ Mode: Standalone and Orchestrated

+ Type: string

+ Default: $"{PkiRootPath}/own"

+ ApplicationCertificateStoreType=VALUE

+ OPC UA Client Security Config - application's

+ own certificate store type

+ Alternative: --at, --appcertstoretype

+ Mode: Standalone and Orchestrated

+ Type: enum string : Directory, X509Store

+ Default: Directory

+ ApplicationCertificateSubjectName=VALUE

+ OPC UA Client Security Config - the subject name

+ in the application's own certificate

+ Alternative: --sn, --appcertsubjectname

+ Mode: Standalone and Orchestrated

+ Type: string

+ Default: "CN=Microsoft.Azure.IIoT, C=DE, S=Bav, O=Microsoft, DC=localhost"

+ TrustedIssuerCertificatesPath=VALUE

+ OPC UA Client Security Config - trusted certificate issuer

+ store path

+ Alternative: --ip, --issuercertstorepath

+ Mode: Standalone and Orchestrated

+ Type: string

+ Default: $"{PkiRootPath}/issuers"

+ TrustedIssuerCertificatesType=VALUE

+ OPC UA Client Security Config - trusted issuer certificates

+ store type

+ Alternative: N/A

+ Mode: Standalone and Orchestrated

+ Type: enum string : Directory, X509Store

+ Default: Directory

+ TrustedPeerCertificatesPath=VALUE

+ OPC UA Client Security Config - trusted peer certificates

+ store path

+ Alternative: --tp, --trustedcertstorepath

+ Mode: Standalone and Orchestrated

+ Type: string

+ Default: $"{PkiRootPath}/trusted"

+ TrustedPeerCertificatesType=VALUE

+ OPC UA Client Security Config - trusted peer certificates

+ store type

+ Alternative: N/A

+ Mode: Standalone and Orchestrated

+ Type: enum string : Directory, X509Store

+ Default: Directory

+ RejectedCertificateStorePath=VALUE

+ OPC UA Client Security Config - rejected certificates

+ store path

+ Alternative: --rp, --rejectedcertstorepath

+ Mode: Standalone and Orchestrated

+ Type: string

+ Default: $"{PkiRootPath}/rejected"

+ RejectedCertificateStoreType=VALUE

+ OPC UA Client Security Config - rejected certificates

+ store type

+ Alternative: N/A

+ Mode: Standalone and Orchestrated

+ Type: enum string : Directory, X509Store

+ Default: Directory

+ AutoAcceptUntrustedCertificates=VALUE

+ OPC UA Client Security Config - auto accept untrusted

+ peer certificates

+ Alternative: --aa, --autoaccept

+ Mode: Standalone and Orchestrated

+ Type: boolean

+ Default: false

+ RejectSha1SignedCertificates=VALUE

+ OPC UA Client Security Config - reject deprecated Sha1

+ signed certificates

+ Alternative: N/A

+ Mode: Standalone and Orchestrated

+ Type: boolean

+ Default: false

+ MinimumCertificateKeySize=VALUE

+ OPC UA Client Security Config - minimum accepted

+ certificates key size

+ Alternative: N/A

+ Mode: Standalone and Orchestrated

+ Type: integer

+ Default: 1024

+ AddAppCertToTrustedStore=VALUE

+ OPC UA Client Security Config - automatically copy own

+ certificate's public key to the trusted certificate store

+ Alternative: --tm, --trustmyself

+ Mode: Standalone and Orchestrated

+ Type: boolean

+ Default: true

+ SecurityTokenLifetime=VALUE

+ OPC UA Stack Transport Secure Channel - Security token lifetime in milliseconds

+ Alternative: N/A

+ Mode: Standalone and Orchestrated

+ Type: integer (milliseconds)

+ Default: 3,600,000 (1h)

+ ChannelLifetime=VALUE

+ OPC UA Stack Transport Secure Channel - Channel lifetime in milliseconds

+ Alternative: N/A

+ Mode: Standalone and Orchestrated

+ Type: integer (milliseconds)

+ Default: 300,000 (5 min)

+ MaxBufferSize=VALUE

+ OPC UA Stack Transport Secure Channel - Max buffer size

+ Alternative: N/A

+ Mode: Standalone and Orchestrated

+ Type: integer

+ Default: 65,535 (64KB -1)

+ MaxMessageSize=VALUE

+ OPC UA Stack Transport Secure Channel - Max message size

+ Alternative: N/A

+ Mode: Standalone and Orchestrated

+ Type: integer

+ Default: 4,194,304 (4 MB)

+ MaxArrayLength=VALUE

+ OPC UA Stack Transport Secure Channel - Max array length

+ Alternative: N/A

+ Mode: Standalone and Orchestrated

+ Type: integer

+ Default: 65,535 (64KB - 1)

+ MaxByteStringLength=VALUE

+ OPC UA Stack Transport Secure Channel - Max byte string length

+ Alternative: N/A

+ Mode: Standalone and Orchestrated

+ Type: integer

+ Default: 1,048,576 (1MB);

+ OperationTimeout=VALUE

+ OPC UA Stack Transport Secure Channel - OPC UA Service call

+ operation timeout

+ Alternative: --ot, --operationtimeout

+ Mode: Standalone and Orchestrated

+ Type: integer (milliseconds)

+ Default: 120,000 (2 min)

+ MaxStringLength=VALUE

+ OPC UA Stack Transport Secure Channel - Maximum length of a string

+ that can be send/received over the OPC UA Secure channel

+ Alternative: --ol, --opcmaxstringlen

+ Mode: Standalone and Orchestrated

+ Type: integer

+ Default: 130,816 (128KB - 256)

+ RuntimeStateReporting=VALUE

+ Enables reporting of OPC Publisher restarts.

+ Alternative: --rs, --runtimestatereporting

+ Mode: Standalone

+ Type: boolean

+ Default: false

+ EnableRoutingInfo=VALUE

+ Adds the routing info to telemetry messages. The name of the property is

+ `$$RoutingInfo` and the value is the `DataSetWriterGroup` for that particular message.

+ When the `DataSetWriterGroup` is not configured, the `$$RoutingInfo` property will

+ not be added to the message even if this argument is set.

+ Alternative: --ri, --enableroutinginfo

+ Mode: Standalone

+ Type: boolean

+ Default: false

+```

+* Microsoft Azure Active Directory (Azure AD)→App registrations

+can be used as landing pages after authentication succeeds. The deployment script may be unable to configure this automatically under certain scenarios, such as lack of Azure AD admin rights. You may want to add or modify URIs when changing the hostname of the Web app, for example, the port number used by the localhost for debugging

+## Configuration via Command-line Arguments for OPC Publisher 2.8.2 and above

+There are [several Command-line Arguments](reference-command-line-arguments.md#opc-publisher-command-line-arguments-for-version-282-and-above) that can be used to set global settings for OPC Publisher.

+Refer to the `mode` part in the command line description to check if a Command-line Argument is applicable to orchestrated or standalone mode.

+1. On the menu in the left pane, select **IoT Edge** under **Device Management**.

+1. On the upper bar, select **Add Deployment** or **Add Layered Deployment**.

+[DoWhy](https://py-why.github.io/dowhy/) is a Python library that aims to spark causal thinking and analysis. DoWhy provides a principled four-step interface for causal inference that focuses on explicitly modeling causal assumptions and validating them as much as possible. The key feature of DoWhy is its state-of-the-art refutation API that can automatically test causal assumptions for any estimation method, thus making inference more robust and accessible to non-experts. DoWhy supports estimation of the average causal effect for backdoor, front-door, instrumental variable and other identification methods, and estimation of the conditional effect (CATE) through an integration with the EconML library.

+* The `label_column_name` parameter is only required for multi-class and multi-label text classification tasks.

+* If the majority of the samples in your dataset contain more than 128 words, it's considered long range. By default, automated ML considers all samples long range text. To disable this feature, include the `enable_long_range_text=False` parameter in your `AutoMLConfig`.

+The Azure CLI [extension v1 for machine learning](reference-azure-machine-learning-cli.md) provides the [az ml workspace update](/cli/azure/ml(v1)/workspace#az-ml(v1)-workspace-update) command. To enable the parameter for a workspace, add the parameter `--v1-legacy-mode true`.

+ Title: Troubleshoot private endpoint connection

+description: 'Learn how to troubleshoot connectivity problems to a workspace that is configured with a private endpoint.'

+# Troubleshoot connection to a workspace with a private endpoint

+When connecting to a workspace that has been configured with a private endpoint, you may encounter a 403 or a messaging saying that access is forbidden. Use the information in this article to check for common configuration problems that can cause this error.

+> [!TIP]

+> Before using the steps in this article, try the Azure Machine Learning workspace diagnostic API. It can help identify configuration problems with your workspace. For more information, see [How to use workspace diagnostics](how-to-workspace-diagnostic-api.md).

+## DNS configuration

+The troubleshooting steps for DNS configuration differ based on whether you're using Azure DNS or a custom DNS. Use the following steps to determine which one you're using:

+1. In the [Azure portal](https://portal.azure.com), select the private endpoint for your Azure Machine Learning workspace.

+1. From the __Overview__ page, select the __Network Interface__ link.

+ :::image type="content" source="./media/how-to-troubleshoot-secure-connection-workspace/private-endpoint-overview.png" alt-text="Screenshot of the private endpoint overview with network interface link highlighted.":::

+1. Under __Settings__, select __IP Configurations__ and then select the __Virtual network__ link.

+ :::image type="content" source="./media/how-to-troubleshoot-secure-connection-workspace/network-interface-ip-configurations.png" alt-text="Screenshot of the IP configuration with virtual network link highlighted.":::

+1. From the __Settings__ section on the left of the page, select the __DNS servers__ entry.

+ :::image type="content" source="./media/how-to-troubleshoot-secure-connection-workspace/dns-servers.png" alt-text="Screenshot of the DNS servers configuration.":::

+ * If this value is __Default (Azure-provided)__ or __168.63.129.16__, then the VNet is using Azure DNS. Skip to the [Azure DNS troubleshooting](#azure-dns-troubleshooting) section.

+ * If there's a different IP address listed, then the VNet is using a custom DNS solution. Skip to the [Custom DNS troubleshooting](#custom-dns-troubleshooting) section.

+### Custom DNS troubleshooting

+Use the following steps to verify if your custom DNS solution is correctly resolving names to IP addresses:

+1. From a virtual machine, laptop, desktop, or other compute resource that has a working connection to the private endpoint, open a web browser. In the browser, use the URL for your Azure region:

+ | Azure region | URL |

+ | -- | -- |

+ | Azure Government | https://portal.azure.us/?feature.privateendpointmanagedns=false |

+ | Azure China 21Vianet | https://portal.azure.cn/?feature.privateendpointmanagedns=false |

+ | All other regions | https://ms.portal.azure.com/?feature.privateendpointmanagedns=false |

+1. In the portal, select the private endpoint for the workspace. Make a list of FQDNs listed for the private endpoint.

+ :::image type="content" source="./media/how-to-troubleshoot-secure-connection-workspace/custom-dns-settings.png" alt-text="Screenshot of the private endpoint with custom DNS settings highlighted.":::

+1. Open a command prompt, PowerShell, or other command line and run the following command for each FQDN returned from the previous step. Each time you run the command, verify that the IP address returned matches the IP address listed in the portal for the FQDN:

+ `nslookup <fqdn>`

+ For example, running the command `nslookup 29395bb6-8bdb-4737-bf06-848a6857793f.workspace.eastus.api.azureml.ms` would return a value similar to the following text:

+ ```

+ Server: yourdnsserver

+ Address: yourdnsserver-IP-address

+ Name: 29395bb6-8bdb-4737-bf06-848a6857793f.workspace.eastus.api.azureml.ms

+ Address: 10.3.0.5

+ ```

+1. If the `nslookup` command returns an error, or returns a different IP address than displayed in the portal, then the custom DNS solution isn't configured correctly. For more information, see [How to use your workspace with a custom DNS server](how-to-custom-dns.md)

+### Azure DNS troubleshooting

+When using Azure DNS for name resolution, use the following steps to verify that the Private DNS integration is configured correctly:

+1. On the Private Endpoint, select __DNS configuration__. For each entry in the __Private DNS zone__ column, there should also be an entry in the __DNS zone group__ column.

+ :::image type="content" source="./media/how-to-troubleshoot-secure-connection-workspace/dns-zone-group.png" alt-text="Screenshot of the DNS configuration with Private DNS zone and group highlighted.":::

+ * If there's a Private DNS zone entry, but __no DNS zone group entry__, delete and recreate the Private Endpoint. When recreating the private endpoint, __enable Private DNS zone integration__.

+ * If __DNS zone group__ isn't empty, select the link for the __Private DNS zone__ entry.

+

+ From the Private DNS zone, select __Virtual network links__. There should be a link to the VNet. If there isn't one, then delete and recreate the private endpoint. When recreating it, select a Private DNS Zone linked to the VNet or create a new one that is linked to it.

+ :::image type="content" source="./media/how-to-troubleshoot-secure-connection-workspace/virtual-network-links.png" alt-text="Screenshot of the virtual network links for the Private DNS zone.":::

+1. Repeat the previous steps for the rest of the Private DNS zone entries.

+## Browser configuration (DNS over HTTPS)

+Check if DNS over HTTP is enabled in your web browser. DNS over HTTP can prevent Azure DNS from responding with the IP address of the Private Endpoint.

+* Mozilla Firefox: For more information, see [Disable DNS over HTTPS in Firefox](https://support.mozilla.org/en-US/kb/firefox-dns-over-https).

+* Microsoft Edge:

+ 1. Search for DNS in Microsoft Edge settings: image.png

+ 2. Disable __Use secure DNS to specify how to look up the network address for websites__.

+## Proxy configuration

+If you use a proxy, it may prevent communication with a secured workspace. To test, use one of the following options:

+* Temporarily disable the proxy setting and see if you can connect.

+* Create a [Proxy auto-config (PAC)](https://wikipedia.org/wiki/Proxy_auto-config) file that allows direct access to the FQDNs listed on the private endpoint. It should also allow direct access to the FQDN for any compute instances.

+* Configure your proxy server to forward DNS requests to Azure DNS.

+ Title: Troubleshoot SerializationError

+description: Troubleshooting steps when you get the "cannot import name 'SerializationError'" message.

+# Troubleshoot "cannot import name 'SerializationError'"

+When using Azure Machine Learning, you may receive the error "Cannot import name 'SerializationError'". This error may occur when using an Azure Machine Learning environment. For example, when submitting a training job.

+## Cause

+This problem is caused by a bug in the Azure Machine Learning SDK version 1.42.0.

+## Resolution

+Update your Azure Machine Learning environment to use SDK version 1.42.0.post1 or greater.

+For more information on updating an environment, see the following articles:

+* [Manage environments in studio](how-to-manage-environments-in-studio.md#rebuild-an-environment)

+* [Create & use software environments (SDK v1)](how-to-use-environments.md#update-an-existing-environment)

+* [Create & manage environments (CLI v2)](how-to-manage-environments-v2.md#update)

+# secret "todo-list-secret" deleted

+# project.project.openshift.io "eap-demo" deleted

+This sample CLI script scales compute and storage for a single Azure Database for PostgreSQL server after querying the metrics. Compute can scale up or down. Storage can only scale up.

+For servers that support up to 4-TB maximum storage, full backups occur once every week. Differential backups occur twice a day. Transaction log backups occur every five minutes.

+In a subset of [Azure regions](./concepts-pricing-tiers.md#storage), all newly provisioned servers can support up to 16-TB storage. Backups on these large storage servers are snapshot-based. The first full snapshot backup is scheduled immediately after a server is created. That first full snapshot backup is retained as the server's base backup. Subsequent snapshot backups are differential backups only. Differential snapshot backups do not occur on a fixed schedule. In a day, multiple differential snapshot backups are performed, but only 3 backups are retained. Transaction log backups occur every five minutes.

+Azure Database for PostgreSQL provides the flexibility to choose between locally redundant or geo-redundant backup storage in the General Purpose and Memory Optimized tiers. When the backups are stored in geo-redundant backup storage, an additional backup copy is replicated to a [paired region](../../availability-zones/cross-region-replication-azure.md). This provides better protection and ability to restore your server in the event of a regional disaster. The Basic tier only offers locally redundant backup storage.

+Azure Database for PostgreSQL provides up to 100% of your provisioned server storage as backup storage at no extra cost. Any additional backup storage used is charged in GB per month. For example, if you have provisioned a server with 250 GB of storage, you have 250 GB of additional storage available for server backups at no extra cost. Storage consumed for backups more than 250 GB is charged as per the [pricing model](https://azure.microsoft.com/pricing/details/postgresql/).

+- An Azure web app with a **PremiumV2-tier** or higher app service plan, deployed in your Azure subscription.

+- The latest version of the Azure CLI, installed.

+ Check your version of the Azure CLI in a terminal or command window by running `az --version`. For the latest version, see the most recent [release notes](/cli/azure/release-notes-azure-cli?tabs=azure-cli).

+

+ If you don't have the latest version of the Azure CLI, update it by following the [installation guide for your operating system or platform](/cli/azure/install-azure-cli).

+If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. To find the installed version, run `Get-Module -ListAvailable Az`. If you need to upgrade, see [Install the Azure PowerShell module](/powershell/azure/install-Az-ps). If you're running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.

+# [**Portal**](#tab/portal)

+# [**PowerShell**](#tab/powershell)

+```azurepowershell-interactive

+## Place the previously created webapp into a variable. ##

+$webapp = Get-AzWebApp -ResourceGroupName myResourceGroup -Name myWebApp1979

+## Create the private endpoint connection. ##

+$pec = @{

+ Name = 'myConnection'

+ PrivateLinkServiceId = $webapp.ID

+ GroupID = 'sites'

+}

+$privateEndpointConnection = New-AzPrivateLinkServiceConnection @pec

+## Place the virtual network you created previously into a variable. ##

+$vnet = Get-AzVirtualNetwork -ResourceGroupName 'myResourceGroup' -Name 'myVNet'

+## Place the application security group you created previously into a variable. ##

+$asg = Get-AzApplicationSecurityGroup -ResourceGroupName 'myResourceGroup' -Name 'myASG'

+## Create the private endpoint. ##

+$pe = @{

+ ResourceGroupName = 'myResourceGroup'

+ Name = 'myPrivateEndpoint'

+ Location = 'eastus'

+ Subnet = $vnet.Subnets[0]

+ PrivateLinkServiceConnection = $privateEndpointConnection

+ ApplicationSecurityGroup = $asg

+}

+New-AzPrivateEndpoint @pe

+```

+# [**CLI**](#tab/cli)

+```azurecli-interactive

+id=$(az webapp list \

+ --resource-group myResourceGroup \

+ --query '[].[id]' \

+ --output tsv)

+asgid=$(az network asg show \

+ --name myASG \

+ --resource-group myResourceGroup \

+ --query id \

+ --output tsv)

+az network private-endpoint create \

+ --connection-name myConnection \

+ --name myPrivateEndpoint \

+ --private-connection-resource-id $id \

+ --resource-group myResourceGroup \

+ --subnet myBackendSubnet \

+ --asg id=$asgid \

+ --group-id sites \

+ --vnet-name myVNet

+```

+# [**Portal**](#tab/portal)

+# [**PowerShell**](#tab/powershell)

+Associating an ASG with an existing private endpoint with Azure PowerShell is currently unsupported.

+# [**CLI**](#tab/cli)

+```azurecli-interactive

+asgid=$(az network asg show \

+ --name myASG \

+ --resource-group myResourceGroup \

+ --query id \

+ --output tsv)

+az network private-endpoint asg add \

+ --resource-group myResourceGroup \

+ --endpoint-name myPrivateEndpoint \

+ --asg-id $asgid

+```

+ | Region | Select **(US) East US** |

+Azure Private endpoint is the fundamental building block for Private Link in Azure. It enables Azure resources, like virtual machines (VMs), to privately and securely communicate with Private Link resources such as Azure Storage.

+> Azure Route Servers created before November 1st, 2021, that don't have a public IP address associated, are deployed with the Public preview offering. The public preview offering is not backed by Generally Available SLA and support. To deploy Azure Route Server with the Generally Available offering, and to acheive Generally Available SLA and support, please delete and recreate Route Server.

+Check your application's performance before you launch it or deploy updates to production. Run cloud-based [load tests](/azure/load-testing/) by using Visual Studio to find performance problems in your application, improve deployment quality, make sure that your application is always up or available, and that your application can handle traffic for your launch.

+| Azure Managed Grafana | Yes | - | N/A |

+**Detail**: Run cloud-based [load tests](/azure/load-testing/) to:

+| **Kusto function URL:** | https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Aruba%20ClearPass/Parsers/ArubaClearPass.txt |

+| **Azure Function App code** | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Workplace%20from%20Facebook/Data%20Connectors/WorkplaceFacebook/WorkplaceFacebookWebhooksSentinelConn.zip |

+| **Kusto function URL/<br>Parser config instructions** | https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Workplace%20from%20Facebook/Parsers/Workplace_Facebook.txt |

+- [Azure Storage Explorer](/azure/architecture/data-science-process/move-data-to-azure-blob-using-azure-storage-explorer)

+> [Ingest your data](migration-export-ingest.md)

+|`min(X,…)` |Returns the minimum value in a column. |`min(delay, mydelay)` |• [min_of()](/azure/data-explorer/kusto/query/min-offunction)<br>• [min()](/azure/data-explorer/kusto/query/min-aggfunction)<br>• [arg_min](/azure/data-explorer/kusto/query/arg-min-aggfunction) |[KQL example](#minx-kql-example) |

+- **Tenant level view** - Users who are Tenant Admins can now see Service Issues that happen at a Tenant level. Service Issues blade and Health History blades are updated to show incidents both at Tenant and Subscription levels. Users can filter on the scope (Tenant or Subscription) within the blades. The scope column indicates when an event is at the Tenant or Subscriber level. Classic view does not support tenant-level events. Tenant-level events are only available in the new user interface.

+ cd "C:\Program Files\Microsoft Azure Site Recovery Provider"

+ "C:\Program Files\Microsoft Azure Site Recovery Provider\DRConfigurator.exe" /r /Friendlyname "FriendlyName of the Server" /Credentials "path to where the credential file is saved"

+> [Run a disaster recovery drill](tutorial-dr-drill-azure.md)

+> [!NOTE]

+> On Linux distributions, only the stock kernels that are part of the distribution minor version release/update are supported. [Learn more](https://docs.microsoft.com/azure/site-recovery/vmware-physical-azure-support-matrix#for-linux).

+> When you run a failover for disaster recovery, as a last step you commit the failover. When you migrate AWS instances, the **Commit** option isn't relevant. Instead, you select the **Complete Migration** option.

+| excludePrefix | Array of up to 10 strings for prefixes to be excluded. | Specifies the blob paths to exclude from the inventory report.<br><br>An *excludePrefix* must be a container name prefix or a container name. An empty *excludePrefix* would mean that all blobs with names matching any *prefixMatch* string will be listed.<br><br>If you want to include a certain prefix, but exclude some specific subset from it, then you could use the excludePrefix filter. For example, if you want to include all blobs under `container-a` except those under the folder `container-a/folder`, then *prefixMatch* should be set to `container-a` and *excludePrefix* should be set to `container-a/folder`. | No |

+ "excludePrefix": ["inventorytestcontainer10", "etc/logs"],

+> [!NOTE]

+> The **Data Lake Storage Gen2** column shows support in accounts that have the hierarchical namespace feature enabled.

+| Field | Blob Storage (default support) | Data Lake Storage Gen2 |

+||-||

+| Name (Required) |  |  |

+| Creation-Time |  |  |

+| Last-Modified |  |  |

+| Last-Access-Time |  |  |

+| ETag |  |  |

+| Content-Length |  |  |

+| Content-Type |  |  |

+| Content-Encoding |  |  |

+| Content-Language |  |  |

+| Content-CRC64 |  |  |

+| Content-MD5 |  |  |

+| Cache-Control |  |  |

+| Cache-Disposition |  |  |

+| BlobType |  |  |

+| AccessTier |  |  |

+| AccessTierChangeTime |  |  |

+| LeaseStatus |  |  |

+| LeaseState |  |  |

+| ServerEncrypted |  |  |

+| CustomerProvidedKeySHA256 |  |  |

+| Metadata |  |  |

+| Expiry-Time |  |  |

+| hdi_isfolder |  |  |

+| Owner |  |  |

+| Group |  |  |

+| Permissions |  |  |

+| Acl |  |  |

+| Snapshot (Available and required when you choose to include snapshots in your report) |  |  |

+| Deleted | |  |

+| DeletedId |  |  |

+| DeletedTime | |  |

+| RemainingRetentionDays |  | |

+| VersionId (Available and required when you choose to include blob versions in your report) |  |  |

+| IsCurrentVersion (Available and required when you choose to include blob versions in your report) |  |  |

+| TagCount |  |  |

+| Tags |  |  |

+| CopyId |  |  |

+| CopySource |  |  |

+| CopyStatus |  |  |

+| CopyProgress |  |  |

+| CopyCompletionTime |  |  |

+| CopyStatusDescription |  |  |

+| ImmutabilityPolicyUntilDate |  |  |

+| ImmutabilityPolicyMode |  |  |

+| LegalHold |  |  |

+| RehydratePriority |  |  |

+| ArchiveStatus |  |  |

+| EncryptionScope |  |  |

+| IncrementalCopy |  |  |

+| x-ms-blob-sequence-number |  |  |

+> [!NOTE]

+> The **Data Lake Storage Gen2** column shows support in accounts that have the hierarchical namespace feature enabled.

+| Field | Blob Storage (default support) | Data Lake Storage Gen2 |

+||-||

+| Name (Required) |  |  |

+| Last-Modified |  |  |

+| ETag |  |  |

+| LeaseStatus |  |  |

+| LeaseState |  |  |

+| LeaseDuration |  |  |

+| Metadata |  |  |

+| PublicAccess |  |  |

+| DefaultEncryptionScope |  |  |

+| DenyEncryptionScopeOverride |  |  |

+| HasImmutabilityPolicy |  |  |

+| HasLegalHold |  |  |

+| ImmutableStorageWithVersioningEnabled |  |  |

+| Deleted (Will appear only if include deleted containers is selected) |  |  |

+| Version (Will appear only if include deleted containers is selected) |  |  |

+| DeletedTime (Will appear only if include deleted containers is selected) |  |  |

+| RemainingRetentionDays (Will appear only if include deleted containers is selected) |  |  |

+#### Unregister the server with PowerShell

+You can also unregister the server via PowerShell by using the `Unregister-AzStorageSyncServer` cmdlet.

+> [!WARNING]

+> Unregistering a server will result in cascading deletes of all server endpoints on the server. You should only run this cmdlet when you are certain that no path on the server is to be synced anymore.

+```powershell

+$RegisteredServer = Get-AzStorageSyncServer -ResourceGroupName "<your-resource-group-name>" -StorageSyncServiceName "<your-storage-sync-service-name>"

+Unregister-AzStorageSyncServer -Force -ResourceGroupName "<your-resource-group-name>" -StorageSyncServiceName "<your-storage-sync-service-name>" -ServerId $RegisteredServer.ServerId

+```

+> A workspace that is not co-located with the client applications or storage can be the root cause of many performance issues. If your data or the clients are placed in multiple regions, you can create separate workspaces in different regions co-located with your data and clients.

+# Cheat sheet for dedicated SQL pool (formerly SQL DW) in Azure Synapse Analytics

+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FMicrosoft%2Fsql-data-warehouse-samples%2Fmaster%2Farm-templates%2FsqlDwSpokeDbTemplate%2Fazuredeploy.json)

+ This step is not required for dedicated SQL pools within a Synapse workspace. The system assigned managed identity (SA-MI) of the workspace is a member of the Synapse Administrator role and thus has elevated privileges on the dedicated SQL pools of the workspace.

+With overprovisioning turned on, the scale set actually spins up more VMs than you asked for, then deletes the extra VMs once the requested number of VMs are successfully provisioned. Overprovisioning improves provisioning success rates and reduces deployment time. You are not billed for the extra VMs, and they do not count toward your quota limits.

+A: No, most Premium Storage VM sizes are supported (DS, ES, FS, GS, M, etc.). To know whether a particular VM size supports ephemeral OS disks for an OS image size you can use the below script. It takes the OS image size and location as inputs and provides a list of VM SKUs and corresponding placement supported. If both OS Cache and temp disk placement are marked as not supported then Ephemeral OS disk cannot be used for the given OS image size.

+[CmdletBinding()]

+param([Parameter(Mandatory=$true)]

+ [ValidateNotNullOrEmpty()]

+ [string]$Location,

+ [Parameter(Mandatory=$true)]

+ [long]$OSImageSizeInGB

+ )

+Function HasSupportEphemeralOSDisk([object[]] $capability)

+{

+ return $capability | where { $_.Name -eq "EphemeralOSDiskSupported" -and $_.Value -eq "True"}

+}

+

+Function Get-MaxTempDiskAndCacheSize([object[]] $capabilities)

+ $MaxResourceVolumeGB = 0;

+ $CachedDiskGB = 0;

+

+ foreach($capability in $capabilities)

+ {

+ if ($capability.Name -eq "MaxResourceVolumeMB")

+ { $MaxResourceVolumeGB = [int]($capability.Value / 1024) }

+

+ if ($capability.Name -eq "CachedDiskBytes")

+ { $CachedDiskGB = [int]($capability.Value / (1024 * 1024 * 1024)) }

+ }

+

+ return ($MaxResourceVolumeGB, $CachedDiskGB)

+

+Function Get-EphemeralSupportedVMSku

+{

+ [CmdletBinding()]

+ Param

+ (

+ [Parameter(Mandatory=$true)]

+ [long]$OSImageSizeInGB,

+ [Parameter(Mandatory=$true)]

+ [string]$Location

+ )

+

+ $VmSkus = Get-AzComputeResourceSku $Location | Where-Object { $_.ResourceType -eq "virtualMachines" -and (HasSupportEphemeralOSDisk $_.Capabilities) -ne $null }

+

+ $Response = @()

+ foreach ($sku in $VmSkus)

+ {

+ ($MaxResourceVolumeGB, $CachedDiskGB) = Get-MaxTempDiskAndCacheSize $sku.Capabilities

+

+ $Response += New-Object PSObject -Property @{

+ ResourceSKU = $sku.Size

+ TempDiskPlacement = @{ $true = "NOT SUPPORTED"; $false = "SUPPORTED"}[$MaxResourceVolumeGB -lt $OSImageSizeInGB]

+ CacheDiskPlacement = @{ $true = "NOT SUPPORTED"; $false = "SUPPORTED"}[$CachedDiskGB -lt $OSImageSizeInGB]

+ };

+ }

+

+ return $Response

+}

+

+Get-EphemeralSupportedVMSku -OSImageSizeInGB $OSImageSizeInGB -Location $Location | Format-Table

+> | `bastion_deployment` | Boolean flag controlling if Azure Bastion host is to be deployed | Optional | |

+Route tables now have features for association and propagation. A pre-existing route table is a route table that doesn't have these features. If you have pre-existing routes in hub routing and would like to use the new capabilities, consider the following:

+ If you have pre-existing routes in Routing section for the hub in Azure portal, you'll need to first delete them and then attempt creating new route tables (available in the Route Tables section for the hub in Azure portal).

+ If you have pre-existing routes in Routing section for the hub in Azure portal, you'll need to first delete them, then **upgrade** your Basic Virtual WAN to Standard Virtual WAN. See [Upgrade a virtual WAN from Basic to Standard](upgrade-virtual-wan.md).

+Virtual hub **Reset** is available only in the Azure portal. Resetting provides you a way to bring any failed resources such as route tables, hub router, or the virtual hub resource itself back to its rightful provisioning state. Consider resetting the hub prior to contacting Microsoft for support. This operation doesn't reset any of the gateways in a virtual hub.

+* When using Azure Firewall in multiple regions, all spoke virtual networks must be associated to the same route table. For example, having a subset of the VNets going through the Azure Firewall while other VNets bypass the Azure Firewall in the same virtual hub isn't possible.

+* You may specify multiple next hop IP addresses on a single Virtual Network connection. However, Virtual Network Connection doesn't support ΓÇÿmultiple/uniqueΓÇÖ next hop IP to the ΓÇÿsameΓÇÖ network virtual appliance in a SPOKE Virtual Network 'if' one of the routes with next hop IP is indicated to be public IP address or 0.0.0.0/0 (internet)

+* All information pertaining to 0.0.0.0/0 route is confined to a local hub's route table. This route doesn't propagate across hubs.

+* You can only use Virtual WAN to program routes in a spoke if the prefix is shorter (less specific) than the virtual network prefix. For example, in the diagram above the spoke VNET1 has the prefix 10.1.0.0/16: in this case, Virtual WAN wouldn't be able to inject a route that matches the virtual network prefix (10.1.0.0/16) or any of the subnets (10.1.0.0/24, 10.1.1.0/24). In other words, Virtual WAN can't attract traffic between two subnets that are in the same virtual network.

+Contoso is a global financial organization with offices in both Europe and Asia. They are planning to move their existing applications from an on-premises data center in to Azure and have built out a foundation design based on the customer-managed hub-and-spoke architecture, including regional hub virtual networks for hybrid connectivity. As part of the move to cloud-based technologies, the network team has been tasked with ensuring that their connectivity is optimized for the business moving forward.

+The networking team has been tasked with delivering a global network model that can support the Contoso migration to the cloud and must optimize in the areas of cost, scale, and performance. In summary, the following requirements are to be met:

+At this stage, it's important to recognize that both the original customer-managed hub virtual network and the new Virtual WAN Hub are both connected to the same ExpressRoute circuit. Due to this, we have a traffic path that can be used to enable spokes in both environments to communicate. For example, traffic from a spoke that is attached to the customer-managed hub virtual network will traverse the MSEE devices used for the ExpressRoute circuit to reach any spoke connected via a VNet connection to the new Virtual WAN hub. This allows a staged migration of spokes in Step 5.

+Because the Virtual WAN hub is a managed entity and doesn't allow deployment of custom resources such as virtual machines, the shared services block now exists as a spoke virtual network and hosts functions such as internet ingress via Azure Application Gateway or network virtualized appliance. Traffic between the shared services environment and backend virtual machines now transits the Virtual WAN-managed hub.

+ Title: 'Azure AD tenant for User VPN connections: Azure AD authentication -OpenVPN'

+# Configure an Azure AD tenant for P2S User VPN OpenVPN protocol connections

+When you connect to your VNet using Virtual WAN User VPN (point-to-site), you have a choice of which protocol to use. The protocol you use determines the authentication options that are available to you. If you're using the OpenVPN protocol, Azure Active Directory authentication is one of the authentication options available for you to use. This article helps you configure an Azure AD tenant for Virtual WAN User VPN (point-to-site) using OpenVPN authentication.

+1. Create two accounts in the newly created Azure AD tenant. For steps, see [Add or delete a new user](../active-directory/fundamentals/add-users-azure-active-directory.md).

+ * Global administrator account

+ * User account

+ The global administrator account will be used to grant consent to the Azure VPN app registration. The user account can be used to test OpenVPN authentication.

+1. Assign one of the accounts the **Global administrator** role. For steps, see [Assign administrator and non-administrator roles to users with Azure Active Directory](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md).

+## <a name="enable-authentication"></a>3. Grant consent to the Azure VPN app registration

+In order to connect to your virtual networks using Azure AD authentication, you must create a User VPN configuration and associate it to a Virtual Hub. See [Configure Azure AD authentication for point-to-site connection to Azure](virtual-wan-point-to-site-azure-ad.md).

+An Enterprise cloud footprint can span multiple cloud regions and it's optimal (latency-wise) to access the cloud from a region closest to their physical site and users. One of the key principles of global transit network architecture is to enable cross-region connectivity between all cloud and on-premises network endpoints. This means that traffic from a branch that is connected to the cloud in one region can reach another branch or a VNet in a different region using hub-to-hub connectivity enabled by [Azure Global Network](https://azure.microsoft.com/global-infrastructure/global-network/).

+Global transit network architecture enables any-to-any connectivity via virtual WAN hubs. This architecture eliminates or reduces the need for full mesh or partial mesh connectivity between spokes that are more complex to build and maintain. In addition, routing control in hub-and-spoke vs. mesh networks is easier to configure and maintain.

+Branch-to-VNet is the primary path supported by Azure Virtual WAN. This path allows you to connect branches to Azure IAAS enterprise workloads that are deployed in Azure VNets. Branches can be connected to the virtual WAN via ExpressRoute or site-to-site VPN. The traffic transits to VNets that are connected to the virtual WAN hubs via VNet Connections. Explicit [gateway transit](../virtual-network/virtual-network-peering-overview.md#gateways-and-on-premises-connectivity) isn't required for Virtual WAN because Virtual WAN automatically enables gateway transit to branch site. See [Virtual WAN Partners](virtual-wan-configure-automation-providers.md) article on how to connect an SD-WAN CPE to Virtual WAN.

+The VNet-to-VNet transit enables VNets to connect to each other in order to interconnect multi-tier applications that are implemented across multiple VNets. Optionally, you can connect VNets to each other through VNet Peering and this may be suitable for some scenarios where transit via the VWAN hub isn't necessary.

+This flag is visible when the user edits a virtual network connection, a VPN connection, or an ExpressRoute connection. By default, this flag is disabled when a site or an ExpressRoute circuit is connected to a hub. It's enabled by default when a virtual network connection is added to connect a VNet to a virtual hub. The default route doesn't originate in the Virtual WAN hub; the default route is propagated if it is already learned by the Virtual WAN hub as a result of deploying a firewall in the hub, or if another connected site has forced-tunneling enabled.

+The VNet-to-Internet enables VNets to connect to the internet via the Azure Firewall in the virtual WAN hub. Traffic to internet via supported third-party security services doesn't flow through the Azure Firewall. You can configure Vnet-to-Internet path via supported third-party security service using Azure Firewall Manager.

+The Branch-to-Internet enables branches to connect to the internet via the Azure Firewall in the virtual WAN hub. Traffic to internet via supported third-party security services doesn't flow through the Azure Firewall. You can configure Branch-to-Internet path via supported third-party security service using Azure Firewall Manager.

+ Title: 'Configure Azure AD tenant for P2S VPN connections: Azure AD authentication-OpenVPN'

+# Configure an Azure AD tenant for P2S OpenVPN protocol connections

+When you connect to your VNet using the Azure VPN Gateway point-to-site VPN, you have a choice of which protocol to use. The protocol you use determines the authentication options that are available to you. If you're using the OpenVPN protocol, Azure Active Directory authentication is one of the authentication options available for you to use. This article helps you configure your AD tenant and P2S VPN gateway for Azure AD authentication. For more information about point-to-site protocols and authentication, see [About point-to-site VPN](point-to-site-about.md).

+1. Create two accounts in the newly created Azure AD tenant. For steps, see [Add or delete a new user](../active-directory/fundamentals/add-users-azure-active-directory.md).

+ * Global administrator account

+ * User account

+ The global administrator account will be used to grant consent to the Azure VPN app registration. The user account can be used to test OpenVPN authentication.

+1. Assign one of the accounts the **Global administrator** role. For steps, see [Assign administrator and non-administrator roles to users with Azure Active Directory](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md).

+### Enable the application

+### Configure P2S gateway settings

+1. Locate the tenant ID of the directory that you want to use for authentication. It's listed in the properties section of the Active Directory page. For help with finding your tenant ID, see [How to find your Azure Active Directory tenant ID](../active-directory/fundamentals/active-directory-how-to-find-tenant.md).

+1. Enable Azure AD authentication on the VPN gateway by navigating to **Point-to-site configuration** and picking **OpenVPN (SSL)** as the **Tunnel type**. Select **Azure Active Directory** as the **Authentication type**, then fill in the information under the **Azure Active Directory** section. Replace {AzureAD TenantID} with your tenant ID.

+ :::image type="content" source="./media/openvpn-create-azure-ad-tenant/configuration.png" alt-text="Screenshot showing settings for Tunnel type, Authentication type, and Azure Active Directory settings.":::

+ > [!NOTE]

+ > Make sure you include a trailing slash at the end of the `AadIssuerUri` **Issuer** value. Otherwise, the connection may fail.

+ >

+1. Save your changes.

+|932130|Remote Command Execution: Unix Shell Expression or Confluence Vulnerability (CVE-2022-26134) Found|

+|932130|Remote Command Execution: Unix Shell Expression or Confluence Vulnerability (CVE-2022-26134) Found|

+|932130|Remote Command Execution: Unix Shell Expression or Confluence Vulnerability (CVE-2022-26134) Found|

+resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2021-08-01' = {

+ "apiVersion": "2021-08-01",

+You can also exclude the `User-Agent` header from evaluation just by rule 942270:

+# [Azure portal](#tab/portal)

+Follow the steps described in the preceding example, and select rule 942270 in step 4.

+# [Azure PowerShell](#tab/powershell)

+```azurepowershell

+$ruleEntry = New-AzApplicationGatewayFirewallPolicyExclusionManagedRule `

+ -Rule '942270'

+$ruleGroupEntry = New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleGroup `

+ -RuleGroupName 'REQUEST-942-APPLICATION-ATTACK-SQLI' `

+ -Rule $ruleEntry

+$exclusionManagedRuleSet = New-AzApplicationGatewayFirewallPolicyExclusionManagedRuleSet `

+ -RuleSetType 'OWASP' `

+ -RuleSetVersion '3.2' `

+ -RuleGroup $ruleGroupEntry

+$exclusionEntry = New-AzApplicationGatewayFirewallPolicyExclusion `

+ -MatchVariable "RequestHeaderValues" `

+ -SelectorMatchOperator 'Equals' `

+ -Selector 'User-Agent' `

+ -ExclusionManagedRuleSet $exclusionManagedRuleSet

+$wafPolicy = Get-AzApplicationGatewayFirewallPolicy `

+ -Name $wafPolicyName `

+ -ResourceGroupName $resourceGroupName

+$wafPolicy.ManagedRules[0].Exclusions.Add($exclusionEntry)

+$wafPolicy | Set-AzApplicationGatewayFirewallPolicy

+```

+# [Azure CLI](#tab/cli)

+```azurecli

+az network application-gateway waf-policy managed-rule exclusion rule-set add \

+ --resource-group $resourceGroupName \

+ --policy-name $wafPolicyName \

+ --type OWASP \

+ --version 3.2 \

+ --group-name 'REQUEST-942-APPLICATION-ATTACK-SQLI' \

+ --rule-ids 942270 \

+ --match-variable 'RequestHeaderValues' \

+ --match-operator 'Equals' \

+ --selector 'User-Agent'

+```

+# [Bicep](#tab/bicep)

+```bicep

+resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2021-08-01' = {

+ name: wafPolicyName

+ location: location

+ properties: {

+ managedRules: {

+ managedRuleSets: [

+ {

+ ruleSetType: 'OWASP'

+ ruleSetVersion: '3.2'

+ }

+ ]

+ exclusions: [

+ {

+ matchVariable: 'RequestHeaderValues'

+ selectorMatchOperator: 'Equals'

+ selector: 'User-Agent'

+ exclusionManagedRuleSets: [

+ {

+ ruleSetType: 'OWASP'

+ ruleSetVersion: '3.2'

+ ruleGroups: [

+ {

+ ruleGroupName: 'REQUEST-942-APPLICATION-ATTACK-SQLI'

+ rules: [

+ {

+ ruleId: '942270'

+ }

+ ]

+ }

+ ]

+ }

+ ]

+ }

+ ]

+ }

+ }

+}

+```

+# [ARM template](#tab/armtemplate)

+```json

+{

+ "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",

+ "apiVersion": "2021-08-01",

+ "name": "[parameters('wafPolicyName')]",

+ "location": "[parameters('location')]",

+ "properties": {

+ "managedRules": {

+ "managedRuleSets": [

+ {

+ "ruleSetType": "OWASP",

+ "ruleSetVersion": "3.2"

+ }

+ ],

+ "exclusions": [

+ {

+ "matchVariable": "RequestHeaderValues",

+ "selectorMatchOperator": "Equals",

+ "selector": "User-Agent",

+ "exclusionManagedRuleSets": [

+ {

+ "ruleSetType": "OWASP",

+ "ruleSetVersion": "3.2",

+ "ruleGroups": [

+ {

+ "ruleGroupName": "REQUEST-942-APPLICATION-ATTACK-SQLI",

+ "rules": [

+ {

+ "ruleId": "942270"

+ }

+ ]

+ }

+ ]

+ }

+ ]

+ }

+ ]

+ }

+ }

+}

+```

+To configure a global exclusion by using the Azure portal, follow these steps:

+resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2021-08-01' = {

+ "apiVersion": "2021-08-01",

+ Title: Use Azure Firewall Manager to manage Web Application Firewall policies

+# Configure WAF policies using Azure Firewall Manager

+- [Manage Azure Web Application Firewall policies](../../firewall-manager/manage-web-application-firewall-policies.md)