-# How trust relationships work for resource forests in Azure Active Directory Domain Services

-The trust path is implemented by the Net Logon service using an authenticated remote procedure call (RPC) connection to the trusted domain authority. A secured channel also extends to other AD DS domains through interdomain trust relationships. This secured channel is used to obtain and verify security information, including security identifiers (SIDs) for users and groups.

-For an overview of how trusts apply to Azure AD DS, see [Resource forest concepts and features][create-forest-trust].

- > Azure AD Domain Services resource forest must use this DNS configuration. Hosting a DNS namespace other than the resource forest DNS namespace is not a feature of Azure AD Domain Services. Conditional forwarders is the proper configuration.

-A managed domain resource forest supports up to five one-way outbound forest trusts to on-premises forests. The outbound forest trust for Azure AD Domain Services is created in the Azure portal. You don't manually create the trust with the managed domain itself. The incoming forest trust must be configured by a user with the privileges previously noted in the on-premises Active Directory.

-To learn more about resource forests, see [How do forest trusts work in Azure AD DS?][concepts-trust]

-To get started with creating a managed domain with a resource forest, see [Create and configure an Azure AD DS managed domain][tutorial-create-advanced]. You can then [Create an outbound forest trust to an on-premises domain][create-forest-trust].

-By default, a managed domain is created as a *user* forest. This type of forest synchronizes all objects from Azure AD, including any user accounts created in an on-premises AD DS environment. User accounts can directly authenticate against the managed domain, such as to sign in to a domain-joined VM. A user forest works when the password hashes can be synchronized, and users aren't using exclusive sign-in methods like smart card authentication.

-In a managed domain *resource* forest, users authenticate over a one-way forest *trust* from their on-premises AD DS. With this approach, the user objects and password hashes aren't synchronized to the managed domain. The user objects and credentials only exist in the on-premises AD DS. This approach lets enterprises host resources and application platforms in Azure that depend on classic authentication such LDAPS, Kerberos, or NTLM, but any authentication issues or concerns are removed.

-#Customer intent: As an identity administrator, I want to create a one-way outbound forest from an Azure Active Directory Domain Services resource forest to an on-premises Active Directory Domain Services forest to provide authentication and resource access between forests.

-In environments where you can't synchronize password hashes, or where users exclusively sign in using smart cards and don't know their password, you can use a resource forest in Azure Active Directory Domain Services (Azure AD DS). A resource forest uses a one-way outbound trust from Azure AD DS to one or more on-premises AD DS environments. This trust relationship lets users, applications, and computers authenticate against an on-premises domain from the Azure AD DS managed domain. In a resource forest, on-premises password hashes are never synchronized.

-

-* An Azure Active Directory Domain Services managed domain created using a resource forest and configured in your Azure AD tenant.

- > Make sure that you create a managed domain using a *resource* forest. The default option creates a *user* forest. Only resource forests can create trusts to on-prem AD DS environments.

- >

- > You also need to use a minimum of *Enterprise* SKU for your managed domain. If needed, [change the SKU for a managed domain][howto-change-sku].

-The virtual network that hosts the Azure AD DS resource forest needs network connectivity to your on-premises Active Directory. Applications and services also need network connectivity to the virtual network hosting the Azure AD DS resource forest. Network connectivity to the Azure AD DS resource forest must be always on and stable otherwise users may fail to authenticate or access resources.

- * Azure virtual network peerings must be created between all virtual networks you want to use the Azure AD DS resource forest trust to the on-premises AD DS environment.

-* Make sure there's continuous name resolution (DNS) between your Azure AD DS resource forest name and your on-premises Active Directory forest name.

- > [!NOTE]

- > If you don't see the **Trusts** menu option, check under **Properties** for the *Forest type*. Only *resource* forests can create trusts. If the forest type is *User*, you can't create trusts. There's currently no way to change the forest type of a managed domain. You need to delete and recreate the managed domain as a resource forest.

-* [On-premises user authentication from the Azure AD DS resource forest](#on-premises-user-authentication-from-the-azure-ad-ds-resource-forest)

-* [Access resources in the Azure AD DS resource forest using on-premises user](#access-resources-in-the-azure-ad-ds-resource-forest-using-on-premises-user)

-### On-premises user authentication from the Azure AD DS resource forest

-1. Connect to the Windows Server VM joined to the Azure AD DS resource forest using [Azure Bastion](../bastion/bastion-overview.md) and your Azure AD DS administrator credentials.

-### Access resources in the Azure AD DS resource forest using on-premises user

-Using the Windows Server VM joined to the Azure AD DS resource forest, you can test the scenario where users can access resources hosted in the resource forest when they authenticate from computers in the on-premises domain with users from the on-premises domain. The following examples show you how to create and test various common scenarios.

-1. Connect to the Windows Server VM joined to the Azure AD DS resource forest using [Azure Bastion](../bastion/bastion-overview.md) and your Azure AD DS administrator credentials.

-1. On the Windows Server VM joined to the Azure AD DS resource forest, create a folder and provide name such as *CrossForestShare*.

-For more conceptual information about forest types in Azure AD DS, see [What are resource forests?][concepts-forest] and [How do forest trusts work in Azure AD DS?][concepts-trust]

-1. Restart provisioning.

-1. Restart provisioning.

-1. Restart provisioning.

-This section covers different write-back scenarios. It recommends configuration approaches based on how email and phone number is setup in SuccessFactors.

-1. The user enters their username into the Azure AD sign in page, and then clicks **Next**.

-1. If one CA binds to MFA, all user certificates that this CA issues qualify as MFA. The same logic applies for single-factor authentication.

-1. If the specified X.509 certificate field is found on the certificate, but Azure AD does not find a user object in the directory matching that value, the authentication fails. Azure AD does not attempt to use the next binding in the list in this case. Only if the X.509 certificate field is not on the certificate does it tries the next binding, as mentioned in Step 2.

-As of now, we don't support Online Certificate Status Protocol (OCSP) because of performance and reliability reasons. Instead of downloading the CRL at every connection by the client browser for OCSP, Azure AD downloads once at the first sign in and caches it, thereby improving the performance and reliability of CRL verification. We also index the cache so the search is must faster every time. Customers must publish CRLs for certificate revocation.

- The entry with **Interrupted** status provides has more diagnostic info in the **Additional Details** tab.

-There are some configuration steps to complete before enabling Azure AD CBA. First, an admin must configure the trusted CAs that issue user certificates. As seen in the following diagram, we use role-based access control to make sure only least-privileged administrators make changes. Configuring the certificate authority is done only by the [Privileged Authentication Administrator](../roles/permissions-reference.md#privileged-authentication-administrator) role.

-## Step 1: Configure the certificate authorities

-You can validate the crlDistributionPoint value you provide in the above PowerShell example are valid for the Certificate Authority being added by downloading the CRL and comparing the CA certificate and the CRL Information.

- of the CA in the Certificate Authority Microsoft Management Console (MMC)

-| **HTTPS_COMMUNICATION_ERROR** | The NPS server is unable to receive responses from Azure AD MFA. Verify that your firewalls are open bidirectionally for traffic to and from https://adnotifications.windowsazure.com |

-An administrator needs to enable CBA for the tenant to make the sign in with certificate option available for users. Link to getting started doc step 2

-### AADSTS50034 - Users sign in fails with "Your account or password is incorrect. If you don't remember your password, reset it now."

-### AADSTS130501 - Users sign in fails with "Sign in was blocked due to User Credential Policy"

-This is a known issue, and we are working on graceful error handling. This error happens when there is no Certificate Authority (CA) on the tenant. To resolve the error, see [Configure the certificate authorities](how-to-certificate-based-authentication.md#step-1-configure-the-certificate-authorities).

-`Install-Module Microsoft.Graph.Authentication`

-Connect to Microsoft Graph, requesting the required scopes ΓÇô

-`Connect-MgGraph -Scopes Policy.Read.All,Policy.ReadWrite.ConditionalAccess,Application.Read.All -TenantId <TenantID>`

-Create the JSON body for the PATCH request ΓÇô

-`$patchBody = '{"sessionControls": {"disableResilienceDefaults": true}}'`

-Execute the patch operation ΓÇô

-`Invoke-MgGraphRequest -Method PATCH -Uri https://graph.microsoft.com/beta/identity/conditionalAccess/policies/<PolicyID> -Body $patchBody`

-> While it is possible to use the `WithClientAssertion()` API to acquire tokens for the confidential client, we do not recommend using it by default as it is more advanced and is designed to handle very specific scenarios which are not common. Using the `.WithCertificate()` API will allow MSAL.NET to handle this for you. This api offers you the ability to customize your authentication request if needed but the default assertion created by `.WithCertificate()` will suffice for most authentication scenarios. This API can also be used as a workaround in some scenarios where MSAL.NET fails to perform the signing operation internally.

- .WithClientAssertion(() => { return GetSignedClientAssertion(); } )

- .Build();

-

-// or in async manner

-app = ConfidentialClientApplicationBuilder.Create(config.ClientId)

- .WithClientAssertion(async cancellationToken => { return await GetClientAssertionAsync(cancellationToken); })

-This article describes how to use the user management enhancements in the Azure Active Directory (Azure AD) portal. The **All users** and **Deleted users** pages have been updated to provide more information and make it easier to find users.

-## User properties enhanced

-WeΓÇÖve made some changes to the columns available on the **All users** and **Deleted users** pages. In addition to the existing columns we provide for managing your list of users, we've added a few more columns.

-### All users page

-The following are the displayed user properties on the **All users** page:

-

-### Deleted users page

-The **Deleted users** page includes all the columns that are available on the **All users** page, and a few additional columns, namely:

-> [!NOTE]

-> Deletion dates are displayed in Coordinated Universal Time ΓÇÄ(UTC)ΓÇÄ.

-Some columns are displayed by default. To add other columns, select **Columns** on the page, select the column names youΓÇÖd like to add, and select **OK** to save your preferences.

-### Identity issuers

-Select an entry in the **Identity issuer** column for any user to view additional details about the issuer including the sign-in type and the issuer assigned ID. The entries in the **Identity issuer** column can be multi-valued. If there are multiple issuers of the user's identity, you'll see the word Multiple in the **Identity issuer** column on **All users** and **Deleted users** pages, and the details pane list all issuers.

-> [!NOTE]

-> The **Source** column is replaced by multiple columns including **Creation type**, **Directory synced**, and **Identity issuer** for more granular filtering.

-## User list search

-When you enter a search string, the search now uses "starts with" and substring search to match names, emails, or object IDs in a single search. You can enter any of these attributes into the search box, and the search automatically looks across all these properties to return any matching results. The substring search is performed only on whole words. You can perform the same search on both the **All users** and **Deleted users** pages.

-## User list filtering

-Filtering capabilities have been enhanced to provide more filtering options for the **All users** and **Deleted users** pages. You can now filter by multiple properties simultaneously, and can filter by more properties.

-### Filtering All users list

-The following are the filterable properties on the **All users** page:

-### Filtering Deleted users list

-The **Deleted users** page has additional filters not in the **All users** page. The following are the filterable properties on the **Deleted users** page:

-## User list sorting

-You can now sort by name and user principal name in the **All users** and **Deleted users** pages. You can also sort by deletion date in the **Deleted Users** list.

-## User list counts

-You can view the total number of users in the **All users** and **Deleted users** pages. As you search or filter the lists, the count is updated to reflect the total number of users found.

-

-## Frequently Asked Questions (FAQ)

-Question | Answer

-Why is the deleted user still displayed when the permanent deletion date has passed? | The permanent deletion date is displayed in the UTC time zone, so this may not match your current time zone. Also, this date is the earliest date after which the user will be permanently deleted from the organization, so it may still be processing. Permanently deleted users will automatically be removed from the list.

-What happen to the bulk capabilities for users and guests? | The bulk operations are all still available for users and guests, including bulk create, bulk invite, bulk delete, and download users. WeΓÇÖve just merged them into a menu called **Bulk operations**. You can find the **Bulk operations** options at the top of the **All users** page.

-What happened to the Source column? | The **Source** column has been replaced with other columns that provide similar information, while allowing you to filter on those values independently. Examples include **Creation type**, **Directory synced** and **Identity issuer**.

-What happened to the User Name column? | The **User Name** column is still there, but itΓÇÖs been renamed to **User Principal Name**. This better reflects the information contained in that column. YouΓÇÖll also notice that the full User Principal Name is now displayed for B2B guests. This matches what youΓÇÖd get in MS Graph.

-1. On the user's profile page, in the **Identity** section, select **Manage B2B collaboration**.

- 

- > [!NOTE]

- > If you see **Invitation accepted** instead of **Manage B2B collaboration**, the user has already been invited to use external credentials for B2B collaboration.

-1. In the list, select the user's name to open the user's profile.

- - Select the **Edit** icon at the top of the page.

- - In the **Contact info** section, under **Email**, type the new email.

- - Next to **Alternate email**, select **Edit**. Update the alternate email In the list with the new email, and then select **Update**.

- - Select the **Save** icon at the top of the page.

-1. In the **Identity** section, under **Invitation accepted**, select **(manage)**.

-1. Create a VM using [az vm create](/cli/azure/vm/#az-vm-create). The following example creates a VM named *myVM* with a system-assigned managed identity, as requested by the `--assign-identity` parameter. The `--admin-username` and `--admin-password` parameters specify the administrative user name and password account for virtual machine sign-in. Update these values as appropriate for your environment:

- az vm create --resource-group myResourceGroup --name myVM --image win2016datacenter --generate-ssh-keys --assign-identity --admin-username azureuser --admin-password myPassword12

-3. Create a VM using [az vm create](/cli/azure/vm/#az-vm-create). The following example creates a VM associated with the new user-assigned identity, as specified by the `--assign-identity` parameter. Be sure to replace the `<RESOURCE GROUP>`, `<VM NAME>`, `<USER NAME>`, `<PASSWORD>`, and `<USER ASSIGNED IDENTITY NAME>` parameter values with your own values.

- az vm create --resource-group <RESOURCE GROUP> --name <VM NAME> --image UbuntuLTS --admin-username <USER NAME> --admin-password <PASSWORD> --assign-identity <USER ASSIGNED IDENTITY NAME>

-1. [Create](/cli/azure/vmss/#az-vmss-create) a virtual machine scale set. The following example creates a virtual machine scale set named *myVMSS* with a system-assigned managed identity, as requested by the `--assign-identity` parameter. The `--admin-username` and `--admin-password` parameters specify the administrative user name and password account for virtual machine sign-in. Update these values as appropriate for your environment:

- az vmss create --resource-group myResourceGroup --name myVMSS --image win2016datacenter --upgrade-policy-mode automatic --custom-data cloud-init.txt --admin-username azureuser --admin-password myPassword12 --assign-identity --generate-ssh-keys --role contributor

-3. [Create](/cli/azure/vmss/#az-vmss-create) a virtual machine scale set. The following example creates a virtual machine scale set associated with the new user-assigned managed identity, as specified by the `--assign-identity` parameter. Be sure to replace the `<RESOURCE GROUP>`, `<VMSS NAME>`, `<USER NAME>`, `<PASSWORD>`, `<USER ASSIGNED IDENTITY>`, and `<ROLE>` parameter values with your own values.

- az vmss create --resource-group <RESOURCE GROUP> --name <VMSS NAME> --image UbuntuLTS --admin-username <USER NAME> --admin-password <PASSWORD> --assign-identity <USER ASSIGNED IDENTITY> --role <ROLE>

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Momenta

-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-* Once you configure Momenta you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-## Adding Momenta from the gallery

-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.

-To configure and test Azure AD SSO with Momenta, complete the following building blocks:

-1. In the [Azure portal](https://portal.azure.com/), on the **Momenta** application integration page, find the **Manage** section and select **single sign-on**.

-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.

- 

-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:

- 

- 

- 

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the Momenta tile in the Access Panel, you should be automatically signed in to the Momenta for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional resources

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Motus

-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-* Motus supports **SP and IDP** initiated SSO

-## Adding Motus from the gallery

-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.

-## Configure and test Azure AD single sign-on for Motus

-To configure and test Azure AD SSO with Motus, complete the following building blocks:

-1. In the [Azure portal](https://portal.azure.com/), on the **Motus** application integration page, find the **Manage** section and select **single sign-on**.

-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.

- 

-1. On the **Basic SAML Configuration** section the application is pre-configured in **IDP** initiated mode and the necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking the **Save** button.

- In the **Sign-on URL** text box, type a URL:

- 

- 

- 

- 

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the Motus tile in the Access Panel, you should be automatically signed in to the Motus for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional resources

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with MyAryaka

-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-* MyAryaka supports **SP** initiated SSO

-## Adding MyAryaka from the gallery

-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.

-## Configure and test Azure AD single sign-on for MyAryaka

-To configure and test Azure AD SSO with MyAryaka, complete the following building blocks:

- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

- * **[Create MyAryaka test user](#create-myaryaka-test-user)** - to have a counterpart of B.Simon in MyAryaka that is linked to the Azure AD representation of user.

-1. In the [Azure portal](https://portal.azure.com/), on the **MyAryaka** application integration page, find the **Manage** section and select **single sign-on**.

-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.

- 

-1. On the **Basic SAML Configuration** section, enter the values for the following fields:

- a. In the **Sign on URL** text box, use one of the following pattern:

- ```https

- https://my.aryaka.com/

- https://kso.aryaka.com/auth/realms/<CUSTOMERID>

- ```

- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

- `https://kso.aryaka.com/auth/realms/<CUSTOMERID>`

- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [MyAryaka Client support team](mailto:support@aryaka.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

- 

- 

- 

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the MyAryaka tile in the Access Panel, you should be automatically signed in to the MyAryaka for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional resources

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Opal

-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-* Opal supports **IDP** initiated SSO

-## Adding Opal from the gallery

-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.

-## Configure and test Azure AD single sign-on for Opal

-To configure and test Azure AD SSO with Opal, complete the following building blocks:

-1. In the [Azure portal](https://portal.azure.com/), on the **Opal** application integration page, find the **Manage** section and select **single sign-on**.

-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.

- 

-1. On the **Set up single sign-on with SAML** page, enter the values for the following fields:

- 1. In the **Identifier** text box, type a URL:

- 1. In the **Reply URL** text box, type a URL using the following pattern:

- `https://<subdomain>.ouropal.com/auth/saml/callback`

- > [!NOTE]

- > The Reply URL value is not real. Update the value with the actual Reply URL. Contact [Opal Client support team](mailto:support@workwithopal.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

- 

- 

- 

- 

- 

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the Opal tile in the Access Panel, you should be automatically signed in to the Opal for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional resources

- a. In **Sign on URL**, enter a URL that uses the following pattern:

- `https://<instance-name>.service-now.com/login_with_sso.do?glide_sso_id=<sys_id of the sso configuration>`

- > Please copy the sys_id value from step 5.d.iii in **Configure ServiceNow** section.

- | `https://<instancename>.service-now.com/customer.do` |

- a. For **Sign on URL**, enter a URL that uses the following pattern:

- `https://<instance-name>.service-now.com/login_with_sso.do?glide_sso_id=<sys_id of the sso configuration>` please copy the sys_id value from step 5.d.iii in **Configure ServiceNow** section.

- c. For **Reply URL**, enter one of the following URL:

- b. Search for **Integration - Multiple Provider single sign-on Installer**.

- c. Select the plug-in. Right-click, and select **Activate/Upgrade**.

- 

- d. Select **Activate**.

- 

-1. In the left pane, search for the **Multi-Provider SSO** section from the search bar, and then select **Properties**.

- 

- 

- 

- a. For **Name**, enter a name for your configuration (for example, **Microsoft Azure Federated single sign-on**).

- b. Copy the **ServiceNow Homepage** value. Paste it in **Sign-on URL** in the **ServiceNow Basic SAML Configuration** section of the Azure portal.

- c. Copy the **Entity ID / Issuer** value. Paste it in **Identifier** in **ServiceNow Basic SAML Configuration** section of the Azure portal.

- d. Confirm that **NameID Policy** is set to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` value.

- e. Select **Advanced**. In **User Field**, enter **email**.

-1. Click on **User Settings** option form the top right corner of the page and select **Account Settings**.

-Azure Load Balancer is available in two SKUs - *Basic* and *Standard*. By default, *Standard* SKU is used when you create an AKS cluster. Use the *Standard* SKU to have access to added functionality, such as a larger backend pool, [**multiple node pools**](use-multiple-node-pools.md), and [**Availability Zones**](availability-zones.md). It's the recommended Load Balancer SKU for AKS.

-[azure-lb]: ../load-balancer/load-balancer-overview.md

-description: Learn how to add a spot node pool to an Azure Kubernetes Service (AKS) cluster.

-#Customer intent: As a cluster operator or developer, I want to learn how to add a spot node pool to an AKS Cluster.

-# Add a spot node pool to an Azure Kubernetes Service (AKS) cluster

-A spot node pool is a node pool backed by a [spot virtual machine scale set][vmss-spot]. Using spot VMs for nodes with your AKS cluster allows you to take advantage of unutilized capacity in Azure at a significant cost savings. The amount of available unutilized capacity will vary based on many factors, including node size, region, and time of day.

-When deploying a spot node pool, Azure will allocate the spot nodes if there's capacity available. But there's no SLA for the spot nodes. A spot scale set that backs the spot node pool is deployed in a single fault domain and offers no high availability guarantees. At any time when Azure needs the capacity back, the Azure infrastructure will evict spot nodes.

-Spot nodes are great for workloads that can handle interruptions, early terminations, or evictions. For example, workloads such as batch processing jobs, development and testing environments, and large compute workloads may be good candidates to be scheduled on a spot node pool.

-In this article, you add a secondary spot node pool to an existing Azure Kubernetes Service (AKS) cluster.

-When you create a cluster to use a spot node pool, that cluster must also use Virtual Machine Scale Sets for node pools and the *Standard* SKU load balancer. You must also add an additional node pool after you create your cluster to use a spot node pool. Adding an additional node pool is covered in a later step.

-This article requires that you are running the Azure CLI version 2.14 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].

-The following limitations apply when you create and manage AKS clusters with a spot node pool:

-* A spot node pool can't be the cluster's default node pool. A spot node pool can only be used for a secondary pool.

-* You can't upgrade a spot node pool since spot node pools can't guarantee cordon and drain. You must replace your existing spot node pool with a new one to do operations such as upgrading the Kubernetes version. To replace a spot node pool, create a new spot node pool with a different version of Kubernetes, wait until its status is *Ready*, then remove the old node pool.

-* The control plane and node pools cannot be upgraded at the same time. You must upgrade them separately or remove the spot node pool to upgrade the control plane and remaining node pools at the same time.

-* A spot node pool must use Virtual Machine Scale Sets.

-* You cannot change ScaleSetPriority or SpotMaxPrice after creation.

-* A spot node pool will have the label *kubernetes.azure.com/scalesetpriority:spot*, the taint *kubernetes.azure.com/scalesetpriority=spot:NoSchedule*, and system pods will have anti-affinity.

-* You must add a [corresponding toleration][spot-toleration] and affinity to schedule workloads on a spot node pool.

-## Add a spot node pool to an AKS cluster

-You must add a spot node pool to an existing cluster that has multiple node pools enabled. More details on creating an AKS cluster with multiple node pools are available [here][use-multiple-node-pools].

-Create a node pool using the [az aks nodepool add][az-aks-nodepool-add].

-By default, you create a node pool with a *priority* of *Regular* in your AKS cluster when you create a cluster with multiple node pools. The above command adds an auxiliary node pool to an existing AKS cluster with a *priority* of *Spot*. The *priority* of *Spot* makes the node pool a spot node pool. The *eviction-policy* parameter is set to *Delete* in the above example, which is the default value. When you set the [eviction policy][eviction-policy] to *Delete*, nodes in the underlying scale set of the node pool are deleted when they're evicted. You can also set the eviction policy to *Deallocate*. When you set the eviction policy to *Deallocate*, nodes in the underlying scale set are set to the stopped-deallocated state upon eviction. Nodes in the stopped-deallocated state count against your compute quota and can cause issues with cluster scaling or upgrading. The *priority* and *eviction-policy* values can only be set during node pool creation. Those values can't be updated later.

-The command also enables the [cluster autoscaler][cluster-autoscaler], which is recommended to use with spot node pools. Based on the workloads running in your cluster, the cluster autoscaler scales up and scales down the number of nodes in the node pool. For spot node pools, the cluster autoscaler will scale up the number of nodes after an eviction if additional nodes are still needed. If you change the maximum number of nodes a node pool can have, you also need to adjust the `maxCount` value associated with the cluster autoscaler. If you do not use a cluster autoscaler, upon eviction, the spot pool will eventually decrease to zero and require a manual operation to receive any additional spot nodes.

-> [!Important]

-> Only schedule workloads on spot node pools that can handle interruptions, such as batch processing jobs and testing environments. It is recommended that you set up [taints and tolerations][taints-tolerations] on your spot node pool to ensure that only workloads that can handle node evictions are scheduled on a spot node pool. For example, the above command by default adds a taint of *kubernetes.azure.com/scalesetpriority=spot:NoSchedule* so only pods with a corresponding toleration are scheduled on this node.

-## Verify the spot node pool

-To verify your node pool has been added as a spot node pool:

-To schedule a pod to run on a spot node, add a toleration and node affinity that corresponds to the taint applied to your spot node. The following example shows a portion of a yaml file that defines a toleration that corresponds to the *kubernetes.azure.com/scalesetpriority=spot:NoSchedule* taint and a node affinity that corresponds to the *kubernetes.azure.com/scalesetpriority=spot* label used in the previous step.

-## Max price for a spot pool

-[Pricing for spot instances is variable][pricing-spot], based on region and SKU. For more information, see pricing for [Linux][pricing-linux] and [Windows][pricing-windows].

-With variable pricing, you have option to set a max price, in US dollars (USD), using up to 5 decimal places. For example, the value *0.98765* would be a max price of $0.98765 USD per hour. If you set the max price to *-1*, the instance won't be evicted based on price. The price for the instance will be the current price for Spot or the price for a standard instance, whichever is less, as long as there is capacity and quota available.

-In this article, you learned how to add a spot node pool to an AKS cluster. For more information about how to control pods across node pools, see [Best practices for advanced scheduler features in AKS][operator-best-practices-advanced-scheduler].

-* If you want to label your data, download the [Form Recognizer Sample Labeling tool for Windows](https://github.com/microsoft/OCR-Form-Tools/releases/tag/v2.1-ga). The download will import the labeling tool .exe file that you'll use to label the data present on your local file system. You can ignore any warnings that occur during the download process.

-| Azure Storage:ΓÇ»[Files Storage](../storage/files/storage-files-planning.md) |  |

-| Virtual Machines:ΓÇ»[Azure Dedicated Host](../virtual-machines/windows/create-powershell-availability-zone.md) |  |

-| Virtual Machines:ΓÇ»[Ddsv4-Series](../virtual-machines/windows/create-powershell-availability-zone.md) |  |

-| Virtual Machines:ΓÇ»[Ddv4-Series](../virtual-machines/windows/create-powershell-availability-zone.md) |  |

-| Virtual Machines:ΓÇ»[Dsv4-Series](../virtual-machines/windows/create-powershell-availability-zone.md) |  |

-| Virtual Machines:ΓÇ»[Dv4-Series](../virtual-machines/windows/create-powershell-availability-zone.md) |  |

-| Virtual Machines:ΓÇ»[Edsv4-Series](../virtual-machines/windows/create-powershell-availability-zone.md) |  |

-| Virtual Machines:ΓÇ»[Edv4-Series](../virtual-machines/windows/create-powershell-availability-zone.md) |  |

-| Virtual Machines:ΓÇ»[Esv4-Series](../virtual-machines/windows/create-powershell-availability-zone.md) |  |

-| Virtual Machines:ΓÇ»[Ev4-Series](../virtual-machines/windows/create-powershell-availability-zone.md) |  |

-| Virtual Machines:ΓÇ»[Fsv2-Series](../virtual-machines/windows/create-powershell-availability-zone.md) |  |

-| Virtual Machines:ΓÇ»[M-Series](../virtual-machines/windows/create-powershell-availability-zone.md) |  |

-## Create an Azure Arc-enabled SQL Managed Instance

-During a data controller upgrade, portions of the data control plane such as Custom Resource Definitions (CRDs) and containers may be upgraded. An upgrade of the data controller will not cause downtime for the data services (SQL Managed Instance or PostgreSQL Hyperscale server).

-You will need a directly connected data controller with the imageTag v1.0.0_2021-07-30 or later.

-Before you can proceed with the tasks in this article you need to install:

- az arcdata dc list-upgrades --k8s-namespace <custom location>

-### Upgrade

-You will need to connect and authenticate to a Kubernetes cluster and have an existing Kubernetes context selected prior to beginning the upgrade of the Azure Arc data controller.

-You can perform a dry run first. The dry run validates the registry exists, the version schema, and the private repository authorization token (if used). To perform a dry run, use the `--dry-run` parameter in the `az arcdata dc upgrade` command. For example:

-az arcdata dc upgrade --resource-group <resource group> --name <data controller name> --desired-version <version> [--no-wait]

-The output for the preceding command is:

-```output

-Preparing to upgrade dc arcdc in namespace arc to version <version-tag>.

-Preparing to upgrade dc arcdc in namespace arc to version <version-tag>.

-****Dry Run****

-Arcdata Control Plane would be upgraded to: <version-tag>

-Upgrade the data controller by running an upgrade on the Arc data controller extension first. This can be done as follows:

-You can retrieve the name of your extension and its version, by browsing to the Overview blade of your Arc enabled kubernetes cluster and select Extensions tab on the left. You can also retrieve the name of your extension and its version running `az` CLI As follows:

-az k8s-extension list --resource-group <resource-group> --cluster-name <connected cluster name> --cluster-type connectedClusters

-For example:

-az k8s-extension list --resource-group myresource-group --cluster-name myconnected-cluster --cluster-type connectedClusters

-After retrieving the Arc data controller extension name and its version, the extension can be upgraded as follows:

-For example:

-```azurecli

-az k8s-extension update --resource-group myresource-group --cluster-name myconnected-cluster --cluster-type connectedClusters --name arcdc-ext --version 1.2.19481002 --release-train stable --config systemDefaultValues.image="mcr.microsoft.com/arcdata/arc-bootstrapper:v1.6.0_2022-05-02"

-Once the extension is upgraded, run the `az arcdata dc upgrade` command to upgrade the data controller. If you don't specify a target image, the data controller will be upgraded to the latest version.

-az arcdata dc upgrade --resource-group <resource group> --name <data controller name> [--no-wait]

-In example above, you can include `--desired-version <version>` to specify a version if you do not want the latest version.

-> [!NOTE]

-> Currently upgrade is only supported to the next immediate version. Hence, if you are more than one version behind, specify the `--desired-version` to avoid compatibility issues.

-During a data controller upgrade, portions of the data control plane such as Custom Resource Definitions (CRDs) and containers may be upgraded. An upgrade of the data controller will not cause downtime for the data services (SQL Managed Instance or PostgreSQL Hyperscale server).

-During a data controller upgrade, portions of the data control plane such as Custom Resource Definitions (CRDs) and containers may be upgraded. An upgrade of the data controller will not cause downtime for the data services (SQL Managed Instance or PostgreSQL Hyperscale server).

-You will need an indirectly connected data controller with the imageTag v1.0.0_2021-07-30 or later.

-Before you can proceed with the tasks in this article you need to install:

-You will need to connect and authenticate to a Kubernetes cluster and have an existing Kubernetes context selected prior to beginning the upgrade of the Azure Arc data controller.

-To upgrade the data controller, run the `az arcdata dc upgrade` command. If you don't specify a target image, the data controller will be upgraded to the latest version.

-az arcdata dc upgrade --k8s-namespace <namespace> --use-k8s

-In example above, you can include `--desired-version <version>` to specify a version if you do not want the latest version.

-You can monitor the progress of the upgrade with kubectl or CLI.

-### kubectl

-```console

-kubectl get datacontrollers --namespace <namespace>

-kubectl get monitors --namespace <namespace>

-```

-The upgrade is a two-part process. First the controller is upgraded, then the monitoring stack is upgraded. During the upgrade, use ```kubectl get monitors -n <namespace> -w``` to view the status. The output will be:

-```output

-NAME STATUS AGE

-monitorstack Updating 36m

-monitorstack Updating 36m

-monitorstack Updating 39m

-monitorstack Updating 39m

-monitorstack Updating 41m

-monitorstack Ready 41m

-```

- az arcdata dc status show --k8s-namespace <namespace> --use-k8s

-The upgrade is a two-part process. First the controller is upgraded, then the monitoring stack is upgraded. When the upgrade is complete, the output will be:

-During a data controller upgrade, portions of the data control plane such as Custom Resource Definitions (CRDs) and containers may be upgraded. An upgrade of the data controller will not cause downtime for the data services (SQL Managed Instance or PostgreSQL Hyperscale server).

-In this article, you will apply a .yaml file to:

-Prior to beginning the upgrade of the Azure Arc data controller, you will need:

-### Install tools

-To upgrade the Azure Arc data controller using Kubernetes tools you need to have the Kubernetes tools installed.

-The examples in this article use kubectl, but similar approaches could be used with other Kubernetes tools

-such as the Kubernetes dashboard, oc, or helm if you are familiar with those tools and Kubernetes yaml/json.

-To upgrade the data controller, you will apply a yaml file to the Kubernetes cluster. The example file for the upgrade is available in GitHub at <https://github.com/microsoft/azure_arc/tree/main/arc_data_services/upgrade/yaml>.

-In the yaml file, you will replace ```{{namespace}}``` with your namespace.

-A cluster role (`ClusterRole`) grants the service account permission to perform the upgrade.

-1. Describe the cluster role and rules in a .yaml file. The following example defines a cluster role for `arc:cr-upgrade-worker` and allows all API groups, resources, and verbs.

-1. Edit the file as needed.

-1. Edit the file as needed.

-description: Article describes how to enable automatic upgrades of SQL Managed Instance for Azure Arc

-# Enable automatic upgrades of a SQL Managed Instance

-You can set the `--desired-version` parameter of the `spec.update.desiredVersion` property of an Azure Arc-enabled SQL Managed Instance to `auto` to ensure that your Managed Instance will be upgraded after a data controller upgrade, with no interaction from a user. This allows for ease of management, as you do not need to manually upgrade every instance for every release.

-After setting the `--desired-version` parameter of the `spec.update.desiredVersion` property to `auto` the first time, Azure Arc-enabled data service will begin an upgrade to the newest image version within five minutes for the Managed Instance. Thereafter, within five minutes of a data controller being upgraded, the Managed Instance will begin the upgrade process. This works for both directly connected and indirectly connected modes.

-If the `spec.update.desiredVersion` property is pinned to a specific version, automatic upgrades will not take place. This allows you to let most instances automatically upgrade, while manually managing instances that need a more hands-on approach.

-## Enable with with Kubernetes tools (kubectl)

-Use kubectl to view the existing spec in yaml.

-Indirectly connected:

-Directly connected:

-````

-description: Article describes how to upgrade an indirectly connected Azure Arc-enabled Managed Instance using the CLI

-# Upgrade an indirectly connected Azure Arc-enabled Managed Instance using the CLI

-Before you can proceed with the tasks in this article you need to install:

-The Azure Arc Data Controller must be upgraded to the new version before the Managed Instance can be upgraded.

-Currently, only one Managed Instance can be upgraded at a time.

-## Upgrade the Managed Instance

-A dry run can be performed first. This will validate the version schema and list which instance(s) will be upgraded.

-````cli

-````

-### General Purpose

-During a SQL Managed Instance General Purpose upgrade, the containers in the pod will be upgraded and will be reprovisioned. This will cause a short amount of downtime as the new pod is created. You will need to build resiliency into your application, such as connection retry logic, to ensure minimal disruption. Read [Overview of the reliability pillar](/azure/architecture/framework/resiliency/overview) for more information on architecting resiliency and [Retry Guidance for Azure Services](/azure/architecture/best-practices/retry-service-specific#sql-database-using-adonet).

-### Business Critical

-To upgrade the Managed Instance, use the following command:

-````cli

-````

-````cli

-````

-You can monitor the progress of the upgrade with kubectl or CLI.

-### kubectl

-```console

-kubectl describe sqlmi --namespace <namespace>

-```

-description: Article describes how to upgrade a directly connected Azure Arc-enabled Managed Instance using the CLI

-# Upgrade a directly connected Azure Arc-enabled Managed Instance using the CLI

-This article describes how to upgrade a SQL Managed Instance deployed on a directly connected Azure Arc-enabled data controller using the Azure CLI (`az`).

-Before you can proceed with the tasks in this article you need to install:

-The Azure Arc Data Controller must be upgraded to the new version before the Managed Instance can be upgraded.

-Currently, only one Managed Instance can be upgraded at a time.

-## Upgrade the Managed Instance

-A dry run can be performed first. This will validate the version schema and list which instance(s) will be upgraded.

-````cli

-````

-### General Purpose

-During a SQL Managed Instance General Purpose upgrade, the containers in the pod will be upgraded and will be reprovisioned. This will cause a short amount of downtime as the new pod is created. You will need to build resiliency into your application, such as connection retry logic, to ensure minimal disruption. Read [Overview of the reliability pillar](/azure/architecture/framework/resiliency/overview) for more information on architecting resiliency and [retry guidance for Azure Services](/azure/architecture/best-practices/retry-service-specific#sql-database-using-adonet).

-### Business Critical

-To upgrade the Managed Instance, use the following command:

-````cli

-````

-````cli

-````

-### CLI

-description: Article describes how to upgrade an indirectly connected Azure Arc-enabled Managed Instance using Kubernetes tools

-# Upgrade an an indirectly connected Azure Arc-enabled Managed Instance using Kubernetes tools

-This article describes how to upgrade a SQL Managed Instance deployed on an indirectly connected Azure Arc-enabled data controller using Kubernetes tools.

-Before you can proceed with the tasks in this article you need:

-The Azure Arc Data Controller must be upgraded to the new version before the Managed Instance can be upgraded.

-Currently, only one Managed Instance can be upgraded at a time.

-## Upgrade the Managed Instance

-### General Purpose

-During a SQL Managed Instance General Purpose upgrade, the containers in the pod will be upgraded and will be reprovisioned. This will cause a short amount of downtime as the new pod is created. You will need to build resiliency into your application, such as connection retry logic, to ensure minimal disruption. Read [Overview of the reliability pillar](/azure/architecture/framework/resiliency/overview) for more information on architecting resiliency.

-### Business Critical

-Use a kubectl command to view the existing spec in yaml.

-Run kubectl patch to update the desired version.

-You can monitor the progress of the upgrade with kubectl.

-description: Learn how to replicate your Azure Cache for Redis Enterprise instances across Azure regions

-In this article, you'll learn how to configure an active geo-replicated Azure Cache using the Azure portal.

-Active geo-replication groups up to five Enterprise Azure Cache for Redis instances into a single cache that spans across Azure regions. All instances act as the local primaries. An application decides which instance or instances to use for read and write requests.

-## Create or join an active geo-replication group

-> [!IMPORTANT]

-> Active geo-replication must be enabled at the time an Azure Cache for Redis is created.

->

-1. In the **Advanced** tab of **New Redis Cache** creation UI, select **Enterprise** for **Clustering Policy**.

- For more information on choosing **Clustering policy**, see [Clustering Policy](quickstart-create-redis-enterprise.md#clustering-policy).

- :::image type="content" source="media/cache-how-to-active-geo-replication/cache-clustering-policy.png" alt-text="Configure active geo-replication":::

-1. Create a new replication group, for a first cache instance, or select an existing one from the list.

- :::image type="content" source="media/cache-how-to-active-geo-replication/cache-active-geo-replication-new-group.png" alt-text="Link caches":::

- :::image type="content" source="media/cache-how-to-active-geo-replication/cache-active-geo-replication-configured.png" alt-text="Active geo-replication configured":::

-1. Wait for the first cache to be created successfully. Repeat the above steps for each cache instance in the geo-replication group.

- :::image type="content" source="media/cache-how-to-active-geo-replication/cache-active-geo-replication-group.png" alt-text="screenshot of active geo-replication group":::

- :::image type="content" source="media/cache-how-to-active-geo-replication/cache-cache-active-geo-replication-unlink.png" alt-text="screenshot of unlinking in active geo-replication":::

-Azure Functions lets you run your C# code in a serverless environment in Azure.

-There is also a [Visual Studio Code-based version](create-first-function-vs-code-csharp.md) of this article.

- | **Functions worker** | **.NET 6** or **.NET 6 Isolated** | When you choose **.NET 6**, you create a project that runs in-process with version 4.x of the Azure Functions runtime. When you choose **.NET 6 Isolated**, you create a project that runs in a separate worker process. Azure Functions 1.x supports the .NET Framework. For more information, see [Azure Functions runtime versions overview](./functions-versions.md). |

- | **Use Azurite for runtime storage account (AzureWebJobsStorage)** | Enable | Because a function app in Azure requires a storage account, one is assigned or created when you publish your project to Azure. An HTTP trigger doesn't use an Azure Storage account connection string; all other trigger types require a valid Azure Storage account connection string. When you select this option, the Azurite emulator is used. |

- :::image type="content" source="../../includes/media/functions-vs-tools-create/functions-project-settings-v4.png" alt-text="Azure Functions project settings":::

-Your function definition should now look like the following code, depending on mode:

-# [In-process](#tab/in-process)

-# [Isolated process](#tab/isolated-process)

-Before you can publish your project, you must have a function app in your Azure subscription. Visual Studio publishing creates a function app for you the first time you publish your project.

-Other quickstarts in this collection build upon this quickstart. If you plan to work with subsequent quickstarts, tutorials, or with any of the services you have created in this quickstart, do not clean up the resources.

-You created resources to complete these quickstarts. You may be billed for these resources, depending on your [account status](https://azure.microsoft.com/account/) and [service pricing](https://azure.microsoft.com/pricing/).

-> [Add an Azure Storage queue binding to your function](functions-add-output-binding-storage-queue-vs.md)

-Based on this decision there are different considerations when building and deploying on Azure Government.

-| Azure VM | Log Analytics agent VM extension for Windows/Linux | Agent is automatically upgraded by default [after the VM model changes](../../virtual-machines/extensions/features-linux.md#how-agents-and-extensions-are-updated), unless you configured your Azure Resource Manager template to opt out by setting the property *autoUpgradeMinorVersion* to **false**. |

-| AlmaLinux | X | | | |

-| Rocky Linux | X | | | |

- - references_regions

- - kr2b-contr-experiment

-|[Metric alerts](alerts-types.md#metric-alerts)|Metric alerts evaluate resource metrics at regular intervals. Metrics can be platform metrics, custom metrics, logs from Azure Monitor converted to metrics or Application Insights metrics. Metric alerts have several additional features (link), such as the ability to apply multiple conditions and dynamic thresholds.|

-|Activity Log alert|Activity logs provide auditing of all actions that occurred on resources. Use activity log alerts if you want to be alerted when a specific event happens to a resource, for example, a restart, a shutdown, or the creation or deletion of a resource.|For more information, see the [pricing page](https://azure.microsoft.com/pricing/details/monitor/).|

-A *dependency* is a component that is called by your application. It's typically a service called using HTTP, or a database, or a file system. [Application Insights](./app-insights-overview.md) measures the duration of dependency calls, whether its failing or not, along with additional information like name of dependency and so on. You can investigate specific dependency calls, and correlate them to requests and exceptions.

-|SQL | Calls made with `SqlClient`. See [this](#advanced-sql-tracking-to-get-full-sql-query) for capturing SQL query. |

-|[EventHub Client SDK](https://www.nuget.org/packages/Microsoft.Azure.EventHubs) | Version 1.1.0 and above. |

-|[ServiceBus Client SDK](https://www.nuget.org/packages/Microsoft.Azure.ServiceBus)| Version 3.0.0 and above. |

-For .NET Core console apps TelemetryConfiguration.Active is obsolete. Refer to the guidance in the [worker service documentation](./worker-service.md) and the [ASP.NET Core monitoring documentation](./asp-net-core.md)

-For example, if you build your code with an assembly that you didn't write yourself, you could time all the calls to it, to find out what contribution it makes to your response times. To have this data displayed in the dependency charts in Application Insights, send it using `TrackDependency`.

-Alternatively, `TelemetryClient` provides extension methods `StartOperation` and `StopOperation` which can be used to manually track dependencies, as shown [here](custom-operations-tracking.md#outgoing-dependencies-tracking)

-For SQL calls, the name of the server and database is always collected and stored as name of the collected `DependencyTelemetry`. There's an additional field called 'data', which can contain the full SQL query text.

-For ASP.NET Core applications, It is now required to opt-in to SQL Text collection by using

-| Azure Web App |In your web app control panel, [open the Application Insights blade](../../azure-monitor/app/azure-web-apps.md) and enable SQL Commands under .NET |

-| IIS Server (Azure VM, on-prem, and so on.) | Either use the [Microsoft.Data.SqlClient](https://www.nuget.org/packages/Microsoft.Data.SqlClient) NuGet package or use the Status Monitor PowerShell Module to [install the Instrumentation Engine](../../azure-monitor/app/status-monitor-v2-api-reference.md#enable-instrumentationengine) and restart IIS. |

-* Click through from slow or failed requests to check their dependency calls.

-Each request event is associated with the dependency calls, exceptions, and other events that are tracked while your app is processing the request. So if some requests are doing badly, you can find out whether it's because of slow responses from a dependency.

-Click on a **Dependency Name** under overall. After you select a dependency a graph of that dependency's distribution of durations will show up on the right.

-Click on the blue **Samples** button on the bottom right and then on a sample to see the end-to-end transaction details.

-We can go to the **Failures** tab on the left and then click on the **dependencies** tab at the top.

-Here you will be able to see the failed dependency count. To get more details about a failed occurrence trying clicking on a dependency name in the bottom table. You can click on the blue **Dependencies** button at the bottom right to get the end-to-end transaction details.

-* Failed dependency calls will have 'success' field set to False. `DependencyTrackingTelemetryModule` does not report `ExceptionTelemetry`. The full data model for dependency is described [here](data-model-dependency-telemetry.md).

-In the Log Analytics query view `timestamp` represents the moment the TrackDependency() call was initiated which occurs immediately after the dependency call response is received. To calculate the time when the dependency call began, you would take `timestamp` and subtract the recorded `duration` of the dependency call.

-For more on editing workbook templates, refer to the [Exploring a Workbook Template](../visualize/workbooks-overview.md#exploring-a-workbook-template) page.

-To learn about managing rights and permissions to the workbook, review [Access control](../visualize/workbooks-access-control.md).

- * Azure Network Security Group Analytics

-## Network Security Group analytics

-1. Add the management solution to Azure Monitor, and

-2. Enable diagnostics to direct the diagnostics to a Log Analytics workspace in Azure Monitor. It is not necessary to write the logs to Azure Blob storage.

-If diagnostic logs are not enabled, the dashboard blades for that resource are blank and display an error message.

-> [!NOTE]

-> In January 2017, the supported way of sending logs from Application Gateways and Network Security Groups to a Log Analytics workspace changed. If you see the **Azure Networking Analytics (deprecated)** solution, refer to [migrating from the old Networking Analytics solution](#migrating-from-the-old-networking-analytics-solution) for steps you need to follow.

->

->

-* Ability to consume and [share workbook templates](../visualize/workbooks-overview.md#workbooks-versus-workbook-templates) with wider community.

-## Azure Network Security Group analytics solution in Azure Monitor

-

-> [!NOTE]

-> The Network Security Group analytics solution is moving to community support since its functionality has been replaced by [Traffic Analytics](../../network-watcher/traffic-analytics.md).

-> - The solution is now available in [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/oms-azurensg-solution/) and will soon no longer be available in the Azure Marketplace.

-> - For existing customers who already added the solution to their workspace, it will continue to function with no changes.

-> - Microsoft will continue to support sending NSG resource logs to your workspace using Diagnostics Settings.

-The following logs are supported for network security groups:

-* NetworkSecurityGroupEvent

-* NetworkSecurityGroupRuleCounter

-### Install and configure the solution

-Use the following instructions to install and configure the Azure Networking Analytics solution:

-1. Enable the Azure Network Security Group analytics solution by using the process described in [Add Azure Monitor solutions from the Solutions Gallery](./solutions.md).

-2. Enable diagnostics logging for the [Network Security Group](../../virtual-network/virtual-network-nsg-manage-log.md) resources you want to monitor.

-### Enable Azure network security group diagnostics in the portal

-1. In the Azure portal, navigate to the Network Security Group resource to monitor

-2. Select *Diagnostics logs* to open the following page

- 

-3. Click *Turn on diagnostics* to open the following page

- 

-4. To turn on diagnostics, click *On* under *Status*

-5. Click the checkbox for *Send to Log Analytics*

-6. Select an existing Log Analytics workspace, or create a workspace

-7. Click the checkbox under **Log** for each of the log types to collect

-8. Click *Save* to enable the logging of diagnostics to Log Analytics

-### Enable Azure network diagnostics using PowerShell

-The following PowerShell script provides an example of how to enable resource logging for network security groups

-```powershell

-$workspaceId = "/subscriptions/d2e37fee-1234-40b2-5678-0b2199de3b50/resourcegroups/oi-default-east-us/providers/microsoft.operationalinsights/workspaces/rollingbaskets"

-$nsg = Get-AzNetworkSecurityGroup -Name 'ContosoNSG'

-Set-AzDiagnosticSetting -ResourceId $nsg.ResourceId -WorkspaceId $workspaceId -Enabled $true

-```

-### Use Azure Network Security Group analytics

-After you click the **Azure Network Security Group analytics** tile on the Overview, you can view summaries of your logs and then drill in to details for the following categories:

-* Network security group blocked flows

- * Network security group rules with blocked flows

- * MAC addresses with blocked flows

-* Network security group allowed flows

- * Network security group rules with allowed flows

- * MAC addresses with allowed flows

-

-

-On the **Azure Network Security Group analytics** dashboard, review the summary information in one of the blades, and then click one to view detailed information on the log search page.

-On any of the log search pages, you can view results by time, detailed results, and your log search history. You can also filter by facets to narrow the results.

-## Migrating from the old Networking Analytics solution

-In January 2017, the supported way of sending logs from Azure Application Gateways and Azure Network Security Groups to a Log Analytics workspace changed. These changes provide the following advantages:

-+ Logs are written directly to Azure Monitor without the need to use a storage account

-+ Less latency from the time when logs are generated to them being available in Azure Monitor

-+ Fewer configuration steps

-+ A common format for all types of Azure diagnostics

-To use the updated solutions:

-1. [Configure diagnostics to be sent directly to Azure Monitor from Azure Application Gateways](#enable-azure-application-gateway-diagnostics-in-the-portal)

-2. [Configure diagnostics to be sent directly to Azure Monitor from Azure Network Security Groups](#enable-azure-network-security-group-diagnostics-in-the-portal)

-2. Enable the *Azure Application Gateway Analytics* and the *Azure Network Security Group Analytics* solution by using the process described in [Add Azure Monitor solutions from the Solutions Gallery](solutions.md)

-3. Update any saved queries, dashboards, or alerts to use the new data type

- + Type is to AzureDiagnostics. You can use the ResourceType to filter to Azure networking logs.

- | Instead of: | Use: |

- | | |

- | NetworkApplicationgateways &#124; where OperationName=="ApplicationGatewayAccess" | AzureDiagnostics &#124; where ResourceType=="APPLICATIONGATEWAYS" and OperationName=="ApplicationGatewayAccess" |

- | NetworkApplicationgateways &#124; where OperationName=="ApplicationGatewayPerformance" | AzureDiagnostics &#124; where ResourceType=="APPLICATIONGATEWAYS" and OperationName=="ApplicationGatewayPerformance" |

- | NetworkSecuritygroups | AzureDiagnostics &#124; where ResourceType=="NETWORKSECURITYGROUPS" |

- + For any field that has a suffix of \_s, \_d, or \_g in the name, change the first character to lower case

- + For any field that has a suffix of \_o in name, the data is split into individual fields based on the nested field names.

-4. Remove the *Azure Networking Analytics (Deprecated)* solution.

- + If you are using PowerShell, use `Set-AzureOperationalInsightsIntelligencePack -ResourceGroupName <resource group that the workspace is in> -WorkspaceName <name of the log analytics workspace> -IntelligencePackName "AzureNetwork" -Enabled $false`

-Data collected before the change is not visible in the new solution. You can continue to query for this data using the old Type and field names.

-The [Azure Network Security Group Analytics solution](../insights/azure-networking-analytics.md#azure-network-security-group-analytics-solution-in-azure-monitor) will be replaced with the recently launched [Traffic Analytics](https://azure.microsoft.com/blog/traffic-analytics-in-preview/) which provides visibility into user and application activity on cloud networks. Traffic Analytics helps you audit your organization's network activity, secure applications and data, optimize workload performance and stay compliant.

-You can continue to rely on Diagnostics Settings to send NSG logs to Log Analytics so your existing saved searches, alerts, dashboards will continue to work. Customers who have already installed the solution can continue to use it until further notice. Starting September 5, the Network Security Group Analytics solution will be removed from the marketplace and made available through the community as a [Azure QuickStart Template](https://azure.microsoft.com/resources/templates/?resourceType=Microsoft.Operationalinsights).

-## How to start using workbooks

-Open workbooks from the Workbooks tile under your Log Analytics workspace.

-

-Once selected, a gallery will be displayed listing out all the saved workbooks and templates for your workspace.

-

-To start a new workbook, you may select the **Empty** template under **Quick start**, or the **New** icon in the top navigation bar. To view templates or return to saved workbooks, select the item from the gallery or search for the name in the search bar.

-To save a workbook, you will need to save the report with a specific title, subscription, resource group, and location.

-The workbook will autofill to the same settings as the LA workspace, with the same subscription, resource group, however, users may change these report settings. Workbooks are shared resources that require write access to the parent resource group to be saved.

-description: Simplify complex reporting with prebuilt and custom parameterized workbooks with role based access control

-# Access control

-Access control in workbooks refers to two things:

-* Access required to read data in a workbook. This access is controlled by standard [Azure roles](../../role-based-access-control/overview.md) on the resources used in the workbook. Workbooks do not specify or configure access to those resources. Users would usually get this access to those resources using the [Monitoring Reader](../../role-based-access-control/built-in-roles.md#monitoring-reader) role on those resources.

-* Access required to save workbooks

- - Saving workbooks requires write privileges in a resource group to save the workbook. These privileges are usually specified by the [Monitoring Contributor](../../role-based-access-control/built-in-roles.md#monitoring-contributor) role, but can also be set via the *Workbooks Contributor* role.

-

-## Standard roles with workbook-related privileges

-[Monitoring Reader](../../role-based-access-control/built-in-roles.md#monitoring-reader) includes standard /read privileges that would be used by monitoring tools (including workbooks) to read data from resources.

-[Monitoring Contributor](../../role-based-access-control/built-in-roles.md#monitoring-contributor) includes general `/write` privileges used by various monitoring tools for saving items (including `workbooks/write` privilege to save shared workbooks).

-ΓÇ£Workbooks ContributorΓÇ¥ adds ΓÇ£workbooks/writeΓÇ¥ privileges to an object to save shared workbooks.

-For custom roles:

-Add `microsoft.insights/workbooks/write` to save workbooks. For more details, see the [Workbook Contributor](../../role-based-access-control/built-in-roles.md#monitoring-contributor) role.

-## Next steps

-* [Get started](./workbooks-overview.md#visualizations) learning more about workbooks many rich visualizations options.

-* [Deploy](../visualize/workbooks-automate.md) workbooks with Azure Resource Manager.

-* [Control](./workbooks-access-control.md) and share access to your workbook resources.

-description: Simplify complex reporting with prebuilt and custom parameterized Azure Monitor Workbooks built from multiple data sources

-# Azure Monitor workbooks data sources

-Workbooks are compatible with a large number of data sources. This article will walk you through data sources which are currently available for Azure Monitor workbooks.

-For the **Cluster Name** field, you should add ther region name following the cluster name. For example: *mycluster.westeurope*.

-To make a query control using [Application Change Analysis](../app/change-analysis.md) as the data source, use the *Data source* drop down and choose *Change Analysis (preview)* and select a single resource. Changes for up to the last 14 days can be shown. The *Level* drop down can be used to filter between "Important", "Normal", and "Noisy" changes, and this drop down supports workbook parameters of type [drop down](workbooks-dropdowns.md).

-## Merge data from different sources

-It is often necessary to bring together data from different sources that enhance the insights experience. An example is augmenting active alert information with related metric data. This allows users to see not just the effect (an active alert), but also potential causes (for example, high CPU usage). The monitoring domain has numerous such correlatable data sources that are often critical to the triage and diagnostic workflow.

-Workbooks allows not just the querying of different data sources, but also provides simple controls that allow you to merge or join the data to provide rich insights. The `merge` control is the way to achieve it.

-The example below combines alerting data with log analytics VM performance data to get a rich insights grid.

-> [!div class="mx-imgBorder"]

-> 

-Workbooks support a variety of merges:

-* Inner unique join

-* Full inner join

-* Full outer join

-* Left outer join

-* Right outer join

-* Left semi-join

-* Right semi-join

-* Left anti-join

-* Right anti-join

-* Union

-* Duplicate table

-This provider supports [JSONPath](workbooks-jsonpath.md).

-## Alerts (preview)

-> The suggested way to query for Azure Alert information is by using the [Azure Resource Graph](#azure-resource-graph) data source, by querying the `AlertsManagementResources` table.

->

-> See the [Azure Resource Graph table reference](../../governance/resource-graph/reference/supported-tables-resources.md), or the [Alerts template](https://github.com/microsoft/Application-Insights-Workbooks/blob/master/Workbooks/Azure%20Resources/Alerts/Alerts.workbook) for examples.

->

-> The Alerts data source will remain available for a period of time while authors transition to using ARG. Use of this data source in templates is discouraged.

-Workbooks allow users to visualize the active alerts related to their resources.

-Limitations: the alerts data source requires read access to the Subscription in order to query resources, and may not show newer kinds of alerts.

-To make a query control use this data source, use the _Data source_ drop-down to choose _Alerts (preview)_ and select the subscriptions, resource groups, or resources to target. Use the alert filter drop downs to select an interesting subset of alerts for your analytic needs.

-> [!NOTE]

-> Do not write any secrets in any of the fields (`headers`, `parameters`, `body`, `url`), since they will be visible to all of the Workbook users.

-* [Get started](./workbooks-overview.md#visualizations) learning more about workbooks many rich visualizations options.

-* [Control](./workbooks-access-control.md) and share access to your workbook resources.

-* [Log Analytics query optimization tips](../logs/query-optimization.md)

-* [Get started](./workbooks-overview.md#visualizations) learning more about workbooks many rich visualizations options.

-* [Control](./workbooks-access-control.md) and share access to your workbook resources.

-* [Get started](./workbooks-overview.md#visualizations) learning more about workbooks many rich visualizations options.

-* [Control](./workbooks-access-control.md) and share access to your workbook resources.

-# Azure Monitor Workbooks

-Workbooks provide a flexible canvas for data analysis and the creation of rich visual reports within the Azure portal. They allow you to tap into multiple data sources from across Azure, and combine them into unified interactive experiences.

-Here is a video walkthrough on creating workbooks.

-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4B4Ap]

-> [!NOTE]

-> Legacy and private workbooks have been removed. Use the the [workbook retrieval tool](https://github.com/microsoft/Application-Insights-Workbooks/blob/master/Documentation/LegacyAI/DeprecatedWorkbookRetrievalTool.md) to retrieve the contents of your old workbook.

-## Data sources

-Workbooks can query data from multiple sources within Azure. Authors of workbooks can transform this data to provide insights into the availability, performance, usage, and overall health of the underlying components. For instance, analyzing performance logs from virtual machines to identify high CPU or low memory instances and displaying the results as a grid in an interactive report.

-

-But the real power of workbooks is the ability to combine data from disparate sources within a single report. This allows for the creation of composite resource views or joins across resources enabling richer data and insights that would otherwise be impossible.

-Workbooks are currently compatible with the following data sources:

-* [Logs](../visualize/workbooks-data-sources.md#logs)

-* [Metrics](../visualize/workbooks-data-sources.md#metrics)

-* [Azure Resource Graph](../visualize/workbooks-data-sources.md#azure-resource-graph)

-* [Alerts (Preview)](../visualize/workbooks-data-sources.md#alerts-preview)

-* [Workload Health](../visualize/workbooks-data-sources.md#workload-health)

-* [Azure Resource Health](../visualize/workbooks-data-sources.md#azure-resource-health)

-* [Azure Data Explorer](../visualize/workbooks-data-sources.md#azure-data-explorer)

-## Visualizations

-Workbooks provide a rich set of capabilities for visualizing your data. For detailed examples of each visualization type, you can consult the links below:

-* [Text](../visualize/workbooks-text-visualizations.md)

-* [Charts](../visualize/workbooks-chart-visualizations.md)

-* [Grids](../visualize/workbooks-grid-visualizations.md)

-* [Tiles](../visualize/workbooks-tile-visualizations.md)

-* [Trees](../visualize/workbooks-tree-visualizations.md)

-* [Graphs](../visualize/workbooks-graph-visualizations.md)

-* [Composite bar](../visualize/workbooks-composite-bar.md)

-* [Honey comb](workbooks-honey-comb.md)

-* [Map](workbooks-map-visualizations.md)

-### Pinning Visualizations

-Text, query, and metrics steps in a workbook can be pinned by using the pin button on those items while the workbook is in pin mode, or if the workbook author has enabled settings for that element to make the pin icon visible.

-To access pin mode, select **Edit** to enter editing mode, and select the blue pin icon in the top bar. An individual pin icon will then appear above each corresponding workbook part's *Edit* box on the right-hand side of your screen.

-> [!NOTE]

-> The state of the workbook is saved at the time of the pin, and pinned workbooks on a dashboard will not update if the underlying workbook is modified. In order to update a pinned workbook part, you will need to delete and re-pin that part.

-## Getting started

-To explore the workbooks experience, first navigate to the Azure Monitor service. This can be done by typing **Monitor** into the search box in the Azure portal.

-Then select **Workbooks**.

-### Gallery

-The gallery makes it convenient to organize, sort, and manage workbooks of all types.

-#### Features

-* In each tab, there is a grid with info on the workbooks. It includes description, last modified date, tags, subscription, resource group, region, and shared state. You can also sort the workbooks by this information.

-* Filter by resource group, subscriptions, workbook/template name, or template category.

-* Select multiple workbooks to delete or bulk delete.

-* Each Workbook has a context menu (ellipsis/three dots at the end), selecting it will open a list of quick actions.

- * View resource - Access workbook resource tab to see the resource ID of the workbook, add tags, manage locks etc.

- * Delete or rename workbook.

- * Pin workbook to dashboard.

-### Workbooks versus workbook templates

-You can see a _workbook_ in green and a number of _workbook templates_ in purple. Templates serve as curated reports that are designed for flexible reuse by multiple users and teams. Opening a template creates a transient workbook populated with the content of the template.

-You can adjust the template-based workbook's parameters and perform analysis without fear of breaking the future reporting experience for colleagues. If you open a template, make some adjustments, and then select the save icon you will be saving the template as a workbook which would then show in green leaving the original template untouched.

-Under the hood, templates also differ from saved workbooks. Saving a workbook creates an associated Azure Resource Manager resource, whereas the transient workbook created when just opening a template has no unique resource associated with it. To learn more about how access control is managed in workbooks consult the [workbooks access control article](../visualize/workbooks-access-control.md).

-### Exploring a workbook template

-Select **Application Failure Analysis** to see one of the default application workbook templates.

-As stated previously, opening the template creates a temporary workbook for you to be able to interact with. By default, the workbook opens in reading mode which displays only the information for the intended analysis experience that was created by the original template author.

-In the case of this particular workbook, the experience is interactive. You can adjust the subscription, targeted apps, and the time range of the data you want to display. Once you have made those selections the grid of HTTP Requests is also interactive whereby selecting an individual row will change what data is rendered in the two charts at the bottom of the report.

-### Editing mode

-To understand how this workbook template is put together you need to swap to editing mode by selecting **Edit**.

-Once you have switched to editing mode you will notice a number of **Edit** boxes appear to the right corresponding with each individual aspect of your workbook.

-If we select the edit button immediately under the grid of request data we can see that this part of our workbook consists of a Kusto query against data from an Application Insights resource.

-Selecting the other **Edit** buttons on the right will reveal a number of the core components that make up workbooks like markdown-based [text boxes](../visualize/workbooks-text-visualizations.md), [parameter selection](../visualize/workbooks-parameters.md) UI elements, and other [chart/visualization types](#visualizations).

-Exploring the pre-built templates in edit-mode and then modifying them to fit your needs and save your own custom workbook is an excellent way to start to learn about what is possible with Azure Monitor workbooks.

-## Dashboard time ranges

-Pinned workbook query parts will respect the dashboard's time range if the pinned item is configured to use a *Time Range* parameter. The dashboard's time range value will be used as the time range parameter's value, and any change of the dashboard time range will cause the pinned item to update. If a pinned part is using the dashboard's time range, you will see the subtitle of the pinned part update to show the dashboard's time range whenever the time range changes.

-Additionally, pinned workbook parts using a time range parameter will auto refresh at a rate determined by the dashboard's time range. The last time the query ran will appear in the subtitle of the pinned part.

-If a pinned step has an explicitly set time range (does not use a time range parameter), that time range will always be used for the dashboard, regardless of the dashboard's settings. The subtitle of the pinned part will not show the dashboard's time range, and the query will not auto-refresh on the dashboard. The subtitle will show the last time the query executed.

-> [!NOTE]

-> Queries using the *merge* data source are not currently supported when pinning to dashboards.

-## Sharing workbook templates

-Once you start creating your own workbook templates you might want to share it with the wider community. To learn more, and to explore other templates that aren't part of the default Azure Monitor gallery view visit our [GitHub repository](https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/README.md). To browse existing workbooks, visit the [Workbook library](https://github.com/microsoft/Application-Insights-Workbooks/tree/master/Workbooks) on GitHub.

-## Next step

-* [Get started](#visualizations) learning more about workbooks many rich visualizations options.

-* [Control](../visualize/workbooks-access-control.md) and share access to your workbook resources.

-description: Learn how parameters allow workbook authors to collect input from the consumers and reference it in other parts of the workbook.

-# Workbook parameters

-* [Time](workbooks-time.md) - allows a user to select from prepopulated time ranges or select a custom range

-## Creating a parameter

-2. Choose _Add parameters_ from the links within the workbook.

-3. Click on the blue _Add Parameter_ button.

-4. In the new parameter pane that pops up enter:

- 1. Parameter name: `TimeRange` *(note that parameter __names__ **cannot** include spaces or special characters)*

- 2. Display name: `Time Range` *(however, __display names__ can include spaces, special characters, emoji, etc.)*

- 2. Parameter type: `Time range picker`

- 3. Required: `checked`

- 4. Available time ranges: Last hour, Last 12 hours, Last 24 hours, Last 48 hours, Last 3 days, Last 7 days and Allow custom time range selection

-5. Choose 'Save' from the toolbar to create the parameter.

- 

- 

-## Referencing a parameter

-### Via Bindings

-2. Open the _Time Range_ drop down and select the `Time Range` option from the Parameters section at the bottom.

- 

-### In KQL

- 

-### In Text

-The _In Text_ section used the `label` of the parameter instead of its value. Parameters expose various such options depending on its type - e.g. time range pickers allow value, label, query, start, end, and grain.

-Use the `Previews` section of the _Edit Parameter_ pane to see the expansion options for your parameter:

-

-* [Get started](./workbooks-overview.md#visualizations) learning more about workbooks many rich visualizations options.

-* [Control](./workbooks-access-control.md) and share access to your workbook resources.

-## Creating a resource parameter (workbook resources)

-## Creating a resource parameter (Azure Resource Graph)

-## Creating a resource parameter (JSON list)

-## Referencing a resource parameter

-* [Get started](./workbooks-overview.md#visualizations) learning more about workbooks many rich visualizations options.

-* [Control](./workbooks-access-control.md) and share access to your workbook resources.

-* [Get started](./workbooks-overview.md#visualizations) learning more about workbooks many rich visualizations options.

-* [Control](./workbooks-access-control.md) and share access to your workbook resources.

- 

-

- 

- 

-* [Get started](./workbooks-overview.md#visualizations) learning more about workbooks many rich visualizations options.

-* [Control](./workbooks-access-control.md) and share access to your workbook resources.

-* To resolve this issue, use the [restore disks](./backup-azure-arm-restore-vms.md#restore-disks) option during the restore operation and then use [PowerShell](./backup-azure-vms-automation.md#create-a-vm-from-restored-disks) or [Azure CLI](./tutorial-restore-disk.md) cmdlets to create the VM with the latest marketplace information corresponding to the VM.

-* If the publisher does not have any Marketplace information, you can use the data disks to retrieve your data and you can attach them to an existing VM.

-Error message: Extension state is not supportive to backup operation

-Backup operation on the VM failed due to delay in network calls while performing the snapshot operation. To resolve this issue, perform Step 1. If the issue persists, try steps 2 and 3.

-| Urn | urn:provider:Azure-chaosStudio:Microsoft.Azure.Chaos.Delay.Timed |

- "name": "urn:provider:Azure-chaosStudio:Microsoft.Azure.Chaos.Delay.Timed",

-|ML entities|All of your ML entities will be transferred as conversational language understanding entities with the same names. The labels will be persisted and used to train the Learned component of the entity. Structured ML entities will transfer over the leaf nodes of the structure as different entities and apply their labels accordingly.|

-|Utterances|All of your LUIS utterances will be transferred as conversational language understanding utterances with their intent and entity labels. Structured ML entity labels will only consider the top-level entity labels, and the individual subentity labels will be ignored.|

-In this article, you'll set up a *robust, key rotation agnostic* solution to access Azure Cosmos DB keys by using [managed identities](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md) and [data plane role-based access control](how-to-setup-rbac.md). The example in this article uses Azure Functions, but you can use any service that supports managed identities.

-1. Use ``az cosmosdb show`` with the **query** parameter set to ``documentEndpoint``. Record the result. You'll use this value in a later step.

-> [!TIP]

-1. Use [``az role assignment create``](/cli/azure/cosmosdb/sql/role/assignment#az-cosmosdb-sql-role-assignment-create) to assign the ``Cosmos DB Built-in Data Reader`` role to the system-assigned managed identity.

-## (Optional) Run the function locally

-1. Run the function app

-* [Certificate-based authentication with Azure Cosmos DB and Azure Active Directory](certificate-based-authentication.md)

-* [Secure Azure Cosmos DB keys using Azure Key Vault](access-secrets-from-keyvault.md)

-* [Security baseline for Azure Cosmos DB](security-baseline.md)

-After you migrate your account to continuous backup mode, the cost with this mode is different when compared to the periodic backup mode. The continuous mode backup cost is cheaper than periodic mode. To learn more, see the [continuous backup mode pricing](continuous-backup-restore-introduction.md#continuous-backup-pricing) example.

-This sample requires Azure PowerShell Az 5.4.0 or later. Run `Get-Module -ListAvailable Az` to see which versions are installed.

-|`Microsoft.Azure.Documents.Client.DocumentClient`|`Microsoft.Azure.CosmosClient`|

- "EndpointSuffix=core.windows.net;

- "TableEndpoint=https://your_endpoint;" ;

-An EA administrator can download the invoice from the [Azure portal](https://portal.azure.com) or have it sent in email. Invoices are sent to whoever is set up to receive invoices for the enrollment.

-| MC (USD) | Indicates the Monetary Committment value |

-4. You can also download your a daily breakdown of consumed quantities and estimated charges by selecting **Download csv**.

-For more information about your invoice, see [Understand your bill for Microsoft Azure](../understand/review-individual-bill.md). For help managing your costs, see [Analyze unexpected charges](../understand/analyze-unexpected-charges.md).

-You can opt in and configure additional recipients to receive your Azure invoice in an email. This feature may not be available for certain subscriptions such as support offers, Enterprise Agreements, or Azure in Open. If you have a Microsoft Customer agreement, see [Get your billing profile invoices in email](../understand/download-azure-invoice.md#get-your-billing-profiles-invoice-in-email).

-Microsoft partners who are Power Platform and Dynamics Customer Insights service providers can associate their service to customers on Microsoft Power Apps, Power Automate, Power BI and Dynamics Customer Insights. You have access to your customer's environment when you, the Microsoft partner, manage, configure, and support Power Platform and Customer Insights resources for your customer. You can use your Azure credentials and a Partner Admin Link (PAL) to associate your partner network ID with the account credentials used for service delivery.

-The PAL allows Microsoft to identify and recognize partners that have Power Platform and Customer Insights customers. Microsoft attributes usage to a partner's organization based on the account's permissions (user role) and scope (tenant, resource, and so on). This attribution can be used for Advanced Specializations, such as the [Microsoft Low Code Advanced Specializations](https://partner.microsoft.com/membership/advanced-specialization#tab-content-2), and [Partner Incentives](https://partner.microsoft.com/asset/collection/microsoft-commerce-incentive-resources#/).

-The following sections explain in more detail how to

-The final step typically happens automatically, as the partner user is the one creating, editing, and updating the resource. It's a critical step to ensure partners receive proper credit for their work on Microsoft Power Apps, Power Automate, Power BI and Dynamics Customer Insights where relevant.

-## Get access from your customer

-When you have access to your customer's resources, use the Azure portal, PowerShell, or the Azure CLI to link your Microsoft Partner Network ID (MPN ID) to your user ID or service principal. Link the partner ID to each customer tenant.

-### Use the Azure portal to link to a new partner ID

-1. Go to [Link to a partner ID](https://portal.azure.com/#blade/Microsoft_Azure_Billing/managementpartnerblade) in the Azure portal.

-1. Enter the [Microsoft Partner Network](https://partner.microsoft.com/) ID for your organization. Be sure to use the **Associated MPN ID** shown on your partner center profile. It's typically known as your [Partner Location Account MPN ID](/partner-center/account-structure).

-1. To link your partner ID to another customer, switch the directory. Under **Switch directory**, select the appropriate directory.

- :::image type="content" source="./media/link-partner-id-power-apps-accounts/switch-directory.png" alt-text="Screenshot showing the Directory + subscription window where can you switch your directory." lightbox="./media/link-partner-id-power-apps-accounts/switch-directory.png" :::

-## Attribute your access account to the product resource

-The partner user/guest account that you received from your customer and was linked through the Partner Admin Link (PAL) needs to be attributed to the *resource* for Power Platform or Dynamics Customer Insights to count the usage of that specific resource. The user/guest account doesn't need to be associated with a specific Azure subscription for Power Apps, Power Automate, Power BI or D365 Customer Insights. In many cases, it happens automatically, as the partner user is the one creating, editing, and updating the resource. Besides the logic below, the specific programs the PAL link is used for (such as the [Microsoft Low Code Advanced Specializations](https://partner.microsoft.com/membership/advanced-specialization#tab-content-2) or Partner Incentives) may have other requirements such as the resource needing to be in production and associated with paid usage.

-| Product | Primary Metric | Resource | Attributed User Logic |

-|-||-||

-| Power Apps | Monthly Active Users (MAU) | Application |The user must be an owner/co-owner of the application. For more information, see [Share a canvas app with your organization](/powerapps/maker/canvas-apps/share-app). In cases of multiple partners being mapped to a single application, the user's activity is reviewed to select the 'latest' partner. |

-| Power Automate | Monthly Active Users (MAU) | Flow | The user must be the creator of the flow. There can only be one creator so there's no logic for multiple partners. |

-| Power BI | Monthly Active Users (MAU) | Dataset | The user must be the publisher of the dataset. For more information, see [Publish datasets and reports from Power BI Desktop](/power-bi/create-reports/desktop-upload-desktop-files). In cases of multiple partners being mapped to a single dataset, the user's activity is reviewed to select the 'latest' partner. |

-| Customer Insights | Unified Profiles | Instance | Any active user of an Instance is treated as the attributed user. In cases of multiple partners being mapped to a single Instance, the user's activity is reviewed to select the 'latest' partner |

-1. Start on a subscription scope.

-The following data sources and services have native private endpoint support. They can be connected through private link from a Data Factory managed virtual network:

-You can access all data sources that are supported by Data Factory through a public network.

-

-* Canada Central

-

-Dedicated HSM is not freely available for use as it is delivering hardware resources in the cloud and hence is a precious resource that needs protecting. We therefore use a allowlisting process via email using `HSMrequest@microsoft.com`.

-The Azure resource for an HSM cannot be deleted unless the HSM is in a "zeroized" state. Hence, all key material must have been deleted prior to trying to delete it as a resource. The quickest way to zeroize is to get the HSM admin password wrong 3 times (note: this refers to the HSM admin and not appliance level admin). The Luna shell does have a `hsm -factoryreset` command that zeroizes but it can only be executed via console on the serial port and customers do not have access to this.

-If you would like to learn more about Defender for Cloud from a cybersecurity expert, check out [Lessons Learned from the Field](episode-six.md).

-Learn more from the product manager about [Microsoft Defender for Containers in a multicloud environment](episode-nine.md).

-You can also learn how to [Protect Containers in GCP with Defender for Containers](episode-ten.md).

-You can also check out the following blogs:

-If you would like to learn more from the product manager about Microsoft Defender for Containers, check out [Microsoft Defender for Containers](episode-three.md).

-You can also check out the following blogs:

-If you would like to learn more from the product manager about Defender for Servers, check out [Microsoft Defender for Servers](episode-five.md). You can also learn about the [Enhanced workload protection features in Defender for Servers](episode-twelve.md).

-You can also check out the following blogs:

-Defender for Storage doesn't access the Storage account data and has no impact on its performance.

-If you would like to learn more from the product manager about security posture, check out [Microsoft Defender for Servers](episode-five.md).

-You can also check out the following blogs:

-> [New AWS Connector in Microsoft Defender for Cloud](episode-one.md)

-If you would like to learn more from the product manager about Microsoft Defender for Cloud's [integration with Azure Purview](episode-two.md).

-You can also check out the following blog:

-If you would like to learn more from the product manager about Microsoft Defender for Cloud's new AWS connector check out [Microsoft Defender for Cloud in the Field](episode-one.md).

-You can also check out the following blogs:

-If you would like to learn more from the product manager about security posture, check out [Security posture management improvements](episode-four.md).

-You can also check out the following blogs:

-The security agent reads the configuration file once when the agent starts running. Configurations found in the local configuration file contain both authentication configuration and other agent related configurations.

-| agentId | GUID | Agent unique identifier |

-| readRemoteConfigurationTimeout | TimeSpan | Time period for fetching remote configuration from IoT Hub. If the agent can't fetch the configuration within the specified time, the operation will time out.|

-| schedulerInterval | TimeSpan | Internal scheduler interval. |

-| producerInterval | TimeSpan | Event producer worker interval. |

-| consumerInterval | TimeSpan | Event consumer worker interval. |

-| highPriorityQueueSizePercentage | 0 < number < 1 | The portion of total cache dedicated for high priority messages. |

-| logLevel | "Off", "Fatal", "Error", "Warning", "Information", "Debug" | Log messages equal and above this severity are logged to debug console (Syslog in Linux). |

-| fileLogLevel | "Off", "Fatal", "Error", "Warning", "Information", "Debug"| Log messages equal and above this severity are logged to file (Syslog in Linux). |

-| diagnosticVerbosityLevel | "None", "Some", "All", | Verbosity level of diagnostic events. None - diagnostic events are not sent. Some - Only diagnostic events with high importance are sent. All - all logs are also sent as diagnostic events. |

-| logFilePath | Path to file | If fileLogLevel > Off, logs are written to this file. |

-| defaultEventPriority | "High", "Low", "Off" | Default event priority. |

-| moduleName | string | Name of the Defender-IoT-micro-agent identity. This name must correspond to the module identity name in the device. |

-| deviceId | string | ID of the device (as registered in Azure IoT Hub). |

-| schedulerInterval | TimeSpan string | Internal scheduler interval. |

-| gatewayHostname | string | Host name of the Azure Iot Hub. Usually \<my-hub\>.azure-devices.net |

-| filePath | string - path to file | Path to the file that contains the authentication secret.|

-| type | "SymmetricKey", "SelfSignedCertificate" | The user secret for authentication. Choose *SymmetricKey* if the user secret is a Symmetric key, choose *self-signed certificate* if the secret is a self-signed certificate. |

-| identity | "DPS", "Module", "Device" | Authentication identity - DPS if authentication is made through DPS, Module if authentication is made using module credentials, or device if authentication is made using device credentials.

-| certificateLocationKind | "LocalFile", "Store" | LocalFile if the certificate is stored in a file, store if the certificate is located in a certificate store. |

-| idScope | string | ID scope of DPS |

-| registrationId | string | DPS device registration ID. |

-|

-| transportType | "Ampq" "Mqtt" | IoT Hub transport type. |

-|

-## General

-## Collection

-> * Investigate using kql queries

-See the sample kql queries below to get started with investigating alerts and activities on your device.

-You can find out if other alerts were triggered around the same time through the following kql query:

-To find out which users have access to this device use the following kql query:

-To find out which ports in the device are currently in use or were used, use the following kql query:

-To find users that logged into the device use the following kql query:

-To find out if the process list is as expected, use the following kql query:

-## Prerequisites

-## Prepare

-## Move

-## Verify

-This glossary provides a brief description of important terms and concepts for the Microsoft Defender for IoT platform. Select the **Learn more** links to go to related terms in the glossary. This will help you more quickly learn and use product tools.

-## A

-## B

-## C

-## D

-| **Device twins** | Device twins are JSON documents that store device state information including metadata, configurations, and conditions. | [Module Twin](#m) <br /> <br />[Defender-IoT-micro-agent twin](#s) |

-## E

-## F

-## G

-## H

-## L

-## N

-## O

-## P

-## R

-## S

-## Z

-## Clean up resources

-There are no resources to clean up.

-## Clean up resources

-There are no resources to clean up.

-> Learn how to [integrate Microsoft Sentinel and Microsoft Defender for IoT](../../sentinel/iot-solution.md?bc=%2fazure%2fdefender-for-iot%2fbreadcrumb%2ftoc.json&tabs=use-out-of-the-box-analytics-rules-recommended&toc=%2fazure%2fdefender-for-iot%2forganizations%2ftoc.json)

-description: Learn about the Dell PowerEdge R340 XL appliance in its legacy configuration when used for OT monitoring with Microsoft Defender for IoT in enterprise deployments.

-Legacy appliances are certified but aren't currently offered as pre-configured appliances.

-The Dell appliance is managed by an integrated iDRAC with Lifecycle Controller (LC). The LC is embedded in every Dell PowerEdge server and provides functionality that helps you deploy, update, monitor, and maintain your Dell PowerEdge appliances.

-Configure the appliance BIOS only if you didn't purchase your appliance from Arrow, or if you have an appliance, but don't have access to the XML configuration file.

- - If the appliance isn't a Defender for IoT appliance, open a browser and go to the IP address that was configured before. Sign in with the Dell default administrator privileges. Use **root** for the username and **calvin** for the password.

-The installation process takes about 20 minutes. After the installation, the system is restarted several times.

-Legacy appliances are certified but aren't currently offered as pre-configured appliances.

-|Chassis |1U rack server |

-|Dimensions |Four 3.5" chassis: 4.29 x 43.46 x 70.7 cm / 1.69 x 17.11 x 27.83 in |

-|Weight | Max 16.72 kg / 35.86 lb |

-|Chassis |1U rack server|

-|Dimensions| 42.9 x 43.46 x 70.7 cm / 1.69" x 17.11" x 27.83" in|

-|Weight| Max 16.27 kg / 35.86 lb |

-|Processor | 2x Intel Xeon Silver 4215 R 3.2 GHz 11M cache 8c/16T 130 W|

-|Chipset | Intel C621|

-|Memory | 32 GB = Two 16-GB 2666MT/s DDR4 ECC UDIMM|

-|Storage| Six 1.2-TB SAS 12G Enterprise 10K SFF (2.5 in) in hot-plug hard drive - RAID 5|

-|Network controller| On-board: Two 1 Gb <br> On-board: iLO Port Card 1 Gb <br>External: One HPE Ethernet 1-Gb 4-port 366FLR adapter|

-|Management |HPE iLO Advanced |

-|Device access | Two rear USB 3.0 |

-|One front | USB 2.0 |

-|One internal |USB 3.0 |

-|Power |Two HPE 500-W flex slot platinum hot plug low halogen power supply kit

-|Rack support | HPE 1U Gen10 SFF easy install rail kit |

-|P19766-B21 | HPE DL360 Gen10 8SFF NC CTO Server |1|

-|P19766-B21 | Europe - Multilingual Localization |1|

-|P24479-L21 | Intel Xeon-S 4215 R FIO Kit for DL360 G10 |1|

-|P24479-B21 | Intel Xeon-S 4215 R Kit for DL360 Gen10 |1|

-|P00922-B21 | HPE 16-GB 2Rx8 PC4-2933Y-R Smart Kit |2|

-|872479-B21 | HPE 1.2-TB SAS 10K SFF SC DS HDD |6|

-|811546-B21 | HPE 1-GbE 4-p BASE-T I350 Adapter |1|

-|P02377-B21 | HPE Smart Hybrid Capacitor w_ 145 mm Cable |1|

-|804331-B21 | HPE Smart Array P408i-a SR Gen10 Controller |1|

-|665240-B21 | HPE 1-GbE 4-p FLR-T I350 Adapter |1|

-|871244-B21 | HPE DL360 Gen10 High Performance Fan Kit |1|

-|865408-B21 | HPE 500-W FS Plat Hot Plug LH Power Supply Kit |2|

-|512485-B21 | HPE iLO Adv 1-Server License 1 Year Support |1|

-|874543-B21 | HPE 1U Gen10 SFF Easy Install Rail Kit |1|

-| PCI Slot 1 (Low profile)| Quad Port Ethernet NIC| 811546-B21 - HPE 1 GbE 4p BASE-T I350 Adapter SI |

-| PCI Slot 1 (Low profile) | DP F/O NIC|727054-B21 - HPE 10 GbE 2p FLR-SFP+ X710 Adapter|

-| PCI Slot 2 (High profile)| Quad Port Ethernet NIC|811546-B21 - HPE 1 GbE 4p BASE-T I350 Adapter SI|

-| PCI Slot 2 (High profile)|DP F/O NIC| 727054-B21 - HPE 10 GbE 2p FLR-SFP+ X710 Adapter|

-| PCI Slot 2 (High profile)|Quad Port F/O NIC| 869585-B21 - HPE 10 GbE 4p SFP+ X710 Adapter SI|

-| SFPs for Fiber Optic NICs|MultiMode, Short Range|455883-B21 - HPE BLc 10G SFP+ SR Transceiver|

-| SFPs for Fiber Optic NICs|SingleMode, Long Range | 455886-B21 - HPE BLc 10G SFP+ LR Transceiver|

-This section describes how to install OT sensor software on the HPE ProLiant DL360 appliance, and includes adjusting the appliance's BIOS configuration.

-|Construction|Aluminum, fanless and dust-proof design|

-|Dimensions|240 mm (W) x 225 mm (D) x 77 mm (H)|

-|Weight|3.1 kg (including CPU, memory, and HDD)|

-|CPU|Intel Core i5-6500TE (6M Cache, up to 3.30 GHz) S1151|

-|Chipset|Intel® Q170 Platform Controller Hub|

-|Memory|8 GB DDR4 2133 MHz Wide Temperature SODIMM|

-|Storage|128 GB 3ME3 Wide Temperature mSATA SSD|

-|Network controller|Six-Gigabit Ethernet ports by Intel® I219|

-|Device access|Four USBs: Two in front, two in the rear, and 1 internal|

-|Power Adapter|120/240VAC-20VDC/6A|

-|Mounting|Mounting kit, Din Rail|

-|Operating Temperature|-25┬░C - 70┬░C|

-|Storage Temperature|-40┬░C ~ 85┬░C|

-|Humidity|10%~90%, non-condensing|

-|Vibration|Operating, 5 Grms, 5-500 Hz, three Axes <br>(w/ SSD, according to IEC60068-2-64)|

-|Shock|Operating, 50 Grms, Half-sine 11 ms Duration <br>(w/ SSD, according to IEC60068-2-27)|

-|EMC|CE/FCC Class A, according to EN 55022, EN 55024 & EN 55032|

-This section describes how to install OT sensor software on the Nuvo 5006LP appliance. Before you install the OT sensor software, you must adjust the appliance's BIOS configuration.

-Before you start installing OT sensor software, or updating the BIOS configuration, make sure that the operating system is installed on the appliance.

-After approximately 10 minutes, sign-in credentials are automatically generated. Save the username and passwords, you'll need these credentials to access the platform the first time you use it.

-*Promiscuous mode* is a mode of operation and a security, monitoring, and administration technique that is defined at the virtual switch or portgroup level. When promiscuous mode is used, any of the virtual machineΓÇÖs network interfaces that are in the same portgroup can view all network traffic that goes through that virtual switch. By default, promiscuous mode is turned off.

- | VK-C1000V-LongRunning-650 | CPPM VA name |

- |vSwitch_Span |Newly added SPAN virtual switch name |

- |Monitor |Newly added adapter name |

-| vSwitch_Span | Newly added SPAN virtual switch name. |

-| MonitorMode=2 | Source |

-| MonitorMode=1 | Destination |

-| MonitorMode=0 | None |

-| vSwitch_Span | Newly added SPAN virtual switch name |

-This article describes how to accelerate alert workflows by using alert comments, alert groups, and custom alert rules for standard protocols and proprietary protocols in Microsoft Defender for IoT. These tools help you

-Work with alert comments to improve communication between individuals and teams during the investigation of an alert event.

-The list of available options appears in each alert. Users can select one or several messages.

-Alert groups let SOC teams view and filter alerts in their SIEM solutions and then manage these alerts based on enterprise security policies and business priorities. For example, alerts about new detections are organized in a discovery group. This group includes alerts that deal with the detection of new devices, new VLANs, new user accounts, new MAC addresses, and more.

-Add custom alert rule to pinpoint specific activity as needed for your organization such as for specific protocols, source or destination addresses, or a combination of parameters.

-For example, you might want to define an alert for an environment running MODBUS to detect any write commands to a memory register, on a specific IP address and ethernet destination. Another example would be an alert for any access to a specific IP address.

-The device inventory displays an extensive range of device attributes that your sensor detects. Use the inventory to gain insight and full visibility into the devices on your network.

-This section describes device details available from the inventory and describes how to work with inventory filters and view contextual information about each device.

-| **Discovered** | When this device was first seen in the network. |

-| **Is Authorized** | The authorization status defined by the user:<br />- **True**: The device has been authorized.<br />- **False**: The device hasn't been |

-1. Navigate to additional information such as firmware details, and view contextual information such alerts related to the device, or a timeline of events associated with the device.

-In addition to learning OT devices, you can discover Microsoft Windows workstations, and servers. These devices are also displayed in Device Inventory. After you learn devices, you can enrich the Device Inventory with detailed Windows information, such as:

-You can deploy the script once or schedule ongoing queries by using standard automated deployment methods and tools.

-Files generated from the queries can be placed in one folder that you can access from sensors. Use standard, automated methods and tools to move the files from each Windows endpoint to the location where you'll be importing them to the sensor.

-Devices you delete from the Inventory are removed from the map and won't be calculated when generating Defender for IoT reports, for example Data Mining, Risk Assessment, and Attack Vector reports.

-You'll be prompted to record a reason for deleting devices. This information, as well as the time/date and number of devices deleted, appears in the Event timeline.

-| **Site** | The site that contains this device. |

-Onboard a sensor by registering it with Microsoft Defender for IoT and downloading a sensor activation file.

-**Prerequisites**: Make sure that you've set up your sensor and configured your SPAN port or TAP. For more information, see [Defender for IoT installation](how-to-install-software.md).

-**To onboard your sensor to Defender for IoT**:

-1. In the Azure portal, navigate to **Defender for IoT** > **Getting started** and select **Set up OT/ICS Security**. Alternately, from the Defender for IoT **Sites and sensors** page, select **Onboard OT sensor**.

- 1. In the **Sensor name** field, enter a meaningful name for your sensor. We recommend including your sensor's IP address as part of the name, or using another easily identifiable name, that can help you keep track between the registration name in the Azure portal and the IP address of the sensor shown in the sensor console.

-A success message appears and your activation file is automatically downloaded, and your sensor is now shown under the configured site on the Defender for IoT **Sites and sensors** page.

-However, until you activate your sensor, the sensor's status will show as **Pending Activation**.

-If a sensor can't connect to the primary on-premises management console, it automatically connects to the secondary. Your system will be supported by both the primary and secondary simultaneously, if less than half of the sensors are communicating with the secondary. The secondary takes over when more than half of the sensors are communicating with it. Fail over from the primary to the secondary takes approximately three minutes. When the failover occurs, the primary on-premises management console freezes. When this happens, you can sign in to the secondary using the same sign-in credentials.

-During failover, sensors continue attempting to communicate with the primary appliance. When more than half the managed sensors succeed to communicate with the primary, the primary is restored. The following message appears on the secondary console when the primary is restored:

-Verify if your organizational security policy allows you to have access to the following services on the primary and secondary on-premises management console. These services also allow the connection between the sensors and secondary on-premises management console:

-To update an on-premises management console that has high availability configured, you will need to:

-| Inactive devices | Traffic was not detected on a device for more than 60 days. | **Delete** <br /> If this device is not part of your network, remove it. <br /><br />**Dismiss** <br /> Remove the notification if the device is part of your network. If the device is inactive (for example, because it's mistakenly disconnected from the network), dismiss the notification and reconnect the device. |

-| New OT devices | A subnet includes an OT device that's not defined in an ICS subnet. <br /><br /> Each subnet that contains at least one OT device can be defined as an ICS subnet. This helps differentiate between OT and IT devices on the map. | **Set as ICS Subnet** <br /> <br /> **Dismiss** <br />Remove the notification if the device is not part of the subnet. |

-When you search by IP or MAC address, the map displays the device that you searched for with devices connected to it.

-| **Device inventory filters** | Devices grouped according to the filters save in the Device Inventory table. |

-| **Polling intervals** | Devices grouped by polling intervals. The polling intervals are generated automatically according to cyclic channels, or periods. For example, 15.0 seconds, 3.0 seconds, 1.5 seconds, or any interval. Reviewing this information helps you learn if systems are polling too quickly or slowly. |

-| **Last seen** | Devices grouped by the time frame they were last seen, for example: One hour, six hours, one day, seven days. |

-|:::image type="icon" source="media/how-to-work-with-maps/layouts-icon-v2.png" border="false"::: | Layout options, including: <br />**Pin layout**. Drag devices in the map to a new location and use the Pin option to save those locations when you leave the map to use another option. <br />**Layout by connection**. View connections between devices. <br />**Layout by Purdue**. View the devices in the map according to Enterprise, supervisory and process control layers. <br /> |

-Working with map views help expedite forensics when analyzing large networks.

-By default, IT devices are automatically aggregated by subnet, so that the map view is focused on OT and ICS networks. The presentation of the IT network elements is collapsed to a minimum, which reduces the total number of the devices presented on the map and provides a clear picture of the OT and ICS network elements.

-Each subnet is presented as a single entity on the Device map. Options are available to expand subnets to see details; and collapse subnets or hide them.

-| Name | The device name. <br /> By default, the sensor discovers the device name as it defined in the network. For example, a name defined in the DNS server. <br /> If no such names were defined, the device IP address appears in this field. <br /> You can change a device name manually. Give your devices meaningful names that reflect their functionality. |

-| Type | The device type detected by the sensor. |

-| Attributes | Additional information was discovered on the device. For example, view the PLC Run and Key state, the secure status of the PLC, or information on when the state changed. <br /> The information is read only and cannot be updated from the Attributes section. |

-Under certain circumstances, you may need to merge devices. This may be required if the sensor discovered separate network entities that are associated with one unique device. For example,

-You can mark significant network devices as important, for example business critical servers. These devices are marked with a star on the map. The star varies according to the map's zoom level.

-1. Enter a name for the sensor.

- :::image type="content" source="media/tutorial-get-started-eiot/onboard-sensor-screen.png" alt-text="Enter the following information into the onboarding screen.":::

-1. Select a subscription from the drop-down menu.

-1. Enter a meaningful site name that will assist you in locating where the sensor is located.

-1. Enter a display name.

-1. Enter a zone name. If no name is entered, the name `default` will be applied.

-1. Select **Set up**.

-1. Save the command provided to you.

- :::image type="content" source="media/tutorial-get-started-eiot/successful-registration.png" alt-text="Screenshot of the successful registration of an Enterprise IoT sensor.":::

-The device inventory is where you'll be able to view all of your device systems, and network information. Learn more about the device inventory see [Manage your IoT devices with the device inventory for organizations](how-to-manage-device-inventory-for-organizations.md#manage-your-iot-devices-with-the-device-inventory-for-organizations).

-> If you are already working with a Defender for IoT and ServiceNow integration, and upgrade using the on-premises management console, pervious data received from Defender for IoT sensors should be cleared from ServiceNow.

-* **A local variable _DigitalTwinsClient_.** Add the variable inside your function to hold your Azure Digital Twins client instance. *Don't* make this variable static inside your class.

->[!NOTE]

->If you're using anything other than Cloud Shell in the Bash environment, you may need to escape certain characters in the inline JSON so that it's parsed correctly.

->

->For more information, see [Use special characters in different shells](concepts-cli.md#use-special-characters-in-different-shells).

-## Create a function

-1. First, create a new function app project in Visual Studio. For instructions on how to do so, see [Develop Azure Functions using Visual Studio](../azure-functions/functions-develop-vs.md#create-an-azure-functions-project).

-To access Azure Digital Twins, your function app needs a system-managed identity with permissions to access your Azure Digital Twins instance. You'll set that up next.

-Next, assign an access role for the function and configure the application settings so that it can access your Azure Digital Twins instance.

-## Connect your function to IoT Hub

-In the [Azure portal](https://portal.azure.com/), navigate to your IoT Hub instance that you created in the [Prerequisites](#prerequisites) section. Under **Events**, create a subscription for your function.

-In the **Create Event Subscription** page, fill the fields as follows:

- 1. For **Name**, choose whatever name you want for the event subscription.

- 2. For **Event Schema**, choose **Event Grid Schema**.

- 3. For **System Topic Name**, choose whatever name you want.

- 1. For **Filter to Event Types**, choose the **Device Telemetry** checkbox and uncheck other event types.

- 1. For **Endpoint Type**, Select **Azure Function**.

- 1. For **Endpoint**, use the **Select an endpoint** link to choose what Azure Function to use for the endpoint.

-

-In the **Select Azure Function** page that opens up, verify or fill in the below details.

- 1. **Subscription**: Your Azure subscription.

- 2. **Resource group**: Your resource group.

- 3. **Function app**: Your function app name.

- 4. **Slot**: **Production**.

- 5. **Function**: Select the function from earlier, *IoTHubtoTwins*, from the dropdown.

-Save your details with the **Confirm Selection** button.

-

-Select the **Create** button to create the event subscription.

-## Send simulated IoT data

-To test your new ingress function, use the device simulator from [Connect an end-to-end solution](./tutorial-end-to-end.md). That tutorial is driven by this [Azure Digital Twins end-to-end sample project written in C#](/samples/azure-samples/digital-twins-samples/digital-twins-samples). You'll be using the *DeviceSimulator* project in that repository.

-In the end-to-end tutorial, complete the following steps:

-1. [Register the simulated device with IoT Hub](./tutorial-end-to-end.md#register-the-simulated-device-with-iot-hub)

-2. [Configure and run the simulation](./tutorial-end-to-end.md#configure-and-run-the-simulation)

-## Validate your results

-While running the device simulator above, the temperature value of your digital twin will be changing. In the Azure CLI, run the following command to see the temperature value. There's one placeholder for the instance's host name (you can also use the instance's friendly name with a slight decrease in performance).

-az dt twin query --query-command "select * from digitaltwins" --dt-name <instance-hostname-or-name>

-Your output should contain a temperature value like this:

-To see the value change, repeatedly run the query command above.

-#### Configure the function app

-#### Add application settings

-You'll also need to add some application settings to fully set up your environment and the Azure function. Go to the [Azure portal](https://portal.azure.com) and navigate to your newly created Azure function by searching for its name in the portal search bar.

-Select Configuration from the function's left navigation menu. Use the **+ New application setting** button to start creating new settings.

-There are three application settings you need to create:

-| Setting | Description | Required |

-| | | |

-| ADT_SERVICE_URL | URL for your Azure Digital Twins instance. Example: `https://example.api.eus.digitaltwins.azure.net` | Γ£ö |

-| JSON_MAPPINGFILE_URL | URL of the shared access signature for the opcua-mapping.json | Γ£ö |

-| LOG_LEVEL | Log level verbosity. Default is 100. Verbose is 300 | |

-> [!TIP]

-> Set the `LOG_LEVEL` application setting on the function to 300 for a more verbose logging experience.

-You've now published the functions to a function app in Azure.

-To do so, you'll create an *Event Subscription* on your IoT Hub, with the Azure function as an endpoint. This "subscribes" the function to events happening in IoT Hub.

-In the [Azure portal](https://portal.azure.com/), navigate to your newly created IoT hub by searching for its name in the top search bar. Select **Events** from the hub menu, and select **+ Event Subscription**.

-Selecting this option will bring up the **Create Event Subscription** page.

-Fill in the fields as follows (fields filled by default aren't mentioned):

-* **EVENT SUBSCRIPTION DETAILS** > **Name**: Give a name to your event subscription.

-* **TOPIC DETAILS** > **System Topic Name**: Give a name to use for the system topic.

-* **EVENT TYPES** > **Filter to Event Types**: Select **Device Telemetry** from the menu options.

-* **ENDPOINT DETAILS** > **Endpoint Type**: Select **Azure Function** from the menu options.

-* **ENDPOINT DETAILS** > **Endpoint**: Select the **Select an endpoint** link, which will open a **Select Azure Function** window:

- :::image type="content" source="media/tutorial-end-to-end/event-subscription-3.png" alt-text="Screenshot of the Azure portal event subscription showing the window to select an Azure function." border="false":::

- - Fill in your **Subscription**, **Resource group**, **Function app**, and **Function** (**ProcessHubToDTEvents**). Some of these values may auto-populate after selecting the subscription.

- - Select **Confirm Selection**.

-Back on the **Create Event Subscription** page, select **Create**.

-Once you've verified the live temperatures logging is working successfully, you can stop running both projects. Keep the Visual Studio windows open, as you'll continue using them in the rest of the tutorial.

-1. [Create an event grid topic](#create-the-event-grid-topic) to enable movement of data between Azure services

-1. [Create an endpoint](#create-the-endpoint) in Azure Digital Twins that connects the instance to the event grid topic

-1. [Set up an Azure function](#connect-the-azure-function) that listens on the event grid topic at the endpoint, receives the twin property change events that are sent there, and updates other twins in the graph accordingly

-Next, subscribe the *ProcessDTRoutedData* Azure function to the event grid topic you created earlier, so that telemetry data can flow from the thermostat67 twin through the event grid topic to the function, which goes back into Azure Digital Twins and updates the room21 twin accordingly.

-To do so, you'll create an Event Grid subscription that sends data from the event grid topic that you created earlier to your *ProcessDTRoutedData* Azure function.

-In the [Azure portal](https://portal.azure.com/), navigate to your event grid topic by searching for its name in the top search bar. Select **+ Event Subscription**.

-The steps to create this event subscription are similar to when you subscribed the first Azure function to IoT Hub earlier in this tutorial. This time, you don't need to specify **Device Telemetry** as the event type to listen for, and you'll connect to a different Azure function.

-On the **Create Event Subscription** page, fill in the fields as follows (fields filled by default aren't mentioned):

-* **EVENT SUBSCRIPTION DETAILS** > **Name**: Give a name to your event subscription.

-* **ENDPOINT DETAILS** > **Endpoint Type**: Select **Azure Function** from the menu options.

-* **ENDPOINT DETAILS** > **Endpoint**: Select the **Select an endpoint** link, which will open a **Select Azure Function** window:

- - Fill in your **Subscription**, **Resource group**, **Function app**, and **Function** (**ProcessDTRoutedData**). Some of these values may auto-populate after selecting the subscription.

- - Select **Confirm Selection**.

-Back on the **Create Event Subscription** page, select **Create**.

-Here's a review of the scenario that you built out in this tutorial.

-3. Property change events in Azure Digital Twins are routed to an event grid topic, where the *ProcessDTRoutedData* Azure function is listening for events. The *ProcessDTRoutedData* Azure function uses the information in these events to set the `Temperature` property on room21 (**arrow C** in the diagram).

-> [Custom models](concepts-models.md)

-Under this configuration, the traffic goes over the public IP/internet from Event Grid to Event Hubs, Service Bus, or Azure Storage, but the channel can be encrypted and a managed identity of Event Grid is used. If you configure your Azure Functions or webhook deployed to your virtual network to use an Event Hubs, Service Bus, or Azure Storage via private link, that section of the traffic will evidently stay within Azure.

-For more information about delivering events using a managed identity, see [Event delivery using a managed identity](managed-service-identity.md).

-description: This article explains transition from Event Grid on Azure IoT Edge to Azure IoT Edge Hub module in Azure IoT Edge runtime.

-# Transition from Event Grid on Azure IoT Edge to Azure IoT Edge native capabilities

-On March 31, 2023, Event Grid on Azure IoT Edge will be retired, so make sure to transition to IoT Edge native capabilities prior to that date.

-## Why are we retiring?

-There's one major reason for deciding to retire Event Grid on IoT Edge, which is currently in Preview, in March 2023: Event Grid has been evolving in the cloud native space to provide more robust capabilities not only in Azure but also in on-prem scenarios with [Kubernetes with Azure Arc](../kubernetes/overview.md).

-| Event Grid on Azure IoT Edge | Azure IoT Edge Hub |

-| - Publishing and subscribing to events locally/cloud<br/>- Forwarding events to Event Grid<br/>- Forwarding events to IoT Hub<br/>- React to Blob Storage events locally | - Connectivity to Azure IoT Hub<br/>- Route messages between modules or devices locally<br/>- Offline support<br/>- Message filtering |

-## How to transition to Azure IoT Edge features

-To transition to use the Azure IoT Edge features, follow these steps.

-1. Learn about the feature differences between [Event Grid on Azure IoT Edge](overview.md#when-to-use-event-grid-on-iot-edge) and [Azure IoT Edge](../../iot-edge/how-to-publish-subscribe.md).

-2. Identify your scenario based on the feature table in the next section.

-## Event Grid on Azure IoT Edge vs. Azure IoT Edge

-| Event Grid on Azure IoT Edge | Azure IoT Edge |

-| Publish, subscribe and forward events locally or cloud | Use the message routing feature in IoT Edge Hub to facilitate local and cloud communication. It enables device-to-module, module-to-module, and device-to-device communications by brokering messages to keep devices and modules independent from each other. To learn more, see [using routing for IoT Edge hub](../../iot-edge/iot-edge-runtime.md#using-routing). </br> </br> If you're subscribing to IoT Hub, itΓÇÖs possible to create an event to publish to Event Grid if you need. For details, see [Azure IoT Hub and Event Grid](../../iot-hub/iot-hub-event-grid.md). |

-| Forward events to IoT Hub | Use IoT Edge Hub to optimize connections to send messages to the cloud with offline support. For details, see [IoT Edge Hub cloud communication](../../iot-edge/iot-edge-runtime.md#using-routing). |

-| React to Blob Storage events on IoT Edge (Preview) | You can use Azure Function Apps to react to blob storage events on cloud when a blob is created or updated. For more information, see [Azure Blob storage trigger for Azure Functions](../../azure-functions/functions-bindings-storage-blob-trigger.md) and [Tutorial: Deploy Azure Functions as modules - Azure IoT Edge](../../iot-edge/tutorial-deploy-function.md). Blob triggers in IoT Edge blob storage module aren't supported. |

-# Azure API Management as an Event Grid source (Preview)

-Runtime audit logs capture aggregated diagnostic information for all data plane access operations (such as send or receive events) in the Event Hubs dedicated cluster.

-> Runtime audit logs are currently available only in **premium** and **dedicated** tiers.

-> Application metrics logs are currently available only in **premium** and **dedicated** tiers.

-## Analyzing metrics

-### Filtering and splitting

-## Analyzing logs

-

-When you create a virtual network gateway, you need to specify several settings. One of the required settings, '-GatewayType', specifies whether the gateway is used for ExpressRoute, or VPN traffic. The two gateway types are:

-Each virtual network can have only one virtual network gateway per gateway type. For example, you can have one virtual network gateway that uses -GatewayType Vpn, and one that uses -GatewayType ExpressRoute.

-If you want to upgrade your gateway to a more powerful gateway SKU, you can use the 'Resize-AzVirtualNetworkGateway' PowerShell cmdlet or perform the upgrade directly in the ExpressRoute virtual network gateway configuration blade in the Azure portal. The following upgrades are supported:

-BFD is configured by default under all the newly created ExpressRoute private peering interfaces on the MSEEs. As such, to enable BFD, you only need to configure BFD on both your primary and secondary devices. Configuring BFD is two-step process. You configure the BFD on the interface and then link it to the BGP session.

->To enable BFD under an already existing private peering; you need to reset the peering. See [Reset ExpressRoute peerings][ResetPeering]

-| **[Zayo](https://www.zayo.com/solutions/industries/cloud-connectivity/microsoft-expressroute)** |Supported |Supported | Amsterdam, Chicago, Dallas, Denver, Dublin, Hong Kong, London, London2, Los Angeles, Montreal, New York, Paris, Phoenix, San Antonio, Seattle, Silicon Valley, Toronto, Vancouver, Washington DC, Washington DC2, Zurich|

-## <a name = "anycast"></a>Select the Front Door edge location for the request (Anycast)

-Traffic routed to the Azure Front Door edge locations uses [Anycast](https://en.wikipedia.org/wiki/Anycast) for both DNS (Domain Name System) and HTTP (Hypertext Transfer Protocol) traffic. Anycast allows for user requests to reach the closest edge location in the fewest network hops. This architecture offers better round-trip times for end users by maximizing the benefits of [Split TCP](#splittcp).

-## <a name = "splittcp"></a>Connect to the Front Door edge location (Split TCP)

- Search-AzGraph -Query 'Resources | project name, type | order by name asc | limit 5'

-When the final query is run several times, assuming that nothing in your environment is changing,

-At this time, Azure Health Data Services is available for you to use at no charge.

-When happy with the results, you can [share the workbook](../azure-monitor/visualize/workbooks-access-control.md) with your team or [deploy them programmatically](../azure-monitor/visualize/workbooks-automate.md) as part of your organization's resource deployments.

-Save your changes as a new workbook. You can [share](../azure-monitor/visualize/workbooks-access-control.md) the saved workbook with your team or [deploy them programmatically](../azure-monitor/visualize/workbooks-automate.md) as part of your organization's resource deployments.

-# Device Update APT Manifest

-The APT Manifest is a JSON file that describes an update details required by APT Update Handler. This file can be imported into Device Update for IoT Hub just like any other update.

-[Learn More](import-update.md) about importing updates into Device Update.

-When an APT manifest is delivered to an Device Update Agent as an update, the agent will process the manifest and carry out the necessary operations. These operations include downloading and installing the packages specified in the APT Manifest file and their dependencies from a designated repository.

-Device Update supports APT UpdateType and APT Update Handler. This support allows the Device Update Agent to evaluate the installed Debian packages and update the necessary packages.

-An APT Manifest file is a JSON file with a versioned schema.

-Example:

-### name

-The name for this APT Manifest. This can be whatever name or ID is meaningful for your

-scenarios. For example, `contoso-iot-edge`.

-### version

-A version number for this APT Manifest. For example, `1.0.0.0`.

-### packages

-A list of objects containing package-specific properties.

-#### name

-The name or ID of the package. For example, `iotedge`.

-#### version

-The desired version criteria for the package. For example, `1.0.8-2`.

-Currently only exact version number is supported. The version number is the desired Debian package

-version in format [epoch:]upstream_version[-debian_revision].

-**epoch** is an unsigned int.

-**upstream_version** can include alphanumerics and characters such as ".","+","-" and "~". It should start with a digit.

-For example, **`"name":"iotedge" and "version":"1.0.8-2"`** is equivalent to installing a package using command `apt-get install iotedge=1.0.8-2`

-> [!NOTE]

-> Version value doesn't contain an equal sign

-If version is omitted, the latest available version of specified package will be installed.

-[Learn More](https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-version) about how Debian packages are versioned.

-> APT package manager ignores versioning requirements given by a package when the dependent packages to install are being automatically resolved. Unless explicit versions of dependent packages are given they will use the latest, even though the package itself may specify a strict requirement (=) on a given

-version. This automatic resolution can lead to errors regarding an unmet dependency. [Learn More](https://unix.stackexchange.com/questions/350192/apt-get-not-properly-resolving-a-dependency-on-a-fixed-version-in-a-debian-ubunt)

-If you're updating a specific version of the Azure IoT Edge security daemon, then you should include the desired version of the `aziot-edge` package and its dependent `aziot-identity-service` package in your APT manifest.

-[Learn More](../iot-edge/how-to-update-iot-edge.md#update-the-security-subsystem)

-> [!NOTE]

-> An apt manifest can be used to update Device Update agent and its dependencies. List the device update agent name and desired version in the apt manifest, like you would for any other package. This apt manifest can then be imported and deployed through the Device Update for IoT Hub pipeline.

-You can also use an apt manifest to remove installed packages from your device. A single apt manifest can be used to remove, add and update multiple packages.

-To remove a package, add a minus sign "-" after the package name. You shouldn't include a version number for the packages you are removing.

-Removing packages through an apt manifest doesn't remove its dependencies and configurations.

-Example:

-This apt manifest will remove the package "foo" from the device(s) it is deployed to.

-## Recommended value for installed Criteria

-The Installed Criteria for an APT Manifest is `<name>-<version>` where `<name>` is the name of the APT Manifest and `<version>` is the version of the APT Manifest. For example, `contoso-iot-edge-1.0.0.0`.

-## Guidelines on creating an APT Manifest

-While creating the APT Manifest, there are some guidelines to keep in mind:

-**Base APT manifest**

-**BAD UPDATE**

-**GOOD UPDATE**

-> [!div class="nextstepaction"]

-> [Import new update](import-update.md)

-# Device Update Compliance

-In Device Update for IoT Hub, compliance measures how many devices have installed the highest version compatible update. A device

-is compliant if it has installed the highest version available update that is compatible for it.

-|Update Name|Update Version|Compatible Device Model|

-|--|--|--|

-|Update1 |1.0 |Model1|

-|Update2 |1.0 |Model2|

-|Update3 |2.0 |Model1|

-|Deployment Name |Update Name |Targeted Group|

-|--|--|-|

-|Deployment1 |Update1 |Group1|

-|Deployment2 |Update2 |Group2|

-|Deployment3 |Update3 |Group3|

-|DeviceId |Device Model |Installed Update Version|Group |Compliance|

-|--|--|--|--||

-|Device1 |Model1 |1.0 |Group1 |New updates available</span>|

-|Device2 |Model1 |2.0 |Group3 |On latest update|

-|Device3 |Model2 |1.0 |Group2 |On latest update|

-|Device4 |Model1 |1.0 |Group3 |Update in progress|

-Device1 and Device4 aren't compliant because they have version 1.0 installed even

-though thereΓÇÖs a higher version update, Update3, compatible for their model in the Device Update instance. Device2 and

-Device3 are both compliant because they have the highest version updates compatible for their models installed.

-Compliance doesn't consider whether an update is deployed to a deviceΓÇÖs group or not; it looks at any updates

-published to Device Update. So in the example above, even though Device1 has installed the update deployed to it, it's considered non-compliant. Device1 will continue being considered non-compliant till it successfully installs Update3. The compliance status can help you identify whether new deployments are needed.

-* **On latest update** ΓÇô the device has installed the highest version compatible update published to Device Update.

-* **Update in progress** ΓÇô an active deployment is in the process of delivering the highest version compatible update to the device.

-* **New updates available** ΓÇô a device hasn't yet installed the highest version compatible update and isn't in an active deployment for that update.

-# Azure Role-based access control (RBAC) and Device Update

-| Device Update Administrator | Has access to all device update resources |

-### Create client Azure AD App

-To integrate an application or service with Azure AD, [first register](../active-directory/develop/quickstart-register-app.md) a client application with Azure AD. Client application setup will vary depending on the authorization flow you'll need (users, applications or managed identities). For example, to call Device Update from:

-* Mobile or desktop application, add `Mobile and desktop applications` platform with https://login.microsoftonline.com/common/oauth2/nativeclient for the Redirect URI.

-* Website with implicit sign-on, add `Web` platform and select `Access tokens (used for implicit flows)`.

-1. Go to `API permissions` page of your app and click `Add a permission`.

-2. Go to `APIs my organization uses` and search for `Azure Device Update`.

-3. Select `user_impersonation` permission and click `Add permissions`.

-### Requesting authorization token

-Device Update REST API requires OAuth 2.0 authorization token in the request header. Following are some examples of various ways to request an authorization token.

-## Next Steps

-* Create device update resources and configure access control roles](./create-device-update-account.md)

-Deployments in Device Update for IoT Hub are dynamic in nature. Dynamic deployments empower users to move towards a set-and-forget management model by automatically deploying

-updates to newly provisioned, applicable devices. Any devices that are provisioned or change their group membership after a deployment is initiated, will automatically receive

-the update deployment as long as the deployment remains active without any other action on part of the user.

-## Deployment life cycle

-Due to their dynamic nature, deployments remain active and in-progress until they are explicitly canceled. A deployment is considered Inactive and Superseded if a new deployment

-is created targeting the same device group. A deployment can be retried for devices that might fail. Once a deployment is canceled, it cannot be reactivated again.

-You may choose to create multiple device groups to organize your devices. For example, Contoso might use the "Flighting" device group for the devices in its test laboratory and

-the "Evaluation" device group for the devices that its field team uses in the operations center. Further, Contoso might choose to group their Production devices based on

-their geographic regions, so that they can update devices on a schedule that aligns with their regional timezones.

-## Using device or module twin tag for device group creation

-```markdown

-Any device that has the Device Update agent installed and provisioned, but does not have a ADUGroup tag added to its device or module twin will be added to a default group. Default groups or system-assigned groups help reduce the overhead of tagging and grouping devices, so customers can easily deploy updates to them. Default groups cannot be deleted or re-created by customers. Customers cannot change the definition or add/remove devices from a default group manually. Devices with the same device class are grouped together in a default group. Default group names are reserved within an IOT solution. Default groups will be named in the format ΓÇ£Default-(deviceClassID)ΓÇ¥. All deployment features that are available for user-defined groups are also available for default, system-assigned groups.

-```markdown

-```markdown

-```markdown

-```markdown

-|Device |Group |

-|--|--|

-|Device1 |Group1|

-|Device2 |Group1|

-|Device3 |Group2|

-|Device4 |DefaultGroup1-(deviceClassId)|

-A corresponding invalid group is created for every user-defined group. A device is added to the invalid group if it doesn't meet the compatibility requirements of the user-defined group. This can be resolved by either re-tagging and regrouping the device under a new group, or modifying it's compatibility properties through the agent configuration file.

-An invalid group only exists for diagnostic purposes. Updates cannot be deployed to invalid groups

-[Create device group](./create-update-group.md)

-Device Update for IoT Hub uses [IoT Plug and Play](../iot-develop/index.yml) to discover and manage devices that are over-the-air update capable. The Device Update service sends and receives properties and messages to and from devices using IoT Plug and Play interfaces. Device Update for IoT Hub requires IoT devices to implement the following interfaces and model id.

-Concepts:

-* Understand the [IoT Plug and Play device client](../iot-develop/concepts-developer-guide-device.md?pivots=programming-language-csharp).

-## Device Update Core Interface

-The 'DeviceUpdateCore' interface is used to send update actions and metadata to devices and receive update status from devices. The 'DeviceUpdateCore' interface is split into two Object properties.

-The expected component name in your model is **"deviceUpdate"** when this interface is implemented. [Learn more about Azure IoT Plug and Play Components](../iot-develop/concepts-modeling-guide.md)

-### Agent Metadata

-The Device Update agent uses Agent Metadata fields to send

-information to Device Update services.

-|deviceProperties|Map|device to cloud|The set of properties that contain the manufacturer, model, and other device information.|See other examples for details|

-|compatPropertyNames|String (Comma separated)|device to cloud|The device reported properties that are used to check for compatibility of the device to target the update deployment. Limited to five device properties|"compatPropertyNames": "manufacturer,model"|

-|lastInstallResult|Map|device to cloud|The result reported by the agent. It contains result code, extended result code, and result details for main update and other step updates||

-|stepResults|map|device to cloud|The result reported by the agent containing result code, extended result code, and result details for step updates | "step_1": { "resultCode": 0,"extendedResultCode": 0, "resultDetails": ""}|

-|state|integer|device to cloud|It is an integer that indicates the current state of the Device Update agent. See State section for details |0|

-|workflow|complex|device to cloud|It is a set of values that indicates which deployment the agent is currently working on, ID of current deployment, and acknowledgment of any retry request sent from service to agent.|"workflow": {"action": 3,"ID": "11b6a7c3-6956-4b33-b5a9-87fdd79d2f01","retryTimestamp": "2022-01-26T11:33:29.9680598Z"}|

-|installedUpdateId|string|device to cloud|An ID of the update that is currently installed (through Device Update). This value will be a string capturing the Update ID JSON or null for a device that has never taken an update through Device Update.|installedUpdateID{\"provider\":\"contoso\",\"name\":\"image-update\",\"version\":\"1.0.0\"}"|

-#### State

-It is the status reported by the Device Update (DU) agent after receiving an action from the Device Update service. `State` is reported in response to an `Action` (see `Actions` section) sent to the Device Update agent from the Device Update service. See the [overview workflow](understand-device-update.md#device-update-agent) for requests that flow between the Device Update service and the Device Update agent.

-|Name|Value|Description|

-||--|--|

-|Idle|0|The device is ready to receive an action from the Device Update service. After a successful update, state is returned to the `Idle` state.|

-|DeploymentInprogress|6| A deployment in progress|

-|Failed|255|A failure occurred during updating.|

-|DownloadSucceeded|2|A successful download. This status is only reported by devices with agent version 0.7.0 or older.|

-|InstallSucceeded|4|A successful install. This status is only reported by devices with agent version 0.7.0 or older.|

-#### Device Properties

-It is the set of properties that contain the manufacturer and model.

-|manufacturer|string|device to cloud|The device manufacturer of the device, reported through `deviceProperties`. This property is read from one of two places - the 'DeviceUpdateCore' interface will first attempt to read the 'aduc_manufacturer' value from the [Configuration file](device-update-configuration-file.md) file. If the value is not populated in the configuration file, it will default to reporting the compile-time definition for ADUC_DEVICEPROPERTIES_MANUFACTURER. This property will only be reported at boot time. Default value 'Contoso'|

-|model|string|device to cloud|The device model of the device, reported through `deviceProperties`. This property is read from one of two - the DeviceUpdateCore interface will first attempt to read the 'aduc_model' value from the [Configuration file](device-update-configuration-file.md) file. If the value is not populated in the configuration file, it will default to reporting the compile-time definition for ADUC_DEVICEPROPERTIES_MODEL. This property will only be reported at boot time. Default value 'Video'|

-|interfaceId|string|device to cloud|This property is used by the service to identify the interface version being used by the Device Update agent. It is required by Device Update service to manage and communicate with the agent. This property is set at 'dtmi:azure:iot:deviceUpdateModel;1' for device using DU agent version 0.8.0.|

-|aduVer|string|device to cloud|Version of the Device Update agent running on the device. This value is read from the build only if during compile time ENABLE_ADU_TELEMETRY_REPORTING is set to 1 (true). Customers can choose to opt-out of version reporting by setting the value to 0 (false). [How to customize Device Update agent properties](https://github.com/Azure/iot-hub-device-update/blob/main/docs/agent-reference/how-to-build-agent-code.md).|

-|doVer|string|device to cloud|Version of the Delivery Optimization agent running on the device. The value is read from the build only if during compile time ENABLE_ADU_TELEMETRY_REPORTING is set to 1 (true). Customers can choose to opt-out of the version reporting by setting the value to 0 (false).[How to customize Delivery Optimization agent properties](https://github.com/microsoft/do-client/blob/main/README.md#building-do-client-components).|

-|Custom compatibility Properties|User Defined|device to cloud|Implementer can define other device properties to be used for the compatibility check while targeting the update deployment|

-IoT Hub Device Twin sample

->The device or module must add the `{"__t": "c"}` marker to indicate that the element refers to a component, learn more [here](../iot-develop/concepts-convention.md#sample-multiple-components-writable-property).

-### Service Metadata

-Service Metadata contains fields that the Device Update services uses to communicate actions and data to the Device Update agent.

-|action|integer|cloud to device|It is an integer that corresponds to an action the agent should perform. Values listed in the Action section.|

-|updateManifest|string|cloud to device|Used to describe the content of an update. Generated from the [Import Manifest](create-update.md)|

-|fileUrls|Map|cloud to device|Map of `FileID` to `DownloadUrl`. Tells the agent, which files to download and the hash to use to verify that the files were downloaded correctly.|

-`Actions` in this section represents the actions taken by the Device Update agent as instructed by the Device Update service. The Device Update agent will report a `State` (see `State` section) processing the `Action` received. See the [overview workflow](understand-device-update.md#device-update-agent) for requests that flow between the Device Update service and the Device Update agent.

-|ApplyDeployment|3|Apply the update. It signals to the device to apply the deployed update|

-|Cancel|255|Stop processing the current action and go back to `Idle`. It is also be used to tell the agent in the `Failed` state to go back to `Idle`.|

-|Download|0|Download published content or update and any other content needed. This action is only sent to devices with agent version 0.7.0 or older.|

-|Install|1|Install the content or update. Typically this action means to call the installer for the content or update. This action is only sent to devices with agent version 0.7.0 or older.|

-|Apply|2|Finalize the update. It signals the system to reboot if necessary. This action is only sent to devices with agent version 0.7.0 or older.|

-## Device Information Interface

-The Device Information interface is a concept used within [IoT Plug and Play architecture](../iot-develop/overview-iot-plug-and-play.md). It contains device to cloud properties that provide information about the hardware and operating system of the device. Device Update for IoT Hub uses the DeviceInformation.manufacturer and DeviceInformation.model properties for telemetry and diagnostics. To learn more about Device Information interface, see this [example](https://devicemodels.azure.com/dtmi/azure/devicemanagement/deviceinformation-1.json).

-To use Device Update for IoT Hub, you need to create a device update account and instance resource.

-## Device update account

-you can select the region where your Device Update account will be created. You can also set permissions to authorize users that

-will have access to Device Update.

-updates and deployments associated with a specific IoT hub. Device Update uses IoT hub as a device directory, and a communication channel with devices.

-## Configuring Device update linked IoT Hub

-In order for Device Update to receive change notifications from IoT Hub, Device Update integrates with the "Built-In" Event Hub. Clicking the "Configure IoT Hub" button within your instance configures the required message routes, consumer groups and access policy required to communicate with IoT devices.

-The following Message Routes are configured for Device Update:

-| DeviceUpdate.DigitalTwinChanges | DigitalTwinChangeEvents | true | events | Listens for Digital Twin Changes Events |

-| DeviceUpdate.DeviceLifecycle | DeviceLifecycleEvents | opType = 'deleteDeviceIdentity' OR opType = 'deleteModuleIdentity' | events | Listens for Devices that have been deleted |

-| DeviceUpdate.DeviceTwinEvents| TwinChangeEvents | (opType = 'updateTwin' OR opType = 'replaceTwin') AND IS_DEFINED($body.tags.ADUGroup) | events | Listens for new Device Update Groups |

-> Route names don't really matter when configuring these routes. We are including DeviceUpdate as a prefix to make the names consistent and easily identifiable that they are being used for Device Update. The rest of the route properties should be configured as they are in the table below for the Device Update to work properly.

-### Consumer Group

-Configuring the IoT Hub also creates an event hub consumer group that is required by the Device Update Management services.

-### Access Policy

-A shared access policy named "deviceupdateservice" is required by the Device Update Management services to query for update-capable devices. The "deviceupdateservice" policy is created and given the following permissions as part of configuring the IoT Hub:

-description: Create Azure Resource Manager templates for automating deployment in Azure Logic Apps.

-# Create Azure Resource Manager templates to automate deployment for Azure Logic Apps

-To help you automate creating and deploying your logic app, this article describes the ways that you can create an [Azure Resource Manager template](../azure-resource-manager/management/overview.md) for your logic app. For an overview about the structure and syntax for a template that includes your workflow definition and other resources necessary for deployment, see [Overview: Automate deployment for logic apps with Azure Resource Manager templates](logic-apps-azure-resource-manager-templates-overview.md).

-Azure Logic Apps provides a [prebuilt logic app Azure Resource Manager template](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.logic/logic-app-create/azuredeploy.json) that you can reuse, not only for creating logic apps, but also to define the resources and parameters to use for deployment. You can use this template for your own business scenarios or customize the template to meet your requirements.

-> Make sure that connections in your template use the same Azure resource group and location as your logic app.

-For more about Azure Resource Manager templates, see these topics:

-> [Deploy logic app templates](../logic-apps/logic-apps-deploy-azure-resource-manager-templates.md)

-> * [v1](v1/how-to-create-attach-compute-cluster.md)

-> * [v2 (preview)](how-to-create-attach-compute-cluster.md)

-> Examples in this article refer to both CLI v1 and CLI v2 versions. If no version is specified for a command, it will work with either the v1 or CLI v2. The machine learning CLI v2 is currently in public preview. This preview version is provided without a service-level agreement, and it's not recommended for production workloads.

-# [Bring existing resources (CLI v2 - preview)](#tab/bringexistingresources2)

-# [CLI v2 - preview](#tab/vnetpleconfigurationsv2cli)

-# [CLI v2 - preview](#tab/vnetpleconfigurationsv2cli)

-# [CLI v2 - preview](#tab/workspaceupdatev2)

-# [CLI v2 - preview](#tab/workspaceupdatev2)

-# [CLI v2 - preview](#tab/workspacesynckeysv2)

-# [CLI v2 - preview](#tab/workspacedeletev2)

-> * [v1](how-to-create-attach-compute-cluster.md)

-> * [v2 (preview)](../how-to-create-attach-compute-cluster.md)

-Learn how to create and manage a [compute instance](../concept-compute-instance.md) in your Azure Machine Learning workspace with CLI v1.

-> [How to share an Azure Managed Grafana Preview workspace](./how-to-share-grafana-workspace.md)

-## Assign roles to the service principal of your application and of your Azure Managed Grafana Preview workspace

-1. Start by [Creating an Azure AD application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md). This guide takes you through creating an application and assigning a role to its service principal. For simplicity, use an application located in the same Azure Active Directory (Azure AD) tenant as your Grafana workspace.

-1. Assign the role of your choice to the service principal for your Grafana resource. Refer to [How to share a Managed Grafana workspace](how-to-share-grafana-workspace.md) to learn how to grant access to a Grafana instance. Instead of selecting a user, select **Service principal**.

-Replace `<access-token>` with the access token retrieved in the previous step and replace `<grafana-url>` with the URL of your Grafana instance. For example `https://grafanaworkspace-abcd.cuse.grafana.azure.com`. This URL is displayed in the Azure platform, in the **Overview** page of your Managed Grafana workspace.

-> [Grafana UI](./grafana-app-ui.md)

-You can find all available Grafana data sources by going to your workspace and selecting this page from the left menu: **Configuration** > **Data sources** > **Add a data source** . Search for the data source you need from the available list. For more information about data sources, go to [Data sources](https://grafana.com/docs/grafana/latest/datasources/) on the Grafana Labs website.

-The Azure Monitor data source is automatically added to all new Managed Grafana resources. To review or modify its configuration, follow these steps in your workspace endpoint:

-1. Azure Monitor should be listed as a built-in data source for your workspace. Select **Azure Monitor**.

-Authentication and authorization are subsequently made through the provided managed identity. With Managed Identity, you can assign permissions for your Managed Grafana workspace to access Azure Monitor data without having to manually manage service principals in Azure Active Directory (Azure AD).

-> [Share an Azure Managed Grafana workspace](./how-to-share-grafana-workspace.md)

-description: Learn how to monitor your workspace in Azure Managed Grafana Preview with logs

-# How to monitor your workspace with logs in Azure Managed Grafana Preview

-In this article, you'll learn how to monitor an Azure Managed Grafana Preview workspace by configuring diagnostic settings and accessing event logs.

-To monitor an Azure Managed Grafana workspace, the first step to take is to configure diagnostic settings. In this process, you'll configure the streaming export of your workspace's logs to a destination of your choice.

-1. Open a Managed Grafana workspace, and go to **Diagnostic settings**, under **Monitoring**

- | Storage account | Archive data to a storage account | Select the **subscription** containing an existing storage account, then select the **storage account**. Only storage accounts in the same region as the Grafana workspace are displayed in the dropdown menu. |

- | Event hub | Stream to an event hub | Select a **subscription** and an existing Azure Event Hub **namespace**. Optionally also choose an existing **event hub**. Lastly, choose an **event hub policy** from the list. Only event hubs in the same region as the Grafana workspace are displayed in the dropdown menu. |

-1. In your Managed Grafana workspace, select **Logs** from the left menu. The Azure platform displays a **Queries** page, with suggestions of queries to choose from.

-> [How to share an Azure Managed Grafana workspace](./how-to-share-grafana-workspace.md)

-description: Learn how to manually set up permissions that allow your Azure Managed Grafana Preview workspace to access a data source

-By default, when a Grafana workspace is created, Azure Managed Grafana grants it the Monitoring Reader role for all Azure Monitor data and Log Analytics resources within a subscription.

-This means that the new Grafana workspace can access and search all monitoring data in the subscription, including viewing the Azure Monitor metrics and logs from all resources, and any logs stored in Log Analytics workspaces in the subscription.

-## Edit Azure Monitor permissions for an Azure Managed Grafana workspace

-1. Select the **Subscription** containing your Managed Grafana workspace

-1. Select your Managed Grafana workspace from the list.

- :::image type="content" source="media/permissions/permissions-managed-identities.png" alt-text="Screenshot of the Azure platform selecting the workspace.":::

-> [How to configure data sources for Azure Managed Grafana](./how-to-data-source-plugins-managed-identity.md)

-# How to share an Azure Managed Grafana Preview workspace

-A DevOps team may build dashboards to monitor and diagnose an application or infrastructure that it manages. Likewise, a support team may use a Grafana monitoring solution for troubleshooting customer issues. In these scenarios, multiple users will be accessing one Grafana workspace. Azure Managed Grafana enables such sharing by allowing you to set the custom permissions on a workspace that you own. This article explains what permissions are supported and how to grant permissions to share dashboards with your internal teams or external customers.

-The Admin role is automatically assigned to the creator of a Grafana workspace. More details on Admin, Editor, and Viewer roles can be found at [Grafana organization roles](https://grafana.com/docs/grafana/latest/permissions/organization_roles/#compare-roles).

-1. Open your Managed Grafana workspace.

-> [How to call Grafana APIs in your automation with Azure Managed Grafana](./how-to-api-calls.md)

-> [Create a workspace in Azure Managed Grafana Preview using the Azure portal](./quickstart-managed-grafana-portal.md).

-description: Learn how to create a Managed Grafana workspace using the Azure CLI

-# Quickstart: Create a workspace in Azure Managed Grafana Preview using the Azure CLI

-This quickstart describes how to use the Azure Command-Line Interface (CLI) to create a new workspace in Azure Managed Grafana Preview.

-| --name | Choose a unique name for your new Managed Grafana workspace. | *grafana-test* |

-| --location | Choose an Azure Region where Managed Grafana is available. | *eastus* |

-Once the deployment is complete, you'll see a note in the output of the command line stating that instance was successfully created, alongside with additional information about the deployment.

-## Open your new Managed Grafana dashboard

-Now let's check if you can access your new Managed Grafana dashboard.

-1. Open a browser and enter the endpoint URL. You should now see your Azure Managed Grafana Dashboard. From there, you can finish setting up your Grafana installation.

-> If creating a Grafana workspace fails the first time, please try again. The failure might be due to a limitation in our backend, and we are actively working to fix.

-If you're not going to continue to use this workspace, delete the Azure resources you created.

-description: Learn how to create a Managed Grafana workspace using the Azure portal

-# Quickstart: Create a workspace in Azure Managed Grafana Preview using the Azure portal

-Get started by using the Azure portal to create a new workspace in Azure Managed Grafana Preview.

-1. In the Create Grafana Workspace pane, enter the following settings.

- | Subscription ID | mysubscription | Select the Azure subscription you want to use. |

- | Resource group name | myresourcegroup | Select or create a resource group for your Azure Managed Grafana resources. |

- | Location | East US | Use Location to specify the geographic location in which to host your resource. Choose the location closest to you. |

- | Name | mygrafanaworkspace | Enter a unique resource name. It will be used as the domain name in your workspace URL. |

-1. Select **Next : Permission >** to access rights for your Grafana dashboard and data sources:

- > If creating a Grafana workspace fails the first time, please try again. The failure might be due to a limitation in our backend, and we are actively working to fix.

-## Connect to your Managed Grafana workspace

-1. In the **Overview** tab's Essentials section, note the **Endpoint** URL. Open it to access the newly created Managed Grafana workspace. Single sign-on via Azure Active Directory should have been configured for you automatically. If prompted, enter your Azure account.

- :::image type="content" source="media/managed-grafana-quickstart-portal-grafana-workspace.png" alt-text="Screenshot of a Managed Grafana dashboard.":::

->- Python 2.6+

->- OpenSSL 1.0+

->- OpenSSH 5.3+

->- Filesystem utilities: sfdisk, fdisk, mkfs, parted

->- Password tools: chpasswd, sudo

->- Text processing tools: sed, grep

->- Network tools: ip-route

-You can also edit and customize these templates according to your requirements. For more information, see [Azure Monitor workbooks overview](../../azure-monitor/visualize/workbooks-overview.md#editing-mode).

-> * You can also edit these templates and customize them according to your requirements. For more information, see the "Editing mode" section of the [Azure Monitor workbooks overview](../../azure-monitor/visualize/workbooks-overview.md#editing-mode).

-In this tutorial, we'll use Azure CNI networking in AKS. If you'd like to configure kubenet networking instead, see [Use kubenet networking in AKS](../../aks/configure-kubenet.md#create-a-service-principal-and-assign-permissions).

-> * You can also edit these templates and customize them according to your requirements. For more information, see [Azure Monitor workbooks overview](../../azure-monitor/visualize/workbooks-overview.md#editing-mode).

-|4.10|March 2022| May 20 2022|4.12 GA|

-With continuous backup of transaction logs, you'll be able to restore to the last transaction. You can choose between two restore options:

-The estimated time to recover depends on several factors, including the volume of transaction logs to process after the previous backup time, and the total number of databases recovering in the same region at the same time. The overall recovery time usually takes from few minutes up to a few hours.

-The following table provides a high-level features and capabilities comparisons between Single Server and Flexible Server. For most new deployments, we recommend using Flexible Server. However, you should consider your own requirements against the comparison table below.

-| Ability to scale across compute tiers | Cannot scale Basic tier | Yes. Can scale across tiers |

-| Max. Storage size | 1 TB (Basic), 4 TB or 16 TB (GP,MO). Note: Not all regions support 16 TB. | 16 TB |

-| Storage auto-grow | Yes (1 GB increments) | No |

-| Max IOPS | Basic - Variable. GP/MO: up to 20K | Up to 20K |

-| Can turn off SSL | Yes | No |

-| Cross region DR | Using read replicas, geo-redundant backup | N/A |

-| Customer scheduled window| No | Yes (can choose any 1hr on any day) |

-| Notice period | 3 days | 5 days |

-| Maintenance period | Anytime within 15 hrs window | 1hr window |

-| Azure Active Directory Support (AAD) | Yes | No |

-| Customer managed encryption key (BYOK) | Yes | No |

-| Resource health | Yes | No |

-If zone redundant high availability is configured, the service provisions and maintains a warm standby server across availability zone within the same Azure region. The data changes on the source server is synchronously replicated to the standby server to ensure zero data loss. With zone redundant high availability, once the planned or unplanned failover event is triggered, the standby server comes online immediately and is available to process incoming transactions. This allows the service resiliency from availability zone failure within an Azure region that supports multiple availability zones as shown in the picture below.

-Flexible servers allows full private access to the servers using Azure virtual network (VNet integration). Servers in Azure virtual network can only be reached and connected through private IP addresses. With VNet integration, public access is denied and servers cannot be reached using public endpoints.

-Create a flexible server with the `az postgres flexible-server create` command. A server can contain multiple databases. The following command creates a server using service defaults and values from your Azure CLI's [local context](/cli/local-context):

-## Release" June 2022

-* Version updates for [extension](concepts-extensions.md) PostGIS

-## Direct costs

-### Elastic data map

-#### Operation throughput

-#### Metadata storage

-### Automated scanning, classification, and ingestion

-#### 1. Automatic scans using native connectors

-#### 2. Automated ingestion using Azure Data Factory and/or Azure Synapse pipelines

-### Advanced resource sets

-description: This article provides an overview of Microsoft Purview (formerly Azure Purview), including its features and the problems it addresses. Microsoft Purview enables any user to register, discover, understand, and consume data sources.

-# What is Microsoft Purview (formerly Azure Purview)?

-Microsoft Purview is a unified data governance service that helps you manage and govern your on-premises, multi-cloud, and software-as-a-service (SaaS) data. Microsoft Purview allows you to:

-> Azure Route Servers created before November 1st, 2021, that don't have a public IP address associated, are deployed with the Public preview offering. The public preview offering is not backed by Generally Available SLA and support. To deploy Azure Route Server with the Generally Available offering, and to acheive Generally Available SLA and support, please delete and recreate Route Server.

-* You can peer multiple instances of your NVA with Azure Route Server. You can configure the BGP attributes in your NVA and, depending on your design (e.g., active-active for performance or active-passive for resiliency), let Azure Route Server know which NVA instance is active or which one is passive.

-> If you have an Azure Route Server created before September 1st and it doesn't have a public IP address asssociated, you'll need to recreate the Route Server so it can obtain an IP address for management purpose.

-> If you have an Azure Route Server created before September 1st and it doesn't have a public IP address asssociated, you'll need to recreate the Route Server so it can obtain an IP address for management purpose.

-### Sign in to your Azure account and select your subscription.

-> If you have an Azure Route Server created before September 1st and it doesn't have a public IP address asssociated, you'll need to recreate the Route Server so it can obtain an IP address for management purpose.

-description: Debug Sessions, accessed through the Azure portal, provides an IDE-like environment where you can identify and fix errors, validate changes, and push changes to skillsets in the AI enrichment pipeline. Debug Sessions is a preview feature.

-Debug Sessions is a visual editor that works with an existing skillset in the Azure portal, exposing the structure and content of a single enriched document, as it's produced by an indexer and skillset, for the duration of the session. Because you are working with a live document, the session is interactive - you can identify errors, modify and invoke skill execution, and validate the results in real time. If your changes resolve the problem, you can commit them to a published skillset to apply the fixes globally.

-> [!Important]

-> Debug Sessions is a preview feature provided under [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-When you start a session, the search service creates a copy of the skillset, indexer, and a data source containing a single document that will be used to test the skillset. All session state will be saved to a container in an Azure Storage account that you provide.

-Selecting a skill in the graph will display the details of that instance of the skill in the right pane, including it's definition, errors or warnings, and execution history. The **Skill Graph** is where you will select which skill to debug or enhance. The details pane to the right is where you edit and explore.

-Skill details includes the following areas:

-When debugging an error with a custom skill, there is the option to generate a request for a skill invocation in the execution history.

-> [!Important]

-> Debug sessions is a preview portal feature, provided under [Supplemental Terms of Use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-+ You must have at least **Contributor** role over the Search service, to be able to run Debug Sessions.

-+ You must have at least **Storage Blob Data Contributor** role assgined over the Storage account.

-+ If the Azure Storage account has configured a firewall, you must configure it to [provide access to the Search service](search-indexer-howto-access-ip-restricted.md).

-+ For the SQL API of Cosmos DB, if a row fails during index and there is no corresponding metadata, the debug session might not pick the correct row.

- > By default, Azure Functions are exposed on 7071. Other tools and configurations might require that you provide a different port.

-### Test

-## Expected behaviors

-+ If debugging for a CosmosDB SQL data source, if the CosmosDB SQL collection was previously non-partitioned, and then it was changed to a partitioned collection on the CosmosDB end, Debug Sessions won't be able to pick up the correct document from CosmosDB.

-+ CosmosDB SQL errors omit some metadata about what row failed, so in some cases, Debug Sessions wonΓÇÖt pick the correct row.

-> [Tutorial: Explore Debug sessions](./cognitive-search-tutorial-debug-sessions.md)

-description: Debug sessions (preview) is an Azure portal tool used to find, diagnose, and repair problems in a skillset.

-> [!Important]

-> Debug sessions is a preview feature provided under [Supplemental Terms of Use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

->

-1. In the right pane, select **Skill Settings** for the #1 skill and open the Expression Evaluator **</>** for the input "languageCode."

-1. Select **Run**.

-After the debug session execution completes, check the Errors/Warnings tab and it will show that all of the input warnings are gone. There now remains just the two warnings about output fields for organizations and locations.

-This article is a comprehensive list of all features that are in public preview. Preview functionality is provided without a service level agreement, and is not recommended for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-Preview features that transition to general availability are removed from this list. If a feature isn't listed below, you can assume it is generally available. For announcements regarding general availability, see [Service Updates](https://azure.microsoft.com/updates/?product=search) or [What's New](whats-new.md).

-| [**Debug Sessions**](cognitive-search-debug-session.md) | Portal, AI enrichment (skills) | An in-session skillset editor used to investigate and resolve issues with a skillset. Fixes applied during a debug session can be saved to a skillset in the service. | Portal only, using mid-page links on the Overview page to open a debug session. |

-Several premium features ([Knowledge store](knowledge-store-concept-intro.md), [Debug Sessions](cognitive-search-debug-session.md), [Enrichment cache (preview)](cognitive-search-incremental-indexing-conceptual.md)) have a dependency on Azure Storage. The meters for Azure Storage apply in this case, and the associated storage costs of using these features will be included in the Azure Storage bill.

-```csharp

-```dos

-Check your application's performance before you launch it or deploy updates to production. Run cloud-based [load tests](/azure/load-testing/) by using Visual Studio to find performance problems in your application, improve deployment quality, make sure that your application is always up or available, and that your application can handle traffic for your launch.

-Microsoft Defender for Cloud's threat protection enables you to detect and prevent threats at the Infrastructure as a Service (IaaS) layer, non-Azure servers as well as for Platforms as a Service (PaaS) in Azure.

-Security Center's threat protection includes fusion kill-chain analysis, which automatically correlates alerts in your environment based on cyber kill-chain analysis, to help you better understand the full story of an attack campaign, where it started and what kind of impact it had on your resources.

- az vm create --resource-group <resource group name> --name <VM Name> --image Canonical:0001-com-ubuntu-server-focal:20_04-lts-gen2:latest --admin-username <azureuser> --public-ip-address "" --size Standard_D2as_v5 --generate-ssh-keys --assign-identity

- <Service Name="Processing">

- <StatefulService ServiceTypeName="ProcessingType" TargetReplicaSetSize="[Processing_TargetReplicaSetSize]" MinReplicaSetSize="[Processing_MinReplicaSetSize]">

- </Service>

-Please note that the above limits are applicable to hybrid DR scenarios only.

-East US, East US 2, South Central US, West US 2, West US 3, West Europe, North Europe, UK South, Southeast Asia, Australia East.

-To run the network connectivity test, install Azure File Sync agent version 9.1 or later and run the following PowerShell commands:

-| Maximum object name length (total pathname including all directories and filename) | 2,048 characters | 2,048 characters |

-| Maximum individual pathname component length (in the path \A\B\C\D, each letter represents a directory or file that is an individual component) | 255 characters | 255 characters |

-description: Learn how to add and manage libraries used by Apache Spark in Azure Synapse Analytics.

-Libraries provide reusable code that you may want to include in your programs or projects.

-You may need to update your serverless Apache Spark pool environment for various reasons. For example, you may find that:

-To make third party or locally built code available to your applications, you can install a library onto one of your serverless Apache Spark pools or notebook session.

-Apache Spark in Azure Synapse Analytics has a full Anacondas install plus extra libraries. The full libraries list can be found at [Apache Spark version support](apache-spark-version-support.md).

-When a Spark instance starts up, these libraries will automatically be included. Additional packages can be added at the Spark pool level or session level.

-When developing custom applications or models, your team may develop various code artifacts like wheel or jar files to package your code.

-In Synapse, workspace packages can be custom or private wheel or jar files. You can upload these packages to your workspace and later assign them to a specific Spark pool. Once assigned, these workspace packages are automatically installed on all Spark pool sessions.

-To learn more about how to manage workspace libraries, visit the following how-to guides:

-In some cases, you may want to standardize the set of packages that are used on a given Apache Spark pool. This standardization can be useful if the same packages are commonly installed by multiple people on your team.

-Using the Azure Synapse Analytics pool management capabilities, you can configure the default set of libraries that you would like installed on a given serverless Apache Spark pool. These libraries are installed on top of the [base runtime](./apache-spark-version-support.md).

-Currently, pool management is only supported for Python. For Python, Synapse Spark pools use Conda to install and manage Python package dependencies. When specifying your pool-level libraries, you can now provide a requirements.txt or an environment.yml. This environment configuration file is used every time a Spark instance is created from that Spark pool.

-To learn more about these capabilities, visit the documentation on [Python pool management](./apache-spark-manage-python-packages.md#pool-libraries).

-> - If the package you are installing is large or takes a long time to install, this affects the Spark instance start up time.

-Often, when doing interactive data analysis or machine learning, you may find that you want to try out newer packages or you may need packages that are not already available on your Apache Spark pool. Instead of updating the pool configuration, users can now use session-scoped packages to add, manage, and update session dependencies.

-Session-scoped packages allow users to define package dependencies at the start of their session. When you install a session-scoped package, only the current session has access to the specified packages. As a result, these session-scoped packages will not impact other sessions or jobs using the same Apache Spark pool. In addition, these libraries are installed on top of the base runtime and pool level packages.

-To learn more about how to manage session-scoped packages, visit the following how-to guides:

- @concat(activity('CheckState').output.value[0].properties.status,'-',pipeline().parameters.PauseOrResume)

-To learn about managing rights and permissions to the workbook, see [Access control](../azure-monitor/visualize/workbooks-access-control.md).

-The Dav4-series and Dasv4-series are new sizes utilizing AMD's 2.35Ghz EPYC^TM 7452 processor in a multi-threaded configuration with up to 256 MB L3 cache dedicating 8 MB of that L3 cache to every 8 cores increasing customer options for running their general purpose workloads. The Dav4-series and Dasv4-series have the same memory and disk configurations as the D & Dsv3-series.

-Dav4-series sizes are based on the 2.35Ghz AMD EPYC^TM 7452 processor that can achieve a boosted maximum frequency of 3.35GHz. The Dav4-series sizes offer a combination of vCPU, memory and temporary storage for most production workloads. Data disk storage is billed separately from virtual machines. To use premium SSD, use the Dasv4 sizes. The pricing and billing meters for Dasv4 sizes are the same as the Dav4-series.

-Dasv4-series sizes are based on the 2.35Ghz AMD EPYC^TM 7452 processor that can achieve a boosted maximum frequency of 3.35GHz and use premium SSD. The Dasv4-series sizes offer a combination of vCPU, memory and temporary storage for most production workloads.

-The Eav4-series and Easv4-series utilize AMD's 2.35Ghz EPYC^TM 7452 processor in a multi-threaded configuration with up to 256MB L3 cache, increasing options for running most memory optimized workloads. The Eav4-series and Easv4-series have the same memory and disk configurations as the Ev3 & Esv3-series.

-Eav4-series sizes are based on the 2.35Ghz AMD EPYC^TM 7452 processor that can achieve a boosted maximum frequency of 3.35GHz. The Eav4-series sizes are ideal for memory-intensive enterprise applications. Data disk storage is billed separately from virtual machines. To use premium SSD, use the Easv4-series sizes. The pricing and billing meters for Easv4 sizes are the same as the Eav3-series.

-Easv4-series sizes are based on the 2.35Ghz AMD EPYC^TM 7452 processor that can achieve a boosted maximum frequency of 3.35GHz and use premium SSD. The Easv4-series sizes are ideal for memory-intensive enterprise applications.

-Each NAT gateway public IP address provides 64,512 SNAT ports to make outbound connections. NAT gateway can support up to 50,000 concurrent connections per public IP address to the same destination endpoint over the internet for TCP and UDP. Review the following section for details and the [troubleshooting article](./troubleshoot-nat.md) for specific problem resolution guidance.

-You can use the [Azure Portal](#azure-portal), [PowerShell](#powershell), or the [Azure CLI](#azure-cli) to enable resource logging.

-### Azure Portal

-To enable resource logging, you need the Id of an existing NSG. If you don't have an existing NSG, you can create one with [New-AzNetworkSecurityGroup](/powershell/module/az.network/new-aznetworksecuritygroup).

-If you only want to log data for one category or the other, rather than both, add the `-Categories` option to the previous command, followed by *NetworkSecurityGroupEvent* or *NetworkSecurityGroupRuleCounter*. If you want to log to a different [destination](#log-destinations) than a Log Analytics workspace, use the appropriate parameters for an Azure [Storage account](../azure-monitor/essentials/resource-logs.md?toc=%2fazure%2fvirtual-network%2ftoc.json#send-to-azure-storage) or [Event Hub](../azure-monitor/essentials/resource-logs.md?toc=%2fazure%2fvirtual-network%2ftoc.json#send-to-azure-event-hubs).

-To enable resource logging, you need the Id of an existing NSG. If you don't have an existing NSG, you can create one with [az network nsg create](/cli/azure/network/nsg#az-network-nsg-create).

-If you only want to log data for one category or the other, remove the category you don't want to log data for in the previous command. If you want to log to a different [destination](#log-destinations) than a Log Analytics workspace, use the appropriate parameters for an Azure [Storage account](../azure-monitor/essentials/resource-logs.md?toc=%2fazure%2fvirtual-network%2ftoc.json#send-to-azure-storage) or [Event Hub](../azure-monitor/essentials/resource-logs.md?toc=%2fazure%2fvirtual-network%2ftoc.json#send-to-azure-event-hubs).